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SPACE  SHUTTLE  OPERATIONAL  FLIGHT  RULES  ANNEX 


ALL  FLIGHTS 
VOLUME  A 
FINAL,  PCN-1 
PREFACE 


THIS  DOCUMENT,  VOLUME  A,  FINAL,  PCN-1,  DATED  NOVEMBER  21,  2002,  IS 

THE  GENERIC  VERSION  OF  THE  SPACE  SHUTTLE  OPERATIONAL  FLIGHT  RULES  AND 
IS  INTENDED  TO  BE  USED  IN  CONJUNCTION  WITH  THE  SPACE  SHUTTLE 
OPERATIONAL  FLIGHT  RULES  ANNEX  (NSTS-18308)  WHICH  CONTAINS  THE  FLIGHT 
SPECIFIC  RULES.  INCLUDED  IN  THIS  PUBLICATION  ARE  FLIGHT  RULE  CHANGES 
APPROVED  IN  FLIGHT  RULES  CONTROL  BOARD  (FRCB )  MEETINGS  140,  141,  142, 

AND  143  HELD  ON  JUNE  27,  AUGUST  29,  SEPTEMBER  26,  AND  OCTOBER  24, 

2002,  RESPECTIVELY. 

THIS  DOCUMENT  USES  A  NEW  RULE  NUMBER  SYSTEM  DESIGNED  TO  FACILITATE 
NEW  DATABASES  FOR  MAINTAINING  CONFIGURATION  MANAGEMENT  OF  JOINT 
SHUTTLE-ISS  ANNEXES,  SPACE  SHUTTLE  OPERATIONAL  FLIGHT  RULES,  VOLUME 
A;  ISS  GENERIC  OPERATIONAL  FLIGHT  RULES,  VOLUME  B;  JOINT  SHUTTLE/ISS 
GENERIC  OPERATIONAL  FLIGHT  RULES,  VOLUME  C;  AND  SOYUZ/PROGRESS/ISS 
JOINT  FLIGHT  RULES,  VOLUME  D. 

IT  IS  REQUESTED  THAT  ANY  ORGANIZATION  HAVING  COMMENTS,  QUESTIONS,  OR 
SUGGESTIONS  CONCERNING  THESE  FLIGHT  RULES  CONTACT  DA8/W.  PRESTON  DILL, 
FLIGHT  DIRECTOR  OFFICE,  BUILDING  4  NORTH,  ROOM  3039,  PHONE  281-483-5418. 

ALL  FLIGHT  RULES  ARE  AVAILABLE  ON  THE  INTERNET.  THE  URL  IS: 

HTTP: //MOD. JSC.NASA.GOV/DA8.  NO  ID  OR  PASSWORD  WILL  BE  REQUIRED  TO 
ACCESS  ANY  OF  THE  RULES  PROVIDED  THE  USER  IS  ACCESSING  FROM  A  TRUSTED 
SITE  (ALL  NASA  CENTERS,  CONTRACTORS,  AND  INTERNATIONAL  PARTNERS) .  IF 
UNABLE  TO  ACCESS,  USERS  NEED  TO  SEND  AN  E-MAIL  NOTE  TO  DA8/M.  L. 

GRIFFITH  (MARY.L.GRIFFITH1@JSC.NASA.GOV)  WITH  THEIR  FULL  NAME,  COMPANY, 
IP  ADDRESS,  AND  A  JUSTIFICATION  STATEMENT  FOR  ACCESS. 

THIS  IS  A  CONTROLLED  DOCUMENT  AND  ANY  CHANGES  ARE  SUBJECT  TO  THE 
CHANGE  CONTROL  PROCEDURES  DELINEATED  IN  APPENDIX  B.  THIS  DOCUMENT 
IS  NOT  TO  BE  REPRODUCED  WITHOUT  THE  WRITTEN  APPROVAL  OF  THE  CHIEF, 

FLIGHT  DIRECTOR  OFFICE,  DA8 ,  LYNDON  B.  JOHNSON  SPACE  CENTER, 

HOUSTON,  TEXAS. 


MANAGER,  SPACE  SHUTTLE  PROGRAM 


Verify  that  this  is  the  correct  version  before  use. 
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ALL  FLIGHTS 
VOLUME  A 

FINAL,  DATED  JUNE  20,  2002 
PCN-1,  DATED  NOVEMBER  21,  2002 


THIS  PCN-1  INCORPORATES  CHANGES  TO  THE  FOLLOWING  RULES  BY  THE  APPLICABLE 
CHANGE  REQUESTS  (CR' S). 


RULE  NO. 

CR  NO. 

RULE  NO. 

CR  NO. 

RULE  NO. 

CR  NO. 

A2-2 

ED 

A4-59 

ED 

A8-59 

CR  5804C 

A2-5 

ED 

A4-61 

ED 

A8-61 

ED 

A2-6 

ED 

A4-107 

ED 

A8-115 

CR  5643 

A2-7 

CR  5668 

A4-110 

ED 

A8-1001 

CR  5718 

A2-9 

CR  5669A 

A4-111 

CR  5149C 

A8-1001 

CR  5804C 

A2-64 

ED 

A4-111 

CR  5804C 

A8-1001 

ED 

A2-70 

CR  5  6  6  7 A 

A4-111 

ED 

A2-102 

ED 

A4-203 

CR  5439 

A9-152 

ED 

A2-104 

ED 

A4-204 

CR  5440 

A9-1001 

ED 

A2-133 

CR  5513 

A4-205 

CR  544 1 A 

A2-207 

CR  5804C 

A4-210 

CR  5804C 

A10-23 

ED 

A2-254 

ED 

A10-141 

CR  5804C 

A2-261 

ED 

A5-2 

ED 

A2-264 

ED 

A5-3 

ED 

All-3 

CR  5734 

A2-266 

CR  5636 

A5-6 

ED 

All-11 

CR  5735 

A2-266 

ED 

A5-7 

ED 

All-13 

CR  5737 

A2-301 

CR  5640 

A5-8 

ED 

All-16 

CR  5742 

A2-301 

CR  5804C 

A5-9 

ED 

All-16 

ED 

A2-301 

ED 

A5-10 

ED 

All-61 

CR  57  41 

A2-311 

ED 

A5-11 

ED 

All-66 

CR  5743 

A2-312 

ED 

A5-12 

ED 

A2-330 

ED 

A5-13 

ED 

A13-156 

ED 

A2-1001 

ED 

A5-106 

ED 

A5-108 

ED 

A16-11 

ED 

A3-1 

CR  5502C 

A5-151 

ED 

A16-12 

ED 

A3-2 

CR  5502C 

A5-152 

ED 

A16-205 

ED 

A3-3 

CR  5502C 

A5-155 

ED 

A3-3 

CR  5641 

A5-156 

ED 

A17-255 

ED 

A3-52 

ED 

A5-203 

ED 

A17-258 

ED 

A3-102 

CR  5502C 

A5-204 

ED 

All -1 0  6 

ED 

A3-103 

CR  5502C 

A5-205 

ED 

A3-151 

ED 

A5-208 

ED 

A18-553 

ED 

A3-152 

ED 

A5-209 

ED 

A18-557 

ED 

A3-201 

CR  5642 

A18-605 

ED 

A3-203 

CR  5786 

A6-3 

ED 

A8-19 

ED 

BOOK  MANAGER 

WPD  11/21/02 

FINAL  QA  ned  11/21/02 


Verify  that  this  is  the  correct  version  before  use. 


VOLUME  A  KEY 


PLEASE  NOTE  THAT  THE  NUMBERING  IN  SECTIONS  5,  6,  7,  10,  AND  13  HAS  BEEN  REORDERED.  ALL  GO/NO-GO 
CRITERIA  RULES  ARE  NUMBERED  WITH  THE  SECTION  NUMBER  AND  THENRULE  NUMBER  1001.  EXAMPLE:  A6-1001. 


NEW  RULE  # 


OLD  RULE  #  RULE  TITLE 


SECTION  Al  -  OPERATIONS  POLICY,  GENERAL,  AND  DEFINITIONS 


OPERATIONS  POLICY 


Al-l 

Al . 1 . 1-1 

Al-2 

Al . 1 . 1-2 

Al-3 

Al . 1 . 1-3 

Al-4 

Al . 1 . 1-4 

Al-5 

Al . 1 . 1-5 

Al-6 

Al . 1 . 1-6 

Al-7 

Al . 1 . 1-7 

NONE 

Al . 1 . 1-8 

Al-8 

Al . 1 . 1-9 

Al-9 

o 

I — 1 

1 

I — 1 

< 

Al-10 

Al . 1 . 1-11 

Al-l  1 

Al . 1 . 1-12 

Al-12 

Al . 1 . 1-13 

Al-13 

Al . 1 . 1-14 

Al-51 

Al. 1.2-1 

Al-52 

Al. 1.2-2 

a:  53 

Al. 1.2-3 

Al-54 

Al. 1.2-4 

Al-55 

Al. 1.2-5 

Al-5  6 

Al. 1.2-6 

Al-57 

Al. 1.2-7 

Al-58 

Al. 1.2-8 

Al-5  9 

Al. 1.2-9 

FLIGHT  RULE  PURPOSE 
REAL-TIME  OPERATING  POLICY 
PROGRAM  LIFETIME  OPERATING  POLICY 
MISSION  MANAGEMENT  TEAM  (MMT)  AUTHORITY 
FLIGHT  DIRECTOR  AUTHORITY 
SHUTTLE  COMMANDER  AUTHORITY 

FLIGHT  CONTROL  ROOM  (FOR)  SURGEON  AUTHORITY 
RESERVED 

WEATHER  DECISION  AUTHORITY 

POSTLANDING  DECISION  AUTHORITY 

POSTLANDING  EMERGENCY  DECLARATION 

SEARCH  AND  RESCUE  RESPONSIBILITY 

ORBITER  EMERGENCY  LANDING  SITE  (ELS)  AUTHORITY 

MCC  REAL-TIME  COMMAND  COORDINATION  POLICY 

Al-14  THROUGH  Al-50  RULES  ARE  RESERVED 

GENERAL 

VEHICLE  SYSTEM  LIMITS 
INTERIM  OR  UNCONFIRMED  LIMITS 
MANDATORY  INSTRUMENTATION  REQUIREMENTS 
FAILURE  DEFINITION  APPLICATION 
CONFLICTING  FLIGHT  RULES 

INSTRUMENTATION  ONBOARD  VS.  GROUND  READOUT  PHILOSOPHY 
FLIGHT-CRITICAL  MODING 

SHUTTLE  OPERATIONAL  DATA  BOOK  (SODB) ,  VOLUME  III,  DATA  USE 
ACTIVITIES  DURING  YEAR  END  ROLLOVER/LEAP  SECOND  INCORPORATION 
Al-60  THROUGH  Al-100  RULES  ARE  RESERVED 

GENERAL  DEFINITIONS 


Al-101 

Al . 1 . 3-1 

AS  SOON  AS  PRACTICAL  (ASAP) 

Al-102 

Al . 1 . 3-2 

HIGHLY  DESIRABLE  (HD) 

Al-103 

Al . 1 . 3-3 

MANDATORY  (M) 

Al-104 

Al . 1 . 3-4 

FLIGHT  PHASE 

Al-105 

Al . 1 . 3-5 

THROTTLE  SETTINGS 

Al-106 

Al . 1 . 3-6 

LANDING  SITES 

Al-107 

Al . 1 . 3-7 

LANDING  OPPORTUNITIES 

Al-108 

Al . 1 . 3-8 

POSTLANDING  CREW  EGRESS /ESCAPE  MODES 

Al-109 

Al . 1 . 3-9 

CREW  MEDICAL  (MED)  CONDITIONS 

Al -110 

Al . 1 . 3-10 

REMOTE  MANIPULATOR  SYSTEM  (RMS) 

Al-l 1 1 

Al . 1 . 3-11 

TIME  REFERENCE  DEFINITIONS 

Al-112 

Al . 1 . 3-12 

MULTIFUNCTION  ELECTRONIC  DISPLAY  SUBSYSTEM 

SECTION  A2  -  FLIGHT  OPERATIONS 

PRELAUNCH 

A2-1  A2. 1.1-1  PRELAUNCH  GO/NO-GO  REQUIREMENTS 

A2-2  A2. 1.1-2  ABORT  LANDING  SITE  REQUIREMENTS 


VOLUME  A  KEY 


NEW  RULE  # 

A2-5  9 
A2-60 
A2-61 
A2-62 
A2-63 
A2-64 
A2-65 
A2-66 
A2-67 
A2-68 
A2-69 


A2-101 

A2-102 

A2-103 

A2-104 

A2-105 

A2-106 

A2-107 

A2-108 

A2-109 

A2-110 

NONE 

NONE 

A2-111 

A2-112 

A2-113 

A2-114 

A2-115 

A2-116 

A2-117 

A2-118 

A2-119 

A2-120 

A2-121 

A2-122 

A2-123 

A2-124 

A2-125 

A2-126 

A2-127 

A2-128 

A2-129 

A2-130 

A2-131 

A2-132 

A2-133 

A2-134 

A2-135 


A2-201 

A2-202 

A2-203 

A2-204 

A2-205 


OLD  RULE  #  RULE  TITLE 


A2 . 1.2-10 
A2. 1.2-11 
A2 . 1.2-12 
A2. 1.2-13 
A2 . 1.2-14 
A2. 1.2-15 
A2. 1.2-16 
A2. 1.2-17 
A2. 1.2-18 
A2. 1.2-19 
A2. 1.2-20 


A2 . 1.3-0 
A2. 1.3-1 
A2. 1.3-2 
A2. 1.3-3 
A2. 1.3-4 
A2. 1.3-5 
A2 . 1.3-6 
A2. 1.3-7 
A2. 1.3-8 
A2. 1.3-9 
A2. 1.3-10 
A2. 1.3-11 
A2 . 1.3-12 
A2. 1.3-13 
A2. 1.3-14 
A2. 1.3-15 
A2. 1.3-16 
A2. 1.3-17 
A2. 1.3-18 
A2. 1.3-19 
A2. 1.3-20 
A2. 1.3-21 
A2. 1.3-22 
A2. 1.3-23 
A2. 1.3-24 
A2. 1.3-25 
A2 . 1.3-26 
A2. 1.3-27 
A2 . 1.3-28 
A2. 1.3-29 
A2 . 1.3-30 
A2. 1.3-31 
A2 . 1.3-32 
A2. 1.3-33 
A2. 1.3-34 
A2. 1.3-35 
A2. 1.3-36 


A2 . 1 . 4-1 
A2 . 1 . 4-2 
A2 . 1 . 4-3 
A2 . 1 . 4-4 
A2 . 1 . 4-5 


BFS  ENGAGE  CRITERIA 
NAVIGATION  UPDATE  CRITERIA 
Q-BAR/G-CONTROL 
ET  FOOTPRINT  CRITERIA 
ASCENT  STRING  REASSIGNMENT 
MANUAL  THROTTLE  CRITERIA 
OMS-1  DELAYED  TARGET  CRITERIA 
APU  SHUTDOWN  DELAY  CRITERIA 
ARD  UPDATE  CRITERIA 
ET  PHOTOGRAPHY 

REGAIN  RCS  JETS  FOR  RTLS  ET  SEPARATION 
A2-70  THROUGH  A2-100  RULES  ARE  RESERVED 

ORBIT 

VEHICLE  SYSTEMS  REDUNDANCY  DEFINITIONS 
MISSION  DURATION  REQUIREMENTS 
EXTENSION  DAY  REQUIREMENTS 
SYSTEMS  REDUNDANCY  REQUIREMENTS 
IN-FLIGHT  MAINTENANCE  ( IFM) 

PBD  OPERATIONS  [CIL] 

EVA  GUIDELINES 

CONSUMABLES  MANAGEMENT 

PREFERRED  ATTITUDE  FOR  WATER  DUMPS 

STRUCTURES  THERMAL  CONDITIONING 

RESERVED 

RESERVED 

DPS  COMMAND  CRITERIA 
PDRS 

OMS/RCS  DOWNMODING  CRITERIA 
OMS/RCS  MANEUVER  CRITICALITY 
ENGINE  SELECTION  CRITERIA 

RENDEZVOUS  (RNDZ ) /PROXIMITY  OPERATIONS  (PROX  OPS)  DEFINITIONS 

RNDZ/PROX  OPS  GNC  SYSTEMS  MANAGEMENT 

RNDZ /PROX  OPS  COMMUNICATION  SYSTEMS  MANAGEMENT 

RNDZ/PROX  OPS  SENSOR  REQUIREMENTS 

RNDZ/PROX  OPS  DPS  SYSTEMS  MANAGEMENT 

RNDZ/PROX  OPS  PROPULSION  SYSTEMS  MANAGEMENT 

RENDEZVOUS  MANEUVERS 

RENDEZVOUS  MANEUVER  SOLUTION  SELECTION  CRITERIA 

RENDEZVOUS  MANEUVER  EXECUTION 

RNDZ  OPS  DELAY 

RNDZ/PROX  OPS  BREAKOUT 

RENDEZVOUS  GUIDANCE 

EMCC/TMCC  ACTIVATION 

ORBITER  ON-ORBIT  HIGH  DATA  RATE  REQUIREMENTS 
PAYLOAD  OBJECTIVES  VS.  PAYLOAD  DAMAGE  POLICY 
ATTITUDE  RESTRICTIONS  FOR  ORBITAL  DEBRIS 
THERMAL  CONDITIONING  FOR  FLIGHT  DAY  1  LANDING 
POCC  THROUGHPUT  COMMAND  RATES 
ON-ORBIT  CRYO  MARGIN  BUYBACKS 

COMMANDER  (CDR)  AND  PILOT  (PLT)  PARTICIPATING  AS  TEST  SUBJECTS 
A2-136  THROUGH  A2-200  RULES  ARE  RESERVED 

DEORBIT 

DEORBIT  GUIDELINES 
EXTENSION  DAY  GUIDELINES 
DEORBIT  DELAY  GUIDELINES 
MDF  DEORBIT  GUIDELINES 
EMERGENCY  DEORBIT 


VOLUME  A  KEY 


NEW  RULE  # 

A2-262 

A2-263 

A2-264 

A2-265 


A2-301 


A2-311 

A2-312 

A2-313 

A2-314 

A2-315 

A2-316 

A2-317 

A2-318 

A2-319 

A2-320 

A2-321 

A2-322 

A2-323 

A2-324 

A2-325 

A2-326 

A2-327 

A2-328 

A2-329 

A2-330 

A2-331 

NONE 

NONE 

NONE 

NONE 

A2-332 

A2-333 

A2-334 

A2-335 

NONE 

NONE 

NONE 

NONE 


A2-1001 


OLD  RULE  # 

A2 . 1.5-12 
A2 . 1.5-13 

A2. 1.5-14 
A2 . 1.5-15 


A2 . 1 . 6-1 


A2 .6.1-1 
A2 .6.1-2 
A2 .6.1-3 
A2 .6.1-4 
A2 .6.1-5 
A2 .6.1-6 
A2 .6.1-7 
A2 .6.1-8 
A2 .6.1-9 
A2 .6.1-10 
A2 .6.2-5 
A2 .6.1-11 
A2 .6.1-12 
A2 .6.1-13 
A2 .6.1-14 
A2 .6.1-15 
A2 .6.1-16 
A2 .6.1-17 
A2 .6.1-18 
A2 .6.1-19 
A2 .6.1-20 
A2 .6.1-21 
A2 .6.1-22 
A2 .6.1-23 
A2 .6.1-24 
A2 .6.2-1 
A2 .6.2-2 
A2 .6.2-3 
A2 .6.2-4 
A2 .6.2-6 
A2 .6.2-7 
A2 .6.2-8 
A2 .6.2-9 


A2 . 1.7-1 


RULE  TITLE 

LANDING  DTO'S 

STA/WEATHER  AIRCRAFT  RUNWAY  APPROACH  OPERATIONS  FOR  SITES  WITH  ONLY  ONE 
RUNWAY 

EMERGENCY  LANDING  FACILITY  CRITERIA 

SINGLE  STRING  GPS  OPERATIONS 

A2-266  THROUGH  A2-300  RULES  ARE  RESERVED 

CONTINGENCY  ACTION  SUMMARY 

CONTINGENCY  ACTION  SUMMARY 

A2-302  THROUGH  A2-310  RULES  ARE  RESERVED 

SPACEHAB  OPERATIONS  MANAGEMENT 

SPACEHAB  SAFETY  DEFINITION  AND  MANAGEMENT 
REAL-TIME  SAFETY  COORDINATION 
GROUND  COMMANDING 

SPACEHAB  MINIMUM  DURATION  FLIGHT  CRITERIA 
POWERING  OFF  AND  REPOWERING  SPACEHAB  EQUIPMENT 
ORBITER-TO-SPACEHAB  HATCH  CONFIGURATION 
EVA  CONSTRAINTS 

ORBITAL  MANEUVERING  SYSTEM/REACTION  CONTROL  SYSTEM  (OMS/RCS)  CONSTRAINTS 
CONTAMINATION  AND  MICROGRAVITY  CONSTRAINTS 
COMMAND  AND  DATA  SYSTEM  CONSTRAINTS 
SPACEHAB  AIR-TO-GROUND  (A/G)  USAGE 

SPACEHAB  CAUTION  AND  WARNING  ANNUNCIATION  IN  MODULE 
COMMUNICATIONS  CONSTRAINTS 

SPACEHAB  IN-FLIGHT  MAINTENANCE  ( IFM)  PROCEDURES 

IFM  PROCEDURES  ON  EXPERIMENTS  WITH  TOXIC  HAZARDS 

EQUIPMENT  EXCHANGE  BETWEEN  ORBITER  CABIN  AND  SPACEHAB  MODULE 

SPACEHAB  MODULE/TUNNEL  SLEEP  CONSTRAINTS 

CREW  LIMITATIONS  IN  THE  SPACEHAB  MODULE 

SPACEHAB  DEACTIVATION/ENTRY  PREP 

EXTENSION  DAY  GROUND  RULES 

CONSTRAINTS  ON  CABLES  THROUGH  THE  SPACEHAB  HATCH  AND  TUNNEL 

RESERVED 

RESERVED 

RESERVED 

RESERVED 

LOSS  OF  SM  GPC  DURING  SPACEHAB  ACTIVATION/ENTRY  PREP 
LOSS  OF  PAYLOAD  MDM  DURING  SPACEHAB  ACT/ENTRY  PREP 
LOSS  OF  SM  MAJOR  FUNCTION 

LOSS  OF  ORBITER  MASTER  TIMING  UNIT  (MTU) /PAYLOAD  TIMING  BUFFER 

RESERVED 

RESERVED 

RESERVED 

RESERVED 

A2-336  THROUGH  A2-400  RULES  ARE  RESERVED 

ORBITER  SYSTEMS  GO/NO-GO  CRITERIA 

ORBITER  SYSTEMS  GO/NO-GO  CRITERIA 


SECTION  A3  -  GROUND  INSTRUMENTATION  REQUIREMENTS 
GENERAL 

A3-1  A3. 1.1-1  GROUND  REQUIREMENTS  OVERVIEW 

A3-2  A3. 1.1-2  MISSION  CONTROL  CENTER  (MCC)  REDUNDANCY  REQUIREMENTS 

a'}-'}  a  ^  i  i  —  ”3  Mnr  /n.qr  ARF.wnc: 


VOLUME  A  KEY 


NEW  RULE  # 


A3-151 

A3-152 

A3-153 

A3-154 

A3-155 

A3-156 


A3-201 

A3-202 

A3-203 


A4-1 

A4-2 

A4-3 

A4-4 


A4-51 

A4-52 

A4-53 

NONE 

A4-54 

A4-55 

A4-56 

A4-57 

A4-58 

A4-59 

NONE 

A4-60 

A4-61 

A4-62 


A4-101 

A4-102 

A4-103 

A4-104 

A4-105 

A4-106 

A4-107 

A4-108 

A4-109 

A4-110 

A4-111 

A4-112 


OLD  RULE  # 


A3 . 1 . 4-1 
A3 . 1 . 4-2 
A3 . 1 . 4-3 
A3 . 1 . 4-4 
A3 . 1 . 4-5 
A3 . 1 . 4-6 


A3. 1.5-1 
A3. 1.5-2 
A3. 1.5-3 


RULE  TITLE 

A3-103  THROUGH  A3-150  RULES  ARE  RESERVED 

MCC  EXTERNAL  INTERFACE  (VOICE  DATA)  PRELAUNCH  REQUIREMENTS 

MCC/KSC/45  SPW  INTERFACE 

GSFC/STDN  INTERFACE 

45  SPW/VAFB  INTERFACE 

45  SPW/WSMR  INTERFACE 

MCC/GSFC/NGT  INTERFACE 

MCC/ASCENT  ABORT  SITE  INTERFACE 

A3-157  THROUGH  A3-200  RULES  ARE  RESERVED 

NAVAIDS  REQUIREMENTS 

TACAN  REDUNDANCY  REQUIREMENTS  AND  ALTERNATE  TACAN  SELECTION  PHILOSOPHY 
MLS 

LANDING  AID  REQUIREMENTS 


SECTION  A4  -  TRAJECTORY  AND  GUIDANCE 


A4 . 1 . 1-1 
A4 . 1 . 1-2 
A4 . 1 . 1-3 
A4 . 1 . 1-4 


A 4 . 1.2-1 
A4. 1.2-2 
A4. 1.2-3 
A4. 1.2-4 
A4. 1.2-5 
A4. 1.2-6 
A4. 1.2-7 
A4. 1.2-8 
A4. 1.2-9 
A4. 1.2-10 
A4. 1.2-11 
A4. 1.2-12 
A4. 1.2-13 
A4. 1.2-14 


A4. 1.3-1 
A4. 1.3-2 
A4. 1.3-3 
A4. 1.3-4 
A4. 1.3-5 
A4. 1.3-6 
A4. 1.3-7 
A4. 1.3-8 
A4. 1.3-9 
A4. 1.3-10 
A4. 1.3-11 
A4. 1.3-12 


PRELAUNCH 

PERFORMANCE  ANALYSES 
LANDING  SITE  CONDITIONS 
ORBIT  CONJUNCTIONS/CONFLICTS 
DOLILU  OPERATIONS 

A4-5  THROUGH  A4-50  RULES  ARE  RESERVED 

ASCENT 

KALMAN  FILTER  SOLUTION 

ARD  THRUST  UPDATE  CRITERIA  AND  FPR 

USE  OF  MAXIMUM  THROTTLES 

RESERVED 

ABORT  MODE  RESPONSIBILITY 

DESIGN  AND  CRITICAL  MECO  UNDERSPEED  DEFINITIONS 

PERFORMANCE  BOUNDARIES 

NAVIGATION  UPDATES 

AUTO  GUIDANCE  NO-GO 

MANUAL  THROTTLE  SELECTION 

RESERVED 

MANUAL  SHUTDOWN  CRITERIA 

THRUST  LIMITING,  HYDRAULIC,  OR  ELECTRICAL  LOCKUP 
OMS-l/OMS-2  EXECUTION 

A4-63  THROUGH  A4-100  RULES  ARE  RESERVED 

ORBIT 

ONBOARD  NAVIGATION  MAINTENANCE 
MINIMUM  ORBITAL  LIFETIME 

OFF-NOMINAL  ORBITAL  ALTITUDE  RECOVERY  PRIORITIES 
OMS  LEAK/PERIGEE  ADJUST 
MINIMUM  TIME  OF  FREE  FALL 

DEBRIS  AVOIDANCE  CRITERIA  FOR  PREDICTED  CONJUNCTIONS  [HC] 
PLS/EOM  LANDING  OPPORTUNITY  REQUIREMENTS 
TIRE  SPEED,  BRAKING,  AND  ROLLOUT  REQUIREMENTS 
DEORBIT  PRIORITY  FOR  EOM  WEATHER 

AIMPOINT,  EVALUATION  VELOCITY,  AND  SHORT  FIELD  SELECTION 
RUNWAY  ACCEPTABILITY  CONDITIONS 

UPPER  AND  LOWER  LEVEL  MEASURED  WIND  AND  ATMOSPHERIC  DATA 


VOLUME  A  KEY 


NEW  RULE  # 

OLD  RULE  # 

RULE  TITLE 

A4-203 

A4 . 1 . 5-3 

ENTRY  NAVIGATION  UPDATE  PHILOSOPHY 

A4-204 

A4 . 1 . 5-4 

DELTA  STATE  POSITION  UPDATES 

A4-205 

A4 . 1 . 5-5 

DELTA  STATE  VELOCITY  UPDATES 

A4-206 

A4 . 1 . 5-6 

NAVIGATION  FILTER  MANAGEMENT  AUTO/INHIBIT/FORCE  (AIF) 

A4-207 

A4 . 1 . 5-7 

ENTRY  LIMITS 

A4-208 

A4 . 1 . 5-8 

ENTRY  TAKEOVER  RULES 

A4-209 

A4 . 1 . 5-9 

AERO  TEST  MANEUVERS 

A4-210 

A4 . 1 . 5-10 

EOM  ENTRY  DTO/RUNWAY  SELECTION  PRIORITIES 

A4-211  THROUGH  A4-250  RULES  ARE  RESERVED 

RANGE  SAFETY  FLIGHT  RULES 

A4-251 

A4 . 1 . 6-0 

SIGNATURE  SECTION 

A4-252 

A4 . 1 . 6-1 

POLICY 

A4-253 

A4 . 1 . 6-2 

DEFINITIONS 

A4-254 

A4 . 1 . 6-3 

FCO  TO  MCC  WARNING  NOTIFICATION 

A4-255 

A4 . 1 . 6-4 

MCC  TO  FCO  REPORTING 

A4-256 

A4 . 1 . 6-5 

CONTROLLABILITY 

A4-257 

A4 . 1 . 6-6 

FLIGHT  TERMINATION/MANUAL  MECO  EVALUATION 

A4-258 

A4 . 1 . 6-7 

FLIGHT  TERMINATION/MANUAL  MECO  CRITERIA 

A4-259 

A4 . 1 . 6-8 

FLIGHT  TERMINATION/MANUAL  MECO  ACTION 

A4-260 

A4 . 1 . 6-9 

RANGE  SAFETY  LIMIT  AVOIDANCE  ACTIONS 

SECTION  A5  -  BOOSTER 


A5-1 

A5 . 1 . 1-1 

FAILURE  DEFINITIONS 

LOSS  OF  SRB  THRUST  VECTOR  CONTROL  (TVC) 

A5-2 

A5 . 1 . 1-2 

SPACE  SHUTTLE  MAIN  ENGINE  OUT 

A5-3 

A5 . 1 . 1-3 

STUCK  THROTTLE 

A5-4 

A5 . 1 . 1-4 

DATA  PATH  FAILURE 

A5-5 

A5 . 1 . 1-5 

SUSPECT  ENGINE 

A5-6 

A5 . 1 . 1-6 

SSME  REDLINE  SENSOR  FAILED 

A5-10 

A5 . 1 . 1-7 

SIGNIFICANT  ENGINE  HELIUM  SYSTEM  LEAK 

A5-11 

A5 . 1 . 1-8 

SIGNIFICANT  PNEUMATIC  SYSTEM  HELIUM  LEAK 

A5-12 

A5 . 1 . 1-9 

INSUFFICIENT  PNEUMATIC  HELIUM  ACCUMULATOR  PRESSURE 

A5-13 

A5 . 1 . 1-10 

MPS  DUMPS  AND  VACUUM  INERTING  DEFINITIONS 

A5-7 

A5 . 1 . 1-11 

SSME  ONE  REDLINE  SENSOR  FAILURE  AWAY  FROM  AN  ERRONEOUS 

SHUTDOWN 

NONE 

A5 . 1 . 1-12 

RESERVED 

A5-12 

A5 . 1 . 1-13 

SPACE  SHUTTLE  MAIN  ENGINE  TYPES 

A5-13 

A5 . 1 . 1-14 

LH2  ULLAGE  LEAK 

A5-51 

A5 . 1 . 2-1 

A5-14  THROUGH  A5-50  RULES  ARE  RESERVED 

SRB  SYSTEMS  MANAGEMENT 

LOSS  OF  SRB  THRUST  VECTOR  CONTROL  (TVC) 

A5-101 

A5 . 1 . 3-1 

A5-52  THROUGH  A5-100  RULES  ARE  RESERVED 

SSME  SYSTEMS  MANAGEMENT 

ABORT  CUE  REQUIREMENT 

A5-102 

A5 . 1 . 3-2 

AUTO/MANUAL  SHUTDOWN 

A5-103 

A5 . 1 . 3-3 

LIMIT  SHUTDOWN  CONTROL 

A5-104 

A5 . 1 . 3-4 

DATA  PATH  FAIL/ENGINE-ON  LIMIT  SHUTDOWN  CONTROL 

A5-105 

A5 . 1 . 3-5 

DATA  PATH  FAIL/ENGINE-OUT  ACTION 

A5-106 

A5 . 1 . 3-6 

MANUAL  SHUTDOWN  FOR  COMMAND/DATA  PATH  FAILURES 

A5-108 

A5 . 1 . 3-7 

MANUAL  SHUTDOWN  FOR  HYDRAULIC  OR  ELECTRICAL  LOCKUP 

A5-109 

A5 . 1 . 3-8 

MANUAL  SHUTDOWN  FOR  TWO  STUCK  THROTTLES  (NOT  DUAL  APU 

FAILURES) 

A5-110 

A5 . 1 . 3-9 

SSME  PERFORMANCE  DISPERSION 

a  R-1 1 1 

a  r  i  s-i  n 

ar  RTTq  qPMCinR  F.T.P.PTR  OTJ  TPR  P  DM  TROT.  rOTT.l 

VOLUME  A  KEY 


NEW  RULE  # 

A5-202 

A5-203 

A5-209 

A5-204 

A5-205 

A5-206 

NONE 

A5-207 

A5-208 

A5-210 

A5-201 


A6-1 

A6-2 

A6-3 

A6-4 

A6-5 

A6-6 

A6-7 

A6-8 

A6-9 


A6-51 

A6-52 

A6-53 

A6-54 

A6-55 

A6-56 

A6-57 

A6-58 

A6-59 

A6-60 

A6-61 

A6-62 

A6-63 


A6-101 

A6-102 

A6-103 

A6-104 

A6-105 

A6-106 

A6-107 

A6-108 


OLD  RULE  #  RULE  TITLE 


A5. 1.5-1 
A5 . 1 . 5-2 
A5 . 1 . 5-3 
A5. 1.5-4 
A5 . 1 . 5-5 
A5. 1.5-6 
A5. 1.5-7 
A5. 1.5-8 
A5. 1.5-9 
A5. 1.5-10 
A5. 1.5-11 


ET  SEPARATION  INHIBIT  FOR  17-INCH  DISCONNECT  FAILURE  [OIL] 
MPS  PROPELLANT  MANIFOLD  OVERPRESSURE  [OIL] 

POST-MECO  AND  ENTRY  HELIUM  ISOLATION 
MANUAL  MPS  DUMP 

NOMINAL,  AO A,  AND  ATO  MPS  DUMP  FAILURES 

MANUAL  VACUUM  INERTING  REQUIREMENTS  (NOMINAL,  ATO,  AOA) 
RESERVED 

LH2  PRESSURIZATION  VENT  CONTROL 

ENTRY  MPS  HELIUM  PURGE/MANIFOLD  PRESSURIZATION 
ENTRY  MPS  PROPELLANT  DUMP  FAILURES  [CIL] 

MPS  DUMP  INHIBIT  [CIL] 


SECTION  A6  -  PROPULSION 


FAILURE  DEFINITIONS 


A6 . 1 . 1-1 
A6 . 1 . 1-2 
A6 . 1 . 1-3 
A6 . 1 . 1-5 
A6 . 1 . 1-4 
A6 . 1 . 1-8 
A6 . 1 . 1-7 
A6 . 1 . 1-6 
A6 . 1 . 1-10 


OMS/RCS  HELIUM  TANK 

OMS  PROPELLANT  TANK  (OXIDIZER  OR  FUEL) 

OMS  ENGINE 

OMS  N2  TANK 

OMS  N2  ACCUMULATOR 

OMS/RCS  CROSSFEED  LINE 

RCS  PROPELLANT  TANK  (OXIDIZER  OR  FUEL) 
RCS  THRUSTER 
RCS  JET  HEATER 

A6-10  THROUGH  A6-50  RULES  ARE  RESERVED 


A6. 1.2-17 
A6. 1.2-18 
A6. 1.2-21 
A6. 1.2-4 
A6. 1.2-1 
A6. 1.2-15 
A6 . 1 . 1-11 
A6. 1.2-23 
A6. 1.2-24 
A6. 1.2-9 
A6. 1.2-11 
A6. 1.2-14 
A6. 1.2-35 


OMS/RCS  MANAGEMENT 

OMS  FAILURE  MANAGEMENT  [CIL] 

RCS  FAILURE  MANAGEMENT 
OMS  HELIUM  INGESTION 

OMS  PROPELLANT  FAIL  FEED  CONSTRAINTS  [CIL] 

OMS  N2  TANK  FAILURE  MANAGEMENT 

OMS  N2  REGULATOR  FAILURE  MANAGEMENT 

AFT  RCS  PROPELLANT  TANK  FAIL/HELIUM  INGESTION 

RCS  REGULATOR  FAILURE  TROUBLESHOOTING 

LOSS  OF  AFT  RCS  LEAK  DETECTIONS 

RCS  MANIFOLD  CLOSURE  CRITERIA 

RCS  MANIFOLD/OMS  CROSSFEED  LINE  REPRESSURIZATION  [CIL] 
OMS/RCS  CONTINUOUS  VALVE  POWER  MANAGEMENT 
RCS  BFS  PVT  INIT  PRELAUNCH  CRITERIA 
A6-64  THROUGH  A6-100  RULES  ARE  RESERVED 


OMS 

A6. 1.2-33 

OMS 

A6. 1.2-5 

OMS 

A6. 1.2-34 

OMS 

A6. 1.2-8 

OMS 

A6. 1.2-28 

OMS 

A6. 1.2-6 

OMS 

A6. 1.2-25 

OMS 

A6. 1.2-7 

OMS 

OMS  ENGINE  MANAGEMENT 


A6-109  THROUGH  A6-150  RULES  ARE  RESERVED 


RCS  THRUSTER  MANAGEMENT 


VOLUME  A  KEY 


NEW  RULE  # 

A6-205 

A6-206 


A6-251 

A6-252 

A6-253 

A6-254 

A6-255 

A6-256 

A6-257 

A6-258 


A6-301 

A6-302 

A6-303 

A6-304 

A6-305 


A6-351 

A6-352 

A6-353 

A6-354 

A6-355 

A6-356 

A6-357 

A6-358 

A6-359 


OLD  RULE  # 

A6. 1.2-10 
A6. 1.2-16 


A6. 1.3-1 
A6 . 1 . 1-9 
A6. 1.3-2 
A6. 1.3-3 
A6. 1.3-4 
A6. 1.3-5 
A6. 1.3-6 
A6. 1.3-7 


A6 . 1 . 5-1 
A6. 1.5-2 
A6 . 1 . 5-3 
A6. 1.5-4 
A6. 1.5-5 


A6 . 1 . 4-1 
A6 . 1 . 4-2 
A6 . 1 . 4-3 
A6 . 1 . 4-4 
A6 . 1 . 4-5 
A6 . 1 . 4-6 
A6. 1.2-13 
A6. 1.5-6 
A6. 1.5-7 


RULE  TITLE 

RCS  LEAKING  PROPELLANT  TANK  BORN 
RCS  MANIFOLD/LEG  LEAK  PRESSURIZATION 
A6-207  THROUGH  A6-250  RULES  ARE  RESERVED 

THERMAL  REDLINES  AND  MANAGEMENT 

GENERAL 

OMS/RCS  POD  HEATER 

FORWARD  RCS  MODULE  TEMPERATURE  MANAGEMENT 

OMS/RCS  PODS  TEMPERATURE  MANAGEMENT 

OMS/RCS  CROSSFEED  LINES  TEMPERATURE  MANAGEMENT 

OMS/RCS  HEATER  PERFORMANCE  MONITORING 

RCS  JET  TEMPERATURE  MANAGEMENT 

ARCS  BULK  PROPELLANT  TEMPERATURE  MANAGEMENT 

A6-259  THROUGH  A6-300  RULES  ARE  RESERVED 

CONSUMABLES  DEFINITIONS  AND  REDLINES 

OMS  USABLE  PROPELLANT 
RCS  USABLE  PROPELLANT 
OMS  REDLINES  [CIL] 

FORWARD  RCS  REDLINES 
AFT  RCS  REDLINES 

A6-306  THROUGH  A6-350  RULES  ARE  RESERVED 

CONSUMABLES  MANAGEMENT 

OMS  PROPELLANT  MANAGEMENT  MATRIX 
OMS  PROPELLANT  BUDGET  GROUND  RULES 
CG  MANAGEMENT 

RCS  ENTRY  REDLINE  PROTECTION 

OMS  PROPELLANT  DEFICIENCY  FOR  DEORBIT 

DEORBIT  PLANNING  CRITERIA 

FORWARD  RCS  CONTINGENCY  PROPELLANT  AVAILABLE 
VIOLATION  OF  MISSION  COMPLETION  REDLINES  MATRIX 
RCS  PROPELLANT  CONSERVATION  PRIORITIES 
A6-360  THROUGH  A6-400  RULES  ARE  RESERVED 


A6-1001 


OMS/RCS  GO/NO-GO  CRITERIA 

A6. 1.5-8  OMS/RCS  GO/NO-GO  CRITERIA  [CIL] 


SECTION  A 7  -  DATA  SYSTEMS 


GPC  &  DATA  PATH  MANAGEMENT 


A7-1 

A7. 1.2-1 

PASS  DPS  FAILURE 

A7-2 

A7. 1.2-3 

UNRECOVERABLE  GPC 

A7-3 

A7. 1.3-3 

GPC  FAILURE 

A7-4 

A7. 1.2-4 

TRANSIENT  GPC 

A7-5 

A7. 1.3-10 

PASS  GPC  BCE  FAILURE  MANAGEMENT 

A7-6 

A7. 1.3-4 

DATA  PATH  FAILURE 

A7-7 

A7. 1.3-16 

POWERED  OFF  GPC  ACTION  (101S) 

A7-8 

A7. 1.3-1 

REDUNDANT  SET  FAILURE 

A7-9 

A7. 1.3-2 

REDUNDANT  SET  SPLIT 

A7-10 

A7 . 1 . 1-3 

GNC  GPC  REACTIVATION  PRIORITY 

A7-11 

A7 . 1 . 1-4 

GNC  GPC  REDUNDANCY  REQUIREMENTS 

A7-12 

A7 . 1 . 1-2 

PASS/BFS  REDUNDANCY 

A7-13 

A7. 1.3-5 

GPC  MAJOR  FUNCTION  CONFIGURATION 

VOLUME  A  KEY 


NEW  RULE  # 

A7-106 

A7-107 

A7-108 

A7-109 


A7-151 


A7-201 


A7-1001 


A8-1 

A8-2 

A8-3 

A8-4 

A8-5 

A8-6 

A8-7 

A8-8 

A8-9 

A8-10 

A8-11 

A8-12 

A8-13 

A8-14 

A8-15 

A8-16 

A8-17 

A8-18 

A8-19 

A8-20 

NONE 


A8-51 

A8-52 

A8-53 

A8-54 

A8-55 

A8-56 

A8-57 

A8-58 

A8-59 


OLD  RULE  # 


A 7 . 1.3-13 
A7. 1.3-14 
A 7 . 1.3-22 
A 7 . 1.3-15 


RULE  TITLE 

MMU  OPERATIONS 
TIME  MANAGEMENT 
DEO  EQUIVALENT  CRITERIA 
IN-FLIGHT  MAINTENANCE  ( IFM) 

A7-110  THROUGH  A7-150  RULES  ARE  RESERVED 

PAYLOAD  SPECIFIC  DPS  SYSTEMS  MANAGEMENT 


A7. 1.3-21  CONSTRAINTS  ON  PORT  MODING  OR  I/O  RESETS 

A7-152  THROUGH  A7-200  RULES  ARE  RESERVED 


DPS  EOM  REQUIREMENTS/DEFINITIONS 

A7. 1.1-1  DPS  REDUNDANCY  REQUIREMENTS 

A7-202  THROUGH  A7-200  RULES  ARE  RESERVED 

DPS  GO/NO-GO  MATRIX 

A7. 1.5-1  DPS  GO/NO-GO  MATRIX 


SECTION  A8  -  GUIDANCE,  NAVIGATION,  AND  CONTROL  (GNSC) 


A8 . 1 . 1-1 
A8 . 1 . 1-2 
A8 . 1 . 1-3 
A8 . 1 . 1-4 
A8 . 1 . 1-5 
A8 . 1 . 1-6 
A8 . 1 . 1-7 
A8 . 1 . 1-8 
A8 . 1 . 1-9 
A8 . 1 . 1-10 
A8 . 1 . 1-11 
A8 . 1 . 1-12 
A8 . 1 . 1-13 
A8 . 1 . 1-14 
A8 . 1 . 1-15 
A8 . 1 . 1-16 
A8 . 1 . 1-17 
A8 . 1 . 1-18 
A8 . 1 . 1-19 
A8 . 1 . 1-20 
A8 . 1 . 1-21 


A8. 1.2-1 
A8. 1.2-2 
A8. 1.2-3 
A8. 1.2-4 
A8. 1.2-5 
A8. 1.2-6 
A8. 1.2-7 
A8. 1.2-8 
A8. 1.2-9 


GENERAL 

FCS  DOWNMODE 

SSME  THRUST  VECTOR  CONTROL  (TVC)  HARDOVER 

LOSS  OF  GNC  SYSTEM 

FAULT  TOLERANCE  PHILOSOPHY 

ACCELEROMETER  ASSEMBLIES  (AA)  FAULT  TOLERANCE 

CONTROLLERS /FCS  SWITCHING  FAULT  TOLERANCE 

ENTRY  SYSTEMS  SINGLE-FAULT  TOLERANCE  VERIFICATION 

ENTRY  SYSTEMS  RM  DILEMMA 

AFT  STATION  GNC  REDUNDANCY 

POWER/DATA  PATH  REDUNDANCY 

LOSS  OF  BFS 

HEAD  UP  DISPLAY  (HUD)  AND  CREW  OPTICAL  ALIGNMENT  SIGHT  (COAS)  ALIGNMENT 

RTLS  ET  SEPARATION 

POWER  MANAGEMENT 

GNC  PARAMETERS/LRU  FAILURES 

GNC  SYSTEMS  FAILURES 

EQUIPMENT  REQUIRED  FOR  EMERGENCY  AUTOLAND 
LANDING  SYSTEMS  REQUIREMENTS 
YAW  JET  DOWNMODE 

ENTRY  ELEVON  SCHEDULE  SELECTION  CRITERIA 
RESERVED 

A8-21  THROUGH  A8-50  RULES  ARE  RESERVED 

FAILURE  DEFINITIONS 

PHILOSOPHY 
SENSOR  FAILURES 
OMS  TVC  LOSS 

FIRST  STAGE  LOSS  OF  CONTROL  DEFINITION 

ET  SEPARATION  RCS  REQUIREMENTS 

BFS  LRU  REQUIREMENTS 

PRELAUNCH  IMU  HOLD 

ADI  LOSS 

IMU  BITE  FAILURE  DEFINITION 


VOLUME  A  KEY 


NEW  RULE  # 

A8-113 

A8-114 


A8-1001 


A9-1 

A9-2 

A9-3 

A9-4 


A9-51 

A9-52 

A9-53 

A9-54 

A9-55 

A9-56 

A9-57 

A9-58 

A9-59 

A9-60 

A9-61 

A9-62 


A9-101 

A9-102 

A9-103 

A9-104 

A9-105 

A9-106 

A9-107 

A9-108 

A9-109 

A9-110 


A9-151 

A9-152 

A9-153 

A9-154 

A9-155 

A9-156 

A9-157 

A9-158 

A9-159 

A9-160 


OLD  RULE  # 


A8. 1.3-14 
A8. 1.3-15 


A8 . 1 . 6-1 


RULE  TITLE 

OMS  TVC  SYSTEM  MANAGEMENT 

ENTRY  BODY  BENDING  FILTER  SELECTION 

A8-115  THROUGH  A8-150  RULES  ARE  RESERVED 

GNC  GO/NO-GO  CRITERIA 

GNC  GO/NO-GO  CRITERIA 


SECTION  A9  -  ELECTRICAL 


A9 . 1 . 1-1 
A9 . 1 . 1-2 
A9  . 1 . 1-3 
A9 . 1 . 1-4 


A9. 1.2-1 
A9. 1.2-2 
A9. 1.2-3 
A9. 1.2-4 
A9. 1.2-5 
A9. 1.2-6 
A9 . 1 . 2-7 
A9. 1.2-8 
A9. 1.2-9 
A9. 1.2-10 
A9. 1.2-11 
A9. 1.2-12 


A9. 1.3-1 
A9. 1.3-2 
A9. 1.3-3 
A9. 1.3-4 
A9. 1.3-5 
A9. 1.3-6 
A9. 1.3-7 
A9. 1.3-8 
A9. 1.3-9 
A9. 1.3-10 


A9 . 1 . 4-1 
A9 . 1 . 4-2 
A9 . 1 . 4-3 
A9 . 1 . 4-4 
A9 . 1 . 4-5 
A9 . 1 . 4-6 
A9 . 1 . 4-7 
A9 . 1 . 4-8 
A9 . 1 . 4-9 
A9 . 1 . 4-10 


LOSS/FAILURE  DEFINITIONS 

FUEL  CELL  (FC)  LOSS  [OIL] 

FC  ALTERNATE  H20  SYSTEM  LOSS 

ELECTRICAL  POWER  DISTRIBUTION  AND  CONTROL  (EPDC)  SYSTEM  [CIL] 
CAUTION  AND  WARNING  (C&W) 

A9-5  THROUGH  A9-50  RULES  ARE  RESERVED 

FUEL  CELL  SYSTEMS  MANAGEMENT 

FC  POWER  LEVEL  CONSTRAINTS 
FC  PURGE 

FC  H20  SYSTEM  HEATERS 
FC  STANDBY  DEFINITION 
FC  SHUTDOWN  DEFINITION  [CIL] 

FC  SAFING 
REUSABLE  FC 
FC  SUSTAINER  HEATER 

FC  -  CELL  PERFORMANCE  MONITOR  [CIL] 

FC  COOLANT  PUMP  FAILURE  MANAGEMENT  [CIL] 

ACTIONS  FOR  FUEL  CELL  PH  INDICATIONS 
FUEL  CELL  MONITORING  SYSTEM  DATA  TAKE 
A9-63  THROUGH  A9-100  RULES  ARE  RESERVED 

DC  POWER  DISTRIBUTION  AND  CONTROL  SYSTEMS  MANAGEMENT 

DC  BUS  VOLTAGE  LIMITS 
ESSENTIAL  BUS 

POWER  REDUCTION  GUIDELINES 

MAIN  BUS  SHORT 

CB/RPC  RESET 

CONTROL  BUS 

MAIN  BUS  TIE  [CIL] 

CRITICAL  PHASE  BUS  MANAGEMENT 
PRIMARY  PAYLOAD  BUS  MANAGEMENT 
PREFLIGHT  TEST  BUS  MANAGEMENT 
A9-111  THROUGH  A9-150  RULES  ARE  RESERVED 

AC  POWER  DISTRIBUTION  AND  CONTROL  SYSTEMS  MANAGEMENT 

AC  INVERTER  MANAGEMENT 

AC  BUS  SENSORS  SWITCH  MANAGEMENT 

AC  BUS  LOADING 

AC  LOAD  MANAGEMENT  DURING  ASCENT 

AC  INVERTER  THERMAL  LIFE 

LOSS  OF  SINGLE-PHASE  AC 

LOSS  OF  TWO-PHASE  AC 

AC  POWER  TRANSFER  CABLE 

MOTOR  CONTROL  ASSEMBLY  (MCA) 

CAUTION  AND  WARNING  (C&W)  [CIL] 


VOLUME  A  KEY 


NEW  RULE  #  OLD  RULE  #  RULE  TITLE 

A9-257  A9. 1.6-7  POWER  REACTANT  STORAGE  AND  DISTRIBUTION  (PRSD)  H2  AND  02  REDLINE 

DETERMINATION 

A9-258  A9. 1.6-8  CRYO  02  AND  H2  PRESSURE  MANAGEMENT 

A9-259  A9. 1.6-9  CRYO  02/H2  MANIFOLD  VALVES 

A9-260  A9. 1.6-10  CRYO  SYSTEM  LEAKS  [CIL] 

A9-261  A9. 1.6-11  IMPENDING  LOSS  OF  ALL  CRYO 

A9-262  A9. 1.6-12  EDO  PALLET  MANAGEMENT 

A9-263  THROUGH  A9-300  RULES  ARE  RESERVED 

SPACEHAB  SUPPORT 

A9-301  A9 .6.1-1  SPACEHAB  DC  BUSES 

A9-302  A9 .6.1-2  SPACEHAB  AC  INVERTER 

A9-303  THROUGH  A9-350  RULES  ARE  RESERVED 

SPACEHAB  ELECTRICAL  POWER  SUBSYSTEM  (EPS)  MANAGEMENT 

A9. 6.2-1  RESERVED 

A9. 6.2-9  ELECTRICAL  POWER  SUBSYSTEM  (EPS)  CONSTRAINTS 

A9. 6.2-2  SPACEHAB  MAIN  BUS  MANAGEMENT 

A9. 6.2-3  SPACEHAB  EMERGENCY  BUS  LOSS 

A9. 6.2-4  SPACEHAB  AC  MANAGEMENT 

A9. 6.2-5  FUSE/CIRCUIT  BREAKER  MANAGEMENT 

A9. 6.2-6  FUEL  CELL  FAILURE  MANAGEMENT 

A9. 6.2-7  SPACEHAB  SURVIVAL  POWER  CONFIGURATION 

A9. 6.2-8  CAUTION  AND  WARNING  (C&W) 

A9-359  THROUGH  A9-400  RULES  ARE  RESERVED 

ELECTRICAL  GO/NO-GO  CRITERIA 

A9-1001  A9. 1.7-1  ELECTRICAL  GO/NO-GO  CRITERIA 


SECTION  A10  -  MECHANICAL 


AUXILIARY  POWER  UNIT  (APU)  LOSS  FAILURE/DEFINITION 

A10-1  A10. 1.1-1  APU  LOSS  DEFINITIONS 

A10-2  THROUGH  A10-20  RULES  ARE  RESERVED 

APU  SYSTEMS  MANAGEMENT 

A10. 1.2-1  LOSS  OF  APU/HYDRAULIC  SYSTEM (S)  ACTIONS 

A10. 1.2-2  APU  START/RESTART  LIMITS 

A10. 1.2-3  APU  ENTRY  START  TIME 

A10. 1.2-4  APU  OIL/GEARBOX  TEMPERATURE/PRESSURE 

A10. 1.2-5  APU  HIGH  SPEED  SELECTION/SHIFT 

A10. 1.2-6  APU  AUTO  SHUTDOWN  INHIBIT  MANAGEMENT 

A10. 1.2-7  APU  FUEL  LEAKS  [CIL] 

A10. 1.2-8  AOA  APU/HYDRAULIC  SYSTEM  OPERATIONS 

A10. 1.2-9  FCS  CHECKOUT  APU  OPERATIONS 

A10. 1.2-10  LOSS  OF  APU  HEATERS/INSTRUMENTATION  [CIL] 

A10. 1.2-11  APU  FREEZE/THAW 

A10. 1.2-12  APU/HYD  CONSUMABLES 

A10. 1.2-13  APU  DEFINITIONS 

A10-34  THROUGH  A10-50  RULES  ARE  RESERVED 

HYDRAULIC  SYSTEMS  LOSS/FAILURE  DEFINITIONS 

A10-51  A10. 1.3-1  HYDRAULIC  LOSS  DEFINITIONS 

A10-52  THROUGH  A10-70  RULES  ARE  RESERVED 


A10-21 

A10-22 

A10-23 

A10-24 

A10-25 

A10-26 

A10-27 

A10-28 

A10-29 

A10-30 

A10-31 

A10-32 

A10-33 


NONE 

A9-351 

A9-352 

A9-353 

A9-354 

A9-355 

A9-356 

A9-357 

A9-358 


VOLUME  A  KEY 


NEW  RULE  #  OLD  RULE  #  RULE  TITLE 


LANDING/DECEL  SYSTEMS  MANAGEMENT 

A10-141  A10. 1.7-1  NOSE  WHEEL  STEERING  (NWS) 

A10-142  A10. 1.8-1  TIRE  PRESSURE  [OIL] 

A10-143  A10. 1.8-2  DRAG  CHUTE  DEPLOY  TECHNIQUES 

A10-144  A10. 1.8-3  DRAG  CHUTE  DEPLOY  CONSTRAINTS 

A10-145  A10. 1.8-4  UNCOMMANDED  BRAKE  PRESSURE  [CIL] 

A10-146  A10. 1.8-5  BRAKING 

A10-147  THROUGH  A10-160  RULES  ARE  RESERVED 

MECHANICAL  SYSTEMS  LOSS/FAILURE  DEFINITIONS 

A10-161  A10. 1.9-1  DRIVE  MECHANISMS  LOSS  DEFINITIONS 

A10-162  THROUGH  A10-180  RULES  ARE  RESERVED 

GENERAL  MECHANISMS  SYSTEMS  MANAGEMENT 

A10-181  A10. 1.10-1  DRIVE  MECHANISMS 

A10-182  THROUGH  A10-200  RULES  ARE  RESERVED 

PAYLOAD  DOOR  (PLBD)  SYSTEMS  MANAGEMENT 

A10-201  A10. 1.11-1  PLBD  GENERAL 

A10-202  A10. 1.11-2  PLBD  VISUAL  CUES 

A10-203  A10. 1.11-3  PLBD  CRITICAL  LATCHES 

A10-204  A10. 1.11-4  FAILED  PLBD  GPC  SEQUENCE 

A10-205  A10. 1.11-5  PLBD  CLEARANCE  CONSTRAINTS 

A10-206  A10. 1.11-6  PLBD  CLOSE  GO/NO-GO 

A10-207  A10. 1.11-7  PLBD  OVERLAP 

A10-208  A10. 1.11-8  CONTINGENCY  PLBD  CLOSURE 

A10-209  A10. 1.11-9  PLBD  RULE  REFERENCE  MATRIX 

A10-210  THROUGH  A10-220  RULES  ARE  RESERVED 


RADIATOR  SYSTEMS  MANAGEMENT 

A10-221  A10. 1.12-1  RADIATOR  MECHANICAL 

A10-222  A10. 1.12-2  RADIATOR  VISUAL  CUES 

A10-223  THROUGH  A10-240  RULES  ARE  RESERVED 

ET  UMBILICAL  DOORS  SYSTEMS  MANAGEMENT 

A10-241  A10. 1.13-1  ET  UMBILICAL  DOOR  KEYBOARD  ENTRY 

A10-242  A10. 1.13-2  ET  UMBILICAL  DOORS  ON  ORBIT 

A10-243  A10. 1.13-3  ET  UMBILICAL  DOOR  CLOSURE  DELAY  FOR  DISCONNECT  VALVE  FAILURE  [CIL] 

A10-244  THROUGH  A10-260  RULES  ARE  RESERVED 

VENT  DOOR  SYSTEMS  MANAGEMENT 

A10-261  A10. 1.14-1  VENT  DOOR  MANAGEMENT 

A10-262  THROUGH  A10-280  RULES  ARE  RESERVED 

PAYLOAD  RETENTION  LATCHES  (PRLA)  SYSTEMS  MANAGEMENT 

A10-281  A10. 1.15-1  PRLA' S/AKA'S 

A10-282  THROUGH  A10-300  RULES  ARE  RESERVED 

KU-BAND  ANTENNA  DEPLOY  MECHANISM  SYSTEMS  MANAGEMENT 

A10-301  A10. 1.16-1  ANTENNA  STOW  REQUIREMENT  [CIL] 

A10-302  A10. 1.16-2  DAP  CONFIGURATION  FOR  ANTENNA  STOW 

A10-303  A10. 1.16-3  ANTENNA  CONTINGENCY  PROCEDURES 

NONE  A1 0.1. 16- 4  RESERVED 

A10-304  THROUGH  A10-320  RULES  ARE  RESERVE! 


VOLUME  A  KEY 


NEW  RULE  # 

A10-362 

A10-363 

A10-364 

A10-365 


A10-381 

A10-382 

A10-383 

A10-384 

A10-385 


A10-1001 


All-1 

All-2 

All-3 

All-4 

All-5 

All-6 

All-7 

All-8 

All-9 

All-10 

All-11 

All-12 

All-13 

All-14 

All-15 

All-16 

All-17 

All-18 

All-19 

All-20 

All-21 

All-22 

NONE 

All-23 


All-51 

All-52 

All-53 

All-54 

All-55 

All-56 

All-57 

SI  1  -Rfi 


OLD  RULE  #  RULE  TITLE 


A10.6.1-2 

A10.6.1-3 

A10.6.1-4 

A10.6.1-5 


A10 . 1 . 17-1 
A10 . 1 . 17-2 
A10 . 1 . 17-3 
A10 . 1 . 17-4 
A10 . 1 . 17-5 


A10. 1.20-1 


CRACKED  VIEWPORT 

VIEWPORT  CONFIGURATION  FOR  CLOSED  SPACEHAB  HATCH 
LOSS  OF  VP  PRESSURE  INTEGRITY 
EVA  REQUIREMENTS  FOR  FAILED  VP  OUTER  COVER 
A10-366  THROUGH  A10-380  RULES  ARE  RESERVED 

STRUCTURAL  MANAGEMENT 

THERMAL  WINDOWPANE  FAILURE  [CIL] 

PRESSURE/REDUNDANT  WINDOWPANE  FAILURE 

BAILOUT/POSTLANDING  EMERGENCY  EGRESS  PYROTECHNICS  MANAGEMENT 

MAXIMUM  NUMBER  OF  FILLED  CWC' S 

FILLED  CWC  STOWAGE  MANAGEMENT 

A10-386  THROUGH  A10-400  RULES  ARE  RESERVED 

MMACS  GO/NO-GO  CRITERIA 

MMACS  GO/NO-GO  CRITERIA 


SECTION  All  -  COMMUNICATIONS 


SYSTEM  MANAGEMENT  RULES 


All . 1 . 1-1 
All . 1 . 1-2 
All . 1 . 1-3 
All . 1 . 1-4 
All . 1 . 1-5 
All . 1 . 1-6 
All . 1 . 1-7 
All . 1 . 1-8 
All . 1 . 1-9 
All . 1 . 1-10 
All . 1 . 1-11 
All . 1 . 1-12 
All . 1 . 1-13 
All . 1 . 1-14 
All . 1 . 1-15 
All . 1 . 1-16 
All . 1 . 1-17 
All . 1 . 1-18 
All . 1 . 1-19 
All . 1 . 1-20 
All . 1 . 1-21 
All . 1 . 1-22 
All . 1 . 1-23 
All . 1 . 1-24 


COMMUNICATIONS  DURING  ASCENT 
S-BAND/UHF  LAUNCH  REQUIREMENT 
UPLINK  HANDOVER  DURING  ASCENT  FROM  KSC 
ORBITER  DATA  PRIORITY  DURING  ASCENT/ENTRY 
POSTLANDING  S-BAND  ANTENNA  SELECTION 

MINIMUM  COMMUNICATIONS  REQUIREMENTS  FOR  SCHEDULED  EVA 

KU-BAND  OPERATIONS  DURING  EVA 

ORBITER  S-BAND  OPERATIONS  DURING  EVA 

RECORDER  USAGE 

UHF  USAGE 

S-BAND  FM  USAGE 

S-BAND  PM  USAGE 

S-BAND  PAYLOAD  USAGE 

CREW  ALERT  SPC'S 

ELBOW  CAMERA/PAYLOAD  INTERFERENCE  [CIL] 

KU-BAND  MANAGEMENT 

PI  CHANNELS  AND  S-BD  FREQUENCIES  COMPATIBILITIES 
COMSEC  USAGE 
UPLINK  BLOCK 

UPLINK  COMMANDING  DURING  OPS  TRANSITIONS 
CRITICAL  UPLINK  COMMAND  POLICY 
TWO-STAGE  COMMAND  BUFFER  TLM  REJECT 
RESERVED 

KU  BAND  TRANSMITTER  INHIBITED  DURING  ACQUISITION  OF  TDRS  INSIDE  THE  RF 
PROTECT  BOX 

All-24  THROUGH  All-50  RULES  ARE  RESERVED 

SYSTEM  FAILURE  RULES 


All. 1.2-1 

LOSS 

All. 1.2-2 

LOSS 

All. 1.2-3 

LOSS 

All. 1.2-4 

LOSS 

All. 1.2-5 

LOSS 

All. 1.2-6 

LOSS 

All. 1.2-7 

LOSS 

All  1  9-R 

T.nqq 

OF  TWO-WAY  VOICE 

OF  BOTH  VOICE  AND  COMMAND 

OF  COMMAND 

OF  TELEMETRY 

OF  KU-BAND 

OF  KU-BAND  TEMPERATURE  CONTROL  [CIL] 

OF  KU-BAND  TEMPERATURE  MONITORING  CAPABILITY 
of  TRaw.cipnMnp.R.q 


[CIL] 


VOLUME  A  KEY 


NEW  RULE  # 

All-77 


All-1001 


A12-1 

A12-2 

A12-3 

A12-4 

A12-5 

A12-6 

A12-7 

A12-8 

A12-9 


A12-51 

A12-52 

A12-53 


A12-71 

A12-72 

A12-73 

A12-74 


A12-91 

A12-92 


A12-111 

A12-112 

A12-113 

A12-114 

A12-115 

A12-116 

A12-117 

A12-118 

NONE 


A12-141 

A12-142 


OLD  RULE  # 

All. 1.2-27 


All. 1.3-1 


RULE  TITLE 

LOSS  OF  ANY  01  DSC 

All-78  THROUGH  All-100  RULES  ARE  RESERVED 

COMMUNICATIONS  GO/NO-GO  CRITERIA 

COMMUNICATIONS  GO/NO-GO  CRITERIA 


SECTION  A12  -  ROBOTICS 


A12 . 1 . 1-1 
A12 . 1 . 1-2 
A12 . 1 . 1-3 
A12 . 1 . 1-4 
A12 . 1 . 1-5 
A12 . 1 . 1-6 
A12 . 1 . 1-7 
A12 . 1 . 1-8 
A12 . 1 . 1-9 


A12. 1.2-1 
A12. 1.2-2 
A12. 1.2-3 


A12. 1.3-1 
A12. 1.3-2 
A12. 1.3-3 
A12. 1.3-4 


A12 . 1 . 4-1 
A12 . 1 . 4-2 


A12 . 1 . 5-1 
A12 . 1 . 5-2 
A12 . 1 . 5-3 
A12 . 1 . 5-4 
A12 . 1 . 5-5 
A12 . 1 . 5-6 
A12 . 1 . 5-7 
A12 . 1 . 5-8 
A12 . 1 . 5-9 


A12 . 1 . 6-1 
A12 . 1 . 6-2 


GENERAL 

EVA  FOR  RMS  OPERATIONS 
UNATTENDED  RMS  CONSTRAINTS 
TEMPERATURE  CONSTRAINTS  [CIL] 

RMS  ACTIVITY  TERMINATION 

ORBITER  AVOIDANCE  MANEUVERS  CONSTRAINT  [CIL] 

OMS/RCS  CONSTRAINTS 

RMS  IFM  D&C  KIT 

RMS  OPCODE  UPLINKS 

RMS  MCIU  BITE  OVERRIDES  [CIL] 

A12-10  THROUGH  A12-50  RULES  ARE  RESERVED 

MPM/MRL  LOSS/FAILURE  DEFINITIONS 

MPM/MRL  POSITIONING 
MPM  FAILED  IN  TRANSIT 
MRL  FAILED  IN  TRANSIT 

A12-54  THROUGH  A12-70  RULES  ARE  RESERVED 

MPM/MRL  SYSTEMS  MANAGEMENT 

MPM/MRL  CYCLING 

MPM  DEPLOY/STOW  CONSTRAINTS 

MRL  CONSTRAINTS 

INADVERTENT  MPM  CYCLING  PROTECTION  [CIL] 
A12-75  THROUGH  A12-90  RULES  ARE  RESERVED 


RMS  PREOPERATION  SYSTEM  MANAGEMENT 

SHOULDER  BRACE  OPERATION 
RMS  CHECKOUT 

A12-93  THROUGH  A12-110  RULES  ARE  RESERVED 

RMS  DRIVE  SYSTEM  MANAGEMENT 

MODE  AVAILABILITY  DRIVE  CONSTRAINT 
FIELD  OF  VIEW  CONSTRAINT  [CIL] 

AUTO  MODE  ENTRY  CONSTRAINT  [CIL] 

ORBITER  PROXIMITY  CONSTRAINTS  [CIL] 
INOPERATIVE  BRAKE  CONSTRAINT  [CIL] 

AUTO  BRAKES  CONSTRAINT  [CIL] 

CONTINGENCY  STOP  [CIL] 

POHS  AND  LEFT-HANDED  COORDINATE  SYSTEMS 
RESERVED 

A12-119  THROUGH  A12-140  RULES  ARE  RESERVED 

END  EFFECTOR  (EE)  LOSS/FAILURE  DEFINITIONS 

EE  BACKUP  RELEASE 
EE  CAPTURE/RIGIDIZE 


VOLUME  A  KEY 


NEW  RULE  # 


A13-1 

A13-2 


A13-21 

A13-22 

A13-23 

A13-24 

A13-25 

A13-26 

A13-27 

A13-28 

A13-29 

A13-30 

A13-31 

A13-32 

A13-33 


A13-51 

A13-52 

A13-53 

A13-54 


A13-101 

A13-102 

A13-103 

A13-104 

A13-105 


A13-151 

A13-152 

A13-153 

A13-154 

A13-155 

A13-156 

NONE 

NONE 


A13-201 


OLD  RULE  #  RULE  TITLE 


SECTION  A13  -  AEROMED 


A13 . 1 . 1-1 
A13 . 1 . 1-2 


A13. 1.2-1 
A13. 1.2-2 
A13. 1.2-9 
A13. 1.2-10 
A13. 1.2-11 
A13. 1.2-19 
A13. 1.2-20 
A13. 1.2-21 
A13. 1.2-25 
A13. 1.2-28 
A13. 1.2-30 
A13. 1.2-22 
A13. 1.2-31 


A13. 1.2-3 
A13. 1.2-4 
A13. 1.2-5 
A13. 1.2-6 


A13. 1.2-8 
A13. 1.2-29 
A13. 1.2-7 
A13. 1.2-26 
A13. 1.2-27 


A13. 1.2-12 
A13. 1.2-13 
A13. 1.2-14 
A13. 1.2-17 
A13. 1.2-15 
A13. 1.2-16 
A13. 1.2-23 
A13. 1.2-24 


A13. 1.3-1 


ASCENT 

ASCENT  ABORT 

SPACEHAB  SAFE  ATMOSPHERE  REQUIREMENTS  -  UNPOWERED  ASCENT 
A13-3  THROUGH  A13-20  RULES  ARE  RESERVED 

ON-ORBIT 

EARLY  FLIGHT  TERMINATION 
ONBOARD  MEDICAL  KIT 

PRIVATE  MEDICAL  COMMUNICATION  (PMC) 

CPHS  PROTOCOLS 

CREW  AWAKE  TIME  CONSTRAINT 

ACCELERATION  RESTRICTIONS  ON  MEDICAL  PROCEDURES 
LOWER  BODY  NEGATIVE  PRESSURE  (LBNP ) 

LBNP  TEST  TERMINATION  CRITERIA 
NOISE  LEVEL  CONSTRAINTS 
IODINE  REMOVAL  REQUIREMENT 
CREW  CABIN  TEMPERATURE  LIMITS 
INTENSE  CYCLE  EXERCISE 
EXERCISE  REQUIREMENTS 

A13-34  THROUGH  A13-50  RULES  ARE  RESERVED 

ATMOSPHERE 

CABIN  PRESSURE 

PPC02  CONSTRAINT 

MINIMUM  PP02  CONSTRAINTS 

100  PERCENT  OXYGEN  USE  CONSTRAINT 

A13-55  THROUGH  A13-100  RULES  ARE  RESERVED 

EVA  OPERATIONS 

SCHEDULED  AND  UNSCHEDULED  EVA  CONSTRAINTS 
MAXIMUM  EVA  DURATION  CONSTRAINTS 
EVA  PREBREATHE  PROTOCOL 

DECOMPRESSION  SICKNESS  SYMPTOMS  AND  CREW  DISPOSITION 
DECOMPRESSION  SICKNESS  RESPONSE  AND  TREATMENT 
A13-106  THROUGH  A13-150  RULES  ARE  RESERVED 

HAZARD  MANAGEMENT 

HOT  CABIN  ATMOSPHERE 

CABIN  ATMOSPHERE  CONTAMINATION 

BROKEN  GLASS/HAZARDOUS  SUBSTANCE  CONSTRAINT 

HAZARDOUS  SPILL  LEVEL  DEFINITIONS 

ORBITER  HAZARDOUS  SUBSTANCE  SPILL  RESPONSE 

SPACEHAB  HAZARDOUS  SUBSTANCE  SPILL  RESPONSE 

RESERVED 

RESERVED 

A13-157  THROUGH  A13-200  RULES  ARE  RESERVED 

ENTRY 

ANTI-G  SUIT  PROTOCOL  (ANTI-ORTHOSTATIC  COUNTERMEASURE 


VOLUME  A  KEY 


NEW  RULE  # 

OLD  RULE  # 

RULE  TITLE 

A14-10 

A14  . 1 . 1-10 

LEGAL  EXPOSURE  LIMITS  [HC] 

A14-11 

A14 . 1 . 1-11 

SHUTTLE  ADMINISTRATIVE  LIMIT  [HC] 

A14-12 

A14 . 1 . 1-12 

HIGH  DOSE  RATE  LIMITS  [HC] 

A14-13  THROUGH  A14-50  RULES  ARE  RESERVED 

MANAGEMENT 

A14-51 

A14. 1.2-1 

CREW  RADIATION  EXPOSURE  LIMITS  [HC] 

A14-52 

A14. 1.2-2 

ACTIONS  REQUIRED  FOR  RADIATION  ENVIRONMENT  CONDITIONS 

-  PRELAUNCH 

A14-53 

A14. 1.2-3 

ACTIONS  REQUIRED  FOR  RADIATION  ENVIRONMENT  CONDITIONS 

-  ON  ORBIT 

A14-54 

A14. 1.2-4 

GO/NO-GO  CRITERIA  FOR  EVA  BASED  ON  RADIATION  EXPOSURE 

[HC] 

NONE 

A14. 1.2-5 

RESERVED 

NONE 

A14. 1.2-6 

RESERVED 

A14-55 

A14. 1.2-7 

DOWNGRADING  TO  NOMINAL  FROM  ALERT  OR  CONTINGENCY 
A14-56  THROUGH  A14-100  RULES  ARE  RESERVED 

SPACE  ENVIRONMENT  GO/NO-GO  CRITERIA 

A14-1001 

A14. 1.3-1 

SPACE  ENVIRONMENT  GO/NO-GO  CRITERIA  [HC] 

SECTION  A15  —  EXTRAVEHICULAR  ACTIVITY  (EVA) 


GENERAL 


A15-1 

A15 . 1 . 1-1 

A15-2 

A15 . 1 . 1-2 

A15-3 

A15 . 1 . 1-3 

A15-4 

A15 . 1 . 1-4 

A15-5 

A15 . 1 . 1-5 

A15-6 

A15 . 1 . 1-6 

A15-7 

A15 . 1 . 1-7 

A15-8 

A15 . 1 . 1-8 

A15-9 

A15 . 1 . 1-9 

A15-10 

A15 . 1 . 1-10 

A15-11 

A15 . 1 . 1-11 

A15-12 

A15 . 1 . 1-12 

A15-13 

A15 . 1 . 1-13 

A15-14 

A15 . 1 . 1-14 

A15-15 

A15 . 1 . 1-15 

A15-16 

A15 . 1 . 1-16 

A15-17 

A15 . 1 . 1-17 

A15-18 

A15 . 1 . 1-18 

A15-19 

A15 . 1 . 1-19 

A15-20 

A15 . 1 . 1-20 

A15-21 

A15 . 1 . 1-21 

A15-22 

A15 . 1 . 1-22 

A15-23 

A15 . 1 . 1-23 

A15-24 

A15 . 1 . 1-24 

A15-25 

A15 . 1 . 1-25 

A15-26 

A15 . 1 . 1-26 

EVA  TIME  DEFINITION 

TERMINATE  EVA  DEFINITION 

ABORT  EVA  DEFINITION 

SCHEDULED  EVA  DEFINITION 

UNSCHEDULED  EVA  DEFINITION 

CONTINGENCY  EVA  DEFINITION 

MINIMUM  RF  COMMUNICATIONS  DEFINITION 

OPERATIONAL  CAUTION  AND  WARNING  SYSTEM  (CWS)  DEFINITION 

TWO/ ONE-CREWMEMBER  EVA  GUIDELINES 

EVA  CREWMEMBER (S)  SUPPORT 

SAFETY  TETHER  REQUIREMENTS 

HAZARDOUS  EQUIPMENT  SAFING 

AIRLOCK  CONFIGURATION 

SCHEDULED  AND  UNSCHEDULED  EVA  CONSTRAINTS 
CONTINGENCY  EVA  PROTECTION 
EVA  TERMINATION  FOR  CABIN  LEAK 
PAYLOAD  BAY  CONFIGURATION  POST-EVA 
PAYLOAD  OPERATION/DEPLOY  GUIDELINE 
UNSCHEDULED  EVA  PREPARATION 
ECG  TELEMETRY  CHECKOUT 
LEAKING  RCS  THRUSTER/APU  AVOIDANCE 
RCS/APU  THRUSTER  PLUME  AVOIDANCE 

EV  CREW  IN  VICINITY  OF  ACTIVE  PAYLOAD  RETENTION  LATCH  ASSEMBLIES 
EVA  OPERATIONS  IN  THE  GENERIC  PAYLOAD  BAY  ENVELOPE 
ORBITER  EVA  OPERATIONS  NEAR  S-BAND  ANTENNAS 

KEEPOUT  ZONE  FOR  EVA  OPERATIONS  NEAR  THE  ORBITER  UHF  PAYLOAD  BAY  ANTENNA 
A15-27  THROUGH  A15-100  RULES  ARE  RESERVED 

LOSS/FAILURE  DEFINITIONS 


A15-101 

A15. 1.2-1 

EVA  CAPABILITY 

A15-102 

A15. 1.2-2 

EMU  GO/NO-GO  CRITERIA 

NONE 

A15. 1.2-3 

RESERVED 

A15-103  THROUGH  A15-150  RULES  ARE  RESERVED 


SYSTEMS  MANAGEMENT 


VOLUME  A  KEY 


NEW  RULE  #  OLD  RULE  #  RULE  TITLE 

A15-202  A15. 1.4-2  EXTERNAL  AIRLOCK  LCG  PRESSURE  AND  TEMPERATURE  MANAGEMENT  USING  THE  EMU 

A15-203  A15. 1.4-3  CABIN  ATMOSPHERE  DECONTAMINATION  FOLLOWING  EVA 

A15-204  A15. 1.4-4  EXTERNAL  AIRLOCK  EMU  SERVICING  CONSTRAINTS 

A15-205  A15. 1.4-5  EMU  DECONTAMINATION  DURING  EVA 


SECTION  A16  -  POSTLANDING 


GENERAL 

A16. 1.1-1  CONVOY  POSITIONING 

A1 6. 1.1-2  VEHICLE  SYSTEM  RECONFIGURATION  CONSTRAINT 

A1 6. 1.1-3  PRECREW  EGRESS  TROUBLESHOOTING  CONSTRAINT 

A1 6. 1.1-4  VEHICLE  SYSTEM  MODING  CONSTRAINT 

A1 6. 1.1-5  MEMORY  RECONFIGURATION  CONSTRAINT 

A1 6. 1.1-6  RECORDER  DUMP 

A1 6. 1.1-7  GOM  HANDOVER 

A16. 1.1-8  CREW  EGRESS  METHOD  DETERMINATION  (FOR  MODE  V  EGRESS) 

A1 6. 1.1-9  SSME  REPOSITIONING  CONSTRAINT 

A16. 1.1-10  NORMAL  POSTLANDING  OPERATIONS 

A16. 1.1-11  EXPEDITED  POWERDOWN 

A1 6. 1.1-12  EMERGENCY  POWERDOWN 

A1 6. 1.1-13  SIDE  HATCH  OPENING  CONSTRAINT 

A16-14  THROUGH  A16-50  RULES  ARE  RESERVED 

COOLING 

A1 6. 1.2-1  NO  GROUND  COOLING/EARLY  VEHICLE  POWER  TERMINATION 

A1 6. 1.2-2  EXTENDED  COOLING 

A1 6. 1.2-3  FREON  LOOP  CONFIGURATION 

A1 6. 1.2-4  AMMONIA  BOILER  MANAGEMENT 

A16-55  THROUGH  A16-100  RULES  ARE  RESERVED 

ET  UMBILICAL  DOOR 

A16-101  A16. 1.3-1  ET  UMBILICAL  DOOR  POSITIONING 

A16-102  THROUGH  A16-150  RULES  ARE  RESERVED 

VENT  DOORS 

A16-151  A16. 1.4-1  VENT  DOOR  POSITIONING 

A16-152  THROUGH  A16-200  RULES  ARE  RESERVED 

APU/HYDRAULIC 

A16-201  A16. 1.5-1  HYDRAULIC  CIRCULATION  PUMP  OPERATION 

A16-202  A16. 1.5-2  APU  REQUIREMENTS 

A16-203  A16. 1.5-3  APU/HYDRAULIC  LOAD  TEST  TERMINATION 

A16-204  A16. 1.5-4  WINDWARD  APU  OPERATION  CONSTRAINT 

A16-205  A16. 1.5-5  EARLY  APU  SHUTDOWN 

A16-206  THROUGH  A16-250  RULES  ARE  RESERVED 

FUEL  CELLS 

A16-251  A16. 1.6-1  FUEL  CELL  LIFETIME 

A1 6-252  THROUGH  A1 6-300  RULES  ARE  RESERVED 


A16-51 

A16-52 

A16-53 

A16-54 


A16-1 

A16-2 

A16-3 

A16-4 

A16-5 

A16-6 

A16-7 

A16-8 

A16-9 

A16-10 

A16-11 

A16-12 

A16-13 


A16-301 

A16-302 


A16. 1.7-1 
A16. 1.7-2 


CONT  AMI  NAT  I  ON  /  F  L  AMMAB I L I T  Y 

CONTAMINATION/FLAMMABILITY/TOXICITY 
EMERGENCY  OXYGEN  SYSTEM  REQUIREMENTS 


VOLUME  A  KEY 


NEW  RULE  # 


A17-101 

A17-102 

A17-103 

A17-104 

A17-105 

A17-106 


A17-151 

A17-152 

A17-153 

A17-154 

A17-155 

A17-156 

A17-157 

A17-158 


A17-201 

A17-202 

A17-203 

A17-204 

A17-205 

A17-206 


A17-251 

A17-252 

A17-253 

A17-254 

A17-255 

A17-256 

A17-257 

A17-258 

NONE 

A17-259 

A17-260 


A17-301 

A17-302 

A17-303 

A17-304 

A17-305 

A17-306 

A17-307 

A17-308 

A17-309 


OLD  RULE  #  RULE  TITLE 


A17 . 1.3-1 
A17. 1.3-2 
A17 . 1.3-3 
A17 . 1.3-4 
A17 . 1.3-5 
A17 . 1.3-6 


A17 . 1 . 4-1 
A17 . 1 . 4-2 
A17 . 1 . 4-3 
A17 . 1 . 4-4 
A17 . 1 . 4-5 
A17 . 1 . 4-6 
A17 . 1 . 4-7 
A17 . 1 . 4-8 


A17 . 1 . 5-1 
A17 . 1 . 5-2 
A17 . 1 . 5-3 
A17 . 1 . 5-4 
A17 . 1 . 5-5 
A17 . 1 . 5-6 


A17 . 1 . 6-1 
A17 . 1 . 6-2 
A17 . 1 . 6-3 
A17 . 1 . 6-4 
A17 . 1 . 6-5 
A17 . 1 . 6-6 
A17 . 1 . 6-7 
A17 . 1 . 6-8 
A17 . 1 . 6-9 
A17 . 1 . 6-10 
A17 . 1 . 6-11 


A17 . 1 . 7-1 
A17 . 1 . 7-2 
A17 . 1 . 7-3 
A17 . 1 . 7-4 
A17 . 1 . 7-5 
A17 . 1 . 7-6 
A17 . 1 . 7-7 
A17 . 1 . 7-8 
A17 . 1 . 7-9 


ATMOSPHERE  REVITALIZATION  SYSTEM  (ARS)  AIR  LOSS  DEFINITIONS 

CABIN  FAN 

CABIN  ATMOSPHERIC  CONTROL 
LOSS  OF  AVIONICS  BAY  FAN 
IMO  FAN 

AVIONICS  BAY  COOLING 

REGENERATIVE  C02  REMOVAL  SYSTEM  (RCRS)  LOSS  DEFINITION 
A17-107  THROUGH  A17-150  RULES  ARE  RESERVED 

ARS  AIR  SYSTEM  MANAGEMENT 

CABIN  ATMOSPHERE  CONTROL 

CABIN  TEMPERATURE  CONTROL  AND  MANAGEMENT 
CABIN/AVIONICS  BAY  FAN  MANAGEMENT 
MANAGEMENT  OF  DEGRADED  ROTATING  EQUIPMENT 
REGENERATIVE  C02  REMOVAL  SYSTEM  (RCRS)  MANAGEMENT 
RCRS  MANUAL  SHUTDOWN  CRITERIA 
LI OH  REDLINE  DETERMINATION 

MANAGEMENT  OF  LIOH  CANS  FOR  ADDITIONAL  DAYS 
A17-159  THROUGH  A17-200  RULES  ARE  RESERVED 

PRESSURE  CONTROL  SYSTEMS  (PCS)  LOSS  DEFINITIONS 

CABIN  PRESSURE  INTEGRITY 

8  PSIA  CABIN  CONTINGENCY  165-MINUTE  RETURN  CAPABILITY 
PP02  CONTROL 
N2  SUPPLY 

PP02  SENSOR  LOSS  DEFINITION 

LES  02  SUPPLY  SYSTEM  LOSS  DEFINITION 

A17-207  THROUGH  A17-250  RULES  ARE  RESERVED 

PCS  SYSTEMS  MANAGEMENT 

NORMAL  PCS  CONFIGURATION 
CABIN  PRESSURE  RELIEF  VALVES 
CABIN  VENT  VALVES 
CABIN  02  CONCENTRATION 

8  PSIA  EMERGENCY  CABIN  CONFIGURATION 
02  BLEED  ORIFICE  MANAGEMENT 
N2  SYSTEM  MANAGEMENT 

LOSS  OF  CABIN  INTEGRITY  TMAX  DEFINITION  AND  TIG  SELECTION 
RESERVED 

LES  02  SUPPLY  SYSTEM  LOSS  MANAGEMENT 

PCS  02 /N2  CONTROLLER  CHECKOUT 

A17-261  THROUGH  A17-300  RULES  ARE  RESERVED 

10.2  PSIA  CABIN  ATMOSPHERE  OPERATION 

CABIN  ATMOSPHERE  MANAGEMENT 

10.2  PSIA  CABIN  DEPRESSURIZATION  CONSTRAINTS 
CABIN  REPRESSURIZATION  PRIOR  TO  DEORBIT 

10.2  PSIA  CABIN  PRESSURE  MANAGEMENT  FOR  MULTIPLE  EVA'S 

14.7  PSIA  CABIN  REPRESSURIZATION  LIMITATION 

10.2  PSIA  CABIN  TEMPERATURE  CONSTRAINT 

PAYLOAD  10.2  PSIA  CABIN  OPERATIONS 

ATCS  (10.2  PSIA  CABIN)  CONFIGURATION 

CABIN  PRESSURE  TIME  AT  10.2  PSIA 

A17-310  THROUGH  A17-350  RULES  ARE  RESERVED 


WASTE  COLLECTION  SYSTEM  (WCS) /VACUUM  VENT  LOSS  DEFINITIONS 


VOLUME  A  KEY 


NEW  RULE  #  OLD  RULE  # 


RULE  TITLE 


A17-501 

A1 7 . 1 . 11-1 

A17-502 

A1 7 . 1 . 11-2 

A17-503 

A1 7 . 1 . 11-3 

A17-504 

A1 7 . 1 .11-4 

A17-505 

A1 7 . 1 .11-5 

A17-506 

A17 . 1 .11-6 

A17-507 

A17 . 1 .11-7 

A17-551 

A17 . 1 . 12-1 

A17-601 

A17-602 

A17-603 

A17.6.1-1 

A17.6.1-2 

A17.6.1-3 

A17-651 

A17-652 

A17. 6.2-1 
A17. 6.2-2 

A17-701 

A17-702 

A17-703 

A17-704 

A17-705 

A17-706 

A17. 6.3-1 
A17. 6.3-2 
A17. 6.3-3 
A17. 6.3-4 
A17. 6.3-5 
A17. 6.3-6 

A17-751 

A17.6.4-1 

A17-752 

A17.6.4-2 

A17-753 

A17.6.4-3 

A17-754 

A17.6.4-4 

A17-755 

A17.6.4-5 

A17-756 

A17.6.4-6 

A17-757 

A17.6.4-7 

A17-758 

A17.6.4-8 

A17-1001 

A17 . 1 . 13- 

WASTE  WATER  MANAGEMENT 

ALTERNATE  PRESSURE  VALVE  MANAGEMENT 
WASTE  DUMP  NOZZLE  ICE  FORMATION 
WASTE  WATER  STORAGE 

MINIMUM  WASTE  TANK  QUANTITY  AFTER  DUMPING 
WASTE  WATER  DUMP  NOZZLE  TEMPERATURE  CONSTRAINTS 
WASTE  WATER  SYSTEM  LEAK  MANAGEMENT 
OMS  &  PROS  BURNS  WITH  FREE  H20  IN  THE  CABIN 
A17-508  THROUGH  A17-550  RULES  ARE  RESERVED 

GALLEY  MANAGEMENT  LIFE  SUPPORT 

IODINE  REMOVAL  IMPLEMENTATION 

A17-552  THROUGH  A17-600  RULES  ARE  RESERVED 

SPACEHAB  FIRE /SMOKE 

SPACEHAB  FIRE/SMOKE  DETECTION  LOSS 
SPACEHAB  FIRE /SMOKE  CONFIRMATION 
SPACEHAB  FIRE /SMOKE  MANAGEMENT 
A17-604  THROUGH  A17-650  RULES  ARE  RESERVED 

SPACEHAB  ECS  MANAGEMENT 

SPACEHAB  ENVIRONMENTAL  CONTROL  AND  LIFE  SUPPORT  (ECLS)  REQUIREMENTS 

SPACEHAB  SUBSYSTEM  FANS/AIR  LOOP 

A17-653  THROUGH  A17-700  RULES  ARE  RESERVED 

MODULE  ATMOSPHERE  MANAGEMENT 

MODULE  ATMOSPHERIC  CONTROL 

PARTIAL  PRESSURE  OF  OXYGEN  (PP02)  SENSORS 
PARTIAL  PRESSURE  OF  CARBON  DIOXIDE  (PPC02 )  SENSORS 
CABIN/HFA  FAN 

ATMOSPHERE  REVITALIZATION  SYSTEM  (ARS)  FAN 
SPACEHAB  FAN  CONFIGURATIONS 

A17-707  THROUGH  A17-750  RULES  ARE  RESERVED 

ATMOSPHERE  INTEGRITY 

MODULE  PRESSURE  INTEGRITY 

NEGATIVE  PRESSURE  RELIEF  VALVE  COVERS 

CABIN  DEPRESS  VALVE  (CDV) 

EXPERIMENT  VENT  VALVE 
PPRV  MANAGEMENT 

SM/LDM  ASCENT/DESCENT  INLET  STUB 
RDM  MIXING  BOX  CAP 
RDM  LIOH  CANISTER 

A17-759  THROUGH  A17-800  RULES  ARE  RESERVED 

LIFE  SUPPORT  GO/NO-GO  CRITERIA 

LIFE  SUPPORT  GO/NO-GO  CRITERIA 


SECTION  A18  -  THERMAL 

SUPPLY  WATER  LOSS  DEFINITIONS 


A18-1 


A1 8 . 1 . 1-1 


SUPPLY  WATER  TANK 


VOLUME  A  KEY 


NEW  RULE  # 

OLD  RULE  # 

RULE  TITLE 

A18-101 

A18. 1.3-1 

ARS  H20  LOOP  LOSS  DEFINITIONS 

ARS  WATER  LOOP 

A18-102  THROUGH  A18-150  RULES  ARE  RESERVED 


ARS  H20  LOOP  LOSS  MANAGEMENT 

A18-151  A18. 1.4-1  ARS  WATER  LOOP 

A18-152  THROUGH  A18-200  RULES  ARE  RESERVED 

ACTIVE  THERMAL  CONTROL  SYSTEM  (ATCS)  LOSS  DEFINITIONS 

A18-201  A18. 1.5-1  FREON  COOLANT  LOOPS  (FCL) 

A18-202  A18. 1.5-2  TOPPING  EVAPORATOR 

A18-203  A1 8. 1.5-3  HIGH-LOAD  EVAPORATOR 

A18-204  A18. 1.5-4  FES  PRIMARY  A  (B)  CONTROLLER 

A18-205  A18. 1.5-5  FES  SECONDARY  CONTROLLER 

A18-206  A18. 1.5-6  FES  H20  FEEDLINE 

A18-207  A18. 1.5-7  AMMONIA  BOILER  SUBSYSTEM  (ABS) 

A18-208  A18. 1.5-8  RADIATOR  FLOW  CONTROL  ASSEMBLY  (RFCA) 

A18-209  THROUGH  A18-250  RULES  ARE  RESERVED 

ATCS  MANAGEMENT 

A18-251  A18. 1.6-1  FREON  COOLANT  LOOPS  (FCL) 

A18-252  A18. 1.6-2  FLASH  EVAPORATOR  SYSTEM  (FES) 

A18-253  A18. 1.6-3  AMMONIA  BOILER  SUBSYSTEM  (ABS) 

A18-254  A18. 1.6-4  ABS  AMMONIA  REDLINE 

A18-255  A18. 1.6-5  RADIATOR  FLOW  CONTROL  ASSEMBLY  (RFCA) 

A18-256  A18. 1.6-6  RADIATOR  ISOLATION  VALVE  MANAGEMENT 

A18-257  A18. 1.6-7  POSTLANDING  NH3  TERMINATION 

A18-258  THROUGH  A18-300  RULES  ARE  RESERVED 

EECOM  HEATER  MANAGEMENT 

A18-301  A18. 1.7-1  TCS  HEATER  CONFIGURATION 

A18-302  A18. 1.7-2  TCS  HEATER  REDUNDANCY 

A18-303  A18. 1.7-3  REDUNDANT  TCS  HEATER  VERIFICATION 

A18-304  A18. 1.7-4  TCS  HEATER  OPERATIONS  FOR  LOSS  OF  INSTRUMENTATION 

A18-305  A18. 1.7-5  LOSS  OF  HEATER  SM  CAPABILITY 

A18-306  A18. 1.7-6  EXTERNAL  AIRLOCK  HEATER  LOSS  MANAGEMENT 

A18-307  THROUGH  A18-350  RULES  ARE  RESERVED 

EECOM  SOFTWARE  REQUIREMENT 

A18-351  A18. 1.8-1  EECOM  SOFTWARE  REQUIREMENT 

A18-352  THROUGH  A18-400  RULES  ARE  RESERVED 

TPS  BONDLINE  TEMPERATURES  MANAGEMENT 

A18-401  A18. 1.9-1  THERMAL  PROTECTION  SYSTEM  (TPS)  BONDLINE  TEMPERATURES 

A18-402  THROUGH  A18-450  RULES  ARE  RESERVED 

ATTITUDE  MANAGEMENT  FOR  THERMAL  CONTROL 

A18-451  A18. 1.10-1  ORBITER  THERMAL  CONSTRAINTS  AND  ATTITUDE  MANAGEMENT  [CIL] 

A18-452  THROUGH  A18-500  RULES  ARE  RESERVED 

COOLING  EQUIPMENT  CONSTRAINTS 

A18-501  A18. 1.11-1  MAXIMUM  OFF  TIME  FOR  COOLING  EQUIPMENT 

A18-502  THROUGH  A18-550  RULES  ARE  RESERVED 


NEW  RULE  #  OLD  RULE  # 


A18-1001  A18. 1.12-1 


VOLUME  A  KEY 


RULE  TITLE 

MANAGEMENT 

A18-607  THROUGH  A18-650  RULES  ARE  RESERVED 

THERMAL  GO/NO-GO  CRITERIA 

THERMAL  GO/NO-GO  CRITERIA 


VOLUME  A  KEY 
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CR 
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ED 

A4-110 

ED 

A9-152 
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ED 

A4-111 
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A2-6 
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A4-111 
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A4-203 

CR 

5439 
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CR  5804C 
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ED 

A4-204 

CR 

5440 

A2-70 

CR 

5667A 

A4-205 

CR 

5  4  4  1 A 

All-3 

CR  5734 

A2-102 

ED 

A4-210 

CR 

5804C 

All-11 

CR  5735 

A2-104 

ED 

All-13 

CR  5737 

A2-133 

CR 

5513 

A5-2 

ED 

All-16 

CR  5742 

A2-207 

CR 

5804C 

A5-3 

ED 

All-16 

ED 

A2-254 

ED 

A5-6 

ED 

All-61 

CR  5741 

A2-261 

ED 

A5-7 

ED 

All-66 

CR  5743 

A2-264 

ED 

A5-8 

ED 

A2-266 

CR 

5636 

A5-9 

ED 

A13-156 

ED 

A2-266 

ED 

A5-10 

ED 

A2-301 

CR 

5640 

A5-11 

ED 

A16-11 

ED 

A2-301 

CR 

5804C 

A5-12 

ED 

A16-12 

ED 

A2-301 

ED 

A5-13 

ED 

A16-205 

ED 

A2-311 

ED 

A5-106 

ED 

A2-312 

ED 

A5-108 

ED 

A17-255 

ED 

A2-330 

ED 

A5-151 

ED 

A17-258 

ED 

A2-1001 

ED 

A5-152 

ED 

A17-706 

ED 

A5-155 

ED 

A3- 1 

CR 

5502C 

A5-156 

ED 

A18-553 

ED 

A3-2 

CR 

5502C 

A5-203 

ED 

A18-557 

ED 

A3-3 

CR 

5502C 

A5-204 

ED 

A18-605 

ED 

A3-3 

CR 

5641 

A5-205 

ED 

A3-52 

ED 

A5-208 

ED 

A3-102 

CR 

5502C 

A5-209 

ED 

A3-103 

CR 

5502C 

A3-151 

ED 

A6-3 

ED 

A3-152 

ED 

A3-201 

CR 

5642 

A8-19 

ED 

A3-203 

CR 

5786 

A8-59 

CR 

5804C 

A8-61 

ED 

A4-59 

ED 

A8-115 

CR 

5643 

A4-61 

ED 

A8-1001 

CR 

5718 

A4-107 

ED 

A8-1001 

CR 

5804C 

BOOK  MANAGER 

WPD  11/21/02 

A8-1001 

ED 
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SPACE  SHUTTLE  OPERATIONAL  FLIGHT  RULES  ANNEX 

ALL  FLIGHTS 
VOLUME  A 
FINAL,  PCN-1 
PREFACE 

THIS  DOCUMENT,  VOLUME  A,  FINAL,  PCN-1,  DATED  NOVEMBER  21,  2002,  IS 

THE  GENERIC  VERSION  OF  THE  SPACE  SHUTTLE  OPERATIONAL  FLIGHT  RULES  AND 
IS  INTENDED  TO  BE  USED  IN  CONJUNCTION  WITH  THE  SPACE  SHUTTLE 
OPERATIONAL  FLIGHT  RULES  ANNEX  (NSTS-18308)  WHICH  CONTAINS  THE  FLIGHT 
SPECIFIC  RULES.  INCLUDED  IN  THIS  PUBLICATION  ARE  FLIGHT  RULE  CHANGES 
APPROVED  IN  FLIGHT  RULES  CONTROL  BOARD  (FRCB )  MEETINGS  140,  141,  142, 

AND  143  HELD  ON  JUNE  27,  AUGUST  29,  SEPTEMBER  26,  AND  OCTOBER  24, 

2002,  RESPECTIVELY. 

THIS  DOCUMENT  USES  A  NEW  RULE  NUMBER  SYSTEM  DESIGNED  TO  FACILITATE  NEW 
DATABASES  FOR  MAINTAINING  CONFIGURATION  MANAGEMENT  OF  JOINT  SHUTTLE-ISS 
ANNEXES,  SPACE  SHUTTLE  OPERATIONAL  FLIGHT  RULES,  VOLUME  A;  ISS  GENERIC 
OPERATIONAL  FLIGHT  RULES,  VOLUME  B;  JOINT  SHUTTLE/ISS  GENERIC 
OPERATIONAL  FLIGHT  RULES,  VOLUME  C;  AND  SOYUZ/PROGRESS/ISS  JOINT  FLIGHT 
RULES,  VOLUME  D.  AN  EXPLANATION  OF  THE  NEW  NUMBERING  SYSTEM  IS  SHOWN  ON 
PAGE  VII . 

IT  IS  REQUESTED  THAT  ANY  ORGANIZATION  HAVING  COMMENTS,  QUESTIONS,  OR 
SUGGESTIONS  CONCERNING  THESE  FLIGHT  RULES  CONTACT  DA8/W.  PRESTON  DILL, 
FLIGHT  DIRECTOR  OFFICE,  BUILDING  4  NORTH,  ROOM  3039,  PHONE  281-483-5418. 

ALL  FLIGHT  RULES  ARE  AVAILABLE  ON  THE  INTERNET.  THE  URL  IS: 

HTTP: //MOD. JSC.NASA.GOV/DA8.  NO  ID  OR  PASSWORD  WILL  BE  REQUIRED  TO 
ACCESS  ANY  OF  THE  RULES  PROVIDED  THE  USER  IS  ACCESSING  FROM  A 
TRUSTED  SITE  (ALL  NASA  CENTERS,  CONTRACTORS,  AND  INTERNATIONAL 
PARTNERS) .  IF  UNABLE  TO  ACCESS,  USERS  NEED  TO  SEND  AN  E-MAIL  NOTE 
TO  DA8/M.  L.  GRIFFITH  (MARY.L.GRIFFITH1@JSC.NASA.GOV)  WITH  THEIR 
FULL  NAME,  COMPANY,  IP  ADDRESS,  AND  A  JUSTIFICATION  STATEMENT  FOR 
ACCESS  . 

THIS  IS  A  CONTROLLED  DOCUMENT  AND  ANY  CHANGES  ARE  SUBJECT  TO  THE 
CHANGE  CONTROL  PROCEDURES  DELINEATED  IN  APPENDIX  B.  THIS  DOCUMENT 
IS  NOT  TO  BE  REPRODUCED  WITHOUT  THE  WRITTEN  APPROVAL  OF  THE  CHIEF, 

FLIGHT  DIRECTOR  OFFICE,  DA8 ,  LYNDON  B.  JOHNSON  SPACE  CENTER, 

HOUSTON,  TEXAS. 


MANAGER,  SPACE  SHUTTLE  PROGRAM 


Verify  that  this  is  the  correct  version  before  use. 


Verify  that  this  is  the  correct  version  before  use. 


VOLUME  A  KEY 


PLEASE  NOTE  THAT  THE  NUMBERING  IN  SECTIONS  5,  6,  7,  10,  AND  13  HAS  BEEN  REORDERED.  ALL  GO/NO-GO 
CRITERIA  RULES  ARE  NUMBERED  WITH  THE  SECTION  NUMBER  AND  THENRULE  NUMBER  1001.  EXAMPLE:  A6-1001. 


NEW  RULE  # 


OLD  RULE  #  RULE  TITLE 


SECTION  A1  -  OPERATIONS  POLICY,  GENERAL,  AND  DEFINITIONS 


OPERATIONS  POLICY 


Al-l 

A1 . 1 . 1-1 

A 1-2 

A1 . 1 . 1-2 

Al-3 

A1 . 1 . 1-3 

Al-4 

A1 . 1 . 1-4 

Al-5 

A1 . 1 . 1-5 

Al-6 

A1 . 1 . 1-6 

Al-7 

A1 . 1 . 1-7 

NONE 

CO 

1 

I — 1 

< 

Al-8 

O'. 

1 

I — 1 

< 

Al-9 

o 

V — 1 

1 

I — 1 

< 

Al-10 

A1 . 1 . 1-11 

Al-l  1 

A1 . 1 . 1-12 

Al-12 

A1 . 1 . 1-13 

Al-13 

A1 . 1 . 1-14 

Al-51 

Al. 1.2-1 

Al-52 

Al. 1.2-2 

Al-53 

Al. 1.2-3 

Al-54 

Al. 1.2-4 

Al-5  5 

Al. 1.2-5 

Al-56 

Al. 1.2-6 

Al-51 

Al. 1.2-7 

Al-58 

Al. 1.2-8 

Al-59 

Al. 1.2-9 

FLIGHT  RULE  PURPOSE 
REAL-TIME  OPERATING  POLICY 
PROGRAM  LIFETIME  OPERATING  POLICY 
MISSION  MANAGEMENT  TEAM  (MMT)  AUTHORITY 
FLIGHT  DIRECTOR  AUTHORITY 
SHUTTLE  COMMANDER  AUTHORITY 

FLIGHT  CONTROL  ROOM  (FOR)  SURGEON  AUTHORITY 
RESERVED 

WEATHER  DECISION  AUTHORITY 

POSTLANDING  DECISION  AUTHORITY 

POSTLANDING  EMERGENCY  DECLARATION 

SEARCH  AND  RESCUE  RESPONSIBILITY 

ORBITER  EMERGENCY  LANDING  SITE  (ELS)  AUTHORITY 

MCC  REAL-TIME  COMMAND  COORDINATION  POLICY 

Al-14  THROUGH  Al-50  RULES  ARE  RESERVED 

GENERAL 

VEHICLE  SYSTEM  LIMITS 
INTERIM  OR  UNCONFIRMED  LIMITS 
MANDATORY  INSTRUMENTATION  REQUIREMENTS 
FAILURE  DEFINITION  APPLICATION 
CONFLICTING  FLIGHT  RULES 

INSTRUMENTATION  ONBOARD  VS.  GROUND  READOUT  PHILOSOPHY 
FLIGHT-CRITICAL  MODING 

SHUTTLE  OPERATIONAL  DATA  BOOK  (SODB) ,  VOLUME  III,  DATA  USE 
ACTIVITIES  DURING  YEAR  END  ROLLOVER/LEAP  SECOND  INCORPORATION 
Al-60  THROUGH  Al-100  RULES  ARE  RESERVED 

GENERAL  DEFINITIONS 


Al-101 

Al . 1 . 3-1 

AS  SOON  AS  PRACTICAL  (ASAP) 

Al-102 

Al . 1 . 3-2 

HIGHLY  DESIRABLE  (HD) 

Al-l  03 

Al . 1 . 3-3 

MANDATORY  (M) 

Al-104 

Al . 1 . 3-4 

FLIGHT  PHASE 

Al-105 

Al . 1 . 3-5 

THROTTLE  SETTINGS 

Al-106 

Al . 1 . 3-6 

LANDING  SITES 

Al-l  07 

Al . 1 . 3-7 

LANDING  OPPORTUNITIES 

Al-l 08 

Al . 1 . 3-8 

POSTLANDING  CREW  EGRESS /ESCAPE  MODES 

Al-109 

Al . 1 . 3-9 

CREW  MEDICAL  (MED)  CONDITIONS 

Al— 11 0 

Al . 1 . 3-10 

REMOTE  MANIPULATOR  SYSTEM  (RMS) 

Al-l 1 1 

Al . 1 . 3-11 

TIME  REFERENCE  DEFINITIONS 

Al-112 

Al . 1 . 3-12 

MULTIFUNCTION  ELECTRONIC  DISPLAY  SUBSYSTEM 

SECTION  A2  -  FLIGHT  OPERATIONS 

PRELAUNCH 

A2-1 

A2 . 1 . 1-1 

PRELAUNCH  GO/NO-GO  REQUIREMENTS 

A2-2 

A2 . 1 . 1-2 

ABORT  LANDING  SITE  REQUIREMENTS 

A2-3 

A2 . 1 . 1-3 

LAUNCH  HOLD 

A2-4 

A2 . 1 . 1-4 

LAUNCH  DAY  CREW  TIME  CONSTRAINTS 

A2-5 

A2 . 1 . 1-5 

PORT  MODING/RESTRINGING  GUIDELINES 

A2-6 

A2 . 1 . 1-6 

LANDING  SITE  WEATHER  CRITERIA  [HC] 

A2-7 

A2 . 1 . 1-7 

DAY-OF-LAUNCH  ET  LOAD  DATA 

A2-8 

A2 . 1 . 1-8 

LAUNCH  TIME  SELECTION  FOR  GROUND-UP  RENDEZVOUS 

A2-9  THROUGH  A2-50  RULES  ARE  RESERVED 

ASCENT 

A2-51 

A2. 1.2-1 

STS  ABORT  CRITERIA 

A2-52 

A2. 1.2-2 

ASCENT  MODE  PRIORITIES  FOR  PERFORMANCE  CASES 

A2-53 

A2. 1.2-3 

FORWARD  RCS  USAGE  GUIDELINES 

A2-54 

A2. 1.2-4 

RTLS ,  TAL,  AND  AOA  ABORTS  FOR  SYSTEMS  FAILURES  [CIL 

A2-55 

A2. 1.2-5 

USE  OF  LOW  ENERGY  GUIDANCE 

A2-5  6 

A2. 1.2-6 

ABORT  GAP 

A2-57 

A2. 1.2-7 

CONTINGENCY  ASCENTS /ABORTS 

NONE 

A2. 1.2-8 

RESERVED 

A2-5  8 

A2. 1.2-9 

ABORT  LIGHT 

KEY-1 


VOLUME  A  KEY 


NEW  RULE  # 

A2-5  9 
A2-60 
A2-61 
A2-62 
A2-63 
A2-64 
A2-65 
A2-66 
A2-67 
A2-68 
A2-69 


A2-101 

A2-102 

A2-103 

A2-104 

A2-105 

A2-106 

A2-107 

A2-108 

A2-109 

A2-110 

NONE 

NONE 

A2-111 

A2-112 

A2-113 

A2-114 

A2-115 

A2-116 

A2-117 

A2-118 

A2-119 

A2-120 

A2-121 

A2-122 

A2-123 

A2-124 

A2-125 

A2-126 

A2-127 

A2-128 

A2-129 

A2-130 

A2-131 

A2-132 

A2-133 

A2-134 

A2-135 


A2-201 

A2-202 

A2-203 

A2-204 

A2-205 

A2-206 

A2-207 

A2-208 

A2-209 


A2-251 

A2-252 

A2-253 

A2-254 

A2-255 

A2-256 

A2-257 

A2-258 

A2-259 

A2-260 

A2-261 


OLD  RULE  #  RULE  TITLE 


A2. 1.2-10 
A2. 1.2-11 
A2. 1.2-12 
A2. 1.2-13 
A2. 1.2-14 
A2. 1.2-15 
A2. 1.2-16 
A2. 1.2-17 
A2. 1.2-18 
A2. 1.2-19 
A2. 1.2-20 


A2. 1.3-0 
A2. 1.3-1 
A2. 1.3-2 
A2. 1.3-3 
A2. 1.3-4 
A2. 1.3-5 
A2. 1.3-6 
A2. 1.3-7 
A2. 1.3-8 
A2. 1.3-9 
A2. 1.3-10 
A2. 1.3-11 
A2. 1.3-12 
A2. 1.3-13 
A2. 1.3-14 
A2. 1.3-15 
A2. 1.3-16 
A2. 1.3-17 
A2. 1.3-18 
A2. 1.3-19 
A2. 1.3-20 
A2. 1.3-21 
A2. 1.3-22 
A2. 1.3-23 
A2. 1.3-24 
A2. 1.3-25 
A2. 1.3-26 
A2. 1.3-27 
A2. 1.3-28 
A2. 1.3-29 
A2. 1.3-30 
A2. 1.3-31 
A2. 1.3-32 
A2. 1.3-33 
A2. 1.3-34 
A2. 1.3-35 
A2. 1.3-36 


A2 . 1 . 4-1 
A2 . 1 . 4-2 
A2 . 1 . 4-3 
A2 . 1 . 4-4 
A2 . 1 . 4-5 
A2 . 1 . 4-6 
A2 . 1 . 4-7 
A2 . 1 . 4-8 
A2 . 1 . 4-9 


A2. 1.5-1 
A2. 1.5-2 
A2. 1.5-3 
A2. 1.5-4 
A2. 1.5-5 
A2. 1.5-6 
A2. 1.5-7 
A2. 1.5-8 
A2. 1.5-9 
A2. 1.5-10 
A2. 1.5-11 


BFS  ENGAGE  CRITERIA 
NAVIGATION  UPDATE  CRITERIA 
Q-BAR/G-CONTROL 
ET  FOOTPRINT  CRITERIA 
ASCENT  STRING  REASSIGNMENT 
MANUAL  THROTTLE  CRITERIA 
OMS-1  DELAYED  TARGET  CRITERIA 
APU  SHUTDOWN  DELAY  CRITERIA 
ARD  UPDATE  CRITERIA 
ET  PHOTOGRAPHY 

REGAIN  RCS  JETS  FOR  RTLS  ET  SEPARATION 
A2-70  THROUGH  A2-100  RULES  ARE  RESERVED 

ORBIT 

VEHICLE  SYSTEMS  REDUNDANCY  DEFINITIONS 
MISSION  DURATION  REQUIREMENTS 
EXTENSION  DAY  REQUIREMENTS 
SYSTEMS  REDUNDANCY  REQUIREMENTS 
IN-FLIGHT  MAINTENANCE  ( IFM) 

PBD  OPERATIONS  [CIL] 

EVA  GUIDELINES 

CONSUMABLES  MANAGEMENT 

PREFERRED  ATTITUDE  FOR  WATER  DUMPS 

STRUCTURES  THERMAL  CONDITIONING 

RESERVED 

RESERVED 

DPS  COMMAND  CRITERIA 
PDRS 

OMS/RCS  DOWNMODING  CRITERIA 
OMS/RCS  MANEUVER  CRITICALITY 
ENGINE  SELECTION  CRITERIA 

RENDEZVOUS  (RNDZ ) /PROXIMITY  OPERATIONS  (PROX  OPS)  DEFINITIONS 

RNDZ/PROX  OPS  GNC  SYSTEMS  MANAGEMENT 

RNDZ /PROX  OPS  COMMUNICATION  SYSTEMS  MANAGEMENT 

RNDZ/PROX  OPS  SENSOR  REQUIREMENTS 

RNDZ/PROX  OPS  DPS  SYSTEMS  MANAGEMENT 

RNDZ/PROX  OPS  PROPULSION  SYSTEMS  MANAGEMENT 

RENDEZVOUS  MANEUVERS 

RENDEZVOUS  MANEUVER  SOLUTION  SELECTION  CRITERIA 

RENDEZVOUS  MANEUVER  EXECUTION 

RNDZ  OPS  DELAY 

RNDZ/PROX  OPS  BREAKOUT 

RENDEZVOUS  GUIDANCE 

EMCC/TMCC  ACTIVATION 

ORBITER  ON-ORBIT  HIGH  DATA  RATE  REQUIREMENTS 
PAYLOAD  OBJECTIVES  VS.  PAYLOAD  DAMAGE  POLICY 
ATTITUDE  RESTRICTIONS  FOR  ORBITAL  DEBRIS 
THERMAL  CONDITIONING  FOR  FLIGHT  DAY  1  LANDING 
POCC  THROUGHPUT  COMMAND  RATES 
ON-ORBIT  CRYO  MARGIN  BUYBACKS 

COMMANDER  (CDR)  AND  PILOT  (PLT)  PARTICIPATING  AS  TEST  SUBJECTS 
A2-136  THROUGH  A2-200  RULES  ARE  RESERVED 

DEORBIT 

DEORBIT  GUIDELINES 
EXTENSION  DAY  GUIDELINES 
DEORBIT  DELAY  GUIDELINES 
MDF  DEORBIT  GUIDELINES 
EMERGENCY  DEORBIT 
DEROTATION  SPEED 
LANDING  SITE  SELECTION 
ACES  PRESSURE  INTEGRITY  CHECK 

LANDING  SITE  SELECTION  FOR  AN  INFLIGHT  EMERGENCY 
A2-210  THROUGH  A2-250  RULES  ARE  RESERVED 

ENTRY 

BAILOUT 

GCA  CRITERIA 

ENERGY  MANAGEMENT 

ENTRY  STRING  REASSIGNMENT 

CREW  TAKEOVER 

EARLY  POWERDOWN 

DEORBIT  BURN  TERMINATION 

BFS  ENGAGE 

CHASE  AIRCRAFT  OPERATIONS 
ENTRY  LOAD  MINIMIZATION 

ENTRY  DTO/AUTO  MODE/CROSSWIND  DTO  GO/NO-GO 


KEY-2 


VOLUME  A  KEY 


NEW  RULE  # 

A2-262 

A2-263 

A2-264 

A2-265 


A2-301 


A2-311 

A2-312 

A2-313 

A2-314 

A2-315 

A2-316 

A2-317 

A2-318 

A2-319 

A2-320 

A2-321 

A2-322 

A2-323 

A2-324 

A2-325 

A2-326 

A2-327 

A2-328 

A2-329 

A2-330 

A2-331 

NONE 

NONE 

NONE 

NONE 

A2-332 

A2-333 

A2-334 

A2-335 

NONE 

NONE 

NONE 

NONE 


A2-1001 


OLD  RULE  # 

A2. 1.5-12 
A2. 1.5-13 

A2. 1.5-14 
A2. 1.5-15 


A2 . 1 . 6-1 


A2 .6.1-1 
A2 .6.1-2 
A2 .6.1-3 
A2 .6.1-4 
A2 .6.1-5 
A2 .6.1-6 
A2 .6.1-7 
A2 .6.1-8 
A2 .6.1-9 
A2 .6.1-10 
A2 .6.2-5 
A2 .6.1-11 
A2 .6.1-12 
A2 .6.1-13 
A2 .6.1-14 
A2 .6.1-15 
A2 .6.1-16 
A2 .6.1-17 
A2 .6.1-18 
A2 .6.1-19 
A2 .6.1-20 
A2 .6.1-21 
A2 .6.1-22 
A2 .6.1-23 
A2 .6.1-24 
A2 .6.2-1 
A2 .6.2-2 
A2 .6.2-3 
A2 .6.2-4 
A2 .6.2-6 
A2 .6.2-7 
A2 .6.2-8 
A2 .6.2-9 


A2. 1.7-1 


RULE  TITLE 

LANDING  DTO'S 

STA/WEATHER  AIRCRAFT  RUNWAY  APPROACH  OPERATIONS  FOR  SITES  WITH  ONLY  ONE 
RUNWAY 

EMERGENCY  LANDING  FACILITY  CRITERIA 

SINGLE  STRING  GPS  OPERATIONS 

A2-266  THROUGH  A2-300  RULES  ARE  RESERVED 

CONTINGENCY  ACTION  SUMMARY 

CONTINGENCY  ACTION  SUMMARY 

A2-302  THROUGH  A2-310  RULES  ARE  RESERVED 

SPACEHAB  OPERATIONS  MANAGEMENT 

SPACEHAB  SAFETY  DEFINITION  AND  MANAGEMENT 
REAL-TIME  SAFETY  COORDINATION 
GROUND  COMMANDING 

SPACEHAB  MINIMUM  DURATION  FLIGHT  CRITERIA 
POWERING  OFF  AND  REPOWERING  SPACEHAB  EQUIPMENT 
ORBITER-TO-SPACEHAB  HATCH  CONFIGURATION 
EVA  CONSTRAINTS 

ORBITAL  MANEUVERING  SYSTEM/REACTION  CONTROL  SYSTEM  (OMS/RCS)  CONSTRAINTS 
CONTAMINATION  AND  MICROGRAVITY  CONSTRAINTS 
COMMAND  AND  DATA  SYSTEM  CONSTRAINTS 
SPACEHAB  AIR-TO-GROUND  (A/G)  USAGE 

SPACEHAB  CAUTION  AND  WARNING  ANNUNCIATION  IN  MODULE 
COMMUNICATIONS  CONSTRAINTS 

SPACEHAB  IN-FLIGHT  MAINTENANCE  ( IFM)  PROCEDURES 

IFM  PROCEDURES  ON  EXPERIMENTS  WITH  TOXIC  HAZARDS 

EQUIPMENT  EXCHANGE  BETWEEN  ORBITER  CABIN  AND  SPACEHAB  MODULE 

SPACEHAB  MODULE/TUNNEL  SLEEP  CONSTRAINTS 

CREW  LIMITATIONS  IN  THE  SPACEHAB  MODULE 

SPACEHAB  DEACTIVATION/ENTRY  PREP 

EXTENSION  DAY  GROUND  RULES 

CONSTRAINTS  ON  CABLES  THROUGH  THE  SPACEHAB  HATCH  AND  TUNNEL 

RESERVED 

RESERVED 

RESERVED 

RESERVED 

LOSS  OF  SM  GPC  DURING  SPACEHAB  ACTIVATION/ENTRY  PREP 
LOSS  OF  PAYLOAD  MDM  DURING  SPACEHAB  ACT/ENTRY  PREP 
LOSS  OF  SM  MAJOR  FUNCTION 

LOSS  OF  ORBITER  MASTER  TIMING  UNIT  (MTU) /PAYLOAD  TIMING  BUFFER 

RESERVED 

RESERVED 

RESERVED 

RESERVED 

A2-336  THROUGH  A2-400  RULES  ARE  RESERVED 

ORBITER  SYSTEMS  GO/NO-GO 

ORBITER  SYSTEMS  GO/NO-GO 


SECTION  A3  -  GROUND  INSTRUMENTATION  REQUIREMENTS 


GENERAL 


A3-1 

A3 . 1 . 1-1 

GROUND  AND  NETWORK  DEFINITIONS 

A3-2 

A3 . 1 . 1-2 

GROUND  AND  NETWORK  OVERALL  PHILOSOPHY 

A3 -3 

A3 . 1 . 1-3 

GROUND  AND  NETWORK  DETAILED  REQUIREMENTS 
A3-4  THROUGH  A3-50  RULES  ARE  RESERVED 

MCC  INSTRUMENTATION  PRELAUNCH  REQUIREMENTS 

NONE 

A3 . 1 . 2-1 

RESERVED 

NONE 

A3. 1.2-2 

RESERVED 

NONE 

A3. 1.2-3 

RESERVED 

A3-51 

A3 . 1 . 2-4 

TRAJECTORY  PROCESSING  REQUIREMENTS 

A3-52 

A3 . 1 . 2-5 

MCC  INTERNAL  VOICE 

NONE 

A3 . 1 . 2-6 

RESERVED 

NONE 

A3 . 1 . 2-7 

RESERVED 

A3-53 

A3 . 1 . 2-8 

MCC  POWER 

A3-54  THROUGH  A3-100  RULES  ARE  RESERVED 

45  SPW/GSFC/STDN  PRELAUNCH  REQUIREMENTS 

NONE 

A3 . 1 . 3-1 

RESERVED 

A3-101 

A3. 1.3-2 

GSFC 

A3-102 

A3 . 1 . 3-3 

INTEGRATED  NETWORK  FAILURE  DECISION  MATRIX 

KEY-3 


VOLUME  A  KEY 


NEW  RULE  # 

A3-103 


A3-151 

A3-152 

A3-153 

A3-154 

A3-155 

A3-156 


A3-201 

A3-202 

A3-203 


A4-1 

A4-2 

A4-3 

A4-4 


A4-51 

A4-52 

A4-53 

NONE 

A4-54 

A4-55 

A4-56 

A4-57 

A4-58 

A4-59 

NONE 

A4-60 

A4-61 

A4-62 


A4-101 

A4-102 

A4-103 

A4-104 

A4-105 

A4-106 

A4-107 

A4-108 

A4-109 

A4-110 

A4-111 

A4-112 

A4-113 


A4-151 

A4-152 

A4-153 

A4-154 

A4-155 

A4-156 

A4-157 

A4-158 

A4-159 


A4-201 


OLD  RULE  #  RULE  TITLE 


NONE 


A3 . 1 . 4-1 
A3 . 1 . 4-2 
A3 . 1 . 4-3 
A3 . 1 . 4-4 
A3 . 1 . 4-5 
A3 . 1 . 4-6 


A3. 1.5-1 
A3. 1.5-2 
A3. 1.5-3 


CRITICAL  LAUNCH  SYSTEM  RECOVERY  TIMES 
A3-104  THROUGH  A3-150  RULES  ARE  RESERVED 

MCC  EXTERNAL  INTERFACE  (VOICE  DATA)  PRELAUNCH  REQUIREMENTS 

MCC/KSC/45  SPW  INTERFACE 

GSFC/STDN  INTERFACE 

45  SPW/VAFB  INTERFACE 

45  SPW/WSMR  INTERFACE 

MCC/GSFC/NGT  INTERFACE 

MCC/ASCENT  ABORT  SITE  INTERFACE 

A3-157  THROUGH  A3-200  RULES  ARE  RESERVED 

NAVAIDS  REQUIREMENTS 

TACAN  REDUNDANCY  REQUIREMENTS  AND  ALTERNATE  TACAN  SELECTION  PHILOSOPHY 
MLS 

LANDING  AID  REQUIREMENTS 


SECTION  A4  -  TRAJECTORY  AND  GUIDANCE 


A4 . 1 . 1-1 
A4 . 1 . 1-2 
A4 . 1 . 1-3 
A4 . 1 . 1-4 


A4. 1.2-1 
A4. 1.2-2 
A4. 1.2-3 
A4. 1.2-4 
A4. 1.2-5 
A4. 1.2-6 
A4. 1.2-7 
A4. 1.2-8 
A4. 1.2-9 
A4. 1.2-10 
A4. 1.2-11 
A4. 1.2-12 
A4. 1.2-13 
A4. 1.2-14 


A 4 . 1.3-1 
A4. 1.3-2 
A4. 1.3-3 
A4. 1.3-4 
A4. 1.3-5 
A4. 1.3-6 
A 4 . 1.3-7 
A4. 1.3-8 
A4. 1.3-9 
A4. 1.3-10 
A4. 1.3-11 
A4. 1.3-12 
A4. 1.3-13 


A4 . 1 . 4-1 
A4 . 1 . 4-2 
A4 . 1 . 4-3 
A4 . 1 . 4-4 
A4 . 1 . 4-5 
A4 . 1 . 4-6 
A4 . 1 . 4-7 
A4 . 1 . 4-8 
A4 . 1 . 4-9 


A4 . 1 . 5-1 


PRELAUNCH 

PERFORMANCE  ANALYSES 
LANDING  SITE  CONDITIONS 
ORBIT  CONJUNCTIONS/CONFLICTS 
DOLILU  OPERATIONS 

A4-5  THROUGH  A4-50  RULES  ARE  RESERVED 

ASCENT 

KALMAN  FILTER  SOLUTION 

ARD  THRUST  UPDATE  CRITERIA  AND  FPR 

USE  OF  MAXIMUM  THROTTLES 

RESERVED 

ABORT  MODE  RESPONSIBILITY 

DESIGN  AND  CRITICAL  MECO  UNDERSPEED  DEFINITIONS 

PERFORMANCE  BOUNDARIES 

NAVIGATION  UPDATES 

AUTO  GUIDANCE  NO-GO 

MANUAL  THROTTLE  SELECTION 

RESERVED 

MANUAL  SHUTDOWN  CRITERIA 

THRUST  LIMITING,  HYDRAULIC,  OR  ELECTRICAL  LOCKUP 
OMS-l/OMS-2  EXECUTION 

A4-63  THROUGH  A4-100  RULES  ARE  RESERVED 

ORBIT 

ONBOARD  NAVIGATION  MAINTENANCE 
MINIMUM  ORBITAL  LIFETIME 

OFF-NOMINAL  ORBITAL  ALTITUDE  RECOVERY  PRIORITIES 
OMS  LEAK/PERIGEE  ADJUST 
MINIMUM  TIME  OF  FREE  FALL 

DEBRIS  AVOIDANCE  CRITERIA  FOR  PREDICTED  CONJUNCTIONS  [HC] 

PLS/EOM  LANDING  OPPORTUNITY  REQUIREMENTS 
TIRE  SPEED,  BRAKING,  AND  ROLLOUT  REQUIREMENTS 
DEORBIT  PRIORITY  FOR  EOM  WEATHER 

AIMPOINT,  EVALUATION  VELOCITY,  AND  SHORT  FIELD  SELECTION 
RUNWAY  ACCEPTABILITY  CONDITIONS 

UPPER  AND  LOWER  LEVEL  MEASURED  WIND  AND  ATMOSPHERIC  DATA 
OMS-2  TARGETING 

A4-114  THROUGH  A4-150  RULES  ARE  RESERVED 

ENTRY  PLANNING 

IMU  ALIGNMENT 

DEORBIT  BURN  TARGETING  PRIORITIES 
CG  PLANNING 
DOWNTRACK  ERROR 

SUN  ANGLE  LIMITS  AND  GLARE  CRITERIA  FOR  INNER  AND  OUTER  GLIDE  SLOPES 

HAC  SELECTION  CRITERIA 

ENERGY  DOWNMODING 

MANEUVER  EXECUTION  MATRIX 

ORBITER  LANDING  WEIGHT 

A4-160  THROUGH  A4-200  RULES  ARE  RESERVED 

ENTRY 

DELTA-T  UPDATE  CRITERIA 


KEY-4 


VOLUME  A  KEY 


NEW  RULE  # 

OLD  RULE  # 

RULE  TITLE 

A4-202 

A4 . 1 . 5-2 

DEORBIT  BURN  COMPLETION 

A4-203 

A4 . 1 . 5-3 

ENTRY  NAVIGATION  UPDATE  PHILOSOPHY 

A4-204 

A4 . 1 . 5-4 

DELTA  STATE  POSITION  UPDATES 

A4-205 

A4 . 1 . 5-5 

DELTA  STATE  VELOCITY  UPDATES 

A4-206 

A4 . 1 . 5-6 

NAVIGATION  FILTER  MANAGEMENT  AUTO/ INHIBIT/FORCE 

A4-207 

A4 . 1 . 5-7 

ENTRY  LIMITS 

A4-208 

A4 . 1 . 5-8 

ENTRY  TAKEOVER  RULES 

A4-209 

A4 . 1 . 5-9 

AERO  TEST  MANEUVERS 

A4-210 

A4 . 1 . 5-10 

EOM  ENTRY  DTO/ RUNWAY  SELECTION  PRIORITIES 

A4-211  THROUGH  A4-250  RULES  ARE  RESERVED 

RANGE  SAFETY  FLIGHT  RULES 

A4-251 

A4 . 1 . 6-0 

SIGNATURE  SECTION 

A4-252 

A4 . 1 . 6-1 

POLICY 

A4-253 

A4 . 1 . 6-2 

DEFINITIONS 

A4-254 

A4 . 1 . 6-3 

FCO  TO  MCC  WARNING  NOTIFICATION 

A4-255 

A4 . 1 . 6-4 

MCC  TO  FCO  REPORTING 

A4-256 

A4 . 1 . 6-5 

CONTROLLABILITY 

A4-257 

A4 . 1 . 6-6 

FLIGHT  TERM I NAT I ON /MANUAL  MECO  EVALUATION 

A4-258 

A4 . 1 . 6-7 

FLIGHT  TERM I NAT I ON /MANUAL  MECO  CRITERIA 

A4-259 

A4 . 1 . 6-8 

FLIGHT  TERM I NAT I ON /MANUAL  MECO  ACTION 

A4-260 

A4 . 1 . 6-9 

RANGE  SAFETY  LIMIT  AVOIDANCE  ACTIONS 

(AIF) 


SECTION  A5  -  BOOSTER 


A5-1 

A5 . 1 . 1-1 

A5-2 

A5 . 1 . 1-2 

A5-3 

A5 . 1 . 1-3 

A5-4 

A5 . 1 . 1-4 

A5-5 

A5 . 1 . 1-5 

A5-6 

A5 . 1 . 1-6 

A5-10 

A5 . 1 . 1-7 

A5-11 

A5 . 1 . 1-8 

A5-12 

A5 . 1 . 1-9 

A5-13 

A5 . 1 . 1-10 

A5-7 

A5 . 1 . 1-11 

NONE 

A5 . 1 . 1-12 

A5-8 

A5 . 1 . 1-13 

A5-9 

A5 . 1 . 1-14 

A5-51 

A5 . 1 . 2-1 

A5-101 

A5 . 1 . 3-1 

A5-102 

A5 . 1 . 3-2 

A5-103 

A5 . 1 . 3-3 

A5-104 

A5 . 1 . 3-4 

A5-105 

A5 . 1 . 3-5 

A5-106 

A5 . 1 . 3-6 

A5-108 

A5 . 1 . 3-7 

A5-109 

A5 . 1 . 3-8 

A5-110 

A5 . 1 . 3-9 

A5-111 

A5 . 1 . 3-10 

A5-112 

A5 . 1 . 3-11 

A5-107 

A5 . 1 . 3-12 

A5-113 

A5 . 1 . 3-13 

A5-114 

A5 . 1 . 3-14 

A5-151 

A5 . 1 . 4-1 

A5-152 

A5 . 1 . 4-2 

A5-153 

A5 . 1 . 4-3 

A5-154 

A5 . 1 . 4-4 

A5-155 

A5 . 1 . 4-5 

A5-156 

A5 . 1 . 4-6 

A5-157 

A5 . 1 . 4-7 

FAILURE  DEFINITIONS 

LOSS  OF  SRB  THRUST  VECTOR  CONTROL  (TVC) 

SPACE  SHUTTLE  MAIN  ENGINE  OUT 

STUCK  THROTTLE 

DATA  PATH  FAILURE 

SUSPECT  ENGINE 

SSME  REDLINE  SENSOR  FAILED 

SIGNIFICANT  ENGINE  HELIUM  SYSTEM  LEAK 

SIGNIFICANT  PNEUMATIC  SYSTEM  HELIUM  LEAK 

INSUFFICIENT  PNEUMATIC  HELIUM  ACCUMULATOR  PRESSURE 

MPS  DUMPS  AND  VACUUM  INERTING  DEFINITIONS 

SSME  ONE  REDLINE  SENSOR  FAILURE  AWAY  FROM  AN  ERRONEOUS  SHUTDOWN 
RESERVED 

SPACE  SHUTTLE  MAIN  ENGINE  TYPES 
LH2  ULLAGE  LEAK 

A5-14  THROUGH  A5-50  RULES  ARE  RESERVED 

SRB  SYSTEMS  MANAGEMENT 

LOSS  OF  SRB  THRUST  VECTOR  CONTROL  (TVC) 

A5-52  THROUGH  A5-100  RULES  ARE  RESERVED 

SSME  SYSTEMS  MANAGEMENT 

ABORT  CUE  REQUIREMENT 
AUTO/MANUAL  SHUTDOWN 
LIMIT  SHUTDOWN  CONTROL 

DATA  PATH  FAIL/ENGINE-ON  LIMIT  SHUTDOWN  CONTROL 

DATA  PATH  FAIL/ENGINE-OUT  ACTION 

MANUAL  SHUTDOWN  FOR  COMMAND/DATA  PATH  FAILURES 

MANUAL  SHUTDOWN  FOR  HYDRAULIC  OR  ELECTRICAL  LOCKUP 

MANUAL  SHUTDOWN  FOR  TWO  STUCK  THROTTLES  (NOT  DUAL  APU  FAILURES) 

SSME  PERFORMANCE  DISPERSION 

AC  BUS  SENSOR  ELECTRONICS  CONTROL  [CIL] 

MANUAL  THROTTLEDOWN  FOR  L02  NPSP  PROTECTION  AT  SHUTDOWN 
MANUAL  SHUTDOWN  FOR  SUSPECT  COMMAND  PATH  FAILURES 
MANUAL  MECO/MECO  CONFIRMED 

SSME  HYDRAULIC  REPRESSURIZATION/POSTLANDING  SSME  REPOSITIONING 
A5-115  THROUGH  A5-150  RULES  ARE  RESERVED 

MPS  MANAGEMENT:  PRELAUNCH  THROUGH  MECO 

PRE-MECO  MPS  HELIUM  SYSTEM  LEAK  ISOLATION  [CIL] 

PRE-MECO  MPS  HELIUM  SYSTEM  INTERCONNECTS  [CIL] 

PRE-MECO  SHUT  DOWN  OF  ENGINES  DUE  TO  MPS  HELIUM  LEAKS 
LH2  TANK  PRESSURIZATION  [CIL] 

LIMIT  SHUTDOWN  CONTROL  AND  MANUAL  THROTTLING  FOR  LOW  LH2  NPSP 
ABORT  PREFERENCE  FOR  SYSTEMS  FAILURES 
ET  LOW  LEVEL  CUTOFF  SENSOR  FAILED  DRY 
A5-158  THROUGH  A5-200  RULES  ARE  RESERVED 


KEY-5 


VOLUME  A  KEY 


NEW  RULE  #  OLD  RULE  # 


A5-202 
A5-203 
|  A5-208 
A5-204 
A5-205 
A5-206 
NONE 
A5-207 
|  A5-209 
A5-210 
A5-201 


A5 . 1 . 5-1 
A5. 1.5-2 
A5. 1.5-3 
A5. 1.5-4 
A5 . 1 . 5-5 
A5. 1.5-6 
A5 . 1 . 5-7 
A5. 1.5-8 
A5 . 1 . 5-9 
A5. 1.5-10 
A5. 1.5-11 


RULE  TITLE 

MPS  MANAGEMENT:  POST-MECO 

ET  SEPARATION  INHIBIT  FOR  17-INCH  DISCONNECT  FAILURE  [OIL] 
MPS  PROPELLANT  MANIFOLD  OVERPRESSURE  [OIL] 

POST-MECO  AND  ENTRY  HELIUM  ISOLATION 
MANUAL  MPS  DUMP 

NOMINAL,  AO A,  AND  ATO  MPS  DUMP  FAILURES 

MANUAL  VACUUM  INERTING  REQUIREMENTS  (NOMINAL,  ATO,  AOA) 
RESERVED 

LH2  PRESSURIZATION  VENT  CONTROL 
ENTRY  MPS  HELIUM  PURGE/MANIFOLD 
ENTRY  MPS  PROPELLANT  DUMP  FAILURES  [CIL] 

MPS  DUMP  INHIBIT  [CIL] 


SECTION  A6  -  PROPULSION 


FAILURE  DEFINITIONS 


A6-1 

A6 . 1 . 1-1 

OMS/RCS  HELIUM  TANK 

A6-2 

A6 . 1 . 1-2 

OMS  PROPELLANT  TANK 

(OXIDIZER 

OR 

FUEL) 

A6-3 

A6 . 1 . 1-3 

OMS  ENGINE 

A6-4 

A6 . 1 . 1-5 

OMS  N2  TANK 

A6-5 

A6 . 1 . 1-4 

OMS  N2  ACCUMULATOR 

A6-6 

A6 . 1 . 1-8 

OMS/RCS  CROSSFEED  LINE 

A6-7 

A6 . 1 . 1-7 

RCS  PROPELLANT  TANK 

(OXIDIZER 

OR 

FUEL) 

A6-8 

A6 . 1 . 1-6 

RCS  THRUSTER 

A6-9 

A6 . 1 . 1-10 

RCS  JET  HEATER 

A6-10  THROUGH  A6-50  RULES  ARE  RESERVED 


OMS/RCS  MANAGEMENT 

A6. 1.2-17  OMS  FAILURE  MANAGEMENT  [CIL] 

A6. 1.2-18  RCS  FAILURE  MANAGEMENT 

A6. 1.2-21  OMS  HELIUM  INGESTION 

A6. 1.2-4  OMS  PROPELLANT  FAIL  FEED  CONSTRAINTS  [CIL] 

A6. 1.2-1  OMS  N2  TANK  FAILURE  MANAGEMENT 

A6. 1.2-15  OMS  N2  REGULATOR  FAILURE  MANAGEMENT 

A6. 1.1-11  AFT  RCS  PROPELLANT  TANK  FAIL/HELIUM  INGESTION 

A6. 1.2-23  RCS  REGULATOR  FAILURE  TROUBLESHOOTING 

A6. 1.2-24  LOSS  OF  AFT  RCS  LEAK  DETECTIONS 

A6. 1.2-9  RCS  MANIFOLD  CLOSURE  CRITERIA 

A6. 1.2-11  RCS  MANIFOLD/OMS  CROSSFEED  LINE  REPRESSURIZATION  [CIL] 

A6. 1.2-14  OMS/RCS  CONTINUOUS  VALVE  POWER  MANAGEMENT 

A6. 1.2-35  RCS  BFS  PVT  INIT  PRELAUNCH  CRITERIA 

A6-64  THROUGH  A6-100  RULES  ARE  RESERVED 


OMS  ENGINE  MANAGEMENT 

A6. 1.2-33  OMS  ENGINE  BELL  MOVEMENT  DURING  ASCENT 

A6. 1.2-5  OMS  PROPELLANT  SETTLING  REQUIREMENT 

A6. 1.2-34  OMS  BURN  DOWNLIST  REQUIREMENT 

A6. 1.2-8  OMS  ENGINE  INSTRUMENTATION  REQUIREMENT 

A6. 1.2-28  OMS  BURN  MINIMUM  PRESSURE  REQUIREMENTS 

A6. 1.2-6  OMS  ENGINE  BURN  TO  DEPLETION 

A6. 1.2-25  OMS  ENGINE  FAILURE  MANAGEMENT 

A6. 1.2-7  OMS  BALL  VALVE  FAILURE  MANAGEMENT 

A6-109  THROUGH  A6-150  RULES  ARE  RESERVED 

RCS  THRUSTER  MANAGEMENT 

A6. 1.2-22  RCS  JET  DRIVER  MANAGEMENT  [CIL] 

A6. 1.2-26  RCS  ENTRY  HOTFIRE  CHECK 

A6. 1.2-20  RCS  JET  MAXIMUM  BURN  TIME 

A6. 1.2-27  RCS  VERNIER  OPERATION  TERMINATION 

A6. 1.2-31  SUSPECT  RCS  JET  REPRIORITIZATION  CRITERIA 

A6. 1.2-19  RCS  RM  LOSS  MANAGEMENT 

A6. 1.2-12  RCS  JET  FAILED  OFF  HOTFIRE  TEST 

A6.1.2-29  RCS  LEAKING  JET  MANAGEMENT 

A6. 1.2-32  FAILED  PRCS  JET  RESELECTION  PRIORITY 

A6-160  THROUGH  A6-200  RULES  ARE  RESERVED 


OMS/RCS  LEAK  MANAGEMENT 

A6-201  A6. 1.2-2  OMS/RCS  LEAKING  HE  TANK  BURN 

A6-202  A6. 1.2-3  OMS  LEAKING  HE  SYSTEM  BURN 


A6-151 

A6-152 

A6-153 

A6-154 

A6-155 

A6-156 

A6-157 

A6-158 

A6-159 


A6-101 

A6-102 

A6-103 

A6-104 

A6-105 

A6-106 

A6-107 

A6-108 


A6-51 

A6-52 

A6-53 

A6-54 

A6-55 

A6-56 

A6-57 

A6-58 

A6-59 

A6-60 

A6-61 

A6-62 

A6-63 


KEY-6 


VOLUME  A  KEY 


NEW  RULE  # 

A6-203 

A6-204 

A6-205 

A6-206 


A6-251 

A6-252 

A6-253 

A6-254 

A6-255 

A6-256 

A6-257 

A6-258 


A6-301 

A6-302 

A6-303 

A6-304 

A6-305 


A6-351 

A6-352 

A6-353 

A6-354 

A6-355 

A6-356 

A6-357 

A6-358 

A6-359 


OLD  RULE  # 

A6. 1.2-30 
A6. 1.2-36 
A6. 1.2-10 
A6. 1.2-16 


A6. 1.3-1 
A6 . 1 . 1-9 
A6. 1.3-2 
A6. 1.3-3 
A6. 1.3-4 
A6. 1.3-5 
A6. 1.3-6 
A6. 1.3-7 


A6. 1.5-1 
A6 . 1 . 5-2 
A6. 1.5-3 
A6 . 1 . 5-4 
A6. 1.5-5 


A6 . 1 . 4-1 
A6 . 1 . 4-2 
A6 . 1 . 4-3 
A6 . 1 . 4-4 
A6 . 1 . 4-5 
A6 . 1 . 4-6 
A6. 1.2-13 
A6. 1.5-6 
A6. 1.5-7 


RULE  TITLE 

OMS  LEAKING  INLET  LINE  PERIGEE  ADJUST  BURN 
OMS  GN2  ACCUMULATOR  LEAK  DETERMINATION 
RCS  LEAKING  PROPELLANT  TANK  BURN 
RCS  MANIFOLD/LEG  LEAK  PRESSURIZATION 
A6-207  THROUGH  A6-250  RULES  ARE  RESERVED 

THERMAL  REDLINES  AND  MANAGEMENT 

GENERAL 

OMS/RCS  POD  HEATER 

FORWARD  RCS  MODULE  TEMPERATURE  MANAGEMENT 

OMS/RCS  PODS  TEMPERATURE  MANAGEMENT 

OMS/RCS  CROSSFEED  LINES  TEMPERATURE  MANAGEMENT 

OMS/RCS  HEATER  PERFORMANCE  MONITORING 

RCS  JET  TEMPERATURE  MANAGEMENT 

ARCS  BULK  PROPELLANT  TEMPERATURE  MANAGEMENT 

A6-259  THROUGH  A6-300  RULES  ARE  RESERVED 

CONSUMABLES  DEFINITIONS  AND  REDLINES 

OMS  USABLE  PROPELLANT 
RCS  USABLE  PROPELLANT 
OMS  REDLINES  [CIL] 

FORWARD  RCS  REDLINES 
AFT  RCS  REDLINES 

A6-306  THROUGH  A6-350  RULES  ARE  RESERVED 

CONSUMABLES  MANAGEMENT 

OMS  PROPELLANT  MANAGEMENT  MATRIX 
OMS  PROPELLANT  BUDGET  GROUND  RULES 
CG  MANAGEMENT 

RCS  ENTRY  REDLINE  PROTECTION 

OMS  PROPELLANT  DEFICIENCY  FOR  DEORBIT 

DEORBIT  PLANNING  CRITERIA 

FORWARD  RCS  CONTINGENCY  PROPELLANT  AVAILABLE 
VIOLATION  OF  MISSION  COMPLETION  REDLINES  MATRIX 
RCS  PROPELLANT  CONSERVATION  PRIORITIES 
A6-360  THROUGH  A6-400  RULES  ARE  RESERVED 


A6-1001 


OMS/RCS  GO/NO-GO  CRITERIA 

A6. 1.5-8  OMS/RCS  GO/NO-GO  CRITERIA  [CIL] 


SECTION  A 7  -  DATA  SYSTEMS 


GPC  &  DATA  PATH  MANAGEMENT 


A7-1 

A7 . 1 . 2-1 

PASS  DPS  FAILURE 

A7-2 

A7 . 1 . 2-3 

UNRECOVERABLE  GPC 

A7-3 

A7 . 1 . 3-3 

GPC  FAILURE 

A7-4 

A7 . 1 . 2-4 

TRANSIENT  GPC 

A7-5 

A7 . 1 . 3-10 

PASS  GPC  BCE  FAILURE  MANAGEMENT 

A7-6 

A7 . 1 . 3-4 

DATA  PATH  FAILURE 

A7-7 

A7 . 1 . 3-16 

POWERED  OFF  GPC  ACTION  (101S) 

A7-8 

A7 . 1 . 3-1 

REDUNDANT  SET  FAILURE 

A7-9 

A7 . 1 . 3-2 

REDUNDANT  SET  SPLIT 

A7-10 

A7 . 1 . 1-3 

GNC  GPC  REACTIVATION  PRIORITY 

A7-11 

A7 . 1 . 1-4 

GNC  GPC  REDUNDANCY  REQUIREMENTS 

A7-12 

A7 . 1 . 1-2 

PASS/BFS  REDUNDANCY 

A7-13 

A7 . 1 . 3-5 

GPC  MAJOR  FUNCTION  CONFIGURATION 

A7-14 

A7 . 1 . 3-19 

GNC  3  ARCHIVE  MANAGEMENT 

A7-15 

A7 . 1 . 3-17 

SM  OPS  4  TRANSITION  REQUIREMENTS 

A7-16 

A7 . 1 . 3-6 

GPC  MEMORY  WRITE  CRITERIA  [CIL] 

A7-17 

A7 . 1 . 3-7 

GPC  MEMORY  DUMP  CRITERIA 

A7-17  THROUGH  A7-50  RULES  ARE  RESERVED 

BFS  SYSTEMS  MANAGEMENT 

A7-51 

A7 . 1 . 2-2 

BFS  DPS  FAILURE 

A7-52 

A7 . 1 . 4-1 

ASCENT/ENTRY  BFS  MANAGEMENT  GUIDELINES 

A7-53 

A7 . 1 . 4-2 

ON-ORBIT  BFS  MANAGEMENT  GUIDELINES 

A7-54  THROUGH  A7-100  RULES  ARE  RESERVED 

OTHER  DPS  SYSTEMS  MANAGEMENT 

A7-101 

A7 . 1 . 3-11 

POWER  CYCLING/MANAGEMENT 

A7-102 

A7 . 1 . 3-8 

PASS  DATA  BUS  ASSIGNMENT  CRITERIA 

A7-103 

A7 . 1 . 3-9 

I/O  RESET 

KEY-7 


VOLUME  A  KEY 


NEW  RULE  # 

A7-104 

A7-105 

A7-106 

A7-107 

A7-108 

A7-109 


A7-151 


A7-201 


A7-1001 


A8-1 

A8-2 

A8-3 

A8-4 

A8-5 

A8-6 

A8-7 

A8-8 

A8-9 

A8-10 

A8-11 

A8-12 

A8-13 

A8-14 

A8-15 

A8-16 

A8-17 

A8-18 

A8-19 

A8-20 

NONE 


A8-51 

A8-52 

A8-53 

A8-54 

A8-55 

A8-56 

A8-57 

A8-58 

A8-59 

A8-60 

A8-61 


A8-101 

NONE 

A8-102 

A8-103 

A8-104 

A8-105 

A8-106 

A8-107 

A8-108 

A8-109 

A8-110 


OLD  RULE  #  RULE  TITLE 


A7. 1.3-18 
A7. 1.3-12 
A7. 1.3-13 
A7. 1.3-14 
A7. 1.3-22 
A7. 1.3-15 


NONUNIVERSAL  I/O  ERROR  ACTION 

MDM  PORT  MODING 

MMU  OPERATIONS 

TIME  MANAGEMENT 

DEU  EQUIVALENT  CRITERIA 

IN-FLIGHT  MAINTENANCE  ( IFM) 

A7-110  THROUGH  A7-150  RULES  ARE  RESERVED 

PAYLOAD  SPECIFIC  DPS  SYSTEMS  MANAGEMENT 


A7. 1.3-21  CONSTRAINTS  ON  PORT  MODING  OR  I/O  RESETS 

A7-152  THROUGH  A7-200  RULES  ARE  RESERVED 


DPS  EOM  REQUIREMENTS/DEFINITIONS 

A7. 1.1-1  DPS  REDUNDANCY  REQUIREMENTS 

A7-202  THROUGH  A7-200  RULES  ARE  RESERVED 

DPS  GO/NO-GO  MATRIX 

A7. 1.5-1  DPS  GO/NO-GO  MATRIX 


SECTION  A8  -  GUIDANCE,  NAVIGATION,  AND  CONTROL  (GNSC) 


A8 . 1 . 1-1 
A8 . 1 . 1-2 
A8 . 1 . 1-3 
A8 . 1 . 1-4 
A8 . 1 . 1-5 
A8 . 1 . 1-6 
A8 . 1 . 1-7 
A8 . 1 . 1-8 
A8 . 1 . 1-9 
A8 . 1 . 1-10 
A8 . 1 . 1-11 
A8 . 1 . 1-12 
A8 . 1 . 1-13 
A8 . 1 . 1-14 
A8 . 1 . 1-15 
A8 . 1 . 1-16 
A8 . 1 . 1-17 
A8 . 1 . 1-18 
A8 . 1 . 1-19 
A8 . 1 . 1-20 
A8 . 1 . 1-21 


A8. 1.2-1 
A8. 1.2-2 
A8. 1.2-3 
A8. 1.2-4 
A8. 1.2-5 
A8. 1.2-6 
A8. 1.2-7 
A8. 1.2-8 
A8. 1.2-9 
A8. 1.2-10 
A8. 1.2-11 


A8. 1.3-1 
A8. 1.3-2 
A8. 1.3-3 
A8. 1.3-4 
A8. 1.3-5 
A8. 1.3-6 
A8. 1.3-7 
A8. 1.3-8 
A8. 1.3-9 
A8. 1.3-10 
A8. 1.3-11 


GENERAL 

FCS  DOWNMODE 

SSME  THRUST  VECTOR  CONTROL  (TVC)  HARDOVER 

LOSS  OF  GNC  SYSTEM 

FAULT  TOLERANCE  PHILOSOPHY 

ACCELEROMETER  ASSEMBLIES  (AA)  FAULT  TOLERANCE 

CONTROLLERS /FCS  SWITCHING  FAULT  TOLERANCE 

ENTRY  SYSTEMS  SINGLE-FAULT  TOLERANCE  VERIFICATION 

ENTRY  SYSTEMS  RM  DILEMMA 

AFT  STATION  GNC  REDUNDANCY 

POWER/DATA  PATH  REDUNDANCY 

LOSS  OF  BFS 

HEAD  UP  DISPLAY  (HUD)  AND  CREW  OPTICAL  ALIGNMENT  SIGHT  (COAS)  ALIGNMENT 

RTLS  ET  SEPARATION 

POWER  MANAGEMENT 

GNC  PARAMETERS/LRU  FAILURES 

GNC  SYSTEMS  FAILURES 

EQUIPMENT  REQUIRED  FOR  EMERGENCY  AUTOLAND 
LANDING  SYSTEMS  REQUIREMENTS 
YAW  JET  DOWNMODE 

ENTRY  ELEVON  SCHEDULE  SELECTION  CRITERIA 
RESERVED 

A8-21  THROUGH  A8-50  RULES  ARE  RESERVED 

FAILURE  DEFINITIONS 

PHILOSOPHY 
SENSOR  FAILURES 
OMS  TVC  LOSS 

FIRST  STAGE  LOSS  OF  CONTROL  DEFINITION 

ET  SEPARATION  RCS  REQUIREMENTS 

BFS  LRU  REQUIREMENTS 

PRELAUNCH  IMU  HOLD 

ADI  LOSS 

IMU  BITE  FAILURE  DEFINITION 
LOSS  OF  VERNIER  RCS  DAP  MODE 

SSME  SHUTDOWN  DUE  TO  HYDRAULIC  SYSTEM  FAILURES 
A8-62  THROUGH  A8-100  RULES  ARE  RESERVED 

MANAGEMENT 

BEEP  TRIM  DEROTATION 
RESERVED 

RGA  SYSTEM  MANAGEMENT  [CIL] 

PRIORITY  RATE  LIMITING  (PRL)  SYSTEMS  MANAGEMENT 

FCS  CHECKOUT 

CONTROLLERS 

TVC-SSME  STOW/ACTUATOR  FLUID  FILL  (REPRESSURIZATION) 

FCS  CHANNEL  MANAGEMENT 

HUD/COAS  SYSTEM  MANAGEMENT 

STAR  TRACKER  SYSTEM  MANAGEMENT  [CIL] 

IMU  SYSTEM  MANAGEMENT 


KEY-8 


VOLUME  A  KEY 


NEW  RULE  # 

A8-111 

A8-112 

A8-113 

A8-114 


A8-1001 


A9-1 

A9-2 

A9-3 

A9-4 


A9-51 
A9-52 
A9-53 
A9-54 
A9-55 
A9-5  6 
A9-57 
A9-58 
A9-59 
A9-60 
A9-61 
A9-62 


A9-101 

A9-102 

A9-103 

A9-104 

A9-105 

A9-106 

A9-107 

A9-108 

A9-109 

A9-110 


A9-151 

A9-152 

A9-153 

A9-154 

A9-155 

A9-156 

A9-157 

A9-158 

A9-159 

A9-160 

A9-161 


A9-201 

A9-202 

A9-203 

A9-204 

A9-205 


A9-251 

A9-252 

A9-253 

A9-254 


OLD  RULE  # 


A8. 1.3-12 
A8. 1.3-13 
A8. 1.3-14 
A8. 1.3-15 


A8 . 1 . 6-1 


RULE  TITLE 

GNC  AIR  DATA  SYSTEM  MANAGEMENT  [CIL] 
AEROSURFACE  ACTUATOR  PROTECTION 
OMS  TVC  SYSTEM  MANAGEMENT 
ENTRY  BODY  BENDING  FILTER  SELECTION 
A8-115  THROUGH  A8-150  RULES  ARE  RESERVED 

GNC  GO/NO-GO  CRITERIA 

GNC  GO/NO-GO  CRITERIA 


SECTION  A9  -  ELECTRICAL 


A9 . 1 . 1-1 
A9 . 1 . 1-2 
A9 . 1 . 1-3 
A9 . 1 . 1-4 


A9. 1.2-1 
A9. 1.2-2 
A9. 1.2-3 
A9. 1.2-4 
A9. 1.2-5 
A9. 1.2-6 
A9 . 1 . 2-7 
A9. 1.2-8 
A9. 1.2-9 
A9. 1.2-10 
A9. 1.2-11 
A9. 1.2-12 


A9. 1.3-1 
A9. 1.3-2 
A9. 1.3-3 
A9. 1.3-4 
A9. 1.3-5 
A9. 1.3-6 
A9. 1.3-7 
A9. 1.3-8 
A9. 1.3-9 
A9. 1.3-10 


A9 . 1 . 4-1 
A9 . 1 . 4-2 
A9 . 1 . 4-3 
A9 . 1 . 4-4 
A9 . 1 . 4-5 
A9 . 1 . 4-6 
A9 . 1 . 4-7 
A9 . 1 . 4-8 
A9 . 1 . 4-9 
A9  . 1 . 4-10 
A9  . 1 . 4-11 


A9. 1.5-1 
A9. 1.5-2 
A9. 1.5-3 
A9. 1.5-4 
A9. 1.5-5 


A9 . 1 . 6-1 
A9 . 1 . 6-2 
A9 . 1 . 6-3 
A9 . 1 . 6-4 


LOSS/FAILURE  DEFINITIONS 

FUEL  CELL  (FC)  LOSS  [CIL] 

FC  ALTERNATE  H20  SYSTEM  LOSS 

ELECTRICAL  POWER  DISTRIBUTION  AND  CONTROL  (EPDC)  SYSTEM  [CIL] 
CAUTION  AND  WARNING  (C&W) 

A9-5  THROUGH  A9-50  RULES  ARE  RESERVED 

FUEL  CELL  SYSTEMS  MANAGEMENT 

FC  POWER  LEVEL  CONSTRAINTS 
FC  PURGE 

FC  H20  SYSTEM  HEATERS 
FC  STANDBY  DEFINITION 
FC  SHUTDOWN  DEFINITION  [CIL] 

FC  SAFING 
REUSABLE  FC 
FC  SUSTAINER  HEATER 

FC  -  CELL  PERFORMANCE  MONITOR  [CIL] 

FC  COOLANT  PUMP  FAILURE  MANAGEMENT  [CIL] 

ACTIONS  FOR  FUEL  CELL  PH  INDICATIONS 
FUEL  CELL  MONITORING  SYSTEM  DATA  TAKE 
A9-63  THROUGH  A9-100  RULES  ARE  RESERVED 

DC  POWER  DISTRIBUTION  AND  CONTROL  SYSTEMS  MANAGEMENT 

DC  BUS  VOLTAGE  LIMITS 
ESSENTIAL  BUS 

POWER  REDUCTION  GUIDELINES 

MAIN  BUS  SHORT 

CB/RPC  RESET 

CONTROL  BUS 

MAIN  BUS  TIE  [CIL] 

CRITICAL  PHASE  BUS  MANAGEMENT 
PRIMARY  PAYLOAD  BUS  MANAGEMENT 
PREFLIGHT  TEST  BUS  MANAGEMENT 
A9-111  THROUGH  A9-150  RULES  ARE  RESERVED 

AC  POWER  DISTRIBUTION  AND  CONTROL  SYSTEMS  MANAGEMENT 

AC  INVERTER  MANAGEMENT 

AC  BUS  SENSORS  SWITCH  MANAGEMENT 

AC  BUS  LOADING 

AC  LOAD  MANAGEMENT  DURING  ASCENT 

AC  INVERTER  THERMAL  LIFE 

LOSS  OF  SINGLE-PHASE  AC 

LOSS  OF  TWO-PHASE  AC 

AC  POWER  TRANSFER  CABLE 

MOTOR  CONTROL  ASSEMBLY  (MCA) 

CAUTION  AND  WARNING  (C&W)  [CIL] 

HYDRAULIC  CIRCULATION  PUMP  OPERATION 
A9-162  THROUGH  A9-200  RULES  ARE  RESERVED 

CRYOGENIC  LOSS/FAILURE  DEFINITIONS 

02  (H2 )  MANIFOLD 

CRYO  TANK 

CRYO  TANK  ANNULUS  VACUUM 
CRYO  HEATER 

02  DELTA  CURRENT  SENSOR 

A9-206  THROUGH  A9-250  RULES  ARE  RESERVED 

CRYOGENIC  SYSTEMS  MANAGEMENT 

CRYO  HEATER  MANAGEMENT  FOR  ASCENT 
CRYO  HEATER  MANAGEMENT  FOR  ORBIT  [CIL] 

CRYO  TANK  HEATER  TEMPERATURE  MANAGEMENT 
CRYO  HEATERS  DEACTIVATION 


KEY-9 


VOLUME  A  KEY 


NEW  RULE  # 

A9-255 

A9-256 

A9-257 

A9-258 

A9-259 

A9-260 

A9-261 

A9-262 


A9-301 

A9-302 


NONE 

A9-351 

A9-352 

A9-353 

A9-354 

A9-355 

A9-356 

A9-357 

A9-358 


A9-1001 


A10-1 


A10-21 

A10-22 

A10-23 

A10-24 

A10-25 

A10-26 

A10-27 

A10-28 

A10-29 

A10-30 

A10-31 

A10-32 

A10-33 


A10-51 


A10-71 

A10-72 

A10-73 

A10-74 


A10-101 


A10-121 

A10-122 


OLD  RULE  #  RULE  TITLE 


A9 . 1 . 6-5 
A9 . 1 . 6-6 
A9 . 1 . 6-7 

A9 . 1 . 6-8 
A9 . 1 . 6-9 
A9 . 1 . 6-10 
A9 . 1 . 6-11 
A9 . 1 . 6-12 


A9 .6.1-1 
A9 .6.1-2 


A9. 6.2-1 
A9. 6.2-9 
A9. 6.2-2 
A9. 6.2-3 
A9. 6.2-4 
A9. 6.2-5 
A9. 6.2-6 
A9. 6.2-7 
A9. 6.2-8 


A9. 1.7-1 


02  DELTA  CURRENT  SENSOR 

CRYO  02/H2  TANK  QUANTITY  BALANCING 

POWER  REACTANT  STORAGE  AND  DISTRIBUTION  (PRSD)  H2  AND  02  REDLINE 
DETERMINATION 

CRYO  02  AND  H2  PRESSURE  MANAGEMENT 
CRYO  02/H2  MANIFOLD  VALVES 
CRYO  SYSTEM  LEAKS  [CIL] 

IMPENDING  LOSS  OF  ALL  CRYO 
EDO  PALLET  MANAGEMENT 

A9-263  THROUGH  A9-300  RULES  ARE  RESERVED 

SPACEHAB  SUPPORT 

SPACEHAB  DC  BUSES 
SPACEHAB  AC  INVERTER 

A9-303  THROUGH  A9-350  RULES  ARE  RESERVED 

SPACEHAB  ELECTRICAL  POWER  SUBSYSTEM  (EPS)  MANAGEMENT 

RESERVED 

ELECTRICAL  POWER  SUBSYSTEM  (EPS)  CONSTRAINTS 

SPACEHAB  MAIN  BUS  MANAGEMENT 

SPACEHAB  EMERGENCY  BUS  LOSS 

SPACEHAB  AC  MANAGEMENT 

FUSE/CIRCUIT  BREAKER  MANAGEMENT 

FUEL  CELL  FAILURE  MANAGEMENT 

SPACEHAB  SURVIVAL  POWER  CONFIGURATION 

CAUTION  AND  WARNING  (C&W) 

A9-359  THROUGH  A9-400  RULES  ARE  RESERVED 

ELECTRICAL  GO/NO-GO  CRITERIA 

ELECTRICAL  GO/NO-GO  CRITERIA 


SECTION  A10  -  MECHANICAL 


A10 . 1 . 1-1 


A10. 1.2-1 
A10. 1.2-2 
A10. 1.2-3 
A10. 1.2-4 
A10. 1.2-5 
A10. 1.2-6 
A10. 1.2-7 
A10. 1.2-8 
A10. 1.2-9 
A10. 1.2-10 
A10. 1.2-11 
A10. 1.2-12 
A10. 1.2-13 


A10. 1.3-1 


A10 . 1 . 4-1 
A10 . 1 . 4-2 
A10 . 1 . 4-3 
A10 . 1 . 4-4 


A10 . 1 . 5-1 


A10 . 1 . 6-1 
A10 . 1 . 6-2 


AUXILIARY  POWER  UNIT  (APU)  LOSS  FAILURE/DEFINITION 

APU  LOSS  DEFINITIONS 

A10-2  THROUGH  A10-20  RULES  ARE  RESERVED 

APU  SYSTEMS  MANAGEMENT 

LOSS  OF  APU/HYDRAULIC  SYSTEM (S)  ACTIONS 
APU  START/RESTART  LIMITS 
APU  ENTRY  START  TIME 

APU  OIL/GEARBOX  TEMPERATURE/PRESSURE 
APU  HIGH  SPEED  SELECTION/SHIFT 
APU  AUTO  SHUTDOWN  INHIBIT  MANAGEMENT 
APU  FUEL  LEAKS  [CIL] 

AOA  APU/HYDRAULIC  SYSTEM  OPERATIONS 

FCS  CHECKOUT  APU  OPERATIONS 

LOSS  OF  APU  HEATERS/INSTRUMENTATION  [CIL] 

APU  FREEZE/THAW 
APU/HYD  CONSUMABLES 
APU  DEFINITIONS 

A10-34  THROUGH  A10-50  RULES  ARE  RESERVED 

HYDRAULIC  SYSTEMS  LOSS/FAILURE  DEFINITIONS 

HYDRAULIC  LOSS  DEFINITIONS 

A10-52  THROUGH  A10-70  RULES  ARE  RESERVED 

HYDRAULIC  SYSTEMS  MANAGEMENT 

HYDRAULIC  SYSTEMS  CONFIGURATION 
HYDRAULIC  LEAKS 

HYDRAULIC  SYSTEMS  PRESSURE/TEMPERATURE  [CIL] 
HYDRAULIC  CIRCULATION  PUMP  OPERATION  [CIL] 

A10-75  THROUGH  A10-100  RULES  ARE  RESERVED 

WATER  SPRAY  BOILER  (WSB)  LOSS/FAILURE  DEFINITIONS 

WSB  LOSS  DEFINITIONS 

A10-102  THROUGH  A1 0-120  RULES  ARE  RESERVED 

WSB  SYSTEMS  MANAGEMENT 

WSB  CONFIGURATION 
LOSS  OF  WSB(S)  ACTIONS 

A1 0-123  THROUGH  A10-140  RULES  ARE  RESERVED 


KEY-10 


VOLUME  A  KEY 


NEW  RULE  #  OLD  RULE  #  RULE  TITLE 

LANDING/DECEL  SYSTEMS  MANAGEMENT 

A10-141  A10. 1.7-1  NOSE  WHEEL  STEERING  (NWS) 

A10-142  A10. 1.8-1  TIRE  PRESSURE  [OIL] 

A10-143  A10. 1.8-2  DRAG  CHUTE  DEPLOY  TECHNIQUES 

A10-144  A10. 1.8-3  DRAG  CHUTE  DEPLOY  CONSTRAINTS 

A10-145  A10. 1.8-4  UNCOMMANDED  BRAKE  PRESSURE  [CIL] 

A10-146  A10. 1.8-5  BRAKING 

A10-147  THROUGH  A10-160  RULES  ARE  RESERVED 

MECHANICAL  SYSTEMS  LOSS/FAILURE  DEFINITIONS 

A10-161  A10. 1.9-1  DRIVE  MECHANISMS  LOSS  DEFINITIONS 

A10-162  THROUGH  A10-180  RULES  ARE  RESERVED 

GENERAL  MECHANISMS  SYSTEMS  MANAGEMENT 

A10-181  A10. 1.10-1  DRIVE  MECHANISMS 

A10-182  THROUGH  A10-200  RULES  ARE  RESERVED 

PAYLOAD  DOOR  (PLBD)  SYSTEMS  MANAGEMENT 

A10-201  A10. 1.11-1  PLBD  GENERAL 

A10-202  A10. 1.11-2  PLBD  VISUAL  CUES 

A10-203  A10. 1.11-3  PLBD  CRITICAL  LATCHES 

A10-204  A10. 1.11-4  FAILED  PLBD  GPC  SEQUENCE 

A10-205  A10. 1.11-5  PLBD  CLEARANCE  CONSTRAINTS 

A10-206  A10. 1.11-6  PLBD  CLOSE  GO/NO-GO 

A10-207  A10. 1.11-7  PLBD  OVERLAP 

A10-208  A10. 1.11-8  CONTINGENCY  PLBD  CLOSURE 

A10-209  A10. 1.11-9  PLBD  RULE  REFERENCE  MATRIX 

A10-210  THROUGH  A10-220  RULES  ARE  RESERVED 


RADIATOR  SYSTEMS  MANAGEMENT 

A10-221  A10. 1.12-1  RADIATOR  MECHANICAL 

A10-222  A10. 1.12-2  RADIATOR  VISUAL  CUES 

A10-223  THROUGH  A10-240  RULES  ARE  RESERVED 

ET  UMBILICAL  DOORS  SYSTEMS  MANAGEMENT 

A10-241  A10. 1.13-1  ET  UMBILICAL  DOOR  KEYBOARD  ENTRY 

A10-242  A10. 1.13-2  ET  UMBILICAL  DOORS  ON  ORBIT 

A10-243  A10. 1.13-3  ET  UMBILICAL  DOOR  CLOSURE  DELAY  FOR  DISCONNECT  VALVE  FAILURE  [CIL] 

A10-244  THROUGH  A10-260  RULES  ARE  RESERVED 

VENT  DOOR  SYSTEMS  MANAGEMENT 

A10-261  A10. 1.14-1  VENT  DOOR  MANAGEMENT 

A10-262  THROUGH  A10-280  RULES  ARE  RESERVED 

PAYLOAD  RETENTION  LATCHES  (PRLA)  SYSTEMS  MANAGEMENT 

A10-281  A10. 1.15-1  PRLA' S/AKA'S 

A10-282  THROUGH  A10-300  RULES  ARE  RESERVED 

KU-BAND  ANTENNA  DEPLOY  MECHANISM  SYSTEMS  MANAGEMENT 

A10-301  A10. 1.16-1  ANTENNA  STOW  REQUIREMENT  [CIL] 

A10-302  A10. 1.16-2  DAP  CONFIGURATION  FOR  ANTENNA  STOW 

A10-303  A10. 1.16-3  ANTENNA  CONTINGENCY  PROCEDURES 

NONE  A10. 1.16-4  RESERVED 

A10-304  THROUGH  A10-320  RULES  ARE  RESERVED 

REMOTELY  OPERATED  ELECTRICAL/FLUID  UMBILICAL  (ROEU/ROFU)  SYSTEMS 
MANAGEMENT 

A10-321  A10. 1.19-1  ROEU/ROFU  OPERATIONS 

A10-322  THROUGH  A10-340  RULES  ARE  RESERVED 

ANDROGYNOUS  PERIPHERAL  DOCKING  SYSTEM  (APDS)  SYSTEMS  MANAGEMENT 

A10-341  A10. 1.18-1  APDS  CONFIGURATION 

A10-342  A10. 1.18-2  APDS  PRESSURE/TEMPERATURE 

A10-343  A10. 1.18-3  APDS  MECHANISM  END  OF  TRAVEL  INDICATIONS 

A10-344  A10. 1.18-4  APDS  DOCKING  SEQUENCE  OPERATIONS 

A10-345  A10. 1.18-5  APDS  RECONFIGURATION  AFTER  FAILED  DOCKING 

A10-346  A10. 1.18-6  APDS  REDUNDANCY  REQUIREMENTS 

A10-347  THROUGH  A10-360 

VIEWPORT  SYSTEMS  MANAGEMENT 

A10-361  A10.6.1-1  VIEWPORT  (VP) 


KEY-11 


VOLUME  A  KEY 


NEW  RULE  # 

A10-362 

A10-363 

A10-364 

A10-365 


A10-381 

A10-382 

A10-383 

A10-384 

A10-385 


A10-1001 


All-1 

All-2 

All-3 

All-4 

All-5 

All-6 

All-7 

All-8 

All-9 

All-10 

All-11 

All-12 

All-13 

All-14 

All-15 

All-16 

All-17 

All-18 

All-19 

All-20 

All-21 

All-22 

NONE 

All-23 


All-51 

All-52 

All-53 

All-54 

All-55 

All-56 

All-57 

All-58 

All-59 

All-60 

All-61 

All-62 

All-63 

All-64 

All-65 

All-66 

All-67 

All-68 

All-69 

All-70 

All-71 

All-72 

All-73 

All-74 

All-75 

All-76 


OLD  RULE  #  RULE  TITLE 


A10.6.1-2 

A10.6.1-3 

A10.6.1-4 

A10.6.1-5 


A10 . 1 . 17-1 
A10 . 1 . 17-2 
A10 . 1 . 17-3 
A10 . 1 . 17-4 
A10 . 1 . 17-5 


A10. 1.20-1 


CRACKED  VIEWPORT 

VIEWPORT  CONFIGURATION  FOR  CLOSED  SPACEHAB  HATCH 
LOSS  OF  VP  PRESSURE  INTEGRITY 
EVA  REQUIREMENTS  FOR  FAILED  VP  OUTER  COVER 
A10-366  THROUGH  A10-380  RULES  ARE  RESERVED 

STRUCTURAL  MANAGEMENT 

THERMAL  WINDOWPANE  FAILURE  [CIL] 

PRESSURE/REDUNDANT  WINDOWPANE  FAILURE 

BAILOUT/POSTLANDING  EMERGENCY  EGRESS  PYROTECHNICS  MANAGEMENT 

MAXIMUM  NUMBER  OF  FILLED  CWC' S 

FILLED  CWC  STOWAGE  MANAGEMENT 

A10-386  THROUGH  A10-400  RULES  ARE  RESERVED 

MMACS  GO/NO-GO  CRITERIA 

MMACS  GO/NO-GO  CRITERIA 


SECTION  All  -  COMMUNICATIONS 


SYSTEM  MANAGEMENT  RULES 


All . 1 . 1-1 
All . 1 . 1-2 
All . 1 . 1-3 
All . 1 . 1-4 
All . 1 . 1-5 
All . 1 . 1-6 
All . 1 . 1-7 
All . 1 . 1-8 
All . 1 . 1-9 
All . 1 . 1-10 
All . 1 . 1-11 
All . 1 . 1-12 
All . 1 . 1-13 
All . 1 . 1-14 
All . 1 . 1-15 
All . 1 . 1-16 
All . 1 . 1-17 
All . 1 . 1-18 
All . 1 . 1-19 
All . 1 . 1-20 
All . 1 . 1-21 
All . 1 . 1-22 
All . 1 . 1-23 
All . 1 . 1-24 


COMMUNICATIONS  DURING  ASCENT 
S-BAND/UHF  LAUNCH  REQUIREMENT 
UPLINK  HANDOVER  DURING  ASCENT  FROM  KSC 
ORBITER  DATA  PRIORITY  DURING  ASCENT/ENTRY 
POSTLANDING  S-BAND  ANTENNA  SELECTION 

MINIMUM  COMMUNICATIONS  REQUIREMENTS  FOR  SCHEDULED  EVA 

KU-BAND  OPERATIONS  DURING  EVA 

ORBITER  S-BAND  OPERATIONS  DURING  EVA 

RECORDER  USAGE 

UHF  USAGE 

S-BAND  FM  USAGE 

S-BAND  PM  USAGE 

S-BAND  PAYLOAD  USAGE 

CREW  ALERT  SPC'S 

ELBOW  CAMERA/PAYLOAD  INTERFERENCE  [CIL] 

KU-BAND  MANAGEMENT 

PI  CHANNELS  AND  S-BD  FREQUENCIES  COMPATIBILITIES 
COMSEC  USAGE 
UPLINK  BLOCK 

UPLINK  COMMANDING  DURING  OPS  TRANSITIONS 
CRITICAL  UPLINK  COMMAND  POLICY 
TWO-STAGE  COMMAND  BUFFER  TLM  REJECT 
RESERVED 

KU  BAND  TRANSMITTER  INHIBITED  DURING  ACQUISITION  OF  TDRS  INSIDE  THE  RF 
PROTECT  BOX 

All-24  THROUGH  All-50  RULES  ARE  RESERVED 

SYSTEM  FAILURE  RULES 


All. 1.2-1 

LOSS 

OF 

TWO-WAY  VOICE 

All. 1.2-2 

LOSS 

OF 

BOTH  VOICE  AND  COMMAND 

All. 1.2-3 

LOSS 

OF 

COMMAND 

All. 1.2-4 

LOSS 

OF 

TELEMETRY 

All. 1.2-5 

LOSS 

OF 

KU-BAND 

All. 1.2-6 

LOSS 

OF 

KU-BAND  TEMPERATURE  CONTROL  [CIL] 

All. 1.2-7 

LOSS 

OF 

KU-BAND  TEMPERATURE  MONITORING  CAPABILITY 

All. 1.2-8 

LOSS 

OF 

TRANSPONDERS 

All. 1.2-9 

FM  SYSTEM  IFM  GROUND  RULE 

All. 1.2-10 

LOSS 

OF 

TDRS  TRACKING  CAPABILITY 

All. 1.2-11 

LOSS 

OF 

S-BAND  PREAMPS  AND  POWER  AMPS 

All. 1.2-12 

LOSS 

OF 

ANTENNA  ELECTRONICS 

All. 1.2-13 

LOSS 

OF 

NSP '  S 

All. 1.2-14 

LOSS 

OF 

COMMUNICATIONS  SECURITY  (COMSEC) 

All. 1.2-15 

AUDIO  CENTRAL  CONTROL  UNIT  (ACCU) 

All. 1.2-16 

LOSS 

OF 

ACCU' S 

All. 1.2-17 

LOSS 

OF 

THE  PLT  AND  MS  ATU' S 

All. 1.2-18 

LOSS 

OF 

INTERCOM 

All. 1.2-19 

LOSS 

OF 

UHF 

All. 1.2-20 

LOSS 

OF 

GCIL 

All. 1.2-21 

LOSS 

OF 

RECORDERS 

All. 1.2-22 

LOSS 

OF 

TV 

All. 1.2-23 

LOSS 

OF 

OCA 

All. 1.2-24 

PCM  MASTER  UNIT  (PCMMU) 

All. 1.2-25 

LOSS 

OF 

PCMMU' S 

All. 1.2-26 

LOSS 

OF 

OI  MDM 

KEY-12 


VOLUME  A  KEY 


NEW  RULE  # 

All-77 


All-1001 


A12-1 

A12-2 

A12-3 

A12-4 

A12-5 

A12-6 

A12-7 

A12-8 

A12-9 


A12-51 

A12-52 

A12-53 


A12-71 

A12-72 

A12-73 

A12-74 


A12-91 

A12-92 


A12-111 

A12-112 

A12-113 

A12-114 

A12-115 

A12-116 

A12-117 

A12-118 

NONE 


A12-141 

A12-142 

A12-143 


A12-161 

A12-162 

A12-163 

A12-164 


A12-181 

A12-182 


A12-1001 


OLD  RULE  # 

All. 1.2-27 


All. 1.3-1 


RULE  TITLE 

LOSS  OF  ANY  01  DSC 

All-78  THROUGH  All-100  RULES  ARE  RESERVED 

COMMUNICATIONS  GO/NO-GO  CRITERIA 

COMMUNICATIONS  GO/NO-GO  CRITERIA 


SECTION  A12  -  ROBOTICS 


A12 . 1 . 1-1 
A12 . 1 . 1-2 
A12 . 1 . 1-3 
A12 . 1 . 1-4 
A12 . 1 . 1-5 
A12 . 1 . 1-6 
A12 . 1 . 1-7 
A12 . 1 . 1-8 
A12 . 1 . 1-9 


A12. 1.2-1 
A12. 1.2-2 
A12. 1.2-3 


A12. 1.3-1 
A12. 1.3-2 
A12. 1.3-3 
A12. 1.3-4 


A12 . 1 . 4-1 
A12 . 1 . 4-2 


A12 . 1 . 5-1 
A12 . 1 . 5-2 
A12 . 1 . 5-3 
A12 . 1 . 5-4 
A12 . 1 . 5-5 
A12 . 1 . 5-6 
A12 . 1 . 5-7 
A12 . 1 . 5-8 
A12 . 1 . 5-9 


A12 . 1 . 6-1 
A12 . 1 . 6-2 
A12 . 1 . 6-3 


A12 . 1 . 7-1 
A12 . 1 . 7-2 
A12 . 1 . 7-3 
A12 . 1 . 7-4 


A12 . 1 . 8-1 
A12 . 1 . 8-2 


A12 . 1 . 9-1 


GENERAL 

EVA  FOR  RMS  OPERATIONS 
UNATTENDED  RMS  CONSTRAINTS 
TEMPERATURE  CONSTRAINTS  [CIL] 

RMS  ACTIVITY  TERMINATION 

ORBITER  AVOIDANCE  MANEUVERS  CONSTRAINT  [CIL] 

OMS/RCS  CONSTRAINTS 

RMS  IFM  D&C  KIT 

RMS  OPCODE  UPLINKS 

RMS  MCIU  BITE  OVERRIDES  [CIL] 

A12-10  THROUGH  A12-50  RULES  ARE  RESERVED 

MPM/MRL  LOSS/FAILURE  DEFINITIONS 

MPM/MRL  POSITIONING 
MPM  FAILED  IN  TRANSIT 
MRL  FAILED  IN  TRANSIT 

A12-54  THROUGH  A12-70  RULES  ARE  RESERVED 

MPM/MRL  SYSTEMS  MANAGEMENT 

MPM/MRL  CYCLING 

MPM  DEPLOY/STOW  CONSTRAINTS 

MRL  CONSTRAINTS 

INADVERTENT  MPM  CYCLING  PROTECTION  [CIL] 
A12-75  THROUGH  A12-90  RULES  ARE  RESERVED 


RMS  PREOPERATION  SYSTEM  MANAGEMENT 

SHOULDER  BRACE  OPERATION 
RMS  CHECKOUT 

A12-93  THROUGH  A12-110  RULES  ARE  RESERVED 

RMS  DRIVE  SYSTEM  MANAGEMENT 

MODE  AVAILABILITY  DRIVE  CONSTRAINT 
FIELD  OF  VIEW  CONSTRAINT  [CIL] 

AUTO  MODE  ENTRY  CONSTRAINT  [CIL] 

ORBITER  PROXIMITY  CONSTRAINTS  [CIL] 

INOPERATIVE  BRAKE  CONSTRAINT  [CIL] 

AUTO  BRAKES  CONSTRAINT  [CIL] 

CONTINGENCY  STOP  [CIL] 

POHS  AND  LEFT-HANDED  COORDINATE  SYSTEMS 
RESERVED 

A12-119  THROUGH  A12-140  RULES  ARE  RESERVED 

END  EFFECTOR  (EE)  LOSS/FAILURE  DEFINITIONS 

EE  BACKUP  RELEASE 
EE  CAPTURE/RIGIDIZE 
EE  RELEASE/DERIGIDIZE 

A12-144  THROUGH  A12-160  RULES  ARE  RESERVED 

END  EFFECTOR  SYSTEM  MANAGEMENT 

PAYLOAD  GRAPPLE  CONSTRAINTS 
EE  MODE  SWITCH  CONSTRAINTS  [CIL] 

CAPTURE  AND  RELEASE  PROXIMITY  CONSTRAINT  [CIL] 

PAYLOAD  RELEASE  DURING  BERTHING 

A12-165  THROUGH  A12-180  RULES  ARE  RESERVED 

RMS  JETTISON  SYSTEM  MANAGEMENT 

JETTISON  SYSTEM  CONSTRAINT 
RMS /PAYLOAD  JETTISON 

A12-183  THROUGH  A12-200  RULES  ARE  RESERVED 

RMS  GO/NO-GO  CRITERIA 

RMS  GO/NO-GO  CRITERIA 


KEY-13 


VOLUME  A  KEY 


NEW  RULE  # 


A13-1 

A13-2 


A13-21 

A13-22 

A13-23 

A13-24 

A13-25 

A13-26 

A13-27 

A13-28 

A13-29 

A13-30 

A13-31 

A13-32 

A13-33 


A13-51 

A13-52 

A13-53 

A13-54 


A13-101 

A13-102 

A13-103 

A13-104 

A13-105 


A13-151 

A13-152 

A13-153 

A13-154 

A13-155 

A13-156 

NONE 

NONE 


A13-201 

A13-202 

A13-203 


A14-1 

A14-2 

A14-3 

A14-4 

A14-5 

A14-6 

A14-7 

A14-8 

A14-9 


OLD  RULE  #  RULE  TITLE 


SECTION  A13  -  AEROMED 


A13 . 1 . 1-1 
A13 . 1 . 1-2 


A13. 1.2-1 
A13. 1.2-2 
A13. 1.2-9 
A13. 1.2-10 
A13. 1.2-11 
A13. 1.2-19 
A13. 1.2-20 
A13. 1.2-21 
A13. 1.2-25 
A13. 1.2-28 
A13. 1.2-30 
A13. 1.2-22 
A13. 1.2-31 


A13. 1.2-3 
A13. 1.2-4 
A13. 1.2-5 
A13. 1.2-6 


A13. 1.2-8 
A13. 1.2-29 
A13. 1.2-7 
A13. 1.2-26 
A13. 1.2-27 


A13. 1.2-12 
A13. 1.2-13 
A13. 1.2-14 
A13. 1.2-17 
A13. 1.2-15 
A13. 1.2-16 
A13. 1.2-23 
A13. 1.2-24 


A13. 1.3-1 
A13. 1.3-2 
A13. 1.3-3 


ASCENT 

ASCENT  ABORT 

SPACEHAB  SAFE  ATMOSPHERE  REQUIREMENTS  -  UNPOWERED  ASCENT 
A13-3  THROUGH  A13-20  RULES  ARE  RESERVED 

ON-ORBIT 

EARLY  FLIGHT  TERMINATION 
ONBOARD  MEDICAL  KIT 

PRIVATE  MEDICAL  COMMUNICATION  (PMC) 

CPHS  PROTOCOLS 

CREW  AWAKE  TIME  CONSTRAINT 

ACCELERATION  RESTRICTIONS  ON  MEDICAL  PROCEDURES 
LOWER  BODY  NEGATIVE  PRESSURE  (LBNP ) 

LBNP  TEST  TERMINATION  CRITERIA 
NOISE  LEVEL  CONSTRAINTS 
IODINE  REMOVAL  REQUIREMENT 
CREW  CABIN  TEMPERATURE  LIMITS 
INTENSE  CYCLE  EXERCISE 
EXERCISE  REQUIREMENTS 

A13-34  THROUGH  A13-50  RULES  ARE  RESERVED 

ATMOSPHERE 

CABIN  PRESSURE 

PPC02  CONSTRAINT 

MINIMUM  PP02  CONSTRAINTS 

100  PERCENT  OXYGEN  USE  CONSTRAINT 

A13-55  THROUGH  A13-100  RULES  ARE  RESERVED 

EVA  OPERATIONS 

SCHEDULED  AND  UNSCHEDULED  EVA  CONSTRAINTS 
MAXIMUM  EVA  DURATION  CONSTRAINTS 
EVA  PREBREATHE  PROTOCOL 

DECOMPRESSION  SICKNESS  SYMPTOMS  AND  CREW  DISPOSITION 
DECOMPRESSION  SICKNESS  RESPONSE  AND  TREATMENT 
A13-106  THROUGH  A13-150  RULES  ARE  RESERVED 

HAZARD  MANAGEMENT 

HOT  CABIN  ATMOSPHERE 

CABIN  ATMOSPHERE  CONTAMINATION 

BROKEN  GLASS/HAZARDOUS  SUBSTANCE  CONSTRAINT 

HAZARDOUS  SPILL  LEVEL  DEFINITIONS 

ORBITER  HAZARDOUS  SUBSTANCE  SPILL  RESPONSE 

SPACEHAB  HAZARDOUS  SUBSTANCE  SPILL  RESPONSE 

RESERVED 

RESERVED 

A13-157  THROUGH  A13-200  RULES  ARE  RESERVED 

ENTRY 

ANTI-G  SUIT  PROTOCOL  (ANTI-ORTHOSTATIC  COUNTERMEASURE) 
FLUID  LOADING 

TANK  B  WATER  CONTINGENCY  USE 


SECTION  A14  -  SPACE  ENVIRONMENT 


A14 . 1 . 1-1 
A14 . 1 . 1-2 
A14 . 1 . 1-3 
A14 . 1 . 1-4 
A14 . 1 . 1-5 
A14 . 1 . 1-6 
A14 . 1 . 1-7 
A14 . 1 . 1-8 
A14 . 1 . 1-9 


DEFINITIONS 

UNCONFIRMED  ARTIFICIAL  EVENT  DEFINITION 

CONFIRMED  ARTIFICIAL  EVENT  DEFINITION 

SOLAR  PARTICLE  EVENT  WARNING  DEFINITION 

SOLAR  PARTICLE  EVENT  DEFINITION 

GEOMAGNETIC  STORM  DEFINITION 

OTHER  RADIATION  EVENT  DEFINITION 

RADIATION  ENVIRONMENT  CONDITION  DEFINITION 

PROJECTED  OPERATIONAL  DOSE  LIMIT  VIOLATION  DEFINITION 

ALARA  DEFINITION 


KEY-14 


VOLUME  A  KEY 


NEW  RULE  # 

A14-10 

A14-11 

A14-12 


A14-51 

A14-52 

A14-53 

A14-54 

NONE 

NONE 

A14-55 


A14-1001 


A15-1 

A15-2 

A15-3 

A15-4 

A15-5 

A15-6 

A15-7 

A15-8 

A15-9 

A15-10 

A15-11 

A15-12 

A15-13 

A15-14 

A15-15 

A15-16 

A15-17 

A15-18 

A15-19 

A15-20 

A15-21 

A15-22 

A15-23 

A15-24 

A15-25 

A15-26 


A15-101 

A15-102 

NONE 


A15-151 

A15-152 

A15-153 

NONE 

NONE 

NONE 

NONE 

NONE 

NONE 

A15-154 

NONE 

A15-155 


A15-201 


OLD  RULE  #  RULE  TITLE 


A14 . 1 . 1-10 
A14 . 1 . 1-11 
A14 . 1 . 1-12 


A14 . 1.2-1 
A14 . 1.2-2 
A14 . 1.2-3 
A14 . 1.2-4 
A14 . 1.2-5 
A14 . 1.2-6 
A14 . 1.2-7 


A14 . 1 . 3-1 


LEGAL  EXPOSURE  LIMITS  [HC] 

SHUTTLE  ADMINISTRATIVE  LIMIT  [HC] 

HIGH  DOSE  RATE  LIMITS  [HC] 

A14-13  THROUGH  A14-50  RULES  ARE  RESERVED 

MANAGEMENT 

CREW  RADIATION  EXPOSURE  LIMITS  [HC] 

ACTIONS  REQUIRED  FOR  RADIATION  ENVIRONMENT  CONDITIONS  -  PRELAUNCH 
ACTIONS  REQUIRED  FOR  RADIATION  ENVIRONMENT  CONDITIONS  -  ON  ORBIT  [HC] 
GO/NO-GO  CRITERIA  FOR  EVA  BASED  ON  RADIATION  EXPOSURE  [HC] 

RESERVED 

RESERVED 

DOWNGRADING  TO  NOMINAL  FROM  ALERT  OR  CONTINGENCY 
A14-56  THROUGH  A14-100  RULES  ARE  RESERVED 

SPACE  ENVIRONMENT  GO/NO-GO  CRITERIA 

SPACE  ENVIRONMENT  GO/NO-GO  CRITERIA  [HC] 


SECTION  A15  —  EXTRAVEHICULAR  ACTIVITY  (EVA) 


A15 . 1 . 1-1 
A15 . 1 . 1-2 
A15 . 1 . 1-3 
A15 . 1 . 1-4 
A15 . 1 . 1-5 
A15 . 1 . 1-6 
A15 . 1 . 1-7 
A15 . 1 . 1-8 
A15 . 1 . 1-9 
A15 . 1 . 1-10 
A15 . 1 . 1-11 
A15 . 1 . 1-12 
A15 . 1 . 1-13 
A15 . 1 . 1-14 
A15 . 1 . 1-15 
A15 . 1 . 1-16 
A15 . 1 . 1-17 
A15 . 1 . 1-18 
A15 . 1 . 1-19 
A15 . 1 . 1-20 
A15 . 1 . 1-21 
A15 . 1 . 1-22 
A15 . 1 . 1-23 
A15 . 1 . 1-24 
A15 . 1 . 1-25 
A15 . 1 . 1-26 


A15. 1 .2-1 
A15. 1 .2-2 
A15. 1 .2-3 


A15 . 1 . 3-1 
A15 . 1 . 3-2 
A15 . 1 . 3-3 
A15 . 1 . 3-4 
A15 . 1 . 3-5 
A15 . 1 . 3-6 
A15 . 1 . 3-7 
A15 . 1 . 3-8 
A15. 1.3-9 
A15 . 1 . 3-10 
A15 . 1 . 3-11 
A15 . 1 . 3-12 


A15 . 1 . 4-1 


GENERAL 

EVA  TIME  DEFINITION 

TERMINATE  EVA  DEFINITION 

ABORT  EVA  DEFINITION 

SCHEDULED  EVA  DEFINITION 

UNSCHEDULED  EVA  DEFINITION 

CONTINGENCY  EVA  DEFINITION 

MINIMUM  RF  COMMUNICATIONS  DEFINITION 

OPERATIONAL  CAUTION  AND  WARNING  SYSTEM  (CWS)  DEFINITION 

TWO/ONE-CREWMEMBER  EVA  GUIDELINES 

EVA  CREWMEMBER (S)  SUPPORT 

SAFETY  TETHER  REQUIREMENTS 

HAZARDOUS  EQUIPMENT  SAFING 

AIRLOCK  CONFIGURATION 

SCHEDULED  AND  UNSCHEDULED  EVA  CONSTRAINTS 
CONTINGENCY  EVA  PROTECTION 
EVA  TERMINATION  FOR  CABIN  LEAK 
PAYLOAD  BAY  CONFIGURATION  POST-EVA 
PAYLOAD  OPERATION/DEPLOY  GUIDELINE 
UNSCHEDULED  EVA  PREPARATION 
ECG  TELEMETRY  CHECKOUT 
LEAKING  RCS  THRUSTER/APU  AVOIDANCE 
RCS/APU  THRUSTER  PLUME  AVOIDANCE 

EV  CREW  IN  VICINITY  OF  ACTIVE  PAYLOAD  RETENTION  LATCH  ASSEMBLIES 
EVA  OPERATIONS  IN  THE  GENERIC  PAYLOAD  BAY  ENVELOPE 
ORBITER  EVA  OPERATIONS  NEAR  S-BAND  ANTENNAS 

KEEPOUT  ZONE  FOR  EVA  OPERATIONS  NEAR  THE  ORBITER  UHF  PAYLOAD  BAY  ANTENNA 
A15-27  THROUGH  A15-100  RULES  ARE  RESERVED 

LOSS/FAILURE  DEFINITIONS 

EVA  CAPABILITY 

EMU  GO/NO-GO  CRITERIA 

RESERVED 

A15-103  THROUGH  A15-150  RULES  ARE  RESERVED 

SYSTEMS  MANAGEMENT 

DENITROGENATION 

EMU  CONSUMABLES  WITH  REAL-TIME  EMU  DATA  DOWNLINK 

EMU  CONSUMABLES  WITHOUT  REAL-TIME  EMU  DATA  DOWNLINK 

RESERVED 

RESERVED 

RESERVED 

RESERVED 

RESERVED 

RESERVED 

EMU  CONSUMABLES  PRE-EVA 
RESERVED 

MANIPULATOR  FOOT  RESTRAINT  (MFR)  AND  PFR  ATTACHMENT  DEVICE  (PAD) 
GUIDELINES 

A15-156  THROUGH  A15-200  RULES  ARE  RESERVED 

EXTERNAL  AIRLOCK 

EXTERNAL  AIRLOCK  HATCH  THERMAL  COVER 


KEY-15 


VOLUME  A  KEY 


NEW  RULE  #  OLD  RULE  #  RULE  TITLE 

A15-202  A15. 1.4-2  EXTERNAL  AIRLOCK  LCG  PRESSURE  AND  TEMPERATURE  MANAGEMENT  USING  THE  EMU 

A15-203  A15. 1.4-3  CABIN  ATMOSPHERE  DECONTAMINATION  FOLLOWING  EVA 

A15-204  A15. 1.4-4  EXTERNAL  AIRLOCK  EMU  SERVICING  CONSTRAINTS 

A15-205  A15. 1.4-5  EMU  DECONTAMINATION  DURING  EVA 


SECTION  A16  -  POSTLANDING 


GENERAL 

CONVOY  POSITIONING 

VEHICLE  SYSTEM  RECONFIGURATION  CONSTRAINT 
PRECREW  EGRESS  TROUBLESHOOTING  CONSTRAINT 
VEHICLE  SYSTEM  MODING  CONSTRAINT 
MEMORY  RECONFIGURATION  CONSTRAINT 
RECORDER  DUMP 
GOM  HANDOVER 

CREW  EGRESS  METHOD  DETERMINATION  (FOR  MODE  V  EGRESS) 
SSME  REPOSITIONING  CONSTRAINT 
NORMAL  POSTLANDING  OPERATIONS 
EXPEDITED  POWERDOWN 
EMERGENCY  POWERDOWN 
SIDE  HATCH  OPENING  CONSTRAINT 
A16-14  THROUGH  A16-50  RULES  ARE  RESERVED 

COOLING 

A1 6. 1.2-1  NO  GROUND  COOLING/EARLY  VEHICLE  POWER  TERMINATION 

A1 6. 1.2-2  EXTENDED  COOLING 

A1 6. 1.2-3  FREON  LOOP  CONFIGURATION 

A1 6. 1.2-4  AMMONIA  BOILER  MANAGEMENT 

A16-55  THROUGH  A16-100  RULES  ARE  RESERVED 

ET  UMBILICAL  DOOR 

A16-101  A16. 1.3-1  ET  UMBILICAL  DOOR  POSITIONING 

A16-102  THROUGH  A16-150  RULES  ARE  RESERVED 

VENT  DOORS 

A16-151  A16. 1.4-1  VENT  DOOR  POSITIONING 

A16-152  THROUGH  A16-200  RULES  ARE  RESERVED 

APU/HYDRAULIC 

A16-201  A16. 1.5-1  HYDRAULIC  CIRCULATION  PUMP  OPERATION 

A16-202  A16. 1.5-2  APU  REQUIREMENTS 

A16-203  A16. 1.5-3  APU/HYDRAULIC  LOAD  TEST  TERMINATION 

A16-204  A16. 1.5-4  WINDWARD  APU  OPERATION  CONSTRAINT 

A16-205  A16. 1.5-5  EARLY  APU  SHUTDOWN 

A16-206  THROUGH  A16-250  RULES  ARE  RESERVED 

FUEL  CELLS 

A16-251  A16. 1.6-1  FUEL  CELL  LIFETIME 

A1 6-252  THROUGH  A1 6-300  RULES  ARE  RESERVED 

CONT  AMI  NAT  I  ON  /  F  L  AMMAB I L I T  Y 

A1 6-301  A1 6. 1.7-1  CONTAMINATION/FLAMMABILITY/TOXICITY 

A1 6-302  A1 6. 1.7-2  EMERGENCY  OXYGEN  SYSTEM  REQUIREMENTS 


SECTION  A17  -  LIFE  SUPPORT 

SMOKE  DETECTION/FIRE  SUPPRESSION  LOSS  DEFINITIONS 

A17. 1.1-1  FIRE/POST-FIRE  DEFINITIONS 

A17. 1.1-2  SMOKE  DETECTION  LOSS  DEFINITION 

A17. 1.1-3  FORWARD  AVIONICS  BAY  FIRE  SUPPRESSION 

A17-4  THROUGH  A17-50  RULES  ARE  RESERVED 

SMOKE  DETECTION/FIRE  SUPPRESSION  MANAGEMENT 

A17-51  A17. 1.2-1  MANAGEMENT  FOLLOWING  LOSS  OF  SMOKE  DETECTION 

A17-52  A17. 1.2-2  MANAGEMENT  FOLLOWING  LOSS  OF  FIRE  SUPPRESSION  IN  AN  AVIONICS  BAY 

A17-53  A17. 1.2-3  FIRE  AND  POST-FIRE  ACTIONS 

A17-54  A17. 1.2-4  MANAGEMENT  FOLLOWING  HALON  DISCHARGE  WITHOUT  FIRE  CONFIRMATION 

A17-55  THROUGH  A17-100  RULES  ARE  RESERVED 


A17-1 

A17-2 

A17-3 


A16-51 

A16-52 

A16-53 

A16-54 


A16-1 

A16-2 

A16-3 

A16-4 

A16-5 

A16-6 

A16-7 

A16-8 

A16-9 

A16-10 

A16-11 

A16-12 

A16-13 


A16. 1.1-1 
A16. 1.1-2 
A16. 1.1-3 
A16. 1.1-4 
A16. 1.1-5 
A16. 1.1-6 
A16. 1.1-7 
A16. 1.1-8 
A16. 1.1-9 
A16. 1.1-10 
A16. 1.1-11 
A16. 1.1-12 
A16. 1.1-13 


KEY-16 


VOLUME  A  KEY 


NEW  RULE  # 


A17-101 

A17-102 

A17-103 

A17-104 

A17-105 

A17-106 


A17-151 

A17-152 

A17-153 

A17-154 

A17-155 

A17-156 

A17-157 

A17-158 


A17-201 

A17-202 

A17-203 

A17-204 

A17-205 

A17-206 


A17-251 

A17-252 

A17-253 

A17-254 

A17-255 

A17-256 

A17-257 

A17-258 

NONE 

A17-259 

A17-260 


A17-301 

A17-302 

A17-303 

A17-304 

A17-305 

A17-306 

A17-307 

A17-308 

A17-309 


A17-351 

A17-352 

A17-353 

A17-354 


A17-401 

A17-402 

A17-403 

A17-404 

A17-405 


A17-451 

A17-452 


OLD  RULE  #  RULE  TITLE 


A17 . 1.3-1 
A17 . 1.3-2 
A17 . 1.3-3 
A17 . 1.3-4 
A17 . 1.3-5 
A17 . 1.3-6 


A17 . 1 . 4-1 
A17 . 1 . 4-2 
A17 . 1 . 4-3 
A17 . 1 . 4-4 
A17 . 1 . 4-5 
A17 . 1 . 4-6 
A17 . 1 . 4-7 
A17 . 1 . 4-8 


A17 . 1 . 5-1 
A17 . 1 . 5-2 
A17 . 1 . 5-3 
A17 . 1 . 5-4 
A17 . 1 . 5-5 
A17 . 1 . 5-6 


A17 . 1 . 6-1 
A17 . 1 . 6-2 
A17 . 1 . 6-3 
A17 . 1 . 6-4 
A17 . 1 . 6-5 
A17 . 1 . 6-6 
A17 . 1 . 6-7 
A17 . 1 . 6-8 
A17 . 1 . 6-9 
A17 . 1 . 6-10 
A17 . 1 . 6-11 


A17 . 1 . 7-1 
A17 . 1 . 7-2 
A17 . 1 . 7-3 
A17 . 1 . 7-4 
A17 . 1 . 7-5 
A17 . 1 . 7-6 
A17 . 1 . 7-7 
A17 . 1 . 7-8 
A17 . 1 . 7-9 


A17 . 1 . 8-1 
A17 . 1 . 8-2 
A17 . 1 . 8-3 
A17 . 1 . 8-4 


A17 . 1 . 9-1 
A17 . 1 . 9-2 
A17 . 1 . 9-3 
A17 . 1 . 9-4 
A17 . 1 . 9-5 


A17 . 1 . 10-1 
A17 . 1 . 10-2 


ATMOSPHERE  REVITALIZATION  SYSTEM  (ARS)  AIR  LOSS  DEFINITIONS 

CABIN  FAN 

CABIN  ATMOSPHERIC  CONTROL 
LOSS  OF  AVIONICS  BAY  FAN 
I MO  FAN 

AVIONICS  BAY  COOLING 

REGENERATIVE  C02  REMOVAL  SYSTEM  (RCRS)  LOSS  DEFINITION 
A17-107  THROUGH  A17-150  RULES  ARE  RESERVED 

ARS  AIR  SYSTEM  MANAGEMENT 

CABIN  ATMOSPHERE  CONTROL 

CABIN  TEMPERATURE  CONTROL  AND  MANAGEMENT 
CABIN/AVIONICS  BAY  FAN  MANAGEMENT 
MANAGEMENT  OF  DEGRADED  ROTATING  EQUIPMENT 
REGENERATIVE  C02  REMOVAL  SYSTEM  (RCRS)  MANAGEMENT 
RCRS  MANUAL  SHUTDOWN  CRITERIA 
LI OH  REDLINE  DETERMINATION 

MANAGEMENT  OF  LIOH  CANS  FOR  ADDITIONAL  DAYS 
A17-159  THROUGH  A17-200  RULES  ARE  RESERVED 

PRESSURE  CONTROL  SYSTEMS  (PCS)  LOSS  DEFINITIONS 

CABIN  PRESSURE  INTEGRITY 

8  PSIA  CABIN  CONTINGENCY  165-MINUTE  RETURN  CAPABILITY 
PP02  CONTROL 
N2  SUPPLY 

PP02  SENSOR  LOSS  DEFINITION 

LES  02  SUPPLY  SYSTEM  LOSS  DEFINITION 

A17-207  THROUGH  A17-250  RULES  ARE  RESERVED 

PCS  SYSTEMS  MANAGEMENT 

NORMAL  PCS  CONFIGURATION 
CABIN  PRESSURE  RELIEF  VALVES 
CABIN  VENT  VALVES 
CABIN  02  CONCENTRATION 

8  PSIA  EMERGENCY  CABIN  CONFIGURATION 
02  BLEED  ORIFICE  MANAGEMENT 
N2  SYSTEM  MANAGEMENT 

LOSS  OF  CABIN  INTEGRITY  TMAX  DEFINITION  AND  TIG  SELECTION 
RESERVED 

LES  02  SUPPLY  SYSTEM  LOSS  MANAGEMENT 

PCS  02 /N2  CONTROLLER  CHECKOUT 

A17-261  THROUGH  A17-300  RULES  ARE  RESERVED 

10.2  PSIA  CABIN  ATMOSPHERE  OPERATION 

CABIN  ATMOSPHERE  MANAGEMENT 

10.2  PSIA  CABIN  DEPRESSURIZATION  CONSTRAINTS 
CABIN  REPRESSURIZATION  PRIOR  TO  DEORBIT 

10.2  PSIA  CABIN  PRESSURE  MANAGEMENT  FOR  MULTIPLE  EVA'S 

14.7  PSIA  CABIN  REPRESSURIZATION  LIMITATION 

10.2  PSIA  CABIN  TEMPERATURE  CONSTRAINT 

PAYLOAD  10.2  PSIA  CABIN  OPERATIONS 

ATCS  (10.2  PSIA  CABIN)  CONFIGURATION 

CABIN  PRESSURE  TIME  AT  10.2  PSIA 

A17-310  THROUGH  A17-350  RULES  ARE  RESERVED 

WASTE  COLLECTION  SYSTEM  (WCS) /VACUUM  VENT  LOSS  DEFINITIONS 

WCS  SEPARATOR 

WCS  URINE  COLLECTION 

WCS  COMMODE 

VACUUM  VENT  LOSS  DEFINITION 

A17-355  THROUGH  A17-400  RULES  ARE  RESERVED 

WCS /VACUUM  VENT  MANAGEMENT 

WCS  USAGE  CONSTRAINT 

LEAKING  WCS  WATER  LINES 

ALTERNATE  FECAL  COLLECTION 

ALTERNATE  URINE  COLLECTION 

VACUUM  VENT  SYSTEMS  MANAGEMENT  [CIL] 

A17-406  THROUGH  A17-450  RULES  ARE  RESERVED 

WASTE  WATER  LOSS  DEFINITIONS 

WASTE  WATER  TANK 

WASTE  WATER  DUMP  CAPABILITY 

A17-453  THROUGH  Al-500  RULES  ARE  RESERVED 


KEY-17 


VOLUME  A  KEY 


NEW  RULE  #  OLD  RULE  # 


RULE  TITLE 


A17-501 

A1 7 . 1 .11-1 

A17-502 

A1 7 . 1 .11-2 

A17-503 

A17 . 1 .11-3 

A17-504 

A17 . 1 .11-4 

A17-505 

A17 . 1 .11-5 

A17-506 

A17 . 1 .11-6 

A17-507 

A17 . 1 .11-7 

A17-551 

A17 . 1 . 12-1 

A17-601 

A17-602 

A17-603 

A17.6.1-1 

A17.6.1-2 

A17.6.1-3 

A17-651 

A17-652 

A17. 6.2-1 
A17. 6.2-2 

A17-701 

A17-702 

A17-703 

A17-704 

A17-705 

A17-706 

A17. 6.3-1 
A17. 6.3-2 
A17. 6.3-3 
A17. 6.3-4 
A17. 6.3-5 
A17. 6.3-6 

A17-751 

A17.6.4-1 

A17-752 

A17.6.4-2 

A17-753 

A17.6.4-3 

A17-754 

A17.6.4-4 

A17-755 

A17.6.4-5 

A17-756 

A17.6.4-6 

A17-757 

A17.6.4-7 

A17-758 

A17.6.4-8 

A17-1001 

A17 . 1 . 13- 

WASTE  WATER  MANAGEMENT 

ALTERNATE  PRESSURE  VALVE  MANAGEMENT 
WASTE  DUMP  NOZZLE  ICE  FORMATION 
WASTE  WATER  STORAGE 

MINIMUM  WASTE  TANK  QUANTITY  AFTER  DUMPING 
WASTE  WATER  DUMP  NOZZLE  TEMPERATURE  CONSTRAINTS 
WASTE  WATER  SYSTEM  LEAK  MANAGEMENT 
OMS  &  PROS  BURNS  WITH  FREE  H20  IN  THE  CABIN 
A17-508  THROUGH  A17-550  RULES  ARE  RESERVED 

GALLEY  MANAGEMENT  LIFE  SUPPORT 

IODINE  REMOVAL  IMPLEMENTATION 

A17-552  THROUGH  A17-600  RULES  ARE  RESERVED 

SPACEHAB  FIRE/ SMOKE 

SPACEHAB  FIRE/SMOKE  DETECTION  LOSS 
SPACEHAB  FIRE /SMOKE  CONFIRMATION 
SPACEHAB  FIRE /SMOKE  MANAGEMENT 
A17-604  THROUGH  A17-650  RULES  ARE  RESERVED 

SPACEHAB  ECS  MANAGEMENT 

SPACEHAB  ENVIRONMENTAL  CONTROL  AND  LIFE  SUPPORT  (ECLS)  REQUIREMENTS 

SPACEHAB  SUBSYSTEM  FANS/AIR  LOOP 

A17-653  THROUGH  A17-700  RULES  ARE  RESERVED 

MODULE  ATMOSPHERE  MANAGEMENT 

MODULE  ATMOSPHERIC  CONTROL 

PARTIAL  PRESSURE  OF  OXYGEN  (PP02)  SENSORS 
PARTIAL  PRESSURE  OF  CARBON  DIOXIDE  (PPC02 )  SENSORS 
CABIN/HFA  FAN 

ATMOSPHERE  REVITALIZATION  SYSTEM  (ARS)  FAN 
SPACEHAB  FAN  CONFIGURATIONS 

A17-707  THROUGH  A17-750  RULES  ARE  RESERVED 

ATMOSPHERE  INTEGRITY 

MODULE  PRESSURE  INTEGRITY 

NEGATIVE  PRESSURE  RELIEF  VALVE  COVERS 

CABIN  DEPRESS  VALVE  (CDV) 

EXPERIMENT  VENT  VALVE 
PPRV  MANAGEMENT 

SM/LDM  ASCENT/DESCENT  INLET  STUB 
RDM  MIXING  BOX  CAP 
RDM  LIOH  CANISTER 

A17-759  THROUGH  A17-800  RULES  ARE  RESERVED 

LIFE  SUPPORT  GO/NO-GO  CRITERIA 

LIFE  SUPPORT  GO/NO-GO  CRITERIA 


SECTION  A18  —  THERMAL 


SUPPLY  WATER  LOSS  DEFINITIONS 


A18-1 

A18 . 1 . 1-1 

SUPPLY 

WATER 

TANK 

A18-2 

A18 . 1 . 1-2 

SUPPLY 

WATER 

DUMPLINE 

A18-3 

A18 . 1 . 1-3 

SUPPLY 

WATER 

DUMP  CAPABILITY 

A18-4  THROUGH  A18-50  RULES  ARE  RESERVED 

SUPPLY  WATER  MANAGEMENT  -  THERMAL 


A18-51 

A18. 1.2-1 

A18-52 

A18. 1.2-2 

A18-53 

A18. 1.2-3 

A18-54 

A18. 1.2-4 

A18-55 

A18. 1.2-5 

A18-56 

A18. 1.2-6 

A18-57 

A18. 1.2-7 

A18-58 

A18. 1.2-8 

A18-59 

A18. 1.2-9 

A18-60 

A18. 1.2-10 

A18-61 

A18. 1.2-11 

A18-62 

A18. 1.2-12 

SUPPLY  H20  TANK  A  MANAGEMENT 
SUPPLY/WASTE  WATER  CROSSCONNECT 
SUPPLY  WATER  TANK  A  OUTLET  VALVE  MANAGEMENT 
SUPPLY  WATER  TANK  A  PRESSURE  CONTROL  MANAGEMENT 
SUPPLY  WATER  DUMP 

SUPPLY  WATER  DUMP  NOZZLE  TEMPERATURE  CONSTRAINT 
ON-ORBIT  SUPPLY  WATER  TANK  MANAGEMENT 
SUPPLY  WATER  SYSTEM  LEAK  MANAGEMENT 
SUPPLY  WATER  REDLINE 
EXTERNAL  AIRLOCK  WATER  LINES 

EXTERNAL  AIRLOCK  LCG  FLUID  LINE  LOSS  DEFINITION 

EXTERNAL  AIRLOCK  WATER  LINE  OVERPRESSURE/TEMPERATURE  MANAGEMENT 
A18-63  THROUGH  A18-100  RULES  ARE  RESERVED 


KEY-18 


VOLUME  A  KEY 


NEW  RULE  #  OLD  RULE  # 


RULE  TITLE 


A18-101 


A1 8 . 1 . 3-1 


A :  8  "51 

A18 . 1 . 4-1 

A18-201 

A18 . 1 . 5-1 

A18-202 

A18 . 1 . 5-2 

A18-203 

A18 . 1 . 5-3 

A18-204 

A18 . 1 . 5-4 

A18-205 

A18 . 1 . 5-5 

A18-206 

A18 . 1 . 5-6 

A18-207 

A18 . 1 . 5-7 

A18-208 

A18 . 1 . 5-8 

A18-251 

A18 . 1 . 6-1 

A18-252 

A18 . 1 . 6-2 

A18-253 

A18 . 1 . 6-3 

A18-254 

A18 . 1 . 6-4 

A18-255 

A18 . 1 . 6-5 

A18-256 

A18 . 1 . 6-6 

A18-257 

A18 . 1 . 6-7 

A18-301 

A18 . 1 . 7-1 

A18-302 

A18 . 1 . 7-2 

A18-303 

A18 . 1 . 7-3 

A18-304 

A18 . 1 . 7-4 

A18-305 

A18 . 1 . 7-5 

A18-306 

A18 . 1 . 7-6 

A18-351 

A18 . 1 . 8-1 

A18-401 

A18 . 1 . 9-1 

A18-451 

A18 . 1 . 10- 

A18-501 

A18 . 1 . 11- 

A18-551 

A18.6.1-1 

A18-552 

A18.6.1-2 

A18-553 

A18.6.1-3 

A18-554 

A18.6.1-4 

A18-555 

A18.6.1-5 

A18-556 

A18.6.1-6 

A18-557 

A18.6.1-7 

A18-601 

A18. 6.2-1 

A18-602 

A18. 6.2-2 

A18-603 

A18. 6.2-3 

A18-604 

A18. 6.2-4 

A18-605 

A18. 6.2-5 

A18-606 

A18.6.5-6 

ARS  H20  LOOP  LOSS  DEFINITIONS 

ARS  WATER  LOOP 

A18-102  THROUGH  A18-150  RULES  ARE  RESERVED 


ARS  H20  LOOP  LOSS  MANAGEMENT 

ARS  WATER  LOOP 

A18-152  THROUGH  A18-200  RULES  ARE  RESERVED 

ACTIVE  THERMAL  CONTROL  SYSTEM  (ATCS)  LOSS  DEFINITIONS 

FREON  COOLANT  LOOPS  (FCL) 

TOPPING  EVAPORATOR 

HIGH-LOAD  EVAPORATOR 

FES  PRIMARY  A  (B)  CONTROLLER 

FES  SECONDARY  CONTROLLER 

FES  H20  FEEDLINE 

AMMONIA  BOILER  SUBSYSTEM  (ABS) 

RADIATOR  FLOW  CONTROL  ASSEMBLY  (RFCA) 

A18-209  THROUGH  A18-250  RULES  ARE  RESERVED 

ATCS  MANAGEMENT 

FREON  COOLANT  LOOPS  (FCL) 

FLASH  EVAPORATOR  SYSTEM  (FES) 

AMMONIA  BOILER  SUBSYSTEM  (ABS) 

ABS  AMMONIA  REDLINE 

RADIATOR  FLOW  CONTROL  ASSEMBLY  (RFCA) 

RADIATOR  ISOLATION  VALVE  MANAGEMENT 
POSTLANDING  NH3  TERMINATION 

A18-258  THROUGH  A18-300  RULES  ARE  RESERVED 

EECOM  HEATER  MANAGEMENT 

TCS  HEATER  CONFIGURATION 

TCS  HEATER  REDUNDANCY 

REDUNDANT  TCS  HEATER  VERIFICATION 

TCS  HEATER  OPERATIONS  FOR  LOSS  OF  INSTRUMENTATION 
LOSS  OF  HEATER  SM  CAPABILITY 
EXTERNAL  AIRLOCK  HEATER  LOSS  MANAGEMENT 
A18-307  THROUGH  A18-350  RULES  ARE  RESERVED 

EECOM  SOFTWARE  REQUIREMENT 

EECOM  SOFTWARE  REQUIREMENT 

A18-352  THROUGH  A18-400  RULES  ARE  RESERVED 

TPS  BONDLINE  TEMPERATURES  MANAGEMENT 

THERMAL  PROTECTION  SYSTEM  (TPS)  BONDLINE  TEMPERATURES 
A18-402  THROUGH  A18-450  RULES  ARE  RESERVED 

ATTITUDE  MANAGEMENT  FOR  THERMAL  CONTROL 

ORBITER  THERMAL  CONSTRAINTS  AND  ATTITUDE  MANAGEMENT  [CIL] 

A18-452  THROUGH  A18-500  RULES  ARE  RESERVED 

COOLING  EQUIPMENT  CONSTRAINTS 

MAXIMUM  OFF  TIME  FOR  COOLING  EQUIPMENT 
A18-502  THROUGH  A18-550  RULES  ARE  RESERVED 

WATER  LOOP 

SPACEHAB  SUBSYSTEM  WATER  LOOP 

SPACEHAB  SUBSYSTEM  WATER  LOOP  MANAGEMENT 

SPACEHAB  SUBSYSTEM  PUMP  OPERATIONS 

WATER  LINE  HEATERS 

WATER  LINE  HEATER  MANAGEMENT 

RDM  CENTRALIZED  EXPERIMENT  WATER  LOOP  (CEWL) 

RDM  CEWL  PUMP  OPERATIONS 

A18-558  THROUGH  A18-600  RULES  ARE  RESERVED 

SPACEHAB  ENVIRONMENTAL  CONTROL  SYSTEM  (ECS)  MANAGEMENT 

ORBITER/ SPACEHAB/EXPERIMENT  THERMAL  PRIORITIES 
ORBITER  FREON  FLOW  PROPORTIONING  VALVE  (FPV)  USAGE 
SM/LDM  WATER  FLOW  CONTROL  ELECTRONICS  UNIT  (WFCEU) 

RDM  ENVIRONMENTAL  CONTROL  UNIT  (ECU)  OPERATIONS 
RDM  ROTARY  SEPARATOR  (RS)  OPERATIONS 

RDM  CONDENSATE  STORAGE  TANK  (CST) /CONTINGENCY  WATER  CONTAINER  (CWC) 


KEY-19 


VOLUME  A  KEY 


NEW  RULE  #  OLD  RULE  #  RULE  TITLE 

MANAGEMENT 

A18-607  THROUGH  A18-650  RULES  ARE  RESERVED 

THERMAL  GO/NO-GO  CRITERIA 

A18-1001  A18. 1.12-1  THERMAL  GO/NO-GO  CRITERIA 


KEY-20 


VOLUME  A  KEY 


THIS  PAGE  INTENTIONALLY  BLANK 
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NASA  -  JOHNSON  SPACE  CENTER 


FLIGHT  RULES 


SECTION  2  -  FLIGHT  OPERATIONS 

PRE LAUNCH 

A2-1  PRELAUNCH  GO/NO-GO  REQUIREMENTS . 2-1 

A2-2  ABORT  LANDING  SITE  REQUIREMENTS . 2-7 

A2-3  LAUNCH  HOLD . 2-11 

A2-4  LAUNCH  DAY  CREW  TIME  CONSTRAINTS . 2-11 

A2-5  PORT  MODING/RESTRINGING  GUIDELINES . 2-12 

A2-6  LANDING  SITE  WEATHER  CRITERIA  [HC] . 2-14 

TABLE  A2-6-I  -  CEILING  AND  VISIBILITY  LIMITS . 2-15 

TABLE  A2-6-II  -  SURFACE  WINDS  AND  TURBULENCE  LIMITS....  2-19 

TABLE  A2-6-III  -  THUNDERSTORM,  LIGHTNING,  AND 
PRECIPITATION  .  2-24 

FIGURE  A2-6-I  -  VERTICAL  CLOUD  TOP  CLEARANCE  LIMITS 
PROTECT  STRAIGHT  IN  APPROACHES . 2-33 

FIGURE  A2-6-II  -  ONLY  STRAIGHT  IN  HACS  AVAILABLE . 2-34 

FIGURE  A2-6-III  -  ONLY  OVERHEAD  HACS  AVAILABLE . 2-35 

FIGURE  A2-6-IV  -  ONLY  KSC33  AVAILABLE . 2-36 

FIGURE  A2-6-V  -  ONLY  KSC15  AVAILABLE . 2-37 

A2-7  DAY-OF-LAUNCH  ET  LOAD  DATA . 2-38 

A2-8  LAUNCH  TIME  SELECTION  FOR  GROUND-UP 

RENDEZVOUS . 2-4  0 

A2-9  LOSS  OF  ET  LOX  LIQUID  LEVEL  CONTROL  SENSORS  .  2-4 8a 

A2-10  THROUGH  A2-50  RULES  ARE  RESERVED . 2-48c 


VOLUME  A  11/21/02  FINAL,  PCN-1  FLIGHT  OPERATIONS  2-i 

Verify  that  this  is  the  correct  version  before  use. 


NASA  -  JOHNSON  SPACE  CENTER 


FLIGHT  RULES 


ASCENT 

A2-51  STS  ABORT  CRITERIA . 2-49 

A2-52  ASCENT  MODE  PRIORITIES  FOR  PERFORMANCE  CASES.  2-50 

FIGURE  A2-52-I  -  SHUTTLE  LANDING  FOOTPRINT . 2-56 

A2-53  FORWARD  RCS  USAGE  GUIDELINES . 2-60 

A2-54  RTLS ,  TAL,  AND  AOA  ABORTS  FOR  SYSTEMS 

FAILURES  [CIL] . 2-61 

A2-55  USE  OF  LOW  ENERGY  GUIDANCE . 2-69 

A2-56  ABORT  GAP . 2-72 

A2-57  CONTINGENCY  ASCENTS/ABORTS . 2-73 

A2-58  ABORT  LIGHT . 2-75 

A2-59  BFS  ENGAGE  CRITERIA . 2-77 

A2-60  NAVIGATION  UPDATE  CRITERIA . 2-78 

A2-61  Q-BAR/G-CONTROL . 2-79 

A2-62  ET  FOOTPRINT  CRITERIA . 2-80 

A2-63  ASCENT  STRING  REASSIGNMENT . 2-83 

A2-64  MANUAL  THROTTLE  CRITERIA . 2-87 

A2-65  OMS-1  DELAYED  TARGET  CRITERIA . 2-88 

A2-66  APU  SHUTDOWN  DELAY  CRITERIA . 2-89 

A2-67  ARD  UPDATE  CRITERIA . 2-89 

A2-68  ET  PHOTOGRAPHY . 2-90 

A2-69  REGAIN  RCS  JETS  FOR  RTLS  ET  SEPARATION . 2-92 

A2-70  DELAYED  TRANSATLANTIC  LANDING  (TAL)  ABORT  .  .  .  2-92a 

A2-71  THROUGH  A2-100  RULES  ARE  RESERVED . 2-92b 
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ORBIT 

A2-101  VEHICLE  SYSTEMS  REDUNDANCY  DEFINITIONS . 2-93 

A2-102  MISSION  DURATION  REQUIREMENTS . 2-94 

A2-103  EXTENSION  DAY  REQUIREMENTS  .  2-99 

A2-104  SYSTEMS  REDUNDANCY  REQUIREMENTS . 2-103 

A2-105  IN-FLIGHT  MAINTENANCE  ( IFM)  .  2-108 

A2-106  PBD  OPERATIONS  [CIL]  . 2-118 

A2-107  EVA  GUIDELINES . 2-119 

A2-108  CONSUMABLES  MANAGEMENT . 2-122 

A2-109  PREFERRED  ATTITUDE  FOR  WATER  DUMPS . 2-128 

FIGURE  A2-109-I  -  PREFERRED  ATTITUDE  FOR  WATER  DUMPS..  2-128 

A2-110  STRUCTURES  THERMAL  CONDITIONING . 2-131 

A2-111  DPS  COMMAND  CRITERIA . 2-138 

A2-112  PDRS . 2-140 

A2-113  OMS/RCS  DOWNMODING  CRITERIA . 2-142 

A2-114  OMS/RCS  MANEUVER  CRITICALITY . 2-143 

A2-115  ENGINE  SELECTION  CRITERIA . 2-145 

A2-116  RENDEZVOUS  (RNDZ ) /PROXIMITY  OPERATIONS  (PROX 

OPS)  DEFINITIONS . 2-146 

A2-117  RNDZ/PROX  OPS  GNC  SYSTEMS  MANAGEMENT . 2-147 

A2-118  RNDZ/PROX  OPS  COMMUNICATION  SYSTEMS 

MANAGEMENT . 2-153 

A2-119  RNDZ/PROX  OPS  SENSOR  REQUIREMENTS . 2-154 

A2-120  RNDZ/PROX  OPS  DPS  SYSTEMS  MANAGEMENT . 2-157 

A2-121  RNDZ/PROX  OPS  PROPULSION  SYSTEMS  MANAGEMENT.  2-159 

A2-122  RENDEZVOUS  MANEUVERS . 2-169 

A2-123  RENDEZVOUS  MANEUVER  SOLUTION  SELECTION 

CRITERIA . 2-170 
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A2-124  RENDEZVOUS  MANEUVER  EXECUTION . 2-172 

A2-125  RNDZ  OPS  DELAY . 2-175 

A2-126  RNDZ/PROX  OPS  BREAKOUT . 2-176 

A2-127  RENDEZVOUS  GUIDANCE . 2-186 

A2-128  EMCC/TMCC  ACTIVATION . 2-190 

A2-129  ORBITER  ON-ORBIT  HIGH  DATA  RATE  REQUIREMENTS  2-1 91 

A2-130  PAYLOAD  OBJECTIVES  VS.  PAYLOAD  DAMAGE  POLICY  2-193 

A2-131  ATTITUDE  RESTRICTIONS  FOR  ORBITAL  DEBRIS  ....  2-1 94 

A2-132  THERMAL  CONDITIONING  FOR  FLIGHT  DAY  1  LANDINS-196 

A2-133  POCC  THROUGHPUT  COMMAND  RATES . 2-198 

A2-134  ON-ORBIT  CRYO  MARGIN  BUYBACKS . 2-199 

A2-135  COMMANDER  ( CDR)  AND  PILOT  (PLT )  PARTICIPATING 

AS  TEST  SUBJECTS . 2-206 

A2-136  THROUGH  A2-200  RULES  ARE  RESERVED . 2-206 

DEORBIT 

A2-201  DEORBIT  GUIDELINES . 2-207 

A2-202  EXTENSION  DAY  GUIDELINES . 2-209 

A2-203  DEORBIT  DELAY  GUIDELINES . 2-211 

A2-204  MDF  DEORBIT  GUIDELINES . 2-213 

A2-205  EMERGENCY  DEORBIT . 2-214 

A2-206  DEROTATION  SPEED . 2-223 

A2-207  LANDING  SITE  SELECTION . 2-224 

A2-208  ACES  PRESSURE  INTEGRITY  CHECK . 2-231 

A2-209  LANDING  SITE  SELECTION  FOR  AN  INFLIGHT 

EMERGENCY . 2-232 

A2-210  THROUGH  A2-250  RULES  ARE  RESERVED . 2-233 
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ENTRY 

A2-251  BAILOUT  .  2-234 

A2-252  GCA  CRITERIA . 2-237 

A2-253  ENERGY  MANAGEMENT . 2-238 

A2-254  ENTRY  STRING  REASSIGNMENT . 2-239 

A2-255  CREW  TAKEOVER . 2-243 

A2-256  EARLY  POWERDOWN . 2-244 

A2-257  DEORBIT  BURN  TERMINATION . 2-244 

A2-258  BFS  ENGAGE . 2-244 

A2-259  CHASE  AIRCRAFT  OPERATIONS  .  2-245 

A2-260  ENTRY  LOAD  MINIMIZATION . 2-246 

A2-261  ENTRY  DTO/AUTO  MODE/CROSSWIND  DTO  GO/NO-GO..  2-247 

A2-262  LANDING  DTO'  S . 2-261 

A2-263  STA/WEATHER  AIRCRAFT  RUNWAY  APPROACH 

OPERATIONS  FOR  SITES  WITH  ONLY  ONE  RUNWAY...  2-262 

A2-264  EMERGENCY  LANDING  FACILITY  CRITERIA . 2-263 

A2-265  SINGLE  STRING  GPS  OPERATIONS . 2-266 

A2-266  SUBSONIC  PILOT  FLIGHT  CONTROL . 2-267 

A2-267  THROUGH  A2-300  RULES  ARE  RESERVED . 2-269 

CONTINGENCY  ACTION  SUMMARY 

A2-301  CONTINGENCY  ACTION  SUMMARY . 2-271 

A2-302  THROUGH  A2-310  RULES  ARE  RESERVED . 2-282 


SPACEHAB  OPERATIONS  MANAGEMENT 

A2-311  SPACEHAB  SAFETY  DEFINITION  AND  MANAGEMENT...  2-283 


A2-312  REAL-TIME  SAFETY  COORDINATION . 2-285 

A2-313  GROUND  COMMANDING . 2-286 

A2-314  SPACEHAB  MINIMUM  DURATION  FLIGHT  CRITERIA...  2-288 

A2-315  POWERING  OFF  AND  REPOWERING  SPACEHAB 

EQUIPMENT . 2-288 

A2-316  ORBITER-TO-SPACEHAB  HATCH  CONFIGURATION . 2-289 
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A2-317  EVA  CONSTRAINTS . 2-290 
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A2-2  ABORT  LANDING  SITE  REQUIREMENTS  (CONTINUED) 

Continuous  single  engine  out  intact  abort  capability  to  a  landing  site  meeting  all  requirements  must  be 
achieved  to  commit  to  launch  (ref.  Rule  {A4-1D},  PERFORMANCE  ANALYSES).  Since  the  only  two 
engine  intact  abort  mode  available  for  the  first  2  to  3  minutes  of  any  flight  is  the  RTLS  site,  GO 
conditions  are  mandatory  at  the  RTLS  landing  site. 

TAL  is  required  unless  RTLS/two  engine  press  overlaps.  Even  in  those  cases,  TAL  is  the  preferred  abort 
mode  for  an  engine  out  during  the  RTLS/TAL  overlap  period.  Launching  without  TAL  capability  should 
never  be  a  design  goal  but  a  real-time  fallback  if  weather  or  equipmen  t  outages  at  the  TAL  sites  are  the 
only  constraints  to  launch. 

The  ATO  single  SSME  out  press  boundary  represen  ts  the  earliest  time  at  which  an  engine  failure  will 
result  in  the  achievement  of  cm  acceptable  MECO  underspeed  based  on  one  of  four  cases:  AO  A  steep 
capability;  ATO/minimum  Hp  with  shallow  deorbit  on  flight  day  1  capability;  ATO/minimum  Hp  with 
shallow  deorbit  on  flight  day  2  capability,  including  OPS  2  use  of  Fwd  RCS  (ref.  Rule  {A2-53}, 
FORWARD  RCS  USAGE  GUIDELINES);  or  ET  impact  in  an  acceptable  area  (ref.  Rule  { A4-55B j, 
DESIGN  AND  CRITICAL  MECO  UNDERSPEED  DEFINITIONS).  If  the  design  press  boundary  is 
based  on  AO  A  steep  but  no  AO  A  site  is  available,  then  intact  capability  can  still  be  provided  as  long  as 
no  gap  exists  between  last  RTLS  or  TAL  and  the  press  boundary  based  on  ATO/minimum  Hp  for  flight 
day  1/shallow  deorbit.  If  no  first  day  PLS  site  is  available,  then  continuous  single  SSME  out  intact  abort 
capability  can  still  be  provided  as  long  as  no  gap  exists  between  last  RTLS  or  TAL  and  the  press 
boundary  based  on  AOA  steep  (press  capabilities  based  on  AOA  steep  and  ATO/rnin  Hp/flight  day  1 
shallow  come  only  a  few  seconds  apart).  If  neither  cm  AOA  or  first  day  PLS  site  are  available,  then 
launch  commit  may  be  allowed  if  there  is  no  gap  between  last  RTLS  or  TAL  and  a  press  boundary  based 
on  ATO  OMS-l/minimum  Hp  OMS-2/shallow  deorbit  on  flight  day  2.  This  boundary  assumes  the  use  of 
the  Fwd  RCS  in  OPS  2.  Analysis  has  shown  that  there  is  no  delay  in  this  press  boundary  with  respect  to 
the  flight  day  1  press  boundary  when  the  Fwd  RCS  is  allowed.  ®[01 2402-51 12B] 

Even  if  a  first  day  PLS  site  is  not  technically  available  at  launch  time,  equipmen  t  outages  may  be 
resolved  or  weather  may  improve  by  deorbit  decision  time. 

THIS  RULE  CONTINUED  ON  NEXT  PAGE 
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A2-2  ABORT  LANDING  SITE  REQUIREMENTS  (CONTINUED) 

If  a  first  day  PLS  landing  site  is  not  available,  and  systems  failures  requiring  early  flight  termination 
occur,  landing  will  be  supported  by  RTLS,  TAL,  and  AFO  sites.  This  means  that  deorbit/landing  might 
be  made  under  AC LS/ELS  type  conditions:  less  than  normally  acceptable  weather;  lack  of  navciids;  etc. 
Systems  failures  requiring  first  day  PLS  are  typically  multiple  failures  or  structural  failures.  In  some 
cases,  immediate  deorbit  is  required.  Should  these  type  failures  occur  during  the  on-orbit  timeframe,  it 
has  always  been  acceptable  to  land  under  ACLS/ELS  conditions.  In  other  cases,  loss  of  redundancy  in 
entry  critical  equipment  is  cause  for  a  first  day  PLS.  When  a  first  day  PLS  site  is  not  available,  for  loss 
of  redundancy  that  normally  calls  for  first  day  PLS,  the  risk  of  staying  on  orbit  until  the  next  day  for 
improved  landing  conditions  outweighs  the  risk  of  loss  of  critical  equipment  during  the  on-orbit  wait  for 
24  hours. 

If  cm  abort  landing  site  is  required,  the  sites  must  fully  meet  the  requirements  listed  in  the  flight  rules 
(ref.  Rules  {A2-1G}  and  {A2-1F},  PRELAUNCH  GO/NO-GO  REQUIREMENTS,  and  {A4-107A}, 
PLS/EOM  LANDING  OPPORTUNITY  REQUIREMENTS)  for:  landing  site  weather  conditions  including 
visibility,  clouds,  winds,  turbulence,  precipitation,  runway/lakebed  surface  conditions,  and  resources 
necessary  to  measure  low-level  winds  and  atmospheric  data  ( not  PLS);  crossrange,  rollout  margin,  brake 
energy,  navigation  aids,  and  lighting  (not  PLS);  touchdown  margin  (not  PLS);  and  tracking  (not  AO  A  or 
PLS),  telemetry,  command,  and  car-ground  voice  (for  PLS  equipment  outage  ETRO  must  be  before 
deorbit  decision  time).  @[072795-1772  ] 

Rules  (A1-106J,  LANDING  SITES;  (A2-1J,  PRELAUNCH  GO/NO-GO  REQUIREMENTS;  {A3-1}, 
GROUND  AND  NETWORK  DEFINITIONS;  {A3-102J,  INTEGRATED  NETWORK  FAILURE 
DECISION  MATRIX;  {A3-201J,  TACAN  REDUNDANCY  REQUIREMENTS  AND  ALTERNATE  TACAN 
SELECTION  PHILOSOPHY;  {A4-2},  LANDING  SITE  CONDITIONS;  and  { A4-55 },  DESIGN  AND 
CRITICAL  MECO  UNDERSPEED  DEFINITIONS,  reference  this  rule.  ®[ED  ] 
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A2-3  LAUNCH  HOLD 

NO  MCC  COUNTDOWN  HOLD  WILL  BE  CALLED  AFTER  T-31  SECONDS. 

After  T-31  seconds,  launch  holds  will  not  be  called  by  the  MCC.  T-31  seconds  is  the  latest  time  that  an 
MCC  voice  call  for  a  launch  hold  can  realistically  be  acted  on  in  real  time.  Calling  such  a  hold  for 
MCC-related/non-ground  launch  sequencer  (GLS)  recognized  problems  does  not  merit  the  risk  of  such  a 
launch  hold.  Backup  onboard  crew  procedures  can  accomplish  most  abort  functions  should  the  MCC 
have  a  problem  in  the  last  few  seconds  before  launch.  @[061396  4005  ] 


A2-4  LAUNCH  DAY  CREW  TIME  CONSTRAINTS 

A.  THE  MAXIMUM  TIME  THE  CREW  WILL  REMAIN  IN  THE  VEHICLE  IS  5 
HOURS  15  MINUTES  (EXCLUDING  SAFING  AND  EGRESS  TIME)  (REF.  LCC 
3.2B),  WHICH  ALLOWS  2.5  HOURS  OF  HOLD  TIME  AFTER  THE  EARLIEST 
PLANNED  LAUNCH  TIME. 

It  is  impractical  to  keep  the  crew  in  the  launch-seat  posture  for  an  extended  period  of  time.  The  crew 
enters  the  vehicle  about  2  hours  45  minutes  before  launch;  thus,  a  2.5-hour  launch  window  is  preserved. 

B.  THE  SCHEDULED  CREW  AWAKE  TIME  ON  LAUNCH  DAY  WILL  NOT  NORMALLY 
EXCEED  16  HOURS.  PRELAUNCH  HOLD  TIME  AND  POSTLAUNCH 
ORBITER/PAYLOAD  CONTINGENCIES  REQUIRING  THE  USE  OF  BACKUP 
TIMELINES  WILL  BE  ACCOMMODATED  AS  LONG  AS  THEY  DO  NOT  EXTEND 
THE  CREW  DAY  BEYOND  18  HOURS. 

Abnormally  long  days  will  result  in  crew  fatigue  and  increase  the  potential  for  procedural  errors  that 
could  affect  safety  or  compromise  mission  success.  Without  a  waiver,  crew  awake  time  on  launch  day 
will  not  be  premission  scheduled  for  greater  than  16  hours.  Since  the  crew  is  awake  about  4  hours  55 
minutes  before  launch,  this  allows  for  up  to  11  hours  5  minutes  of  on-orbit  activities  before  the  start  of 
the  sleep  period.  If  there  is  a  launch  hold  or  orbiter/payload  contingencies  require  the  use  of  backup 
timelines  for  deploy  opportunities  or  off-nominal  operations,  these  adjustments  will  be  accommodated  as 
long  as  the  maximum  crew  day  of  18  hours  is  not  exceeded. 
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A2-5  PORT  MODING/RESTRINGING  GUIDELINES 

A.  PORT  MODING  OR  RESTRINGING  MAY  BE  USED  PER  RULES  {A2-254C}, 
ENTRY  STRING  REASSIGNMENT;  {A2-63B}.2,  ASCENT  STRING 
REASSIGNMENT;  {A7-5},  PASS  GPC  BCE  FAILURE  MANAGEMENT;  AND 
{ A7-105 } ,  MDM  PORT  MODING,  TO  REGAIN  LOST  CAPABILITIES  DUE  TO 
GPC  FLIGHT-CRITICAL  BCE  FAILURES.  THE  RECOVERY  TECHNIQUE 
USED  WILL  DEPEND  UPON  THE  SPECIFIC  FLIGHT  PHASE  AND  FAILURE 
SCENARIO  PRESENT  IN  THE  ORBITER.  IN  GENERAL,  PORT  MODING 
WILL  BE  ATTEMPTED  DURING  DYNAMIC  PHASES  OVER  RESTRINGING 
EXCEPT  AS  NOTED  IN  THE  REFERENCED  RULES.  ®[ED  ] 

For  flight-critical  BCE  failures,  recovery  of  lost  capability  may  be  attempted  via  port  moding  or 
restringing.  Port  moding  will  recover  the  bypassed  FC  MDM,  but  will  result  in  the  loss  of  the  other  FC 
MDM  on  the  affected  string.  Restringing  will  result  in  the  entire  recovery  of  string  capability,  but  GPC 
redundancy  may  be  given  up. 


Port  moding  is  preferred  over  restringing  because  of  the  ease  of  implementation  (crew  SPEC  entry),  port 
mode  reconfiguration  is  considered  to  be  less  hazardous  to  the  PASS  redundant  set  than  restring 
reconfiguration,  and  the  desire  to  maintain  GPC  redundancy. 


In  general,  restringing  will  only  be  attempted  when  the  appropriate  restring  criteria  is  satisfied. 
Otherwise,  port  moding  may  be  done  to  recover  lost  capability. 

B.  A  RESTRING  WILL  BE  PERFORMED  TO  MAINTAIN  CRITICAL  CAPABILITY 
FOR  THE  FOLLOWING  POWERDOWNS : 

1.  LOSS  OF  AV  BAY  COOLING  (TO  RECOVER  TWO  STRINGS) 

2.  LOSS  OF  CABIN  PRESSURE 

3.  LOSS  OF  FLASH  EVAPORATOR  SYSTEM 

4.  LOSS  OF  TWO  FREON  LOOPS 

5.  LOSS  OF  TWO  FUEL  CELLS 

6.  LOSS  OF  TWO  H20  LOOPS 

THIS  RULE  CONTINUED  ON  NEXT  PAGE 
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A2-6  LANDING  SITE  WEATHER  CRITERIA  [HC]  (CONTINUED) 

NO  MLS 

Without  MLS,  visual  cues  provide  the  only  means  to  correct  navigation  dispersions  remaining  from 
TACAN/ADTA  processing.  Flight  history  has  shown  that  the  one-sigma  position  errors  in  the  onboard 
state  when  using  HAINS  IMU’s  (no  piloting  dispersions  included)  just  before  processing  MLS  (at 
approximately  17Kfeet)  are  188  ft  u,  232  ft  v,  225 ft  w,  and  374 ft  RSS’d.  The  one-sigma  position  errors 
after  one  cycle  of  MLS  processing  are  38  ft  u,  37  ft  v,  64  ft  w,  and  83  ft  RSS’d.  Reference:  The  Summary 
of  Navigation  Errors  through  STS-88  (STF  NAV-99-48500-008,  February  4,  1999).  Therefore,  the  crew 
can  rely  on  guidance  commands  to  a  lower  altitude  when  using  MLS  before  beginning  transition  to 
visual  cues.  ©[070899-6872A] 

REDUNDANT  AND  SINGLE  STRING  MLS 

The  runway  and  orbiter  must  have  redundant  MLS  for  a  night  landing  except  for  a  lakebed  runway. 
Single  string  MLS  is  acceptable  because  navigation  dispersions  are  more  tolerable  on  the  larger  area 
provided  by  the  lakebed  environment.  If  the  single-string  MLS  fails,  visual  cues  provide  the  only  means 
to  correct  navigation  dispersions.  Flight  Design  and  Dynamics  personnel  in  cooperation  with  the 
Astronaut  Office  conducted  an  analysis  to  determine  the  night  ceiling  limit  of  15K  feet  on  the  lakebed. 
The  Shuttle  Mission  Simulator  (SMS)  and  Shuttle  Training  Aircraft  (ST A)  flew  several  sessions  of  night 
landings  with  dispersed  initial  conditions  and  good  navigation.  The  experience  gained  from  these 
analyses  indicated  that  a  ceiling  level  of  15K  feet  would  be  acceptable.  This  ceiling  level  will  provide 
sufficient  time  for  the  crew  to  visually  acquire  the  landing  area,  assess  the  need  to  correct  dispersions, 
and  take  the  necessary  actions.  If  MLS  were  available,  this  is  the  approximate  altitude  when  processing 
would  begin.  ®[i  1 1 094-1 622B] 

INOPERATIVE  MLS  COMPONENTS 

For  purposes  of  this  rule,  failure  of  any  of  the  three  MLS  ground  station  measuremen  ts  (azimuth, 
elevation,  or  range)  constitutes  a  toted  failure  of  that  string.  Onboard  navigation  software  will  not 
process  MLS  data  if  either  azimuth  or  range  is  unavailable.  Although  MLS  azimuth  and  range  data  will 
be  processed  in  case  of  ground  elevation  equipment  failure,  onboard  altitude  errors  will  not  be  corrected 
adequately.  ®[070899-6872A]  ®[041 097-4927A] 

THIS  RULE  CONTINUED  ON  NEXT  PAGE 
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A2-6  LANDING  SITE  WEATHER  CRITERIA  [HC]  (CONTINUED) 

®[ED  ] 

ACLS / ECAL / ELS 

The  ACLS,  ECAL,  or  ELS  limits  require  accepting  additional  risk.  Emergency  deorbit,  SSME  limits 
management,  and  abort  gap  closure  procedures  potentially  use  these  sites.  Rules  (A2-205EJ  and 
{A2-205F},  EMERGENCY  DEORBIT,  and  {A4-107},  PLS/EOM  LANDING  OPPORTUNITY 
REQUIREMENTS,  outline  conditions  for  use  of  an  ELS  for  emergency  deorbit.  Rule  { A5-103A}.2 , 
LIMIT  SHUTDOWN  CONTROL,  specifies  enabling  main  engine  limits  at  the  earliest  single-engine 
capability  to  reach  a  prime  TAL  or  ACLS  for  some  cases  following  an  SSME  failure.  This  action 
precludes  exposure  to  SSME  limits-inhibited  operation  for  any  longer  than  necessary.  Landing  at  an 
ACLS  with  zero/zero  conditions  carries  less  risk  than  continuing  limits-inhibited  SSME  operation. 
Rule  ( A4-56I  j.3,  PERFORMANCE  BOUNDARIES,  specifies  the  use  of  an  ACLS  for  abort  gap 
closure.  It  is  reasonable  to  attempt  landing  at  an  ACLS  with  zero/zero  conditions  if  the  attempt 
carries  a  reasonable  probability  of  success  and  the  only  alternative  is  a  bailout. 

ONE  APU  FAILED  (OR  ATTEMPT  TWO  APU’S  PROCEDURE ) 

Flight  Rules  (A2-207},  LANDING  SITE  SELECTION,  and  (A10-23},  APU  ENTRY  START  TIME, 
summarize  the  conditions  and  rationale  for  selecting  a  landing  site  with  one  APU  failed  and  using  the 
ATTEMPT  TWO  APU’s  start  procedure.  With  two  APU’s  failed,  the  loss  of  hydraulic  power  causes 
reduced  flight  control  authority,  reduced  braking,  and  loss  of  nose  wheel  steering.  The  APU  placards 
assure  safe  conditions  should  the  orbiter  lose  a  second  APU.  ®[111 094-1 622B] 
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A2-6  LANDING  SITE  WEATHER  CRITERIA  [HC]  (CONTINUED) 


FltRule5cvs 


NOTE:  VALID  FOR  28.45  DEG  INCLINATION  ®[ED  ] 

FIGURE  A2-6-V  -  ONLY  KSC15  AVAILABLE 

®[081497-6278A] 
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A2-7  DAY-OF-LAUNCH  ET  LOAD  DATA 

A.  ACTUAL  DAY  OF  LAUNCH  (DOL)  ET  LOAD  DATA  FROM  THE  PLOAD 
PROGRAM  WILL  BE  USED  TO  RE-COMPUTE  ASCENT  PERFORMANCE  MARGIN, 
ARD  MASS  PROPERTIES,  AND  ARD  FPR  BASED  ON  L-1.75  HOUR  (OR 
LATER)  DATA.  ®[050495-1729D]  ®[081 497-6305A] 

B.  IF  A  REVERT  HAS  OCCURRED,  MCC  WILL  BE  NO-GO  FOR  LAUNCH  UNTIL 
STABLE  REPLENISH  HAS  BEEN  RE-ESTABLISHED  AND  A  NEW  PLOAD  DATA 
INPUT  HAS  BEEN  RECEIVED  AND  EVALUATED  (APPROXIMATELY  50 
MINUTES  FOR  AN  LO2  REVERT  OR  APPROXIMATELY  25  MINUTES  FOR  AN 
LH2  REVERT) . 

C.  IF  PLOAD  IS  UNAVAILABLE,  THE  ARD  WILL  BE  CONFIGURED  TO 
REFLECT  TARGET  TDDP  LOAD  QUANTITIES  AND  THE  ARD  FPR  WILL  BE 
RE-CALCULATED  WITH  INCREASED  LOAD  UNCERTAINTIES  TO  ACCOUNT 
FOR  ADDITIONAL  DISPERSIONS  IN  THE  ACTUAL  LOAD.  NOTE:  THIS 
IS  VALID  ONLY  FOR  A  NOMINAL  ET  LOADING  TIMELINE,  UNLESS 
PROPULSION  SYSTEMS  COMMUNITY  CONCURRENCE  IS  RECEIVED  PER 
PARAGRAPH  D,  BELOW. 

D.  IF  BOTH  AN  L02  REVERT  HAS  OCCURRED  AND  PLOAD  IS  UNAVAILABLE, 
OR  IF  FOR  ANY  OTHER  REASON  LOAD  UNCERTAINTY  EXISTS  WITHOUT 
PLOAD  DATA,  MCC  WILL  BE  NO-GO  FOR  LAUNCH  UNTIL  THE  PROPULSION 
SYSTEMS  COMMUNITY,  AS  REPORTED  BY  THE  JSC/USA  PSIG 
REPRESENTATIVE  IN  THE  MER,  VALIDATES  THAT  THE  MEASURED  ULLAGE 
PRESSURE  DOES  NOT  EXCEED  0.255  PSI  ABOVE  THE  TDDP  NOMINAL 
LOAD  ULLAGE  PRESSURE  OF  0.781  PSIG.  @[092602-5668] 
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A2-7  DAY-OF-LAUNCH  ET  LOAD  DATA  (CONTINUED) 

The  PLOAD  program  is  executed  at  L-l.  75  hours  to  estimate  LO2  and  LH2  loads  based  on  ullage 
pressures  and  environmental  conditions.  This  data  is  provided  to  the  flight  dynamics  team  at  about  L- 
1.5  hours  (subsequent  PLOAD  run  data  during  extended  launch  holds  will  also  be  incorporated  as  it 
becomes  available,  if  necessary).  The  predicted  end-of-replenish  quantities  are  used  to  calculate  DOL 
ascen  t  performance  margin,  fuel  bias,  ARD  Main  Engine  Propellant  (MEP)  quantity,  and  vehicle 
weights.  ARD  FPR  is  also  recalculated  based  on  the  actual  load,  since  the  ET  load  and  mixture  ratio 
component  of  ARD  FPR  is  a  function  of  predicted  fuel  bias. 

If  a  revert  occurs,  launch  will  not  be  attempted  until  a  valid  PLOAD  data  point  can  be  evaluated 
(approximately  50  minutes  of  stable  replenish  for  ullage  pressure  stabilization  and  load  data  transmittal 
for  cm  LO2  revert,  approximately  25  minu  tes  for  LH2),  to  assure  cm  adequate  ascen  t  performance 
margin.  The  minimum  time  is  that  which  is  required  before  giving  a  “GO”  to  pick  up  the  count  at  T-9 
min  or  T-5  min.  These  procedures  were  approved  at  the  PRCB,  January  14,  1992.  ®[050495-l729D] 

®[081 497-6305A] 

When  PLOAD  is  not  available,  it  is  assumed  that  the  load  fits  within  statistical  limits  of  previous  load 
quantities,  which  historically  have  been  very  close  to  the  targeted  load  specified  in  the  Trajectory  Design 
Data  Package  (TDDP).  In  this  case,  ARD  FPR  must  protect  for  historical  deviations  of  the  reported 
load  from  the  target  load  as  well  as  normal  PLOAD  uncertainties.  The  historical  deviations  (reference 
NSTS  08209,  Shuttle  Systems  Design  Criteria;  Volume  I,  Shuttle  Performance  Assessment  Databook; 
Section  8,  Flight  Performance  Reserve;  Table  8.1,  System  Dispersions  for  FPR  Computation)  are  root 
sum  squared  with  the  normal  PLOAD  uncertainties  to  provide  a  total  load  uncertainty  that  is  used  to 
recompute  ARD  FPR.  This  increases  the  ARD  FPR  by  approximately  70  lbs.  ®[08i  497-6305A] 

For  any  case  involving  loss  of  PLOAD  data,  a  nominal  stable  replenish  timeline  is  necessary  to  ensure 
that  the  load  has  reached  TDDP  target  conditions.  In  the  very  unlikely  event  that  both  an  LO2  revert  has 
occurred  and  the  PLOAD  program  is  unavailable,  or  if  for  any  other  reason  load  uncertainty  exists,  the 
propulsion  systems  community,  as  reported  via  the  Propulsion  Systems  Integration  Group  (PSIG) 
representative  in  the  MER,  must  be  satisfied  that  the  target  MPS  inventory  has  been  achieved  before  a 
“GO”  can  be  given  to  pick  up  the  count.  The  MPS  inventory  is  protected  if  the  ullage  pressure  is  less 
than  1.036  psi.  Ullage  pressure  above  this  limit  indicates  an  under-load  of  a  magnitude  beyond  that 
covered  in  the  FPR.  The  value  of  1.036  psi  is  derived  by  adding  the  ullage  pressure  used  in  deriving  the 
inventory  (0.781  psi)  to  a  tolerance  that  is  protected  by  FPR  (0.255  psi).  ®[08i 497-6305A]  @[092602-5668  ] 
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A2-8  LAUNCH  TIME  SELECTION  FOR  GROUND-UP  RENDEZVOUS 

THE  MCC-H  FLIGHT  DYNAMICS  OFFICER  (FDO)  IS  RESPONSIBLE  FOR  ALL 
COMPUTATIONS  RELATED  TO  LAUNCH  WINDOW.  FINAL  CALCULATIONS  WILL 
BE  MADE  AT  APPROXIMATELY  L-2  HOURS.  THESE  WILL  USE  THE  LATEST 
AVAILABLE  BALLOON  PERFORMANCE  ANALYSIS,  LATEST  AVAILABLE  TARGET 
TRACKING  VECTOR,  AND  THE  FINAL  PLOAD  ANALYSIS  OF  ET  LOADING.  THE 
FDO  SHALL  INFORM  THE  MCC-H  FLIGHT  DIRECTOR  OF  THE  LAUNCH  WINDOW 
TIMES.  THE  FLIGHT  DIRECTOR  SHALL  BE  THE  SINGLE  POINT  OF 
COMMUNICATION  FOR  THE  LAUNCH  WINDOW  TIMES  TO  KSC  VIA  THE  NTD . 

THE  ASSOCIATED  LAUNCH  TARGET ING/AUTO  DEL  PSI  COMMAND  LOADS  WILL 
BE  GENERATED  AND  UPLINKED  TO  THE  VEHICLE  IN  THIS  TIMEFRAME. 

AFTER  THIS  TIME,  UPDATES  TO  WINDOW  TIMES  AND/OR  A  NEW  COMMAND 
UPLINK  WILL  BE  REQUIRED  IF  THE  PANE  SWITCH  WINDOW  TIME  CHANGES  BY 
MORE  THAN  5  SECONDS  (IN  EITHER  DIRECTION)  BASED  ON  THE  L-2. 25  HR 
BALLOON  ANALYSIS  AT  APPROXIMATELY  L-30  .  ©[081497-6263B]  @[111298-6693] 

A.  LAUNCH  WINDOW  OPEN  AND  CLOSE  TIMES  WILL  BE  COMPUTED  TO  THE 
NEAREST  SECOND.  ON  A  GIVEN  DAY,  A  RENDEZVOUS  LAUNCH  WINDOW 
MAY  BE  ONLY  ONE  PLANAR  PANE  OR  THE  COMBINATION  OF  TWO  PLANAR 
PANES.  ONLY  THE  PLANAR  PANE  WHERE  THE  PHASE  ANGLE  IS 
ACCEPTABLE  WILL  BE  CONSIDERED  PART  OF  THE  COMBINED  LAUNCH 
WINDOW.  THIS  MAY  RESULT  IN  CUTOUTS  IN  THE  LAUNCH  WINDOW. 
CALCULATION  OF  LAUNCH  WINDOW  OPEN,  CLOSE,  AND  PANE  SWITCH 
TIMES  WILL  PROTECT: 

1.  MPS  AND  OMS  PERFORMANCE  MARGIN  FOR  MISSION  SUCCESS  AS 

DEFINED  BY  THE  ANNEX  FLIGHT  RULE,  SHUTTLE  TRAJECTORY  AND 
GUIDANCE  PARAMETERS,  PARAGRAPHS  A  AND  B.  THIS  IS  ZERO 
PREDICTED  MPS  USABLE  RESIDUALS  ABOVE  THE  FLIGHT  PERFORMANCE 
RESERVE  AND  THE  REQUIRED  SIGMA  DISPERSION.  THE  SIGMA 
DISPERSION  IS  DEFINED  IN  THE  ANNEX  FLIGHT  RULE,  SHUTTLE 
TRAJECTORY  AND  GUIDANCE  PARAMETERS.  @[062801-4521] 
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A2-9  LOSS  OF  ET  LOX  LIQUID  LEVEL  CONTROL  SENSORS 

IN  THE  PRELAUNCH  TIMEFRAME:  ©[092602-5669A] 

A.  FOR  THE  LOSS  OF  THE  FIRST  100  PERCENT  ET  LOX  LIQUID  LEVEL 
CONTROL  SENSOR,  NO  MCC  ACTION  IS  REQUIRED,  REGARDLESS  OF  WHEN 
THE  FIRST  SENSOR  FAILS. 

B.  LOSS  OF  A  SECOND  100  PERCENT  ET  LOX  LIQUID  LEVEL  CONTROL 
SENSOR  WILL  RESULT  IN  THE  TRANSFER  OF  ET  LOX  LOADING  CONTROL 
TO  THE  100.15  PERCENT  SENSOR. 

1.  FOR  CONTROL  TRANSFER  TO  100.15  PERCENT  SENSOR  PRIOR  TO  L- 

25  MINUTES: 

a.  ARD  AND  LAUNCH  WINDOW  DATA  WILL  BE  BASED  ON  A  100.15 
PERCENT  LOX  LOADING  ESTIMATE  (WITH  ADJUSTMENT  FOR 
ADDITIONAL  DRAINBACK  TIME,  AS  APPLICABLE)  . 

b.  IF  STABLE  REPLENISH  USING  THE  100.15  PERCENT  SENSOR 
IS  REACHED  PRIOR  TO  L-l:20  HOURS,  THE  LOX  LOADING 
ESTIMATE  WILL  BE  GENERATED  USING  PLOAD .  OTHERWISE, 
"NO  PLOAD"  LOADING  ESTIMATES  WILL  BE  USED  PER  RULE 
{A2-7C},  DAY-OF-LAUNCH  ET  LOAD  DATA,  DUE  TO  MCC 
OPERATIONAL  PROCESSING  TIMELINE  CONSTRAINTS. 

C.  IF  LAUNCH  WINDOW  UPDATES  ARE  AVAILABLE  PRIOR  TO  L-39 
MINUTES,  THE  FDO  WILL  COORDINATE  UPDATES  TO  THE  KSC 
LAUNCH  WINDOW  DATA.  OTHERWISE,  THERE  WILL  BE  NO 
UPDATE  TO  THE  KSC  LAUNCH  WINDOW  TIMES. 

d.  ADDITIONAL  DRAINBACK  TIME  SHALL  BE  INSERTED  INTO  THE 
TIMELINE  AFTER  THE  START  OF  DRAINBACK  AS  SPECIFIED  BY 
THE  DOLILU  OPERATIONS  SUPPORT  PLAN.  FD  WILL 
COORDINATE  THE  INSERTION  OF  THE  ADDITIONAL  DRAINBACK 
TIME,  IF  ANY,  WITH  NTD  .  ®[092602-5669A] 
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A2-9  LOSS  OF  ET  LOX  LIQUID  LEVEL  CONTROL  SENSORS 

(CONTINUED) 

2.  FOR  CONTROL  TRANSFER  TO  100.15  PERCENT  SENSOR  AFTER  L-25 

MINUTES:  ®[092602-5669A] 

a.  LAUNCH  WINDOW  DATA  AND  ARD  CALCULATIONS  WILL  NOT  BE 
UPDATED . 

b.  ADDITIONAL  DRAINBACK  TIME  WILL  NOT  BE  INSERTED  INTO 
THE  TIMELINE. 

c.  MCC  WILL  BE  NO-GO  FOR  LAUNCH  UNTIL  THE  PSIG 
REPRESENTATIVE  IN  THE  MER  VALIDATES  THAT  THE  MEASURED 
ULLAGE  PRESSURE  DOES  NOT  EXCEED  0.255  PSI  ABOVE  THE 
TDDP  NOMINAL  LOAD  ULLAGE  PRESSURE  OF  0.781  PSIG 

The  ET  project  has  determined  that  the  PLOAD  LOX  loading  estimate  based  on  liquid  level  con  trol 
using  a  100  percent  sensor  which  subsequently  fails  will  remain  valid  after  a  switch  to  the  second  100 
percent  ET  LOX  liquid  level  control  sensor.  Therefore,  switching  liquid  level  control  from  one  100 
percent  sensor  to  the  second  100  percent  sensor  does  not  invalidate  the  original  PLOAD  loading 
estimate. 

The  ET  project  has  determined  that  the  PLOAD  LOX  loading  estimate  based  on  liquid  level  control 
using  either  100  percent  sensor  is  not  accurate  in  the  event  of  a  later  failure  of  both  100  percent  LOX 
liquid  level  con  trol  sensors  and  subsequen  t  fill  to  the  100.15  percen  t  sensor  per  LCC  ET-10.  The  ET 
Project  has  requested  DOSS  to  rerun  PLOAD  or  revert  to  100.15  percen  t  MPS  inventory  loading 
estimates.  A  rerun  and  QA  of  PLOAD  loading  updates,  nominal  mission  performance  margin,  and 
launch  window  impacts  requires  approximately  40  minutes.  KSC  Ground  Operations  is  unable  to  accept 
launch  window  updates  after  L-39  minutes.  However,  EDO  and  ARD  Support  should  reflect  the  best 
possible  estimate  of  the  true  LOX  loading.  Therefore  these  elements  will  reconfigure  to  reflect  LOX 
loading  to  the  100.15  percent  MPS  inventory  values,  if  the  fail  over  occurs  after  the  latest  time  to  rerun 
PLOAD  (about  L-l:20  hour)  and  prior  to  L-25  minutes,  regardless  of  whether  or  not  the  KSC  launch 
window  is  updated. 

For  any  level  sensor  failure  after  L-25  minutes,  no  action  is  required  by  the  MCC.  A  late  sensor  failure 
(either  the  first  or  the  second)  may  result  in  an  underload  of  approximately  1,100  pounds  of  LOX,  which 
still  meets  LCC  ET-10  launch  requirements.  This  equates  to  approximately  15  fps  of  ascent  performance 
margin.  A  launch  with  an  underload  of  this  magnitude  will  result  in  TAL  and  ATO  abort  boundary  calls 
being  made  approximately  15  fps  early  and  slightly  increases  the  chances  of  a  low  level  cut-off  with  a 
small  underspeed.  The  program  accepts  this  risk  due  to  its  low  probability  of  occurrence.  ®[092602-5669A] 
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A2-9  LOSS  OF  ET  LOX  LIQUID  LEVEL  CONTROL  SENSORS 

(CONTINUED) 


In  the  event  of  a  failure  of  both  100  percent  sensors  and  fail-over  to  a  fill  to  the  100.15  percent  sensor 
failure,  no  additional  drainback  time  will  be  added  to  the  countdown.  Analysis  to  clear  the  ET  for  flight 
in  this  condition  is  valid  only  through  STS- 118.  ET  LOX  tank  changes  being  made  subsequent  to  STS- 
118  will  require  additional  analysis.  ©[092602-5669A] 

Late  fail-over  to  a  LOX  tank  fill  controlled  by  the  100.15  percent  (after  failure  of  both  100  percent  level 
sensors)  will  require  verification  that  the  LOX  loading  is  consistent  with  MPS  inventory  loading 
estimates.  The  MPS  inventory  is  protected  if  the  ullage  pressure  is  less  than  1.036  psi.  Ullage  pressure 
above  this  limit  indicates  an  under-load  of  a  magnitude  beyond  that  covered  in  the  FPR.  The  value  of 
1.036  psi  is  derived  by  adding  the  ullage  pressure  used  in  deriving  the  inventory  (0.781  psi)  to  a 
tolerance  that  is  protected  by  FPR  (0.255  psi).  ®[092602-5669A] 
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A2-64  MANUAL  THROTTLE  CRITERIA 

MANUAL  THROTTLE  CONTROL  WILL  BE  PERFORMED  WHEN  REQUIRED  TO 
PROTECT  SYSTEMS  LIMITS,  GUIDANCE  SOFTWARE  PERFORMANCE,  OR  MISSION 
CAPABILITY.  REFERENCE  RULES  {A2-61},  Q-BAR/G-CONTROL ;  {A4-59}, 

MANUAL  THROTTLE  SELECTION;  {A5-112},  MANUAL  THROTTLEDOWN  FOR  L02 
NPSP  PROTECTION  AT  SHUTDOWN;  {A5-152DJ.1,  PRE-MECO  MPS  HELIUM 
SYSTEM  INTERCONNECTS  [OIL];  AND  {A5-155},  LIMIT  SHUTDOWN  CONTROL 
AND  MANUAL  THROTTLING  FOR  LOW  LH2  NPSP,  FOR  SPECIFIC  CASES 
INVOLVING  MANUAL  THROTTLE.  @[090894-1 676A]  @[041 097-491 0A]  ®[ED  ] 

Normally,  all  SSME  throttling  action  will  be  commanded  by  the  flight  software.  However,  manual 
throttling  can  relieve  certain  failure  conditions,  some  potentially  catastrophic,  which  are  not  protected 
by  software;  examples  include  low  SSME  NPSP,  an  unstable  guidance  solution,  or  any  generic  failure  of 
the  software  throttling  logic  itself.  In  addition,  manual  throttle  can  be  used  to  maximize  performance  in 
propellant-critical  TAL  cases  as  well  as  to  avoid  a  TAL  or  RTLS  abort  when  design  underspeed  is  limited 
by  NPSP.  In  these  scenarios,  the  use  of  manual  throttle  control  is  preferred  to  the  alternatives.  The 
referenced  rules  spell  out  the  background  and  criteria  for  manual  throttle  usage  in  each  case. 
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A2-65  QMS— 1  DELAYED  TARGET  CRITERIA 

THE  OMS-1  BURN  WILL  UTILIZE  DELAYED  TARGET  FOR: 

A.  MAIN  PROPULSION  SYSTEM  (MPS)  PROPELLANT  DISCONNECT  VALVE 
FAILED  OPEN. 

B.  ANY  OMS  PROPELLANT  FAIL/LEAK  OR  OMS  HE  TANK  FAIL. 

C.  TWO  OMS  ENGINES  FAILED. 

NOTE:  UNDERSPEED  MECO  CONDITIONS  MAY  REQUIRE  USE  OF  ON-TIME 

(MECO  +  2)  OMS-1  TARGETS. 

Delayed  targets  are  designed  for  nominal  or  small  underspeed  MECO  conditions  only.  Larger 
underspeeds  ( mission-dependent )  may  require  on-time  targets  to  remain  within  orbiter  delta  V  capability. 

For  OMS  propellant  or  helium  tank  leaks/failures,  significant  delta  V  capability  will  be  lost.  Also,  loss 
of  two  OMS  engines  implies  that  all  the  delta  V  maneuvers  will  be  accomplished  with  the  RCS  4  +X 
thrusters.  Performing  delta  V  maneuvers  with  the  RCS  requires  a  significant  amount  of  additional 
propellant  to  compensate  for  the  reduced  engine  efficiency  of  the  RCS  jets  as  compared  to  the  OMS 
engines.  For  these  cases ,  a  delayed  ATO  OMS-1  burn  is  performed  to  minimize  delta  V  requirements  for 
insertion  and  deorbit  and  allow  time  for  a  thorough  assessment  of  the  delta  V  capability  remaining. 
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A2-70  DELAYED  TRANSATLANTIC  LANDING  (TAL)  ABORT 

IN  THE  WINDOW  BETWEEN  TWO-ENGINE  TAL  PLUS  10  SECONDS  AND  PRESS- 
TO-ABORT  TO  ORBIT  (ATO)  FOR  51.6  DEGREE  INCLINATION  MISSIONS,  THE 
SELECTION  OF  THE  TAL  ABORT  MAY  BE  DELAYED.  THIS  DELAY  WILL 
MAXIMIZE  EAST  COAST  ABORT  LANDING  (ECAL)  ABORT  COVERAGE  WHILE 
PRESERVING  INTACT  TAL  ABORT  MARGIN.  THE  FOLLOWING  GROUND  RULES 
SHALL  APPLY  TO  THE  EXECUTION  OF  A  DELAYED  TAL  ABORT:  ©[092602-5667A] 

A.  PRIOR  TO  ABORTING  TAL,  A  MANUAL  OMS  DUMP  WILL  BE  INITIATED 
THROUGH  A  CREW  ITEM  ENTRY. 

B.  THE  TAL  ABORT  SHALL  BE  SELECTED  NO  LATER  THAN  THE  3-SIGMA 
MAIN  PROPULSION  SYSTEM  (MPS)  FLIGHT  PERFORMANCE  RESERVE  (FPR) 
PERFORMANCE  BOUNDARY  OR  THE  SINGLE-ENGINE  OPS  3  BOUNDARY 
(REF.  RULE  {A4-56G},  PERFORMANCE  BOUNDARIES),  WHICHEVER  COMES 
FIRST . 

C.  DELAYING  THE  SELECTION  OF  THE  TAL  ABORT  SHALL  NOT  APPLY  FOR 
THE  FOLLOWING  SCENARIOS: 

1.  LOSS  OF  COMMUNICATION 

2.  SIGNIFICANT  UNCERTAINTY  EXISTS  IN  THE  3-SIGMA  MPS  FPR 
PERFORMANCE  BOUNDARY. 

In  accordance  with  feasibility  studies  and  risk  trade  assessments  brought  to  the  Ascent/Entry  Flight 
Techniques  Panel  and  the  Space  Shuttle  Program  Office,  delayed  TAL  shall  be  implemented  on  all  ISS 
missions  starting  with  STS-110.  The  delayed  TAL  trajectory  results  in  a  groundtrack  that  is  closer  to  the 
Eastern  coast  of  the  United  States  than  if  the  TAL  abort  had  not  been  delayed.  The  benefits  of  a  delayed 
TAL  trajectory  include  increased  ECAL  landing  opportunities  and  improved  bailout  survival/recovery 
probabilities  while  maintaining  intact  TAL  performance  margins  to  no  less  than  a  3-sigmci  confidence 
level.  These  benefits  come  at  the  expense  of  delayed  single-engine  performance  boundaries  and  cm 
extended  Space  Shuttle  Main  Engine  (SSME)  run  time  that  vary  as  a  function  of  the  TAL  delay  time. 

An  ITEM  9  OMS  propellant  dump  will  be  initiated  prior  to  the  TAL  abort  to  improve  intact  TAL 
performance  margins  during  the  TAL  delay  period.  The  ECAL  trajectory  will  also  benefit  from  cm  early 
ITEM  9  OMS  propellant  dump  because  of  cm  overall  reduction  in  orbiter  weight  that  should  improve 
safety  margins  with  respect  to  External  Tank  (ET)  separation  dynamics  and  overall  orbiter  load  factors. 
©[092602-5667 A  ] 
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A2-70  DELAYED  TRANSATLANTIC  LANDING  (TAL)  ABORT 

(CONTINUED) 


The  TAL  abort  shall  be  initiated  at  the  earlier  of  the  3 -sigma  MPS  FPR  performance  boundary  for  the 
prime  TAL  site  or  the  single-engine  OPS  3  performance  boundary.  It  is  expected  for  early  engine-out 
cases  close  to  the  two-engine  TAL  performance  boundary  that  TAL  aborts  will  be  initiated  based  on  the 
3-sigma  MPS  FPR  performance  boundary.  Later  engine-out  cases  and  cases  that  implement  an  early 
ITEM  9  OMS  propellant  clump  are  likely  to  initiate  TAL  aborts  based  on  the  single-engine  OPS-3 
boundary.  ®[092602-5667A] 

Av  discussed  with  the  Flight  Director  Office  and  the  Space  Shuttle  Program  Office,  TAL  delay  will  not 
be  implemented  during  loss  of  communication  situations,  since  the  crew  may  not  be  aware  of  ground- 
determined  performance  boundaries  used  to  terminate  the  TAL  delay.  More  specifically,  if  there  is  no 
comm  at  the  time  of  the  SSME  failure,  the  crew  will  follow  the  normal  no-comm  mode  boundaries  and 
abort  as  required.  For  all  other  cases,  if  comm  is  subsequently  lost,  then  the  crew  will  abort  TAL  at 
the  no  comm  Vi  per  the  MCC  Delayed  TAL  abort  call.  Also,  TAL  delay  will  not  be  implemented  for 
any  scenario  that  results  in  a  significant  uncertainty  in  the  real-tune  determination  of  the  3 -sigma 
MPS  FPR  performance  boundary  in  the  ground  Abort  Region  Determination  (ARD)  processor.  In  this 
instance,  where  significant  uncertainty  exists,  it  is  conservative  to  abort  TAL  prior  to  the  3-sigma 
MPS  FPR  boundary  to  ensure  adequate  performance  margin  in  support  of  the  intact  TAL  trajectory. 
©[092602-5667A] 
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A2-102  MISSION  DURATION  REQUIREMENTS  (CONTINUED) 


A  risk  assessment  of  the  IMU,  FCS,  APU /hydraulic  system,  and  MDM  was  completed  by  the  AEFTP  in 
1996  (reference  AEFTP  # 131  and  6/96  AEFTP  splin  ter  meeting).  This  assessment  was  quantitative  for 
those  items  which  have  a  sufficient  statistical  failure  database,  but  relied  on  engineering  judgment  for 
other  items.  This  assessmen  t  concluded  that  the  relative  risk  of  remaining  on-orbit  to  NEOM  rather  than 
returning  MDF  for  the  first  failure  in  these  systems  is  less  than  the  launch  risks  and  orbital  debris  risks. 
This  risk  is  acceptable  as  long  as  the  remaining  systems  are  good  and  generic  problems  are  exonerated. 

The  following  should  be  considered  when  making  a  flight  determination  decision:  crew  and  vehicle 
health,  vehicle  mass  properties,  weather,  trajectory,  and  landing  site. 

Reference  Rule  / A2-1001 },  ORBITER  SYSTEMS  GO/NO-GO,  for  the  number  of  failures  in  each  system 
which  result  in  early  mission  termination.  Reference  Rules  {A2-207J,  LANDING  SITE  SELECTION; 
{A10-21A},  LOSS  OF  APU /HYDRAULIC  SYSTEM(S)  ACTIONS;  and  {A10-23A},  APU  ENTRY  START 
TIME.  @[101796-4561  A]  ®[ED  ] 

C.  FOR  A  SECOND  FAILURE  AFFECTING  ANY  ENTRY-CRITICAL  SYSTEM 
@[101 796-4561  A] 

1.  TERMINATE  THE  FLIGHT  NEXT  PLS  IF  THE  AFFECTED  SYSTEM  HAS 
LOST  ALL  FAULT  TOLERANCE  OR  IF  THE  FAILURE  IS  CONSIDERED 
TO  BE  GENERIC. 

2.  CONTINUE  THE  FLIGHT  TO  MDF  IF  THE  ORBITER  IS  ONLY  SINGLE¬ 
FAULT  TOLERANT  IN  ORDER  TO  ACCOMPLISH  DEPLOYMENT  OF  A 
PRIMARY  PAYLOAD  AND  TO  ENSURE  CREW  ADAPTATION,  BOTH  OF 
WHICH  REDUCES  THE  OVERALL  RISK  TO  THE  CREW  AND  ORBITER. 

NOTE:  AN  MDF  WILL  LAST  APPROXIMATELY  72  HOURS  AND 

LANDING  WILL  OCCUR  AT  THE  PLS  PRIOR  TO  THE  END  OF 
THE  FLIGHT  DAY  4. 

Multiple  failures  in  an  entry  critical  system,  even  though  it  remains  single-fault  tolerant,  may  be 
indicative  of  a  generic  failure;  Exposure  to  additional  failures  should  be  minimized  by  early  termination 
of  the  mission. 
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A2-102  MISSION  DURATION  REQUIREMENTS  (CONTINUED) 

D.  MDF  GENERIC  PAYLOAD  RULES 

1.  THE  DEORBIT  OPPORTUNITY  WILL  NOT  BE  DELAYED  FOR  THE 
PURPOSE  OF  ACCOMPLISHING  PAYLOAD  OBJECTIVES. 

2.  FIRST  PRIORITY  WILL  BE  THE  ACCOMPLISHMENT  OF  THE  MINIMUM 
MISSION-SUCCESS  OBJECTIVES  OF  THE  PRIMARY  PAYLOAD (S). 

3.  LOWER  PRIORITY  MISSION  OBJECTIVES  WILL  BE  CONSIDERED  IN 
THE  PRIORITY  ORDER  AS  STATED  FOR  A  NOMINAL  MISSION. 
@[101796-4561  A] 

4.  SIGNIFICANT  CONTINGENCY  OPERATIONS,  E.G.,  AN  UNSCHEDULED 
EVA  OR  A  CONTINGENCY  RENDEZVOUS,  WILL  BE  UNDERTAKEN  ONLY 
IF  ALL  THE  FOLLOWING  ARE  MET  :  @[101796-4561  A] 

a.  IT  IS  NEEDED  TO  ACCOMPLISH  A  MINIMUM  MISSION-SUCCESS 
OBJECTIVE  FOR  A  PRIMARY  PAYLOAD. 

b.  THE  OPERATION  WOULD  NOT  RESULT  IN  AN  IMPACT  TO  THE 
MINIMUM  MISSION  SUCCESS  OF  ANOTHER  PRIMARY  PAYLOAD. 

C.  RULE  { A1 3-1 01},  SCHEDULED  AND  UNSCHEDULED  EVA 
CONSTRAINTS,  IS  SATISFIED. 

THIS  RULE  CONTINUED  ON  NEXT  PAGE 


VOLUME  A  06/20/02  FINAL  FLIGHT  OPERATIONS  2-96 

Verify  that  this  is  the  correct  version  before  use. 


NASA  -  JOHNSON  SPACE  CENTER 


FLIGHT  RULES 


A2-102  MISSION  DURATION  REQUIREMENTS  (CONTINUED) 

E.  A  NEXT  PLS  DEORBIT  WILL  BE  EXECUTED  AT  THE  EARLIEST  PRACTICAL 
TIME  TO  A  CONUS  LANDING  SITE  FOR  FAILURES  WHICH  PLACE  THE 
ORBITER  SYSTEM  AT  THE  ZERO-FAULT  TOLERANT  LEVEL  OR  RESULT  IN 
A  CONDITION  WHERE  ONE  MORE  FAILURE  CAUSES  A  SEVERE  ORBITER 
CONFIGURATION  MANAGEMENT  CONDITION.  CONUS  LANDING  SITE 
SELECTION  SHALL  PROVIDE  FOR: 

1.  LANDING  SITE  PRIORITY  (REF.  RULE  {A2-207},  LANDING  SITE 
SELECTION) 

a.  PLS 

b.  SLS 

c.  ANY  CONUS  SITE 

2.  EOM  LANDING  CONSTRAINTS  (CROSSRANGE,  LIGHTING,  WEATHER, 
AND  BACKUP  OPPORTUNITIES) 

3.  CREW  SCHEDULE  CONSTRAINTS 

4.  A  NOMINAL  DEORBIT  PREPARATION  TIMELINE  IF  POSSIBLE; 
OTHERWISE,  A  MINIMUM  OF  3.5  HOURS  DEORBIT  PREPARATION 

@[101796-4561  A] 
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A2-102  MISSION  DURATION  REQUIREMENTS  (CONTINUED) 

F.  IF  A  FAILURE  OCCURS  THAT  WOULD  NORMALLY  CAUSE  AN  MDF  BUT  THE 
TIME  OF  FAILURE  IS  PAST  72  HOURS  FLIGHT  DURATION,  A  LANDING 
WILL  BE  ACCOMPLISHED  AT  THE  NEXT  PLS  OPPORTUNITY  THAT 
PROVIDES  ADEQUATE  TIME  FOR  THE  NORMAL  EOM  TIMELINE  FOR 
VEHICLE  STOWAGE  AND  ENTRY  PREPARATION.  @[101796-4561  A] 


Since  a  failure  that  would  cause  declaration  of  an  MDF  is  a  reason  to  shorten  a  normal  flight,  further 
operations  of  a  payload/experiment  are  not  sufficien  t  reason  to  continue.  The  flight  would  be  terminated 
at  the  next  PLS  that  affords  time  to  accomplish  adequate  stowage  for  entry  and  also  allow  the  crew  to 
have  a  sufficient  sleep  period. 

G.  FOR  SOME  FAILURE  SITUATIONS  AND/OR  VIOLATION  OF  GO/NO-GO 

CRITERIA  FOR  FLIGHT  CONTINUATION,  IT  IS  SAFER  TO  REMAIN  IN 
ORBIT  INSTEAD  OF  ENTERING  AT  THE  NEXT  LANDING  OPPORTUNITY. 
THAT  IS,  IF  THE  ADDITIONAL  TIME  CAN  BE  USED  TO: 

1.  BETTER  UNDERSTAND  THE  FAILURE  AND  ITS  IMPLICATION  ON 
ENTRY 

2.  VERIFY  SYSTEMS  CONFIGURATION  PROCEDURES  AND  PERFORMANCE 
PRIOR  TO  ENTRY 

3.  PROVIDE  ADEQUATE  TIME  FOR  CREW  REST  THE  NIGHT  BEFORE 
ENTRY 

4.  PROVIDE  THE  OPPORTUNITY  TO  ACCOMPLISH  ACTIVITIES  THAT 
COULD  ENHANCE  ORBITER  ENTRY/LANDING  CONDITIONS  @[101 796-4561  A] 

Rules  {A2-202},  EXTENSION  DAY  GUIDELINES;  (A7-1001J,  DPS  GO/NO-GO  MATRIX;  and  { A8-4B }. 
FA  ULT  TOLERANT  PHILOSOPHY  reference  this  rule.  ®[ED  ] 
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A2-104  SYSTEMS  REDUNDANCY  REQUIREMENTS  (CONTINUED) 

B.  PAYLOAD  OPERATIONS 

ONCE  THE  DECISION  HAS  BEEN  MADE  FOR  EARLY  FLIGHT  TERMINATION, 
PAYLOAD  OPERATIONS  MAY  CONTINUE  UNTIL  DEORBIT  MINUS  6  HOURS 
PROVIDED  THAT  THE  OPERATIONS  WOULD  NOT  JEOPARDIZE  DEORBIT 
CAPABILITY.  PAYLOAD  OR  SPACE  SHUTTLE  ARTICLES  WHICH  MUST  BE 
MECHANICALLY  SECURED  FOR  SAFE  ENTRY/LANDING  WILL  BE  SECURED 
PRIOR  TO  PRESLEEP  ON  DEORBIT  MINUS  2  DAYS.  IF  STOW 
REDUNDANCY  CAN  BE  DEMONSTRATED,  OPERATIONS  WILL  BE  ALLOWED  TO 
CONTINUE  UNTIL  THE  MORNING  OF  DEORBIT  MINUS  1  DAY. 


If  a  payload  activity  has  no  failure  mode  that  could  delay  PLBD  closing,  there  is  no  risk  associated  with 
allowing  it  to  operate  until  deorbit  minus  6  hours.  If  however,  the  payload  or  space  shuttle  article  must 
be  mechanically  or  operationally  secured  prior  to  PLBD  closure,  then  this  operation  should  begin  early 
enough  to  conduct  an  EVA  (if  required)  without  extending  beyond  the  selected  deorbit  opportunity.  This 
correlates  to  securing  2  days  prior  to  deorbit  which  allows  for  an  EVA  on  deorbit  minus  1  day.  If  the 
poten  tial  of  having  to  do  an  EVA  has  been  significan  tly  reduced  (i.e.,  by  demonstrating  stow 
redundancy),  then  operation  may  con  tinue  until  the  morning  of  deorbit  minus  1  day.  Stowing  in  the 
morning  will  cdlow  time  for  troubleshooting  any  unforeseen  difficulties. 

Rule  { A9-4j ,  CAUTION  AND  WARNING  (C&W),  references  this  rule.  ®[ED  ] 
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A2-105  IN-FLIGHT  MAINTENANCE  ( IFM) 

A.  DEFINITIONS: 

1.  SCHEDULED  IN-FLIGHT  MAINTENANCE  (IFM)  IS  ACCOMPLISHED  ON 
A  PERIODIC  (NOT  NECESSARILY  TIMELINED)  BASIS  TO  KEEP 
EQUIPMENT  OPERATIONAL  AND  EXTEND  ITS  LIFE.  SCHEDULED  IFM 
TASKS  INCLUDE  INSPECTION,  CLEANING,  AND  REPLACING  FILTERS 
AND  CONSUMABLES.  SPECIFICALLY  EXCLUDED  FROM  THIS 
DEFINITION  ARE  REPAIR  TYPE  ACTIVITIES  TO  CORRECT  OR  WORK 
AROUND  MALFUNCTIONS. 


Examples  of  this  type  of  maintenance  are  filter  cleaning,  LiOH  canister  replacement,  and  calibration  of 
equipment. 

2.  UNSCHEDULED  IFM  IS  UNDERTAKEN  AS  A  RESULT  OF  ANOMALIES 

AND  SPECIFICALLY  INCLUDES  TEST,  MEASUREMENT,  INSPECTION, 
AND  REPAIR  TYPE  ACTIVITIES  TO  CORRECT  OR  WORK  AROUND 
MALFUNCTIONS . 


Definitions  of  categories  of  maintenance  provide  common  terms  for  activities  which  may  be  constrained 
by  flight  rules.  For  example,  scheduled  maintenance  is  planned  and  approved  preflight  and  usually 
accomplished  without  real-time  consultation  with  the  MCC-H.  Unscheduled  maintenance,  which  is 
conducted  as  a  result  of  a  hardware  malfunction,  is  usually  reviewed  real  time  by  the  MCC-H  whether 
or  not  it  was  preflight  approved.  This  real-time  review  is  conducted  to  determine  orbiter/crew  safety 
impacts. 
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A2-132  THERMAL  CONDITIONING  FOR  FLIGHT  DAY  1  LANDING 

(CONTINUED) 


For  a  launch  day  deorbit,  time  may  not  be  available  to  meet  all  thermal  constraints,  due  to  other 
constraints  such  as  landing  opportunity,  burn  attitudes,  IMU  alignment  and  verification,  and 
communications.  Within  these  other  constraints,  attitudes  will  be  chosen  to  meet  thermal  constraints, 
such  as  tail-sun  for  bondlines  or  biased  starboard-sun  for  OMS  Ox  Hi  Point  Bleedline  QD  and  aft-firing 
RCS  thrusters.  ®[0921 95-1 787B] 


*  TABLE  NOTES: 

ORBIT  AND  THEN”  REFERS  TO  THE  TIME  FROM  NOMINAL  PLBD  OPENING  ATTITUDE  (1 :12)  UNTIL  MANEUVER  TO 
DEORBIT  IMU  ATTITUDE  (OR  DEORBIT  COMM  ATTITUDE  FOR  REV  3). 

TIMES  IN  PARENTHESES  SHOW  THE  ATTITUDE  DURATIONS  WHICH  WERE  ASSUMED  AND  ANALYZED.  THESE 
TIMES  ALSO  REFLECT  THE  DESIRED  DURATIONS.  IF  MORE  (LESS)  ATTITUDE  TIME  IS  AVAILABLE  BETWEEN  THE 
ACTUAL  OMS-2  AND  DEORBIT  COMM  ATTITUDES,  THE  'ORBIT  ATTITUDE  MAY  BE  LENGTHENED  (SHORTENED). 

IF  TWO  ATTITUDES  ARE  SHOWN,  I.E.,  ‘ORBIT’  AND  ‘THEN’,  THE  DURATIONS  MAY  BE  ADJUSTED 
PROPORTIONALLY. 

ORB  RATE  DEFINITION:  ORBITER  WILL  ROTATE  ABOUT  A  SUN  POINTING  VECTOR  OF  P=1 80,  Y=40  OR  45  AT 
ORBIT  RATE,  KEEPING  THE  ORBITER  BOTTOM  TOWARD  SPACE  DURING  ROTATION  (I.E.,  EQUIVALENT  TO 
OMICRON  90  FOR  POSITIVE  BETA  AND  OMICRON  270  FOR  NEGATIVE  BETA  AT  NOON). 

-ZLV  AND  ORB  RATE  ATTITUDES  REQUIRE  GNC  OPS  2  SOFTWARE.  IF  GNC  OPS  2  IS  NOT  AVAILABLE, 
“THERMALLY  SIMILAR”  SOLAR  INERTIAL  ATTITUDES  WILL  BE  SELECTED. 


DOCUMENTATION:  CCB  February  28,  1995,  May  16,  1995,  SODB  Volume  V.  ®[092i  95-1 787B] 
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A2-133  POCC  THROUGHPUT  COMMAND  RATES 

THE  GENERIC  COMMAND  SERVER  (GCS)  WILL  BE  CONFIGURED  TO  ALLOW  ONLY 
ONE  POCC  THROUGHPUT  COMMAND  PER  SECOND  TO  BE  OUTPUT  INTO  THE 
ORBITER  UPLINK  DATA  STREAM.  @[121197-6398]  @[062702-5513] 

The  Network  Signal  Processor  (NSP)  interface  with  the  Flight  Software  (FSW)  Systems  Management 
(SM)  command  application  may  require  as  much  as  960  msec  to  completely  process  a  single  uplinked 
payload  throughput  command  (PTC)  without  error.  The  POCC  INPUT  RATE  CONTROL  adjusts  the 
rate  at  which  commands  will  be  accepted  into  the  GCS.  By  setting  this  control  to  one  command  per 
second,  first  word/last  word  (FW/LW)  rejects  of  commands  by  the  SM  GPC  caused  by  too  rapid  payload 
commanding  can  be  eliminated.  Any  setting  of  this  control  above  one  command  per  second,  even  if  the 
commands  are  routed  to  the  same  vehicle  address,  will  allow  the  potential  for  onboard  rejects  of 
commands  to  exist.  See  Section  6. 2. 2. 5  of  the  Space  Shuttle  Computer  Program  Development 
Specifications  (CPDS)  -  SS  Downlist/Uplink  Software  Requirements  (SS-P-0002-140).  @[062702-551 3  ] 

Rejection  of  commands,  for  whatever  reason,  requires  analysis  of  the  command  system  to  ensure  that  it 
remains  intact  with  no  failures.  By  eliminating  this  source  of  command  rejects,  resources  can  be  more 
efficiently  used.  Limitation  of  payloads  to  one  PTC  per  second  should  not  present  a  significant  impact  if 
command  timelines  are  planned  appropriately.  @[121197-6398  ] 
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A2-206  DEROTATION  SPEED 

A.  NOMINAL  DEROTATION  WILL  BE  TARGETED  FOR  185  KEAS  USING  BEEP 
TRIM. 

B.  IN  THE  EVENT  OF  A  BEEP  TRIM  FAILURE,  THE  CDR  WILL  INITIATE 
MANUAL  DEROTATION  BY  APPROXIMATELY  175  KEAS  AND  TARGET  FOR  A 
1-2  DEG/SEC  RATE. 

C.  FOR  A  LEAKING/FLAT  MAIN  GEAR  TIRE,  BEEP  TRIM  DEROTATION  MAY 
BE  DELAYED  TO  NO  SLOWER  THAN  165  KEAS  TO  ACHIEVE  A  1 0  KT 
DELTA  FROM  THE  ACTUAL  DRAG  CHUTE  DEPLOY  VELOCITY.  ®[041097-4009E] 

Nominal  derotation  is  initiated  by  the  crew  using  beep  trim  at  185  KEAS  on  both  concrete  and  lakebed 
runways  and  for  all  vehicles.  Based  on  a  nominal  195  KEAS  lightweight  MEG  touchdown,  the  drag 
chute  is  deployed  immediately  after  touchdown.  Flight  data  and  testing  at  Ames  (1/96  and  7/96)  show 
that,  to  ensure  disreef  prior  to  NGTD,  the  chute  should  be  deployed  10  knots  prior  to  derotation.  If  the 
drag  chute  is  deployed  at  195  knots  (post  MGTD),  the  chute  will  be  in  the  full-open  configuration  just 
prior  to  nose  gear  touchdown,  thus  reducing  the  slapdown  loads.  Faster  touchdowns  result  in  more  time 
spent  in  the  2-pt  attitude  hold  stance  waiting  for  the  velocity  to  decelerate  to  the  nominal  chute 
deploy/vehicle  derotation  cues.  Although  a  nominal  drag  chute  deploy  and  derotation  sequence  will 
usually  result  in  a  chute  disreef  prior  to  NGTD,  dispersions  in  touchdown  speed,  chute  deploy,  and 
derotation  velocities  may  result  in  chute  disreef  after  NGTD.  Derotation  may  therefore  be  delayed  until 
10  knots  below  the  actual  chute  deploy  velocity  to  ensure  maximum  load  relief  for  a  leaking/flat  tire.  The 
165  KEAS  minimum  derotation  velocity  protects  nose  gear  slap  down  loads,  assinning  no  beep  trim 
failures.  (Reference  AEFTP  Splinter,  October  8,  1996.)  ®[041097-4009E] 

Reference  Rules  {A4-108A},  TIRE  SPEED,  BRAKING,  AND  ROLLOUT  REQUIREMENTS,  and 
{A10-142},  TIRE  PRESSURE  [CIL ].  ®[050495-i774A] 
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A2-207  LANDING  SITE  SELECTION 

NORMAL  LANDING  SITE  SELECTION  WILL  BE  BASED  ON  THE  FOLLOWING 
PRIORITIES.  ALL  REQUIREMENTS  FOR  ACCEPTABLE  WEATHER,  LIGHTING 
CONDITIONS,  RUNWAY  CONDITIONS,  AND  ENTRY  CONSTRAINTS  MUST  BE 
SATISFIED  FOR  A  SITE/RUNWAY  TO  BE  USED.  ®[1 02402-5804C] 

NOTE:  REFERENCE  THE  FLIGHT-SPECIFIC  FLIGHT  RULE  ANNEX  FOR  ANY 

EXCEPTIONS  TO  THE  FOLLOWING  LANDING  SITE  PRIORITIES  DUE 
TO  SPECIAL  CIRCUMSTANCES/REQUIREMENTS. 

A.  RTLS/TAL  PRIORITIES: 


RTLS  [1] 

INCLINATION  <39° 

INCLINATION  >39° 

KSC  15 

KSC  33 

KSC  33 

KSC  15 

NOTE: 

[1]  FOR  INCLINATIONS  OF  EXACTLY  39  DEGREES,  THERE  IS  NO  DIFFERENCE  IN  DOWNMODE  RANGING 
BETWEEN  KSC  15/33.  RUNWAY  WILL  BE  CHOSEN  BASED  ON  WEATHER,  SURFACE  WINDS, 
TOUCHDOWN/ROLLOUT  MARGINS,  ETC.  @[0201 96-1 802A] 


TAL 

28.5 

39 

51.6 

57 

BEN  GUERIR  (BEN) 

BEN  GUERIR  (BEN) 

ZARAGOZA  (ZZA) 

ZARAGOZA  (ZZA) 

MORON  (MRN) 

MORON  (MRN) 

MORON  (MRN) 

MORON  (MRN) 

ZARAGOZA  (ZZA) 

BEN  GUERIR  (BEN) 

BEN  GUERIR  (BEN) 

@[0201 96-1 802A]  ®[1 02402-5804C] 


RUNWAY  SELECTION  FOR  RTLS  OR  TAL  SHOULD  BE  IN  PRIORITY  ORDER  OF  GO  RUNWAYS.  HOWEVER,  IF  A 
RUNWAY  APPROACHES  FLIGHT  RULE  LIMITS  OR  OTHER  CONDITIONS  MAKE  A  RUNWAY  LESS  DESIRABLE  (I.E., 
SUN  GLARE,  STA  EVALUATION,  ETC.),  THEN  CONSIDERATION  MAY  BE  GIVEN  TO  SELECTING  A  LOWER  PRIORITY 
RUNWAY.  @[0201 96-1 802A]  ®[1 02402-5804C] 


Run  way  priorities  for  RTLS  are  based  solely  on  energy  downmode  capability.  For  inclinations  less  than 
39  degrees,  GRTLS  range-to-go  analysis  has  shown  that  a  larger  range  recovery  capability  exists  for  an 
OVHD  KSC  15  downmode  to  STIN  KSC  33  than  OVHD  KSC  33  downmode  to  STIN  KSC  15. 


TAL  runway  priorities  were  determined  based  on  the  site  that  provides  the  best  single-engine  coverage 
once  a  TAL  abort  has  been  selected. 
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A2-207  LANDING  SITE  SELECTION  (CONTINUED) 

B.  AOA  PRIORITIES  ®[1 02402-5804C] 

NOTE:  AOA  PRIORITIES  ARE  MODIFIED  BY  INCLINATION.  AT 

28.5  AND  39  DEGREE  INCLINATIONS,  ALL  AOA  SITES 
ARE  AVAILABLE  FOR  SELECTION.  AT  57  DEGREES, 
ONLY  NOR  IS  AVAILABLE,  AND  AT  51.6  DEGREES,  NOR 
AND  KSC  ARE  AVAILABLE.  @[0201 96-1 802A] 

1.  EDWARDS  22/04 

2  .  KSC 

3 .  NORTHRUP 


Since  AOA  landings  are  typically  heavyweight,  the  Edwards  complex  provides  more  margin  in  the  event 
of  landing/rollout  or  vehicle  energy  problems.  For  high  inclination  missions,  Northrup  may  be  the  only 
AOA  landing  site  available  due  to  the  large  crossrange  required  to  land  at  Edwards  or  KSC.  ( ref.  Rule 
I A4-107 j,  PLS/EOM  LANDING  OPPORTUNITY  REQ  UIREMENTS).  ®[i  1 1 094-1 622B] 

C.  EOM  PRIORITIES 

1  .  KSC 

2.  EDWARDS  22/04 

3 .  NORTHRUP 

Due  to  the  advantages  in  vehicle  turnaround,  the  Space  Shuttle  Program  has  directed  that  nominal  end 
of  mission  (EOM)  landings  utilize  KSC  as  the  first  priority  landing  site. 

After  KSC,  next  in  the  EOM  runway  selection  priority  is  Edwards,  because  of  the  availability  of  the 
concrete  runway  and  because  of  the  significant  vehicle  post  landing  and  turnaround  operations 
capabilities.  NOR  is  generally  last  priority,  because  although  it  provides  an  excellen  t  orbiter 
landing  site  ( laser-leveled  runways,  crossing  runways,  significant  runway  lateral  and  longitudinal 
margin,  all  required  landing  aids  and  NAVAIDS  for  day  and  night,  etc.),  the  ability  to  support  the 
orbiter  systems  postlanding  and  for  turnaround/ferry  operations  is  much  reduced  as  compared  to 
KSC  or  Edwards,  resulting  in  the  potential  for  significant  (several  weeks)  shuttle  schedule/manifest 
impacts.  ®[1 02402-5804C] 

Reference  Rule  { A4-109J ,  DEORBIT  PRIORITY  FOR  EOM  WEATHER. 

Reference  Rule  (A2-202J,  EXTENSION  DAY  GUIDELINES,  for  cases  where  the  PLS  is  NO-GO. 
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A2-207  LANDING  SITE  SELECTION  (CONTINUED) 

D.  SYSTEMS  FAILURE  PRIORITIES  [1  ]  [3  [5]  [6]  ®[1 02402-5804C] 

FOR  SYSTEMS  FAILURES  THE  LANDING  SITE  PRIORITY  SHALL  FOLLOW 
THE  EOM  PRIORITIES.  CONSIDERATION  WILL  BE  GIVEN  TO  THE 
FOLLOWING  EXCEPTIONS: 


SYSTEM  FAILURES  [1] 

PRIORITY 

1  OR  2  APU/HYD  SYSTEMS 

LANDING  SITES  WITHIN  SINGLE  APU  WX  PLACARDS 

[2] 

2  IMU’S 

EDW  22/04 

2  NORM/LAT  AA’S 

NORTHRUP 

KSC 

2  RGA’S 

2  ADTA’S 

LANDING  SITE  WITH  MOST  FAVORABLE  ATMOSPHERIC  CONDITIONS 

[4] 

2  FCS CHANNELS 
(SAME  SURFACE) 

NORTHRUP 

EDW  22/04 

KSC 

®[1 02402-5804C] 


NOTES: 

[1]  ALL  FAILURES  OCCUR  PRIOR  TO  DEORBIT  BURN. 

[2]  WX  PLACARDS  ARE  AS  FOLLOWS: 

A.  CEILING  -  GREATER  THAN  OR  EQUAL  TO  1 0K  FEET 

B.  VISIBILITY  -  GREATER  THAN  OR  EQUAL  TO  7  STATUTE  MILES 

C.  CROSSWIND  -  LESS  THAN  OR  EQUAL  TO  1 0  KNOTS  (PEAK) 

D.  NO  GREATER  THAN  LIGHT  TURBULENCE 

E.  ACCEPTABLE  ROLLOUT  MARGIN/BRAKE  ENERGY  ON  HALF  BRAKES  WITHOUT  NOSEWHEEL  STEERING 
(DIFFERENTIAL  BRAKING) 

(REF.  RULE  {A1 0-23A},  APU  ENTRY  START  TIME.)  LANDING  SITE  PRIORITY  SHALL  MINIMIZE  CROSSWINDS  AND 
TURBULENCE. 

[3]  IF  THE  PRIMARY  LANDING  SITE  IS  NO-GO  AND  IF  THE  FORECAST  CONDITIONS  ARE  PREDICTED  TO  IMPROVE, 
DEORBIT  WILL  BE  DELAYED,  IF  PRACTICAL. 

[4]  UNFAVORABLE  ATMOSPHERIC  CONDITIONS  ARE  DEFINED  AS  UPPER  LEVEL  HAC  WINDS  IN  EXCESS  OF  80 
KNOTS,  HAC  DYNAMICS  THAT  COULD  AFFECT  THE  VEHICLES  ENERGY  STATE  (I.E.,  ENERGY  DUMP  MANEUVERS), 
OR  DENSITY  ALTITUDE  AFFECTS  THAT  BIAS  THE  INDICATED  AIRSPEED.  PRESENCE  OF  ANY  OF  THESE 
CONDITIONS  INCREASES  THE  WORKLOAD  ASSOCIATED  WITH  MANUALLY  FLYING  THETA  LIMITS,  COULD  RESULT 
IN  ADDITIONAL  ENERGY  LOSS,  AND  INCREASES  THE  POSSIBILITY  OF  LANDING  FASTER  OR  SLOWER  THAN  THE 
TARGETED  AIRSPEED.  (REF.  RULE  {A8-1 1 1},  AIR  DATA  SYSTEM  MANAGEMENT). 

[5]  LIGHTED  RUNWAY  REQUIRED  AT  NIGHT. 

[6]  REFERENCE  RULE  {A2-202},  EXTENSION  DAY  GUIDELINES,  FOR  WAVE-OFF  CRITERIA.  ®[1 02402-5804C] 
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The  NEOM  landing  site  priority  of  KSC,  EDW  22/04,  NOR  is  driven  by  Space  Shuttle  Program  directive, 
based  on  the  cost  in  time  and  money  for  vehicle  turn-around.  Exceptions  to  this  standard  priority  order 
will  be  reviewed  on  a  case-by-case  basis  for  orbiter  systems  failures.  Factors  in  selecting  the  best 
landing  site  include,  but  are  not  limited  to,  weather  conditions,  runway  lateral  and  rollout  margins,  and 
touch-down  margins  for  flight  control  or  navigation  issues.  KSC  15/33  is  a  300ft  wide  grooved  concrete 
runway  with  50  ft  loadbearing  paved  shoulders  and  has  a  total  length  of  17,000 ft  including  the  1,000ft 
underrun  and  1,000ft  overrun.  The  KSC  runway  is  surrounded  by  a  non-loadbearing  grassy  area  and  a 
moat.  EDW  22/04  is  a  300ft  wide  non-grooved  concrete  runway  with  25  ft  Icikebed  material  shoulders 
that  are  not  generally  considered  loadbearing.  EDW  22/04  has  a  total  length  of  16,975 ft.  The  EDW  04 
end  has  a  1,000ft  underrun  and  an  1,800ft  overrun  with  the  possibility  of  rollout  onto  another  9,588ft 
of  prepared  Icikebed  surface.  The  EDW  22  end  has  a  1,800ft  underrun  and  no  overrun.  NOR  17/35  and 
05/23  are  300ft  wide  leveled  Icikebed  runways  with  300ft  shoulders  of  the  same  hard  mantle  material. 
Each  runway  has  a  total  length  of 39,000 ft  including  ci  12,000ft  underrun  and  12,000ft  overrun.  For 
all  runways,  the  existence  and  location  of  obstructions  in  the  shoulders  should  be  discussed  in  situations 
where  lateral  margins  are  a  factor  in  landing  site  selection.  ®[1 02402-5804C] 

The  following  cases  have  been  addressed  in  the  developmen  t  of  this  rule  (ref  AEFTP  #187): 

1  or  2  APU  HYP  SYSTEMS:  For  loss  of  ci  single  APU /hydraulic  system,  vehicle  hydraulic  capability  is 
unimpaired.  However,  loss  of  a  second  APU,  results  in  potential  system  losses  (nosewheel  steering, 
braking  capability,  control  effectiveness  at  derotcition,  etc.)  requiring  more  stringent  weather  placards  to 
assure  a  safe  landing.  If  two  APU /hydraulic  systems  are  lost,  it  is  desirable  to  provide  significant  lateral 
and  longitudinal  margins  while  providing  a  surface  that  is  hard  enough  to  cdlow  better  control  of 
derotcition  rate  in  order  to  limit  nose  gear  touchdown  loads.  Concrete  runways  provide  a  lower 
coefficient  of  friction  than  Icikebeds,  including  Northrup.  A  lower  coefficient  of  friction  reduces  the  pitch 
down  moment  and,  thus,  reduces  hydraulic  load.  With  only  one  APU  remaining  for  flight  control,  an 
evaluation  of  appropriate  weather  conditions,  including  upper  level  and  surface  winds,  is  critical  in  the 
planned  landing  site  selection  criteria.  Since  the  control  degradation  and  systems  losses  would  only  be 
apparent  with  a  single  operating  APU  during  approach  and  landing,  derotation,  and  rollout,  it  is 
prudent  to  pick  the  best  runway  within  the  stated  weather  placards.  The  stability  of  the  weather,  and 
minimizing  cross-winds  and  turbulence,  are  the  key  consideration  if  more  than  one  landing  site  is  within 
placards.  ®[i  02402-5804C] 
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A2-207  LANDING  SITE  SELECTION  (CONTINUED) 

2  IMU's,  2  NORM/LAT  AA's.  2  RGA’s:  The  IMU’s,  AA  ’s,  and  RGA  ’s  provide  feedback  to  the  orbiter 
flight  control  loops.  Specifically,  the  IMU’s  are  used  to  propagate  the  vehicle  navigation  state  vector 
and  provide  attitude  and  attitude  rate  information  to  the  flight  control  system.  Lettered  AA's  provide 
feedback  to  the  flight  control  system  to  improve  stability  during  turn  coordination  and  roll  reversals,  and 
are  used  to  provide  feedback  during  use  of  nose  wheel  steering  (NWS)  on  the  runway.  Normal  AA’s  are 
used  to  sense  normal  acceleration  (Nz)  during  TAEM  to  prevent  from  overstressing  the  vehicle’s 
structure  by  maintaining  the  pitch  angle  such  that  the  vehicle  stays  below  the  Nz  limits.  The  RGA ’s  are 
used  to  stabilize  the  flight  control  system  by  providing  high  frequency  rate  information  between  IMU  rate 
samples.  The  IMU’s,  AA ’s,  and  RGA ’s  are  used  by  the  Aerojet  DAP  during  the  EI-5  through  landing 
and  rollout  timeframe  (MM304  and  MM305).  A  critical  failure  in  one  of  these  systems  could  result  in 
degraded  vehicle  control  and/or  significan  t  energy  loss  during  the  entry  profile.  The  inten  t  of  selecting 
Edwards  22/04  as  the  primary  landing  site  is  to  provide  the  maximum  n  umber  of  contingency  energy 
downmode  options  in  the  event  the  next  LRU  fails  early  in  the  entry  profile  and  results  in  significant 
energy  loss.  Downmode  options  in  the  vicinity  of  Edwards  22/04  include  Palmdale,  China  Lake,  the 
Edwards  Icrkebed,  etc.  If  Edwards  is  not  available,  then  Northrup  provides  the  next  best  energy 
downmode  capability  because  the  Northrup  landing  site  complex  has  multiple  runways  available,  and  it 
is  collocated  with  several  other  contingency  landing  sites  ( i.  e. ,  Holloman,  etc).  If  Edwards  and  Northrup 
are  unavailable,  then  a  KSC  landing  should  be  targeted  since  the  probability  of  the  next  worst  failure  is 
low  and  it  is  the  prime  landing  site  with  significant  ground  forces  available.  ®[1 02402-5804C] 

2  APT  A 's:  The  ADTA  ’s  are  only  used  during  TAEM,  provide  altitude  data  to  navigation,  and  determine 
the  Mach  number  and  angle  of  attack  (Alpha)  for  use  by  flight  control.  This  limits  the  window  of 
exposure  for  another  ADTA  problem  to  only  the  last  portion  of  entry.  Next  worst  failures  could  include  a 
loss  of  all  cur  data  measurements  (due  to  dilemma  or  a  probe  problem).  Landing  site  selection  with  two 
ADTA ’s  failed  protects  for  landing  without  air  data.  Flying  without  air  data  requires  use  of  manual 
flying  techn  iques  (i.e.,  theta  limits).  The  level  of  difficulty  associated  with  main  tain  ing  theta  limits  and 
survivability  is  significantly  affected  by  the  atmospheric  conditions.  Av  such,  only  the  landing  site  with 
the  most  benign  atmospheric  conditions  should  be  targeted.  Unfavorable  atmospheric  conditions  that 
could  result  in  a  loss  of  con  trol,  significant  energy  loss  due  to  flying  outside  the  HAC,  or  difficulty  in 
maintaining  theta  limits  include  high  upper  level  winds  on  the  HAC  (i.e.,  winds  in  excess  of  80  knots)  or 
other  HAC  dynamics  such  as  an  energy  dump  pull-up  maneuver.  Density  altitude  effects  should  also  be 
considered  when  targeting  a  landing  site,  because  the  density  altitude  could  bias  the  indicated  airspeed 
and  result  in  a  landing  that  is  considerably  faster  or  slower  than  the  targeted  touchdown  airspeed.  This 
is  due  to  the  fact  that  the  flight  control  system  assumes  a  standard  atmosphere  as  the  default  with  no  air 
data  and  that  default  may  differ  significantly  from  the  actual  atmospheric  conditions  of  the  day  at  the 
selected  landing  site.  (Ref.  rule  {A8-1 1 1 },  AIR  DATA  SYSTEM  MANAGEMENT.)  ®[i  02402-5804C] 
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A2-207  LANDING  SITE  SELECTION  (CONTINUED) 

2  FCS  CHANNELS:  The  FCS  channels  con  trol  the  orbiter  aerosurfaces  du  ring  the  later  portion  of  entry 
once  sufficient  atmospheric  density  has  built  up  to  give  those  aerosurfaces  effective  control  authority. 

This  limits  the  window  of  exposure  of  a  next  worse  failure  ( i.e.,  a  1-on-l  force  fight,  bad  feedback  going 
into  flight  control,  etc.)  to  the  later  portion  of  entry.  Such  a  failure  could  result  in  a  control  transien  t  or 
persistent  vehicle  control  problems  that  impact  the  vehicle’s  energy  state.  Most  flights  require  a 
concrete  runway  landing  (or  equivalent  runway  hardness )  due  to  the  large  mass  moment  at  nose  gear 
touchdown.  Northrup  provides  the  most  flexibility  of  the  available  primary  landing  sites  due  to  the 
availability  of  several  runways  of  sufficient  hardness.  If  Northrup  is  unavailable,  then  Edwards  should 
be  targeted  because  it  provides  the  option  to  downmode  to  the  large  lakebed  landing  complex  in  the  event 
that  it  is  not  possible  to  reach  the  concrete  runway.  The  Edwards  lakebed  would  only  be  used  in  a 
con  tingency.  If  Edwards  and  Northrup  are  unavailable,  then  a  KSC  landing  should  be  targeted  since  the 
probability  of  the  next  worst  failure  occurring  is  low  and  KSC  is  the  prime  landing  site  with  significant 
ground  forces  available.  The  landing  site  selection  philosophy  for  FCS  channels  assumes  that  sufficient 
aft  RCS  margin  is  available  to  perform  the  entry  with  Wrap-DAP  active.  Use  ofWrcip-DAP  provides 
yaw  jet  con  trol  authority  to  fight  any  drag  that  may  be  caused  by  degraded  aerosurface  movemen  t  above 
Mach  1  (i.e.,  performing  an  entry  with  no-yaw-jet  selected  does  not  limit  window  of  exposure  to  TAEM 
because  sufficient  RCS  jet  control  authority  does  not  exist  to  fight  a  bad  aerosurface).  ®[i  02402-5804C] 

MEG  TIRE  PREDICTED  TO  BE  BELOW  THE  MINIMUM  ACCEPTABLE  PRESSURE  AT 
TOU  CHD  O  WN:  If  a  tire  pressure  is  low,  due  to  temperature  or  leakage,  such  that  sufficient  load- 
carrying  capability  of  that  tire  may  not  exist  (ref.  rule  {A10-142},  TIRE  PRESSURE  [ CIL]),  total  loss  of 
that  tire  may  occur  at  derotcition,  when  the  highest  tire  loading  is  reached.  Based  on  Northrup  hardness 
data,  Northrup  is  acceptable  for  blown  tire  cases.  However,  the  coefficient  of  friction  on  the  strut  if  both 
tires  on  a  MLGfciil  is  greater  than  at  a  concrete  runway,  indicating  that  the  vehicle  would  be  harder  to 
control  on  the  Northrup  lakebed  than  at  KSC  or  EDW  22/04.  Runway  prioritization,  consequently,  gives 
preference  to  concrete  runways.  Consideration  should  be  given  to  minimizing  crosswind  during  landing 
site  selection  to  reduce  loads  on  the  remaining  tires.  Landing  with  the  crosswind  on  the  side  of  the 
vehicle  with  the  flat  tire  will  help  reduce  loads  on  the  affected  landing  gear,  reducing  the  risk  of  blowing 
the  remaining  tire.  Loads  on  the  NLG  tires  are  low  enough  that  if  one  tire  is  failed,  the  remaining  tire  is 
not  likely  to  blow.  Loss  of  one  or  both  NLG  tires  is  not  considered  a  directional  control  problem,  since 
the  vehicle  should  be  controllable  with  differential  braking. 

NWS  FAILED  (ALL):  With  the  loss  of  NWS,  differential  braking  remains  as  the  only  method  of 
directional  control.  Sufficient  braking  system  redundancy  exists  to  accept  the  risk  of  landing  at  KSC  or 
EDW  vs.  NOR.  Consideration  should  be  given  to  minimizing  crosswind  during  landing  site  selection. 

®[1 02402-5804C] 
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E.  PREDEORBIT  LANDING  SITE  EVALUATION  ®[1 02402-5804C] 

1.  AFTER  DEORBIT  MINUS  2.5  HOURS,  IF  UNACCEPTABLE  WEATHER 
CONDITIONS  EXIST  (OBSERVED  OR  FORECAST)  OR  ENTRY 
REQUIREMENTS  CANNOT  BE  SATISFIED  (TAEM,  A/L,  TOUCHDOWN, 
ROLLOUT,  ETC.),  THE  AFFECTED  LANDING  SITE  MAY  BE 
ELIMINATED  AS  A  PRIMARY  OPTION. 

2.  AFTER  DEORBIT  MINUS  1.5  HOURS,  ONLY  A  SINGLE  LANDING  SITE 
WILL  CONTINUE  TO  BE  EVALUATED.  OTHER  LANDING  SITE 
OPTIONS  MAY  BE  REEVALUATED  IN  THE  EVENT  OF  A  DEORBIT 
WAVE-OFF . 

The  above  guidelines  will  allow  the  evaluation  of  multiple  run  ways  at  multiple  landing  sites  for  multiple 
deorbit  opportunities  without  significantly  compromising  the  required  evaluation  of  the  actual  runway 
where  landing  will  occur.  It  is  always  prudent  to  eliminate  landing  site/runway  options  as  they  become 
unlikely  to  remain  within  limits  .  This  is  especially  true  after  deorbit  minus  2.5  hours,  the  standard  time 
at  which  deorbit  pads  will  be  voiced  to  the  crew.  Up  until  deorbit  minus  1.5  hours,  sufficient  time  is 
available  to  evaluate  multiple  landing  sites  for  the  nominal  deorbit  as  well  as  preliminary  evaluation  of 
landing  sites  on  the  next  deorbit.  Due  to  multiple  wind  sets,  landing  sites,  runways,  aimpoints,  etc.  being 
evaluated,  a  toted  team  focus  on  the  primary  runway  on  the  last  orbit  prior  to  deorbit  is  necessary. 

Rules  (A2-102J,  MISSION  DURATION  REQUIREMENTS,  and  (A2-6J,  LANDING  SITE  WEATHER 
CRITERIA  [ HC ],  reference  this  rule. 
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A2-208 

ACES  PRESSURE  INTEGRITY  CHECK  @[012402-5089] 

DEORBIT  WILL  NOT  BE  DELAYED  FOR  FAILURE  OF  ANY  ADVANCED  CREW 
ESCAPE  SUIT  (ACES)  PRESSURE  INTEGRITY  CHECK. 

ACES  pressure  integrity  is  not  required  for  the  present  bailout  scenario.  In  addition,  beyond  verifying 
the  proper  connections,  there  is  little  that  the  crew  could  do  during  flight  to  locate  the  source  of  a  leak  in 
an  ACES  or  to  repair  it.  @[012402-5089  ] 
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A2-209  LANDING  SITE  SELECTION  FOR  AN  INFLIGHT  EMERGENCY 

A.  AN  INFLIGHT  EMERGENCY  WILL  BE  DECLARED  AND  AN  ATTEMPT  WILL  BE 
MADE  TO  PERFORM  AN  EMERGENCY  LANDING  IF  A  LANDING  AT  THE 
TARGETED  SITE  IS  IMPOSSIBLE.  ®[1 20894-1 744B] 

NOTE:  THE  DETERIORATION  OF  WEATHER  (WINDS,  TURBULENCE, 

CEILING,  PRECIPITATION,  ETC.)  AND/OR  LANDING  AND 
ROLLOUT  MARGINS,  WHICH  RESULT  IN  FLIGHT  RULE 
EXCEEDANCES  POST-DEORBIT  BURN,  ARE  NOT  CAUSE  TO 
REDESIGNATE  FROM  THE  TARGETED  SITE. 

B.  LANDING  WILL  BE  ATTEMPTED  AT  AN  EMERGENCY  LOCATION  THAT  MEETS 
THE  FOLLOWING  CRITERIA: 

1.  THE  LANDING  FIELD  IS  WITHIN  THE  ENERGY  CAPABILITY  OF  THE 
ORBITER  AS  DEFINED  IN  RULE  {A2-251},  BAILOUT. 

2.  THE  LANDING  FIELD  FACILITIES  SATISFY  THE  REQUIREMENTS 
DOCUMENTED  IN  RULE  {A2-264},  EMERGENCY  LANDING  FACILITY 
CRITERIA. 

C.  TIME  PERMITTING,  WITH  MULTIPLE  SITES  OF  SIMILAR  ENERGY 
CAPABILITY,  SELECTION  OF  THE  EMERGENCY  LANDING  FIELD  WILL  BE 
BASED  ON  THE  FOLLOWING  PRIORITY: 

1.  ANOTHER  NASA  AUGMENTED  LANDING  SITE 

2.  A  DOD  AIRFIELD  WITH  COMPATIBLE  SHUTTLE  UHF  COMMUNICATIONS 

3.  A  DOD  AIRFIELD  WITHOUT  COMPATIBLE  SHUTTLE  UHF 
COMMUNICATIONS 
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A2-209  LANDING  SITE  SELECTION  FOR  AN  INFLIGHT  EMERGENCY 

(CONTINUED) 

4.  A  COMMERCIAL  AIRFIELD  WITH  COMPATIBLE  SHUTTLE  UHF 
COMMUNICATIONS 

5.  A  COMMERCIAL  AIRFIELD  WITHOUT  COMPATIBLE  SHUTTLE  UHF 
COMMUNICATIONS 

Should  orbiter  or  facility  problems  be  encountered  which  make  landing  at  the  designated  NASA  landing 
field  impossible,  the  actions  to  be  taken  are  identified  in  order  of  priority  in  an  attempt  to  save  the  crew 
and  orbiter  (national  resource),  while  at  the  same  time  minimizing  public  exposure  to  additional  risk. 
During  entry  should  the  need  arise,  an  “inflight  emergency”  (as  declared  by  all  aircraft  if  in  trouble ) 
will  be  declared,  and  a  landing  at  an  ELS  will  be  attempted  if  energy  is  sufficient  to  reach  the  landing 
site  (reference  Rule  {A2-251  j,  BAILOUT )  and  the  facility  meets  the  minimum  requirements  (reference 
Rule  (A2-264),  EMERGENCY  LANDING  FACILITY  CRITERIA).  ®[i  20894-1 744B] 

Weather  forecasts  for  shuttle  landings  are  made  by  well-trained,  experienced  meteorologists  with  the 
best  tools  available  and  within  90  minutes  of  landing.  At  the  A/E  FTP  #73,  the  results  of  a  multimonth 
study  of  forecasting  accuracy  showed  that  these  forecasts  were  extremely  accurate  and  in  the  very  small 
percentage  of  cases  where  a  GO  prediction  turned  into  a  NO-GO  situation,  the  violations  were  minor 
and  survivable.  It  is  inconceivable  that  these  forecasts  would  be  in  error  by  a  degree  that  would  entail 
greater  risk  by  continuing  to  the  landing  site  than  would  be  incurred  by  diverting  to  an  emergency  field 
with  its  lack  of  facilities,  navigation  aids,  trained  personnel,  and  flightcrew  familiarity. 

Diverting  from  the  targeted  site  will  not  be  done  just  for  deteriorating  weather  conditions  which  will 
violate  weather  flight  rules  or  landing  and  rollout  margin  reductions.  We  will  accept  the  nonoptimum 
conditions  rather  than  divert  to  another  site  since  it  is  believed  that  this  option  provides  less  risk  to  the 
orbiter  and  crew  as  well  as  the  general  public.  ®[1 20894-1 744B] 

Should  it  be  necessary  to  divert  from  the  primary  landing  field,  another  NASA  augmented  landing  field 
will  be  selected  if  available.  Otherwise,  site  selection  will  be  based  on  facility  type  (DOD  uv  commercial ) 
and  the  availability  of  compatible  shuttle  UHF  communications.  The  facility  priority  has  been  selected 
to  minimize  risk  to  the  general  public.  ®[1 20894-1 744B] 

A2-210  THROUGH  A2-250  RULES  ARE  RESERVED 
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A2-251  BAILOUT 

A.  THE  CDR  IS  RESPONSIBLE  FOR  BAILOUT  ACTION. 

B.  THE  MCC  WILL  EVALUATE  ALL  POSSIBLE  ENERGY  MANAGEMENT  ACTIONS 
PRIOR  TO  RECOMMENDING  BAILOUT.  ®[1 20894-1 744B] 

C.  THE  FOLLOWING  DEFINITIONS  APPLY  TO  THE  BAILOUT  REGIONS 
DEFINED  BELOW: 

1.  MCC  MAX  RANGE  LINE:  THIS  LINE  IS  GENERATED  ON  LANDING 
DAY  AND  BASED  ON  A  STRAIGHT-IN  APPROACH  TO  THE  MINIMUM 
ENTRY  POINT  HAC,  WITH  MAXIMUM  L/D  STRETCH  TECHNIQUES  AND 
ACTUAL  WINDS  AND  ATMOSPHERIC  CONDITIONS. 

2.  MCC  RTLS  MINIMUM  ENERGY  LINE:  THIS  LINE  IS  GENERIC  FOR 
ALL  FLIGHTS  AND  ASSUMES  A  FORWARD  CG,  MID-WEIGHT, 
HEAVYWEIGHT  I-LOADS,  COLD  ATMOSPHERE,  AND  NO  WINDS. 

3.  MCC  BAILOUT  LINE:  THIS  LINE  IS  GENERIC  FOR  ALL  FLIGHTS 
AND  REPRESENTS  A  BEST-ON-BEST  MAXIMUM  CAPABILITY,  BASED 
ON  3  SIGMA  FAVORABLE  WINDS,  MAXIMUM  HAC  SHRINK,  AND 
MAXIMUM  ORBITER  L/D. 

D.  AN  MCC  BAILOUT  RECOMMENDATION  WILL  BE  MADE  BASED  ON  THE 
FOLLOWING  CRITERIA,  USING  THE  BEST  AVAILABLE  SITE,  RUNWAY, 
AND  STATE  VECTOR  SOURCE,  AND  WITHOUT  REGARD  TO  TOUCHDOWN, 
BRAKE  ENERGY  AND  ROLLOUT  MARGIN  PLACARDS: 
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A2-251  BAILOUT  (CONTINUED) 

1.  GREEN:  BAILOUT  NOT  REQUIRED  (CALL  ONLY  REQUIRED  IF 
TRANSITIONING  FROM  THE  "YELLOW"  REGION) . 

a.  EOM  LANDINGS:  ORBITER  ENERGY/WEIGHT  ABOVE  THE  MAX 
RANGE  LINE. 

b.  ALL  OTHER  LANDINGS:  ORBITER  ENERGY/WEIGHT  ABOVE  THE 
MCC  RTLS  MINIMUM  ENERGY  LINE.  ®[1 20894-1 744B] 

2.  YELLOW:  BAILOUT  IF  DEEMED  NECESSARY  BY  THE  CDR;  MCC 
CONTINUES  TO  MONITOR.  ®[1 20894-1 744B] 

a.  EOM  LANDINGS:  ORBITER  ENERGY/WEIGHT  BELOW  THE  MAX 
RANGE  LINE  AND  ABOVE  THE  MCC  BAILOUT  LINE. 

b.  ALL  OTHER  LANDINGS:  ORBITER  ENERGY/WEIGHT  BELOW  THE 
MCC  RTLS  MINIMUM  ENERGY  LINE  AND  ABOVE  THE  MCC 
BAILOUT  LINE. 

3.  RED:  MCC  RECOMMENDS  BAILOUT. 

ORBITER  ENERGY/WEIGHT  BELOW  THE  MCC  BAILOUT  LINE. 

E.  IF  POSSIBLE,  BAILOUT  WILL  BE  DECLARED  NO  LOWER  THAN  50K  FT 
ALTITUDE  ( 7  OK  FT  FOR  ECAL)  . 
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A2-251  BAILOUT  (CONTINUED) 

F.  NORMALLY,  ZERO  DEGREES  OF  BANK  WILL  BE  USED  FOR  BAILOUT 
GUIDANCE  "FREEZE"  CONDITIONS.  HOWEVER,  THE  MCC  MAY  PROVIDE  A 
DESIRED  BANK  ANGLE  (UP  TO  10  DEG)  IF  REQUIRED  TO  AVOID 
ORBITER  IMPACT  IN  POPULATED  AREAS. 

G.  IF  BAILOUT  IS  DECLARED  FOR  ECAL,  A  TURN  SHALL  BE  EXECUTED  TO 
A  HEADING  OF  120  DEG,  UNLESS  FDO  DETERMINES  IN  REAL  TIME  A 
HEADING  MORE  FAVORABLE  FOR  SAR  OPERATIONS  (E.G.,  PARALLEL  THE 
COAST,  ETC.) 

Reference  Rule  (A1-6J,  SHUTTLE  COMMANDER  AUTHORITY,  for  CDR  responsibilities. 

The  MCC  has  more  accurate  evaluation  tools  with  which  to  determine  energy  capability  and  uses  radar 
tracking  data  ( when  available)  as  the  prime  state  vector  source.  All  energy  management  and  recovery 
procedures  will  be  evaluated  prior  to  any  bailout  recommendation  being  issued  by  the  MCC.  Three 
bailout  zones,  green,  yellow,  and  red,  have  been  identified  for  MCC  bailout  recommendation,  based  on 
areas  delineated  on  FDO  Energy fW eight  versus  Rcmge-to-go  displays. 

The  bailout  green  zone  is  defined  as  that  area  above  the  MCC  maximum  ranging  capability  line  which  is 
generated  for  EOM  on  landing  day,  based  on  a  straight-in  approach  to  the  minimum  entry  point  HAC, 
with  maximum  L/D  stretch  techniques  and  actual  winds  and  atmospheric  conditions.  For  all  other  cases, 
this  flight  and  landing  day-specific  actual  capability  line  does  not  exist,  and  the  MCC  RTLS  minimum 
energy  line  will  be  used.  This  line  is  generic  for  all  flights  and  assumes  a  forward  CG,  mid-weight, 
heavyweight  I-loads,  cold  atmosphere,  and  no  winds.  These  two  lines  generally  lie  very  close  together. 

In  the  green  region,  bailout  is  not  required.  A  green  zone  call  is  not  made  unless  the  vehicle  has 
recovered  from  the  yellow  zone  below.  ®[1 20894-1 744B] 

THIS  RULE  CONTINUED  ON  NEXT  PAGE 


VOLUME  A  11/21/02  FINAL,  PCN-1  FLIGHT  OPERATIONS  2-236 

Verify  that  this  is  the  correct  version  before  use. 


NASA  -  JOHNSON  SPACE  CENTER 


FLIGHT  RULES 


A2-251  BAILOUT  (CONTINUED) 

The  bailout  yellow  zone  is  defined  as  that  area  below  the  MCC  maximum  ranging  capability  line, 
described  above  (again,  when  a  max  range  line  is  not  available,  the  generic  MCC  RTLS  minimum 
energy  line  will  be  used),  but  above  the  MCC  bailout  line.  The  bailout  line  is  generic  for  all  flights  and 
represents  a  best-on-best  maximum  capability,  based  on  3  sigma  favorable  winds,  maximum  HAC  shrink, 
and  maximum  orbiter  L/D.  In  this  region,  the  a  “bailout  yellow  zone”  call  will  be  made.  Requests  are 
likely  to  be  made  for  runway/HAC  redesignation,  stretch  techniques,  arid  relaxation  ofNZ,  surface  wind, 
touchdown  point,  and  rollout  margin  constraints  to  increase  available  runways.  Below  the  maximum 
ranging  capability  line,  there  is  less  than  a  50  percent  chance  of  reaching  the  field.  In  this  region,  the 
MCC  will  only  advise  the  crew  of  the  energy  situation  and  continue  to  monitor  their  progress  in  making 
up  the  energy  shortfall.  A  final  bailout  decision  is  the  CDR’s  call.  ®[1 20894-1 744B] 

The  bailout  red  zone  is  defined  as  that  area  below  the  MCC  bailout  line  described  above.  In  this  region, 
there  is  no  chance  of  reaching  the  runway  threshold  and  the  MCC  will  recommend  bailout.  To  provide 
adequate  time  for  bailout  operations,  bailout  will  be  declared  at  an  altitude  no  lower  than  50Kft,  if 
possible.  For  ECAL  trajectories,  70Kft  is  used  to  allow  adequate  time  to  execute  a  maximum  turn  of 
180  deg  prior  to  initiating  bailout,  thus  ensuring  bailout  over  water. 

The  MCC  will  recommend  a  bank  angle  in  order  to  improve  recovery  effectiveness  or  to  steer  away  from 
populated  areas.  Analysis  has  shown  that  a  bank  angle  of  greater  than  10  deg  can  cause  the  vehicle  to 
turn  a  full  360  deg  of  heading  with  impact  occurring  in  the  crew  bailout  landing  area.  If  bailout  is 
required  during  an  ECAL,  a  turn  to  a  standard  heading  of  120  deg  will  be  made  to  avoid  orbiter  land 
impact  and  to  provide  search  and  rescue  (SAR)  forces  with  a  consistent  heading  with  which  to  begin 
rescue  operations,  un  less  the  FDO  can  determine  a  more  favorable  heading  based  on  knowledge  of  the 
positions  and  poten  tial  ranging  capability  of  the  SAR  forces.  ®[1 20894-1 744B] 


A2-252  GCA  CRITERIA 

IF  THE  TRAJECTORY  DIVERGES  AND  APPROACHES  ENERGY  LIMITS  POST¬ 
TRACKING,  CSS  WILL  BE  SELECTED  AND  GCA  PERFORMED.  AUTO  GUIDANCE 
WILL  BE  RESELECTED  WHEN  ENERGY  AND  NAVIGATION  ARE  WITHIN  LIMITS, 
THE  GCA  WILL  ALSO  BE  TERMINATED  WHEN  THE  CREW  TAKES  OVER  AFTER 
VISUAL  ACQUISITION  OF  THE  RUNWAY.  @[120894-1663] 


Generally,  the  entry  trajectory  can  get  into  an  off-nominal  emergency  situation  by  (1)  incorporating 
erroneous  navigation  data  into  guidance  and  flight  control,  and  (2)  selecting  an  incorrect  or  invalid 
landing  site.  Performing  GCA  provides  a  possibility  of  making  the  runway. 
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A2-253  ENERGY  MANAGEMENT 

IF  INSUFFICIENT  OR  EXCESS  ENERGY  EXISTS  TO  ACHIEVE  THE  TARGETED 
APPROACH  TO  THE  SELECTED  RUNWAY,  THE  FOLLOWING  OPTIONS  WILL  BE 
EVALUATED  FOR  CORRECTION  OF  THE  ENERGY  ERROR. 

A.  OVERHEAD/STRAIGHT-IN  HAC  RESELECTION 

B.  NOMINAL/MINIMUM  ENTRY  POINT  SELECTION 

C.  RUNWAY  REDESIGNATION  -  MAY  RESULT  IN  VIOLATION  OF  TOUCHDOWN, 
BRAKING,  AND/OR  ROLLOUT  MARGIN  CONSTRAINTS 

D.  GROUND  CONTROLLED  APPROACH  (GCA) 

Several  options  are  available  to  correct  a  bad  energy  situation.  These  options  include  HAC  reselection 
(overhead/straight-in),  runway  redesignation,  final  approach  entry  point  downmoding  (NEP/  MEP),  or 
GCA.  No  action  will  be  recommended  until  data  shows  that  the  energy  error  is  large  enough  that  the 
prime  selected  runway/HAC  cannot  be  achieved  or  will  cause  the  vehicle  to  exceed  H-dot  or  g-Iimits 
while  following  auto  guidance. 

Runway  redesignation  or  HAC  reselection  are  both  very  powerful  methods  of  changing  the  required 
range-to-go  (energy  requirements).  These  two  methods  are  preferred  since  valid  guidance  commands 
are  available.  Runway  redesignation  may  be  recommended  over  HAC  reselection,  based  on  the  amount 
of  energy  correction  required.  The  approach  direction  relative  to  the  run  way  layout  will  define  which  is 
the  most  effective  option  for  correcting  the  energy  error  (range  error).  Redesignation  may  result  in 
selection  of  a  runway  which  violates  some  of  the  touchdown,  rollout,  or  brake  energy  constraints. 
Reaching  the  runway  final  approach  within  an  acceptable  energy  corridor  has  priority  over  satisfying 
the  touchdown  and  rollout  constraints.  All  efforts  will  be  made  to  redesignate  to  runways  which  satisfy 
the  touchdown  and  rollout  criteria. 

Downmoding  the  final  approach  entry  point  (NEP  to  MEP)  does  provide  valid  guidance  commands; 
however,  the  MEP  selection  greatly  reduces  the  amount  of  time  available  for  trajectory  corrections  on 
final  approach.  (NEP  intercepts  final  approach  at  approximately  12Kfeet;  MEP  is  at  approximately  6K 
feet.)  Once  each  of  the  above  options  has  been  evaluated  and  excessive  energy  error  persists,  a  GCA 
will  be  required.  The  GCA  may  include  HAC  or  runway  reselection  and  will  require  action  outside  of 
the  current  guidance  capability  in  order  to  correct  the  range  error. 
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A2-254  ENTRY  STRING  REASSIGNMENT 

A.  PRIOR  TO  MM  304,  RESTRINGING  WILL  BE  PERFORMED  TO  REGAIN  FULL 
CAPABILITY  FOLLOWING  A  GPC  FAILURE. 

The  timeframe  between  post-deorbit  burn  and  the  transition  to  MM  304  is  generally  quiet  from  a 
computer  point  of  view  and  crew  workload.  As  such,  the  risk  of  restringing  is  considered  to  be  low. 
Consequently,  restringing  will  be  performed  to  regain  full  capability  for  the  dynamic  phases  of  entry 
(MM  304/305). 

B.  RESTRING  GPC/STRING  COMBINATIONS  WILL  BE  SELECTED  WHICH 
MOVE  THE  LEAST  NUMBER  OF  STRINGS  WHILE  SATISFYING  CRITICAL 
CAPABILITY  OR  ONE-FAULT  TOLERANT  REQUIREMENTS  AS  IDENTIFIED 
IN  PARAGRAPH  C. 

The  greater  the  number  of  strings  moved  during  a  restring  attempt,  the  more  complicated  the  restring 
process.  With  this  in  mind,  “good”  strings  should  not  be  taken  from  “good”  GPC’s  unless  there  is  no 
other  method  of  satisfying  the  identified  requirements  in  orbiter  systems. 

C.  DURING  ENTRY/GRTLS  (MM  304,  305,  602,  AND  603),  RESTRINGING 

WILL  BE  PERFORMED  AS  FOLLOWS  (TIME  PERMITTING)  TO  REGAIN  THE 
FOLLOWING  CRITICAL  SYSTEMS  CAPABILITY: 

Certain  systems  capabilities  are  required  to  be  maintained  for  safety  considerations  where  the  BFS 
cannot  provide  additional  systems  capability. 

1.  NOSE  WHEEL  STEERING  (FOR  RTLS/TAL/AOA  (KSC)  OR  ANY  SITE 
WITH  KNOWN  DIRECTION  CONTROL  PROBLEMS) . 

NWS  is  required  to  maintain  lateral  control  during  rollout  at  landing  sites  where  the  lateral  runway 
environment  is  limited.  BFS  engage  at  touchdown  to  recover  NWS  is  an  option.  However,  it  was 
determined  to  attempt  restring  during  entry  to  regain  NWS  and  accept  risk  of  BFS  engage  as  a  result 
of  the  restring  instead  of  nominally  engaging  the  BFS  for  this  case  at  NGTD.  Reference  Rule  (A10- 
141A},  NOSE  WHEEL  STEERING  (NWS),  for  NWS  directional  control  requirements. 
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A2-254  ENTRY  STRING  REASSIGNMENT  (CONTINUED) 

2.  ASA  COMMAND  (MAINTAIN  TWO  ELEVON,  RUDDER,  AND  SPEEDBRAKE; 

MAINTAIN  ONE  BODY  FLAP) . 

Two  elevon,  rudder,  and  speedbrake  FCS  command  channels  (each  of  which  have  four  command 
channels)  are  required  since  flying  with  only  one  FCS  channel  on  an  actuator  is  an  uncertified  flight 
control  mode.  Only  one  of  three  body  flap  command  channels  is  required  to  maintain  acceptable  drive 
capability.  Control  may  be  available  long  enough  to  allow  restring  procedures  to  be  completed  to 
regain  the  required  FCS  channels  rather  than  defaulting  over  to  the  BFS. 

3 .  VENT  DOORS : 

a.  FORWARD/AFT  VENT  DOORS  IF  REQUIRED  TO  REGAIN  THE 
CAPABILITY  TO  OPEN  AT  LEAST  ONE  SIDE  OF  THE  FWD  AND 
AFT  COMPARTMENTS  FOR  SUFFICIENT  VENTING. 

Data  presented  at  the  Ascent/Entry  Flight  Techniques  Panel  (A/E  FTP)  #43  (August  1988)  showed  that 
adequate  venting  margins  could  be  main  tained  if  at  least  one  side  of  the  forward  and  aft  compartmen  ts  is 
opened  by  70,000 feet  altitude.  Failures  resulting  in  loss  of  open  capability  on  both  sides  of  the  forward 
or  aft  compartmen  ts  would  result  in  structured  failure  and  loss  of  crew/vehicle.  Therefore,  a  critical  bus 
reassignment  prior  to  or  at  TAEM  to  regain  the  open  capability  on  at  least  one  side  should  be 
performed,  when  applicable. 

b.  MIDBODY  VENT  DOORS:  ®[051 1 94-1 586A] 

(1)  FOR  LOSS  OF  MORE  THAN  TWO  MIDBODY  VENT  DOORS 
OR 

(2)  FOR  LOSS  OF  OPPOSING  MIDBODY  VENT  DOORS 

JSC  Engineering  presented  a  venting  analysis  of  the  modified  vent  door  configuration  (vents  4  and  7 
deleted)  at  the  A/E  FTP  #87  (February  1992).  The  data  showed  that  positive  structured  margins  exist  for 
a  nominal  entry  trajectory,  even  after  two  midbody  vent  doors  have  failed  closed.  This  analysis  was 
performed  only  for  scenarios  that  could  result  from  two  electrical/avionics  failures.  Because  opposite 
vent  door  failures  (i.e.,  left/right  5)  require  more  than  two  failures,  they  were  not  specifically  analyzed, 
but  to  assure  adequate  venting,  a  restring  should  be  performed.  JSC  Engineering  also  presented  data 
which  suggested  that  opposite  forward  and  aft  compartment  vent  doors  are  redundant  to  each  other  in 
providing  adequate  ven  ting  for  a  nominal  entry.  ®[051 1 94-1 586A] 
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A2-254  ENTRY  STRING  REASSIGNMENT  (CONTINUED) 

The  A/E  FTP  # 87  members  concluded  that  a  critical  bus  reassignment  should  only  be  performed  after 
loss  of  more  than  two  midbody  vents  has  occurred  for  either  vehicle  configuration.  Restringing  for  these 
cases  provides  the  most  pruden  t  ven  ting  management  plan,  trading  the  effects  of  a  poten  tially  dispersed 
entry  trajectory  with  the  potential  risks  of  a  dynamic  restring  of  flight-critical  buses. 

4.  MPS  LH2  MANIFOLD  ENTRY  PRESSURIZATION  (FOR  RTLS/TAL) . 

@[022802-5221  ] 

There  is  insufficien  t  time  on  RTLS  and  TAL  entries  to  dump  all  hydrogen  from  the  Main  Propulsion 
System  (MPS)  LH2  manifold.  The  pressurization  of  the  LH2  manifold  with  helium  prevents  air  from 
being  ingested  into  the  manifold  during  entry.  The  loss  of  this  helium  pressurization  will  result  in  the 
creation  of  cm  explosive  mixture  in  the  LH2  manifold  as  air  is  ingested  and  mixes  with  the  hydrogen 
residuals.  Although  difficult  to  quantify,  the  hazard  to  the  flight  crew  from  an  explosive  mixture  in  the 
MPS  LH2  manifold  represents  cm  unnecessary  risk.  At  the  A/E  FTP  # 168  ( October  27,  2000),  it  was 
decided  that  the  recovery  technique  for  the  loss  ofLH2  manifold  pressurization  could  be  a  switch  throw, 
temporary  port  mode  (to  latch  the  LH2  manifold  pressurization  commands),  or  restring.  In  general,  a 
switch  throw  will  be  attempted  before  a  port  mode,  which  will  be  attempted  before  a  restring;  however, 
the  recovery  technique  used  will  depend  upon  the  specific  flight  phase  and  failure  scenario  present  in  the 
orbiter.  @[022802-5221  ] 

D.  RESTRINGING  WILL  NOT  BE  PERFORMED  WITHOUT  PRIOR  MCC 
COORDINATION. 

The  MCC  is  prime  for  determin  ing  when  restringing  is  required  as  a  result  of  mu  ltiple  failures  and  the 
resulting  GPC/string  assignments  required  to  satisfy  critical  capability  and  systems  fault  tolerance  as 
iden  tified  in  the  preceding  rules.  The  MCC  is  prime  for  determin  ing  the  acceptability  of  restringing 
based  upon  the  failure  signature  and  conditions  and  for  determining  cm  acceptable  data  bus 
reassignmen  t  configuration.  As  a  min  imum,  voice  description  of  the  failu  re  and  identification  of  the 
proposed  bus  reassignment  must  be  coordinated  with  the  MCC  prior  to  performing  any  restring. 

E.  FOR  A  SINGLE  GPC  FAILURE,  RESTRINGING  WILL  NOT  BE  PERFORMED 
AFTER  El  MINUS  5  MINUTES. 

El  minus  5  minu  tes  was  selected  as  the  last  time  for  which  restringing  would  be  performed  as  a  result  of 
a  single  GPC  failure  in  order  to  allow  recovery  time  prior  to  El  to  regain  PASS  capability  should  the 
restring  be  unsuccessful. 
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A2-254  ENTRY  STRING  REASSIGNMENT  (CONTINUED) 

F.  RESTRINGING  WILL  NOT  BE  PERFORMED  AFTER  HAC  INTERCEPT. 

Crew  workload  increases  after  HAC  acquisition  as  concentration  is  directed  towards  the  immediate 
landing  tasks.  Restringing  will  not  be  performed  during  this  timeframe  so  as  not  to  divert  crew  attention 
away  from  the  critical  landing  phase  tasks.  Although  no  fault  tolerance  exists,  the  exposure  to  the  next 
failure  is  minimized  since  the  time  between  HAC  intercept  and  touchdown  is  relatively  short. 

G.  RESTRINGING  WILL  BE  PERFORMED  TO  REGAIN  CRITICAL  CAPABILITY 
INDEPENDENT  OF  THE  BFS  STATUS.  FOR  CASES  WHERE  RESTRINGING 
IS  ACCEPTABLE  TO  REGAIN  FAULT  TOLERANCE  (REF.  PARAGRAPH  A), 
AN  ENGAGEABLE  BFS  MUST  BE  AVAILABLE. 

The  BFS  is  normally  required  when  restringing  is  performed  as  a  precaution  against  the  low  probability 
occurrence  that  the  restring  action  may  result  in  loss  of  the  PASS  set.  However,  when  the  vehicle  has 
sustained  failures  such  that  less  than  critical  capability  remains  (a  capability  which  must  be  maintained 
or  a  loss  of  crew/vehicle  will  result),  restringing  will  be  performed  to  regain  the  needed  capability 
independent  of  the  BFS  status  in  order  to  main  tain  the  flying  status  of  the  orbiter. 

If  the  BFS  is  not  available  and  less  than  critical  capability  remains,  restring  is  allowed  to  recover  the 
PASS  capability  to  con  trol  the  orbiter.  If  the  BFS  is  available  and  conditions  are  such  that  either  a  BFS 
engage  or  a  dynamic  restring  will  recover  the  critical  capability,  restring  will  be  attempted  if  time 
permits  completion  of  the  restring  while  still  maintaining  the  BFS  engage  option. 

Rules  {A2-5j,  PORT MODING/RESTRINGING  GUIDELINE;  {A5-209},  ENTRY MPS  HELIUM 
PURGING  FOR  CRITICAL  VEHICLE  POWER/COOLING;  {A7-6},  DATA  PATH  FAILURE;  {A7-102J, 
PASS  DATA  BUS  ASSIGNMENT  CRITERIA;  {A7-105},  MDM  PORT  MODING;  {A7-52J, 
ASCENT/ENTRY  BFS  MANAGEMENT  GUIDELINES;  and  {A10-25},  APU  HIGH  SPEED 
SELECTION/SHIFT  reference  this  rule.  @[022802-5221  ]  ®[ED  ] 
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A2-255  CREW  TAKEOVER 

CREW  TAKEOVER  (DOWNMODING  FROM  AUTO  TO  CSS)  PRIOR  TO  NOMINAL 
TAKEOVER  ALTITUDE  WILL  BE  PERFORMED  FOR  THE  FOLLOWING  REASONS 
ONLY  (REF.  RULE  {A4-208},  ENTRY  TAKEOVER  RULES): 

A.  TO  AVOID  LOSS  OF  CONTROL  OF  THE  VEHICLE. 

B.  TO  PRESERVE  THE  TRAJECTORY  WITHIN  THE  TARGETED  RUNWAY  LANDING 
CAPABILITY. 

Whenever  the  crew  must  override  the  guidance  limitations  to  maintain  adequate  energy  capability  for 
reaching  the  prime  selected  runway,  the  CSS  mode  must  be  selected.  Whether  under  GCA  control  or 
manually  flying  with  visual  assistance,  the  crew  must  select  CSS  and  bypass  the  onboard  guidance 
commands. 

C.  DELTA  STATE  UPDATES: 

1.  ANY  POSITION  AND  VELOCITY  DELTA  STATE. 

2.  A  POSITION-ONLY  DELTA  STATE  BETWEEN  M5  AND  TAEM  (M2 . 5  FOR 
EOM/AOA,  M3. 2  FOR  RTLS) . 

CSS  mode  is  required  for  all  position/velocity  delta  states  to  avoid  severe  attitude  transients  once  the 
onboard  NAV  is  updated.  For  OPS  3  position-only  delta  states  between  M5  and  TAEM,  CSS  must  be 
selected  to  avoid  strong  attitude  transients.  MM  304  entry  guidance  will  very  aggressively  attempt  to 
remove  energy  errors  by  TAEM  interface  (M2. 5).  Above  M5,  the  guidance  has  more  time  to  correct 
energy  errors.  Therefore,  position  delta  states  above  M5  should  not  cause  severe  transients.  After  the 
energy  has  converged  close  to  nominal,  the  crew  can  reselect  auto.  GRTLS  guidance  is  not  as 
aggressive  as  OPS  3  guidance  in  removal  of  energy  errors  by  TAEM  in  terface  (M3. 2).  @[052401 -4524A] 

D.  GPS  NAVIGATION  UPDATES  WHEN  PERFORMED  AS  AN  ALTERNATIVE  TO 
DELTA  STATE  UPDATES. 

Once  GPS  state  vector  accuracy  has  been  confirmed  with  ground  filter  solutions,  a  GPS  update  is 
preferred  over  the  delta  state  update  process  to  correct  onboard  navigation  errors  that  exceed  flight  rule 
limits.  Metering  logic,  which  limits  the  updates  to  the  user  parameter  reset  state,  may  be  overridden 
prior  to  the  GPS  force  procedure  to  expedite  the  time  required  to  update  the  user  parameter  reset  state. 

If  metering  is  overridden,  CSS  mode  is  required  for  all  GPS  to  NAV  force  operations  to  avoid  severe 
attitude  transients  once  the  user  parameter  reset  state  is  updated.  @[052401 -4524A] 
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A2-256  EARLY  POWERDOWN 

EARLY  POWERDOWNS  ARE  DEFINED  AS  REMOVAL  OF  POWER  FROM  THE  ORBITER 
ELECTRICAL  BUSES  PRIOR  TO  EOM  POWERDOWN.  EARLY  POWERDOWN  WILL 
BE  ACCOMPLISHED  FOR  ELS  LANDINGS,  FAILURE  OF  THE  COOLING  CART, 

ANY  ORBITER  MALFUNCTIONS  THAT  CONSTITUTE  A  SAFETY  HAZARD  (E.G., 
FUEL  LEAK) ,  OR  THE  THREAT  OF  SIGNIFICANT  ORBITER  EQUIPMENT 
DAMAGE.  IN  ALL  CASES,  THIS  WILL  BE  WITHOUT  REGARD  TO  THE 
INTEGRITY  OF  ANY  RETURNED  PAYLOAD. 

A2-257  DEORBIT  BURN  TERMINATION 

THE  DEORBIT  BURN  WILL  BE  TERMINATED  (PRIOR  TO  EXCEEDING  A  SAFE 
PERIGEE  AS  PROVIDED  ON  THE  DEORBIT/ENTRY/LANDING  (DEL)  PAD  FOR 
THE  FOLLOWING  FAILURES: 

A.  OMS  PROPELLANT  TANK  (ABOVE  SINGLE  TANK  COMPLETION  HP  ON  DEL 
PAD)  . 

B.  PASS  REDUNDANT  SET  FAIL  OR  RS  SPLIT  FOR  WHICH  RECOVERY  HAS 
NOT  BEEN  ATTEMPTED. 

C.  IMU  DILEMMA. 

D.  TWO  MAIN  BUSES. 

E.  TWO  OMS  ENGINES  (IF  RCS  DOWNMODE  CAPABILITY  DOES  NOT  EXIST). 


The  deorbit  burn  will  be  terminated  for  systems  failures  which  preclude  controllability  or  the  ability  to 
perform  a  safe  entry.  Loss  of  fault-tolerance  will  not  be  cause  for  terminating  the  deorbit  burn. 

For  failure  of  both  OMS  engines,  propellant  may  not  be  available  to  complete  the  deorbit  burn  with  the 
RCS  +X  jets  to  the  original  targets.  The  deorbit  burn  must  be  terminated  and  retargeted  to  shallower 
targets.  This  retargeting  will  require  a  24-hour  deorbit  delay. 


A2-258  BFS  ENGAGE 

BFS  WILL  BE  ENGAGED  IN  ENTRY  FOR  THE  FOLLOWING: 

A.  LOSS  OF  REDUNDANT  SET. 

B.  LOSS  OF  CONTROL. 

Reference  Rule  (A7-1 },  PASS  DPS  FAILURE.  ®[07i 494-1 636  ] 
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A2-259  CHASE  AIRCRAFT  OPERATIONS 

A.  T-38  CHASE  AIRCRAFT  WILL  BE  UTILIZED  ON  AN  "AS  REQUIRED" 
BASIS . 


T-38  chase  aircraft  can  be  used  to  provide  photo  documentation  of  orbiter  condition  and  damage  prior 
to  touchdown  and  rollout,  visual  inspection  for  fluids,  flames,  gear  door  damage,  etc.,  backup  for 
altitude  and  airspeed,  visual  call  to  orbiter  crew  in  case  of  wind  screen  obscurations,  and  downlink  TV  to 
NASA/PAO. 

B.  T-38  CHASE  RENDEZVOUS  WILL  BE  DISCONTINUED  IF: 

1.  VISUAL/RADAR  CONTACT  NOT  ESTABLISHED  WITHIN  1  MINUTE  OF 
ORBITER  RENDEZVOUS  POINT  AT  40K  FEET  MSL 

2.  VISUAL  CONTACT  NOT  ESTABLISHED  WHEN  WITHIN  4  NM  AS 
REPORTED  BY  RADAR  CONTROLLER  DIRECTING  THE  INTERCEPT 

3.  CHASE  RENDEZVOUS  NOT  COMPLETE  BY  PREFLARE 

4.  VISUAL  CONTACT  LOST  AFTER  RENDEZVOUS 

The  T-38  chase  aircraft  will  break  off  from  the  rendezvous  attempt  when  it  is  considered  unsafe  to 
con  tinue.  Attempting  a  join-up  without  visual  contact  could  result  in  vehicle  collision  or  create  a 
situation  that  would  cause  the  orbiter  to  maneuver  to  avoid  impact.  Chase  aircraft  procedures  are  found 
in  Aircraft  Operating  Procedures,  Volume  1,  T-38A  Aircraft. 

C.  CHASE  AIRCRAFT  WILL  MAINTAIN  A  MINIMUM  LATERAL  SEPARATION  OF 
200  FEET  FROM  THE  ORBITER  DURING  THE  AUTOLAND  PORTION  OF  THE 
LANDING  APPROACH. 

The  orbiter  autoland  flight  path  characteristics  are  unpredictable  and  may  be  abrupt.  A  200-foot  T-38 
chase  aircraft  separation  will  allow  the  chase  pilot  adequate  time  to  safely  avoid  unexpected  orbiter 
maneuvers. 
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A2-260  ENTRY  LOAD  MINIMIZATION 

IF  IT  IS  REQUIRED  TO  MINIMIZE  ENTRY  LOADS,  THE  FOLLOWING  STEPS 
WILL  BE  CONSIDERED: 

A.  DELETE  ENTRY  TEST  MANEUVERS  . 

B.  SELECT  RUNWAY  AND  HAC  TO  MINIMIZE  TAILWIND  COMPONENT  AT  HAC 
INTERCEPT . 

C.  SELECT  AN  SLS  IF  SIGNIFICANT  WINDS  AND/OR  TURBULENCE  CANNOT 
BE  AVOIDED  AT  THE  PLS  . 

Reference  Rule  {A10-203B},  PLBD  CRITICAL  LATCHES. 
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A2-261  ENTRY  DTO/AUTO  MODE /CROSSWIND  DTP  GO/NO-GO 


FAILURE  OF 

AERO  PTI  DTO 

AUTO  MODE 

XWIND  DTO 

NO-GO 

NO-GO  [11 

NO-GO 

[10[ 

APU/HYD 

1  APU 

[3] 

X 

2  APU 

f31 

X 

X 

DISPLAYS 

2  ADI’S 

X 

CDR  HUD 

X 

(IF  NO  PAPI’S  AND  BALL  BAR) 

CONTROLLERS 

RHC:  1  LCH 

X 

L  RHC 

X 

2LAND2R 

[3] 

X 

X 

RPTA:  2LOR2R 

X 

[91 

GNC 

2  AA’S  (LAT) 

[3] 

X 

X 

2  AA'S  (NORM) 

[12] 

X  (<M  2.5) 

X  (<M  2.5) 

2  RGA’S 

[3] 

X 

X 

2  IMU  (OR  1  IMU  +  BITE) 

[3] 

X 

X 

2  ADTA’S 

[5] 

X 

ADTA  NOT  INCORP 

X  (<M  2)  [7] 

FCSCH:  2ELEV 

[3] 

X 

X 

2  S/B 

[3] 

X 

X 

2  RUD 

[3] 

X 

X 

2  BF 

[3] 

X 

X 

RDDU:  2  POWER  SUPPLY  (A,  B,  OR  C) 

X 

LOSS  OF  WOW/WONG  NO  SSME  REPOSITIONING 

X 

DPS 

GPC  1  (NOT  RSTNG) 

X 

GPC  2  (NOT  RSTNG) 

X 

GPC  3  (NOT  RSTNG) 

X 

2 GPC  (RSTNG) 

X 

2  GPC  (NOT  RSTNG) 

X 

X  (<M  2.5)  [12] 

X 

FF1 

X 

FF2 

X 

FF3 

X 

2  FF 

X 

X  (<M  2.5)  [12] 

X 

2  FA 

X 

X 

AFT  RCS 

LEAK 

X 

2  YAW  JETS  ON  SAME  SIDE 

X 

1  YAW  JET  AND  CG  OUTSIDE  NOM  LIMITS 

X 

2  P  JETS,  SAME  SIDE,  SAME  DIR 

X  (q<40) 

MIN  RCS  QTY 

X 

FWD  RCS  (FWD  RCS  DTO  ONLY) 

2  YAW  JETS  SAME  SIDE 

X 

MIN  FWD  RCS  QTY 

[2] 

X 

LEAK 

X 

LOSE  LK  DETECT 

[8] 

LOSE  FAIL  OFF  DETECT 

[8] 

LOSS  OF  FRCS  GAUGING 

X 

PROP  BULK  TK  TEMP  <70°  F 

X 

@[090894-1562]  ®[1 1 1094-1 690B]  @[0411 96-1 782A]  @[041 097-4890A] 
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A2-261 


ENTRY  DTO/AUTO  MODE/CROSSWIND  DTP  GO/NO-GO 
(CONTINUED) 


FAILURE  OF 


LANDING/DECEL 


TIRE  (LEAK) 
ISOL  VLV 
<100%  BRAKES 
NWS 


XRANGE  >  DTO  XRANGE  LIMIT 


?  PRIOR  TO  FIRST  ROLL  REVERSAL 
?  AFTER  FIRST  ROLL  REVERSAL 


TRIM/RATES 

AIL  >±1.5° 

ELEV  >  3°  (FROM  EXPECTED) 
RATES  (PTI) 

PITCH  >  3  DEG/SEC 
YAW  >  3  DEG/SEC 
ROLL  >  7  DEG/SEC 


DOWNMODE 

FCS  PROBLEM  [3 

AOA 


ENERGY  OFF  NOMINAL 

ROLL  REF.  ALERT 
ABOVE  UPPER  TRAJ  LINE 
NAV  PROBLEM  REQ  MCC  GCA  OR  VEL 
AND  POS  UPDATE 
NO  A/L  BY  6K 


PLB 

PLBD LATCHES 


DATA 

OPS  RECORDERS 


GROUND  SYSTEMS 


NO  RUNWAY  AIMPOINT 


XWIND 

<10  KNOTS  PEAK 
>15  KNOTS  PEAK 
>10  KNOTS  GUST 


VENT  DOORS  (FWD  RCS  DTO  ONLY 


ANY  OPEN  VENT  DOOR  (FWD,  MID, 
AFT) 


®[1 11 094-1 690B]  @[0411 96-1 782A]  @[041 097-4890A] 


AERO  PTI  DTO 
NO-GO 
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A2-261  ENTRY  DTO/AUTO  MODE/CROSSWIND  DTP  GO/NO-GO 

(CONTINUED) 

NOTES: 

[1]  GROUND  OR  CREW  CALL. 

[2]  PROVIDED  BY  FLIGHT-SPECIFIC  ANNEX. 

[3]  RETARGET  TO  REQUIRED  RUNWAY  IF  AVAILABLE  (REF.  RULE  {A2-207},  LANDING  SITE  SELECTION). 

®[ED  ] 

[4]  CRITICAL  LATCH  RULE  {A1 0-203B},  PLBD  CRITICAL  LATCHES,  APPLIES. 

[5]  PTI’s  AUTOMATICALLY  INHIBITED  BELOW  M  =  2.5  WITHOUT  AIR  DATA. 

[6]  GROUND  CALL  REQUIRED  FOR  INITIATION  OF  PTI’s  (REF.  RULE  {A4-209},  AERO  TEST  MANEUVERS).  VALID 
TELEMETRY  REQUIRED  FOR  EVALUATION  OF  ORBITER  ENERGY  STATE  AND  DRAG  PROFILE.  ®[ED  ] 

[7]  RESERVED  ®[041 196-1 782A] 

[8]  DESELECT  AFFECTED  JET. 

[9]  RESERVED  ®[041 196-1 782A] 

[1 0]  CONSIDER  RUNWAY  REDESIGNATION  (>M  6)  TO  AVOID  CROSSWIND  LANDING. 

[11]  RESERVED 

[1 2]  PITCH  AUTO  MODE  NO-GO  FOR  M  <  2.5. 

[13]  PTI’s  AUTOMATICALLY  TERMINATED  WHEN  RATE  LIMITS  EXCEEDED. 

[14]  RESERVED 

[15]  RESERVED 

[16]  RESERVED 

[17]  RESERVED  ®[041097-4890A] 

[18]  RESERVED  ®[1 1 1094-1 690B] 

[19]  RESERVED  ®[041097-4890A] 

[20]  FWD  RCS  DTO  IS  GO.  H2  CONCENTRATIONS  PREDICTED  TO  BE  WELL  BELOW  FLAMMABILITY  HAZARD. 
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A2-261  ENTRY  DTO/AUTO  MODE/CROSSWIND  DTP  GO/NO-GO 

(CONTINUED) 

a.  AERO  PTI DTO  NO-GO: 

The  AERO  PTI  and  Xwind  DTO’s  will  not  be  performed  when  navigation  or  flight  control  systems 
are  fail  critical.  Maintaining  single-fault  tolerance  for  AUTO  flight  control,  and  allowing  an 
acceptable  crew  workload  are  required  for  performing  the  DTO’s.  In  addition  to  be  GO  for  the 
Xwind  DTO,  single-fault  tolerance  is  required  for  the  CDR's  displays  and  controls. 

(1)  APU/HYD 

2  APU  -  If  two  APU/HYD  systems  are  lost,  the  remaining  system  must  supply  all  necessary 
loading  to  perform  entry.  PRL  will  limit  the  available  hydraulic  power  in  an  optimum 
management  scheme  in  order  to  prevent  overloading  the  single  remaining  system.  Data  has 
shown  that  entry  PTI’s  place  a  short  duration  high  load  on  a  hydraulic  system.  For  this 
reason,  aero  PTI'S  should  not  be  performed  in  order  to  minimize  stress  on  the  single 
APU/HYD  system. 

(2)  DISPLAYS 

(a)  ADI 

AERO  PTI  DTO: 

The  ADI  is  required  to  monitor  vehicle  attitude  and  rates  for  crew  takeover. 

(b)  CDRHUD 
XWIND  DTO: 

The  CDR  relies  on  the  HUD  for  critical  landing  data  and  cues.  Flying  is  more  difficu  lt 
withou  t  this  instrument,  and  landing  in  high  crosswinds  increases  the  level  of  difficulty. 
The  CDR’s  HUD  is  not  required  if  PAPE  s  and  ball  bar  are  available,  since  these 
landing  aids  provide  guidance  for  the  approach  and  glide  slope. 

THIS  RULE  CONTINUED  ON  NEXT  PAGE 
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A2-261  ENTRY  DTO/AUTO  MODE/CROSSWIND  DTP  GO/NO-GO 

(CONTINUED) 

(3)  CONTROLLERS 

(a)  RHC 

L  RHC- ONE  CHNL  FAILED  L  RHC  FAILED 
XWIND  DTO: 

The  left  RHC  is  either  zero-fault  tolerant  or  failed.  It  is  very  desirable  for  the  CDR  to 
manually  control  the  vehicle  during  approach  and  landing.  For  this  reason,  the  PLT  will 
not  execute  the  DTO.  If  the  PLT  must  fly  ( left  RHC  failed),  then  it  is  prudent  to 
redesignate,  if  possible,  to  a  runway  with  more  nominal  conditions. 

TWO  RHC  CHNL ’S  FAILED  EACH  SIDE 

AERO  PTI  DTO,  XWIND  DTO: 

The  next  failure  could  cause  vehicle  control  problems  since  the  output  from  the 
remaining  two  channels  is  summed.  The  additional  maneuvers  associated  with  the 
DTO’s  increase  the  possibility  of  having  vehicle  control  problems  with  the  next  failure. 
For  these  failures,  at  least  one  of  the  flight  controller  power  switches  should  be  turned 
OFF,  and  both  when  not  being  used  (ref.  Rule  {A8-105J,  CONTROLLERS). 

(b)  RPTA 

TWO  RPTA  CHNL 's  FAILED  ONE  SIDE 
XWIND  DTO: 

The  RPTA  channels  are  zero-fault  tolerant  and  the  DTO  is  NO-GO  since  NWS  must  be 
powered  off  (ref.  Rule  {A10-141E},  NOSE  WHEEL  STEERING  (NWS)). 
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(4)  GNC 

(a)  AA’s 

TWO  LATERAL  AA  's  FAILED 
AERO  PTI  DTO: 

The  AA  lateral  feedback  is  used  for  turn  coordination  to  reduce  the  effects  ofIMU 
errors.  It  is  also  used  in  the  roll/yciw  channel  to  help  form  the  lateral  (Ny)  command. 
The  next  failure  could  cause  bad  vehicle  control. 

XWIND  DTO: 

The  lateral  AA  feedback  is  zero-fault  tolerant  and  the  DTO  is  NO-GO  since  NWS  must 
be  powered  off  (ref.  Rule  {. A10-141E },  NOSE  WHEEL  STEERING  (NWS)). 

(b )  TWO  NORMAL  AA ’s  FAILED 
AERO  PTI  DTO ,  AUTO  MODE: 

The  NORM  AA  feedback  is  used  by  guidance  to  form  the  Nz  command  for  flight  control 
in  MM  305.  After  two  failures  the  system  is  zero-fault  tolerant  in  AUTO.  The  crew  is 
required  to  fly  CSS  in  pitch  in  MM  305  (ref.  Rule  (A8-5f  ACCELEROMETER 
ASSEMBLIES  (AA)  FAULT  TOLERANCE),  and  aero  PTI's  are  automatically  inhibited 
while  in  CSS. 

(c)  RGA’s 

AERO  PTI  DTO,  XWIND  DTO: 

The  system  is  zero-fault  tolerant  for  feeding  bad  vehicle  rate  data  to  the  flight  control 
system.  It  is  not  pruden  t  to  perform  the  DTO’s  since  the  added  maneuvers  increase  the 
risk  for  control  problems  with  the  next  failure. 
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IMU’s 

AERO  PTI DTO ,  XWIND  DTO: 

After  the  second  IMU  failure  or  when  one  of  the  remaining  two  IMU’s  has  a  BITE,  the 
system  is  fail  critical.  In  either  case,  the  next  failure  can  cause  navigation  and  flight 
control  to  use  bad  IMU  data.  The  additional  maneuvers  associated  with  the  DTO’s 
increase  the  probability  of  vehicle  con  trol  problems  with  the  next  failure. 

ADTA’s 

TWO  ADT A’ s  FAILED 
XWIND  DTO: 

The  system  is  zero-fault  tolerant  because  the  next  failure  requires  the  crew  to  fly  theta 
limits.  Manual  flying  is  more  difficult  with  no  air  data,  and  the  higher  crosswinds 
increase  the  piloting  task. 

ADTA  NOT  INCORPORATED 

AERO  PTI  DTO,  AUTO  MODE: 

If  AD  is  not  incorporated  into  G&C  below  M=2.5,  aero  PTI’s  are  automatically 
inhibited.  If  below  M=2.0  and  AD  is  not  incorporated  into  G&C,  the  crew  is  required  to 
fly  CSS  in  the  pitch  axis  to  control  theta  limits.  Manual  speedbrake  is  required  below  5k 
feet  (ref.  Rule  / A8-111 },  GNC  AIR  DATA  SYSTEMS  MANAGEMENT  [CIL]).  Note  that 
the  XWIND  DTO  is  NO-GO  if  it  is  known  that  AD  will  not  be  incorporated  and  it  is  still 
possible  to  redesignate. 

FCSCHNL’s 

AERO  PTI  DTO,  XWIND  DTO: 

The  system  is  zero-fault  tolerant  for  being  in  an  uncertified  flight  control  mode.  The 
additional  maneuvers  associated  with  the  DTO’s  incur  more  risk  with  the  next  failure. 
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(g)  RIGHT  DDU 
XWIND  DTO: 

The  right  DDU  provides  power  for  NWS.  With  two  power  supplies  failed  the  DTO  is 
NO-GO  since  NWS  must  be  powered  off  (ref.  Rule  {A10-141E},  NOSE  WHEEL 
STEERING  (NWS). 

(h)  LOSS  OF  WOW/WONG 
XWIND  DTO: 

The  crosswinds  further  complicate  the  piloting  task  for  loss  of  WOW  or  WONG.  Both 
WOW  and  WONG  are  required  in  order  to  enable  NWS,  activate  AUTO  load  relief  and 
enter  the  rollout  DAP  mode  at  nose  gear  TD.  A  known  loss  of  WOW  or  WONG  requires 
the  crew  to  manually  set  the  WOW  and  WONG  discretes  by  pushing  the  SRB  or  ET  Sep 
pushbutton  after  nose  gear  TD.  Potential  delays  in  enabling  NWS  and  increased  piloting 
task  cause  the  DTO  to  be  NO-GO. 

Av  a  result  of  01-21  WOW  modifications,  the  only  two-failure  scenarios  of  concern 
in  volve  the  loss  of  both  WONG  discretes  (MDM,  BUS,  or  the  discretes  themselves). 

(5)  AFTRCS 

(a)  Once  a  leak  is  detected,  the  PTI’s  will  be  inhibited.  This  action  prevents  the  PTI’s  from 
occurring  while  performing  leak  troubleshooting.  The  leak  procedures  isolate  a  leg  of 
RCS  jets  at  a  time  thus  minimizing  the  amount  of  jets  available  for  attitude  control. 
Inhibiting  the  PTEs  ensures  that  any  off-nominal  perturbations  that  could  possibly  occur 
during  PTI  execu  tion  will  be  preven  ted.  If  a  nonisolatable  leak  is  presen  t  or  the  NO-GO 
criteria  is  violated  due  to  isolation  of  the  leak  (minimum  RCS  quantity,  loss  of  jets),  no 
further  PTEs  will  be  performed. 

(b)  Due  to  the  loss  of  fail-safe  redundancy  for  orbiter  control,  the  PTEs  will  not  be 
performed. 

(c)  RCS  quantity  checks  are  performed  at  different  points  during  entry.  The  minimum 
quantity  includes  3-sigma  entry  usage  at  the  check  and  PTI  usage  to  the  next  check. 

PTEs  will  be  inhibited  to  protect  3-sigma  entry  redlines.  ®[041 1 96-1 782A] 
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(6)  FWD  RCS 

(a)  Loss  of  two  FWD  RCS  yaw  jets  on  the  same  side  would  result  in  unbalanced  jet  firings 
during  PTFs.  The  entry  command  SOP  software  will  prevent  the  PTFs  from  occurring 
as  long  as  RCS  RM  has  deselected  the  jets.  If  the  FRCS  yaw  jets  have  become 
unavailable  prior  to  entry,  the  PTFs  will  not  be  enabled  @[090894-1562  ] . 

(b)  FWD  RCS  quantity  checks  are  performed  at  different  points  during  entry.  The  minimum 
quantity  includes  PTI  usage  to  the  next  check  and  ensures  positive  propellant  flow  from 
the  FWD  RCS. 


Tank  residual  required  to  preven  t  screen  breakdown 


6771b 

( FWD  RCS  tanks  not  designed  for  entry  use) 

+  84  lb 

Gauge  error 

761  lb 

Total  tank 

-307  lb 

Hardware  trapped 

4541b 

Minimum  usable  FWD  RCS 

+PT1  lb 

PTI  usage 

XXX  lb 

Total  quantity  check 

(c)  Once  a  leak  is  detected,  the  PTFs  will  be  inhibited.  This  action  ensures  that  the  PTFs 
will  not  occur  during  leak  isolation.  Leak  troubleshooting  consists  of  securing  the  entire 
system.  If  the  leak  is  nonisolatable  or  the  minimum  FWD  RCS  quantity  is  violated  or 
minimum  jets  violated,  the  PTFs  will  remain  inhibited. 

(d)  For  the  loss  of  RCS  RM.  the  jets  will  be  deselected  and  not  utilized  for  the  PTFs.  Per 
Rule  {A6-156},  RCS  RM  LOSS  MANAGEMENT,  jets  with  loss  ofRM  will  only  be 
selected  if  required  for  attitude  hold  or  to  maintain  fail-safe  redundancy.  Because  of  the 
risk  of  firing  jets  without  RM  and  the  low  priority  of  FWD  RCS  PTFs,  the  jets  will  not  be 
reselected  to  perform  PTFs. 

(e)  FWD  RCS  gaging  is  required  to  monitor  the  propellant  quantity  to  ensure  that  minimum 
FWD  RCS  quantity  will  not  be  violated. 

(f)  The  FWD  RCS  bulk  propellant  temperature  must  be  70  deg  F  or  greater  at  deorbit  TIG. 
This  is  required  to  prevent  ZOT’s  from  occurring  during  PTFs.  This  is  an  MCC  call 
since  the  crew  has  no  insight  into  the  parameter  during  OPS-3.  @[090894-1562  ] 
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(7)  TRIM/RATES/CG  ®[04ii 96-1 782A] 

TRIM 

( a )  AILERON  TRIM  >  ±2.0  DEGREES  ®[04i  1 96-1 782A] 

AERO  PTIDTO: 

The  aileron  trim  saturation  limit  is  3.0  degrees.  When  the  trim  reaches  2.0  degrees ,  the 
PTI’s  should  be  inhibited  to  avoid  possible  control  problems  or  high  RCS  usage.  Based 
on  SES  analysis  and  previous  flight  data,  2.0  degrees  is  a  comfortable  margin  for 
control,  while  not  being  too  restrictive.  ®[041 1 96-1 872A] 

(b )  ELEVON  TRIM  >3.0  DEGREES  (FROM  EXPECTED ) 

AERO  PTIDTO: 

The  elevator  schedule  has  a  1-degree  deadband.  Performing  PTI’s  with  large  elevator 
trim  could  increase  the  level  of  difficulty  in  trimming  the  vehicle.  Three  degrees  off 
schedule  is  a  sufficiently  large  elevator  trim  limit  to  permit  aero  maneu  vers  in  any 
reasonable  flight  condition,  yet  provides  adequate  safety  margins  for  con  trol. 

XWIND  DTO: 

This  elevon  trim  condition  indicates  that  the  vehicle  is  in  an  off-nominal  configuration 
which  may  lead  to  additional  problems.  It  is  prudent  then  to  NO-GO  the  XWIND  DTO 
and  avoid  complicating  the  situation  during  A/L  and  rollout. 

(c)  VEHICLE  RATES  (PTI) 

AERO  PTIDTO: 

These  limits  are  in  the  software  and  will  automatically  inhibit  (terminate)  any  PTI  in 
progress.  The  additional  maneuvers  associated  with  the  PTEs  could  make  it  more 
difficult  for  the  FCS  to  damp  the  rates  and  regain  good  control. 
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(d)  CG 

AERO  PTI  DTO: 

With  the  X  or  Y  CG  out  of  the  nominal  CG  box,  continuous  firing  of  ARCS  jets  may  be 
required  to  maintain  attitude  control.  To  ensure  maximum  control  authority  in  cm 
uncertified  configuration,  as  well  as  to  save  propellant,  PTI’s  will  not  be  performed. 

®[041 196-1 782A] 

(8)  DOWNMODE 
FCS  PROBLEM 

AERO  PTI DTO,  AUTO  MODE,  XWIND  DTO: 

If  the  vehicle  is  experiencing  problems  with  the  FCS,  due  to  mu  ltiple  systems  failures  and/or 
unpredicted  effects  of  the  environment,  then  all  flight  control  DTO’s  are  NO-GO,  and  the 
crew  should  fly  CSS,  if  required.  The  risks  associated  with  performing  the  DTO’s  are  too 
great  while  vehicle  control  is  off-nominal. 

(9)  PLB 

PLBD  LATCHES  -  It  is  acceptable  to  perform  an  entry  with  any  one  latch  gang  (bulkhead  or 
centerline)  failed  open.  Entry  loads  should  be  minimized  (per  Rule  {A10-203B},  PLBD 
CRITICAL  LATCHES,  and  SODB  3. 4. 2. 3).  Aero  PTI's  will  not  be  performed  in  order  to 
ensure  a  nominal  entry. 

(10)  DATA 

According  to  the  sponsor  of  the  aero  PTI  DTO,  the  crew  cannot  evaluate  the  results  from 
onboard  indications.  Either  real-time  or  recorded  telemetry  is  required.  This  is  in  agreement 
with  the  DTO  requirements  as  documented  in  NSTS  16725,  Flight  Test  and  Supplementary 
Objectives  Document. 
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b.  XWIND  DTO  NO-GO 

(1)  APU/HYD 

1  APU  and  2  APU 

Loss  of  one  APU/HYD  system  places  the  orbiter  a  single  failure  away  from  performing 
entry/rollout  on  a  single  system.  Orbiter  handling  qualities  have  been  demonstrated  to  be 
degraded  when  only  a  single  APU/HYD  system  is  operating.  If  only  one  APU/HYD  system 
remains,  conditions  that  could  adversely  affect  the  already  degraded  handling  qualities 
should  be  avoided  if  possible.  Therefore,  if  one  or  two  APU/HYD  systems  are  lost,  the 
crosswind  DTO  should  be  NO-GO. 

(2)  LANDING/DECEL 

(a)  TIRE  (LEAK) 

For  a  confirmed  main  gear  tire  leak,  a  landing  with  a  crosswind  from  the  side  of  the 
affected  tire  is  desirable.  If  a  leak  is  confirmed  in  a  main  or  nose  gear  tire,  the  load- 
carrying  capability  of  that  tire  is  reduced. 

(b)  BRAKE  ISOLVLV 

Loss  of  the  ability  to  open  one  brake  isolation  valve  puts  the  orbiter  one  failure  away 
from  having  only  50  percent  braking  capability.  Full  braking  capability  is  required  for 
the  crosswind  DTO  in  order  to  ensure  good  con  trol  of  the  vehicle  in  high  crosswind 
conditions. 
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(c)  <100  PERCENT  BRAKES 


Full  braking  capability  is  required  for  the  crosswind  DTO  in  order  to  ensure  good 
con  trol  of  the  vehicle  in  high  crosswind  conditions. 

(d)  NWS 


NWS  is  the  primary  means  of  steering  the  vehicle  during  rollout.  In  a  strong  crosswind, 
differential  braking  may  not  be  sufficient  to  maintain  directional  control. 


(3)  XWIND 


(a)  <10  KNOTS  PEAK  ®[041 097-4890A] 

Winds  less  than  10  knots  are  not  within  the  DTO  limits  and  would  not  produce 
conditions  appropriate  for  collecting  the  required  DTO  data. 

(b)  >15  KNOTS  PEAK 

Crosswinds  greater  than  15  knots  peak  violate  nominal  crosswind  limits. 

(c)  >10  KNOTS  GUST  ®[041 097-4890A] 

Crosswinds  with  gusts  greater  than  10  knots  above  the  steady-state  wind  violate  nominal 
limits. 
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c.  DPS 

In  general,  DPS  failures  that  cause  aero  PTI DTO,  auto  mode,  and  crosswind  DTO  to  be  NO-GO 
are  driven  by  various  failures  in  the  GNC,  MMACS,  and/or  PROP  systems. 

GPC  1  (NOT  RSTNG),  GPC  2  (NOT  RSTNG),  FF1,  FF2  -  Crosswind  DTO  is  NO-GO  due  to  loss  of 
a  left  RHC  channel,  and  for  vehicles  without  improved  NWS,  loss  of  GPC  NWS. 

GPC  3  (NOT  RSTNG),  FF3  -  Crosswind  DTO  is  NO-GO  due  to  loss  of  a  left  RHC  channel. 

2  GPC  (RSTNG)  -  Aero  PTI  DTO  is  NO-GO  due  to  the  inherent  risk  of  another  GPC  failure  which 
would  cause  GNC  systems  violations  for  the  DTO. 

2  GPC  (NOT  RSTNG),  2  FF  -  Aero  PTI  DTO,  auto  mode  ( <M2.5),  and  crosswind  DTO  are  all  NO- 
GO  due  to  multiple  GNC  LRU  failures. 

2  FA  -  Aero  PTI  DTO  and  crosswind  DTO  are  NO-GO  due  to  multiple  GNC  LRU  failures.  The 
aero  PTI  DTO  is  also  NO-GO  due  to  two  aft  jets  being  down. 

For  additional  technical  information  concerning  the  rationale  for  aero  PTI  DTO,  auto  mode,  and 
crosswind  DTO  NO-GO  requiremen  ts,  refer  to  the  rationale  for  the  GNC,  MMACS,  and  PROP 
systems.  ®[041 097-4890A] 
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A.  BRAKING  OR  NOSE  WHEEL  STEERING  DTO  TASKS  MAY  BE  PERFORMED  ON 
DAYLIGHT  LANDINGS  REGARDLESS  OF  THE  WEIGHT / CG  OR  FLIGHT 
DURATION.  ®[1 1 1 894-1 690B] 

B.  BRAKING  DTO  TASKS  MAY  BE  PERFORMED  ON  NIGHT  LANDINGS  SO  LONG 
AS  THEY  INVOLVE  ONLY  VARIATIONS  IN  BRAKING  PROFILE  OR 
DECELERATION  LEVEL.  NO  DTO  STEERING  TASKS  USING  DIFFERENTIAL 
BRAKING  WILL  BE  PERFORMED  ON  NIGHT  LANDINGS  .  ®[1 11 894-1 690B] 

C.  NO  DTO  STEERING  TASKS  USING  DIFFERENTIAL  BRAKING  OR  NWS  WILL 
BE  PERFORMED  ON  NIGHT  LANDINGS.  ®[1 1 1894-1 690B] 

D.  CROSSWIND  LANDING  DTO' S  ABOVE  12  KNOTS  PEAK  WILL  NOT  BE 
PERFORMED  ON  NIGHT  LANDINGS  OR  EXTENDED  DURATION  ORBITER 
(EDO)  FLIGHTS.  ®[111 894-1 690B] 

Braking  or  nose  wheel  steering  testing  is  acceptable  during  daylight  landings  since  vehicle  weight  and  CG 
have  minimal  effects  on  the  rollout  piloting  task,  and  visual  cues  are  available  to  the  crew  to  assess  test 
inputs/results.  Braking  tests  at  night  are  acceptable  if  they  only  involve  basic  braking  functions  such  as 
varying  the  deceleration  levels  or  specific  braking  profile.  Steering  task  DTO’s  involving  either 
differen  tial  braking  or  nosewheel  steering  are  not  acceptable  at  night  due  to  the  loss  of  visual  cues  and 
runway  shadowing  effects  which  put  the  crew  and  orbiter  at  unnecessary  additional  risk.  The  crosswind 
limit  for  EDO  or  night  flights  has  been  set  at  12  knots  regardless  of  where  you  land.  You  may  land  with  a 
crosswind  between  8  and  12  knots  and  still  meet  the  crosswind  DTO  requirements,  but  the  peak  wind  will 
not  be  allowed  to  exceed  12  knots  and  approach  the  15-knot  normal  crosswind  DTO  limit.  ®[ED  ] 

E.  THE  CROSSWIND  DTO  MAY  RESULT  IN  EXCEPTIONS  TO  RULE  {A10-143}, 
DRAG  CHUTE  DEPLOY  TECHNIQUES. 

If  the  crosswincl  DTO  is  GO  per  Rule  (A2-261J,  ENTRY  DTO/AUTO  MODE/CROSSWIND  DTO 
GO/NO-GO,  the  drag  chute  will  be  deployed  after  NGTD,  as  stated  in  the  applicable  Flight  Rule  Annex. 
®[041097-4890A] 

F.  LANDING  AND  ROLLOUT  DTO' S  WILL  NOT  BE  PERFORMED  ON  ABORTS 
(RTLS ,  TAL,  AOA,  FD1  PLS)  UNLESS  THEY  ARE  DATA  GATHERING 
ONLY,  INVOLVE  NO  CREW  ACTIONS,  AND  POSE  NO  ADDITIONAL  RISK  TO 
THE  CREW  OR  VEHICLE.  HOWEVER,  DATA  FROM  ANY  ABORT  LANDING 
MAY  BE  USED  TO  SATISFY  PROGRAM  DTO  OBJECTIVES.  ®[1 00997-6294A] 

Programmatic  risk  is  high  during  an  abort.  Additional  risk  or  crew  distraction  should  not  be  incurred 
for  the  sake  of  engineering  data  that  can  more  safely  be  obtained  on  another  flight.  However,  some 
DTO’s  are  data  gathering  only  and  are  transparent  to  the  crew;  these  are  allowed.  Some  DTO’s  cannot 
be  avoided  ( e.  g. ,  crosswincl  landings )  during  aborts  and  thus  will  be  accomplished  anyway.  This  rule 
means  that  off-nominal  crew  actions  (such  as  delayed  drag  chute  deploy  for  the  crosswind  DTO)  will  not 
be  performed.  ®[1 00997-6294A] 
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A2-263 


STA/WEATHER  AIRCRAFT  RUNWAY  APPROACH  OPERATIONS 
FOR  SITES  WITH  ONLY  ONE  RUNWAY 


A.  PRELAUNCH  (RTLS/TAL) /PREDEORBIT  ( AOA/EOM) 

STA  AND/OR  WEATHER  AIRCRAFT  APPROACHES  TO  PLANNED  LANDING 
SITES  WITH  ONLY  ONE  RUNWAY  (OPPOSITE  END  MAY  OR  MAY  NOT  BE 
AVAILABLE)  MAY  BE  PERFORMED  AS  REQUIRED  TO  ASSESS 
NAVAID /VIS IBI LITY  STATUS.  ONCE  THE  FINAL  GO  FOR  LAUNCH  OR 
THE  DEORBIT  BURN  HAS  BEEN  GIVEN,  THESE  OPERATIONS  WILL  BE 
TERMINATED  UNLESS  REQUIRED  PER  PARAGRAPH  B. 


B  . 


POSTLAUNCH 


(RTLS/TAL) /POSTDEORBIT  BURN  (AOA/EOM) 


POSTLAUNCH  OR  POSTDEORBIT  BURN,  STA  OR  WEATHER  AIRCRAFT 
APPROACHES  TO  THE  SELECTED  RUNWAY  AT  LANDING  SITES  WITH  ONLY 
ONE  RUNWAY  (OPPOSITE  END  MAY  OR  MAY  NOT  BE  AVAILABLE) ,  WILL 
ONLY  BE  DONE  IF  CONDITIONS  MAKE  SUCH  AN  APPROACH  NECESSARY. 
APPROACHES  WILL  BE  MINIMIZED  AND  WILL  BE  PERFORMED  TO  REDUCE 
THE  RISK  OF  RUNWAY  LOSS  DUE  TO  AIRCRAFT  PROBLEMS  ON  APPROACH. 
TO  REQUIRE  AN  APPROACH  POSTLAUNCH  OR  POSTDEORBIT,  A  CHANGE  OR 
CONCERN  IN  ONE  OR  MORE  OF  THE  FOLLOWING  AREAS  MUST  EXIST: 


1.  VISIBILITY. 

2.  NAVAID  STATUS /CAPABILITY. 


For  the  case  where  a  landing  facility  has  only  one  runway  ( availability  of  its  alternate  end  does  not 
matter),  approaches  to  landing  runways  are  still  performed  prelaunch  or  predeorbit  burn  to  aid  in 
assuring  that  landing  flight  rules  are  met  with  respect  to  navaid  and  visibility  status.  Such  approaches 
are  not  considered  a  threat  to  landing  prior  to  launch  or  the  deorbit  burn. 


Once  committed  to  a  runway,  approaches  to  that  runway  or  its  alternate  end,  should  not  be  done  unless 
necessary  to  confirm  the  ability  to  land  on  that  runway.  There  is  no  reason  to  continue  to  shoot 
approaches  to  the  selected  runway  if  conditions  have  not  changed  since  the  commitment  to  use  the 
runway.  If  changes  are  suspected,  however,  addition  al  approaches  may  be  performed.  If  required,  they 
will  be  done  such  that  risk  of  losing  the  runway  due  to  approach  aircraft  problems  will  be  minimized  in 
order  to  preserve  shuttle  landing  capability.  Techniques  to  accomplish  this  include  breaking  off  an 
approach  early  or  runway  flybys  vice  approaches. 
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A2-264  EMERGENCY  LANDING  FACILITY  CRITERIA 

THIS  RULE  DOCUMENTS  THE  MINIMUM  ACCEPTABLE  LANDING  FACILITY 
REQUIREMENTS  FOR  COMMITMENT  TO  AN  EMERGENCY  LANDING  VERSUS 
BAILOUT.  IT  APPLIES  FOR  ALL  LANDINGS.  ®[1 20894-1 744B] 

A.  RUNWAY  AT  LEAST  7500  FT  LONG  AND  130  FT  WIDE.  ®[1 1 0900-3733C] 

B.  RUNWAY  COORDINATES  RESIDENT  IN  THE  ONBOARD  SOFTWARE  OR 
AVAILABLE  FOR  UPLINK. 

C.  OPERATIONAL  TACAN  OR  DME  WITHIN  50  NM  OF  THE  SITE,  AVAILABLE 
FOR  INCORPORATION  INTO  THE  NAV  (MAY  REQUIRE  UPLINK) . 

D.  AIRSPACE  AND  RUNWAY  CLEAR. 

E.  CONFIRMATION  OF  FACILITY  READINESS  FOR  ORBITER  LANDING  VIA 
MCC  OR  CREW  VOICE  CONTACT  WITH  THE  AIRFIELD. 

F.  ACCEPTABLE  WEATHER  FOR  ORBITER  EMERGENCY  LANDING  OPERATIONS 
(REFERENCE  RULE  {A2-6},  LANDING  SITE  WEATHER  CRITERIA  [HC] ) - 

G.  ACCEPTABLE  LIGHTING  FOR  ORBITER  EMERGENCY  LANDING  OPERATIONS. 
IF  LANDING  AT  NIGHT  WITHOUT  XENONS,  THE  FOLLOWING  MINIMUM 
REQUIREMENTS  APPLY: 

1.  OPERATIONAL  RUNWAY  EDGE  LIGHTS 

2.  ONE  HUD  OPERATIONAL 

THIS  RULE  CONTINUED  ON  NEXT  PAGE 
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A2-264  EMERGENCY  LANDING  FACILITY  CRITERIA  (CONTINUED) 

Due  to  the  inherent  hazards  of  an  orbiter  landing,  especially  at  a  non-augmented  facility,  adequate  site 
readiness  must  be  ensured  before  a  landing  will  be  attempted.  The  runway  to  be  used  must  be  of 
sufficient  length  and  width  to  accommodate  a  safe  orbiter  landing.  The  130  ft  value  corresponds  to  the 
narrowest  approved  ELS  runways  in  NSTS-07700,  Volume  X,  Book  3.  Although  the  effects  of  landing  on 
130  ft  wide  run  ways  have  not  been  evaluated  directly,  examination  of  data  from  the  2/00  Ames  VMS 
study  on  minimum  acceptable  runway  length  indicates  adequate  performance  should  be  expected.  This 
study  included  crosswinds  up  to  15  kt  on  runways  between  148ft  to  200ft  wide.  The  maximum  lateral 
excursions  seen  in  this  study  were  less  than  that  required  to  stay  on  a  130  ft  wide  runway.  Rio  Gallegos, 
Argentina,  the  only  Program-approved  Emergency  Site  <  148ft  wide,  is  considered  acceptable  given  the 
significant  gain  in  emergency  deorbit  capability  it  provides.  However,  until  a  minimum  runway  width 
study  is  performed,  any  new  runways  less  than  148  ft  being  considered  for  SSP  use  should  be  evaluated 
on  a  case-by-case  basis.  The  7500ft  length  is  based  on  studies  performed  in  the  2/00  NASA  Ames  VMS 
session  that  showed  acceptable  performance  can  be  obtained  if  additional  TD  energy  is  removed  from 
the  system.  ®[i  1 09-3733C  ] 

Prior  to  01-30,  a  manual  speedbrake  technique  can  be  used  to  stop  the  orbiter  on  a  7500ft  runway  and 
assumes  the  following:  short  field  speedbrake  logic  is  selected;  Auto  speedbrake  is  used  down  to  3000 
ft;  the  speedbrake  is  manually  set  to  the  Auto  speedbrake  retract  command  plus  20  percent  at  3000ft; 
limiting  the  maximum  speedbrake  setting  to  75  percent;  no  speedbrake  adjustment  made  at  500 ft; 
touchdown  at  195  KEAS;  at  maingear  touchdown  deploy  the  chute,  derotate,  and  set  the  speedbrake  to 
100  percent;  use  maximum  braking  at  nose  gear  touchdown.  01-30  software  changes  will  eliminate  the 
need  for  the  maimed  speedbrake  procedure.  Rule  {A4-110},  A1MP01NT,  EVALUATION  VELOCITY, 
AND  SHORT  FIELD  SELECTION,  will  define  when  the  manual  technique  is  to  be  employed.  Minimum 
runway  length  for  Space  Shuttle  purposes,  as  defined  in  Vol  X,  Book  3,  considers  usable  underruns  and 
overruns  for  runway  length.  Usable  runway  length  is  measured  from  the  threshold  (actual  or  displaced ) 
to  the  end  of  the  usable  overrun.  If  no  overrun  is  available,  usable  runway  length  is  measured  to  the 
end  of  the  usable  runway.  Refer  to  AEFTP  # 165  minutes  for  further  details.  The  runway  must  be 
resident  in  the  onboard  software  or  available  for  uplink  to  allow  guidance  and  navigation  aids  to  be 
used.  ®[1 10900-3733C] 
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A2-264  EMERGENCY  LANDING  FACILITY  CRITERIA  (CONTINUED) 

An  operational  TACAN  or  DME  is  required  to  provide  sufficient  onboard  navigation  accuracy.  The 
coordinates  must  be  resident  in  the  onboard  software  or  available  for  uplink  to  cdlow  incorporation  into 
the  navigation  state.  Fifty  miles  distance  from  the  TACAN  to  the  field  is  based  on  Monte  Carlo  analysis 
of  various  TAL  scenarios.  Redundancy  in  the  TACAN  or  its  power  supply  is  desirable  but  not  required. 
®[1 20894-1 744B] 

The  airspace  and  the  chosen  runway  must  be  clear.  MCC  or  crew  voice  contact  with  the  airfield  is 
required  to  ensure  that  the  facility  is  prepared  for  the  landing.  In  order  to  reduce  the  risk  to  the  orbiter, 
crew,  and  the  general  public/civilian  population,  it  is  necessary  that  an  intended  landing  site  be  notified 
of  an  attempted  landing  as  soon  as  possible.  This  will  allow  the  airspace  and  runways  to  be  cleared  as 
well  as  emergency  equipment  prepared.  Notification  may  be  via  state  department  prearranged  channels, 
NASA  agreed  to  communication  channels,  or  via  communication  directly  with  the  orbiter  crew. 

®[1 20894-1 744B] 

Acceptable  weather  for  orbiter  landing  operations  is  required.  These  criteria  are  documented  in  rule 
I A2-6 },  LANDING  SITE  WEATHER  CRITERIA  [HC]. 

Restrictions  are  placed  on  night  landings  due  to  a  significant  loss  of  visual  cues.  Av  a  min  imum,  runway 
edge  lights  and  a  HUD  must  be  operational  to  assist  in  visually  acquiring  the  runway  and  the  outer  glide 
slope  (if  MLS  is  not  available)  and  to  provide  a  visual  reference  during  braking  and  rollout  (regardless 
of  MLS  status). 

Rules  (A2-205J,  EMERGENCY  DEORBIT,  and  {A2 -209},  LANDING  SITE  SELECTION  FOR  AN 
INFLIGHT  EMERGENCY,  reference  this  rule.  ®[i  20894-1 744B]  ®[ED  ] 
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A2-265  SINGLE  STRING  GPS  OPERATIONS  ®[072398-6586A]  @[040899-6847  ] 

A.  THE  GPS  A/I/F  FLAGS  WILL  REMAIN  IN  INHIBIT  FOR  ANY  CERTIFIED 
FLIGHT  MODE  (NOMINAL  ASCENT,  ATO,  AO A,  TAL,  RTLS ,  ORBIT,  AND 
NOMINAL  ENTRY) .  GPS  USE  IN  THE  PASS  AND/OR  BFS  IN  OTHER  THAN 
THE  INHIBIT  MODE  MAY  BE  CONSIDERED  FOR  CONTINGENCY  CASES 
WHERE  ITS  USE  COULD  PREVENT  A  CREW  BAILOUT  AND  LOSS  OF  THE 

0  RB I T  E  R  .  ®[072398-6586A]  @[040899-6847  ] 

The  PASS  and  BFS  have  been  certified  for  flight  only  if  the  GPS  to  NAV  and  GPS  to  G&C 
auto/inhibit/force  flags  remain  in  the  inhibit  position.  Testing  has  been  performed  to  confirm  the  PASS 
and  BFS  continue  to  function  with  incorporation  of  GPS;  however,  full  certification  testing  has  not  been 
completed.  Performance  testing  of  GPS  data  incorporated  into  the  onboard  navigation  has  not  been 
completed.  Potential  contingency  scenarios  in  which  GPS  may  be  used  could  include,  but  are  not  limited 
to,  a  contingency  landing  to  a  site  with  no  ground  TACAN  or  DME  and  no  radar  tracking  support;  a 
con  tingency  landing  to  a  site  with  no  ground  MLS  and  a  low  cloud  ceiling  and  visibility;  multiple 
onboard  problems  resulting  in  an  unacceptable  navigation  state  requiring  a  command  or  manual  delta 
state  update;  multiple  IMJJ  problems  resulting  in  a  runaway  navigation  state  which  is  not  manageable 
with  delta  state  updates.  In  OPS  1  and  Major  Mode  (MM)  601,  GPS  is  only  available  for  incorporation 
in  the  BFS.  Contingency  use  of  GPS  in  OPS  1  and  MM  601  in  the  BFS  would  require  CSS  in  the  PASS  to 
fly  out  the  BFS  ADI  digital  errors,  unless  the  commander  deemed  it  necessary  to  engage  in  order  to  fly 
the  vehicle.  If  possible,  contingency  use  of  GPS  should  be  delayed  until  OPS  3  or  MM  602/603.  GPS 
state  vector  accuracies  can  be  degraded  during  powered  flight  due  to  external  tank  blockage  of  GPS 
satellite  signals.  BFS  navigation  updates  with  GPS  during  powered  flight  would  only  be  required  to 
correct  extreme  errors  which  could  result  in  unsafe  MECO  conditions.  Caution  should  be  taken  when 
using  GPS  state  vectors  with  FOM’s  >5  (650 feet  position  error  one  sigma),  since  the  estimated  position 
error  increases  rapidly  with  higher  FOM  values.  The  GPS  DTO  objectives  expected  to  be  performed  on 
single  string  GPS  missions  may  call  for  the  GPS  A/I/F  function  to  be  in  a  position  other  than  inhibit.  If 
so,  the  flight  specific  flight  rules  annex  will  document  the  exception  to  this  rule  and  specify  the  conditions 
under  which  the  DTO  objectives  will  be  performed.  @[040899-6847  ]  @[052401-4525  ] 

B.  EXCEPTIONS  TO  THIS  RULE  WILL  BE  DOCUMENTED  IN  THE  FLIGHT 
SPECIFIC  FLIGHT  RULES  ANNEX.  ©[072398-6586A] 
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A2-266  SUBSONIC  PILOT  FLIGHT  CONTROL 

AT  THE  DISCRETION  OF  THE  COMMANDER  ( CDR) ,  THE  PILOT  (PLT )  MAY  FLY 
CONTROL  STICK  STEERING  (CSS)  FOR  A  SINGLE  PERIOD  (APPROXIMATELY 
20  SECONDS)  BELOW  MACH  1.00  WITH  THE  FOLLOWING  CONSTRAINTS: 
@[082202-5636  ]  ®[ED  1 1 1 302  ] 

A.  THE  CDR  WILL  FLY  THE  ORBITER  FROM  15  SECONDS  PRIOR  TO  HAC 
INTERCEPT  THROUGH  THE  INITIAL  ROLL  ONTO  THE  HAC. 

B.  THE  CDR  WILL  FLY  FRCM  AN  ALTITUDE  AGL  OF  20,000  FT  THROUGH 
LANDING  AND  ROLLOUT. 

C.  WHEN  CSS  IS  ENGAGED,  ONBOARD  GUIDANCE  COMMANDS  WILL  BE 
FOLLOWED . 

D.  THE  CDR  WILL  FLY  (NO  TRANSFER  OF  CONTROL)  FOR  THE  FOLLOWING 
CASES : 

1.  IF  THE  MCC  RECOMMENDS  "DELAYED  CSS  PREFERRED"  PER  RULE 
{ A4- 1 56},  HAC  SELECTION  CRITERIA. 

2.  SYSTEMS  OR  NAVIGATION  PROBLEMS  THAT  REQUIRE  CSS,  PER 
RULES  { A2-2  61 } ,  ENTRY  DTO/AUTO  MODE/CROSSWIND  DTO  NO-GO, 
AND  { A4-208 } ,  ENTRY  TAKEOVER  RULES. 

3.  VEHICLE  ENERGY  PROBLEMS  REQUIRING  A  GROUND  CONTROLLED 
APPROACH  (GCA) . 

4.  ANY  ABORT  LANDING. 

5.  BFS  ENGAGED.  @[082202-5636] 
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A2-266  SUBSONIC  PILOT  FLIGHT  CONTROL  (CONTINUED) 

6.  ANY  GUIDANCE,  NAVIGATION,  OR  FLIGHT  CONTROL  SYSTEM (S) 
FAILURE  (E.G.,  CDR  HUD)  THAT  INCREASES  THE  PROBABILITY 
OF  A  TRAJECTORY  TRANSIENT  RESULTING  FROM  THE  TRANSFER 
OF  CONTROL  (MCC  CALL)  .  LOSS  OF  A  SINGLE  STRING  OF 
REDUNDANCY  IN  ANY  SYSTEM  (E.G.,  ONE  AA,  ONE  FCS 
CHANNEL,  ONE  RHC  CHANNEL,  ETC.)  WITH  NO  OTHER  FAILURES 
IS  NOT  CAUSE  FOR  PRECLUDING  TRANSFER  OF  CONTROL.  @[082202- 
5636] 

7.  IF  THE  MCC  RECOMMENDS  NO-GO  FOR  PLT  FLYING  BASED  ON  HAC 
DYNAMICS  (E.G.,  HIGH  TAIL  WINDS  AT  HAC  INTERCEPT). 

E.  THE  PLT  IS  THE  BACKUP  TO  THE  CDR  FOR  ANY  FLIGHT  PHASES 

REQUIRING  CSS  CONTROL.  IF  REQUIRED  FOR  VEHICLE  SAFETY,  THE 
CDR  MAY  TRANSFER  CONTROL  TO  THE  PLT  AT  ANY  TIME. 

Allowing  the  PLT  to  fly  for  a  short  period  of  time  during  entry  enhances  training  and  better  prepares  the 
pilot  for  future  orbiter  flying  tasks.  Regular  in-flight  exercise  of  transfer  of  vehicle  control  between  the 
CDR  and  PLT  during  nominal  approaches  will  better  prepare  crews  for  poten  tial  off  nominal  situations 
where  an  efficien  t  transfer  of  con  trol  would  be  required  to  ensure  vehicle  and  crew  safety.  The  in  ten  t  of 
this  rule  is  to  allow  the  PLT  to  fly  for  approximately  20  seconds  during  a  single  period,  either  prior  to 
HAC  intercept  or  once  established  on  the  HAC.  During  a  normal  entry,  there  is  sufficient  time  below 
Mach  1.00  to  cdlow  the  PLT  to  control  the  orbiter  and  still  cdlow  the  CDR  sufficient  time  to  complete  the 
more  critical  maneuvers,  such  as  the  initial  roll  onto  the  HAC  and  lining  up  on  final.  For  periods  prior 
to  HAC  intercept,  control  must  be  transferred  back  to  the  CDR  no  later  than  15  seconds  prior  to  HAC 
intercept  to  allow  the  CDR  sufficient  time  to  prepare  for  the  time-critical  maneuver  to  roll  onto  the  HAC. 
The  15-second  limit  was  chosen  based  on  flight  experience  (STS-102,  100,  108,  109,  and  110)  and  to 
make  the  best  use  of  the  onboard  cues,  primarily  the  HAC  predictor  ( the  HAC  predictor  begins  flashing 
20  seconds  prior  to  HAC  intercept  and  begins  moving  10  seconds  prior  to  HAC  intercept).  For  periods 
after  HAC  intercept,  or  for  straight-in  approaches,  control  must  be  transferred  back  to  the  CDR  prior  to 
20,000 feet  altitude  above  ground  level  (AGL).  For  an  overhead  HAC  approach  this  equates  to 
approximately  the  90-degrees  to  go  point  on  the  HAC.  When  CSS  is  engaged,  onboard  guidance  will  be 
followed,  and  no  inputs  will  be  made  other  than  those  required  to  fly  to  the  glideslope  and  course 
centerline,  or  otherwise  ensure  a  safe  landing.  @[082202-5636  ]  ®[ED  1 11302  ] 
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A2-266  SUBSONIC  PILOT  FLIGHT  CONTROL  (CONTINUED) 


There  are  some  cases  in  which  it  is  not  prudent  to  allow  the  PLT  to  have  this  training  time,  however.  If 
the  6  degrees  of  freedom  entry  simulation  as  explained  in  Rule  {A4-156j,  HAC  SELECTION  CRITERIA, 
indicates  that  delaying  CSS  until  a  HAC  turn  angle  of  180  degrees  is  preferred,  the  CDR  should  fly  from 
CSS  initiation  through  rollout.  For  these  HAC  cases,  energy  stops  diverging  at  the  180-degree  point  and 
begins  to  slowly  recover.  Handing  control  of  the  vehicle  between  the  CDR  and  PLT  in  this  timeframe  is 
not  prudent,  since  the  vehicle  energy  is  already  lower  than  typical  and  the  time  to  correct  any  energy 
problems  is  diminished.  Likewise  a  vehicle  problem  as  outlined  in  Rules  {A2-261},  ENTRY DTO/AUTO 
MODE/CROSSWIND  DTO  NO-GO  or  {A4-208}, ENTRY  TAKEOVER  RULES,  requires  significant 
concentration  on  the  flying  task,  and  a  handover  of  control  is  inappropriate.  Systems  failures  that  would 
invoke  this  rule  are  two  AA  failures,  no  or  single  air  data,  no  yaw  jet  flight  control  mode,  or  a  navigation 
system  anomaly  that  affects  the  vehicle  energy  state  (GCA).  In  the  event  of  an  abort,  flight  control 
handovers  between  CDR  and  PLT  should  be  avoided  due  to  the  increased  risk  inherently  associated  with 
the  abort,  and  to  eliminate  the  possibility  of  introducing  any  handover  dispersions  to  an  already 
challenging  abort  landing.  The  transfer  of  control  is  assumed  to  have  an  insignificant  impact  on  the 
vehicle  trajectory  and  energy  state,  although  arguably  that  impact  is  non-zero.  That  is,  in  most  cases  it 
is  nearly  impossible  to  transfer  vehicle  control  without  introducing  some  very  small  transient,  which  for 
the  nominal  case  is  acceptable.  However,  the  transfer  of  control  is  not  warranted  for  any  guidance, 
navigation,  or  flight  control  system(s)  problem)  s)  that  could  cause  a  transfer  of  control  to  result  in  more 
than  an  insignificant  impact  on  the  trajectory.  Additionally,  for  certain  HAC  dynamics  ( e. g. ,  high  tail 
winds  at  HAC  intercept),  the  flying  task  requires  more  setup  time  prior  to  HAC  intercept,  and  more  time- 
critical  inputs  before,  during,  and  after  HAC  intercept.  In  these  cases,  vehicle  energy  state  can  be  less 
forgiving  for  delayed  piloting  response  (at  HAC  intercept,  and  for  the  first  180  deg  of  HAC)  and  transfer 
of  vehicle  control  is  not  warranted.  @[082202-5636  ] 


Flight  crews  are  trained  preflight  to  transfer  control  positively  and  verbally  in  a  CRM  environment.  Any 
time  that  a  situation  occurs  that  detracts  from  the  CDR’s  ability  to  fly  the  vehicle,  it  is  acceptable  for  the 
CDR  to  hand  control  of  the  vehicle  over  to  the  PLT,  regardless  of  the  constraints  imposed  by  this  rule,  if 
required  to  ensure  a  safe  landing.  Ref.  A/E  FTP  #174,  March  30,  2001,  A/E  FTP  #184,  May  17,  2002 
and  A/E  FTP  #185,  June  28,  2002.  @[082202-5636  ] 

A2-267  THROUGH  A2-300  RULES  ARE  RESERVED  @[082202-5636] 
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A2-301  CONTINGENCY  ACTION  SUMMARY 


FAILURE 


R 

T 

L 

S 


A 

O 

A 


A 

T 

O 


ENTER 

FIRST 

DAY 

PLS 

ENTER 

ASAP 

(PLS, 

SLS 

ELS) 

ENTER 

IMMED. 

MAX 

DEORBIT 

DELAY 

[84] 

[1] 

[1] 

1 

ORB 

24 

HR 

X 

X 

X 

X 

X 

X 

X 

X 

X 

X 

X 

X 

X 

X 

X 

X 

X 

X 

X 

X 

X 

X 

X 

X 

A.  GROUND  INSTRUMENTATION 

1.  REMOTE  STATIONS 

a.  EDW  LANDING 

(1)  LOSS  OF  DFRF,  GDS,  AND  TDR 
(HDRANDLDR) 

(2)  LOSS  OF  ALL  DFRF,  GDS,  AND 
TDRS  VOICE  (S-BAND  AND  UHF) 

(3)  LOSS  OF  DFRF,  GDS,  AND  TDRS 
CMD 


[2] 

[2] 


b.  KSC  LANDING 

(1)  LOSS  OF  MIL,  PDL,  AND  TDRS  TLM 

(HDRANDLDR)  [2] 

(2)  LOSS  OF  MIL,  PDL,  AND  TDRS 

VOICE  (S-BAND  AND  UHF)  [2] 

(3)  LOSS  OF  MIL,  PDL,  AND  TDRS  CMD 

c.  NOR  LANDING 

(1)  LOSS  OF  ALL  UHF  AND  TDRS  S 

BAND  VOICE  [2] 

(2)  LOSS  OF  TDRS  TLM  [2] 

(3)  LOSS  OF  TDRS  CMD 

2.  TRACK 

a.  LOSS  OF  DUAL  TRACK  SOURCES  TO 
100K  FT  ALT 

b.  LOSS  OF  ALL  LANDING  AREA 

3.  MCC 

a.  LOSS  OF  MOC  AND  DSC  [3] 

b.  LOSS  OF  ALL  TPC’S 

c.  LOSS  OF  ALL  A/G  CAPABILITY 


@[121593-1590] 
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FAILURE 


B.  TRAJECTORY/GUIDANCE 

1.  TRAJECTORY 

a.  PERFORMANCE  VIOLATIONS  [5] 

b.  PROTECT  ATO  CAPABILITY 

c.  PROTECT  3  ENGINE  RTLS  GUIDANCE 
MECO 

d.  ONBOARD  PREDICTED  MECO  2  SEC 
DIFFERENT  THAN  GND  (CONFIRMED 
BY  NAV  VEL  ERRORS)  (MAN  C/O  ON 
GND  COMP  VALUE) 

e.  CG  OUTSIDE  OF  NOMINAL 
BOUNDARY 

f.  CG  OUTSIDE  CONTINGENCY 
BOUNDARY 

g.  MNVR  COMP  DOES  NOT  INCLUDE  AT 
LEAST  1  REPEAT  STDN  SITE  PASS 
FOLLOWING  A  PERIGEE  ADJUST  MNVR 

h.  PREDICTED  DOWNTRACK  ERROR  AT 
El  >20  NM 

i.  EOM  WEATHER  FORECAST 

VIOLATIONS  [38] 

2.  RANGE  SAFETY 

a.  RSO  ARM  CMD  RECEIVED  [7] 

b.  DEVIATION  TOWARDS  LIMIT  LINE  [7] 


X 

X 


X 


X 

X  X 


X 


XXX 


[9]  [9]  [9] 
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M 

A 
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S 
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D 

X 

X 

X 

X 

X 

X 

R 
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T 

A 

L 

X 

X 

X 

A 

o 

A 

X 

[31] 

A 

T 

O 

X 

ENTER 

FIRST 

DAY 

PLS 

[84] 

ENTER 

ASAP 

(PLS, 

SLS 

ELS) 

[1] 

ENTER 

IMMED. 

[1] 

MAX 

DEORBIT 

DELAY 

1 

ORB 

24 

HR 

C.  MPS 

1 .  MANUAL  THROTTLE  REQUIRED  FOR 

lh2  npsp 

2.  He  TK  LOST  (<750  PSI)  W/LMT  S/D  INH 

3.  CMD  PATH  FAIL 

4.  DATA  PATH  FAIL  WITH  UNVERIFIED 

CMD  PATH 

5.  CMD  AND  DATA  PATH  FAIL 

6.  2  STUCK  THROTTLE  W/3  SSME’S  ON  [8] 

7.  1  STUCK  THROTTLE  W/3  SSME’S  ON  [6] 

8.  3  ET  LOW  LVL  SENS  FAIL  DRY  SAME  TNK 

D.  OMS/RCS 

1.  QMS 

a.  LOSS  OF  1  OMS  He  TK  PRIOR  TO  OMS  1 

BBI 

b.  2  OMS  He  TK  FAIL 

(1)  PRIOR  TO  OMS  1 

D 

D 

KB1 

(2)  BETWEEN  OMS  1  AND  OMS  2  [1 2][1 5] 

[62] 

c.  1  OMS  PROP  TK  LK/FAIL  OR  2  TKS 

SAME  SIDE  LK/FAIL 

(1)  BEFORE  OMS  2  [25] 

ESI 

ran 

X 

(2)  BEFORE  DEORBIT  TIG  [1 5][1 6] 

[56] 

(3)  AFTER  DEORBIT  TIG  BUT  BEFORE 

HP  <  PROP  FAIL  HP  [1 4][1 5] 

X 

d.  2  OMS  PROP  TK  LK/FAIL,  DIFF  SIDE 

continued... 

■ 

■ 

■ 

X 

m 

■ 

■ 

X 

[13] 
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FAILURE 


D.  OMS/RCS  (continued) 

e.  2  OMS  ENG  FAIL 

(1)  BEFORE  OMS  1 

(2)  AFTER  OMS  1  [12] 

(3)  AFTER  DEORBIT  TIG  BUT  BEFORE 
HP  <  SAFE  HP 

f.  1  OMS  FAIL  AND  1  +  X  RCS  JET  FAIL 

g.  1  OMS  INLET  LINE  OR  2  SAME  SIDE 

(1)  BEFORE  OMS-2  [25] 

(2)  BEFORE  DEORBIT  TIG  [15][63] 

h.  2  OMS  INLET  LINES,  DIFF  SIDES,  SAME 
PROPELLANT 

i.  2  OMS  INLET  LINES,  DIFF  SIDES,  DIFF 

PROPELLANT  [25] 

2.  RCS 

a.  2  AFT  RCS  He/PROP  TK  LK/FAIL-DIFF 
SIDE 

(1)  DIFF  PROP  [19] 

(2)  SAME  PROP 

b.  2  AFT  JETS  SAME  AXIS/POD  FL’D  OFF 

BY  RM  [10] 

c.  1  AFT  RCS  He/PROP  TK  LK/FAIL  OR  2 
TKS  SAME  SIDE  LK/FAIL 


@[121593-1590] 
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FAILURE 


E.  DPS 

1.  LOSS  OF  1  GPC 

2.  REDUNDANT  SET  FAILURE  OR  GPC 

SPLITS  [20]  [53] 

3.  LOSS  OF  BFS  WITH  A  2  OR  MORE  GPC 
PASS  SET 

4.  LOSS  OF  2  GPC’S  (SPARE  AVAILABLE) 


5.  LOSS  OF  2  PL  MDM’S 

6.  LOSS  OF  2  FA  MDM’S 

7.  LOSS  OF  2  FF  MDM’S 

8.  GPC  BITE  (MULTIPLE  GPC’S) 

9.  LOSS  OF  2  MMU’S  [83] 

F.  EECOM 

1.  FIRE  (AV  BAY  OR  CABIN)  [58] 

2.  ARS/PCS 

a.  LOSS  OF  2  CABIN  FANS  [60][39] 

b.  LOSS  OF  AV  BAY  COOLING  IN  BAY  1 

OR  2  [30] 

c.  LOSS  OF  AV  BAY  COOLING  IN  BAY  3  [30] 

d.  LOSS  OF  3  OF  6  AV  BAY  FANS  [74] 

e.  LOSS  OF  3  IMU  FANS 

f.  LOSS  OF  CABIN  PRESS  INTEGRITY  [37] 

g.  LOSS  OF  PP02  CONTROL  [78] 

h.  LOSS  OF  1  H20  LOOP 

i.  LOSS  OF  2  H20  LOOPS  [28] 


@[090894- 1 675  ]  ®[1 02402-5804C] 
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F.  EECOM  (CONCLUDED) 

2.  ATCS 

a.  LOSS  OF  1  FREON  LOOP 

b.  LOSS  OF  2  FREON  LOOPS 

c.  LOSS  OF  FES  (TOPPING  AND  HI  LOAD 

EVAPS)  [24]  [26] 

d.  LOSS  OF  HI  LOAD  EVAP 

e.  RESERVED 

f.  FREON  TO  CABIN  H20  LOOP  LEAK 

g.  LOSS  OF  2  RFCA’S 

G. EGIL 

1.  CRYO 

a.  LOSS  OF  ALL  CRYO  02  TANKS  OR  ALL 


CRYO  H2  TANKS  IMPENDING  [51] 

b.  H2  MANIFOLD  OR  TANK  LEAK  [43] 

2.  FUEL  CELL 

a.  LOSS  OF  2  FUEL  CELLS  [32] 

b.  FC  PRIMARY  H20  FLOW  TO  ECLSS  (3)  [72] 

3.  EPDC 

a.  MNAANDB  [46] 

b.  MN  B  AND  C  [46] 

c.  MN  A  AND  C  [46] 

d.  ANY  MN,  AC,  OR  CNTL  BUS 

e.  MULTI-F  ON  AN  AC  BUS  (NOT  SHORTED) 

f.  CNTLCA1  [71] 


@[020196-1 81 OA] 
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H.  MMACS 

1.  APU/HYD/WSB 

a.  LOSS  OF  2  WSB 

b.  LOSS  OF  1  APU/HYD 

c.  LOSS  OF  2  APU/HYD 

d.  DELETED 

e.  IMPENDING  LOSS  OF  ALL  APU/HYD 
CAPABILITY 

f.  LOSS  OF  2  LND  GEAR  DEPLOY 
METHODS 

2.  MECHANICAL 

a.  PBD  CENTERLINE  NOT  WITHIN  LIMITS 

b.  ANY  PBD  LATCH  GANG  FAILED 
CLOSED 

c.  LOSS  OF  ONE  MOTOR  ON  TWO 
DIFFERENT  PBD  C/L  OR  BULKHEAD 
LATCH  GANGS 

d.  PBD  C/L  OR  BULKHEAD  LATCH  GANG 
FAILS  IN  TRANSIT  (NOT  CLEAR  OF 
ROLLERS) 

e.  STARBOARD  PBD  FAILS  IN  TRANSIT 
(READY-TO-LATCH  INDICATORS 
PRESENT 

f.  CONFIRMED  TIRE  LEAK 

g.  LOSS  OF  NWS 

3.  STRUCTURAL 

a.  THERMAL  WINDOWPANE  FAILURE 

b.  PRESSURE  OR  REDUNDANT 
WINDOWPANE  FAILURE 


®[1 1 1699-7070B] 
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I.  COMM 

1.  LOSS  OF  ALL  A/G  VOICE 

2.  LOSS  OF  BOTH  A/G  VOICE  AND  CMD 

3.  LOSS  OF  TLM  (HDR  AND  LDR) 

4.  RESERVED 

5.  LOSS  OF  CMD 

J.  GNC/AERO 

1.  TVC  PROBLEM  RESULTING  IN 
HARDOVER  ACTUATOR 

2.  LOSS  OF  CONTROL 

a.  IN  1ST  STG  AND  NOT  REGAINED  BY 
BFS 

b.  IN  2ND  STG  AND  NOT  REGAINED  BY 
MAN  TVC  OR  BFS  ENGAGE 

3.  LOSS  OF  4  OF  6  RHC  CH 


4.  LOSS  OF  2  AA’s  (LAT),  2  RGA’s,  OR  2 
ADTA’s  (CONCRETE  RUNWAY) 

5.  LOSS  OF  3  AA’s  (LAT)  3  RGA’s,  OR  3 
ELEV/BF  FDBK’s  (SAME  SURFACE) 

6.  LOSS  OF  2  FCS  CHANNELS  (SAME 
SURFACE)  (CONCRETE  RUNWAY) 

7.  LOSS  OF  3  ADTA’s 

8.  LOSS  OF  2  IMU’s 

9.  IMU  DILEMMA 

10.  LOSS  OF  1  IMU,  2  TACAN/GPS,  OR  1  MLS 


@[041196-1914]  @[092602-5640] 
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LEGEND 

X  =  PERFORM  CONTINGENCY  ACTION 

[]  =  NOTE 

( )  =  QUANTITY _ 


NOTES: 

[1]  CERTAIN  RAPID  ENTRY  CONDITIONS  COULD  REQUIRE  ENTRY  PRIOR  TO  MCC  AND  LANDING  SITE  NOTIFICATION. 

[2]  COMM/DATA  LINES  TO  SUPPORT  LISTED  REQUIREMENTS  ALSO  MANDATORY. 

[3]  24  OF  64  DTE  CHANNELS  MANDATORY. 

[4]  ASSUMES  THREE  UNRECOVERABLE  GPC’S. 

[5]  ACCEPT  HIGHEST  ABORT  MODE  AVAILABLE. 

[6]  REFERENCE  RULE  {A5-108},  MANUAL  SHUTDOWN  FOR  HYDRAULIC  OR  ELECTRICAL  LOCKUP.  ®[ED  ] 

[7]  SECOND  STAGE  ONLY  (REF.  RULES  {A4-260},  RANGE  SAFETY  LIMIT  AVOIDANCE  ACTIONS. 

[8]  REFERENCE  RULE  {A5-109},  MANUAL  SHUTDOWN  FOR  TWO  STUCK  THROTTLES  (NOT  DUAL  APU  FAILURES). 
®[ED  ] 

[9]  TAL/AOA  IS  ACCEPTED  TO  PROTECT  THE  CONTINGENCY  CG  BOX.  IF  TAL/AOA  DUMP  MGMT  WILL  NOT  RECOVER 
CG,  CONTINUE  UPHILL. 

[1 0]  TO  ALLOW  TESTING  JETS  PRIOR  TO  ENTRY. 

[11]  IF  PRIOR  TO  OMS-1,  PERFORM  DELAYED  ATO.  FOR  DIRECT  INSERTION  CUTOFF  OMS-2  AT  MINIMUM  HP.  FOR 
DELAYED  ATO,  THE  RAISE  ORBIT  MANEUVER  WILL  NOMINALLY  BE  PLANNED  FOR  TTA  =  2  (TIME  TO  APOGEE). 

[12]  AFTER  OMS-1.  CUTOFF  OMS-2  AT  MINIMUM  HP. 

[13]  WHERE  LEAK  IN  BOTH  SIDES  SAME  PROPELLANT.  IF  LEAK  RATE  SUPPORTS  (PROPELLANT  ONLY) 

(IF  RCS  MUST  SUPPORT  TO  A  Q-BAR  =  20). 

[14]  AFTER  DEORBIT  TIG,  TERMINATING  BURN  FOR  THIS  FAILURE  REQUIRES  DEORBIT  24  HOURS  LATER. 

[15]  SHALLOW  ENTRY  IF  REQUIRED. 

[16]  IF  LEAK,  PERFORM  PERIGEE  ADJUSTMENT  AT  PLANNED  DEORBIT  TIG  IF  LEAK  RESULTS  IN  PROJECTED 
VIOLATION  OF  POD  THERMAL  CONSTRAINTS. 

[17]  THIS  HP  ALLOWS  DEORBIT  OPPORTUNITY  24  HOURS  LATER  WITH  WORST  CASE  ATT  PROFILE  (PTC). 

[18]  DEORBIT  DELAY  ONLY  REQUIRED  IF  RCS  DOWNMODE  CAPABILITY  DOES  NOT  EXIST. 

[19]  IF  BOTH  LEAKS  IN  SAME  SIDE  OR  BOTH  SIDES  LEAKING  BUT  DIFFERENT  PROPELLANT,  PERFORM  NOM. 

[20]  IF  UNABLE  TO  OBTAIN  VIABLE  GNC  3  OPERATION,  ENTER  ON  BFS. 

[21]  FAILURE  PRECLUDES  SINGLE  FAULT  TOLERANCE.  DELAY  TO  VERIFY  RM  DECLARED  FAILURES  OR  TO  RESOLVE 
A  DILEMMA  CASE  (REF.  RULE  {A8-7},  ENTRY  SYSTEMS  SINGLE-FAULT  TOLERANCE  VERIFICATION;  AND  RULE  {A8- 
8},  ENTRY  SYSTEMS  RM  DILEMMA). 

[22]  A  ONE-ORBIT  WAVE-OFF  MAY  OR  MAY  NOT  ALLOW  SUFFICIENT  TIME  TO  REGAIN  SINGLE-FAULT  TOLERANCE. 

IN  MANY  CASES,  DELAYING  UP  TO  ONE  DAY  WILL  BE  NECESSARY  IN  ORDER  TO  ALLOW  SYSTEM 
COMPENSATION/RECONFIGURATION  (REF.  RULE  {A8-7},  ENTRY  SYSTEMS  SINGLE-FAULT  TOLERANCE 
VERIFICATION). 

[23]  POST-MECO  OMS-1/OMS-2,  SHALLOW  ENTRY  IF  REQUIRED. 

[24]  IF  NECESSARY  TO  RECONFIGURE  TO  REDUCED  POWER  LEVEL. 

[25]  AFTER  OMS-1 ,  CHECKOUT  OMS-2  WHEN  MINIMUM  HP.  NEXT  PLS  DEORBIT  WITH  MIXED  CROSSFEED  IF 
REQUIRED. 
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[26]  GO  TO  ORBIT  AND  OPEN  PLBD’S  ASAP. 

[27]  ATTITUDE  ERROR  (>3  DEGREES  IN  PITCH  OR  YAW  OR  >10  DEGREES  IN  ROLL)  WITHOUT  CONVERGING  RATES 
OR  RATES  GREATER  THAN  3  DEG/SEC  WITHOUT  CORRESPONDING  ATTITUDE  ERRORS  (REF.  RULE  {A8-1},  FCS 
DOWNMODE). 

[28]  IMMEDIATE  POWERDOWN  REQUIRED. 

[29]  POWER  DOWN  TO  SURVIVAL  POWER  LEVEL. 

[30]  DELAY  IF  REQUIRED  TO  RECONFIGURE  DPS  TO  TWO  PASS  AND  ONE  BFS  OR  ALLOW  3.5  HOURS  OF  GPC 
COOLDOWN  TO  REGAIN  ALL  GPC’S. 

[31]  IF  A  2-SIGMA  CONFIDENCE  LEVEL  OF  ACHIEVING  AOA  CAPABILITY  EXISTS.  (REF.  RULE  {A5-157},  ET  LOW  LEVEL 
CUTOFF  SENSOR  FAILED  DRY). 

[32]  POWER  DOWN  FOR  SINGLE  FC  ENTRY. 

[33]  RESERVED. 

[34]  IF  INSUFFICIENT  DELTA  V  AVAILABLE  TO  ACHIEVE  ATO,  PERFORM  AOA  SHALLOW  OMS-1  ,-2. 

[35]  REFERENCE  RULE  {A8-2},  SSME  THRUST  VECTOR  CONTROL  (TVC)  HARDOVER. 

[36]  REFERENCE  RULES  [A1 1 -52A  AND  B},  LOSS  OF  BOTH  VOICE  AND  COMMAND. 

[37]  WITH  CABIN  AT  14.7  PSIA  AND  BOTH  14.7  PSI  REGULATORS  CLOSED,  DP/DT  DECAY  RATE  >  0.15  PSI/MIN,  RTLS 
ORTAL.  IF  ?  0.15  AND  >0.02  PSI/MIN  PLS  OR  AOA  (REF.  RULE  {A17-201},  CABIN  PRESSURE  INTEGRITY).  ®[ED  ] 

[38]  OTHER  OPTIONS  AND  PRIORITIES  PER  RULE  {A4-109},  DEORBIT  PRIORITY  FOR  EOM  WEATHER. 

[39]  LOSS  OF  BOTH  CABIN  FANS  WILL  REQUIRE  IMMEDIATE  POWERDOWN  AND  EXTENSIVE  HARDWARE  CYCLING  TO 
OBTAIN  ORBIT  AND  ENTRY. 

[40]  LIMITING  TIME  OF  ~18  MINUTES  (BASED  ON  2.76  KWH/FC  FOR  FC  FLOOD  WITHOUT  PURGING). 

[41]  ASSUMES  PLBD  NOT  OPEN. 

[42]  REF.  RULE  [A1 0-23A},  APU  ENTRY  START  TIME. 

[43]  DELAY  DEORBIT  TO  DEPLETE  A  LEAKING  H2  TANK  OF  ANY  SIZE.  IF  TANK  CANNOT  BE  DEPLETED  OR  IF  LEAK  IS 
IN  MANIFOLD,  DELAY  DEORBIT  TO  ALLOW  PRESSURE  BLOWDOWN  TO  REDUCE  LEAK  RATE  TO  <1  LB/HR. 
REFERENCE  RULE  [A9-260C},1 ,  CRYO  SYSTEM  LEAKS  [CIL], 

[44]  DELAYED  ATO  IF  SUFFICIENT  PROPELLANT  AVAILABLE  IN  BLOWDOWN.  FOR  DELAYED  ATO,  THE  RAISE  ORBIT 
MANEUVER  WILL  NOMINALLY  BE  PLANNED  FOR  TTA  =  2  (TIME  TO  APOGEE). 

[45]  RESERVED 

[46]  RTLS  UNTIL  NEGATIVE  RETURN  BECAUSE  OF  INABILITY  TO  CLOSE  ET  DOORS. 

[47]  RESERVED 

[48]  IF  DEPLOYABLE  PAYLOADS  ARE  ONBOARD,  PERFORM  NEXT  PLS  ENTRY  AFTER  ATTEMPTS  HAVE  BEEN  MADE  TO 
DEPLOY  THE  PAYLOADS.  OTHERWISE  ENTER  FIRST  DAY  PLS  (REF.  RULES  {A1 0-21  A}. 2,  LOSS  OF 
APU/HYDRAULIC  SYSTEM(S)  ACTIONS,  AND  {A1 0-1 22},  LOSS  OF  WSB(S)  ACTIONS. 

[49]  IF  FREEZEUP  SUSPECTED,  REMAIN  ON  ORBIT  TO  ATTEMPT  TO  THAW  OUT  THE  HI-LOAD  EVAPORATOR. 

[50]  THE  SIMULTANEOUS  CLOSE  PROCEDURE  IS  AN  OPTION  FOR  THE  EXCESSIVE  OVERLAP  CASE  (REF.  RULE  [A10- 
207},  PLBD  OVERLAP). 

[51]  SELECT  ABORT  MODE  WITH  SHORTEST  RETURN  TIME. 
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[52]  IF  BOTH  LOOPS  FAILED  IN  BYPASS  OR  MEDIUM  FLOW. 

[53]  AFTER  DEORBIT  TIG,  TERMINATE  BURN  FOR  FAILURE  IF  HP  >  SAFE  HP.  REQUIRES  DEORBIT  24  HOURS  LATER. 

[54]  RATES  >  5  DEG/SEC  IN  PITCH  OR  YAW.  REFERENCE  RULE  {A8-54},  FIRST  STAGE  LOSS  OF  CONTROL 
DEFINITION.  ®[ED  ] 

[55]  AT  LEAST  ONE  CHANNEL  REQUIRED  EACH  SIDE.  REFERENCE  RULE  {A8-1001},  GNC  GO/NO-GO  CRITERIA. 

[56]  IF  ONE  ORBIT  DELAY  NOT  AVAILABLE,  DELAY  1  DAY.  FOR  PROPELLANT  LEAKS,  IT  MAY  BE  NECESSARY  TO 
DELAY  LONGER  THAN  ONE  ORBIT  IN  ORDER  TO  ALLOW  POD  THERMAL  ENVIRONMENT  TO  SUPPORT  ENTRY. 

[57]  IF  TIG  BETWEEN  45  AND  15  MINUTES  AND  ONE  REV  LATE  DEORBIT  IS  AVAILABLE,  REOPEN  PLB  DOORS  AND 
WAVE  OFF  ONE  REV.  IF  RADS  ARE  COLDSOAKED  AND  ONE  REV  LATE  DEORBIT  NOT  AVAILABLE,  UTILIZE  THE 
COLDSOAK  TO  CONTINUE  WITH  PLANNED  TIG.  IF  RADS  ARE  NOT  COLDSOAKED  AND  ONE  REV  LATE  IS  NOT 
AVAILABLE,  REOPEN  PLB  DOORS  AND  WAVE  OFF  1  DAY.  @[0201 96-1 81 0A  ] 

[58]  IF  TOXIC  COMBUSTION  PRODUCTS  CANNOT  BE  SATISFACTORILY  REMOVED  FROM  THE  CABIN  ATMOSPHERE, 
THE  CREW  WILL  REMAIN  ON  QDM/LES  UNTIL  ORBITER  EGRESS.  EOM  IS  BASED  UPON  AVAILABLE  N2 
CONSUMABLES  FOR  MAINTAINING  THE  02  CONCENTRATION  WITHIN  ACCEPTABLE  LIMITS.  REF.  RULE  {A13- 
152C},  CABIN  ATMOSPHERE  CONTAMINATION  AND  [A1 7-254},  CABIN  02  CONCENTRATION.  @[070201 -4726A] 

ON  ASCENT,  FIRST  DAY  PLS  WILL  ONLY  BE  NECESSARY  IF  THE  CABIN  ATMOSPHERE  CANNOT  BE  CLEANED  UP. 
IF  THE  EXTENT  OF  THE  DAMAGE  TO  EQUIPMENT  AND  WIRE  BUNDLES  IS  UNKNOWN,  EVEN  IF  THE  ATMOSPHERE 
HAS  BEEN  CLEANED  UP,  A  NEXT  DAY  PLS  WILL  BE  PERFORMED  TO  MINIMIZE  THE  RISK  OF  THE  OCCURRENCE 
OF  AN  ADDITIONAL  FIRE  OR  ARC  TRACKING.  @[072795-1779]  @[070201 -4726A] 

[59]  PROPELLANT  LEAK  ONLY. 

[60]  ELS  WILL  PROBABLY  BE  REQUIRED  IF  THE  NEXT  PLS  OR  SLS  IS  GREATER  THAN  8  HOURS.  AS  LONG  AS  CABIN 
ENVIRONMENT  IS  ACCEPTABLE,  A  PLS  WILL  BE  TARGETED.  @[0201 96-1 81 0A] 

[61]  CAUSES  LOSS  OF  ONE  MOTOR  IN  EACH  OF  TWO  SEPARATE  PLBD  LATCH  GANGS  (REF.  RULE  {A10-209B},  PLBD 
RULE  REFERENCE  MATRIX).  DC  AND  AC  SUB-BUSES  THAT  CAUSE  THIS  FAILURE  ARE: 

MNA  MPC1 ,  MMC1 ,  MMC3 
MNB  MPC2,  MMC2,  MMC4 
MNC  MPC3,  MMC2,  MMC4 
AC1  MMC1 ,  MMC3 
AC2  MMC2,  MMC4 
AC3  MMC2,  MMC4 

[62]  ENTER  FIRST  DAY  PLS  UNLESS  DELTA  V  IMPROVEMENT  POSSIBLE. 

[63]  PERFORM  PERIGEE  ADJUST  BURN  SEPARATION. 

[64]  ORBIT  2  DEORBIT  REQUIRED.  (REF.  RULE  {All-52},  LOSS  OF  BOTH  VOICE  AND  COMMAND.) 

[65]  RESULTS  IN  LOSS  OF  TWO  FCS  CHANNELS. 

[66]  EXCEPT  COMBINATION  OF  MDM’S  FF4  AND  ANY  OTHER  FF  MDM.  OTHERWISE,  THE  FAILURE  OF  ANY 
COMBINATION  OF  MDM’S  FF1 ,  FF2,  OR  FF3  WILL  RESULT  IN  THE  LOSS  OF  TWO  IMU’S.  MDM  IFM  MAY  BE 
PERMITTED  TO  MEET  IMU  REQUIREMENT.  REFERENCE  RULE  {A7-109},  IN-FLIGHT  MAINTENANCE  (IFM). 
@[090894-1684] 

[67]  RESERVED 

[68]  REFERENCE  RULE  {A9-1 58B],  AC  POWER  TRANSFER  CABLE. 

[69]  IF  REQUIRED  TO  MAINTAIN  TWO-FC  ENTRY  CAPABILITY. 
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[70]  FIRST  DAY  PLS  FOR  CONFIRMED,  UNRECOVERABLE  LOSS  OF  TWO  AFT  RCS  PITCH  JETS,  SAME  AXIS,  SAME  POD 
(N/A  YAW  JETS). 

[71]  LOSS  OF  CNTL  CA1  LOSES  BFS  ENGAGE  CAPABILITY  FOR  GPC  3  AND  5.  A  DELAY  WILL  BE  INVOKED  TO  SWITCH 
BFS  MACHINES.  REFERENCE  RULE  {A7-53B},  ON-ORBIT  BFS  MANAGEMENT  GUIDELINES. 

[72]  LOSS  OF  COMPLETE  PRIMARY  SYSTEM  MAY  HAVE  RESULTED  FROM  FREEZING  OF  THE  FC  H20  RELIEF  PANEL. 
THIS  COULD  ALSO  CAUSE  LOSS  OF  OVERBOARD  RELIEF  AND  LEAVE  ONLY  THE  ALTERNATE  SYSTEM  FOR  FC 
H20  REMOVAL.  REFERENCE  RULE  {A9-1001},  ELECTRICAL  GO/NO-GO  CRITERIA. 

[73]  RESERVED 

[74]  ENTER  NEXT  PLS  IF  A  SINGLE  ELECTRICAL  FAILURE  (AC  BUS)  COULD  CAUSE  THE  LOSS  OF  AIR  COOLING  TO 
TWO  AVIONICS  BAYS. 

[75]  DELAY  TO  VERIFY  POWER,  MDM,  AND  BITE  RELATED  FAILURES,  AND  TO  ASSESS  THE  RISKS  OF  FLYING  THETA 
LIMITS  VS.  INCORPORATING  THE  LAST  ADTA  (REF.  RULE  {A8-7},  ENTRY  SYSTEMS  SINGLE-FAULT  TOLERANCE 
VERIFICATION,  AND  RULE  {A8-1 1 1 B},  GNC  AIR  DATA  SYSTEM  MANAGEMENT  [CIL]). 

[76]  DELAY  TO  TARGET  FOR  REQUIRED  RUNWAY  (REF.  RULE  {A2-207},  LANDING  SITE  SELECTION). 

[77]  A  LANDING  WILL  BE  REQUIRED  WITHIN  4  HOURS  OF  THE  FAILURE. 

[78]  PLS  REQUIRED  IF  AUTO/MANUAL  PP02  CONTROL  CANNOT  MAINTAIN  AEROMED  MINIMUM  (REF.  RULE  [A1 3- 
53 A}.  1 ,  MINIMUM  PP02  CONSTRAINTS)  AND  LESS  THAN  30  PERCENT  02  AT  TOUCHDOWN.  ELS  REQUIRED 
IF  40  PERCENT  02  IS  EXPECTED  TO  BE  EXCEEDED  PRIOR  TO  NEXT  PLS  TOUCHDOWN. 

[79]  ENTER  NEXT  PLS  IF  TIRE  PRESSURE  WILL  BE  £  275  PSI  MAIN,  260  PSI  NOSE  AT  NEXT  PLS  LANDING 
OPPORTUNITY  PLUS  2  DAYS. 

[80]  RESERVED 

[81]  RESERVED  ®[1 02402-5804C] 

[82]  REFERENCE  RULE  {A8-61},  SSME  SHUTDOWN  DUE  TO  HYDRAULIC  SYSTEM  FAILURES. 

[83]  FOR  LOSS  OF  TWO  MMU’S  DURING  ASCENT,  CONSIDERATION  WILL  BE  GIVEN  TO  PERFORMING  THOSE  MISSION 
OBJECTIVES  THAT  DO  NOT  REQUIRE  MASS  MEMORY  RESIDENT  FUNCTIONS  (I.E.,  GNC  2,  SM,  SM  ROLL-IN 
DISPLAYS,  OR  TELEMETRY/DECOM  FORMAT  LOADS). 

[84]  REFERENCE  RULE  {A2-2},  ABORT  LANDING  SITE  REQUIREMENTS.  IF  FD  1  LANDING  SITE  IS  GO,  LAND  FD  1.  IF  FD 
1  LANDING  SITE  IS  NO-GO,  IF  POSSIBLE,  DELAY  DEORBIT  TO  FD  2.  @[121593-1590  ] 

[85]  IF  HIGH-SPEED  C-BAND  RADAR  NOT  SCHEDULED  FOR  ENTRY,  DELAY  AS  REQUIRED  TO  SCHEDULE  (REF.  RULE 
{A3-1},  GROUND  AND  NETWORK  DEFINITIONS),  UNLESS  GPS  IS  AVAILABLE  AND  FUNCTIONING  PROPERLY  (REF. 
RULE  {A8-1 15},  GPS  SYSTEM  MANAGEMENT).  IF  MLS  FAILURE,  DELAY  ONLY  IF  MLS  REQUIRED  PER  RULE  [A3- 
202},  MLS.  @[041196-1914]  ®[ED  ]  @[092602-5640] 

[86]  A  TOTAL  COMBINATION  OF  2  TACAN/GPS  LRU'S  MUST  BE  LOST  FOR  THIS  RULE  TO  APPLY  GIVEN  THAT  THE 
REMAINING  2  LRU’S  PROVIDE  AT  LEAST  FAIL-SAFE  CAPABILITY  WITHOUT  REGARD  FOR  TRACKING  AVAILABILITY. 
@[092602-5640  ] 
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A2-311  SPACEHAB  SAFETY  DEFINITION  AND  MANAGEMENT 

A.  DEFINITIONS:  @[102793-1552] 

1 .  RAPID  SAFING  -  SECURING  OF  ANY  PAYLOAD  ELEMENT  IN  A 
TIME-CRITICAL  MANNER  AS  DEFINED  BY  THE  SPACE  SHUTTLE 
PROGRAM  FOR  ABORTS  AND  CONTINGENCY  RETURN  OF  THE 
ORBITER.  ®[1 11501-4981 E] 

2.  UNSAFE  -  ONLY  TWO  INHIBITS  CAN  BE  VERIFIED  TO  A 
CATASTROPHIC  HAZARD. 

3.  HAZARDOUS  -  ONLY  ONE  INHIBIT  CAN  BE  VERIFIED  TO  A 
CATASTROPHIC  HAZARD. 

4.  SAFE  -  SHALL  BE  DEFINED  AS  ANY  ONE  OF  THE  FOLLOWING: 

a.  AT  LEAST  THREE  INHIBITS  REMAIN  TO  A  CATASTROPHIC 
HAZARD,  TWO  OF  WHICH  MUST  BE  MONITORABLE. 

b.  RESTRAINT/SECURING  OF  ANY  PAYLOAD  ELEMENT  CAPABLE  OF 
PENETRATING  A  MODULE  AS  A  RESULT  OF  ORBITER  INDUCED 
ENTRY/LANDING  LOADS. 

Reference:  NSTS  18798A,  MA2-96- 190,  “CONTINGENCY  RETURN  AND  RAPID  SAFING,”  memo 
dated  January  9,  1997.  ®[1 11501 -4981 E] 
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A2-311  SPACEHAB  SAFETY  DEFINITION  AND  MANAGEMENT 

(CONTINUED) 


B.  GENERALIZED  RESPONSES  TO  UNSAFE/HAZARDOUS  CONDITIONS: 

1.  RAPID  SAFING  -  FOR  SPACEHAB,  CONTINGENCY 
DEACTIVATION/EGRESS  PROCEDURES  ARE  USED  FOR  OFF 
NOMINAL/EMERGENCY  SITUATIONS  REQUIRING  AN  EXPEDITED 
RESPONSE  TO  SECURE  THE  MODULE  FOR  A  SAFE  ENTRY  AS  DEFINED 
IN  RULE  {A2-329},  SPACEHAB  DEACTIVATION/ENTRY  PREP. 
@[102793-1552]  ®[1 1 1501-4981 E]  ®[ED  ] 

2.  UNSAFE  -  NO  IMMEDIATE  ACTION  IS  REQUIRED.  IF  POSSIBLE, 
RESTORATION  OF  THE  SAFE  CONDITION  WILL  NORMALLY  BE 
ATTEMPTED,  BUT  SUCH  ACTION  WILL  NOT  BE  ALLOWED  TO 
JEOPARDIZE  MISSION  SUCCESS. 

3.  HAZARDOUS  -  QUICK  RESPONSE  IS  MANDATORY:  TAKE  POSITIVE 
ACTION  TO  RESTORE  THE  SYSTEM  TO  NO  WORSE  THAN  AN  UNSAFE 
CONDITION.  IF  UNSUCCESSFUL,  TERMINATE  THE  EXPERIMENT  AS 
SOON  AS  POSSIBLE  (ASAP)  .  ®[1 11501  -4981 E] 
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A2-312  REAL-TIME  SAFETY  COORDINATION 

A.  ANY  SPACEHAB  PAYLOAD  FAILURE  WHICH  POSES  AN  IMMEDIATE  THREAT 
TO  ORBITER  SYSTEMS  OR  CREW  HEALTH  (FOR  EXAMPLE:  BROKEN 
GLASS,  TOXIC  SPILLS,  SMOKE/FIRE,  ANIMAL  WASTE,  AND  FREE 
WATER)  WILL  BE  COORDINATED  BY  THE  CREW  DIRECTLY  WITH  HOUSTON 
FLIGHT  THROUGH  EECOM  AND  SURGEON,  WITH  ASSISTANCE  FROM 
HOUSTON  PAYLOADS/ACO.  HOUSTON  PAYLOADS/ACO  WILL  IMMEDIATELY 
NOTIFY  THE  PAYLOAD  OPERATIONS  CONTROL  CENTER  (POCC)  AND  WILL 
PROVIDE  ANY  ADDITIONAL  COORDINATION  WITH  OTHER  MCC  FCT 
DISCIPLINES,  IF  NECESSARY.  @[060800-7124]  ®[11 1501 -4981 E] 

This  approach  allows  the  MCC  FCT  to  prioritize,  coordinate,  and  address  the  immediate  health  threat  to 
the  crew.  All  payload-specific  questions  will  be  relayed  to  the  POCC.  It  is  understood  that  the  crew  will 
work  the  appropriate  onboard  contingency  procedures  to  reduce  the  immediate  threat  without  talking  to 
the  ground  first.  Crew  indication  of  an  electrical  short  is  fire/smoke  ( covered  in  paragraph  A),  popped 
circuit  breaker  ( covered  in  paragraph  B),  or  maintained  increase  in  current  (covered  in  paragraph  B). 

For  coordination  of  electrical  problems/ shorts,  reference  Rule  {A9-355J,  FUSE/CIRCUIT  BREAKER 
MANAGEMENT.  ®[i  1 1501-4981 E]  ®[ED  ] 

B.  ANY  PAYLOAD  FAILURES,  WHICH  ORIGINATE  FROM  PAYLOAD  HARDWARE 
AND  DO  NOT  POSE  AN  IMMEDIATE  THREAT  TO  ORBITER  SYSTEMS  OR 
CREW  HEALTH  AS  DEFINED  IN  PARAGRAPH  A,  WILL  BE  COORDINATED  BY 
THE  CREW  DIRECTLY  WITH  THE  POCC.  THE  POCC  WILL  IMMEDIATELY 
NOTIFY  HOUSTON  PAYLOADS/ACO  OF  ANY  SITUATION  AFFECTING  SAFETY 
(I.E.,  LOSS  OF  CONTAINMENT  LEVEL,  LOSS  OF  REDUNDANCY, 
POTENTIAL  SHORT  WITHIN  PAYLOAD  HARDWARE,  ETC.).  IF  THE 
SITUATION  IS  NOT  WITHIN  THE  SCOPE  OF  THE  PREMISSION-DEFINED 
FLIGHT  RULES  AND  PROCEDURES,  NO  ACTION  (OTHER  THAN  REMOVAL  OF 
THE  HAZARD  POTENTIAL)  WILL  BE  TAKEN  WITHOUT  FULL  AND  PRIOR 
COORDINATION  WITH  THE  MCC  FCT.  ®[1 1 1 501 -4981 E] 

Safety  related  payload  failures  which  can  be  addressed  directly  between  the  crew  and  POCC  are  those 
which  originate  in  payload  equipment  and  which  do  not  affect  the  atmosphere  leading  to  an  immediate 
threat  to  orbiter  systems  or  crew  health.  These  payload-originated  failures  must  be  specifically 
addressed  in  premission-defined  flight  rules  and  procedures.  Although  the  MCC  Flight  Director  is 
ultimately  responsible  for  the  safety  of  the  orbiter/Spacehab  and  crew,  it  is  recognized  that  the  POCC 
has  the  expertise  on  and  sufficient  data/insight  into  the  payload  hardware.  As  soon  as  the  POCC  is 
cognizant  of  a  payload  safety  situation;  however,  the  MCC  must  be  notified  for  further  assessment  of 
orbiter/Spacehab  and  crew  impacts.  The  only  action(s)  which  may  be  taken  that  is  (are)  not  in  the  scope 
of  the  premission  defined  flight  rules  or  procedures  and  without  prior  coordination  with  the  MCC  is 
(are)  to  eliminate  the  hazard  cause(s)  ( i.  e. ,  remove  power,  etc.).  For  coordination  of  electrical 
problems/ shorts,  reference  Rule  { A9-355 j,  FUSE/CIRCUIT  BREAKER  MANAGEMENT.  @[060800-7124] 

®[1 11501-4981 E]  ®[ED  ] 
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A2-313  GROUND  COMMANDING 

A.  ALL  PAYLOAD  COMMANDING  WILL  BE  COORDINATED  WITH  HOUSTON 
FLIGHT  THROUGH  HOUSTON  PAYLOADS /ACO .  NOMINALLY,  POCC 
COMMANDING  WILL  BE  THROUGHPUT  COMMANDS.  TWO-STAGE 
COMMANDING,  CONTINGENCY  COMMANDING,  AND  KU-BAND  128  COMMAND 
LINK  (RDM  ONLY)  WILL  REQUIRE  COORDINATION  WITH  INCO.  @[060800- 
7125]  ®[1 11501-4981 E] 

HOUSTON  FLIGHT  is  responsible  for  all  commanding  to  the  shuttle  vehicle,  and  all  commanding  must 
be  done  with  the  cognizance  of  HOUSTON  FLIGHT.  The  specific  coordination  tasks  and  configuration 
authority  is  usually  delegated  on  Spacehab  missions  to  the  Instrumentation  And  Communications 
Officer,  call  sign  HOUSTON  INCO,  HOUSTON  PAYLOADS/ ACO,  and  their  support  personnel. 

Payload  commanding  will  be  identified  premission  with  POCC  command  windows  reflected  in  the 
command  timeline.  Nominally,  the  Payload  Operations  Control  Center  (POCC)  will  only  be  enabled 
during  these  premission-defined  windows.  If  off-nominal  conditions  arise  real  time  which  necessitate 
sending  commands  outside  the  premission-defined  windows,  coordination  between  the  POCC  and 
HOUSTON  PAYLOADS/ ACO  will  be  required  to  discuss  these  changes  to  the  Command  Timeline  during 
the  Tracking  and  Data  Relay  Satellite  (TDRS)  pre-pass  briefing  and/or  just  prior  to  the  command 
sequence.  As  a  minimum,  the  need  to  use  a  premission  scheduled  command  window  will  be  identified  to 
HOUSTON  PAYLOADS/ ACO  during  the  TDRS  pre-pass  briefing. 

The  Ku-band  128-command  link,  in  addition  to  PSP  commanding,  is  used  for  Spacehab  RDM  experiment 
and  experiment  data  system  commanding.  ®[1 11501  -4981 E] 

B.  IF  COMMAND  VOLUMES  ARE  SUCH  THAT  COMMAND  COORDINATION  IS  A 
SIGNIFICANT  DETRIMENT  TO  MISSION  SUCCESS,  CONSIDERATION  WILL 
BE  GIVEN  TO  SIMULTANEOUS  (SIMO)  POCC  COMMANDING  THROUGHOUT 
EACH  TDRS  PASS  UNDER  THE  FOLLOWING  CONDITIONS.  SIMO 
COMMANDING  MUST  BE  APPROVED  BY  HOUSTON  FLIGHT. 

1.  THE  COMMANDING  PARTY  IS  RESPONSIBLE  FOR  DETECTING  AND 
RETRANSMITTING  ANY  LOST  COMMANDS. 

2.  ALL  POCC  HAZARDOUS  COMMANDING  WILL  BE  COORDINATED  WITH 
HOUSTON  PAYLOADS/ACO  PRIOR  TO  COMMAND  INITIATION. 
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A2-313  GROUND  COMMANDING  (CONTINUED) 

3.  LARGE  COMMAND  BLOCKS  WILL  BE  COORDINATED. 

SIMO  commanding  includes  two  or  more  POCC’s  enabled  for  commanding.  The  addition  of  the  payload 
throughput  buffer  in  the  systems  managemen  t  ( SM )  GPC  allows  for  con  tinuous  commanding  by  both  the 
MCC  and  the  POCC’s;  therefore,  MCC  and  POCC  commanding  is  not  considered  SIMO  commanding. 
@[060800-7125] 

SIMO  commanding  is  possible,  with  the  risk  of  the  ground  system  rejecting  commands  that  have 
insufficient  spacing.  The  ground  system  is  set  to  cdlow  a  maximum  of  one  command  per  second.  If  this 
rate  is  exceeded,  then  the  ground  system  will  reject  the  additional  commands.  This  method  of 
commanding  is  less  desirable  than  a  more  structured  method  where  ground  system  rejects  are 
procedurally  avoided.  If  the  overhead  of  the  coordination  is  judged  to  be  a  significant  impact  to  payload 
operations  and  the  overhead  of  retransmitting  the  commands  is  judged  to  be  less,  consideration  will  be 
given  to  SIMO  commanding.  Due  to  safety  considerations,  hazardous  commands  must  always  be 
coordinated.  Since  large  blocks  of  commands  require  more  command  system  time,  more  care  must  be 
used  to  avoid  ground  system  rejects  and  loss  of  these  types  of  commands;  therefore,  large  command 
blocks  will  still  require  coordination.  @[060800-7125] 

C.  IF  TWO-STAGE  POCC  COMMANDING  IS  REQUIRED,  POCC  COMMANDING 
AND  MCC  COMMANDING  TO  THE  SAME  GENERAL  PURPOSE  COMPUTER 
(GPC)  TWO-STAGE  BUFFER  WILL  BE  MANAGED  SO  THAT  ONLY  ONE 
IS  COMMANDING  AT  A  TIME.  ®[1 1 1 501 -4981 E] 

A  POCC  may  require  two-stage  commanding  for  critical  commanding  or  troubleshooting  command 
problems.  To  avoid  two-stage  buffer  contention,  POCC  and  MCC  commanding  will  be  coordinated. 
@[060800-7125] 

D.  FOR  FAILURE  OF  THE  SPACEHAB  FAN  IN  USE  OR  FAILURE  OF  A  WATER 
COOLING  LOOP  PUMP  DURING  ASCENT/ENTRY,  CONTINGENCY  COMMANDS 
WILL  BE  SENT  TO  SWAP  FANS  OR  PUMPS  ASAP  POST  MAIN  ENGINE  CUT 
OFF  (MECO)  OR  DURING  ENTRY  PER  RULES  {A17-706},  SPACEHAB  FAN 
CONFIGURATIONS  OR  {A18-553},  SPACEHAB  SUBSYSTEM  PUMP 
OPERATIONS . 

Air  circulation  is  required  to  maintain  module  airflow  over  the  Spacehcib  fire/ smoke  detectors.  Without 
switching  fans  following  the  loss  of  the  fan  in  use,  all  fire/smoke  detection  capability  is  lost.  The 
Spacehcib  water-cooling  loop  is  required  for  achieving  thermal  control  of  the  module  environment. 

Withou  t  switching  pumps  following  a  pump  failure,  all  module  cooling  is  lost.  Withou  t  smoke  detection 
or  adequate  cooling,  the  module  would  need  to  be  powered  down.  Powering  the  module  down  has  the 
potential  for  a  significant  mission  success  impact.  No  on-board  command  capability  exists  in  OPS  1  or 
OPS  3  (SM  GPC  not  available),  so  reconfiguration  during  ascent/entry  must  be  performed  via  ground 
commands.  The  water  line  heaters  must  be  turned  ON,  to  prevent  freezing  of  the  PLHX,  if  the  PLBD’s 
are  open.  ®[i  1 1 501  -4981 E] 
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A2-314  SPACEHAB  MINIMUM  DURATION  FLIGHT  CRITERIA 

FOR  AN  ORBITER  FREON  LOOP  TO  SPACEHAB  WATER  LOOP  LEAK,  THE 
SPACEHAB  MODULE  WILL  BE  PREPARED  FOR  ENTRY,  EGRESSED,  ISOLATED, 
AND  A  MINIMUM  DURATION  FLIGHT  (MDF )  WILL  BE  INSTITUTED.  @[111501- 
4981 E] 

Entry  prep  and  egress  of  the  Spacehab  module  are  performed  to  configure  the  module  for  entry  and  to 
avoid  the  possibility  of  the  crew  being  exposed  to  toxic  Freon.  Although  the  water  loop  is  compatible 
with  Freon  21,  a  relatively  high  pressure  in  the  water  loop  (caused  by  Freon  leaking  into  the  water  loop ) 
increases  the  chances  of  the  water  loop  developing  a  leak  into  the  module  and  exposing  the  crew  to 
Freon. 

An  MDF  is  called  for  a  heat  exchanger  leak  between  dissimilar  fluids  because  the  possibility  exists  that  a 
generic  problem,  such  as  corrosion,  exists  in  the  heat  exchanger.  This  problem  could  eventually  result  in 
a  total  loss  of  the  heat  exchanger  and  orbiter  due  to  the  subsequent  loss  of  two  Freon  loops.  The  risk  of 
losing  the  heat  exchanger  does  not  warrant  a  next  primary  landing  site  (PLS)  but  does  warrant  an  MDF. 
®[ 11 1501 -4981 E] 

A2-315  POWERING  OFF  AND  REPOWERING  SPACEHAB  EQUIPMENT 

A.  SPACEHAB  EQUIPMENT/COMPONENTS  WILL  BE  POWERED  OFF  IF  THEY 
HAVE  FAILED  AND  HAVE  ON/OFF  CAPABILITY.  REFERENCE  FAILURE 
DEFINITIONS  IN  SECTION  9,  SPACEHAB  SUPPORT  AND  SPACEHAB 
ELECTRICAL  POWER  SUBSYSTEM  (EPS)  MANAGEMENT.  ®[1 1 1 501 -4981 E] 

Failed  equipment  will  be  powered  off  to  prevent  possible  intermittent  operation  and/or  shorting. 

Powering  off  failed  equipment  also  saves  power.  Equipment  powered  by  the  Emergency  Bus  cannot 
be  powered  off  unless  both  the  PL  AUX  and  PL  AFT  B  busses  are  powered  off. 

B.  SPACEHAB  EQUIPMENT  NOT  CONCERNED  WITH  SAFETY  MAY  BE  OPERATED 
OUTSIDE  THE  QUALIFICATION  LIMITS  BASED  ON  CUSTOMER  CALL. 

Operation  to  the  qualification  limits  may  result  in  unpredictable  operation  and/or  violation  of  lifetime 
limits.  The  Spacehab  customer  has  chosen  to  allow  for  equipment  operations  (ops)  outside  of 
qualification  limits  based  on  preflight  test  experience. 

C.  REPOWERING  SPACEHAB  EQUIPMENT  AFTER  FAILURE  OR  AFTER 
EXCEEDING  QUALIFICATION  TEST  LIMITS  WILL  BE  ON  MCC  CALL  ONLY. 

The  MCC  has  the  ability  to  evaluate  data  on  the  equipment.  Consideration  must  be  given  to  possible 
damage  to  orbiter  systems  or  further  damage  to  the  affected  equiptnent  if  repowered.  MCC  may  give 
consideration  to  an  inflight  maintenance  ( IFM )  procedure,  trend  data,  etc.,  after  careful  review. 
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A2-316  ORBITER-TO-SPACEHAB  HATCH  CONFIGURATION 

A.  FOR  THOSE  OPERATIONS  REQUIRING  THE  ORBITER  INNER  HATCH  OR  THE 
SPACEHAB  HATCH  TO  BE  CLOSED  AND  LATCHED,  ALL  CREWMEMBERS  ARE 
REQUIRED  TO  REMAIN  ON  THE  ORBITER  SIDE  OF  THE  CLOSED  AND 
LATCHED  HATCH.  ®[1 1 1 501 -4981 E] 


There  is  no  air  exchange  between  the  orbiter  and  the  Spacehab  module  with  the  hatch(es)  closed.  In 
addition,  conditions  could  occur,  such  as  an  airlock  leak  or  hatch  malfunction,  which  could  trap  a 
crewmember  in  the  Spacehab  module. 

B.  THE  SPACEHAB  HATCH  WILL  REMAIN  OPEN  FOR  NOMINAL  OPERATIONS, 
UNLESS  REQUIRED  TO  BE  CLOSED  FOR  EXTRAVEHICULAR  ACTIVITY 
(EVA)  OPERATIONS  OR  DOCKING  OPERATIONS. 


Reference:  Rule  / A2-317J ,  EVA  CONSTRAINTS. 

C.  THE  MODULE  WILL  BE  CONFIGURED  FOR  A  SAFE  ENTRY  AS  REQUIRED  BY 
PAYLOAD  SAFETY  PRIOR  TO  CLOSING  THE  HATCH. 


The  module  is  configured  for  safe  entry  ( i.  e. ,  all  penetration  hazards  restrained/stowed)  in  the  event  the 
module  cannot  be  re-entered.  ®[1 11501  -4981 E] 
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A2-317  EVA  CONSTRAINTS 

A.  PREBREATHING  AT  10.2  PS  I  CAN  BE  DONE  WITH  THE  SPACEHAB  MODULE 
AT  14.7  PSI  AND  THE  SPACEHAB  HATCH  CLOSED  OR  WITH  THE 
SPACEHAB  AT  10.2  PSI.  THE  STRATEGY  WILL  BE  DETERMINED  ON  A 
MISSION  SPECIFIC  BASIS  AND  DOCUMENTED  IN  THE  FLIGHT  SPECIFIC 
ANNEX.  ®[1 11501-4981 E] 


The  minimum  design  operating  pressure  for  Spacehab  components  is  10  psia.  Freon  flow  to  the  payload 
heat  exchanger  will  be  reduced  in  order  to  keep  the  orbiter  cabin  within  temperature  limits.  This  is 
accomplished  by  moving  one  of  the  orbiter' s  Freon  flow  proportioning  valves  (FPV’s)  from  the  nominal 
on-orbit  payload  heat  exchanger  position  to  the  interchanger  position.  This  will  reduce  the  cooling 
capability  in  the  Spacehab  water  loop. 

Spacehab  may  be  able  to  operate  at  the  reduced  pressure  (and  cooling  level)  of  10.2  psi  if  these 
conditions  are  compatible  with  experiment  science  and  hardware  requirements  and  if  overall  module 
thermal  loads  allow.  The  benefit  of  open  hatch  operations  at  10.2  psi  is  increased  crew  access  time  to 
the  module  during  prebreathe. 

Assessment  of  10.2  psi  prebreathe  strategy  will  be  conducted  on  a  flight  specific  basis.  ®[1 11501  -4981 E] 

B.  SPACEHAB  LEAK  DURING  EVA  ®[1 1 1 501 -4981 E] 

SCHEDULED/UNSCHEDULED  EVA 

1.  IF  A  SPACEHAB  CABIN  LEAK  OCCURS  DURING  AIRLOCK/TUNNEL 
ADAPTER  DEPRESS  WHICH  IS  NOT  UNDERSTOOD  OR  WHICH  IS 
PREDICTED  TO  REDUCE  CABIN  PRESSURE  BELOW  10.2  POUNDS  PER 
SQUARE  INCH  ABSOLUTE  (PSIA)  BEFORE  NOMINAL  EVA  COMPLETION 
TIME,  THE  EVA/AIRLOCK  DEPRESS  WILL  BE  TERMINATED. 

2.  IF  A  SPACEHAB  CABIN  LEAK  OCCURS  DURING  EVA,  THE  EVA  WILL 
BE  TERMINATED  AND  THE  AIRLOCK/TUNNEL  ADAPTER 
REPRESSURIZED  BEFORE  THE  SPACEHAB  IS  PREDICTED  TO  REACH 
10.2  PSIA. 

THIS  RULE  CONTINUED  ON  NEXT  PAGE 
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A2-317  EVA  CONSTRAINTS  (CONTINUED) 

CONTINGENCY  EVA 

3.  IF  THE  EVA  IS  AN  ORBITER  CONTINGENCY  EVA,  IT  WILL 

CONTINUE  AND  THE  SPACEHAB  WILL  BE  UNPOWERED  EXCEPT  FOR 
EMERGENCY  POWER  (AUX  A  AND  AFT  B)  PRIOR  TO  REACHING  10 
PSIA. 


The  Spacehab  systems  are  certified  to  operate  above  a  cabin  pressure  greater  than  or  equal  to  10  psia. 

For  example,  a  leak  rate  of  7.3  lb/hrfor  4  hours  based  on  14. 7  equivalent  will  bring  the  cabin  to  10  psia. 
PL  AUX  A  and  AFT  MN  B  provide  redundan  t  power  to  Spacehab  sensors.  AFT  MN  B  is  the  only  source 
of  power  to  the  Spacehab  water  line  heaters  that  protect  the  Spacehab  water  line  from  freezing. 
Additionally,  smoke/fire  detection  sensors  are  powered  by  the  emergency  circuits. 

C.  EXPERIMENT  IMPACTS  TO  A  10.2  PSI  PREBREATHE  ARE  DOCUMENTED  IN 
THE  FLIGHT  SPECIFIC  ANNEX.  ®[1 1 1 501 -4981 E] 

A2-318  ORBITAL  MANEUVERING  SYSTEM/REACTION  CONTROL  SYSTEM 

(OMS/RCS)  CONSTRAINTS 

ORBITAL  MANEUVERING  SYSTEM/REACTION  CONTROL  SYSTEM  (OMS/RCS) 
CONSTRAINTS  ARE  EXPERIMENT  COMPLEMENT  DEPENDENT  AND  ARE 
DOCUMENTED  IN  THE  FLIGHT  SPECIFIC  ANNEX.  ®[1 1 1 501 -4981 E] 

A2-319  CONTAMINATION  AND  MICROGRAVITY  CONSTRAINTS 

ANY  CONSTRAINTS  SPACEHAB  HAS  ON  WATER  DUMPS,  FES  OPS,  OMS/RCS 
LEAKS,  ORBITER  LEAKS,  OR  FUEL  CELL  PURGES  WILL  BE  DOCUMENTED  IN 
THE  FLIGHT  SPECIFIC  ANNEX.  ®[1 1 1 501 -4981 E] 
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A2-320  COMMAND  AND  DATA  SYSTEM  CONSTRAINTS 

A.  FOR  A  NONRECOVERABLE  LOSS  OF  THE  DATA  MANAGEMENT  UNIT  (DMU) , 
SPACEHAB  ACTIVITIES  WILL  CONTINUE.  HOWEVER,  THE  WATER  LINE 
HEATERS  WILL  BE  TURNED  ON  TO  PREVENT  FREEZING.  ®[1 1 1 501 -4981 E] 

Loss  of  the  DMU  results  in  loss  of  all  Payload  Data  Interleaver  (PDI )  data  to  the  Orbiter  Display 
System,  Payload  General  Support  Computer  (PGSC)  downlink,  and  all  subsystem  control  capabilities 
( except  that  which  is  routed  through  the  orbiter  multiplexer/demultiplexer  (MDM)).  All  experiment  data 
to  the  DMU  would  also  be  lost.  However,  safety  critical  monitoring  and  control  is  all  routed  through  the 
PL  MDM  and  Caution  and  Warning  Electronics  Assembly  ( CWEA).  Water  line  heaters  are  turned  on 
because  a  DMU  failure  results  in  loss  of  water  pump  monitoring  capability. 

B.  FOR  LOSS  OF  THE  MODULE  SYSTEMS  PGSC  CAPABILITY,  SPACEHAB 
OPERATIONS  WILL  CONTINUE. 

The  PGSC  is  used  for  backup  monitoring  only.  Primary  monitoring  still  exists  at  the  Orbiter  Display 
System,  as  well  as  through  the  Fault  Detection  and  Annunciation  {FDA)  and  CWEA  systems.  Ground 
monitoring  via  the  PDI  downlink  is  also  still  available. 

C.  PDI  DECOM  LOSS  IMPACTS  WILL  BE  DOCUMENTED  IN  THE  FLIGHT 
SPECIFIC  ANNEX.  ®[1 1 1 501 -4981 E] 
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A2-321  SPACEHAB  AIR-TO-GROUND  (A/G)  USAGE 

A.  THE  STANDARD  ORBITER  A/G  CHANNEL  (A/G  1)  WILL  BE  USED  FOR  ANY 
DISCUSSIONS  RELATED  TO  SPACEHAB  SUBSYSTEMS.  THE  SSP  CAPCOM 
WILL  BE  THE  GROUND  COMMUNICATOR.  ®[1 1 1 501 -4981 E] 

Since  the  module  is  integrated  to  the  orbiter,  it  is  necessary  that  any  systems  issues  be  discussed  on  A/G 
1,  which  all  Space  Shuttle  Program  (SSP)  flight  control  team  members  monitor.  In  addition,  this 
strategy  guarantees  that  emergency/time  critical  issues  are  discussed  on  the  prime  A/G  loop. 

B.  EITHER  A/G  1  OR  A/G  2  WILL  BE  USED  FOR  ANY  DISCUSSIONS 
RELATED  TO  SPACEHAB  EXPERIMENTS  DEPENDING  ON  THE  AMOUNT  OF 
A/G  USAGE.  A  SPACEHAB  CREW  INTERFACE  COORDINATOR  (CIO)  WILL 
BE  THE  GROUND  COMMUNICATOR. 


Spacehab  is  responsible  for  all  experiment  procedures  and  the  experiment  flight  datafile.  Therefore,  the 
most  efficient  communication  path  is  directly  between  the  crew  and  the  CIC.  The  CIC  will  be  in  the  JSC 
POCC.  The  Flight  Director  will  decide  which  A/G  loop  is  the  most  appropriate  to  use.  ®[1 11501  -4981 E] 

C.  ANY  SAFETY-RELATED  ISSUES,  INCLUDING  THOSE  RELATED  TO 

EXPERIMENTS,  WILL  BE  CONDUCTED  ON  THE  PRIME  A/G  LOOP  (A/G 
1)  .  ®[1 1 1501-4981 E] 


Self-explanatory. 

D.  ROUTINE  CONVERSATIONS  DURING  SPACEHAB  EXPERIMENTS  OPERATIONS 
BETWEEN  THE  CIC  AND  THE  CREW  ON  A/G  1  OR  A/G  2  WILL  NORMALLY 
BE  INITIATED  BY  CREW  REQUEST.  THE  FOLLOWING  RESTRAINTS  SHALL 
APPLY  TO  CIC  PROTOCOL  AND  A/G  1  OR  A/G  2  USAGE. 

THIS  RULE  CONTINUED  ON  NEXT  PAGE 
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A2-321  SPACEHAB  AIR-TO-GROUND  (A/G)  USAGE  (CONTINUED) 

1.  THE  VOICE  PROTOCOL  SHALL  BE  THE  SAME  AS  THAT  USED  BY  THE 
JSC  CAPCOM . 

2.  THE  SPACEHAB  OPERATIONS  DIRECTOR  (SHOD)  IS  RESPONSIBLE 
FOR  APPROVING  ALL  CALLS  INITIATED  FROM  THE  GROUND  TO  THE 


CREW. 

3. 

DIRECT  EXPERIMENTER  CALLS  TO  THE  CREW  ON  A/G 
SHALL  BE  UPON  CREW  REQUEST  ONLY. 

1  OR  A/G  2 

4  . 

THE  CALL  SIGN  FOR  THE  SPACEHAB  POCC  SHALL  BE 

POCC. " 

"SPACEHAB 

5  . 

OCA  S-BAND  (MFX)  OPERATIONS  WILL  TAKE  PRECEDENCE  OVER 
ROUTINE  SPACEHAB  A/G  2  USAGE. 

6. 

EXCEPTIONS  TO  THIS  RULE  ARE  DOCUMENTED  IN  THE 

SPECIFIC  ANNEX. 

FLIGHT 

Past  flight  crew  comments  on  overuse  of  A/G  by  payloads  point  out  the  need  for  more  rigid  control  of 
the  traffic  and  voice  protocol.  In  addition,  use  of  the  OCA  S-Bcind  ( OCA  Ku-Band  is  nominal)  adds 
complexity  to  the  scheduled  use  of  one  of  the  A/G  links.  With  the  many  users  as  well  as  the  many 
experimenters  on  a  Spacehab  flight,  careful  definition  of  the  A/G  1  or  A/G  2  usage  is  required.  This 
rule  represents  an  agreed  to  baseline  with  the  customer  for  Spacehab  flights.  ®[1 11501  -4981 E]  ®[1 11501- 
4981 E]  ®[1 11501 -4976A]  @[092701  -4872  ] 


A2-322  SPACEHAB  CAUTION  AND  WARNING  ANNUNCIATION  IN  MODULE 

LOSS  OF  ALL  CAUTION  AND  WARNING  ANNUNCIATION  CAPABILITY  IN  THE 
SPACEHAB  MODULE  IS  NOT  CAUSE  TO  TERMINATE  SPACEHAB  ACTIVITIES 
PROVIDED:  ®[1 11501  -4981 E] 

A.  ANNUNCIATION  CAPABILITY  EXISTS  IN  THE  ORBITER  AND, 

B.  VOICE  COMMUNICATION  BETWEEN  THE  ORBITER  AND  SPACEHAB  IS 
AVAILABLE . 


All  emergency  safety  parameters  are  redundantly  monitored  by  the  orbiter  GPC  and  CWEA.  In  addition, 
both  of  these  monitoring  systems  cause  annunciating  in  both  Spacehab  and  the  orbiter.  Loss  of  the 
Spacehab  C&W  annunciating  capability  is  therefore  only  loss  of  redundancy.  The  orbiter  crew  would 
alert  the  Spacehab  crew  of  any  emergencies.  ®[1 11501  -4981 E] 
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A2-323  COMMUNICATIONS  CONSTRAINTS 

LOSS  OF  VOICE  COMMUNICATION  BETWEEN  THE  ORBITER  AND  SPACEHAB 
CREWMEMBERS  IS  NOT  CAUSE  TO  TERMINATE  SPACEHAB  OPERATIONS 
PROVIDED  CAUTION  AND  WARNING  ANNUNCIATION  CAPABILITY  STILL  EXISTS 
IN  SPACEHAB.  ®[1 1 1501-4981 E] 

Loss  of  voice  communication  does  not  present  a  hazard  to  the  crew  if  caution  and  warning  alarms  are 
still  available  from  the  audio  control  system  (ACS).  Spacehab  operations  would  be  impacted,  but  may  be 
continued  in  the  best  possible  manner.  Coordination  can  be  carried  out  by  voice  calls  down  the  tunnel 
or  possibly  by  using  the  BPSMU  or  a  wireless  crew  comm  unit  (WCCU)  connected  in  the  airlock. 

®[1 11501-4981 E] 


A2-324  SPACEHAB  IN-FLIGHT  MAINTENANCE  (IFM)  PROCEDURES 

A.  IN  SUPPORT  OF  ALL  FLIGHTS  RULE  {A2-105},  IN-FLIGHT 

MAINTENANCE  (IFM),  ALL  SPACEHAB  UNSCHEDULED  IFM  PROCEDURES 
CONTAINED  IN  THE  SPACEHAB  OPERATIONS  CHECKLIST  (JSC-48089) 

AND  SPACEHAB  RDM  MALFUNCTION  PROCEDURES  (JSC-48099)  HAVE  BEEN 
PREMISSION  COORDINATED  AND  REQUIRE  REAL-TIME  MCC  APPROVAL 
ONLY  PRIOR  TO  IMPLEMENTATION,  EXCEPT  THOSE  LISTED  IN 
PARAGRAPH  B.  EXPERIMENT  IFM' S  ARE  DOCUMENTED  IN  THE  FLIGHT 
SPECIFIC  ANNEX.  ®[1 1 1 501 -4981 E] 


These  IFM’s  have  been  reviewed  preflight  and  identified  as  acceptable;  however,  because  of  their  nature, 
implementation  must  be  coordinated  with  the  MCC. 

B.  THE  FOLLOWING  ARE  LISTS  OF  SPACEHAB  SCHEDULED  IFM  PROCEDURES 
IN  THE  SPACEHAB  OPERATIONS  CHECKLIST  (JSC-48089)  WHICH  DO  NOT 
REQUIRE  REAL-TIME  APPROVAL  OR  COORDINATION  PRIOR  TO 
IMPLEMENTATION. 

1.  FAN  CLAMP  REMOVAL  (IFM- 1.3) 

2.  FAN  CLAMP  REPLACEMENT  (IFM- 1.4) 

C.  ALL  REAL-TIME  DEVELOPED  SPACEHAB /EXPERIMENT  IFM  PROCEDURES 
WILL  BE  COORDINATED  AND  APPROVED  BY  THE  MCC. 


Implementation  of  unplanned  IFM’s  may  require  activities  which,  if  not  properly  reviewed  and 
coordinated,  could  result  in  an  array  of  unsafe  conditions.  Therefore,  unplanned  IFM  activity  must  be 
coordinated  with  MCC  to  ensure  the  safety  of  the  orbiter,  payloads,  and  crew.  If  no  previous  IFM  work 
has  been  done,  a  minimum  of  24  hours  may  be  expected  before  an  experiment  IFM  may  be  approved  and 
uplinked.  ®[i  1 1 501  -4981 E] 
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A2-325  IFM  PROCEDURES  ON  EXPERIMENTS  WITH  TOXIC  HAZARDS 

NO  IFM  PROCEDURES  WILL  BE  INITIATED  BY  THE  CREW  ON  AN  EXPERIMENT 
KNOWN  TO  REPRESENT  A  TOXIC  HAZARD  UNTIL  CONCURRENCE  FOR  THE 
REPAIR  PROCEDURE  IS  OBTAINED  FROM  THE  MCC  FLIGHT  DIRECTOR. 
SPACEHAB  EVACUATION  AND/OR  PROTECTIVE  EQUIPMENT  MAY  BE  REQUIRED 
(SEE  RULE  { A1 3-1 5 6 } ,  SPACEHAB  HAZARDOUS  SUBSTANCE  SPILL 
RESPONSE) .  ALL  PAYLOAD  EXPERIMENTS / SAMPLES  CONTAINING  HAZARDOUS 
MATERIALS  ARE  DEFINED  IN  THE  FLIGHT  SPECIFIC  ANNEX.  ®[1 1 1 501 -4981 E] 


A  real-time  assessment  of  the  possibility  of  repairing  an  experiment  and  the  risk  of  exposing  the  crew  to 
a  toxic  substance  during  the  repair  will  need  to  be  made.  The  IFM  may  require  that  the  cleanup 
equipment  specified  in  Rule  {A13-156},  SPACEHAB  HAZARDOUS  SUBSTANCE  SPILL  RESPONSE,  be 
used  to  minimize  risk  of  crew  exposu  re  to  toxic  substances.  ®[111501-4981E] 
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A2-326  EQUIPMENT  EXCHANGE  BETWEEN  ORBITER  CABIN  AND 

SPACEHAB  MODULE 

A.  ELECTRICAL  EQUIPMENT  OR  EXPERIMENTS,  SELF-POWERED  OR 

FACILITY-POWERED,  SHALL  NOT  BE  TRANSFERRED  BETWEEN  THE 
ORBITER  AND  SPACEHAB  UNLESS  CERTIFIED  FOR  USE  IN  BOTH 
LOCATIONS.  APPROVED  EQUIPMENT  WILL  BE  IDENTIFIED  IN 
PARAGRAPH  B.  ®[1 1 1501-4981 E] 


Equipment  may  only  be  used  in  areas  where  it  has  been  approved  from  an  electromagnetic  compatibility 
standpoint.  In  addition,  power  budgeting/planning  can  only  be  accomplished  effectively  if  equipment 
movement  strategy  is  coordinated  preflight  via  this  rule. 

B.  SPACEHAB  SUBSYSTEM  GENERIC  EQUIPMENT 

1.  WIRELESS  CREW  COMMUNICATION  SYSTEM  (WCCS) 

2.  ORBITER  COMM  EQUIPMENT 

3.  VACUUM  CLEANER  AND  ACCESSORIES  (CABLE  AND  ATTACHMENT) 

4.  ORBITER  CAMCORDER  AND  ACCESSORIES 

5.  PAYLOAD  AND  GENERAL  SUPPORT  COMPUTER  (PGSC)  AND 
ACCESSORIES 

6.  ORBITER  CAMERA  AND  ACCESSORIES 

7.  ELECTRONIC  STILL  CAMERA  (ESC) 

EXCEPTIONS  TO  THIS  RULE  ARE  DOCUMENTED  IN  THE  FLIGHT  SPECIFIC 
ANNEX.  ®[1 11501-4981 E] 
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A2-327  SPACEHAB  MODULE/TUNNEL  SLEEP  CONSTRAINTS 

A.  NO  CREWMEMBERS  SHALL  SLEEP  IN  THE  SPACEHAB-TO-ORBI TER  TUNNEL. 
®[1 11501-4981 E] 

In  the  event  it  was  necessary  to  rapidly  evacuate  the  module,  a  sleeping  crewmember  either  tethered  or  in 
a  sleeping  bag  would  pose  a  hazard.  In  addition,  the  tunnel  does  not  offer  the  same  amount  of  protection 
for  radiation  that  is  provided  by  the  module  or  orbiter  cabin. 

B.  CREWMEMBERS  MAY  SLEEP  IN  THE  SPACEHAB  MODULE  IF: 

1.  SPACEHAB  SYSTEM  DATA  IS  BEING  NOMINALLY  TRANSMITTED  TO 
THE  ORBITER' S  SM  GPC  AND  TELEMETERED  TO  THE  GROUND. 

2.  THE  CAUTION  AND  WARNING  LINK  BETWEEN  THE  ORBITER  AND 
SPACEHAB  IS  OPERATIONAL. 

3.  AT  LEAST  ONE  SPACEHAB  SMOKE  SENSOR  IS  OPERATIONAL. 

4.  THE  AUDIO  LINK  BETWEEN  THE  ORBITER  AND  SPACEHAB  IS 
OPERATIONAL . 

5.  THE  ARS  FAN  AND  AT  LEAST  ONE  ARS  FAN  DELTA  PRESSURE 
SENSOR  ARE  OPERATIONAL  IN  ADDITION  TO  THE  FOLLOWING: 

a.  (LDM  ONLY)  THE  AFT  MODULE  FAN  AND  ITS  ASSOCIATED 
DELTA  PRESSURE  SENSOR  ARE  OPERATIONAL. 

b.  (RDM  ONLY)  AT  LEAST  ONE  HAB  FAN  ASSEMBLY  (HFA)  FAN 
AND  ONE  HFA  FAN  DELTA  PRESSURE  SENSOR  ARE 
OPERATIONAL . 


Nominal  safety  monitoring  is  via  the  SM  GPC  and  the  Caution  and  Warning  Electronics  Assembly 
( CWEA).  Ground  monitoring  of  safety  parameters  provides  a  further  safety  monitoring  capability.  The 
audio  link  to  the  Spacehab  is  desirable  for  communication  in  the  case  of  a  contingency  commencing 
during  sleep.  The  ARS  fan  and  the  ARS  fan  delta  pressure  sensor  are  required  to  verify  that  the  ARS  fan 
is  operating,  thus  ensuring  air  exchange  with  the  orbiter.  In  addition  to  the  ARS  fan  and  ARS  fan  delta 
pressure  sensor,  one  HFA  fan  and  one  HFA  fan  delta  pressure  sensor  in  the  RDM  configuration  are 
required  for  cooling,  or  the  aft  module  fan  and  its  associated  delta  pressure  sensor  in  the  LDM 
configuration  are  required  to  ensure  adequate  airflow  through  the  aft  module.  Any  one  AC  fan  ( Cabin 
or  ARS)  in  the  SM/LDM  or  one  HFA  fan  in  the  RDM  is  adequate  for  smoke  detection. 

Reference:  Rule  {A17-706},  SPACEHAB  FAN  CONFIGURATIONS,  Boeing  memo,  2 C-SPA CEHAB- 
01044,  A90-SPACEHAB-97088,  A90-SPACEHAB-2000192,  MDC92W5610,  and  MDC95W5829. 

®[1 1 1501-4981 E] 
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A2-328  CREW  LIMITATIONS  IN  THE  SPACEHAB  MODULE 

A.  THE  MAXIMUM  NUMBER  OF  CREWMEMBERS  PERMITTED  IN  THE  MODULE  MAY 
BE  LIMITED  BASED  ON  REAL-TIME  EVALUATION  OF  (£  AND  CO2 
LEVELS,  RELATIVE  HUMIDITY,  AND  CABIN  TEMPERATURE  .  ®[11 1501 -4981 E] 

Spacehab  SM/LDM  is  designed  to  reject  1400/1000  watts  (respectively)  of  waste  heat  from  surface  air¬ 
cooled  experiments  with  two  crewmembers  in  the  module.  Spacehab  RDM  is  designed  to  reject  2000 
watts  of  waste  heat  from  surface  air-cooled  experiments  with  three  crewmembers  in  the  module. 
Boeing/Spacehab  analysis  shows  that  each  additional  crewmember  over  the  design  value  of  two  will 
decrease  the  available  experiment  air  heat  rejection  accommodations  by  115  watts  minimum  and  265 
watts  maximum  ( SM/LDM  only).  Each  additional  crewmember  is  expected  to  increase  module  dew  point 
by  about  1  deg  F.  Moisture  is  not  a  limiting  factor  for  the  Spacehab  RDM  since  it  has  moisture  removal 
capability.  The  RDM  with  the  53  cfin  air  exchange  rate  with  the  orbiter  is  designed  to  accommodate 
three  crewmembers  continuously.  In  the  RDM,  CO  2  generation  may  be  the  limiting  factor  for  crew 
occupancy  above  its  design  limit.  Increases  in  oxygen  (O2)  consumption  show  no  immediate  concern  for 
nominal  operations  in  all  module  configurations. 

B.  ORBITER  CREWMEMBERS  MAY  ASSIST  IN  OPERATIONS  IN  THE  SPACEHAB 
MODULE  OR  SERVE  AS  TEST  SUBJECTS  (SUBJECT  TO  ALL  FLIGHTS  RULE 
{ A2-135 } ,  COMMANDER  ( CDR)  AND  PILOT  (PLT )  PARTICIPATING  AS 
TEST  SUBJECTS)  AS  NEGOTIATED  PREFLIGHT. 

Preflight  coordination  will  guarantee  that  the  workloads  of  the  orbiter  crewmembers  are  acceptable  and 
that  All  Flights  Rule  {A2-135}  COMMANDER  (CDR)  AND  PILOT  (PLT)  PARTICIPATING  AS  TEST 
SUBJECTS,  is  not  violated.  ®[i  1 1 501-4981 E] 
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A2-32  9  SPACEHAB  DEACTIVATION/ENTRY  PREP  ®[1 11501  -4981 E] 

SPACEHAB  DEACTIVATION  WILL  PROCEED  BY  ONE  OF  THE  FOLLOWING 
METHODS  DEPENDING  ON  CIRCUMSTANCES:  ®[1 1 1 501 -4982A] 

A.  NOMINAL  ENTRY  PREP  -  SECURING  OF  THE  SPACEHAB  BY  NOMINAL 

CHECKLIST  PROCEDURES.  THE  NOMINAL  ENTRY  PREP  WILL  BE  DONE 
FOR: 

1.  NOMINAL  END -OF -MISS ION 

2.  ANY  FAILURE  THAT  RESULTS  IN  A  PRIMARY  LANDING  SITE  (PLS) 
WITH  DEORBIT  TIME  OF  IGNITION  (TIG)  OCCURRING  BEYOND  12 
HOURS . 


Nominal  entry  prep  requires  approximately  1-2  hours  and  is  scheduled  in  the  Flight  Plan.  A  PLS  TIG 
greater  than  12  hours  away  will  allow  the  crew  to  perform  the  desirable,  nominal  module  entry  prep. 

The  procedure  will  include  equipment  stowage,  nominal  deactivation  of  experiments,  and  an  orderly 
reconfiguration  to  the  Spacehab  entry  configuration. 

B.  SPACEHAB  30-MINUTE  CONTINGENCY  DEACTIVATION  -  SECURING  OF 
SPACEHAB  AND  EXPERIMENT  HARDWARE  IN  MINIMUM  TIME  WITHOUT 
INCURRING  DAMAGE  TO  SPACEHAB,  AND  WHEN  POSSIBLE,  EXPERIMENT 
EQUIPMENT.  SPACEHAB  30-MINUTE  CONTINGENCY  DEACTIVATION 
PROCEDURES  WILL  BE  DONE  FOR: 

1.  ANY  FAILURE  THAT  RESULTS  IN  A  PLS  WITH  DEORBIT  TIG 
OCCURRING  BETWEEN  3.5  TO  12  HOURS. 

2.  UNRECOVERABLE  LOSS  OF  ALL  SPACEHAB  AIR  CIRCULATION  FANS. 

Spacehab  30-minute  contingency  deactivation  is  intended  to  perform  as  much  of  the  normal  deactivation 
of  the  module  as  possible.  It  also  provides  a  balance  between  deactivating  the  module  in  a  shorter-than- 
nominal  time  and  preserving  equipment  (and  science,  if  possible).  The  procedure  will  include  critical 
entry  stowage,  an  abbreviated  but  orderly  Spacehab  shutdown,  and  safing  of  experiments,  if  time 
permits.  ®[1 1 1 501 -4982A] 
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A2-329  SPACEHAB  DEACTIVATION/ENTRY  PREP  (CONTINUED) 

C.  SPACEHAB  EMERGENCY  DEACTIVATION  -  IMMEDIATE  STOW  OF  ANY 

PENETRATORS,  EGRESS,  AND  CLOSURE  OF  THE  HATCH  WITHOUT  ANY 
OTHER  ACTIVITIES  WITHIN  THE  3-MINUTE  CONSTRAINT.  IF 
CIRCUMSTANCES  WARRANT,  ALL  POWER,  EXCEPT  PL  AFT  MN  B,  WILL  BE 
REMOVED.  SPACEHAB  EMERGENCY  DEACTIVATION  PROCEDURES  WILL  BE 
DONE  FOR:  ®[1 1 1501-4982A] 

1.  ORBITER  PROBLEMS  REQUIRING  EMERGENCY  DEORBIT 

2.  AN  ORBITER/MODULE  LEAK  (DEACTIVATION  STEPS  ONLY  NEEDED  IF 
LEAK  CANNOT  BE  ISOLATED) .  IF  THE  LEAK  IS  ISOLATED  TO  THE 
SPACEHAB  MODULE  AFTER  EGRESS,  THE  CREW  MAY  REOPEN  THE 
SPACEHAB  TO  PERFORM  ADDITIONAL  DEACTIVATION/ENTRY  PREP, 

IF  CONSUMABLES  PERMIT  PER  RULE  {A17-751},  MODULE  PRESSURE 
INTEGRITY. 

3.  FOR  SPACEHAB  MODULE  FIRE  (DEACTIVATION  STEPS  ONLY  NEEDED 
IF  FIRE  SUPPRESSION  NOT  SUCCESSFUL.) 

4.  DISCHARGE  OF  ALL  HALON  SYSTEM  BOTTLES  (EGRESS  STEPS  ONLY) 

5.  SPACEHAB  MODULE  LEVEL-4  TOXIC  SPILL  (EGRESS  STEPS  ONLY) 

In  emergency  situations  (i.e.,fire,  depress,  or  toxic  spill),  the  crew  must  be  able  to  safe  and  isolate  the 
module  within  3  minutes.  Safe  return  of  the  crew  is  paramount  in  these  cases.  Only  payload  procedures 
required  for  safe  entry  (restraint  of  penetrators,  crew  module  egress,  and  hatch  closure)  are  allowed  in 
these  time  critical  situations.  No  attempt  is  made  to  prevent  damage  to  the  module  or  experiments, 
except  stowing  any  penetrators.  Reference  NSTS  18798A,  MA2-96-190,  “CONTINGENCY  RETURN 
AND  RAPID  SAFING,  ”  memo  dated  January  9,  1997.  The  Spacehcib  Emergency  Deactivation 
procedure  includes  steps  for  egress  and  power  removal.  All  mean  AC  and  DC  power,  except  PL  AFT  MN 
B,  which  is  required  to  power  the  Spacehcib  water  line  heaters,  is  removed  for  an  emergency 
deactivation.  In  some  cases,  Spacehab  emergency  egress  steps  are  integrated  into  the  applicable  orbiter 
procedures  (i.e.,  cabin  leak)  and  Payload  powerdowns,  when  it  is  appropriate.  ®[1 1 1 501 -4982A] 
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A2-330  EXTENSION  DAY  GROUND  RULES 

A.  POWER  LEVELS  ®[1 1 1501-4981 E] 

THE  SPACEHAB  AND  ITS  EXPERIMENTS  WILL  BE  POWERED  DOWN  TO  THE 
GREATEST  EXTENT  POSSIBLE  (SURVIVAL  POWER  CONFIGURATION)  AS 
DEFINED  IN  RULE  {A9-357},  SPACEHAB  SURVIVAL  POWER 
CONFIGURATION.  ®[ED  ] 

The  amount  of  consumables  remaining  at  the  nominal  end  of  flight  does  not  allow  for  operations  of 
experiments  without  degrading  the  capability  of  the  orbiter  to  remain  in  orbit.  For  those  cases  which 
require  that  additional  power  be  provided  to  allow  for  presentation  of  experiment  samples/data,  the 
consumable  must  be  allocated  preflight  and  thus  affect  the  mission  duration. 

B.  CONSUMABLES 

NO  SPACEHAB  EXPERIMENT  ACTIVITIES  WHICH  REQUIRE  ORBITER 
CONSUMABLES  WILL  NORMALLY  BE  PLANNED.  FLIGHT-SPECIFIC 
OPTIONS  ARE  DEFINED  IN  THE  FLIGHT  SPECIFIC  ANNEX. 

Extension  days  would  generally  be  required  only  for  weather ,  orbiter,  and/or  landing  site  problems  that 
would  benefit  from  extra  time  before  landing.  To  preven  t  further  complications,  the 
Spacehab/ experiments  should  be  maintained  in  a  safe,  deactivated  state.  This  should  not  impact  the 
Spacehab/experiments  since  all  payload  activities  should  have  already  been  completed  by  the  nominal 
end  of  mission.  In  addition,  the  crew  must  be  available  to  perform  necessary  orbiter  activities  to  ensure 
a  safe  return. 

C.  SPACEHAB  CONSTRAINTS  ON  EXTENSION  DAY  ATTITUDE  WILL  BE 
DOCUMENTED  IN  THE  FLIGHT  SPECIFIC  ANNEX. 

-ZLV  attitude  will  normally  provide  a  stable  thermal  environment  for  the  orbiter  and  Spacehab  module 
during  an  extension  day  and  is  accomplished  with  a  minimum  amount  of  propellant  for  attitude 
maintenance.  With  radiators  deployed,  the  -ZLV  attitude  will  provide  sufficient  orbiter  heat  rejection 
when  flying  with  any  beta  angle.  With  radiators  stowed,  the  -ZLV  attitude  may  be  acceptable,  or  a  flight- 
specific  attitude  can  be  determined.  If  a  cooler  attitude  is  required,  the  orbiter  can  execute  passive 
thermal  control  (PTC)  which  gives  the  advantage  of  providing  a  consistent  thermal  environment  for  the 
entire  vehicle.  ®[1 11501  -4981 E] 


VOLUME  A  11/21/02  FINAL,  PCN-1  FLIGHT  OPERATIONS  2-302 

Verify  that  this  is  the  correct  version  before  use. 


NASA  -  JOHNSON  SPACE  CENTER 


FLIGHT  RULES 


A2-331  CONSTRAINTS  ON  CABLES  THROUGH  THE  SPACEHAB  HATCH 

AND  TUNNEL 

THE  SPACEHAB  HATCHWAY  AND  TUNNEL  SHALL  BE  FREE  AND  CLEAR  OF 
OBSTRUCTION  TO  ENSURE  THAT  THE  CREW  IS  CAPABLE  OF  SAFING  AND 
ISOLATING  THE  MODULE  WITHIN  3  MINUTES  FOR  AN  EMERGENCY. 

@[111501-4984] 

Every  effort  shall  be  made  to  preclude  routing  cables  through  the  Spacehab  hatch  and  tunnel.  In 
emergency  situations  ( i.  e. ,  fire,  depress,  or  toxic  spill),  the  crew  must  be  able  to  secure  penetrators  and 
isolate  the  module  within  3  minutes.  The  hatch  closure  itself  takes  approximately  1  minute,  which  leaves 
approximately  2  minutes  to  safe  the  module  and  clear  the  hatchway.  Cables,  in  addition  to  anything  that 
may  pose  interference  with  hatch  closure,  are  considered  “drag-throughs.  ” 

IN  THE  EVENT  DRAG-THROUGH  ROUTING  CANNOT  BE  PRECLUDED,  THE 
FOLLOWING  CRITERIA  SHALL  APPLY: 

A.  THE  ABILITY  TO  SAFE  AND  ISOLATE  THE  MODULE  WITHIN  3  MINUTES 
SHALL  BE  RETAINED. 


The  3-minute  constraint  is  paramount  for  the  crew  to  have  the  ability  to  respond  to  any  emergency 
situation  ( i.e.,  fire,  depress,  or  toxic  spill )  and  allow  the  hatch  to  be  closed  regardless  of  whether  or  not 
drag-throughs  are  present  across  the  hatchway.  Tests  show  it  takes  approximately  10  seconds  to  break 
each  quick  disconnect  ( QD )  by  a  single  crewmember. 

B.  IF  THE  DRAG-THROUGH  IS  NOT  UNDER  THE  CONTROL  OF  A  CREWMEMBER, 
IT  SHALL  BE  RESTRAINED  TO  AVOID  CREW  ENTANGLEMENT  WHILE 
TRANSLATING  THROUGH  THE  HATCH  AND  TUNNEL.  IF  A  QUICK 
DISCONNECT  RELATED  TO  THE  DRAG-THROUGH  HAS  BEEN  POSITIONED  IN 
PROXIMITY  TO  THE  HATCH,  THE  RESTRAINT  SHALL  NOT  BE  LOCATED 
BETWEEN  THE  DISCONNECT  AND  THE  HATCH. 


A  drag-through  that  is  under  the  control  of  a  crewmember  implies  short-term  use  and  will  be  taken  back 
through  the  hatch  as  a  crewmember  exits  when  circumstances  dictate  hatch  closure.  A  restraint  between 
the  hatch  and  the  quick  disconnect  complicates  the  effort  to  clear  the  hatchway  and  close  the  hatch. 
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A2-331 


CONSTRAINTS  ON  CABLES  THROUGH  THE  SPACEHAB  HATCH 
AND  TUNNEL  (CONTINUED) 


C.  DRAG-THROUGHS  SHALL  NOT  IMPEDE  CREW  NAVIGATION  THROUGH  THE 
HATCHWAY.  A  TRANSLATION  CORRIDOR,  SUFFICIENT  TO  ALLOW  A 
CREWMEMBER  TO  PASS  THROUGH  THE  HATCH,  SHALL  BE  MAINTAINED. 


A  32-inch  minimum  diameter  must  be  maintained  through  the  Spacehab  hatch.  ®[1 11501-4984  ] 


D.  WHERE  PRACTICAL,  AND  WITHIN  DESIGN  LIMITATIONS  AND  TIME 
CONSTRAINTS  IMPOSED  BY  THE  HARDWARE  AND  OPERATIONAL 
REQUIREMENTS,  THE  FOLLOWING  CONSTRAINTS  WILL  BE  IMPLEMENTED: 

@[111501-4984] 

1.  ALL  DRAG-THROUGHS  ROUTED  THROUGH  THE  SPACEHAB  HATCH  SHALL 
BE  CONFIGURED  WITHIN  A  SINGLE  90-DEGREE  SECTION  OF  THE 
HATCH  AS  SHOWN  BY  THE  FIGURE  BELOW: 


DRAG-THROUGHS 


Drag-throughs  should  be  routed  within  the  90-degree  section  of  the  Spacehab  hatch  to  aid  in  the  ability 
of  the  crew  to  quickly  locate  and  remove  hatch  obstructions. 
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A2-331  CONSTRAINTS  ON  CABLES  THROUGH  THE  SPACEHAB  HATCH 

AND  TUNNEL  (CONTINUED) 

2.  DRAG-THROUGHS  SHOULD  BE  ROUTED  SUCH  THAT  A  QUICK  RELEASE 
CONNECTOR  IS  LOCATED  WITHIN  2  FEET  ON  EITHER  SIDE  OF  THE 
SPACEHAB  HATCH.  DISCONNECT  FEATURES  FOR  ALL  DRAG- 
THROUGHS  ROUTED  THROUGH  THE  HATCH  SHOULD  BE  ON  THE  SAME 
SIDE  OF  THE  HATCH. 


The  quick  release  connector  features,  and  constraints  on  having  all  such  connectors  lie  within  2  feet  of 
the  Spacehcib  hatch  and  on  the  same  side  of  the  hatch  for  all  drag-throughs,  allows  quick  location  and 
removal  (tests  show  at  10  seconds  per  quick  release  connector )  of  drag-through  obstructions(s)  to  hatch 
closure.  ®[1 1 1 501  -4984  ] 

3.  DRAG-THROUGHS  SHOULD  BE  LIMITED  TO  NO  GREATER  THAN  FOUR 
DURING  CREW  AWAKE  TIME  AND,  IF  LEFT  IN  PLACE  DURING  THE 
CREW  SLEEP  PERIOD,  THE  NUMBER  OF  DRAG-THROUGHS  ROUTED 
THROUGH  THE  SPACEHAB  HATCH  AND  TUNNEL  SHOULD  BE  REDUCED 
TO  TWO.  @[111501-4984] 


An  operational  limit  of  two  drag-throughs  across  the  Spacehcib  hatch  during  the  crew  sleep  period  has  a 
better  chance  of  accommodating  the  3 -minute  constraint  on  scifing  and  isolating  the  module.  Limiting 
the  number  of  drag-throughs  to  a  maximum  of  four  drag-throughs,  whether  temporary  or  permanent,  will 
minimize  the  risk  in  not  being  able  to  meet  the  3-minute  rapid  scifing  constraint. 

4.  IF  TIME  ALLOWS,  PRIOR  TO  DEMATING  AN  ELECTRICAL 

CONNECTION  EXCEEDING  32  VOLTS  UPSTREAM,  POWER  WILL  BE 
REMOVED . 

E.  THE  BPSMU  IS  THE  ONLY  DRAG-THROUGH  APPROVED  GENERICALLY  FOR 

USE  IN  SPACEHAB.  ADDITIONAL  DRAG-THROUGHS  MAY  BE  APPROVED  ON 
A  MISSION  SPECIFIC  BASIS  AND  LISTED  IN  THE  FLIGHT  SPECIFIC 
ANNEX . 


The  BPSMU  meets  the  requiremen  ts  for  drag-throughs  in  this  rule  and  was  the  only  drag-through 
iden  tified  at  the  time  this  rule  was  written.  It  can  be  used  nominally  for  communication  between  the 
Spacehcib  and  orbiter  or  Spacehcib  and  ISS  when  the  Spacehab  ACS  is  not  available  or  operational. 
®[1 1 1501  -4984]  @[111 501  -4981 E]  ®[1 11501 -4962A]  @[111 501 -4982A  ] 
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A2-332  LOSS  OF  SM  GPC  DURING  SPACEHAB  ACTIVATION/ENTRY 

PREP  ®[1 11501-4981 E] 

A.  LOSS  OF  THE  SYSTEMS  MANAGEMENT  (SM)  GPC  PRIOR  TO  ARS  FAN 
ACTIVATION  WILL  REQUIRE  SUSPENSION  OF  SPACEHAB  ACTIVITIES 
UNTIL  THE  SM  GPC  IS  RECOVERED  OR  THE  ARS  FAN  IS  POWERED. 
CONSIDERATION  WILL  BE  GIVEN  TO  WHICH  EXPERIMENTS  COULD  BE 
OPERATED  IN  THE  SPACEHAB  ASCENT  CONFIGURATION.  @[060800-71 1 6A] 

Nominal  Spacehab  ARS  fan  activation  and  subsystem  reconfiguration  are  achieved  via  the  SM  GPC. 

The  ARS  fan  provides  the  only  means  for  conditioned  air  exchange  with  the  orbiter.  Therefore, 

Spacehab  operations  must  be  postponed  until  the  ARS  fan  can  be  activated.  When  the  Spacehab  is 
powered  for  ascen  t,  the  water  pump  and  several  experimen  t  utility  outlets  are  powered  in  addition  to  the 
ARS  fan  or  Cabin/HFA  fan.  In  the  SM  and  LDM  configurations,  the  ARS  fan  is  the  preferred  fan  to 
operate  during  ascen  t.  In  the  RDM  configuration,  one  HFAfan  is  preferred  over  the  ARS  fan.  Spacehab 
RDM  is  always  powered  for  ascent.  Reference  Rule  / A17-706 },  SPACEHAB  FAN  CONFIGURATIONS. 

B.  LOSS  OF  THE  SYSTEMS  MANAGEMENT  (SM)  GPC  AFTER  SPACEHAB 
ACTIVATION  AND  BEFORE  ENTRY  PREP  IS  NOT  CAUSE  TO  TERMINATE 
SPACEHAB  ACTIVITIES.  @[111094-1733] 

Spacehab  activities  may  continue  because  the  module  remains  in  a  good  configuration  for  operation. 
Nominal  reconfiguration  of  Spacehab  subsystems  during  entry  prep  cannot  be  achieved  without  the  SM 
GPC.  Consideration  will  be  given  to  leaving  Spacehab  equipment  configured  on  orbiter  power  for  entry 
provided  orbiter  resources  are  available.  ®[1 1 1 501-4981 E] 
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A2-333  LOSS  OF  PAYLOAD  MDM  DURING  SPACEHAB  ACT/ENTRY  PREP 

®[1 11501-4981 E] 

A.  PAYLOAD  MDM  FAILURE 

LOSS  OF  PAYLOAD  (PL)  MDM  PL1,  PRIOR  TO  ARS  FAN  ACTIVATION, 
WILL  REQUIRE  SUSPENSION  OF  SPACEHAB  ACTIVITIES  UNTIL  THE  MDM 
IS  RECOVERED  OR  THE  ARS  FAN  IS  POWERED.  CONSIDERATION  WILL 
BE  GIVEN  TO  WHICH  EXPERIMENTS  COULD  BE  OPERATED  IN  THE 
SPACEHAB  ASCENT  CONFIGURATION.  @[060800-71 1 7A] 

Spacehab  Activation  and  subsystem  reconfiguration  are  achieved  via  the  Payload  MDM  1  (PL1 )  and 
otherwise  cannot  be  nominally  performed.  The  ARS  fan  is  important  because  it  provides  the  only  means 
for  conditioned  air  exchange  with  the  orbiter.  Spacehab  operations  must  be  postponed  until  the  ARS  fan 
can  be  activated.  Hard  failure  ofPLl  will  result  in  the  inability  to  activate  Spacehab.  All  Flights  Rule 
{. A7-109F },  IN-FLIGHT  MAINTENANCE  (IFM),  specifies  that  a  PL  MDM  will  only  be  swapped  to 
regain  PLBD  close  capability.  When  the  Spacehab  is  powered  for  ascent,  the  water  pump  and  several 
experiment  utility  outlets  are  powered  in  addition  to  the  ARS  fan  or  Cabin/HF A  fan.  In  the  SM  and  LDM 
configurations,  the  ARS  fan  is  the  preferred  fan  to  operate  during  ascent.  In  the  RDM  configuration,  one 
HFAfan  is  preferred  over  the  ARS  fan.  Spacehab  RDM  is  always  powered  for  ascent.  Reference  Rule 
(A1 7-706},  SPACEHAB  FAN  CONFIGURATIONS. 

B.  LOSS  OF  PAYLOAD  MDM  PL2  DURING  SPACEHAB  ACTIVATION  WILL  NOT 
REQUIRE  SUSPENSION  OF  SPACEHAB  ACTIVITIES.  @[111094-1734] 

Spacehab  activation  does  not  require  Payload  MDM  PL2.  @[060800-71 17A] 

C.  LOSS  OF  EITHER  PAYLOAD  MDM,  PL1  OR  PL2 ,  AFTER  ACTIVATION  AND 
BEFORE  ENTRY  PREP  IS  NOT  CAUSE  TO  TERMINATE  SPACEHAB 
ACTIVITIES . 

Caution  and  warning  parameters,  which  are  nominally  redundantly  monitored  by  the  CWEA  directly  and 
via  the  PL1-GPC-PL2  string,  are  still  monitored  by  the  CWEA  if  either  PL  MDM  fails.  Significant 
command  capability,  including  that  used  during  the  nominal  deactivation  process  (ARS  fan,  cabin/HF A 
fan,  and  water  pump  reconfiguration  for  powered  entry),  is  lost  ifPLl  is  lost.  However,  some  operations 
may  still  be  conducted.  Safety-related  redundant  command  capability  for  fire  suppression  still  exists 
(Standard  Switch  Panel  and  C3A5). 

D.  IF  A  CHOICE  EXISTS  BETWEEN  PL1  AND  PL2 ,  SPACEHAB  PREFERS  PL1 . 

The  majority  of  MDM  discretes  are  through  PL1.  The  impact  of  losing  PL1  is  greater  than  the  impact  of 
losing  PL2.  ®[1 11501-4981 E] 
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A2-334  LOSS  OF  SM  MAJOR  FUNCTION 

TEMPORARY  LOSS  OF  SM  MAJOR  FUNCTION  AFTER  SPACEHAB  ACTIVATION  AND 
BEFORE  SPACEHAB  ENTRY  PREP  IS  NOT  A  CONSTRAINT  TO  CONTINUING 
SPACEHAB  OPERATIONS  IF:  ®[1 11501  -4981 E] 

A.  THE  SPACEHAB-TO-CWEA  INTERFACE  IS  OPERATING  NOMINALLY. 

B.  THE  FOLLOWING  SAFETY  SENSORS  ROUTED  TO  THE  CWEA  ARE 
OPERATIONAL : 

1.  FIRE/SMOKE  DETECTOR  A  OR  B 

2 .  ARS  FAN  DELTA  P  -  SENSOR  2 

3.  (RDM  ONLY)  HFA  FAN  DELTA  P  -  SENSOR  2 

If  the  SM  interface  is  down,  one  of  two  redundant  methods  of  monitoring  safety-critical  parameters  is 
lost.  Module  operations  may  continue  if  the  CWEA  is  still  monitoring  safety  parameters  and  the  sensors 
feeding  the  CWEA  (at  least  one  fire/smoke  and  the  ARS  fan)  are  nominal.  Note  that  monitoring  of 
Spacehab  parameters  is  still  available  on  the  ground  and  via  the  PGSC  in  the  module.  Redundancy  for 
partial  pressure  of  oxygen  ( PPO2 )  and  total  cabin  pressure  is  provided  by  the  orbiter  sensors  via 
hardware  caution  and  warning. 

Loss  of  SM  also  eliminates  a  significant  amoun  t  of  command  capability;  however ,  redundant  methods 
are  still  available  for  fire  suppression.  ®[1 11501  -4981 E] 
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A2-335  LOSS  OF  ORBITER  MASTER  TIMING  UNIT  (MTU) /PAYLOAD 

TIMING  BUFFER 

A.  LOSS  OF  THE  MTU  DURING  SPACEHAB  ACTIVATION  OR  DEACTIVATION  IS 
NOT  A  CONSTRAINT  TO  CONTINUING  SPACEHAB  ACTIVITIES;  HOWEVER, 
NOMINAL  ACTIVATION/DEACTIVATION  CANNOT  BE  PERFORMED. 
CONSIDERATION  WILL  BE  GIVEN  TO  WHICH  EXPERIMENTS  CAN  OPERATE 
IN  THE  SPACEHAB  ASCENT/ENTRY  CONFIGURATION.  ®[1 1 1 501 -4981 E] 


Loss  of  the  MTU  results  in  loss  of  a  clock  signal  to  the  Payload  Signal  Processor  (PSP),  which  causes 
loss  of  commanding  to  Spacehab.  PSP  commanding  is  required  to  perform  a  nominal  Spacehab 
activation  and  deactivation.  Operations  may  still  be  conducted  in  the  ascent/entry  configuration.  If 
Spacehab  is  unpowered  during  ascent,  operations  may  still  be  conducted  using  SSP  and  MDM 
commanding.  ®[1 11501  -4981 E] 

B.  LOSS  OF  THE  MTU  AFTER  SPACEHAB  ACTIVATION  AND  BEFORE  SPACEHAB 
DEACTIVATION  IS  NOT  A  CONSTRAINT  TO  CONTINUING  SPACEHAB 
ACTIVITIES;  HOWEVER,  THE  FOLLOWING  IMPACTS  OCCUR:  ®[1 11501  -4981 E] 

1.  LOSS  OF  PSP  UPLINK  COMMANDING  IS  DOCUMENTED  IN  THE  FLIGHT 
SPECIFIC  ANNEX. 


PSP  commanding  is  lost  when  the  MTU  fails.  All  nominal  uplink  commanding  to  Spacehab  subsystem 
equipment  and  to  some  experiments  is  through  the  PSP. 

2.  LOSS  OF  GREENWICH  MEAN  TIME  (GMT)  TIMETAG  INFORMATION 
INSERTED  BY  THE  DMU  INTO  THE  PDI  DATA  STREAM. 


The  GMT  timetag  is  inserted  into  the  PDI  data  stream  by  the  DMU  for  subsystem  information.  It  is  not 
used  onboard  Spacehab. 

3.  LOSS  OF  GMT  AND  MISSION  ELAPSED  TIME  (MET)  TO  SPACEHAB 
EXPERIMENTS  IS  DOCUMENTED  IN  THE  FLIGHT  SPECIFIC  ANNEX. 


The  MTU  is  the  only  source  of  synchronized  GMT  and  MET  to  Spacehab  and  experimen  ts.  This  could 
cause  degraded  experiment  results.  ®[1 11501  -4981 E] 

A2-336  THROUGH  A2-400  RULES  ARE  RESERVED 
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ORBITER  SYSTEMS  GO/NO-GO 


A2-1001  ORBITER  SYSTEMS  GO/NO-GO 


FOR  LOSS  OF  THE  FOLLOWING:  MDF  NXT  PLS 


PROP 


OMS  ENG 

- 

2? 

OMS  PROP  TNK  LK 

- 

X? 

OMS  ENG  and  1  +X  PROS  JET 

- 

X? 

OMS  ENG  and  <  RCS  STEEP  DEORB  CAP 

- 

X? 

OMS/RCS  FLOW  PATH  (XFD) 

1? 

2? 

AFT  RCS  He  OR  PROP  TNK  LK 

- 

X? 

AFT  PROS  MANIFOLDS 

- 

2?  SAME  SIDE 

OMS  INLET  LNE  LEAK 

- 

1? 

DPS 

GPC’s 

2? 

3? 

MDM’s  SAME  TYPE:  (FF,  FA,  or  PL) 

- 

2? 

MMU 

2? 

- 

FWD  KEYBOARD  (1) 

- 

1? 

DEU/CRT  (4) 

2? 

2 FWD  ?  (1) 

IDP  (4)  DPS  FUNCTION 

2? 

[15] 

2 FWD  ?  (1) 

[14]  [15] 

IDP  (4)  FLIGHT  INSTRUMENT  FUNCTION 

MDU  (11) 

ADC  (4) 

2FWD  ?  (1) 

[14]  [15] 

GNC 

RHC  CHAN  (LFTOR  RT)  (1) 

2? 

SAME  SIDE 

5? 

THC  (LFT)  and  OMS  ENG  (1) 

- 

X?  +X  ONLY 

SBTC  (LFT  OR  RT)  (CHAN) 

3? 

ONE  SIDE 

5?  AD  NOT  AVAILABLE  TO  G&C 

1? 

OTHER  SIDE 

FCS  MODE  AUTO  SW 

" 

2?  ONE  SIDE  and 

1?  OTHER  SIDE 

FCS  MODE  B/F 

2? 

2?  ONE  SIDE  and 

1?  OTHER  SIDE 

SBTC  (LFT  OR  RT)  T/O  SW 

3? 

ONE  SIDE  and 

5?  AD  NOT  AVAILABLE  TO  G&C 

1? 

OTHER  SIDE 

STAR  TRACKER 

2? 

1? 

AND 

COAS  OR  ATT  REF  OR  DAP  PULSE  PB  (2) 

1? 

ADTA 

2? 

3? 

ADI  (LFT  AND  RT)  (2) 

1? 

[13] 

- 

AFT  ADI  (1) 

- 

[13] 

- 

HUD/AMI  (4) 

2? 

[13] 

3? 

[13] 

HUD/AVVI  (4) 

2? 

[13] 

3? 

[13] 

HUD/FWD  ADI  (4) 

2? 

[13] 

3? 

[13] 

HUD  (2) 

- 

- 

HIS  (2) 

- 

[13] 

- 

SPI  (1) 

- 

[13] 

- 

G-METER  (1) 

- 

[13] 

- 

AFT  RCS 

- 

2?  SAME  AXIS  SAME  SIDE 

ELEV,  RUD,  S/B  OR  BF  ACT  CHAN 

- 

2?  SAME  ACT 

ELEVOR  BF  POSN  FDBK 

2? 

3?  SAME  ACT 

ELEV  PRI  DELTA  P 

2? 

3?  SAME  ELEV 

AA  (LAT) 

2? 

3? 

IMU 

- 

2? 

CG  ANOMALY  AND  1  YAW  JET 

- 

X? 

RGA 

2? 

3? 

TACAN 

2? 

3? 

@[101796-4561  A]  ©[040899-2459B]  @[031 500-71 72 D] 
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A2-1001  ORBITER  SYSTEMS  GO/NO-GO  (CONTINUED) 


FOR  LOSS  OF  THE  FOLLOWING: 

MDF 

NXT  PLS 

COMM 

VOICE  (3)  (A/G  1 ,2,UHF) 

- 

2? 

COMMAND  (2) 

2? 

VOICE  +  COMMAND 

- 

ALL? 

PCMMU  (2) 

1? 

2? 

NSP  (2) 

1  D/L? 

2?  (U/L  OR  D/L) 

XPONDER  (2)  1 

2  D/L?? 

2  U/L?  OR  2  D/L+  (1)?? 

ACCU  (2)  (1) 

2? 

1  ?  (1)? 

TELEMETRY 

- 

ALL? 

EECOM 

FES  (TOPPER) 

1? 

- 

FES  (HI-LOAD) 

- 

1? 

FES  PRIMARY  CNTLR 

2? 

3? 

FES  FEED  LINE 

- 

2? 

FREON  LOOP 

- 

1? 

FREON  LOOP  LEAK 

[12] 

FREON  PUMPS 

- 

2?  (IF  FCL  1  PMP  B  AND  FCL  2  PMP  A) 

RFCA  (FAIL  IN  BYPASS/MIN  FLOW) 

1? 

[16] 

RAD  ISOL  VALVE  (FAILED  IN  ISOLATE  OR  LEAK 

1? 

[16] 

ISOLATED  TO  THE  RADIATOR) 

h2o  LOOP 

- 

1? 

h2o  LOOP  LEAK 

1? 

- 

HX  LEAK  (FREON  TO  CABIN  H20) 

- 

1? 

HX  LEAK  (EXCEPT  FREON  TO  CABIN  H20) 

1? 

- 

CABIN  FANS 

1? 

2?  (LANDING  REQUIRED  WITHIN  8  HRS) 

AV  BAY  COOLING 

[1] 

[3]  [4] 

IMU  FANS 

- 

2? 

H20  TANKS  (SUPPLY) 

- 

2? 

H20  TANK  (WASTE) 

- 

(ULLAGE  WILL  DETERMINE  EOM) 

CAB  PRESS  INTEGRITY 

- 

X? 

165  MIN,  8  PSI  RTN 

- 

X? 

PP02  CNTL 

- 

X? 

C02  CNTL 

- 

X? 

CAB  T  CNTL 

- 

X? 

CAB  HUM  CNTL 

- 

X? 

RCRS 

[7] 

[7] 

SPLY  H20  DMP 

- 

X?  (ULLAGE  WILL  DETERMINE  EOM) 

WST  H20  DMP 

- 

X?  (ULLAGE  WILL  DETERMINE  EOM) 

WCS  (ALL  FECAL  OR  ALL  URINE  COLLECTION 

[6] 

[6] 

CAPABILITY) 

SMOKE  DETECTION  (AV  BAY  3A) 

2? 

[2] 

SMOKE  DETECTION  (CABIN) 

3? 

[9] 

FIRE  DETECTED  /SUPPRESSED 

[10]  [11] 

HALON  DISCHARGE  (W/O  FIRE  CONFIRMATION) 

[11] 

HALON  DISCHARGE  (W/O  FIRE  CONFIRMATION) 

[11] 

®[020196-1810A]  ®[061 396-31 04A]  @[050400-7192]  ®[ED  ] 


THIS  RULE  CONTINUED  ON  NEXT  PAGE 


VOLUME  A  11/21/02  FINAL,  PCN-1  FLIGHT  OPERATIONS  2-312 


Verify  that  this  is  the  correct  version  before  use. 


NASA  -  JOHNSON  SPACE  CENTER 


FLIGHT  RULES 


A2-1001  ORBITER  SYSTEMS  GO/NO-GO  (CONTINUED) 


FOR  LOSS  OF  THE  FOLLOWING: 

MDF 

NXT  PLS 

1  EGIL 

h2  or  o2  tanks 

- 

2? 

[8] 

02,  h2  manifolds 

1? 

2? 

FUEL  CELL 

r 

2? 

FC  COMMOM  VENT  LINE  BLOCKAGE 

- 

X? 

FUEL  CELL 02 PURGE 

- 

-  (PERFORMANCE  WILL  DETERMINE  EOM) 

FUEL  CELL  PRIMARY  H20  FLOW  TO  ECLSS 

2? 

3? 

PRI  &  B/U  C&W 

- 

2? 

MAIN  DC  BUSES 

DAI ,  DA2,  OR  DA3 

- 

1? 

FPC1  OR  FPC2  OR  FCP3 

1? 

- 

FLC2  OR  FLC3 

1? 

- 

MPC1 ,  MPC2,  OR  MPC3 

- 

1? 

MNAMMC  1  OR  3 

- 

1? 

MNBMMC2  0R4 

- 

1? 

MNCMMC2  0R4 

- 

1? 

MNC  016 

1? 

- 

CONTROL  BUSES 

AB1 ,  AB2,  AB3,  BC1,  BC2,  BC3, 

- 

1?  (1) 

[17]  [18] 

CA1 ,  CA2,  OR  CA3 

- 

1?  (1) 

[17] 

ESSENTIAL  BUSES 

1 BC  DAI ,  1 BC  MPC1 ,  OR  1 BC  FD 

1?  (FC1  LOST) 

- 

2CA  DAI ,  2CA  MPC1 ,  OR  2CA  FD 

1?  (FC2  LOST) 

- 

3AB  DAI ,  3AB  MPC1 ,  OR  3AB  FD 

1?  (FC  3  LOST) 

- 

AC  INVERTERS  OR  NONSHORTED  BUS 

X(l) 

- 

(2  OF  3  PHASES) 

AC  BUSES 

ANY  AC  PHASE  (SHORT) 

- 

1? 

AC1  MMC  1  OR  3 

- 

1? 

AC2  MMC  2 

- 

X? 

AC2  MMC  4 

- 

X? 

AC3  MMC  2  OR  4 

- 

1? 

AC2  OR  AC3  (ANY  PHASE) 

- 

1?  +  CAB  FAN 

1  MMACS 

APU  OR  HYD 

- 

2? 

WSB 

- 

2? 

LDG  GEAR  DPLY  METHODS 

- 

2? 

PBD  DRIVE  MTRS 

1  CLS  ? 

2  OPEN  ? 

PBD  NOT  OPEN 

1  C/L? 

X? 

PRESS/REDUN  WNDW  FL 

- 

X? 

CONFIRMED  TIRE  LEAK 

- 

[51 

@[101796-4561  A]  ®[ED  ]  @[011801-3851] 

1  LEGEND 

- 

= 

NO  REQUIREMENT 

? 

= 

(DOWN  ARROW)  SYSTEM/CAPABILITY  LOSS 

1? 

= 

ONE  SYSTEM  INOPERATIVE 

X? 

= 

ANY  NUMBER  OF  SYSTEM/CAPABILITIES  LOST 

i!) _ 

= 

IFM  CAPABILITY  EXISTS 

THIS  RULE  CONTINUED  ON  NEXT  PAGE 
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A2-1001  ORBITER  SYSTEMS  GO/NO-GO  (CONTINUED) 


NOTES: 

[1]  MDF  FOR  LOSS  OF  COOLING  TO  TWO  GPC’s  (DUE  TO  UNACCEPTABLE  TEMPERATURE). 

[2]  PLS  FOR  POWERDOWN  OF  C&W.  C&W  MAY  REMAIN  POWERED  IF  IT  WAS  NOT  THE  SOURCE  OF  A  POTENTIAL 
FIRE  INDICATION  AND  IF  THE  AVIONICS  BAY  IS  EXPOSED  TO  THE  CABIN  FOR  USE  OF  THE  CABIN  SMOKE 
DETECTORS.  REF  RULES  {A1 7-51  A}. 3,  MANAGEMENT  FOLLOWING  LOSS  OF  SMOKE  DETECTION,  AND  [A17- 
1001  A},  LIFE  SUPPORT  GO/NO-GO  CRITERIA.  @[090894-1675]  ®[ED  ] 

[3]  PLS  FOR  LOSS  OF  COOLING  TO  THE  C&W. 

[4]  ENTER  NEXT  PLS  IF  A  SINGLE  ELECTRICAL  FAILURE  (AC  BUS)  COULD  CAUSE  THE  LOSS  OF  AIR  COOLING  TO 
AVIONICS  BAYS. 

[5]  ENTER  NEXT  PLS  IF  TIRE  PRESSURE  WILL  BE  <l275  PSIG  (290  PSIA)  MAINS,  260  PSIG  (275  PSIA)  NOSE  AT  NEXT  PLS 
LANDING  OPPORTUNITY  PLUS  2  DAYS.  @[090894-1675  ] 

[6]  THE  NUMBER  OF  ALTERNATE  WASTE  COLLECTION  BAGS,  NUMBER  OF  CREW  AND  THEIR  DEFECATION/ 
URINATION  RATE  WILL  DETERMINE  EOM. 

[7]  QUANTITY  OF  LIOH  CANISTERS  AND  CREW  SIZE  WILL  DETERMINE  EOM.  A  MINIMUM  OF  2  DAYS  OF  UNUSED 
LIOH  MUST  BE  HELD  IN  RESERVE  TO  PASS  A  PLS  OPPORTUNITY.  REF.  RULE  [A17-157],  LIOH  REDLINE 
DETERMINATION.  @[092293-15316] 

[8]  EDO  PALLET  TANKS  ARE  EXEMPT  FROM  THIS  RULE  UNLESS  THE  FAILURES  ARE  DETERMINED  TO  BE  GENERIC. 

[9]  PLS,  UNLESS  AT  LEAST  ONE  CREWMEMBER  REMAINS  AWAKE  IN  ORBITER  CABIN  TO  MONITOR  SMOKE 
CONDITIONS  AT  ALL  TIMES.  REF  RULE  [A17-51 B],  MANAGEMENT  FOLLOWING  LOSS  OF  SMOKE  DETECTION. 

[10]  ELS  OR  PLS  IS  REQUIRED  BASED  UPON  AVAILABLE  N2  FOR  02  CONTROL  SINCE  CREW  MUST  REMAIN  ON 
QDM/LES  IF  TOXIC  COMBUSTION  PRODUCTS  CANNOT  BE  SATISFACTORILY  REMOVED  FROM  THE  CABIN 
ATMOSPHERE.  REF  RULE  [A13-152C],  CABIN  ATMOSPHERE  CONTAMINATION.  FOR  AV  BAY  FIRES,  THE 
EXTENT  OF  THE  DAMAGE  TO  EQUIPMENT  AND  WIRE  BUNDLES  IS  UNKNOWN;  THEREFORE,  EVEN  IF  THE 
ATMOSPHERE  HAS  BEEN  CLEANED  UP,  A  PLS  WILL  BE  PERFORMED  TO  MINIMIZE  THE  RISK  OF  THE 
OCCURRENCE  OF  AN  ADDITIONAL  FIRE  OR  ARC  TRACKING. 

[11]  EOM  IS  BASED  UPON  HALON  EXPOSURE  CRITERIA.  REF  RULE  [A13-152],  CABIN  ATMOSPHERE  CONTAMINATION. 
@[090894-1675] 

[12]  FOR  A  LEAKING  FREON  LOOP  THAT  WILL  SUPPORT  NEXT  PLS  BUT  NOT  THE  FOLLOWING  PLS,  A  PLS  WILL  BE 
DECLARED  IN  ORDER  TO  ACHIEVE  A  NOMINAL  D/O  PREP  AND  ENTRY.  A  LOSS  OF  ONE  FREON  LOOP  ENTRY 
REQUIRES  A  POWERDOWN  TO  14  KW.  @[061 396-31 04A] 

[13]  N/A  FOR  MEDS  CONFIGURED  VEHICLES.  ©[040899-2459B] 

[14]  IDP’S  ARE  REQUIRED  FOR  PASS  AND  BFS  INTERFACE  AND  TO  DISPLAY  THE  ADI,  AMI,  AND  AVVI  AND  HSI. 
©[040899-2459B]  @[031 500-71 72D] 

[15]  LOSS  OF  EITHER  FUNCTION,  DPS  OR  FLIGHT  INSTRUMENT,  IN  ANY  THREE  SEPARATE  IDP’S  IS  PLS. 

[16]  NEXT  PLS  IS  REQUIRED  (NOT  INCLUDING  FIRST  DAY  PLS),  FOR  LOSS  OF  RADIATOR  COOLING  IN  ONE  LOOP,  IF 
SUPPLY  H20  QUANTITIES  AND  MANAGEMENT  PLAN  WILL  NOT  SUPPORT  THE  FOLLOWING  PLS  WITH  THE  NEXT 
WORST  FAILURE  (LOSS  OF  THE  GOOD  FREON  LOOP).  ASSUMING  WATER  QUANTITIES  WILL  SUPPORT  THE  NEXT 
WORST  FAILURE,  THE  MISSION  MAY  BE  EXTENDED  TO  THE  SUBSEQUENT  PLS  OPPORTUNITIES.  @[050400-7192  ] 
@[092701 -4865D] 

ELS  WILL  BE  REQUIRED  IF  THE  NEXT  WORSE  FAILURE  OCCURS  BEFORE  SUPPLY  WATER  QUANTITIES  CAN 
SUPPORT  NEXT  PLS.  @[050400-7192]  @[092701 -4865D] 

[17]  FOR  FAILURES  OF  CONTROL  BUSSES  AB1 ,  AB2,  BC1 ,  BC2,  CA1 ,  OR  CA2  SUCH  THAT  A  PUBLISHED  IFM  WOULD 
RECOVER  PLBD  FUNCTIONS  LOST  WITH  THE  FAILED  BUS,  THE  IFM  MAY  BE  CONSIDERED  A  LEVEL  OF 
REDUNDANCY  FOR  MISSION  PLANNING  PURPOSES.  (REF  RULE  [A9-57],  REUSABLE  FC.)  @[011801-3851  ] 

[18]  FAILURE  OF  CNTLAB1  RESULTS  IN  LOSS  OF  OMS  X-FEED  AND  REPRESS  CAPABILITY.  A  G-MEM  MAY  BE  SENT  TO 
REGAIN  THE  LOST  FUNCTION.  @[011801-3851  ] 
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GENERAL 


A3-1  GROUND  AND  NETWORK  DEFINITIONS 

A.  MCC  IS  DEFINED  AS  THE  EQUIPMENT  AND  FUNCTIONALITY  PROVIDED  BY 

THE  JSC  BUILDING  30  COMPLEX  AND  ASSOCIATED  INFRASTRUCTURE  AT 
JSC  WHICH  PROVIDES  POWER,  COOLING,  AND  COMMUNICATIONS  TO 
BUILDING  30.  ©[062702-5502C] 

B.  INTEGRATED  NETWORK  INCLUDES  THE  FOLLOWING : 

1.  THE  NASA  GROUND  TRACKING  AND  DATA  STATIONS  AT  MILA,  DFRC, 
WLP ,  PDL ,  AND  INCLUDING  JDI . 


Even  though  JDI  is  part  of  the  Eastern  Range  operated  by  the  USAF  45th  Space  Wing  at  the  Jonathan 
Dickinson  Missile  Test  Annex  (JDMTA),  for  the  purposes  of  this  rule  it  is  considered  part  of  the  NASA 
network. 

2.  THE  SPACE  NETWORK  INCLUDING  THE  WHITE  SANDS  COMPLEX  (WSC) 
FACILITY  AND  FUNCTIONALITY  AS  WELL  AS  THE  TDRS 
SATELLITES . 

3.  GSFC  FACILITIES  THAT  PROVIDE  COMMUNICATIONS  RELAY  AND 

SCHEDULING:  THE  MISSION  OPS  SUPPORT  AREA  (MOSA) ,  FLIGHT 

DYNAMICS  FACILITY  (EDF )  AND  THE  NETWORK  CONTROL  CENTER 
(NCC)  AND  ASSOCIATED  INFRASTRUCTURE  AT  GSFC  WHICH 
PROVIDES  POWER,  COOLING,  AND  COMMUNICATIONS  TO  THOSE 
FACILITIES . 

4.  NASA  AND  USAF  RADAR  TRACKING  SITES  AS  SHOWN  IN  THE  MATRIX 
IN  RULE  { A3-102 } ,  INTEGRATED  NETWORK  FAILURE  DECISION 
MATRIX.  ®[ED  ] 

5.  COMMERCIAL  LINKS  CONNECTING  JSC,  GSFC,  WSC,  KSC,  DFRC, 

ETC  . 

6.  INTERCONNECTIVITY  TO  USAF  RTS  SITES  ©[062702-5502C] 

THIS  RULE  CONTINUED  ON  NEXT  PAGE 
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A3-1  GROUND  AND  NETWORK  DEFINITIONS  (CONTINUED) 

C.  CRITICAL  SHUTTLE  FLIGHT  PHASES  ARE  DEFINED  AS  LAUNCH  THROUGH 

GO  FOR  ORBIT  OPS  OR  INTACT  ABORT  LANDING  AND  GO  FOR  DEORBIT 
BURN  THROUGH  WHEELSTOP  .  ®[062702-5502C] 

D.  TRAJECTORY  PROCESSING  IS  DEFINED  AS  THE  CAPABILITY  OF  THE  MCC 
TO  TAKE  TRAJECTORY  DATA  FROM  VARIOUS  SOURCES  (RADAR  TRACKING, 
S-BAND  DOPPLER,  ONBOARD  INERTIAL  NAVIGATION,  ONBOARD  GPS)  AND 
IN  REAL  TIME  COMPUTE  CURRENT  STATE  AND  PERFORMANCE  CAPABILITY 
THAT  ARE  USED  TO  DETERMINE  ABORT  MODE  CAPABILITY,  MANEUVER 
TARGETS,  AND  TO  MAKE  OTHER  MISSION  CRITICAL  DECISIONS. 
REFERENCE  RULE  {A3-51},  TRAJECTORY  PROCESSING  REQUIREMENTS. 
®[062702-5502C] 

A3-2  GROUND  AND  NETWORK  OVERALL  PHILOSOPHY 

A.  MANDATORY  REQUIREMENTS:  AIR  TO  GROUND  VOICE,  COMMAND,  HDR 
TELEMETRY,  AND  TRAJECTORY  PROCESSING  DURING  CRITICAL  PHASES 
OF  FLIGHT  IS  MANDATORY.  THE  MCC  AND  INTEGRATED  NETWORK 
EQUIPMENT  AND  ASSOCIATED  SOFTWARE  TO  PROVIDE  THESE  MANDATORY 
FUNCTIONS  MUST  BE  AVAILABLE  AND  SCHEDULED  TO  INITIATE  A 
CRITICAL  ACTIVITY.  ®[062702-5502C] 


The  MCC  and  network  provide  the  ability  to  collect,  process,  and  display  the  information  needed  to 
invoke  mission  rule  decision,  analyze  subsystem  performance  to  prevent  failures,  and  to  relieve  the  flight 
crew  of  the  need  to  monitor  subsystems  in  detail.  Command  provides  the  means  to  configure  onboard 
systems  for  nominal  operations  as  well  as  for  anomaly  resolu  tion.  Command  is  required  to  provide 
uplink  remedies  to  systems  problems  which  require  off-nominal  systems  configurations  that  can  be  most 
effectively  accomplished  or  in  some  cases  only  accomplished  from  the  ground.  A/G  voice  provides  the 
means  to  communicate  between  the  flight  crew  and  the  flight  control  team  for  mission  activities,  abort 
region  definition,  anomaly  resolutions,  and  many  other  activities. 

This  rule  states  a  general  principle  which  must  be  understood  in  the  light  of  what  is  technically  feasible. 
For  example,  the  mandatory  requirement  is  not  meant  to  imply  that  there  can  be  no  short  gaps  since  site 
handovers,  etc.,  will  lead  to  momentary  outages.  Additionally,  the  next  rule  gives  greater  detail  to  parts 
of  critical  periods  when  longer  outages  can  be  allowed.  ®[062702-5502C] 

THIS  RULE  CONTINUED  ON  NEXT  PAGE 
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A3— 2  GROUND  AND  NETWORK  OVERALL  PHILOSOPHY  (CONTINUED) 

B.  REDUNDANCY:  ©[062702-5502C] 

1.  SCHEDULING:  REDUNDANCY  IN  MANDATORY  MCC  AND  INTEGRATED 
NETWORK  FUNCTIONS  SHALL  BE  SCHEDULED  AND  PLANNED  TO  BE 
AVAILABLE  AT  THE  INITIATION  OF  A  CRITICAL  ACTIVITY. 

NOTE:  REDUNDANCY  IS  NOT  REQUIRED  WHEN  SCHEDULING  FOR  THE 

TDRSS  NETWORK. 

TDRSS  network  redundancy  is  well  demonstrated  and  tying  up  resources  by  scheduling  redundant 
services  is  not  required.  Loss  of  TDRSS  service  has  been  demonstrated  in  practice  to  be  very  remote  and 
emergency  rescheduling  using  alternate  equipment  is  very  rapid.  TDRSS  network  redundancy  is  based 
on  having  multiple  satellites  in  both  eastern  and  western  locations,  two  independent  ground  stations, 
multiple  communication  paths  between  WSC  and  MCC,  and  full  redundancy  in  scheduling  and  other 
supporting  equipment.  The  TDRSS  network  has  more  users  than  can  be  scheduled  so  it  is  prudent  to  not 
explicitly  schedule  redundant  TDRSS  coverage. 

2.  LOSS  OF  REDUNDANCY:  REDUNDANCY  IS  NOT  REQUIRED  TO 
INITIATE  A  CRITICAL  ACTIVITY.  FOLLOWING  A  FAILURE  THAT 
CAUSES  LOSS  OF  REDUNDANCY,  IF  FEASIBLE,  THE  REMAINING 
SINGLE  STRING  SHOULD  BE  DEMONSTRATED  TO  BE  FUNCTIONAL 
PRIOR  TO  THE  INITIATION  OF  A  CRITICAL  ACTIVITY. 

It  is  prudent  to  support  mission  critical  operations  with  redundancy.  MCC  and  Network  functions  are  by 
design  very  reliable.  Operational  history  has  demonstrated  that  MCC  and  Network  functional  reliability 
is  very  high.  When  operating  on  a  single  string  of  equipment  that  is  demonstrated  to  be  functioning, 
which  is  not  annunciating  an  alarm  or  operating  in  an  anomalous  manner,  there  is  a  very  low 
probability  of  failure  in  the  short  time  duration  of  a  shuttle  critical  phase.  Unless  there  is  direct 
evidence  to  conclude  a  failure  is  imminen  t  on  operating  equipmen  t,  there  is  no  reason  to  delay  a  critical 
scheduled  event  for  failure  of  a  redundant  string.  Conversely,  if  analysis  of  a  failed  system  clearly 
indicates  a  threat  to  the  remaining  equipment,  it  is  prudent  not  to  initiate  a  critical  activity  if  possible. 

3.  RECOVERY  OF  LOST  REDUNDANCY:  RECOVERY  OF  REDUNDANT 
EQUIPMENT  SHOULD  NOT  BE  ATTEMPTED  IF  THERE  IS  RISK  TO  THE 
PLANNED  T=0  OR  DEORBIT  TIG. 

Recovery  of  redundant  equipment  or  function  generally  has  a  non-zero  risk  of  operator  error  or  other 
reason  causing  loss  of  the  functioning,  mandatory  equipmen  t  string.  At  pre-defined  times  for  launch  or 
deorbit,  this  risk  should  not  be  incurred.  ©[062702-5502C] 
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A3-3  GROUND  AND  NETWORK  DETAILED  REQUIREMENTS 

A.  ASCENT 

1.  NOMINAL  ASCENT:  AIR  TO  GROUND  VOICE,  COMMAND,  TELEMETRY, 
AND  TRAJECTORY  PROCESSING  ARE  MANDATORY  FROM  LIFTOFF 
THROUGH  MET  15  MINUTES.  FROM  MET  15  MINUTES  THROUGH  GO 
FOR  ORBIT  OPS,  IT  IS  HIGHLY  DESIRABLE  TO  HAVE  THE  MAXIMUM 
DURATION  OF  COVERAGE  POSSIBLE  FOR  AIR  TO  GROUND  VOICE, 
COMMAND,  TELEMETRY,  AND  TRAJECTORY  PROCESSING.  ®[062702-5502C] 

IN  ADDITION  TO  MANDATORY  S-BAND  TWO-WAY  VOICE,  UHF  TWO- 
WAY  VOICE  IS  REQUIRED  AS  A  BACKUP  DURING  LAUNCH  FROM 
LIFTOFF  THROUGH  NOMINAL  HANDUP  TO  TDRS  AND  IS  HIGHLY 
DESIRABLE  THROUGH  MILA  LOS  OR  UNTIL  RTLS  LANDING. 

Redundant  A/G  voice  is  necessary  for  abort  request  and  abort  region  calls  and  to  rapidly  convey  verbal 
responses  to  observed  subsystem  anomalies  and  rule  violations.  The  availability  of  both  S-band  and 
UHF  ensures  that  SRB  plume,  station  handovers,  and  most  onboard  and  ground  subsystem  failures  will 
not  result  in  disruption  of  A/G  voice  capability  causing  critical  calls  to  be  missed.  Early  in  ascent, 

TDRS  is  not  thought  to  be  acceptable  due  to  antenna  look  angles,  structural  blockage,  etc.  Therefore, 
MILA,  PDL,  and  JDI  provide  communications  link  capability. 

The  latter  stages  of  ascent,  after  TDRS  handup  between  7  and  8  minutes  MET,  are  supported  by  TDRS. 
The  TDRS  network  has  more  user  requirements  than  can  be  accommodated  thus  requiring  priority 
scheduling.  TDRS  schedule  should  include  uninterrupted  communications  through  the  latest  underspeed 
MECO  that  occurs  no  later  than  MET  13  minutes.  An  additional  2  minutes  to  assess  the  situation  and 
provide  maneuver  direction  to  the  crew  can  be  accomplished  by  a  well-practiced  MCC  team.  This  means 
that  TDRS  scheduling  should  support  through  MET  15  minutes  at  a  minimum. 

To  ensure  mission  success  for  rendezvous  missions  and  to  resolve  any  anomalies  that  may  have  occurred 
during  ascent,  it  is  prudent  and  highly  desirable  to  have  the  maximum  available  communications 
capability  through  OMS-2  cutoff.  Following  that,  to  ensure  timely  anomaly  resolution  and  to  provide  the 
maximum  efficiency  and  mission  success  through  the  complex  tasks  of  early  post  insertion  (OPS  2 
transition,  opening  payload  bay  doors,  initiating  radiator  cooling,  etc.),  communications  is  vital.  Go  for 
Orbit  Ops  normally  occurs  at  about  1  hr  30  min  MET. 

From  the  TDRS  perspective,  command,  telemetry,  and  voice  are  either  both  available  simultaneously  or 
not;  they  are  not  independent.  ©[062702-5502C] 
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A3-3  GROUND  AND  NETWORK  DETAILED  REQUIREMENTS 

(CONTINUED) 

2.  RTLS ,  TAL:  CONTINUOUS  AIR  TO  GROUND  VOICE,  COMMAND, 
TELEMETRY,  AND  TRAJECTORY  PROCESSING  ARE  MANDATORY  FOR 
RTLS  OR  TAL  FOLLOWING  ABORT  DECLARATION  THOUGH  INTACT 
ABORT  LANDING  INCLUDING  POST-LANDING.  ©[062702-5502C] 

This  requirement  for  TAL  may  be  met  by  the  use  of  an  emergency  SHO  for  the  TDRS  network  since 
landing  occurs  at  approximately  MET  37  minutes.  RTLS  requirements  may  be  covered  by  scheduling 
MILA  alone.  The  declaration  of  cm  RTLS  or  TAL  abort  results  in  procedures  that  involve  additional 
risk.  MCC  support  is  required  and  will  normally  be  available  throughout  the  RTLS  or  TAL.  This 
increased  insight  into  systems  performance  and  additional  expertise  significantly  increases  the 
probability  of  a  successful  landing  with  a  vehicle  that  has  already  had  a  major  systems  failure.  A/G 
voice  is  required  to  coordinate  any  recommendations  to  the  crew  and  to  relay  to  the  crew  fined  weather , 
runway,  landing  aid,  and  major  systems  status. 

3.  ATO,  AOA :  FOR  THE  PERIOD  FROM  MET  15  MINUTES  THROUGH 
LANDING  FOR  AOA  OR  LANDING  FOR  FIRST  DAY  PLS  OR  THROUGH 
GO  FOR  ORBIT  OPS  FOR  ATO,  IT  IS  HIGHLY  DESIRABLE  TO  HAVE 
THE  MAXIMUM  DURATION  OF  COVERAGE  POSSIBLE  FOR  AIR  TO 
GROUND  VOICE,  COMMAND,  TELEMETRY,  AND  TRAJECTORY 
PROCESSING. 

4.  ASCENT  TRAJECTORY  PROCESSING  SUPPORT: 

a.  ASCENT  RADAR  TRACKING:  DUAL  TRACKING  IS  HIGHLY 

DESIRABLE  FROM  EITHER  ONE  S-BAND  AND  ONE  C-BAND,  OR 
TWO  C-BANDS  FROM  LIFT-OFF  THROUGH  MECO  PLUS  1  MINUTE. 

Dual  source  tracking  is  desired  to  allow  monitoring  of  the  health  of  onboard  navigation  during  powered 
flight,  to  provide  delta  state  uplink  capability  to  correct  extreme  onboard  navigation  errors  which  could 
result  in  unsafe  or  mission  -limiting  MECO  conditions  for  an  ascen  t  to  orbit  or  an  RTLS,  and  to  provide 
cm  independen  t  ground  navigation  source  for  ascen  t  performance  boundary  calls.  To  obtain  an  accurate 
post-MECO  ground  filter  vector,  a  minimum  of  1  minute  of  tracking  post-MECO  is  required  for 
processor  convergence.  An  accurate  post-MECO  ground  filter  vector  may  be  used  to  update  onboard 
navigation  before  OMS-2  if  required  to  significantly  decrease  deltcr-V  cost  due  to  planar  error  for 
ground-up  rendezvous  flights,  or  before  OMS-1  or  OMS-2  if  the  gain  in  deltci-V  capability  would  prevent 
ascent  capability  downmoding.  ®[062702-5502C] 

THIS  RULE  CONTINUED  ON  NEXT  PAGE 
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A3-3  GROUND  AND  NETWORK  DETAILED  REQUIREMENTS 

(CONTINUED) 


Ground  tracking  through  MECO+1  is  highly  desirable  rather  than  mandatory  because  flight  history  and 
Mean  Time  Between  Failure  (MTBF)  data  show  that  the  probability  of  either  software  or  hardware 
failures  corrupting  onboard  navigation  during  ascent  are  extremely  small.  MTBF  studies  for  the  HAINS 
IMU’s,  GPC’s,  and  MDM’s  indicate  a  probability  of  loss  of  two  IMU’s  to  be  on  the  order  of  10'^. 
Although  recovery  of  corrupted  onboard  navigation  by  means  of  a  powered  flight  delta  state  is 
theoretically  possible,  and  would  be  attempted  if  required,  success  at  all  times  during  the  ascent  is  not  a 
certainty.  With  regard  to  onboard  navigation  errors  which  are  not  large  enough  to  pose  a  safety 
concern,  but  which  could  affect  the  mission,  the  history  of  post-MECO  state  vector  updates  shows  that 
although  there  are  worthwhile  paybacks  in  propellant  margin,  their  absence  would  not  adversely  impact 
propellant  budgets.  For  these  reasons,  ground  tracking  requirements  through  MECO  for  due  east 
launches  were  abandoned  by  the  shuttle  program  as  a  cost  savings  measure.  Ground  tracking  through 
MECO  +1  is  only  available  for  high  inclination  launches.  ©[062702-5502C] 

Upon  removed  of  the  Range  Safety  destruct  package  from  the  external  tank,  the  flight  crew/MCC  assumes 
responsibility  for  public  safety  during  second  stage.  The  tracking  navigation  state  precludes  limit  line 
violation  due  to  severe  onboard  navigation  problems  (state  vector  update  or  manual  MECO)  and 
prevents  loss  of  External  Tank  Impact  Point  prediction  due  to  telemetry  loss/data  dropouts.  At  the 
existing  limits  of  ground  tracking,  ET  IP  no  longer  endangers  North  American  landmasses  or  islands. 

Ground  radar  tracking  is  only  highly  desirable  for  NASA  pu  rposes  during  the  early  phases  of  ascen  t  as 
shown  by  the  table  in  Rule  {A3-102J,  INTEGRATED  NETWORK  FAILURE  DECISION  MATRIX.  Note 
that  the  Eastern  Range  has  a  more  constraining  requirement.  If  all  east  coast  radars  are  functioning,  for 
high  inclination  launches  radar  tracking  can  be  extended  to  nominal  MECO  +1  minute.  For  low 
inclination  launches,  radar  tracking  is  lost  prior  to  8  minutes  MET.  It  is  desirable  to  have  ground  radar 
verification  of  the  MECO  state.  ®[ED  ] 

b.  RTLS  ENTRY  RADAR  TRACKING:  TRACKING  IS  HIGHLY 

DESIRABLE  FROM  EITHER  ONE  S-BAND  AND  ONE  C-BAND,  OR 
TWO  C-BANDS  FROM  RTLS  MECO  TO  100K  FEET. 

The  TSU  trajectory  processor  Kalman  filter  cannot  meet  ground  accuracy  requiremen  ts  with  only  one 
source  of  tracking  data;  the  filter  requires  at  least  two  sources.  The  100k  feet  altitude  constraint  was 
chosen  to  allow  sufficient  time  to  assess  the  vehicle  energy  conditions  and  to  update  onboard  navigation 
state  (after  nominal  TACAN  acquisition)  in  order  to  correct  a  violation  of  delta  state  limits.  Dual 
tracking  capability  also  allows  time  to  GCA  to  within  guidance  limits  prior  to  TAEM.  ©[062702-5502C] 
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c.  AOA/PLS :  DUAL  TRACKING  CAPABILITY  ABOVE  100K  FEET  IS 

HIGHLY  DESIRABLE  BUT  IS  NOT  SCHEDULED  FOR  AOA  AND  PLS 
D  E  0  RB I  T  .  ®[062702-5502C] 

In  the  event  that  a  delta  state  is  uplinked,  it  allows  proper  onboard  verification  to  be  performed  through 
100k  feet  (tracking  not  required  below  100k  feet). 

d.  FD1  PLS  ONLY:  AT  LEAST  ONE  TDRS  OR  TWO  C-BAND  RADAR 
PASSES  ARE  REQUIRED  TO  SUPPORT  PRE-DEORBIT  STATE 
VECTOR  ACCURACY. 

For  AOA  and  PLS  deorbits,  best  effort  call  up  of  high  speed  tracking  resources  is  accepted  (ref  Rule 
{A3- 102},  INTEGRATED  NETWORK  FAILURE  DECISION  MATRIX).  The  time  between  launch  and 
landing  for  an  AOA  deorbit  is  short  enough  to  consider  onboard  navigation  autonomous,  and  although 
best  effort  tracking  call  up  will  be  requested,  it  is  not  mandatory.  There  is  a  high  probability  of 
obtaining  PLS  tracking  support  from  KSC  or  EDW  area  radars  on  a  best  effort  basis  if  the  ranges  are 
given  more  than  3  hours  advance  notice.  There  is  little  chance  of  obtaining  such  support  for  a  NOR  PLS 
deorbit  unless  the  request  is  made  during  duty  hours.  Tracking  support  is  virtually  assured  at  all  three 
CONUS  sites,  given  24  hours  notice  (ref.  AEFTP  #82  minutes).  ®[ED  ] 

Post  MECO  tracking  is  required  for  flight  day  1  deorbit  cases  in  order  to  ensure  the  onboard  state 
vector  meets  deorbit  burn  accuracy  requirements.  For  high  inclination  launches  (57  deg  and  51.6  deg), 
at  least  one  TDRS  is  required  for  orbit  3  cases,  because  the  ground  tracks  for  orbits  1  through  3  do  not 
permit  adequate  C-Band  coverage  (ref.  Rules  { A4-101 },  ONBOARD  NAVIGATION  MAINTENANCE, 
and  (A3- 102},  INTEGRATED  NETWORK  FAILURE  DECISION  MATRIX  -  Note  [2]).  ®[ED  ] 

e.  FOR  COMMIT  TO  LAUNCH  AND  SCHEDULING  PURPOSES,  EOM 
DUAL  TRACKING  CAPABILITY  (TWO  C-BANDS  OR  ONE  S-BAND 
AND  ONE  C-BAND)  FROM  ABOVE  10  OK  FEET  TO  THE  GROUND  IS 
NOT  MANDATORY.  IF  ANY  OF  THE  CAPABILITIES  LISTED  IN 
PARAGRAPH  B3  BELOW  ARE  NOT  EXPECTED  TO  BE  AVAILABLE 
PRIOR  TO  DEORBIT  TIG,  SCHEDULING  EOM  DUAL  TRACKING 
BECOMES  MANDATORY.  ®[062702-5502C] 
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5.  REDUNDANCY  FOR  ASCENT  INCLUDING  INTACT  ABORTS: 

©[062702-5502C] 

a.  REDUNDANCY  IN  EQUIPMENT  AND  NETWORK  SCHEDULING  FOR 
AIR  TO  GROUND  VOICE,  COMMAND,  TELEMETRY,  AND 
TRAJECTORY  PROCESSING  SHALL  BE  PLANNED  AND  SCHEDULED 
FOR  LAUNCH  THROUGH  GO  FOR  ORBIT  OPS  OR  INTACT  ABORT 
LANDING.  NOTE:  FOR  TDRS  SCHEDULING  REDUNDANCY  IS 
NOT  REQUIRED. 

b.  CONSIDERATION  WILL  BE  GIVEN  TO  ATTEMPTING  TO  REGAIN 
FAILED  REDUNDANT  EQUIPMENT  IF  THE  RECOVERY  WILL  NOT 
AFFECT  THE  REMAINING  MANDATORY  EQUIPMENT  AND  RECOVERY 
PROCEDURES  ETRO  IS  PRIOR  TO  THE  NOMINAL  PLANNED  TIME 
FOR  COMING  OUT  OF  THE  T-9  MINUTE  HOLD. 

C.  RECOVERY  EFFORTS  FOR  FAILED  REDUNDANT  EQUIPMENT  IN 

THE  MCC  AND  INTEGRATED  NETWORK  WILL  NOT  BE  PERFORMED 
BETWEEN  T-9  MINUTES  AND  COUNTING  AND  MET  15  MINUTES 
OR  LANDING  FOR  RTLS  OR  TAL . 

B.  DEORBIT/ENTRY 

1.  PRE-DEORBIT:  IT  IS  HIGHLY  DESIRABLE  TO  HAVE  THE  MAXIMUM 

DURATION  OF  COVERAGE  POSSIBLE  FOR  AIR  TO  GROUND  VOICE, 
COMMAND,  TELEMETRY,  AND  TRAJECTORY  PROCESSING  FROM  TIG-4 
HR  TO  DEORBIT  DECISION.  REDUNDANCY  IS  DESIRABLE  BUT  NOT 
REQUIRED . 


Preparing  the  orbiterfor  entry  includes  a  number  of  complex  and  critical  steps  such  as  moding  flight 
software  to  OPS  3,  closing  the  payload  bay  doors,  activating  FES  cooling.  Having  MCC  connectivity 
troubleshoot  any  anomalies  that  may  occur  is  very  useful.  Additionally,  MCC  is  prune  to  provide  deorbit 
maneuver  targets  and  to  assess  landing  site  readiness  including  weather.  Deorbit  decision  time  is 
normally  TIG  -  23  minutes.  ®[062702-5502C] 
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2.  DEORBIT  DECISION:  GROUND  AND  INTEGRATED  NETWORK 

EQUIPMENT  FUNCTIONALITY  AND  SCHEDULING  MUST  PROVIDE  AIR 
TO  GROUND  VOICE,  COMMAND,  TELEMETRY,  AND  TRAJECTORY 
PROCESSING  FROM  THE  MCC  GO  FOR  DEORBIT  TO  POST  LANDING. 
REDUNDANCY  FOR  MANDATORY  FUNCTIONS  IS  HIGHLY  DESIRABLE 
BUT  NOT  REQUIRED.  ©[062702-5502C] 

UHF  TWO-WAY  VOICE  IS  HIGHLY  DESIRABLE  DURING  ENTRY  TO  KSC 
OR  DFRC  WHEN  IN  RANGE  OF  THE  GROUND  STATION  AS  A  BACKUP 
TO  S-BAND  VOICE.  S-BAND  VOICE  IS  MANDATORY  AS  DESCRIBED 
ABOVE . 


Monitoring  vehicle  systems,  energy  management,  anomaly  resolution,  and  landing  site  evaluation  from 
touchdown  parameters  to  weather  conditions  is  the  primary  job  of  the  MCC  du  ring  shu  ttle  entry. 

3.  TRAJECTORY  PROCESSING  SUPPORT  FOR  ENTRY: 

IF  ALL  OF  THE  CAPABILITIES  LISTED  BELOW  ARE  EXPECTED  TO 
BE  AVAILABLE  PRIOR  TO  DEORBIT  TIG,  C-BAND  TRACKING  IS  NOT 
MANDATORY.  S-BAND  TRACKING  IS  HIGHLY  DESIRABLE  IN  THE 
ABSENCE  OF  C-BAND  TRACKING.  IF  DURING  THE  MISSION  ANY  OF 
THE  FOLLOWING  CAPABILITIES  ARE  LOST,  EOM  DUAL  TRACKING 
CAPABILITY  BECOMES  MANDATORY  FOR  COMMIT  TO  DEORBIT: 

a.  IMU'S:  FULL  REDUNDANCY  (THREE  LRU'S  AND  ASSOCIATED 
DPS  AND  EPS  FUNCTIONALITY) . 

b.  ONBOARD  TACAN:  AT  LEAST  TWO-FAULT  TOLERANCE  IN  THE 
TACAN/GPS  SYSTEM  AND  ASSOCIATED  DPS  AND  EPS 
FUNCTIONALITY)  (REF.  RULE  {A8-115},  GPS  SYSTEM 
MANAGEMENT).  @[092602-5641] 

C.  ONBOARD  MLS:  FULL  REDUNDANCY  (THREE  LRU'S  AND 

ASSOCIATED  DPS  AND  EPS  FUNCTIONALITY)  REQUIRED  IF 
MLS  IS  REQUIRED  FOR  LANDING  (REF.  RULE  {A3-202}, 

MLS).  ®[062702-5502C]  @[092602-5641] 
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d.  GROUND  TACAN  STATIONS:  TWO  STATIONS  AVAILABLE  AND 
CONFIRMED  OPERATIONAL  WITHIN  SPECIFICATIONS  (REF. 
RULE  { A8-52B }  .  2 ,  SENSOR  FAILURES),  OR  ONE  STATION 
AVAILABLE  AND  CONFIRMED  OPERATIONAL  WITHIN 


SPECIFICATIONS 
FAILURES)  WITH 
RULE  { A8-115 } , 
SPECIFICATIONS 
VOL  X,  BOOK  3, 

@[092602-5641  ] 


(REF.  RULE  { A8-52B} . 2 ,  SENSOR 
A  GPS  LRU  FUNCTIONING  PROPERLY  (REF 
GPS  SYSTEM  MANAGEMENT).  FAA/USAF 
ARE  NOT  ADEQUATE  (REF.  NSTS  07700, 
PARAGRAPH  1 . 3 . 1  .  1  .  1 )  .  ©[062702-5502C] 


In  order  to  maximize  launch  probability  by  alleviating  C-Bcmd  tracking  data  scheduling  conflicts  with 
the  Eastern  Range  Operations  Control  Center  (ROCC),  the  mandatory  requirement  for  scheduling  dual 
source  high  speed  tracking  for  EOM  is  eliminated ,  provided  that  sufficien  t  redundancy  is  available 
(TACAN/GPS  and  IMU)  to  correct  the  navigation  state  prior  to  violation  of  entry  guidance  limits.  If 
sufficient  redundancy  is  lost  during  the  mission,  dual  source  high-speed  tracking  becomes  mandatory 
for  commit  to  deorbit.  The  TSU  trajectory  processor  Kalman  filter  cannot  meet  ground  accuracy 
requirements  with  only  one  source  of  tracking  data.  The  filter  requires  at  least  two  sources.  The  100k 
feet  altitude  constraint  was  chosen  to  allow  sufficient  time  to  assess  the  vehicle  energy  conditions  and  to 
update  onboard  navigation  state  (after  nominal  TACAN  acquisition )  in  order  to  correct  a  violation  of 
delta  state  limits.  This  requirement  also  allows  time  to  GCA  to  within  guidance  limits  prior  to  TAEM. 
©[062702-5502C] 

With  three  functioning  IMU’s  and  the  associated  DPS/EPS  equipment,  the  first  failure  is  fully  protected 
by  redundancy  management.  When  two  IMU’s  are  available,  95  percent  of  the  cases  in  volving  the 
second  failure  are  properly  resolved  by  the  IMU  RM  which  uses  the  IMU  BITE  logic. 


With  three  functioning  onboard  TACAN  transceivers  and  their  associated  DPS  equipmen  t,  the  first 
failure  is  fully  protected  by  redundancy  management.  When  two  TACAN’s  are  available,  90  percent  of 
the  cases  involving  the  second  failure  are  covered  with  TACAN  self -test.  GPS  provides  additional 
redundancy  to  the  onboard  TACAN  transceivers  (particularly  at  the  TACAN  1-LRU  level)  assuming  that 
the  conditions  in  Rule  {A8-115},  GPS  SYSTEM  MANAGEMENT,  are  satisfied.  @[092602-5641  ] 

With  three  functioning  onboard  MLS  transceivers  and  their  associated  DPS  equipment,  the  first  failure 
is  fully  protected  by  redundancy  management.  When  two  MLS’s  are  available,  a  dilemma  between  the 
LRU’s  will  remain  unresolved  unless  a  BITE  had  been  previously  set  against  one  of  the  LRU’s.  If  the 
dilemma  is  unresolved,  MLS  may  not  process  at  all  (for  range/azimuth  dilemmas)  or  only  partially 
process  (for  elevation  dilemmas).  For  days  when  MLS  is  required,  as  defined  in  Rule  {A3 -202},  MLS, 
ground  tracking  is  required  to  resolve  dilemmas  in  order  to  make  the  MLS  useable.  Reference  Rule 
{A8-18A},  LANDING  SYSTEMS  REQUIREMENTS.  ©[062702-5502C]  @[092602-5641  ] 
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To  ensure  that  valid  TACAN  data  are  available,  both  primary  and  secondary  ground  stations  must  be 
confirmed  to  be  within  programmatically  required  limits  (NASA  operational  requirements  of  1  deg  and 
0.3  mile  per  Rule  {A8-52BJ.2,  SENSOR  FAILURES,  rather  than  FAA/DOD  certification  (2.5  deg  and  0.5 
mile  per  NSTS  07700,  Vol  X  specification) ).  With  the  pre-deorbit  ground  station  checks,  full  single  fault 
tolerance  exists.  If  both  the  primary  and  the  secondary  ground  station  were  to  fail  after  deorbit,  the 
MCC  can  uplink  another  TACAN  station.  ®[062702-5502C]  @[092602-5641  ] 

If  GPS  is  functioning  properly  (ref.  Rule  { A8-115 j,  GPS  SYSTEM  MANAGEMENT),  then  the  following 
failures  will  result  in  requiring  high  speed  tracking  for  EOM 

a.  Any  failure  in  either  the  onboard  IMU’s  or  MLS  LRU’s. 

b.  Loss  of  two-fault  tolerance  in  the  GPS/TACAN  system. 

c.  No  TACAN  ground  stations  available. 

If  GPS  is  NOT  functioning  properly  (ref.  Rule  (A8-115J,  GPS  SYSTEM  MANAGEMENT),  then  the 
following  failures  will  result  in  requiring  high  speed  tracking  for  EOM: 

a.  Any  failure  in  either  the  onboard  IMU’s,  TACAN’ s,  or  MLS  LRU’s. 

b.  Only  1  TACAN  ground  station  available.  @[092602-5641  ] 

S-band  data  is  highly  desired  because  it  may  provide  insight  in  the  case  of  a  TACAN  bias,  although  it 
cannot  by  itself  be  used  as  a  source  of  “ground  truth.  ” 

In  relaxing  the  tracking  data  requirement  from  mandatory  to  highly  desirable,  it  is  understood  and 
acknowledged  to  be  an  acceptable  risk  to  rely  totally  on  TACAN  and  GPS  as  required  to  achieve  a  safe 
landing.  If  the  normal  ceiling  limit  exists,  arid  TACAN  data  is  not  processed  by  navigation,  and  no 
independent  valid  tracking  data  are  present,  the  vehicle  is  unlikely  to  achieve  the  runway  unless  GPS  is 
incorporated.  @[092602-5641  ] 

4.  POST  LANDING:  GROUND  EQUIPMENT  WILL  PROVIDE  FOR  AIR  TO 
GROUND  VOICE,  COMMAND,  AND  TELEMETRY  FROM  LANDING  UNTIL 
VEHICLE  HANDOVER  TO  GOM .  REDUNDANCY  IS  NOT  REQUIRED. 
©[062702-5502C] 
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MCC  INSTRUMENTATION  PRELAUNCH  REQUIREMENTS 

A3- 51  TRAJECTORY  PROCESSING  REQUIREMENTS  ®[061 396-4005A]  ©[022802- 

Si  98] 

A.  HIGH-SPEED  TRAJECTORY  DETERMINATION: 

1.  HIGH  SPEED  S-BAND  -  HIGHLY  DESIRABLE  FOR  LAUNCH  AND 
LANDING  @[061297-6004] 

2.  HIGH  SPEED  C-BAND  -  HIGHLY  DESIRABLE  FOR  LAUNCH  AND 
LANDING 

3.  KALMAN  FILTER  PROCESSING  -  HIGHLY  DESIRABLE  FOR  LAUNCH 
AND  LANDING  @[061297-6004] 

B.  ARD/AME  PROCESSING  -  MANDATORY  FOR  LAUNCH  @[022802-5198] 

C.  EPHEMERI S  MAINTENANCE  PROCESSING  -  MANDATORY 

D.  ORBIT  DETERMINATION  PROCESSING: 

1 .  LOW  SPEED  TRACKING  DATA  -  MANDATORY 

2.  BATCH  RADAR  PROCESSING  -  MANDATORY 
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A3— 51  TRAJECTORY  PROCESSING  REQUIREMENTS  (CONTINUED) 

E.  DEORBIT  PLANNING  PROCESSING  -  MANDATORY 

F.  ENTRY  PROFILE  PROCESSING  -  MANDATORY 

G.  COMMAND /TRAJECTORY  INTERFACE  PROCESSING  -  MANDATORY 

H.  TRAJECTORY/TELEMETRY  AND  TELEMETRY/ TRAJECTORY  INTERFACE 
PROCESSING  -  MANDATORY 

I.  HIGH  SPEED  ENTRY  RGO  AND  TAEM  PROCESSING  -  MANDATORY  FOR 
LAUNCH  AND  LANDING  @[022802-5198] 

J.  RENDEZVOUS  TARGETING  PROCESSING  -  MANDATORY  FOR  RENDEZVOUS 
FLIGHT  @[061 396-4005A] 

K.  LAUNCH  WINDOW/LAUNCH  TARGETING  PROCESSING  -  MANDATORY  UNTIL 
THE  LAUNCH  TARGET  COMMANDS  HAVE  BEEN  GENERATED.  THIS  ONLY 
APPLIES  TO  GROUND-UP  RENDEZVOUS  AND  INERT IALLY  TARGETED 
FLIGHTS.  ®[061396-4005A] 

All  mandatory  trajectory  processing  is  required  to  be  operational  prior  to  launch,  including  support 

processors  as  well.  Any  loss  of  trajectory  processing  will  be  assessed  in  reed  time  in  order  to  determine 

applicability  of  the  lost  capability  to  the  flight  at  hand. 

L.  DOLILU  STRUCTURAL  LOADS  AND  TRAJECTORY  ANALYSIS  TOOLS  - 
MANDATORY  UNTIL  THE  DOLILU  I-LOAD  HAS  BEEN  TRANSFERRED  INTO 
THE  MCC  COMMAND  SYSTEM;  THEREAFTER,  HIGHLY  DESIRABLE  (REF. 
RULE  {  A4  -4  }  ,  DOLILU  OPERATIONS).  ©[091098-6622C] 


DOLILU  and  Loads  assessments  are  nominally  run  concurrently  by  JSC  and  USA/Systems  Integration. 
In  the  event  that  JSC  fails  to  complete  analysis  after  the  MCC  I-locid  transfer,  USA/Systems  Integration 
becomes  prime  for  providing  the  remaining  prelaunch  assessments.  This  contingency  condition  is 
considered  acceptable  to  proceed  based  on  the  joint  system  checkouts  that  have  occurred  (L-3  week,  L-2 
day,  and  completed  launch  day  verifications).  @[091 098-6622C] 

M.  DESCENT  DESIGN  SYSTEM  (DDS )  -  MANDATORY  ©[061396-4005A]  @[022802-5198] 
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A3-52  MCC  INTERNAL  VOICE 

LOSS  OF  INTERNAL  VOICE  LOOPS  FD,  A/G  1,  OIS  232  AND  FLIGHT 
CONTROL  OFFICER  (FCO) ,  WOULD  NOT  CAUSE  A  LAUNCH  HOLD  BECAUSE  OF 
SUFFICIENT  AVAILABLE  WORKAROUNDS: 

A.  MCC  FLIGHT  CONTROL  TEAM  COORDINATION  CAPABILITY  -  ONE  OF 
THREE  MANDATORY: 


1 . 

FD 

2  . 

AFD 

CONF 

3. 

LOOP 

CONFERENCING 

One  common  voice  loop  between  all  MCC  flight  control  team  members  is  required  for  expedient 
communication  of  system  conditions/anomalies. 

B.  A/G  TALK  CAPABILITY  -  TWO  OF  FOUR  MANDATORY: 


1  . 

A/G 

1 

2  . 

A/G 

2 

3. 

A/G 

UHF 

4  . 

OTHER  LOOP  WITH  KEYING  CAPABILITY 

Two  MCC  voice  loops  with  keying  capability  are  required  to  provide  continuous  S-band  A/G  and  UHF 
A/G  (ref  Rule  {A3-lA}.l.d,  GROUND  AND  NETWORK  DEFINITIONS).  ®[ED  ] 

C.  COMMUNICATIONS  INTERFACE  WITH  LAUNCH  TEST  DIRECTORS  -  ONE  OF 
FOUR  MANDATORY: 


1  . 

OIS  131 

2  . 

OIS  232 

3. 

FD  (EXTENDED  TO  LAUNCH 

SITE) 

4  . 

OTHER  LOOP  PATCHING  TO 

LAUNCH  SITE 

One  MCC  voice  loop  (extended  to  launch  site  long  lines )  is  required  to  call  an  MCC-initiated  countdown 
hold. 
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A3-52  MCC  INTERNAL  VOICE  (CONTINUED) 

D.  COMMUNICATIONS  INTERFACE  WITH  FCO  -  TWO  OF  FOUR  MANDATORY: 
@[101096-4550] 

1.  FCO  PVT  LINE 

2.  FD  (EXTENDED  TO  FCO) 

3.  FCO  PRIME 

4.  OTHER  LOOP  PATCHING  TO  FCO  LONG  LINE 

A  minimum  of  two  MCC  voice  loops,  extended  to  the  Eastern  Range  45th  Space  Wing,  are  required 
for  FD  and  FDO  voice  communication  with  the  FCO.  Removed  of  the  FT  Range  Safety  Flight 
Termination  System  resulted  in  additional  flightcrew  responsibility  as  agents  of  the  45th  Space 
Wing  Commander  for  public  safety  during  second  stage  flight,  with  crew-initiated  manual  MECO 
replacing  range  safety  command  destruct  capability.  Redundant  FCO/MCC  communications  is 
therefore  mandatory  to  provide  the  interaction  and  situational  awareness  necessary  to  implement 
this  requirement.  ®[1 01 096-4550  ] 

Rules  {A3 -15 1C}  and  D,  MCC/KSC/45  SPW  INTERFACE,  reference  this  rule. 

E.  COMMUNICATIONS  CAPABILITY  WITH  REQUIRED  ASCENT  ABORT  SITES  - 

1  OF  3  MANDATORY:  ®[1 11094-1 71 6A]  ®[ED  ] 

1.  LONGLINE  ( LFP 1 ) 

2  .  INMARSAT 

3.  COMMERCIAL  TELEPHONE 

Prelaunch,  the  MCC  must  be  able  to  communicate  with  the  required  ascent  abort  landing  sites  (ref. 

Rule  { A2-2},  ABORT  LANDING  SITE  REQUIREMENTS ).  This  insures  that  there  has  not  been  a 
change  in  weather  or  nav/lcmding  aid  status.  It  also  insures  that  anomalies  can  be  passed  to  the 
ground  support  team  and  that  the  runway  and  airspace  are  clear  for  a  safe  landing.  This  can  be 
accomplished  by  insuring  that  at  least  one  of  the  communications  capabilities  listed  above  are 
available.  ®[111094-1716A] 

®[051 697-6008A] 
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A3-53  MCC  POWER 

A.  BUILDING  3  0M  POWER  BUSES  ®[061 396  4006A] 

BUS  Al,  A2,  Bl,  B2  -  THREE  OF  FOUR  MANDATORY. 

All  mandatory  MCC  equipment  can  be  configured  to  operate  on  any  three  of  the  four  power  buses. 
Equipment  which  cannot  tolerate  a  20-second  power  outage  is  configured  on  bus  Al  or  A2.  These 
buses  are  supported  with  online  UPS  (uninterrupted  power  supply)  (critical  A  power )  during  ascent. 
Equipment  which  can  tolerate  a  20-second  power  outage  is  configured  on  bus  Bl  or  B2.  These  buses 
are  supported  with  backup  offline  (20-second  startup)  diesel  generators  (critical  B  power)  during 
ascent.  ®[061 396  4006A] 

B.  BUILDING  30S  POWER  BUSES 

1.  POWER  BUSES  AX1 ,  AX 2  -  ONE  OF  TWO  MANDATORY. 

(SEE  NOTE  #1) 

NOTE  #1:  IF  ONLY  ONE  POWER  BUS  IS  AVAILABLE,  IT  MUST  HAVE 
A  NON-INTERRUPTIBLE  POWER  SUPPLY  (EITHER  UPS  OR  A 
RUNNING  DIESEL)  FEED. 


2  . 

POWER 

BUSES 

BX1 , 

BX2 

-  ONE 

OF 

TWO 

MANDATORY . 

3. 

POWER 

BUSES 

CXI, 

CX2 

-  ONE 

OF 

TWO 

MANDATORY 

(SEE  NOTE  #2) 


NOTE  #2:  MANDATORY  FOR  FLIGHTS  WITH  POCC  WORKSTATION 

REQUIREMENTS  ONLY;  SEE  THE  FLIGHT  SPECIFIC  ANNEX. 

®[061 396-4006B] 

All  equipment  on  the  A  and  B  buses  can  be  configured  entirely  onto  either  single  bus,  with  each  capable 
of  carrying  the  en  tire  load.  The  AX1  and  AX2  buses  are  supported  with  UPS  (un  in  terrupted  power 
supply).  The  BX1  and  BX2  buses  are  backed  up  with  diesels  (20-second  startup). 

The  AX  buses  provide  power  for  most  mandatory  technical  equipment  and  emergency  lighting  in  the 
MCC.  The  BX  buses  provide  power  to  IPS  system,  utility  outlets,  AX1  and  AX2  uninterruptible  power 
supplies,  and  back-up  power  feed  to  the  AX  buses  in  case  of  a  UPS  failure.  The  CX  buses  provide  power 
to  the  third  floor  POCC  consoles. 

THIS  RULE  CONTINUED  ON  NEXT  PAGE 
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A3-53  MCC  POWER  (CONTINUED) 

C.  BUILDING  3  OS  AIR  HANDLERS  ©[061396-4006A] 

1 .  SOFT  AIR  HANDLERS  -  ONE  OF  THREE  MANDATORY 

2 .  HARD  AIR  HANDLERS  -  ONE  OF  THREE  MANDATORY 

The  hard  air  handlers  provide  cooling  to  the  FCR,  SVO,  GOSR,  CDE  and  fifth  floor  areas  of  building 
30S.  The  soft  air  handlers  provide  cooling  to  all  other  areas  not  supplied  by  hard  air  handlers.  One  of 
each  type  air  handler  is  required  to  adequately  provide  cooling  for  mission  essential  hardware  and 
personnel.  ®[061 396  4006A] 

A3-54  THROUGH  A3-100  RULES  ARE  RESERVED 
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45  SPW/GSFC/STDN  PRELAUNCH  REQUIREMENTS 


A3-101  GSFC 

A.  MESSAGE  SWITCHES  -  ONE  OF  TWO  MANDATORY  @[121593-1582] 

These  computers  route  mandatory  telemetry,  command,  tracking  and  configuration  data  between  MCC 
and  tracking  stations.  Each  message  switcher  can  handle  the  total  traffic  rate. 

B.  NETWORK  CONTROL  CENTER  (NCC)  COMPUTERS  -  ONE  OF  TWO  MANDATORY 

®[1 21 593-1 582  ]  @[051 697-6008A] 

For  TDRSS  to  support  TAL  aborts,  acquisition  data  must  be  generated  and  sent  to  WSGT for  TDRS 
pointing.  The  NCC  computers  and  associated  equipment  manage  this  acquisition  message  data  for 
forwarding  to  WSGT. 
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A3-102 


INTEGRATED  NETWORK  FAILURE  DECISION  MATRIX 


ASCENT  AND  INTACT  ABORT  LANDINGS  AT  KSC 

SITE 

STATIO 

N  ID 

TYPE 

RQMNT 

ASCENT/RTLS 

TAL 

(POST 
LAUNCH) 
KSC  AOA  & 

1  ST  DAY  PLS 

28.5  INC 

HIGHER 

INC 

JONATHAN 
DICKINSON  MISSILE 
TRACKING  ANNEX 
(JDMTA) 

JDIS 

S-BD 

TLM 

D/L  VOICE 

1  OF  2  M 

1  OF  2  M 

PONCE  DE 

LEON 

PDL 

S-BD  14 

CMD 

U/L  VOICE 

1  OF  2  HD 
[1] 

1  OF  2  M 
[2] 

FIXED 

DIPOLE 

UHF 

VOICE 

MILA 

MILS 

S-BD  30-1 

CMD 

TLM 

VOICE 

1  OF2M 

1  OF2M 

1  OF  2  HD 

MLXS 

S-BD  30-2 

TELTRAC 

UHF 

VOICE 

1  OF  2  M 

1  OF  2  M 

1  OF  2  HD 

QUAD 

HELIX 

TDRSS 

WSC 

S-BD 

CMD 

TLM 

VOICE 

M  [3] 

M  [3] 

M 

M  [6] 

TRK 

HD 

HD 

M  [5] 

WALLOPS 

WLPS 

S-BD  30 

CMD 

TLM 

VOICE 

HD 

QUAD 

HELIX 

UHF 

VOICE 

1  OF  1  HD 

MERRITT 

ISLAND 

MLAC 

MLMC 

FPQ-14 

MCB-17 

RADAR  TRK 

2  OF 7HD 

2  OF  7  HD 

NOT 

SCHEDULED 

ACCEPT 

BEST 

EFFORT 

CALLUP 

PATRICK 

PATC 

FPQ-14 

RADAR  TRK 

CANAVERAL 

CNVC 

CMTC 

FPS-16 

MOTR 

RADAR  TRK 

JONATHAN 

DICKINSON 

JDIC 

FPQ-14 

RADAR  TRK 

MILA 

MILS 

OR 

MLXS 

S-BD 

RANGING 

TRK 

WALLOPS 

WLPC 

WLRC 

WLIC 

WLMC 

FPQ-6 

FPS-16 

FPS-16 

RIR-778 

RADAR  TRK 

2  OF  4  HD 
[4] 

@[072795-1722]  ®[ED 


@[121 296-41 77D] 


072398-6565A]  @[021 199-6817  ]  @[070899-6882  ]  ©[062702-5502C] 
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A3-102  INTEGRATED  NETWORK  FAILURE  DECISION  MATRIX 

(CONTINUED) 


|  INTACT  ABORT  LANDINGS  AT  EDWARDS  OR  NORTHRUP  STRIP  | 

SITE 

STATION  ID 

TYPE 

RQMNT 

(POST 

LAUNCH) 

EDW 

AOA  &  1  ST 
DAY  PLS 

(POST 

LAUNCH) 

NOR 

AOA  &  1  ST 
DAY  PLS 

ATF1 

S-BD-21 

TLM 

1  OF  2  HD 

DRYDEN 

ATF2 

CMD 

VOICE 

PARABOLIC 

DISH 

UHF 

VOICE 

1  OF  3  HD 

CMD 

TDRSS 

WSC 

S-BD 

TLM 

VOICE 

TRK 

M  [5],  [6] 

M  [5],  [6] 

NORTHRUP 

STRIP 

SAL 

UHF  OMNI 

NORTHRUP 

STRIP 

UHF  OMNI 

VOICE 

2  OF  2  HD  [9] 

PT.  PILLAR 

PPMC 

MPS-36 

RADAR  TRK 

PTPC 

FPQ-6 

VDHC 

FPQ-14 

VANDENBURG 

VDBC 

TPQ-18 

RADAR  TRK 

NOT 

VDSC 

FPS-16 

SCHEDULED 
ACCEPT  BEST 

VDMC 

MOTR 

EFFORT 

CALLUP 

FRCC 

RIR-716 

[10] 

EDWARDS/ 

FDRC 

RIR-716 

RADAR  TRK 

DRYDEN 

FRFC 

FPS-16 

EFFC 

FPS-16 

HOLC 

FPS-16 

NOT 

WHITE  SANDS 
MISSILE  RANGE 

WHSC 

FPS-16 

RADAR  TRK 

SCHEDULED 
ACCEPT  BEST 
EFFORT 

WSSC 

FPS-16 

WSMC 

MOTR 

CALLUP 

@[072795-1722]  @[061396-3198]  ©[072398-6565A]  ©[062702-5502C] 
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A3-102  INTEGRATED  NETWORK  FAILURE  DECISION  MATRIX 

(CONTINUED) 


END  OF  MISSION  -  2ND  DAY  PLS  THROUGH  NOMINAL  EOM 


SITE 

STATION  ID 

TYPE 

RQMT 

KSC 

EDWARDS 

NORTHRUP 

STRIP 

TDRSS 

WEST 

S-BD 

TLM 

CMD 

VOICE 

M 

M 

M 

EAST 

M 

ANY 

TRK 

M 

M 

M 

MILA 

RANGING 

TRK 

HD 

MILS 

S-BD  30-1 

TLM 

CMD 

VOICE 

1  OF  2  HD 
[7] 

MLXS 

S-BD  30-2 

TELTRAC 

UHF 

VOICE 

1  OF  2  HD 

QUAD  HELIX 

MERRITT 

ISLAND 

MLAC 

FPQ-14 

RADAR 

TRK 

2  OF  5  HD 

MLMC 

MCB-17 

PATRICK 

PATC 

FPQ-14 

CANAVERAL 

CNVC 

FPS-16 

CMTC 

MOTR 

DRYDEN 

ATF1 

S-BD  12 

TLM 

CMD 

VOICE 

1  OF  2  HD  [8] 

ATF2 

PARABOLIC 

DISH 

UHF 

VOICE 

1  OF  3  HD 

PT.  PILLAR 

PPMC 

MPS-36 

RADAR 

TRK 

ANY  2 
RADARS 
FROM 

PT.  PILLAR 
VANDENBURG 
EDWARDS 

OR 

DRYDEN 

HD 

[10] 

PTPC 

FPQ-6 

VANDENBURG 

VDHC 

FPQ-14 

RADAR 

TRK 

VDBC 

TPQ-18 

VDSC 

FPS-16 

VDMC 

MOTR 

EDWARDS/ 

DRYDEN 

FRCC 

RIR-716 

RADAR 

TRK 

FDRC 

RIR-716 

FRFC 

FPS-16 

EFFC 

FPS-16 

NORTHRUP 

STRIP 

SAL 

UHF 

VOICE 

2  OF  2  HD  [9] 

NORTHRUP 

STRIP 

UHF  OMNI 

WHITE  SANDS 
MISSILE  RANGE 

HOLC 

FPS-16 

RADAR 

TRK 

2  OF  4  HD 

WHSC 

FPS-16 

WSSC 

FPS-16 

WSMC 

MOTR 

®[1 


21593-1590]  @[072795-1772]  @[121 296-41 77D]  ®[ 


072398-6565A]  ©[062702-5502C] 
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A3-102  INTEGRATED  NETWORK  FAILURE  DECISION  MATRIX 

(CONTINUED) 


NOTES: 

[1]  FOR  MISSIONS  WITH  AN  INCLINATION  OF  28.5  DEG,  PDL  S-BAND  AND  UHF  UPLINK  IS  HIGHLY  DESIRABLE. 
©[062702-5502C] 

[2]  FOR  MISSIONS  WITH  AN  INCLINATION  GREATER  THAN  28.5  DEG,  PDL  CMD  OR  UHF  UPLINK  IS  REQUIRED  SINCE 
MIL  UHF  IS  BLOCKED  BY  THE  SRB  PLUME. 

[3]  ANY  TDRS  EAST  IS  MANDATORY. 

[4]  WLPC  AND  WLRC  ARE  SCHEDULED  FOR  ALL  MISSIONS  GREATER  THAN  28.5  DEG.  WLIC  OR  WLMC  ONLY 
SCHEDULED  FOR  57-DEG  MISSIONS  OR  WHEN  WLPC  OR  WLRC  ARE  UNAVAILABLE. 

[5]  ONE  TDRS  REQUIRED  TO  ENSURE  PRE-BURN  STATE  VECTOR  ACCURACY  FOR  1ST  DAY  PLS  DEORBIT  IF 
ONBOARD  GPS  IS  FAILED. 

[6]  ANY  TDRS  WEST  IS  MANDATORY  FOR  AOA  AND  1ST  DAY  PLS. 

[7]  ANY  TDRS  EAST  OR  MILA  IS  MANDATORY  TO  COVER  THE  LAST  PHASE  OF  KSC  LANDING  AND  POST  LANDING 
SUPPORT  UNTIL  VEHICLE  IS  HANDED  OVER  TO  GOM. 

[8]  ANY  TDRS  WEST  OR  DFRC  IS  MANDATORY  TO  COVER  THE  LAST  PHASE  OF  EDW  LANDING  AND  POST  LANDING 
SUPPORT  UNTIL  VEHICLE  IS  HANDED  OVER  TO  GOM. 

[9]  FOR  A  LANDING  AT  NORTHRUP  STRIP  (WSSH),  THE  UHF  SYSTEMS  DO  NOT  PROVIDE  REDUNDANT  COVERAGE 
FROM  AOS  THROUGH  WHEELSTOP,  SO  BOTH  SYSTEMS  ARE  REQUIRED. 

[1 0]  POINT  PILLAR  RADAR  MAY  BE  SCHEDULED  IN  PLACE  OF  VANDENBURG  RADAR  WHEN  EXPECTED  MAXIMUM 
ELEVATION  IS  GREATER  THAN  5  DEGREES.  ©[062702-5502C] 
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A3-103 


CRITICAL  LAUNCH  SYSTEMS  RECOVERY  TIMES 


SYSTEM 

SERVICE 

DESCRIPTION  OF 
EQUIPMENT 

QUANTITY  OF 
EQUIPMENT 
REQUIRED/ 
SCHEDULED/ 
TOTAL 

AVERAGE 

SELECTOVER 

TIME 

(AUTO  OR 
MAN) 

AVERAGE 

TIME  TO 
RESTORE 
REDUNDANCY 
FOLLOWING 
REPAIR 

CCF 

CMD  &  A/G  VOICE 

FEP  -  UPLINK 

1  OF  2/3 

30  SEC  (M) 

10  MIN 

FEP  RESTORI 

CONSOLIDATED 

TLM  &  A/G  VOICE 

FEP  -  DOWNLINK/ 

1  OF  2/3 

30  SEC  (M) 

10  MIN 

AND  REBOOT 

COMMUNICATION 

REALTIME 

CONSISTS  OF 

FACILITY 

TRK  DATA 

FEP-GROUND-TO- 

1  OF  2/2 

20  SEC  (M) 

10  MIN 

GROUND 

ALL 

CDSS 

BUILT  IN 

N/A 

BUILT  IN 

CDSS  CRITIC/ 

PROCESSES  AND 

REDUNDANCY 

REDUNDANCY 

ROUTING.  RE 

ROUTES  ALL 

ALL 

NASCOM  IP 

1  OF  2/2 

30  SEC  (M) 

15  MIN 

LAUNCH. 

DATA  COMING  IN 

EQUIP. 

AND  OUT  OF  THE 

MCC 

ALL 

NASCOM  IP 

MULTIPLE 

1  SEC  (A) 

SEE  NOTE  1 

NOTE  1  -  30  M 

CIRCUITS 

REPAIR  FOR  E 

SERVICE  MAY 

UPLINKS. 

MDM 

1  OF  2/2 

30  SEC  (M) 

10  MIN 

DOWNLINK 

GIGASWITCH 

1  OF  2/2 

30  SEC  (A) 

REBOOT  1  MIN 

TLM  8.  CMD  LAN  l/F 

CEM  (CCF 

1  OF  2/2 

4  MIN  (M) 

REBOOT  6  MIN 

FAILURE  OF  C 

ELEMENT 

AND  CONTRO 

MANAGER) 

CONFIGURAT 

VOICE 

S-BAND  A/G  VOICE 

AGVE 

1  OF  2/3 

5  SEC  (M) 

HARDWARE 

ASSUMES  ALL 

ALL  VOICE 

REPAIR 

COMMUNICATION 

UHF  A/G  VOICE 

UHF 

1  OF  2 

1  MIN  (M) 

S  IN/OUT  OF  MCC 

ALL  VOICE 

DVIS 

BUILT  IN 

BUILT  IN 

HARDWARE 

REDUNDANCY 

REDUNDANCY 

REPAIR 

BUILT  IN 

DVIS  CPU  FAII 

REDUNDANCY 

AND  RECONF 

LAUNCH. 

©[062702-5502C] 
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A3-103  CRITICAL  LAUNCH  SYSTEMS  RECOVERY  TIMES  (CONTINUED) 


SYSTEM 

SERVICE 

DESCRIPTION  OF 
EQUIPMENT 

QUANTITY 

OF 

EQUIPMENT 

REQUIRED/ 

SCHEDULED/ 

TOTAL 

AVERAGE 

SELECTOVER 

TIME 

(AUTO  OR 
MAN) 

AVERAGE 

TIME  TO 
RESTORE 
REDUNDANCY 
FOLLOWING 
REPAIR 

LANS 

DATA 

COMMUNICATION 
TRANSFER  FOR 
W/S’S 

BRIDGES 

CONCENTRATORS 

1  OF  2/2 

1  OF  2/2 

30  SEC  (A) 

1  SEC  (A) 

REBOOT:  1  MIN 

REBOOT:  1  MIN 

BRIDGES  AUT 

WS’S  FAILOV1 
IMMEDIATELY 
CARD  FAILUR 
TOTAL  LAN  SI 
LOW,  1  IN  200 
LESS  THAN  1 

TRAJECTORY 
SERVER 
-  PROVIDES 
TRAJECTORY 
PROCESSING 

TRAJECTORY 

PROCESSING 

TRAJECTORY 

SERVER 

-  HARDWARE/OS 
TRAJECTORY 
SOFTWARE 
APPLICATION - 
SOFTWARE 

1  OF  2/3 

1  SEC  (M) 

REBOOT:  5  MIN 

TRAJECTORY 
REDUNDANC 
REBOOT  AND 
THE  FAILED  S 

PLATFORM 

SERVERS 

MCC  NETWORK 

USER  SERVICES 

CM  SERVERS - 

PLATFORM 

SERVICES 

1  OF  2/2 

45  SEC  (A) 

REBOOT:  25  MIN 

CM  SERVER  F 
SECONDS. 

CMD,  TRAJECTORY 
&  TLM  PROCESSING 
DELAYS 

HA  SERVERS 
(READ/WRITE) 

1  OF  1/2 

50  MIN  (A) 

REBOOT:  15  MIN 

SERVER  FAIL 
USERSERVIC 
MINUTES  FOF 

NETWORK 

REGISTRATION 

NAME  SERVERS 

(NETWORK 

SERVICES) 

1  OF  2/2 

1  MIN  (A) 

REBOOT:  5  MIN 

CLOCK  &  GROUP 
DISPLAYS 

VTS SERVER 

1  OF  2/4 

30  SEC  (A) 

REBOOT:  5  MIN 

©[062702-5502C] 
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A3-103  CRITICAL  LAUNCH  SYSTEMS  RECOVERY  TIMES  (CONTINUED) 


SYSTEM 

SERVICE 

DESCRIPTION  OF 
EQUIPMENT 

QUANTITY  OF 
EQUIPMENT 
REQUIRED/ 
SCHEDULED/ 
TOTAL 

AVERAGE 

SELECTOVER 

TIME 

(AUTO  OR 
MAN) 

AVERAGE 

TIME  TO 
RESTORE 
REDUNDANCY 
FOLLOWING 
REPAIR 

COMMAND 

COMMAND 

PROCESSING 

COMMAND 

SERVERS 

1  OF  1/5 

1  MIN  (A) 

REBOOT:  5  MIN 

FOLLOWING  1 
COMMAND  SE 
ESTIMATED  A 

W/S’S 

USER  l/F  DEVICE 

USER 

WORKSTATION 

DEC  ALPHA 
STATIONS 

MULTIPLE 

GO  TO  B/U 
POSITION  (M) 

REBOOT:  15  MIN 

RIS  DL:  30  MIN 

REPLACE  UNIT 

USER  REBOO 
RESTARTS  AC 
OPERATING  S 
REBOOT 

W/S  HARDWA 
REQUIRE  ~  1  1 

DOLILU 

DAY  OF  LAUNCH 
ILOAD  UPDATE 

DOLILU  PROCESSING 

IPS  W/S’S  &  FILE 
SERVERS, 

COMM  MUX,  FSH 
&  MOC, 

NASCOM  2000 

1  OF  2/2 

6  MIN  (M) 

6  MIN 

ILOAD  COMPL 

EQUIPMENT  AIR 
HANDLERS 

BUILDING  30S 

CRITICAL 

EQUIPMENT 

4  OF  6/6 

AUTOMATIC 

AIR  HANDLERS 

WITHOUT  COi 
DOWN  WITHII 

DVIS  UNDER  FLOOR 

DVIS  UNDER 

FLOOR 

1  OF  2/2 

AUTOMATIC 

HARDWARE 

REPAIR 

WITHOUT  COi 
SHUT  DOWN  ' 

DVIS  OVERHEAD 

DVIS  OVERHEAD 

1  OR  2/2 

AUTOMATIC 

HOURS 

SHUT  DOWN  1 
PERMANENT 

EQUIPMENT 

POWER 

CRITICAL 

EQUIPMENT 

BUILDING  30S  AX 
BUS 

1  OF  2/2 

AUTOMATIC 

AUTOMATIC 

AUTOMATIC  F 
BACKUP,  GEN 

CRITICAL 

EQUIPMENT 

BUILDING  30S  A 
BUS 

1  OF  2/2 

AUTOMATIC 

AUTOMATIC 

BLACK  STAR! 
POWER  IS  LO 

HIGHLY  DESIRABLE 

BUILDING  30S  BX 
BUS 

1  OF  2/2 

MANUAL 

30  MIN 

MANUAL  GEN 
TRANSFER  IF 

HIGHLY  DESIRABLE 

BUILDING  30S  B 
BUS 

1  OF  2/2 

MANUAL 

30  MIN 

LOST. 

®[062702-5502C] 


NOTE:  RECOVERY  TIMES  DO  NOT  INCLUDE  FAULT  ISOLATION,  HARDWARE,  AND  SOFTWARE  REPAIR  TIME.  ®[062702-5502C] 
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MCC  EXTERNAL  INTERFACE  (VOICE  DATA)  PRELAUNCH  REQUIREMENTS 


A3-151  MCC/KSC/45  SPW  INTERFACE 

A.  7.2-KB  LAUNCH /LANDING  RADAR  CIRCUIT  -  ONE  OF  TWO  HIGHLY 
DESIRABLE.  ®[061 297-6004  ] 

These  circuits  provide  launch/landing  C-band  tracking  data  from  45  SPW/CCC  to  the  MCC.  These  are 
redundant  circuits  providing  backup  capability;  each  one  capable  of  carrying  the  total  traffic.  @[061297-6004  ] 

B.  9.6  KB  WIND  DATA  CIRCUIT  -  ONE  OF  TWO  MANDATORY.  ®[ED  ] 

NOTE:  CHANGES  TO  HD  AFTER  STRUCTURAL  GO/NO-GO  DECISION  IS  MADE. 

®[ED  ] 

These  circuits  support  processing  of  ascent  structural  loads.  There  are  two  redundant  circuits  providing 
backup  capability;  each  one  capable  of  carrying  the  total  traffic. 

C.  9.6  KB  FCO  ABORT  SWITCH  INTERFACE  CIRCUITS  -  ONE  OF  TWO 
MANDATORY  @[101096-4551]  @[110900-3701] 

Removal  of  the  ET  Range  Safety  Flight  Termination  System  resulted  in  additional  flightcrew 
responsibility  as  agents  of  the  45th  Space  Wing  Commander  for  public  safety  during  second  stage  flight. 
During  this  timeframe,  crew-initiated  manual  MECO  replaces  range  safety  command  destruct  capability. 

One  of  the  elements  agreed  upon  to  satisfy  this  requirement  is  to  provide  the  FCO  with  the  ability  to 
illuminate  the  orbiter  cockpit  abort  light  via  pushbutton  as  an  independent  method  for  the  FCO  to 
communicate  a  manual  MECO  requirement  to  the  crew. 

The  Launch  Commit  Criteria  states  that  at  least  one  of  two  FCO  abort  light  command  paths  must  be 
available  until  T-10  seconds.  A  path  consists  of  one  abort  switch  circuit  connected  to  one  of  three  MCC 
workstations  (FD  WFCR-28,  FDO  WFCR-10,  and  SVO-9)  to  enable  FCO  abort  light  conmianding  through 
the  MCC  Command  System.  Ref.  Rule  {A3-2J,  GROUND  AND  NETWORK  OVERALL  PHILOSOPHY. 

The  two  external  FCO  abort  circuits  and  the  MCC-internal  lines  to  the  three  workstations  go  to  a  patch 
panel  to  allow  any  combination  of  one  abort  circuit  and  one  workstation  to  complete  an  FCO  abort  light 
path.  @[110900-3701]  ®[ED  ] 
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A3— 151  MCC/KSC/45  SPW  INTERFACE  (CONTINUED) 

D.  FCO  INTERFACES: 

1.  VOICE  INTERFACE  -  TWO  OF  FOUR  MANDATORY: 

a.  FDO/FCO  PRIVATE  LINE 

b.  FCO  PRIME  LOOP 
C.  FD  LOOP 

d.  OTHER  LOOP  PATCHING  TO  FCO  LONG  LINE 

2.  CONTROLLABILITY  VERIFICATION  -  TWO  OF  FIVE  MANDATORY: 

a.  45  SPW  RANGE  SAFETY  TELEMETRY  DISPLAY  SYSTEM  (RTDS ) 

b.  CONTROLLABILITY  LIGHT  (GNC  CONSOLE  TO  FCO) 

c.  FCO  PRIME  LOOP 

d.  FDO/FCO  PRIVATE  LINE 

e.  FD  LOOP 

During  second  stage  flight,  removal  of  the  ET  Range  Safety  Flight  Termination  System  resulted  in 
additional  flightcrew  responsibility  as  agents  of  the  45  th  Space  Wing  Commander  for  public  safety, 
with  crew-initiated  manual  MECO  replacing  range  safety  command  destruct  capability.  Redundant 
FCO/MCC  communications  are  therefore  mandatory  to  provide  the  interaction  and  situational 
awareness  necessary  to  implement  this  requirement.  <@[101096-4551  ] 

During  first  stage,  range  safety  mission  rules  outline  flight  termination  criteria  and  provide  the  FCO 
with  the  ability  to  determine  shuttle  controllability  status  in  the  event  of  complete  loss  of  communication 
with  MCC.  For  purposes  of  making  the  con  trollability  determination  ,  range  safety  launch  commit 
criteria  require  at  least  two  pathways  by  which  vehicle  control  status  may  be  confirmed.  The  available 
sources  include  the  items  listed  under  paragraph  D.2  of  this  rule.  <@[101096-4551  ] 
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A3— 151  MCC/KSC/45  SPW  INTERFACE  (CONTINUED) 

E.  KSC  TEST  DIRECTORS  VOICE  INTERFACE  -  ONE  OF  THREE  MANDATORY: 

1.  OIS  131 

2.  OIS  232/212 

3 .  FD 

NOTE:  OIS  232  IS  USED  PRIOR  TO  T  MINUS  20  MINUTES  AND  OIS  212 
IS  USED  AFTER  T  MINUS  20  MINUTES  AS  THE  PRIMARY  VOICE 
COMMAND  CHANNEL. 

Same  rationale  as  Rule  (A3 -52 },  MCC  INTERNAL  VOICE. 
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A3-152  GSFC/STDN  INTERFACE 

A.  SITE  TO  GSFC : 

1.  MIL/PDL  ONLY  224-KB  CIRCUIT  -  ONE  OF  TWO  MANDATORY. 

©[072398-6565A] 

One  of  two  redundant  circuits  is  required  to  support  mandatory  telemetry  from  MIL/PDL. 
Reference  Rule  { Ad-102  },  INTEGRATED  NETWORK  FAILURE  DECISION  MATRIX ,  for 
mandatory  site  requirements  and  Rules  { A3-lA}.l.b  and  (A3-1AJ.2,  GROUND  AND  NETWORK 
DEFINITIONS,  for  HDR/LDR  telemetry  requirements.  ®[ED  ] 

2.  MIL  9.6-KB  S-BAND  HIGH  SPEED  TRACKING  DATA  CIRCUIT  - 
HIGHLY  DESIRABLE.  ®[061 297-6004  ]  ®[072398-6565A] 


This  circuit  supports  high  speed  S-band  tracking  data  from  MIL. 

3.  22  4-KB  CIRCUITS:  ®[06i 396-31 98] 

DFRF  -  ONE  OF  ONE  MANDATORY .  ®[092398-6565A]  ®[ED  ] 

NOTE:  MANDATORY  ONLY  WHEN  THE  SITE  IS  THE  ONLY  SOURCE  FOR 

LANDING  TELEMETRY  (REF.  RULE  {A3-102},  INTEGRATED  NETWORK 
FAILURE  DECISION  MATRIX)  .  ®[ED  ] 

One  circuit  is  required  from  each  site  which  is  mandatory  for  telemetry. 

B.  GSFC  TO  SITE: 

1.  22  4-KB/ 5  6 -KB  VOICE/COMMAND  CIRCUITS,  MIL/PDL  ONLY  -  ONE 
OF  TWO  MANDATORY.  @[061396-3198]  ®[072398-6565A] 

The  prime  voice  command  circuit  from  GSFC  to  MIL/PDL  is  a  224-kb  line,  with  a  56-kb  circuit  as 
backup.  The  circuit  is  required  to  provide  uplink  command  and  voice. 

2.  UHF  ANALOG  A/G  VOICE  CIRCUITS:  @[061396-3198] 

MIL  -  ONE  MANDATORY 


MIL  is  the  only  site  which  UHF  A/G  and  S-band  A/G  are  both  mandatory  (ref.  Rule  (A3 -102}, 
INTEGRATED  NETWORK  FAILURE  DECISION  MATRIX).  The  UHF  A/G  must  be  sent  to  GSFC/STDN 
via  analog  circuits.  ©[072398-6565A]  ®[ED  ] 
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A3-152  GSFC/STDN  INTERFACE  (CONTINUED) 

3.  DFRF  22 4 -KB  COMMAND/VOICE  CIRCUIT  -  ONE  OF  TWO  MANDATORY. 

©[072398-6565A]  ®[ED  ] 

NOTE:  MANDATORY  ONLY  WHEN  DFRF  IS  THE  ONLY  SOURCE  FOR 

LANDING  COMMAND  OR  S-BAND  VOICE  (REF.  RULE  {A3-102}, 
INTEGRATED  NETWORK  FAILURE  DECISION  MATRIX)  .  ®[ED  ] 

This  circuit  provides  the  data  path  for  command  and  S-band  voice  from  GSFC  to  DFRF. 

4.  WLPS  224  -  KB  CIRCUIT  @[061396-3198]  ®[072398-6565A] 

WLPS  TLM/CMD/VOICE  MANDATORY  PER  RULE  {A3-102}, INTEGRATED 
NETWORK  FAILURE  DECISION  MATRIX.  @[121593-1579]  ®[ED  ] 

A3-153  45  SPW/VAFB  INTERFACE 

9.6-KB  LANDING  RADAR  CIRCUIT  -  ONE  OF  TWO  HIGHLY  DESIRABLE. 

@[061297-6004]  ®[ED  ] 

NOTE:  ONLY  USED  FOR  EDW  AOA/PLS .  ®[ED  ] 

This  circuit  supports  high  speed  tracking  data  from  the  west  coast  for  EDW  AOA/PLS.  @[061297-6004  ] 


A3-154  45  SPW/WSMR  INTERFACE 

2.4-KB  LANDING  RADAR  CIRCUIT  -  ONE  OF  TWO  HIGHLY  DESIRABLE. 

@[061297-6004]  ®[ED  ] 

NOTE:  ONLY  USED  FOR  NOR  AOA/PLS.  ®[ED  ] 

This  circuit  supports  high  speed  tracking  data  from  WSMRfor  NOR  AO  A  or  daily  prime  opportunity. 
@[061297-6004], 
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A3-155  MCC/GSFC/NGT  INTERFACE 

WB  MDM  NETWORK  (BROADCAST  MODE)  -  ONE  OF  TWO  MANDATORY. 

The  MCC/GSFC  and  MCC/NGT  satellite  data  links  (WB  MDM  networks)  provide  the  data  interface  for 
the  GSTDN  and  TDRSS  networks,  respectively.  Mandatory  telemetry,  command,  S-band  track,  and 
S-band  voice  are  routed  via  these  links.  There  are  two  completely  redundant  MDM  systems  to  provide 
backup  capability.  One  of  two  is  required  to  provide  mandatory  data. 

A3-156  MCC/ASCENT  ABORT  SITE  INTERFACE 

COMMUNICATIONS  CAPABILITY  WITH  REQUIRED  ASCENT  ABORT  SITES  -  ONE 
OF  THREE  MANDATORY:  ®[1 11094-1 71 6A] 

A.  LONGLINE  (LFP1) 

B.  INMARSAT 

C.  COMMERCIAL  TELEPHONE 

Prelaunch,  the  MCC  must  be  able  to  communicate  with  the  required  ascent  abort  landing  site,  (ref. 

Rule  {A2-2J,  ABORT  LANDING  SITE  REQUIREMENTS).  This  insures  that  there  has  not  been  a  change 
in  weather  or  nav/landing  aid  status.  It  also  insures  that  anomalies  can  be  passed  to  the  ground  support 
team  and  that  the  runway  and  airspace  are  clear  for  a  safe  landing.  This  can  be  accomplished  by 
insuring  that  at  least  one  of  the  communications  capabilities  listed  above  are  available.  ®[1 1 1094-1 71 6A  ] 

A3-157  THROUGH  A3-200  RULES  ARE  RESERVED 
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NAVAIDS  REQUIREMENTS 


A3-201  TACAN  REDUNDANCY  REQUIREMENTS  AND  ALTERNATE  TACAN 

SELECTION  PHILOSOPHY 

A.  REDUNDANCY  REQUIREMENTS  ®[0201 96-1 807B] 

1.  REDUNDANT  TACAN  TRANSPONDER  CAPABILITY  IS  MANDATORY  FOR 
LAUNCH  COMMIT  AT  THE  FOLLOWING  SITES: 

a.  RTLS 

b.  PRIMARY  TAL  IF  REQUIRED 
C.  AOA  IF  REQUIRED 

d.  FIRST  DAY  PLS  IF  REQUIRED  (ETRO  FOR  EQUIPMENT  OUTAGE 
MUST  BE  PRIOR  TO  DEORBIT  DECISION) 

NOTE:  REF  RULE  {A2-2} ,  ABORT  LANDING  SITE  REQUIREMENTS 

FOR  ABORT  SITE  LAUNCH  COMMIT  REQUIREMENTS. 

2.  REDUNDANT  TACAN  TRANSPONDER  CAPABILITY  IS  MANDATORY  FOR 
PLS  (OTHER  THAN  FIRST  DAY  PLS),  MDF ,  AND  END  OF  MISSION 
DEORBIT  COMMIT  (REF  RULE  {A4-107},  PLS/EOM  LANDING 
OPPORTUNITY  REQUIREMENTS) . 

3 .  THE  REDUNDANT  TACAN  TRANSPONDER  REQUIREMENT  CAN  BE 

SATISFIED  BY  ONE  GROUND  STATION  WITH  DUAL  STRING  (DS) 
TRANSPONDERS,  BY  TWO  STATIONS  WITH  SINGLE-STRING  (SS) 
TRANSPONDER  CAPABILITY,  OR  BY  ONE  GROUND  STATION  WITH 
SINGLE-STRING  (SS)  TRANSPONDER  CAPABILITY  AND  A  GPS  LRU 
FUNCTIONING  PROPERLY  (REF.  RULE  {A8-115},  GPS  SYSTEM 
MANAGEMENT)  .  @[0201 96-1 807B]  @[092602  5642] 

Rules  {A2-2},  ABORT  LANDING  SITE  REQUIREMENTS ,  and  (A2-1FJ.3,  PRELAUNCH  GO/NO-GO 
REQUIREMENTS,  reference  this  rule.  ®[i  21593-1 590  ] 

Landing  site  selection  will  be  based  on  priorities  specified  in  Rule  {A2-207j,  LANDING  SITE 
SELECTION.  @[022201  -3857  ] 

THIS  RULE  CONTINUED  ON  NEXT  PAGE 
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A3— 201  TACAN  REDUNDANCY  REQUIREMENTS  AND  ALTERNATE  TACAN 

SELECTION  PHILOSOPHY  (CONTINUED) 

GPS  provides  acceptable  redundancy  to  a  TACAN  ground  station  that  has  only  a  single-string 
transponder.  In  the  event  that  the  single-string  transponder  becomes  unavailable,  the  onboard  GPS 
LRU  will  provide  a  means  to  keep  the  onboard  state  vector  within  the  Guidance  constraints.  This  is 
con  tingen  t  upon  GPS  functioning  properly  ( ref.  Rule  {A8-115},  GPS  SYSTEM  MANAGEMENT). 

@092602-5642  ] 

Landing  sites  and  TACAN’s  are  loaded  in  the  onboard  software  and  can  be  changed  in  OPS  1/6/3. 
Uplink  of  an  acceptable  alternate  TACAN  may  be  performed  to  meet  redundancy  requirements  for 
OPS  6/3  en  tries.  TACAN  requiremen  ts  for  EOM  and  other  landing  opportunities  are  not  considered 
in  the  decision  to  launch.  @[0201 96-1 807B]  @[022201-3857] 

RTLS 


TACAN  processing  is  required  to  protect  the  guidance-imposed  navigation  entry  constrain  ts  for 
an  RTLS.  An  offline  analysis  that  assumed  a  launch  on  time  using  IMU’s  and  ADTA  with  nominal 
performance  characteristics  and  random  noise  showed  that  3-sigma  navigation  performance  violated  the 
entry  guidance  constraints  of  downtrack  and  crosstrack  at  altitudes  of  85k  feet  and  40k  feet,  respectively. 

TAL  (IF  REQ  UIRED )  ®[i  21 593-1 590  ] 

TACAN  is  required  to  protect  against  navigation  dispersions  for  TAL  because  neither  delta  state  nor 
GCA  is  available  without  ground  tracking.  TACAN  is  the  primary  source  to  correct  downtrack  and 
crosstrack  errors  in  the  navigation  state.  ®[020i  96-1 807B] 

Redundant  TACAN  transponder  capability  near  the  selected  TAL  site  is  mandatory  for  launch  to  provide 
adequate  navigation.  If  weather  conditions  are  unacceptable  at  the  primary  TAL  site,  then  redundant 
TACAN  transponder  capability  becomes  mandatory  near  the  secondary  site. 

AOA/FIRST DAY PLS  (IF REQUIRED) 

Although  an  AO  A  landing  site  is  not  normally  required  for  launch  commit  ( ref.  Rule  (A2-2),  ABORT 
LANDING  SITE  REQUIREMENTS),  the  TACAN  requirements  are  shown  in  the  event  that  an  AO  A  site  is 
required.  Redundant  TACAN  transponder  capability  is  required  for  the  primary  AO  A  landing  site  only. 

The  navigation  state  conditions  are  worse  for  AO  A  compared  to  RTLS  or  TAL  because  the  vector  is  1 
hour  older  and  the  vehicle  requires  one  or  two  OMS  burns.  For  a  first  day  PLS,  the  site  may  be 
con  sidered  go  if  equipmen  t  ou  tage  resu  lting  in  less  than  single-fault  tolerance  has  an  ETRO  prior  to 
deorbit  decision  time.  ®[1 21 593-1 590  ]  @[0201 96-1 807B] 

B.  IN  GENERAL,  PROGRAM  APPROVED  TACAN' S  (LISTED  BELOW  FOR  END  OF 
MISSION  AND  INTACT  ABORT  SITES;  NOT  IN  ORDER  OF  PRIORITY)  THAT 
MEET  THE  CRITERIA  IN  PARAGRAPH  C  WILL  BE  USED  TO  MEET  THE 
REDUNDANCY  REQUIREMENTS.  CONSIDERATION  WILL  BE  GIVEN  TO  OTHER 
TACAN' S  THAT  MEET  THE  CRITERIA  IN  PARAGRAPH  C  IF  THEY  PROVIDE 
A  NAVIGATION  IMPROVEMENT  OVER  AN  APPROVED  TACAN.  @[0201 96-1 807B] 
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_ FLIGHT  RULES _ 

TACAN  REDUNDANCY  REQUIREMENTS  AND  ALTERNATE  TACAN 
SELECTION  PHILOSOPHY  (CONTINUED) 

KENNEDY  SPACE  CENTER: 

TITUSVILLE,  TTS  (DS) 

PATRICK,  COF  (SS) 

ORMOND  BEACH,  OMN  (SS) 

LAKELAND,  LAL  (SS)  ®[0201 96-1 807B] 

ORLANDO,  ORL  (SS)  ®[0201 96-1 807B]  @[022201-3857] 

EDWARDS  AFB : 

EDWARDS,  EDW  (SS) 

LAKE  HUGHES,  LHS  (SS) 

CHINA  LAKE,  NID  (DS) 

GORMAN,  GMN  (SS) 

PALMDALE,  PMD  (SS) 

POMONA,  POM  (SS) 

NORTHRUP : 

WHITE  SANDS  SPACE  HARBOR,  SNG  (SS) 

HOLLOMAN  AFB,  HMN  (SS) 

TRUTH  OR  CONSEQUENCES,  TCS  (SS) 

BANJUL : 

YUNDUM  INTL,  BYD  (DS)  @[0201 96-1 807B] 
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A3— 201  TACAN  REDUNDANCY  REQUIREMENTS  AND  ALTERNATE  TACAN 

SELECTION  PHILOSOPHY  (CONTINUED) 

5.  BEN  GUERIR: 

BEN  GUERIR,  BEN  (DS) 

6 .  MORON 

MORON,  MRN  (SS) 

ROTA,  AOG  (DS)  ®[0201 96-1 807B] 

7.  ZARAGOZA:  ®[0201 96-1 807B] 

ZARAGOZA,  ZZA  (DS) 


Program  approved  TACAN’ s  refer  to  those  TACAN’ s  listed  in  NSTS  07700,  Volume  X,  Book  3, 
controlled  by  the  PRCB,  approved  by  the  SASCB  for  use  in  the  onboard  I-loads,  or  contained  in  this 
flight  rule.  When  selecting  an  alternate  TACAN  station  to  meet  redundancy  requirements,  priority  will 
generally  be  given  to  program  approved  TACAN’s  that  meet  the  criteria  in  paragraph  C.  If  no  program 
approved  TACAN’s  meet  the  criteria  or  other  TACAN’s  that  meet  the  criteria  provide  a  navigation 
improvement,  non-program  approved  TACAN’s  may  be  used  to  meet  the  redundancy  requirements.  Note 
that  in  most  cases,  there  will  be  no  program  approved  alternate  TACAN  station  since  both  NSTS  07700 
and  the  onboard  I-locids  only  include  a  primary  and  secondary  TACAN  for  each  site.  @[022201-3857  ] 

C.  ALTERNATE  TACAN' S  THAT  SATISFY  THE  FOLLOWING  CRITERIA  (NOT  IN 

PRIORITY  ORDER)  MAY  BE  UPLINKED  IN  OPS  1/3  TO  MEET  THE 

REDUNDANCY  REQUIREMENTS  IN  PART  A.  @[022201-3857] 

NOTE:  THESE  CRITERIA  APPLY  TO  GROUND  STATIONS  REQUIRED  FOR 

LAUNCH  COMMIT  AND  COMMIT  TO  DEORBIT.  REFER  TO  RULE 
{ A2 -2  64 } ,  EMERGENCY  LANDING  FACILITY  CRITERIA,  FOR 
ELS  MINIMUM  REQUIREMENTS. 

1.  NO  COCHANNEL  INTERFERENCE  PREDICTED  BELOW  130K  FT 
ALTITUDE . 

NOTE:  IN  SOME  CASES,  COCHANNEL  INTERFERENCE  MAY  BE 

ELIMINATED  BY  POWERING  OFF  THE  INTERFERING  STATION (S) 
FOR  THE  PERIOD  OF  SHUTTLE  OPERATIONS. 
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A3— 201  TACAN  REDUNDANCY  REQUIREMENTS  AND  ALTERNATE  TACAN 

SELECTION  PHILOSOPHY  (CONTINUED) 

2.  TACAN  MUST  BE  OPERATING  PRIOR  TO  LAUNCH  OR  DEORBIT  COMMIT 
AS  APPLICABLE  PER  PARAGRAPH  A 

3.  WITHIN  50  NM  OF  THE  RUNWAY. 

4.  POWER  LEVEL  ?  1 . 5K  WATTS.  ®[0201 96-1 807B] 

5.  NIMA  OR  FAA  TACAN  DATABASE  COORDINATES  MUST  BE  AVAILABLE 
AS  A  MINIMUM.  SURVEY  DATA  IS  HIGHLY  DESIRABLE,  BUT  NOT 
MANDATORY.  ®[0201 96-1 807B]  @[022201-3857] 

6.  NASA  OR  FAA  CERTIFIED  AND  ACCURATE  WITHIN  0 . 3  NM  AND  1.0 
DEGREE  (REF  RULE  {A8-52},  SENSOR  FAILURES). 

CONSIDERATION  WILL  BE  GIVEN  TO  THE  USE  OF  A  TACAN  WHICH 
HAS  BEEN  EVALUATED  VIA  GPS  EQUIPPED  STA  BUT  WHICH  HAS  NOT 
BEEN  COMPLETELY  CERTIFIED.  ®[ED  ] 

Alternate  TACAN’s  may  be  uplinked  in  OPS  1/3  to  satisfy  the  redundancy  requiremen  ts  for  OPS  6/3 
entries.  The  process  of  selecting  an  alternate  TACAN  begins  with  the  TACAN  Cochannel  Interference 
Document  (NAV-98-4237-032)  which  includes  several  potential  TACAN  stations  for  space  shuttle 
landing  sites.  This  document  contains  cochannel  interference  data  which  is  generated  assuming  a 
nominal  range-altitude  profile,  constant  power  level  of  3.5  KW,  and  an  approximation  for  the  shape  of 
the  parabolic  TACAN  signed  propagation.  This  interference  data  along  with  the  expected  groundtrack 
can  be  used  to  approximate  the  altitude  below  which  a  given  TACAN  station  is  clear  of  interference  and 
to  determine  which  TACAN  stations  must  be  powered  off  to  reduce  or  eliminate  in  terference.  In  addition 
to  the  cochannel  in  terference  data,  the  TACAN  Cochannel  In  terference  Documen  t  lists  the  type  of  station 
{TACAN,  VORTAC,  VORDME,  or  DME),  data  source  (survey  or  NIMA/FAA  database),  and  the  distance 
and  direction  from  the  runway. 

Once  an  acceptable  TACAN  or  VORTAC  is  identified  based  on  runway  proximity  and  cochannel 
in  terference,  the  operating  hours  and  power  level  are  verified  to  ensure  the  TACAN  will  be  available 
during  entry.  TACAN’s  used  to  meet  the  redundancy  requirements  must  be  operational  prior  to  launch 
commit  for  RTLS,  TAL  (if  required),  and  AO  A  (if  required).  If  first  day  PLS  is  required,  the  TACAN(s) 
must  have  an  ETRO  prior  to  deorbit  decision  time.  For  PLS,  MDF,  and  end  of  mission,  the  TACAN(s) 
used  to  meet  the  redundancy  requirements  must  be  operating  prior  to  deorbit  commit  and  until 
touchdown.  The  TACAN(s)  must  be  available  throughout  entry  to  touchdown  to  ensure  continuous 
TACAN  processing. 
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A  maximum  distance  of  50  nmfrom  the  TACAN  to  the  runway  is  required  to  ensure  TACAN  lock-on  until 
MLS  acquisition.  The  groundtrack  proximity  may  also  be  considered  in  the  alternate  TACAN  selection 
process.  The  minimum  power  level  of  1.5 K  watts  and  cochannel  interference  requirements  were  chosen 
to  obtain  TACAN  lock-on  by  130K  ft,  which  is  the  altitude  where  3  sigma  downtrack  error  will  exceed  the 
guidance  constraints  if  TACAN  data  is  not  processed.  Interfering  TACAN’ s  may  be  powered  off  if 
possible  to  eliminate  predicted  interference  below  130Kft. 

Although  survey  data  is  preferred,  it  is  not  required,  provided  data  is  available  from  the  NIMA/FAA 
TACAN  database.  Non-survey  coordinates  provided  by  NIMA/FAA  are  accurate  within  about  1000ft. 

Past  TACAN  measurement  data  quality  observed  during  shuttle  missions  and  flight  tests  may  also  be 
considered  in  the  alternate  TACAN  selection  process.  ®[0201 96-1 807B]  @[022201-3857] 

The  FAA  or  NASA  certification  requirements  are  contained  in  NSTS  07700,  Volume  X,  Book  3.  The 
FAA  accuracy  requirements  are  outside  those  required  by  space  shuttle  navigation.  Therefore,  cm 
FAA  controlled  TACAN  must  also  meet  the  0.3  nm  and  1.0  degree  accuracy  requirements  contained 
in  Rule  {A8-52},  SENSOR  FAILURES.  ©[020196-1807B]  @[022201 -3857  ] 

D.  IF  A  TACAN  GROUND  STATION  FAILS  AFTER  LAUNCH  OR  DEORBIT  AND  A 
TACAN  THAT  MEETS  THE  CRITERIA  IN  PARAGRAPH  C  DOES  NOT  EXIST, 
OTHER  ALTERNATES  (DME'S  INCLUDED)  MAY  BE  CONSIDERED  FOR 
UPLINK  TO  PROVIDE  SOME  FORM  OF  BACKUP  CAPABILITY. 

The  criteria  in  paragraph  C  is  provided  to  ensure  an  acceptable  TACAN  is  used  to  meet  the  redundancy 
requirements  for  commit  to  launch  or  commit  to  deorbit.  However,  if  a  TACAN  fails  after  launch  or 
deorbit  and  a  TACAN  that  meets  the  criteria  in  paragraph  C  does  not  exist,  the  best  alternate  including 
DME’s  may  be  uplinked.  Although  this  alternate  may  not  protect  3  sigma  navigation  performance,  it 
provides  some  form  of  backup  capability.  @[0201 96-1 807B] 
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REDUNDANT  MLS  CAPABILITY,  INCLUDING  AZIMUTH,  ELEVATION,  AND  RANGE 
DATA,  IS  REQUIRED  FOR  THE  FOLLOWING:  ©[070899-6872A] 

A.  REDUCED  CEILING,  VISIBILITY,  OR  INCREASED  RTLS  CROSSWIND 
LIMITS  (REF.  RULE  {A2-6},  LANDING  SITE  WEATHER  CRITERIA  [HC] ) 
FOR  DAYLIGHT,  CONCRETE  RUNWAY  LANDINGS.  ®[1 11 094-1 622B]  @[0411 96-1 81 7B] 

Because  MLS  provides  improved  navigation  and  position  accuracy  with  respect  to  the  runway,  a 
reduction  in  ceiling,  visibility  or  an  increase  in  RTLS  crosswind  requirements  is  allowed.  However, 
because  of  the  dependence  on  MLS  during  the  critical  landing  phase  with  reduced  ceilings/  visibility, 
combined  with  the  more  stringent  navigation  requirements  for  concrete  runways,  single-fault  tolerant 
capability  must  exist  to  guarantee  MLS  availability.  Redundant  MLS  capability  can  be  either  the 
standard  primary /backup  MLS  ground  station  or  two  collocated  single-string  MLS  Jr.  stations.  The 
relatively  less  stringent  navigation  requirements  for  lakebed  runways  make  it  possible  to  relax  the 
redundancy  requirement  to  zero-fault  tolerant.  One-sigma  onboard  navigation  position  errors  improve 
from  approximately  400 feet  without  MLS  to  approximately  85  feet  after  the  first  MLS  measurement, 
decreasing  to  just  over  50  feet  1-sigma  by  touchdown.  Azimuth  and  range  measurements  are  required  to 
allow  MLS  processing,  and  elevation  is  required  to  correct  altitude  errors.  Detailed  definitions  of 
ceiling,  visibility  and  RTLS  crosswinds  are  covered  in  Rule  [A2-6J,  LANDING  SITE  WEATHER 
CRITERIA  [HC],  ®[111094-1622B]  @[0411 96-1 81 7B] 

B.  NIGHT  LANDINGS  ON  ALL  CONCRETE  RUNWAYS  OR  NIGHT  LANDINGS  ON 
LAKEBED  RUNWAYS  WITH  CEILINGS  LESS  THAN  THOSE  SPECIFIED  IN 
RULE  {  A2  -  6  }  ,  LANDING  SITE  WEATHER  CRITERIA  [  HC  ].  ®[1 1 1094-1 622B] 

MLS  is  required  due  to  the  loss  of  visual  cues  and  the  related  degradation  of  the  crew’s  ability  to 
visually  compensate  for  navigation  dispersions  during  night  landing  operations.  Because  of  this 
requirement,  single-fault  tolerant  capability  must  exist  to  guarantee  MLS  availability  (ref.  paragraph  A 
rationale)  for  landings  on  concrete  runways  where  large  lateral  dispersions  at  touchdown  are  less 
tolerable  than  for  lakebed  runways. 

For  lakebed  landings  only,  single-string  MLS  is  acceptable  if  the  lowest  ceiling  is  at  or  above  those 
specified  in  the  Rule  {A2-6j,  LANDING  SITE  WEATHER  CRITERIA  [HC].  The  increased  ceiling 
provides  additional  time  for  the  crew  to  compensate  for  navigation  dispersion  s  using  visual  cues.  In 
addition,  the  larger  area  provided  by  the  lakebed  environment  makes  navigation  dispersions  resulting 
from  the  possible  failure  of  the  single-string  MLS  more  tolerable.  ®[1 1 1094-1622B] 

Rules  (A2-1FJ.3,  PRELAUNCH  GO/NO-GO  REQUIREMENTS;  [A2-2j.  ABORT  LANDING  SITE 
REQUIREMENTS;  {A3-203},  LANDING  AID  REQUIREMENTS;  and  {A8-1001},  GNC  GO/NO-GO 
CRITERIA,  reference  this  rule.  ®[111 094-1 622B]  ®[070899-6872A] 
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A3-203  LANDING  AID  REQUIREMENTS 

LANDING  AIDS  ( CONCRETE / LAKEBED  )  @[070899-6881] 


PAPI 

LIGHTS 

AIMPOINT 

BALLBAR  [1] 

XENON 

LIGHTS 

EDGE  LIGHTS/ 

REFLECTORS 

ALS 

CENTER 

LINE 

LIGHTS 

RUNWAY 

REMAINING 

MARKERS 

CDR  HUD 
W/MLS 

1  OF  2  HD 

HD 

RUNWAY  LIGHTS  AND  MARKERS 

NOT  REQUIRED  FOR 

DAYLIGHT  LANDINGS 

CDR  HUD 
W/NO  MLS 

1  OF2M 

M 

NO  CDR  HUD 

M 

HD 

M 

NIGHT 

LANDING 

M 

N/R 

M 

M 

M 

HD 

HD 

M  [2] 

@[102402-5786] 


[1]  BALLBAR  IS  MANDATORY  FOR  TAL. 

[2]  RUNWAY  REMAINING  MARKERS  (RRM’S)  ARE  MANDATORY  FOR  NIGHT  LANDINGS  ON  CONCRETE  ONLY. 

PAPI  lights  are  required  at  the  proper  aimpoint  position  (nominal  or  close  in  as  recommended)  for  all 
lighting  and  surface  conditions.  The  exceptions  are  daylight  landings  where  the  use  of  an  aimpoint  and 
a  HUD  will  substitute  for  a  PAPI,  or  when  the  CDR  HUD  and  MLS  are  available.  PAPI  lights  allow  the 
pilot  to  visually  acquire  the  proper  outer  glide  slope  with  a  good  degree  of  accuracy.  In  daylight,  the  use 
of  an  aimpoint  and  a  HUD  (visual  glide  slope  information  provided  by  onboard  navigation )  will  provide 
the  crew  with  similar  cues  to  the  outer  glide  slope.  The  combination  of  the  HUD  and  MLS  can  also 
provide  the  necessary  cues  for  flying  the  outer  glide  slope  in  daylight.  In  this  case,  either  the  PAPI  lights 
or  aimpoint  are  only  highly  desirable.  For  purposes  of  this  rule,  the  MLS  capability  is  required.  For 
specific  MLS  ground  station  redundancy  and  LRU  requirements  reference  Rules  {A3 -202},  MLS,  and 
{ A8-18 },  LANDING  SYSTEMS  REQUIREMENTS.  If  MLS  is  not  available,  then  either  the  PAPI  lights  or 
aimpoint  are  mandatory  (PAPI  lights  preferred).  Without  MLS,  navigation  accuracy  may  not  be  good 
enough  to  provide  a  reliable  crosscheck  of  the  HUD  runway  overlay  for  confirming  and  flying  the  outer 
glide  slope.  PAPI  lights  are  mandatory  for  night  landings  or  landings  without  the  CDR  HUD  to  help 
offset  the  loss  of  visual  cues  and  references  and  the  degraded  ability  to  compensate  for  navigation 
errors.  @[070899-6881  ] 

Ball  bars  are  mandatory  for  TAL  sites  because  of  the  reduced  runway  length  and  width  ( <  300 feet)  as 
compared  to  CONUS  runways.  Without  the  ball  bar,  the  reduced  width  of  the  runway  can  result  in  a 
false  visual  perception  of  being  too  high  above  the  glide  slope  which  can  lead  to  descending  through 
the  inner  glide  slope  and  landing  short  of  the  run  way. 
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For  daylight  CONUS  landings  where  the  visual  scene  is  “as  trained  to,  ”  a  ball  bar  is  only  highly 
desirable  when  both  the  CDR  HUD  and  MLS  are  available.  MLS  plus  the  CDR  HUD  provides 
sufficient  cues  to  allow  an  accurate  transition  to  the  inner  glide  slope.  For  purposes  of  this  rule  the 
MLS  capability  is  required.  For  specific  MLS  ground  station  redundancy  and  LRU  requirements, 
reference  Rules  {A3-202J,  MLS,  and  {A8-18J,  LANDING  SYSTEMS  REQUIREMENTS.  Without  MLS, 
the  navigation  accuracy  (primarily  the  HUD  velocity  vector)  may  not  be  good  enough  to  guide  the  pilot 
on  the  H/Hdot  profile  required  to  capture  ( Pre-Flare )  and  fly  the  inner  glide  slope  through  threshold 
crossing;  therefore,  a  ball  bar  is  mandatory.  Ball  bars  are  mandatory  for  night  landings  or  landings 
without  the  CDR  HUD  to  help  offset  the  loss  of  visual  cues  and  references  and  the  degraded  ability  to 
compensate  for  navigation  errors.  @[070899-6881  ] 

Runway  remaining  markers  (RRM’s)  are  only  mandatory  for  night  concrete  landings.  The  length  of 
concrete  runways  and  night  conditions  necessitate  the  need  for  RRM’s  due  to  the  reduced  margin  of 
error  in  determining  runway  remaining.  These  markers  give  the  pilot  a  visual  cue  to  the  rollout  distance 
remaining  and  the  brake  profile  required  to  stop  on  the  field. 

Runway  lighting  is  required  for  night  landings  in  order  for  the  pilot  to  see  the  runway  on  approach, 
touchdown,  and  rollout.  The  Xenon  lights  are  considered  mandatory,  as  they  provide  the  primary 
means  for  lighting  the  immediate  runway  area  (approach  path,  threshold,  and  touchdown  point). 

Runway  edge  lights/reflectors  are  mandatory  as  they  provide  the  primary  visual  cue  for  lateral  margin 
during  touchdown  and  rollout.  Approach  Lighting  System  (ALS)  lights  are  not  mandatory  because  the 
Xenon  lights,  edge  lights/reflectors,  and  PAPI/ball  bar  requirements  suffice  for  centerline/threshold 
lighting  and  targeting  cues.  Centerline  lights  are  available  as  a  secondary  cue  at  the  KSC  SLF  and  are 
only  highly  desirable.  @[102402-5786  ] 

Reference  Ascent/Entry  Flight  Techniques  Panel,  April  16,  1999.  @[070899-6881  ] 

Rules  { A2-1} ,  PRELAUNCH  GO/NO-GO  REQUIREMENTS;  and  (A2-2J,  ABORT  LANDING  SITE 
REQUIREMENTS,  reference  this  rule.  ®[i 21593-1 590  ] 
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A4-59  MANUAL  THROTTLE  SELECTION  (CONTINUED) 

E.  THROTTLE  COMMAND  NOT  DECREASED  TO  MAINTAIN  3-G  ACCELERATION. 

The  3-g  acceleration-limiting  logic  is  provided  to  assure  that  vehicle  loads  do  not  exceed  design  constraints. 
Therefore,  manual  throttle  will  be  invoked  to  protect  this  limit  if  the  flight  software  fails  to  do  so.  Reference 
the  rationale  for  Rule  { A4-58C j,  AUTO  GUIDANCE  NO-GO,  for  further  background. 

F.  ANY  TIME  CSS  IS  SELECTED. 

Av  a  conservative  guideline,  any  time  the  AUTO  guidance  is  unacceptable  for  vehicle  attitude  control,  it 
should  not  be  allowed  to  control  the  mean  engines.  If  the  vehicle  attitude  is  not  maintained  to  satisfy  the 
guidance  solution,  the  guidance  may  go  unconverged  and  potentially  could  issue  an  undesired  MECO 
command.  Thus,  to  avoid  an  inadvertent  shutdown,  manned  throttle  should  be  selected  whenever  CSS 
takeover  is  initiated. 

Rule  (A2-64AJ,  MANUAL  THROTTLE  CRITERIA,  references  this  rule. 

G.  THROTTLES  WILL  BE  MANUALLY  COMMANDED  TO  THE  MINIMUM  POWER 
LEVEL  AT  2  PERCENT  PROPELLANT  REMAINING  IF  THE  EXPECTED  MECO 
UNDERSPEED  EXCEEDS  THE  VALUE  ASSURING  EXECUTION  OF  FLIGHT 
SOFTWARE  MECO  PREP  THROTTLING: 


1 . 

TWO 

OR  THREE  ENGINES  ON: 

500 

FPS 

2  . 

ONE 

ENGINE  ON: 

250 

FPS  @[0921 95-1 770A] 

Flight  software  MECO  preparation  throttling  is  triggered  by  K-locided  timing  values.  When  the 
guidance-computed  TGO  becomes  less  than  TGO_FCD  K-load,  the  MPS  guidance  cutoff  task  begin  s 
cyclic  execution.  This  task  determines  when  to  command  the  SSME’s  to  the  cutoff  power  level,  and 
assumes  that  they  will  remain  at  that  setting  for  K-load  DT_MIN_K  seconds.  However,  the  software  also 
assumes  a  guided  MECO  will  result  and  has  no  way  of  compensating  for  an  impending  early  (low-level) 
cutoff.  Therefore,  for  predicted  MECO  underspeeds  greater  than  a  threshold  value,  a  low-level 
shutdown  may  be  commanded  before  the  engines  reach  the  desired  cutoff  throttle  setting.  In  such 
instances,  the  throttles  will  be  manually  retarded  to  the  minimum  power  level  shortly  before  MECO  to 
provide  the  required  safe  shutdown  configuration. 

Under  most  circumstances,  the  onboard  propellant  remaining  computation  is  sufficiently  accurate  to  use 
as  a  throttledown  cue.  Ascent/Entry  Flight  Techniques  # 62  determined  in  January  1990  that  2  percent 
propellant  remaining  provided  a  generic  value  that  covered  both  the  pre-MECO  dump  and  no-dump 
cases.  However,  the  flight  software  computation  is  inaccurate  when  off-nominal  mixture  ratios  are 
in  volved,  due  to  the  buildup  of  unusable  LOX  or  LH2;  the  software  senses  the  extra  mass  but  does  not 
recognize  it  as  un  usable.  Likewise,  the  onboard  mass  estimation  algorithm  in  first  stage  assumes  all 
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A4-59  MANUAL  THROTTLE  SELECTION  (CONTINUED) 

engines  are  operating  at  the  commanded  power  level;  therefore,  an  engine  locked  before  the  bucket  will 
consume  more  propellan  t  than  the  mass  tracking  function  accoun  ts  for.  This  leads  to  the  second  stage 
software  believing  it  has  more  propellant  than  is  actually  available. 

Although  the  resultant  mass  dispersions  are  a  function  of  the  size  and  direction  of  the  mixture  ratio  upset 
or  the  depth  and  length  of  the  bucket,  the  2  percent  propellant  remaining  cue  still  provides  sufficient  time 
to  throttle  down.  ( Reference  Flight  Rule  {A5-112J,  MANUAL  THROTTLEDOWN  FOR  L02  NPSP 
PROTECTION  AT  SHUTDOWN.)  ®[ED  ] 

H.  FOR  LOW  LH2  NPSP  PER  FLIGHT  RULE  {A5-155},  LIMIT  SHUTDOWN 
CONTROL  AND  MANUAL  THROTTLING  FOR  LOW  LH2  NPSP. 

Rule  {A5-155},  LIMIT  SHUTDOWN  CONTROL  AND  MANUAL  THROTTLING  FOR  LOW  LH2  NPSP, 
addresses  scenarios  requiring  manucd  throttles.  Maimed  throttles  will  be  maintained  and  a  manual 
MECO  required  for  the  flow  control  valve  anomaly  case.  Uphill  capability  will  be  evaluated  at  each 
throttle  setting.  Two-engine  and  single-engine  performance  boundaries  will  be  made  based  on  minimum 
power  level  as  time  permits.  Since  this  dynamic  throttle  profile  is  difficult  to  model,  two-engine  and 
single-engine  capability  may  not  be  evaluated  accurately  until  the  failure  actually  occurs. 

Manual  throttles  will  be  selected  prior  to  aborting  TAL  for  a  LH2  leak.  OI-8D  software  (STS-38 
and  subs)  automatically  throttles  the  engines  down  if  TAL  is  selected  above  an  I-locided  inertial 
velocity.  To  preven  t  the  software  from  throttling  the  engines  down  when  there  is  an  LH2  tank  leak, 
manucd  throttles  are  selected  prior  to  selecting  TAL.  Once  TAL  is  selected,  the  throttles  will  be 
returned  to  auto  where  they  will  stay  at  104  percent  until  3  g’s  are  reached.  Three-g  throttling  may 
cause  engine  failures  but  this  is  cm  accepted  risk  to  avoid  vehicle  structured  damage.  Operating  the 
SSME’s  at  104  percent  results  in  a  higher  inertial  velocity  at  MECO  than  if  the  SSME’s  had  been 
throttled  down  to  67  percent.  ®[092195-1770A] 

I.  A  TAL  UNDERSPEED  IS  PREDICTED  AND  CAN  BE  REDUCED  BY  FLYING 
AT  A  LOWER  THROTTLE  SETTING.  THROTTLES  WILL  BE  RETARDED  TO 
MINIMUM  POWER  LEVEL  WHEN  THE  PERFORMANCE  GAIN  IS  MAXIMIZED. 

The  slope  of  the  TAL  range-velocity  target  line  results  in  a  point  in  the  powered  flight  trajectory  where 
MPS  propellan  t  margins  may  be  increased  by  flying  at  a  reduced  throttle  setting.  As  the  throttle  is 
retarded,  the  powered  flight  time  is  extended  which  in  turn  results  in  a  MECO  position  which  is  farther 
downrange  than  would  have  occurred  at  a  higher  power  level.  The  farther  downrange  position  equates 
to  less  distance  to  the  TAL  site  at  MECO,  and  hence,  a  lower  MECO  target  velocity.  This  in  turn 
translates  to  increased  MPS  margin  since  less  delta  V  is  required  to  reach  the  smaller  target  velocity. 
Early  in  powered  flight,  gravity  losses  at  the  lower  throttle  are  large  and  offset  any  R-V  target  benefit; 
however,  eventually  sufficient  velocity  is  achieved  such  that  the  inverse  is  true;  i.e.,  the  smaller  target 
velocity  offsets  the  gravity  losses,  which  diminish  with  time  and  the  square  of  the  curren  t  velocity. 
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A4-59  MANUAL  THROTTLE  SELECTION  (CONTINUED) 

In  real  time,  the  MCC  ARD  can  determine  when  this  boundary  condition  is  reached,  and  subsequently 
when  the  performance  gain  is  maximized.  The  FDO  will  then  call  for  throttledown  to  minimize  the  R-V 
underspeed.  Improving  proximity  to  the  R-V  line  in  this  manner  reduces  the  likelihood  of  requiring  low- 
energy  guidance  during  entry,  and  is  especially  critical  for  out-of-plane  sites  where  high  crossrange 
severely  limits  underspeed  tolerance.  @[120894-1663  ] 

Note  that  this  procedure  will  not  be  utilized  unless  an  underspeed  is  predicted  at  the  current  power  level. 

Rules  { A4-55 },  DESIGN  AND  CRITICAL  MECO  UNDERSPEED  DEFINITIONS;  and  { A5-112 }, 
MANUAL  THROTTLE  DOWN  FOR  L02  NPSP  PROTECTION  AT  SHUTDOWN,  reference  this  rule. 

®[ED  ] 

J.  THREE  ENGINES  RUNNING  AND  TWO  STUCK  THROTTLES  PRIOR  TO  TAL  OR 
RTLS  ABORT. 

1.  TAL:  SELECT  MANUAL  THROTTLES,  ABORT  TAL,  SELECT  AUTO 
THROTTLES . 

2.  RTLS:  SELECT  MANUAL  THROTTLES,  MINIMUM  THROTTLES,  WAIT 
10  SECONDS,  ABORT  RTLS,  SELECT  AUTO  THROTTLES. 

For  TAL,  it  is  undesirable  to  throttle  down  the  good  engine  due  to  the  guidance  transients  which  may 
occur  and  the  fact  that  little  time  would  be  gained  to  perform  the  abort  dump.  Therefore,  man  ual 
throttles  will  be  selected  to  prevent  an  automatic  throttledown  when  TAL  is  declared.  This  action  is  not 
required  if  TAL  is  declared  early  enough  that  automatic  throttling  will  not  occur  at  abort  selection. 
However,  since  there  is  no  disadvantage  to  selecting  manned  throttles  for  this  short  period  of  time, 
manual  throttles  will  always  be  selected  for  consistency.  AUTO  throttles  will  be  reselected  after  TAL  is 
declared. 

For  three-engine  RTLS  cases  with  two  stuck  throttles,  minimum  throttles  will  be  selected  prior  to  abort 
selection.  Doing  so  will  allow  guidance  to  converge  on  the  correct  average  thrust  level  and  will  reduce 
the  probability  of  cm  early  PPA.  For  gu  idance  to  have  enough  time  to  con  verge,  minimum  throttle  levels 
must  be  achieved  at  least  10  seconds  prior  to  RTLS  selection.  If  not,  an  early  PPA  may  occur,  resulting 
in  MECO  conditions  that  are  not  optimized.  AUTO  throttles  should  be  reselected  at  some  point  prior  to 
PPA,  but  are  not  mandatory  prior  to  RTLS  selection. 

Reference  Rules  {A5-109},  MANUAL  SHUTDOWN  FOR  TWO  STUCK  THROTTLES  (NOT  DUAL  APU 
FAILURES);  and  (A8-61 },  SSME  SHUTDOWN  DUE  TO  HYDRAULIC  SYSTEM  FAILURES.  ®[ED  ] 
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A4-59  MANUAL  THROTTLE  SELECTION  (CONTINUED) 

K.  TO  MAINTAIN  THROTTLES  AT  109  PERCENT  POWER  LEVEL  DURING  THE 
FLYBACK  PHASE  OF  AN  RTLS  ABORT. 

When  maximum  throttles  are  enabled  (SPEC  51  Item  4),  guidance  replaces  the  maximum  power  level 
(KMAX)  of  104  percen  t  with  109  percen  t.  However ,  during  the  flyback  phase,  the  commanded  power 
level  (KCMD)  is  not  simply  set  to  KMAX  but  is  adjusted  to  achieve  the  desired  mass  conditions  at  MECO 
(assuming  CSS  or  manual  throttles  did  not  occur  anytime  during  flyback).  For  two  engines  running,  the 
typical  throttle  command  during  flyback  is  about  100  percen  t  and  is  unaffected  by  KMAX.  Therefore,  if 
109  percen  t  power  level  is  desired  du  ring  the  flyback  phase  of  cm  RTLS  abort,  man  ual  throttles  are 
required. 

Reference  Rule  {A4-53E.1},  USE  OF  MAXIMUM  THROTTLES;  and  Rule  {A5-151D.3},  PRE-MECO 
MPS  HELIUM  SYSTEM  LEAK  ISOLATION  [CIL ]. 

L.  IF  A  LOWER  SSME  POWER  LEVEL  IS  REQUIRED  SUBSEQUENT  TO 
ENABLING  MAXIMUM  THROTTLES. 

When  maximum  throttles  are  enabled  (SPEC  51  Item  4),  guidance  replaces  the  maximum  power  level 
(KMAX)  of  104  percent  with  109  percen  t.  If  throttle  selection  is  auto  and  3-g  throttling  is  not  active,  the 
commanded  power  level  (KCMD)  is  set  to  the  new  maximum  power  level  of  109  percent  (except  during 
RTLS  flyback  phase,  see  paragraph  K.  above).  If  a  lower  power  level  is  required  subsequent  to  enabling 
maximum  throttles,  manual  throttles  must  be  selected  and  the  lower  power  level  commanded  manually. 
(Note,  if  throttle  selection  is  auto,  the  fine  count  throttle  setting  will  be  commanded  regardless  if 
maximum  throttles  have  been  enabled).  A  second  SPEC  51  Item  4  will  not  reset  the  maximum  or 
commanded  power  level  to  104  percent.  Therefore,  the  lower  power  level  must  be  commanded  manually. 
Once  the  desired  power  level  is  reached,  throttles  can  be  returned  to  auto.  However,  a  subsequent 
engine  failure  with  auto  throttles  selected  will  result  in  the  commanded  power  level  being  reset  to  109 
percent. 

Rule  (A2-64AJ,  MANUAL  THROTTLE  CRITERIA,  references  this  rule. 
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A4-60  MANUAL  SHUTDOWN  CRITERIA 

IF  THE  ONBOARD  PREDICTED  MET  OF  MECO  IS  2  SECONDS  DIFFERENT  THAN 
THE  GROUND  PREDICTED  MET  OF  MECO  AND  IF  CONFIRMED  BY  OBSERVED 
NAVIGATION  VELOCITY  ERRORS,  A  MANUAL  SHUTDOWN  WILL  BE  INITIATED 
AT  THE  GROUND-COMPUTED  TIME. 

If  the  ground  predicted  MET  of  MECO  is  2  seconds  differen  t  than  the  on  board  predicted  MET  of  MECO, 
a  manual  shutdown  will  be  initiated  on  the  ground-computed  value  to  maintain  the  capability  to  achieve 
a  nominal  mission.  A  difference  in  the  onboard  and  ground  predicted  times  indicates  an  auto  MECO 
will  not  achieve  the  target  cutoff  conditions.  An  early  cutoff  may  require  downmoding  because  ofOMS 
performance  limitations.  A  late  cutoff  may  cause  the  desired  thrust  direction  for  OMS-1  to  be  radially 
downward  and/or  retrograde.  The  uncertainty  in  the  ground  prediction  is  estimated  to  be  ±0.9  second. 
This  value  is  the  RSS  of  the  computational  uncertainties  of  ±0.6  second  for  3 -sigma  ground  navigation 
accuracy,  and  ±  0.5  second  for  onboard  response  to  throttledown  commands.  Allowing  a  1-second  pad 
to  ensure  detection  of  a  true  onboard  error  and  rounding  to  a  whole  number,  a  2-second  tolerance  is 
enforced. 

Reference:  CA4-79,  Ascent  Flight  Techniques  Meeting  #35,  dated  March  27,  1979.  Rule  {A2-60J, 
NAVIGATION  UPDATE  CRITERIA,  references  this  rule. 

A4-61  THRUST  LIMITING,  HYDRAULIC,  OR  ELECTRICAL  LOCKUP 

A.  BASED  ON  RECOMMENDATION  FROM  THE  BOOSTER  SYSTEM  ENGINEER,  AN 
ABORT  REGION  DETERMINATOR  (ARD)  ADJUSTMENT  WILL  BE  MADE  FOR: 

1.  THRUST  LIMITING  FLAG  SET. 

2.  Pc  SENSOR  SHIFT. 

3.  ELECTRONIC  LOCKUP. 

4.  HYDRAULIC  LOCKUP. 

5.  HPOT  EFFICIENCY  LOSS. 

6.  LH2  FLOW  METER  SENSOR  SHIFT. 

7.  LPFT  DISCHARGE  TEMPERATURE  SHIFT. 

8.  NOZZLE  LEAKS. 

The  ARD  FPR  is  designed  to  cover  only  those  SSME  failures  that  are  not  detectable  with  engine 
instrumentation,  but  are  sufficient  to  cause  performance  degradation.  Therefore,  it  is  necessary  to 
model  in  the  ARD  those  failures  with  performance  impacts  that  exceed  FPR  coverage.  Reference  Rule 
{A5-110J,  SSME  PERFORMANCE  DISPERSION.  ®[ED  ] 
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A4-61  THRUST  LIMITING,  HYDRAULIC,  OR  ELECTRICAL  LOCKUP 

(CONTINUED) 


B.  A  PERFORMANCE-LIMITED  SSME  WILL  BE  SHUT  DOWN  EARLY,  OR  A  MAIN 
ENGINE  CONTROLLER  CHANNEL  TURNED  OFF,  BASED  ON  BOOSTER 
SYSTEMS  ENGINEER  (BSE)  CONFIRMATION  OF  THE  FAILURE  AND  ARD 
PERFORMANCE  EVALUATION  FOR  THE  FOLLOWING  CASES: 

1.  LOW  MIXTURE  RATIO: 

Preservation  of  the  ATO  region  by  early  shutdown  of  an  SSME  has  priority  over  a  possible  abort 
downmode  to  an  AO  A. 

IF  THE  FOLLOWING  CRITERIA  ARE  MET,  THE  AFFECTED  SSME  WILL 
BE  SHUT  DOWN  EARLY  TO  PROTECT  3-SIGMA  ATO  CAPABILITY  OR 
THE  DESIGN  UNDERSPEED,  WHICHEVER  IS  THE  MOST 
CONSTRAINING: 

a.  THE  ACTUAL  NOMINAL  MARGIN  INDICATES  LOSS  OF  ATO 
CAPABILITY. 


The  ARD’s  actual  mode  nominal  margin  is  a  prediction  ofMECO  underspeed  on  a  2-sigma  bad  day. 

This  prediction  can  be  used  to  determine  if  ATO  capability  exists.  This  rule  refers  to  the  design 
underspeed  as  a  criterion  for  pressing  uphill  with  a  performance-limited  SSME.  In  addition,  the 
dispersed-performance  protection  level  (3 -sigma)  is  stated  explicitly  for  uphill  capability  assessmen  t. 

b.  THE  HYPOTHETICAL  AO A  MARGIN  (REFLECTING  THE  SICK 
ENGINE  OUT)  IS  DECREASING. 

The  ARD’s  hypothetical  mode  AO  A  margin  is  the  indicator  of  when  continued  sick  engine  operation  will 
degrade  performance.  A.v  long  as  the  margins  are  increasing,  the  three-engine  configuration  is 
improving  MECO  conditions.  When  the  margins  start  trailing  off,  the  sick  engine  is  degrading  uphill 
capability.  If  the  hypothetical  nominal  margin  is  greater  than  the  actual  nominal  value;  i.e.  it  is  better  to 
have  two  healthy  engines  than  two  healthy  and  one  sick,  the  bad  engine  will  be  shut  down. 

C.  THE  HYPOTHETICAL  NOMINAL  MARGIN  IS  GREATER  THAN  THE 
ACTUAL  NOMINAL  MARGIN. 

Rationale  is  the  same  as  for  paragraph  b  above. 
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A4-61  THRUST  LIMITING,  HYDRAULIC,  OR  ELECTRICAL  LOCKUP 

(CONTINUED) 

2.  Pc  SENSOR  SHIFT  (HIGH  OR  LOW) 

FOR  A  PC  SENSOR  SHIFT  THE  AFFECTED  MAIN  ENGINE  CONTROLLER 
CHANNEL  WILL  BE  TURNED  OFF  BY  THE  CREW  TO  PROTECT  3-SIGMA 
ATO  CAPABILITY  (i . e . ,  AVOID  AO A)  OR  THE  DESIGN 
UNDERSPEED,  WHICHEVER  IS  THE  MOST  CONSTRAINING.  THIS 
PROCEDURE  WILL  NOT  BE  IMPLEMENTED  IF  IT  WILL  CAUSE  ENGINE 
SHUTDOWN  OR  NOT  CORRECT  THE  PERFORMANCE  DISPERSION  (REF. 
RULE  {A5-110},  SSME  PERFORMANCE  DISPERSION,  FOR  CASES 
THAT  CAUSE  ENGINE  SHUTDOWN)  .  ®[ED  ] 

Large  Pc  shift  can  cause  mixture  ratio  excursions  that  will  result  in  a  LOX  or  LH2  depletion  prior  to 
ATO  capability.  Generally,  the  bad  Pc  sensor  can  be  isolated  and  turn  ed  off  with  the  other  sensor 
returning  the  mixture  ratio  to  a  nominal  value.  This  rule  refers  to  the  design  underspeed  as  a  criterion 
for  pressing  uphill  with  a  performance-limited  SSME.  In  addition,  the  dispersed-performance  protection 
level  (3 -sigma)  is  stated  explicitly  for  uphill  capability  assessment. 

3.  HYDRAULIC  OR  ELECTRICAL  LOCKUP 

AN  SSME  IN  HYDRAULIC  OR  ELECTRICAL  LOCKUP  WHEN  COUPLED 
WITH  LOW  VEHICLE  PERFORMANCE  MAY  BE  MANUALLY  SHUT  DOWN  TO 
PREVENT  A  VIOLATION  OF  THE  ENGINE  LC£  NET  POSITIVE 
SUCTION  PRESSURE  (NPSP)  REQUIREMENTS  NEAR  MECO .  IF  THE 
ARD  PREDICTED  DELTA  V  MARGIN  AFTER  SRB  SEPARATION 
INDICATES  LOW  PERFORMANCE,  THE  NONTHROTTLING  ENGINE  WILL 
BE  SHUT  DOWN  AT  Vj  >  23K  FPS  .  @[061297-4892] 

For  low  performance  in  first  stage  with  one  or  more  engines  in  hydraulic  or  electrical  lockup,  there  is 
potentially  insufficient  LOX  at  MECO  to  support  the  stuck  engine’s  shutdown  from  the  higher  throttle 
level.  This  results  in  a  LOX  depletion  and  subsequent  uncontained  engine  damage. 

C.  FOR  A  THREE-ENGINE  RTLS ,  AUTO  GUIDANCE  WILL  BE  PRESERVED  BY 
SHUTTING  DOWN  PERFORMANCE-LIMITED  SSME  WHEN  THE  PROBLEM  IS 
IDENTIFIED  BUT  NOT  LATER  THAN  POWERED  PITCHDOWN  (PPD)  MINUS  40 
SECONDS  TO  PROTECT  A  3-SIGMA  GUIDED  MECO  (RTLS  MARGIN  >  0  FPS) . 
CRITERIA  FOR  ET  SEPARATION  PROPELLANT  CONDITIONS  WILL  NOT  BE 
CONSIDERED  WHEN  DETERMINING  SSME  SHUTDOWN  REQUIREMENTS  DURING 
AN  RTLS. 


Manned  throttle,  maimed  guidance,  and  early  manual  turnaround  during  an  RTLS  is  more  risky  than 
shutdown  of  a  performance-limited  SSME.  There  is  no  real-time  determination  of  propellant  conditions 
at  ET  separation  currently  available.  It  is  highly  desirable  to  protect  a  3-sigma  guided  MECO.  This 
will  be  done  at  the  possible  expense  of  executing  an  RTLS  ET  separation  with  a  slightly  heavier  tank. 
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A4-62  QMS— 1 /QMS— 2  EXECUTION 

THE  OMS-1  AND/OR  OMS-2  TARGETS  AND  TIG  WILL  BE  SELECTED  TO 
ACHIEVE  THE  HIGHEST  PRIORITY  MISSION  MODE  POSSIBLE.  ALLOWABLE 
UNDERSPEEDS  FOR  EXECUTION  OF  NOMINAL  TARGETS  WILL  ENSURE 
ACCOMPLISHMENT  OF  HIGH  PRIORITY  MISSION  OBJECTIVES.  THE  AME  WILL 
BE  USED  TO  DETERMINE  THE  HIGHEST  PRIORITY  MISSION  MODE  THAT  CAN 
BE  ACHIEVED. 

For  standard  insertion  flights,  the  nominal  OMS-1  and  OMS-2  targets  are  designed  to  be  performance 
optimized.  The  nominal  targets  will  be  executed  and  the  nominal  flight  profile  flown  only  if  there  is 
stiff  cient  fuel  available  to  perform  the  required  on-orbit  burns  and  the  deorbit  burn.  Otherwise,  the 
highest  priority  mission  mode  that  can  be  supported  by  the  fuel  available  will  be  executed.  (Reference 
Rule  {A2-52D},  ASCENT  MODE  PRIORITIES  FOR  PERFORMANCE  CASES.  ) 

For  direct  insertion  flights,  a  range  of  underspeeds  will  result  in  no  OMS-1  being  required  but  the 
apogee  is  lower  than  nominal.  For  these  cases,  assuming  no  OMS  leaks  have  occurred,  it  is  desired  to 
circularize  at  the  resulting  pre-OMS-2  apogee  altitude  with  the  OMS-2  burn.  The  details  for  this  case 
with  and  without  OMS  propellant  problems  are  in  Flight  Rule  { A4-103J ,  OFF-NOMINAL  ORBITAL 
ALTITUDE  RECOVERY  PRIORITIES,  and  its  rationale. 

The  AME  will  be  used  in  real  time  to  determine  the  highest  priority  mission  mode  that  can  be  achieved. 
Actual  post-MECO  state  vectors  and  actual  OMS  quantities  are  used  by  the  AME.  Should  the  MOC  be 
unavailable,  the  backup  method  for  determining  the  correct  targets  is  the  crew  chart  in  the  Ascent 
Checklist. 
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A4-107  PLS/EOM  LANDING  OPPORTUNITY  REQUIREMENTS 

A.  ALL  OF  THE  FOLLOWING  CRITERIA  ARE  REQUIRED  FOR  A  PLS  (OTHER 
THAN  FIRST  DAY  PLS,  REF.  RULE  {A2-1F},  PRELAUNCH  GO/NO-GO 
REQUIREMENTS)  MDF ,  OR  EOM  LANDING  OPPORTUNITY  (NOT  IN 
PRIORITY  ORDER) : 

1.  NASA  CONUS  SITE:  KSC,  EDW,  NOR.  FOR  NO-COMM  PLS 
PLANNING,  EDW  IS  PREFERRED. 


Only  the  three  prime  NASA  CONUS  sites  should  be  considered  for  PLS  or  EOM.  The  daily  PLS 
planning  results  in  a  crew  message  for  no-comm  execution  if  total  communications  are  lost;  ref.  Rule 
{All-52},  LOSS  OF  BOTH  VOICE  AND  COMMAND.  In  the  case  of  other  problems,  ground  evaluation 
of  the  landing  site  can  be  made  very  shortly  before  deorbit  burn.  However,  for  the  no-comm  case,  the 
crew  may  be  required  to  execute  a  deorbit  to  a  site  that  was  picked  many  hours  previously.  Since  EDW 
weather  is  in  general  much  more  stable  than  KSC  and  additional  lateral  and  longitudinal  margins  are 
available  in  the  case  of  poor  navigation  (likely  for  a  no-comm  entry)  or  other  orbiter  systems  problems, 
EDW  is  the  preferred  no-comm  PLS  site  when  all  other  considerations  are  equal.  ®[ED  ] 

2.  WIND  AND  WEATHER  CONDITIONS  (REF.  RULE  {A2-6},  LANDING 

SITE  WEATHER  CRITERIA  [HC]  )  ®[1 20894-1 622B] 

3.  ACCEPTABLE  ENTRY  ANALYSIS  INCLUDING: 

NOTE:  ENTRY  ANALYSIS  IS  NOT  PERFORMED  FOR  DAILY  NO-COMM 

PLS  SELECTION. 

a.  APPROACH  AND  LAND  TRANSITION  (REF.  RULE  {A4-156},  HAC 
SELECTION  CRITERIA) . 

b.  NORMALIZED  TOUCHDOWN  DISTANCE  (REF.  RULE  {A4-110}, 

AIMPOINT,  EVALUATION  VELOCITY,  AND  SHORT  FIELD 
SELECTION)  .  ®[072795-1 788A  ] 

C.  MAXIMUM  TIRE  SPEED,  ROLLOUT  MARGIN,  AND  BRAKE  ENERGY 
CONSTRAINTS  (REF.  RULE  {A4-108},  TIRE  SPEED,  BRAKING, 
AND  ROLLOUT  REQUIREMENTS) . 
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A4-107  PLS/EOM  LANDING  OPPORTUNITY  REQUIREMENTS 

(CONTINUED) 

d.  NZ  AND  Q-BAR  CONSTRAINTS  (REF.  RULE  {A4-207},  ENTRY 
LIMITS)  .  ®[072795-1788A  ] 

Rule  { A4-112J ,  LOWER  LEVEL  MEASURED  WIND  AND  ATMOSPHERIC  DATA,  requires  accurate 
lower  level  atmospheric  data  that  is  used  for  analysis  of  the  entry  trajectory  to  ensure  safety.  The  main 
gear  tires  are  certified  to  225  knots  groundspeed.  This  constraint  may  limit  the  allowable  tailwind  based 
on  the  predicted  EAS  and  density  altitude.  Violation  of  brake  energy  and  rollout  constraints  may  result, 
in  dispersed  cases,  in  run  way  departure  or  excessive  braking  requiremen  ts  that  could  lead  to  tire  fires. 

Rule  {A2-6A},  LANDING  SITE  WEATHER  CRITERIA  [HC],  references  this  rule.  Since  the  no-comm 
PLS  landing  would  be  executed  many  hours  after  the  site  had  been  selected,  entry  analysis  using 
environmental  observations  are  not  relevant  and  therefore  will  not  be  performed.  ®[071 494-1 621  A] 

®[1 20894-1 622B]  ®[ED  ] 

4.  ENTRY  CROSSRANGE  LESS  THAN  DISPERSED  OR  THE  THERMAL 
CROSSRANGE  LIMIT,  WHICHEVER  IS  MORE  CONSTRAINING. 

The  dispersed  crossrange  limit  represen  ts  the  vehicle  capability  to  converge  to  nominal  conditions  by 
TAEM  in  terface  (Mach  2.5)  assuming  3 -sigma  combinations  of  navigation,  atmosphere,  energy,  and  winds. 
All  planned  and  acceptable  entries  must  have  a  crossrange  which  is  less  than  the  dispersed  crossrange 
limit.  Landing  sites  with  crossrange  between  the  dispersed  and  undispersecl  limits  should  not  be 
considered.  (Ref.  the  Annex  Flight  Rule,  TRAJECTORY  AND  GUIDANCE  PARAMETERS.)  ®[ED  ] 

The  flight  specific  thermal  crossrcmge  limit  protects  the  upper  surface  thermal  constraints  for  high 
crossrcmge  en  tries.  Du  ring  high  crossrcmge  en  tries,  the  orbiter  main  tains  a  roll  angle  for  a  long  period 
of  time  to  reduce  crossrcmge  prior  to  the  first  roll  reversed.  Heading  rates  incurred  by  non-zero  roll 
attitudes  will  be  sensed  by  the  FCS  pitch  rate  gyros  as  small  positive  pitch  rates.  As  a  result,  the  FCS 
will  main  tain  an  angle  of  attack  somewhat  less  than  that  desired  as  it  attempts  to  compensate  for  this 
pseudo  pitch  rate.  This  results  in  increased  heating  to  the  upper  surface,  which  may  result  in  excessive 
structural  temperatures.  The  actual  thermal  crossrcmge  limit  is  flight  specific.  (Ref.  the  Annex  Flight 
Rule,  TRAJECTORY  AND  GUIDANCE  PARAMETERS.)  ®[07i  494-1621  A]  ®[ED  ] 

5.  SUFFICIENT  GROUND  EQUIPMENT  SUPPORT  INCLUDING 
REDUNDANCY  MUST  BE  PROVIDED  TO  SATISFY  A/G  VOICE, 
TELEMETRY,  TRACKING,  AND  COMMAND  REQUIREMENTS  AND  FULL 
REDUNDANCY  TO  NAVIGATION  AIDS  AS  SPECIFIED  IN  SECTION 
3.  NOTE:  TRACKING  SUPPORT  IS  NOT  SCHEDULED  FOR  THE 
DAILY  PLS  OPPORTUNITY.  IF  A  PLS  IS  REQUIRED,  TRACKING 
SUPPORT  WILL  BE  ON  A  "BEST  EFFORT"  BASIS. 
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A4-110  AIMPOINT,  EVALUATION  VELOCITY,  AND  SHORT  FIELD 

SELECTION 


A.  AIMPOINT  SELECTION  -  AIMPOINT  EVALUATION  WILL  ASSUME  AUTO 

SPEEDBRAKE  AND  WILL  NOT  MODEL  ANY  MANUAL  PROCEDURES  DESIGNED 

TO  INCREASE  TOUCHDOWN  DISTANCE.  @[072795-1 788B] 

1.  IF  THE  PREDICTED  TOUCHDOWN  POINT  USING  THE  NOMINAL 
AIMPOINT  IS  <  1000  FEET  PAST  THE  RUNWAY  THRESHOLD,  THEN 
THE  CLOSE-IN  AIMPOINT  WILL  BE  SELECTED. 

2.  IF  THE  PREDICTED  TOUCHDOWN  POINT  IS  <  1000  FEET  PAST  THE 
RUNWAY  THRESHOLD  FOR  BOTH  THE  NOMINAL  AND  CLOSE-IN 
AIMPOINTS,  THE  RUNWAY  IS  NO-GO.  FOR  DAYLIGHT  LAKEBED 
LANDINGS  ONLY,  IF  AFTER  APPLYING  ALL  TECHNIQUES  (CLOSE-IN 
AIMPOINT,  ALTERNATE  RUNWAY)  THE  PREDICTED  TOUCHDOWN  POINT 
IS  STILL  <  1000  FEET,  CONSIDERATION  SHALL  BE  GIVEN  TO 
RELAXING  THE  1000-FOOT  CONSTRAINT  RATHER  THAN  DELAYING 
DEORBIT  OR  SELECTING  AN  ALTERNATE  LANDING  SITE. 

3.  FOR  RTLS  WITH  LIGHT  RAIN  SHOWERS  IN  THE  APPROACH  CORRIDOR 
(RULE  { A2-1C}  .  4,  PRELAUNCH  GO/NO-GO  REQUIREMENTS),  IF  THE 
PREDICTED  TOUCHDOWN  POINT  IS  <  2000  FEET  PAST  THE  RUNWAY 
THRESHOLD  FOR  BOTH  NOMINAL  AND  CLOSE-IN  AIMPOINTS,  THE 
RUNWAY  IS  NO-GO.  ®[ED  ] 

NOTE:  MANUAL  SPEEDBRAKE  RETRACTION  AT  3000  FEET  AGL  MAY  BE 

CONSIDERED  TO  ACHIEVE  THE  2000-FOOT  MINIMUM  TOUCHDOWN  ENERGY. 

@[0201 96-1 808A] 

This  rule  is  designed  as  a  planning  guide  and  represents  crew  and  flight  controller  inputs  developed  over 
many  flights.  All  of  these  criteria  were  discussed  at  Flight  Techniques  and  other  meetings. 

A  TD  point  1000 feet  from  the  runway  threshold  was  selected  to  accommodate  variations  in  actual  TD 
point  from  prelanding  predictions  due  to  off-nominal  EAS,  landing  gear  deploy  altitude,  and  deviations 
from  the  forecast  wind  profile.  With  the  increased  margins  available  on  a  lakebed  runway,  the  risks  of 
landing  closer  to  the  threshold  are  significan  tly  reduced.  Therefore,  engineering  judgmen  t  may  be  used 
to  accept  a  TD  point  of  less  than  1000 feet  in  order  to  avoid  an  otherwise  NO-GO  situation  on  a  lakebed 
runway  if  no  increased  risk  is  identified.  Factors  involved  in  making  this  assessment  include  visibility 
restrictions,  underrun  characteristics  (hardness,  surface  conditions,  obstructions,  etc.),  the  availability 
of  landing  aids,  wind  persistence  predictions,  and  pilot  (e.g.,  ST  A)  judgment  and  recommendations.  Due 
to  visibility  restrictions  at  night,  however,  the  1000-foot  criterion  always  applies  to  night  landings  on 
lakebed  runways. 
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A4-110  AIMPOINT,  EVALUATION  VELOCITY,  AND  SHORT  FIELD 

SELECTION  (CONTINUED) 


There  are  two  aimpoints  used  to  locate  the  base  of  the  outer  glide  slope,  one  at  7500 feet  from  the 
threshold  (nominal)  and  one  at  6500 feet  from  the  threshold  (close-in).  Aimpoint  selection  is  based  on 
an  evaluation  of  the  predicted  TD  point  and  speedbrake  setting  using  current  and  forecast  winds,  density 
altitude,  and  orbiter  weight.  The  descent  design  sy stern  (DDS)  and  the  Approach  and  Landing  Plan 
(ALP)  processor  are  used  to  compute  these  parameters.  ©[072795-1788B] 

Tile  damage  due  to  showers  encoun  tered  during  fly  back  could  result  in  a  loss  of  up  to  1000 feet  of 
touchdown  distance.  Typical  touchdown  distances  carry  adequate  margin  to  protect  this  type  of  energy 
loss.  A  dispersed  entry  that  is  flown  through  a  shower  on  a  day  that  predicted  touchdown  conditions  are 
at  the  limits  specified  in  Rule  {A4-110},  AIMPOINT  EVALUATION  VELOCITY,  AND  SHORT  FIELD 
SELECTION,  could  result  in  a  vehicle  touchdown  on  the  edge  of  the  underrun.  The  touchdown  distance 
is  increased  for  RTLS  to  handle  the  tile  damage  combined  with  the  other  dispersions.  ®[0201 96-1 808A] 
@[062801 -4307C] 

4.  IF  THE  PREDICTED  SPEEDBRAKE  RETRACT  CALCULATION 

INDICATES  THAT  THE  SPEEDBRAKE  WILL  BE  COMMANDED  CLOSED 
(15  PERCENT)  AT  BOTH  3000  FEET  AGL  AND  500  FEET  AGL 
USING  THE  NOMINAL  AIMPOINT,  THEN  THE  CLOSE-IN  AIMPOINT 
MAY  BE  SELECTED  TO  ACHIEVE  A  PREDICTED  TOUCHDOWN  POINT 
CLOSER  TO  THE  GUIDANCE  TARGET  (NOMINALLY  2500  FEET)  AND 
POSSIBLY  GAIN  ADDITIONAL  SPEEDBRAKE,  PROVIDED  THAT 
ROLLOUT  MARGIN  AND  BRAKE  ENERGY  CONSTRAINTS  (REF.  RULE 
{ A4 -1 0  8 } ,  TIRE  SPEED,  BRAKING,  AND  ROLLOUT  REQUIREMENTS) 
ARE  STILL  SATISFIED.  @[072795-1 788B]  @[0201 96-1 808A]  @[101096-4210] 

Approach  and  landing  guidance  was  designed  to  control  the  orbiter’ s  TD  energy  state  by  modulating 
the  speedbrake.  Using  the  speedbrake  retract  I-loads,  guidance  will  command  a  speedbrake  position 
that  should  result  in  a  targeted  energy  state  at  TD  of  195  knots  EAS  (205  KEAS  heavyweight)  at  2500 
feet  past  the  runway  threshold.  At  3000 feet  AGL,  if  guidance  predicts  that  the  TD  energy  state  will  be 
less  than  that  targeted,  the  speedbrake  will  be  commanded  fully  closed.  In  this  case,  selecting  the  close- 
in  aimpoin  t  will  provide  an  additional  1000 feet  of  energy  margin  at  TD  and  may  result  in  carrying  a 
small  amoun  t  of  speedbrake  for  energy  con  trol.  The  preference  for  open  speedbrake  and  touchdown  as 
close  as  possible  to  the  2500 foot  guidance  target  does  not  preclude  considering  either  aimpoint  for 
other  reasons,  such  as  conditions  which  result  in  a  different  aimpoint  recommendation  from  the  STA. 
Rollout  margin  and  brake  energy  requirements,  as  specified  in  Rule  {A4-108},  TIRE  SPEED, 

BRAKING,  AND  ROLLOUT  REQUIREMENTS,  must  still  be  satisfied  after  selection  of  the  close-in 
aimpoint.  If  selection  of  the  close-in  aimpoin  t  results  in  violation  of  these  criteria,  the  nominal 
aimpoint  will  be  used.  @[101096-4210  ] 
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A4-111  RUNWAY  ACCEPTABILITY  CONDITIONS 

A.  THE  FOLLOWING  CONDITIONS  WILL  NO-GO  USE  OF  ANY  EOM  OR  INTACT 
ABORT  RUNWAY  TO  WHICH  THEY  APPLY.  CONDITIONS  ARE  ASSESSED 
OVER  THE  ENTIRE  SURFACE  OF  THE  RUNWAY.  ®[1 11 094-1 622B]  @[062702-51 49C] 

1.  ALL  RUNWAYS  (GROOVED,  UNGROOVED,  LAKEBED) : 

STRUCTURAL  FAILURES  (BREAKTHROUGH,  POTHOLE,  FISSURE), 
STANDING  WATER,  SNOW,  OR  ICE 

2 .  UNGROOVED  RUNWAYS : 

VISIBLE  MOISTURE 

3.  LAKEBEDS: 

WET  OR  SLUSHY  SURFACE  MATERIAL 

THE  FOLLOWING  CHART  CATEGORIZES  THE  APPROVED  EOM  AND  INTACT  ABORT 
RUNWAYS : 


RUNWAY 

SURFACE 

KSC 

GROOVED 

EDW22/04 

UNGROOVED 

MRN 

UNGROOVED 

BEN 

UNGROOVED 

ZZA 

GROOVED 

NOR 

LAKEBED 

@[062702-51 49C]  ®[ED  ] 
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A4-111  RUNWAY  ACCEPTABILITY  CONDITIONS  (CONTINUED) 

a.  Due  to  the  large  load  bearing  requirements  of  the  orbiter,  structural  failures  are  not  acceptable  on 
any  runway  surface.  Fissures  or  cracks,  which  may  lead  to  or  be  evidence  of  structural  failures,  are 
not  allowable.  Potholes  are  not  acceptable  owing  to  the  possibility  of  tire  or  strut  damage  caused 
by  impact.  Standing  water,  snow  or  ice  on  any  runway  surface  may  result  in  hydroplaning,  loss  of 
traction,  and  loss  of  brake  effectiveness.  @[062702-51 49C] 

Grooves  on  a  runway  are  designed  to  provide  drainage  of  water  from  the  runway  surface.  Flooding 
occurs  when  the  water  cannot  be  shed  quickly  enough  and  the  grooves  fill.  Any  depth  of  water 
above  this  point  is  defined  as  standing  water  (depth  of  water  above  the  run  way  surface,  not 
including  groove  depth).  The  Shuttle  Landing  Facility  at  KSC  is  considered  grooved  although  the 
3500 feet  at  each  end  of  the  runway  are  ungrooved  and  treated  with  a  Skidabrader™  Shotpeening 
Process.  The  A/E  FTP#  176  members  concluded  that  the  effects  of  landing  in  the  ungrooved  region 
and/or  rolling  across  the  grooved/ungrooved  transition  zones  on  a  wet  KSC  runway  (grooves  not 
flooded )  were  not  significant  enough  to  alter  the  desired  landing  profile.  These  conclusions  were 
based  on  LRC  tire  track  testing,  SES  evaluations,  and  the  assumption  that  significant  lateral 
excursions  could  not  occur  since  the  time  spent  in  the  ungrooved  region  at  high  speeds  was  of  a  very 
short  duration  and  occurred  with  light  main  gear  loading. 

b.  Visible  moisture  on  an  ungrooved  concrete  runway  may  also  result  in  a  loss  of  lateral  directional 
control.  The  orbiter  MEG  tires  can  lose  up  to  75  percent  of  the  dry  friction  value  at  high  speeds  on 
a  wet  ungrooved  runway.  Ref  A/E  FTP  # 1 76. 

c.  Wet,  slushy  Icikebed  surface  materials  thrown  up  during  landing  and  roll  out  can  result  in  orbiter 
damage.  Reference  Entry  FTP  #42  and  A/E  FTP  #1 76. 

B.  FOR  EMERGENCY  LANDINGS,  THE  CONDITIONS  IN  PARAGRAPH  A  WILL  BE 
CONSIDERED  IN  RUNWAY  SELECTION  IF  MORE  THAN  ONE  SITE  IS 
AVAILABLE . 

Con  tingen  cy  aborts  (e.g.,  ECAL,  emergency  deorbit )  do  not  require  the  same  level  of  dispersion 
protection  as  NEOM  or  Intact  Abort  landings.  In  addition,  emergency  landings  typically  only  have 
capability  to  one  site,  so  runway  NO-GO  criteria  are  not  appropriate.  In  the  event  overlapping  coverage 
does  exist  (e.g.,  ECAL),  runway  condition  should  be  considered  when  selecting  the  landing  site. 
Emergency  landings  include,  but  are  not  limited  to,  ACLS,  ECAL,  and  ELS  sites.  Ref  A/E  FTP  #176. 
@[062702-51 49C]  ®[1 02402-5804C] 

Rules  (A2-1J,  PRELAUNCH  GO/NO-GO  REQUIREMENTS;  (A2-2J,  ABORT  LANDING  SITE 
REQUIREMENTS;  {A2-103},  EXTENSION  DAY  REQUIREMENTS;  and  {A4-107},  PLS/EOM 
LANDING  OPPORTUNITY  REQUIREMENTS,  reference  this  rule.  ®[111094-1622B] 
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A4-112  UPPER  AND  LOWER  LEVEL  MEASURED  WIND  AND 

ATMOSPHERIC  DATA  @[062801-4423] 

A.  UPPER  LEVEL  WINDS 

UPPER  LEVEL  MEASURED  WINDS  (HAC  ACQUISITION  TO  10K  FEET)  ARE 
USED  TO  ASSESS  HAC  SELECTION  OPTIONS  AND  TRANSITION  TO 
APPROACH  AND  LANDING  GUIDANCE. 

PREDEORBIT:  A  SOURCE  FOR  ACCURATE  UPPER  LEVEL  MEASURED 
WINDS  IS  HIGHLY  DESIRABLE  FOR  EOM .  IT  IS  HIGHLY 
DESIRABLE  THAT  THE  SOURCE  ENCOMPASS  ALTITUDES  FROM  HAC 
ACQUISITION  AND  BELOW  FOR  THE  HAC  SELECTION  ASSESSMENT 
AND  IT  IS  OBTAINED  NO  MORE  THAN  6.5  HOURS  FROM  TOUCHDOWN. 

B.  LOW  LEVEL  WINDS  @[111 094-1 622B] 

LOWER  LEVEL  MEASURED  WINDS  (0  TO  10K  FEET)  ARE  USED  TO  ASSESS 
TOUCHDOWN,  ROLL  OUT,  AND  BRAKE  ENERGY  CONDITIONS  IN  ORDER  TO 
SUPPORT  COMMIT  TO  LAUNCH  OR  DEORBIT  DECISIONS. 

1.  PRELAUNCH:  A  SOURCE  FOR  ACCURATE  LOWER  LEVEL  MEASURED 
WINDS  IS  MANDATORY  FOR  RTLS ,  TAL  AND  AOA(IF  REQUIRED) 

WITH  THE  FOLLOWING  EXCEPTIONS:  @[0201 96-1 799A] 

IF  A  SOURCE  FOR  LOWER  LEVEL  WINDS  IS  NOT  AVAILABLE  AT 
BEN  GUERIR,  BEN  36  WITH  CLOSE-IN  AIMPOINT  WILL  BE  USED 
UNLESS  UNUSUAL  WIND  CONDITIONS  ARE  SUSPECTED. 

2.  PREDEORBIT:  A  SOURCE  FOR  ACCURATE  LOW  LEVEL  MEASURED 
WINDS  IS  MANDATORY  FOR  FD1  OR  FD2  PLS,  NEXT  PLS,  AND  EOM. 
IT  IS  HIGHLY  DESIRABLE  THAT  THE  SOURCE  FOR  LOWER  LEVEL 
WINDS  IS  OBTAINED  NO  MORE  THAN  4.5  HOURS  FROM  TOUCHDOWN. 

NOTE:  FOR  AOA  OR  FD1  PLS  TO  NORTHRUP,  STANDARD  BALLOON  DATA  IS 

NOT  AVAILABLE.  FOR  THESE  CASES,  THE  WIND  PROFILERS  DATA 
(IF  AVAILABLE)  AND  FORECAST  WINDS  WITH  THE  62  STANDARD 
ATMOSPHERE  WILL  BE  USED  FOR  TOUCHDOWN  AND  ROLLOUT 
ANALYSIS.  @[0201 96-1 799A] 

C.  ATMOSPHERIC  CONDITIONS  @[062801-4423] 
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A4-202  DEORBIT  BURN  COMPLETION 

THE  FOLLOWING  TECHNIQUES,  IN  ORDER  OF  PRIORITY,  WILL  BE  UTILIZED 
IN  THE  EVENT  OF  DELTA  V  DEFICIENCY  AT  OMS  CUTOFF  FOR  THE  DEORBIT 
MANEUVER . 

A.  TRIM  WITH  THE  ARCS,  NOT  TO  EXCEED  ARCS  QUANTITY  1. 

B.  TRIM  WITH  THE  FORWARD  RCS  TO  DEPLETION. 

C.  PREBANK  TO  THE  REDESIGNATION  CONTINGENCY  LIMIT  FOR  THE  PRIME 
LANDING  SITE  (PROTECTS  THERMAL  CONSTRAINT  OR  NO  GREATER  THAN 
135-DEGREE  PREBANK) . 

D.  REDESIGNATE  TO  THE  BACKUP  SITE  (IF  AVAILABLE)  WITH  PREBANK  TO 
THE  REDESIGNATION  CONTINGENCY  LIMIT  (NORTHRUP  FOR  EDWARDS 
PLS )  . 

E.  TRIM  WITH  THE  AFT  RCS,  NOT  TO  EXCEED  ARCS  QUANTITY  2. 

F.  PREBANK  AS  REQUIRED  UP  TO  180  DEGREES. 

This  rule  was  developed  in  various  working  group  meetings  to  define  the  procedures  for  completing  the 
deorbit  burn  after  all  OMS  downmode  options  have  been  exercised  and  ARCS  fuel  to  the  ARCS  entry 
redline  has  been  used.  The  deorbit  burn  completion  cue  cards  incorporate  the  techniques,  according  to 
the  defined  priorities. 

ARCS  propellant  is  budgeted,  including  entry  DTO’s,  PTI’s,  etc.,  in  option  A  for  burn  completion.  If  the 
targets  can  be  accomplished  using  the  fuel  down  to  ARCS  quantity  1,  the  vehicle  integrity  and  crew 
safety  have  not  been  compromised.  This  ARCS  option  is  preferred  to  the  FRCS  because  no  large  attitude 
change  is  required,  nor  is  the  execution  of  the  more  complicated  FRCS  burn  procedure  required. 

Option  B  is  trimming  with  the  FRCS.  This  propellant,  if  not  used  for  trimming  the  bum,  is  either 
dumped  prior  to  entry  or  maintained  for  ballast.  Use  of  the  FRCS  fuel  is  preferred  over  an  equivalent 
prebank.  The  thermal  effects  of  the  prebank  are  considered  more  severe  than  execu  tion  of  the  FRCS  trim 
procedures. 

Options  C  and  D  incorporate  use  of  the  prebank  to  obtain  atmospheric  capture  while  maintaining  ARCS 
quan  tity  1  fuel.  Use  of  the  prebank  stresses  the  TPS.  Option  C  limits  the  prebank  to  the  redesignation  limit 
while  maintaining  the  capability  to  land  at  the  prime  site.  The  redesignation  limit  will  not  be  greater  than 
135  degrees  of  prebank,  or  exceedance  of  a  thermal  limit  based  on  35  mission  wing  leading  edge  reuse 
temperature  constraint  (TBD  degrees  F).  Current  analysis  tools  use  a  simplified  thermal  model  which 
overpredicts  wing  leading  edge  temperature  by  150  degrees  F.  For  analysis  purposes,  the  wing  leading  edge 
thermal  limit  will  be  2950  degrees  F.  Option  D  calls  for  a  prebank  to  the  redesignation  limit  to  the  backup 
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A4-202  DEORBIT  BURN  COMPLETION  (CONTINUED) 

landing  site  (if  available).  Vehicle  turnaround  may  be  lengthened  due  to  the  lack  of  postlanding  support  at 
the  backup  landing  site.  The  computations  ofL  OMS  Hp,  R  OMS  Hp,  PRI  Hp,  and  B/U  Hp  will  assume  the 
delta  Hp  due  to  prebank  to  the  redesignation  limit,  regardless  of  whether  a  backup  site  is  available  or  not. 

Option  E  uses  fuel  below  the  ARCS  entry  redline,  down  to  ARCS  quantity  2.  This  provides  enough  fuel 
for  attitude  control  to  Q-bar  -  20  psf  After  Q-bar  =  20,  aerodynamic  control  is  possible  but  risky 
without  the  yaw  jets.  NO  YAW  JET  is  now  a  certified  entry  mode. 

The  last  option  calls  for  using  prebank  between  the  redesignation  limit  up  to  the  maximum  of  180  degrees. 
This  is  the  last  resort  since  the  use  of  maximum  prebank  and  no  yaw  jet  control  after  Q-bar  =  20  psf 
indicate  that  the  capability  to  reach  the  landing  site,  vehicle  stability,  TPS  integrity,  and  crew  safety  are 
being  compromised.  Presenting  this  prebank  ( from  the  redesignation  limit  to  180  degrees)  as  the  very  last 
option  also  provides  some  margin  in  case  the  FRCS  burn  does  not  provide  the  delta  V predicted. 


A4-203  ENTRY  NAVIGATION  UPDATE  PHILOSOPHY  @[072601 -4530B] 

A.  GPS  WILL  BE  USED  TO  CORRECT  ONBOARD  NAVIGATION  ERRORS  THAT 
EXCEED  FLIGHT  RULE  LIMITS  (REF  RULES  {A4-204},  DELTA  STATE 
POSITION  UPDATES,  AND  {A4-205},  DELTA  STATE  VELOCITY  UPDATES) 
WHEN  GPS  IS  VERIFIED  TO  BE  FUNCTIONING  PROPERLY  AND  THE 
FOLLOWING  CRITERIA  ARE  SATISFIED:  @[062702-5439] 

1.  GPS  VERSUS  GROUND  FILTER  UVW  POSITION  DIFFERENCES  ?  3000 
FEET  FOR  EACH  COMPONENT  ABOVE  130  KFT  ALTITUDE  AND  ?  1000 
FEET  FOR  EACH  COMPONENT  BELOW  130  KFT  ALTITUDE. 

2.  GPS  COMPUTED  VERSUS  ACTUAL  TACAN  RANGE  DIFFERENCES  ?  0.5 
NM  FOR  TACAN  STATIONS  OPERATING  WITHIN  ACCEPTABLE  LIMITS 
(REF  RULE  {A8-52B}.2,  SENSOR  FAILURES). 

THE  GROUND  DELTA  STATE  PROCESSOR  WILL  BE  USED  AS  A  SECOND 
PRIORITY  TO  CORRECT  ONBOARD  NAVIGATION  ERRORS.  @[062702-5439] 

THIS  RULE  CONTINUED  ON  NEXT  PAGE 
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A4-203  ENTRY  NAVIGATION  UPDATE  PHILOSOPHY  (CONTINUED) 

A  GPS  update  or  a  delta  state  update  will  be  performed  to  correct  onboard  state  vector  errors  that 
exceed  flight  rule  limits.  The  ground  delta  state  update  process  assumes  the  following:  the  ground 
Kalman  filter  solution  is  valid  (reference  Rule  { A4-51J ,  KALMAN  FILTER  SOLUTION ),  state  vector 
errors  are  linear  with  time,  velocity  errors  are  constant,  ground  and  onboard  runways  agree,  and  the 
onboard  navigation  update  time  will  be  close  to  the  predicted  update  time.  Ncivaid  inhibits  are  required 
for  velocity  delta  state  updates  and  navigation  corrections  after  HAC  intercept.  After  a  delta  state 
update  is  performed,  it  is  possible  that  the  remaining  onboard  navigation  errors  would  have  to  be 
corrected  with  cm  additional  delta  state  update.  The  use  of  GPS  to  correct  onboard  navigation  errors  is 
preferred  over  the  delta  state  update  process  as  long  as  GPS  is  verified  to  be  functioning  properly  (no 
hardware  problems  or  commfaults,  low  FOM,  tracking  four  satellites).  Caution  should  be  taken  when 
using  GPS  state  vectors  with  FOM’s  >5  (650 feet  position  error  one  sigma )  since  the  estimated  position 
error  increases  rapidly  with  higher  FOM  values.  If  GPS  receiver  performance  has  been  good,  the 
decision  to  perform  a  GPS  update  instead  of  a  delta  state  update  is  made  based  on  state  vector 
differences  between  GPS  and  the  ground  filter.  The  criteria  for  acceptable  UVW  position  differences 
were  discussed  at  the  AEFTP  # 182  on  February  15,  2002  and  were  established  based  on:  1 )  the  amount 
of  onboard  navigation  error  correction  and  associated  delta  state  update  accuracy,  2)  ground  filter 
errors  at  initial  low  elevation  tracking  angles,  3)  onboard  Ncivaid  processing  and  guidance  capability 
after  a  biased  GPS  state  vector  update,  and  4)  the  desire  to  have  a  simple  two-tier  console  limit 
procedure  which  reflects  the  increased  accuracies  at  lower  altitudes.  Once  the  criteria  for  GPS  versus 
ground  filter  position  differences  have  been  satisfied,  a  direct  verification  that  GPS  is  acceptable  for  the 
update  has  been  performed.  This  is  the  primary  method  for  GPS  state  vector  confirmation.  Ground 
filter  velocity  output  is  very  noisy  throughout  the  entry  period  and  is  therefore  not  used  in  the  criteria  for 
evaluating  the  GPS  vector.  Significant  errors  in  the  GPS  velocity  components  without  a  corresponding 
error  in  the  position  components  or  the  FOM  value  would  be  a  rare  condition.  @[062702-5439  ] 

Another  crosscheck  on  GPS  position  accuracy  is  the  difference  between  GPS  computed  and  actual 
TACAN  range  measurements.  The  MCC  has  a  ground  processor  that  computes  equivalent  TACAN 
measurements  based  on  downlisted  GPS  state  vectors.  If  the  TACAN  ground  station  is  confirmed  to  be 
within  acceptable  limits  (ref.  Rule  (A8-52Bj.2,  SENSOR  FAILURES),  the  difference  between  the  GPS 
computed  and  actual  TACAN  range  measurements  should  not  be  more  than  0.5  nm.  The  0.5  nm  range 
check  accounts  for  small  spec  errors  in  the  GPS  vector  at  the  FOM  =  5  limit  (0.1  nm)  and  for  potential 
spec-level  calibration  errors  in  both  the  TACAN  LRU  (0.1  nm)  and  ground  station  hardware  (0.3  nm). 
Ncivaid  inhibits  are  not  required  before  a  GPS  navigation  update.  Once  GPS  state  vector  accuracy  has 
been  confirmed  with  ground  filter  solutions,  a  GPS  update  would  provide  a  more  accurate  onboard 
navigation  correction  in  a  timelier  manner  compared  to  the  delta  state  update  process.  @[072601 -4530B] 
@[062702-5439  ] 
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A4-203  ENTRY  NAVIGATION  UPDATE  PHILOSOPHY  (CONTINUED) 

B.  GPS  OR  VELOCITY  DELTA  STATE  UPDATES  WILL  REQUIRE  CSS  MODE  TO 
PREVENT  EXCESSIVE  TRANSIENT  MANEUVERS.  @[072601 -4530B] 

If  a  GPS  update  is  incorporated  with  metering  logic  overridden  or  a  total  delta  state  update  is 
incorporated,  the  velocity  corrections  put  a  step  function  into  the  flight  control  system.  The  transients 
caused  by  the  step  function  can  cause  large  maneuvers  which  could  overstress  the  vehicle  or  cause  loss 
of  control.  Going  CSS  when  a  GPS  (with  metering  overridden)  or  velocity  delta  state  update  is 
incorporated  allows  the  crew  to  manually  filter  transients. 

C.  POSITION  DELTA  STATE  UPDATES  OCCURRING  NEAR  TAEM  INTERFACE 
(M  =  5  TO  M  =  2.5  FOR  EOM  AND  AOA  AND  M  =  5  TO  M  =  3.2  FOR 
RTLS )  WILL  REQUIRE  CSS  TO  PREVENT  EXCESSIVE  TRANSIENT 
MANEUVERS . 

Entry  guidance  is  targeted  towards  a  specific  set  of  end  conditions  at  TAEM  in  terface.  For  any  given 
position  error,  the  correction  needed  to  satisfy  the  interface  conditions  grows  as  you  approach  TAEM. 
Going  CSS  for  a  delta  state  update  close  to  TAEM  interface  allows  the  crew  to  filter  the  guidance 
commands  to  keep  from  overstressing  the  vehicle. 

D.  DELTA  STATE  UPDATES  WILL  NORMALLY  NOT  BE  PERFORMED  AFTER  HAC 
ACQUISITION.  HOWEVER,  IF  VISUAL  CONTACT  WITH  THE  RUNWAY 
CANNOT  BE  MAINTAINED  BY  THE  CREW,  GPS  OR  DELTA  STATE  UPDATES 
WILL  BE  CONTINUED  AS  LONG  AS  THE  ONBOARD  STATE  VECTOR  CAN  BE 
IMPROVED . 

After  HAC  intercept,  a  delta  state  update  will  normally  not  be  performed  if  the  crew  has  visual  contact 
with  runway  because  transients  caused  by  a  delta  state  could  prove  distracting.  Also,  the  external  data 
sources  (TACAN,  BARO,  MLS)  would  need  to  be  deselected  in  order  to  allow  the  ground  processor  to 
compute  the  proper  corrections.  A  GPS  update  may  be  performed  after  HAC  intercept  to  cdlow  the  crew 
to  fly  good  guidance  commands.  @[072601 -4530B] 
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A4-204  DELTA  STATE  POSITION  UPDATES 

A.  FOR  POSITION  COMPONENT  EXCEEDANCE,  A  GPS  OR  THREE-COMPONENT 
(POSITION  ONLY)  UPDATE  WILL  BE  EXECUTED  (REF  RULE  {A4-203}, 
ENTRY  NAVIGATION  UPDATE  PHILOSOPHY).  @[072601-4531]  @[062702-5440] 

The  use  of  GPS  to  correct  onboard  navigation  errors  is  preferred  over  the  delta  state  update  process  as 
long  as  GPS  is  verified  to  be  functioning  properly  (no  hardware  problems  or  commfaults,  low  FOM, 
tracking  four  satellites).  Caution  should  be  taken  when  using  GPS  state  vectors  with  FOM’s  >5  (650 feet 
position  error  one  sigma)  since  the  estimated  position  error  increases  rapidly  with  higher  FOM  values. 

B.  POSITION  REQUIREMENTS: 


RTLS 

EOM 

DELTA  POSITION 
(FT) 

DELTA  POSITION 
(FT) 

X  Y  Z 

X  Y  Z 

H  >  100K  FT...  18K  18K  6K 

H  <  100K  FT...  6K  6K  3K 

H  >  130K  FT... 

H  <  130K  FT... 

H  <  90K  FT... 

48 K  48 K  12K 

6K  6K  6K 

6K  6K  3K 

This  rule  con  tains  the  criteria  for  performing  a  position  -only  delta  state  update  to  correct  the  onboard 
navigation  for  both  GRTLS  and  end  of  mission.  The  delta  state  processor  is  a  ground  processor  that 
compares  the  onboard  vector  to  time-correlated  radar  tracking  data  and  outputs  the  deltas  in  runway 
Cartesian  coordinates.  This  data  is  observed  on  the  ground  as  three  components  of  position  and  three 
components  of  velocity.  The  position  update  limits  were  set  in  order  to  meet  guidance  imposed 
navigation  accuracy  requirements  (ref.  STS  81-0366,  appendix  A,  Navigation  Performance 
Requirements).  These  accuracy  requirements  were  identified  to  ensure  auto  guidance  capability  to 
achieve  the  runway  after  correcting  the  onboard  navigation  state.  The  guidance  requirements  are  ramp 
functions  of  altitude,  but  in  order  for  a  ground  operator  to  obser\’e  six  error  components  on  a  constantly 
updating  digital  display  and  compare  them  to  variable  error  limits,  it  was  necessary  to  simplify  the 
update  criteria.  When  the  errors  observed  in  the  onboard  state  exceed  the  limits  defined  in  this  rule,  a 
GPS  or  delta  state  update  is  initiated  on  the  ground.  For  GRTLS,  the  two  tier  set  of  limits  was  chosen 
with  a  breakpoint  at  100,000 feet  altitude,  since  it  is  desired  to  remove  state  errors  before  TAEM 
in  itiation.  The  limits  above  100,000 feet  altitude  are  tighter  than  for  EOM,  since  there  is  little  ranging 
control  exercised  in  GRTLS  until  TAEM,  which  is  initiated  at  M=3.2  or  around  92,000 feet  altitude.  For 
EOM,  the  guidance  requirements  dictate  that  the  errors  be  under  control  and  decreasing  with  altitude  by 
around  130,000 feet,  the  point  at  which  TACAN’s  are  usually  incorporated  into  the  onboard  navigation 
state.  Therefore,  this  point  was  chosen  as  the  breakpoint  for  the  EOM  three-tier  update  criteria. 
@[072601-4531  ] 
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VOLUME  A  11/21/02  FINAL,  PCN-1  TRAJECTORY  AND  GUIDANCE  4-112 

Verify  that  this  is  the  correct  version  before  use. 


NASA  -  JOHNSON  SPACE  CENTER 


FLIGHT  RULES 


A4-204  DELTA  STATE  POSITION  UPDATES  (CONTINUED) 

The  third  tier  was  added  for  EOM  to  allow  a  further  breakdown  of  allowable  altitude  error.  Instead  of  a 
delta-Z  limit  of  3k  feet  at  an  altitude  of  130,000 feet,  a  6k-foot  error  is  permitted  between  130,000  and 
90,000 feet,  and  then  the  3k  limit  applies  below  90,000 feet  altitude.  This  additional  limit  may  preclude 
the  likelihood  of  an  unnecessary  delta  state  update  to  correct  a  delta-Z  error  that  could  be  reduced  by 
the  use  of  DRAG  processing  in  the  more  accurate  lower  region  of  the  onboard  altitude  atmospheric 
model.  TACAN processing  will  not  have  much  effect  on  the  altitude  error  unless  the  orbiter  passes  over 
the  TACAN  ground  station  so  that  the  majority  of  the  range  measurement  is  altitude  rather  than 
downtrack  and  crosstrack. 

Rule  (A4-151J,  IMU  ALIGNMENT,  and  Rule  {A4-206J,  NAVIGATION  FILTER  MANAGEMENT 
AUTO/INHIBIT/FORCE  (AIF),  reference  this  rule. 


A4-205  DELTA  STATE  VELOCITY  UPDATES 

DUE  TO  ONBOARD  DRAG  ALTITUDE  UPDATING,  THE  DELTA  STATE  VELOCITY 
COMPONENTS  ARE  NOT  SUFFICIENTLY  ACCURATE  TO  MONITOR  THE  ONBOARD 
VELOCITY  ERRORS;  THEREFORE,  THE  ONBOARD  VELOCITY  ERRORS  WILL  BE 
EVALUATED  USING  GPS  AND  THE  RADAR  HIGH  SPEED  FILTER  VELOCITY 
ERRORS.  AN  ONBOARD  VELOCITY  UPDATE  WILL  BE  PERFORMED  FOR  A 
VELOCITY  ERROR  >  75  FPS  IN  ANY  COMPONENT.  RADAR  VELOCITY  3  SIGMA 
UNCERTAINTIES  OF  UP  TO  60  FPS  COULD  RESULT  IN  ONBOARD  VELOCITY 
ERRORS  OF  UP  TO  135  FPS  PRIOR  TO  A  GROUND  UPDATE.  IF  ADELTA 
STATE  VELOCITY  UPDATE  IS  REQUIRED,  DRAG  ALTITUDE  UPDATING  WILL  BE 
INHIBITED  TO  ASSURE  VALID  COMPUTATION  OF  PROPAGATED  VELOCITY 
ERRORS,  AND  A  SIX-COMPONENT  UPDATE  (POSITIONS  AND  VELOCITIES) 

WILL  BE  EXECUTED.  GPS  WILL  BE  USED  TO  CORRECT  ONBOARD  VELOCITY 
ERRORS  IF  GPS  IS  VERIFIED  TO  BE  FUNCTIONING  PROPERLY.  NAVAID 
INHIBITS  ARE  NOT  REQUIRED  FOR  A  GPS  UPDATE  (REF  RULE  {A4-203}, 
ENTRY  NAVIGATION  UPDATE  PHILOSOPHY).  @[072601-4532]  @[062702-5441  A] 

THIS  RULE  CONTINUED  ON  NEXT  PAGE 
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A4-205  DELTA  STATE  VELOCITY  UPDATES  (CONTINUED) 

An  update  of  onboard  velocity  will  be  performed  for  velocity  errors  >  75  fps  in  any  runway  component. 
This  number  was  chosen  to  meet  a  flight  control  system  requiremen  t  when  the  FCS  is  using  navigation- 
derived  air  data,  while  at  the  same  time,  considering  the  radar  3 -sigma  velocity  uncertainty  of  60  fps. 
Drag  altitude  updating  of  the  onboard  navigation  must  be  inhibited  prior  to  computing  a  velocity  delta 
state  since  it  corrupts  the  computation  of  velocity  errors  in  the  delta  state  processor.  Two  sets  of  state 
vector  errors  are  available  on  a  ground  display  in  runway  coordinates.  The  output  of  the  high  speed 
radar  filter  is  referred  to  as  local  deltas,  whereas,  the  output  of  the  delta  state  processor  is  referred  to  as 
propagated  deltas.  The  local  deltas  represent  the  current  state  errors.  The  propagated  deltas  represent 
the  expected  state  errors  at  some  time  in  the  future;  these  deltas  are  used  to  generate  a  delta  state 
update.  They  are  computed  assuming  that  the  state  errors  are  linear,  that  the  current  velocity  errors  are 
constant  over  some  short  period  of  time,  and  that  the  update  will  be  applied  at  the  end  of  that  time. 

Since  the  velocity  errors  are  computed  from  changes  in  position,  any  external  update,  such  as  drag 
altitude  updating,  will  mask  the  true  state  error  and  cause  the  velocity  delta  to  be  wrong.  Therefore, 
external  navigation  aids  have  to  be  inhibited  prior  to  computing  a  delta  state  update  involving  velocities. 
Any  time  a  velocity  update  is  required,  a  position  and  velocity  delta  update  will  be  executed,  since 
velocity  errors  will  also  cause  position  errors. 

The  use  of  GPS  to  correct  onboard  navigation  errors  is  preferred  over  the  delta  state  update  process  as 
long  as  GPS  is  verified  to  be  functioning  properly  (no  hardware  problems  or  commfaults,  low  FOM, 
tracking  four  satellites).  Caution  should  be  taken  when  using  GPS  state  vectors  with  FOM’s  >5  (650 feet 
position  error  one  sigma)  since  the  estimated  position  error  increases  rapidly  with  higher  FOM  values. 
The  three-sigma  velocity  accuracy  requirement  for  GPS  is  0.1  meters/sec  for  the  horizontal  and  vertical 
components  when  GPS  is  operating  in  the  Precise  Positioning  Sendee  (PPS)  mode  and  satisfying  the 
assumptions  for  Table  3.4. 1-1  of  the  System  Requiremen  ts  Documen  t  for  Orbiter  GPS  Navigation  System 
(SSD94D0096).  Postflight  analyses  have  confirmed  very  good  GPS  state  vector  accuracies  in  the 
TACAN  processing  region.  Radial,  downtrack,  and  crosstrack  position  and  velocity  differences  between 
GPS  and  the  USA  Navigation  Best  Estimated  Trajectory  (BET)  product  have  been  less  than  200 feet  and 
2  fps,  respectively  the  majority  of  the  time.  Navaid  inhibits  are  not  required  before  a  GPS  navigation 
update.  @[072601  -4532  ] 
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A4-209  AERO  TEST  MANEUVERS 

AERO  TEST  MANEUVERS  WILL  NOT  BE  ATTEMPTED  IF  THE  CROSSRANGE  AT 
ENTRY  INTERFACE  IS  GREATER  THAN  THE  DTO  CROSSRANGE  LIMIT  (REF. 

THE  ANNEX  FLIGHT  RULE,  TRAJECTORY  AND  GUIDANCE  PARAMETERS)  UNTIL 
THE  FIRST  ROLL  REVERSAL  HAS  BEEN  COMPLETED  AND  THE  ORBITER  ENERGY 
STATE  AND  DRAG  PROFILE  ARE  NOMINAL.  VALID  TELEMETRY  IS  REQUIRED 
FOR  EVALUATION  OF  THE  ORBITER  ENERGY  STATE.  ®[ED  ] 

For  the  purposes  of  this  rule,  any  PTI  that  inhibits  entry  guidance  is  considered  an  aero  test  maneuver. 
Since  entry  guidance  is  locked  out,  there  is  no  attempt  to  follow  the  optimal  energy  profile  or  to  respond 
to  roll  reversals.  High  crossrange  at  entry  interface  requires  optimum  bank  angle  and  energy  control  to 
ensure  a  manageable  energy  state  at  TAEM  interface.  If  energy  is  nominal  and  the  orbiter  is  on  the 
nominal  drag  profile,  guidance  will  be  able  to  manage  energy  properly,  even  under  given  dispersions. 
Valid  telemetry  is  needed  to  verify  that  the  energy  and  drag  profiles  are  within  limits. 

Rule  (A2-261J,  ENTRY  DTO. /AUTO  MODE/CROSSWIND  DTO  GO/NO-GO,  references  this  rule. 
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A4-210  EOM  ENTRY  DTP/ RUNWAY  SELECTION  PRIORITIES 

DTO  805,  CROSSWIND  LANDING  PERFORMANCE,  WILL  BE  EXECUTED  AS  A  DTO 
OF  OPPORTUNITY.  DTO  805  WILL  NOT  BE  A  CONSIDERATION  IN  SELECTING 
LANDING  SITES  OR  RUNWAYS.  IF  CROSSWINDS  ARE  OBSERVED  TO  BE  10 
KNOTS  OR  GREATER  AS  THE  ORBITER  APPROACHES  THE  HAC,  DRAG  CHUTE 
DEPLOY  WILL  BE  DELAYED  UNTIL  POST  NOSE  GEAR  TOUCHDOWN  TO 
ACCOMPLISH  DTO  805.  @[022201 -3801  ] 

No  drag  chute,  braking,  or  nose  wheel  DTO’s  are  scheduled.  Drag  chute  deploy  will  be  per  nominal 
flight  rules  (ref  Rules  {A10-143},  DRAG  CHUTE  DEPLOY  TECHNIQUES,  and  {A10-144},  DRAG 
CHUTE  DEPLOY  CONSTRAINTS),  unless  the  crosswind  DTO  is  likely  to  be  performed.  In  this  case, 
drag  chute  deploy  will  be  delayed  until  post  nose  gear  touchdown  to  allow  for  pilot  handling  evaluation 
of  the  orbiter  without  any  complications  that  drag  chute  dynamics  may  induce.  Nominal  touchdown 
speed  is  195  keas  with  derotation  performed  using  the  beep  trim  switch  at  185  keas,  or  manually  (if  beep 
trim  fails)  at  175  keas.  Drag  chute  nominal  deploy  is  immediately  prior  to  the  initiation  of  derotation. 
However,  the  drag  chute  DTO  program  has  cleared  drag  chute  deploy  as  early  as  15  keas  prior  to  the 
initiation  of  derotation.  ®[1 02402-5804C] 

All  ISS  rendezvous  flights  have  a  probability  of  a  night  landing  which  would  mean  that  the  crosswind 
limit  is  12  knots.  Therefore,  DTO  805,  Crosswind  Landing  Performance  Evaluation,  which  requires  a 
crosswind  of  10  knots  or  greater  at  touchdown,  is  not  likely  to  be  achieved.  With  this  small  window  of 
environmental  conditions,  it  is  not  prudent  to  change  landing  sites  (e.g.,  from  KSC  to  EDW)  to  attempt 
DTO  805.  Also,  programmatic  priorities  make  it  highly  desirable  to  land  at  KSC  to  avoid  the  cost  and 
risk  associated  with  ferry  operations.  Since  a  decision  to  change  from  KSC  to  EDW  would  have  to  be 
made  approximately  2  to  4  hours  before  landing,  it  is  unlikely  that  confidence  in  wind  forecasts  would  be 
such  that  landing  at  EDW  solely  to  achieve  DTO  805  is  prudent.  @[022201 -3801  ]  ®[i  02402-5804C] 

A4-211  THROUGH  A4-250  RULES  ARE  RESERVED 
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SECTION  5  -  BOOSTER 


FAILURE  DEFINITIONS 


A5-1  LOSS  OF  SRB  THRUST  VECTOR  CONTROL  (TVC)  @[012402-4987] 

SRB  TVC  IS  LOST  WHEN  THE  HYDRAULIC  SUPPLY  PRESSURES  OF  BOTH  HPU' S 
ON  THE  SAME  SRB  ARE  100  0  PSIG  OR  LESS.  @[0411 96-1 874A] 

The  SRB  TVC  system  has  a  lock-out  style  valve  which  will  actuate  to  the  lock  position  when  the  hydraulic 
supply  pressure  is  1000  to  600  psig.  Two  hydraulic  power  units  (HPU’s)  are  installed  per  SRB ,  and  both 
can  supply  hydraulic  power  to  the  TVC  actuators.  Actuator  source  pressure  is  switched  from  the 
primary  HPU  to  the  secondary  HPU  when  the  hydraulic  supply  pressure  on  a  single  HPU  reaches  2050 
±150  psig.  This  switchover  is  indicated  by  an  Actuator  Primary  Pressure  OK  discrete  value  of  False  and 
it  effectively  loses  one  HPU.  However,  TVC  is  not  lost  until  neither  HPU  can  deliver  hydraulic  supply 
pressure  of  1000  psig  to  the  actuators.  ( Reference  System  Handbook  Drawing  9.14  and  USBI  documents 
10SPC-0055,  rev  B,  section  4.2.2.10,  and  10MNL-0045,  Rev  D).  ®[oi  2402-4987  ] 

Note:  Above  1000  psig,  the  lock-out  valve  opens,  and  TVC  is  still  available.  @[0411 96-1 875A] 

A5-2  SPACE  SHUTTLE  MAIN  ENGINE  OUT  ©[121197-6472A] 

PREMATURE  ENGINE  SHUTDOWN  IS  CAUSED  BY  AN  ENGINE  LIMIT  EXCEEDED, 
DUAL  CONTROLLER  ELECTRONICS  FAILURES,  OR  A  COMBINATION  OF  A  SINGLE 
CHANNEL  LIMIT  EXCEEDED  AND  A  CONTROLLER  ELECTRONIC  FAILURE.  THE 
CUES  FOR  DETERMINING  AN  ENGINE  SHUTDOWN  ARE  DEFINED  IN  PARAGRAPHS 
A,  B,  C,  AND  D  OF  THIS  RULE.  THE  SHUTDOWN  SOFTWARE  LIMITS  ARE 
DEFINED  IN  PARAGRAPH  E.  THE  AVIONIC  FAILURE  COMBINATIONS  ARE 
DEFINED  IN  PARAGRAPH  F. 

ENGINE  OUT  DETERMINATION  WILL  BE  BASED  ON  THE  FOLLOWING  CUES: 

A.  ONBOARD  (WITH  VALID  SSME  DATA) : 

1.  RED  MAIN  ENGINE  STATUS  LIGHT  IS  ILLUMINATED. 

2.  PC  <  30  PERCENT  (METER) 

THIS  RULE  CONTINUED  ON  NEXT  PAGE 
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A5-2  SPACE  SHUTTLE  MAIN  ENGINE  OUT  (CONTINUED) 

3.  SSME  FAIL  L  (C,R) 

Two  cues  are  required  for  calls  that  may  cause  an  abort.  The  MPS  dedicated  display  driver  sequence  in 
the  flight  software  illuminates  the  red  status  light  if  the  SSME  is  in  the  shutdown  or  post-shutdown  phase. 
The  SSME  operations  sequence  in  the  flight  software  uses  power  level  <  30  percent  as  the  indication  that 
the  SSME  has  shut  down.  The  30  percent  value  represents  a  power  level  below  which  the  engine  cannot 
operate.  The  PASS  SSME  fail  message  is  generated  by  the  GAX  when  the  engine  fail  flag  is  set  by  the 
SSME  OPS  sequence.  The  flag  is  set  when  either  the  engine  status  word  shows  shutdown  or  post 
shutdown  phase,  or  a  data  path  failure  has  occurred  and  the  engine  safing  command  flag  has  been  set. 

B.  MCC  (WITH  VALID  SSME  DATA) : 

AT  LEAST  TWO  OF  THE  FOLLOWING  CUES  ARE  REQUIRED: 

1.  SSME  FAILURE  IDENTIFIER  (FID)  "013"  INDICATING  SSME 
SHUTDOWN  FOR  REDLINE  VIOLATION. 

2.  SHUTDOWN  OR  POST-SHUTDOWN  PHASE  (REFLECTED  IN  ENGINE 
STATUS  WORD) . 

3.  PC  <  900  PSIA. 

4.  SSME  FAIL  L  (C,R) 

Two  cues  are  required  for  calls  that  may  cause  an  abort.  A  FID  013  issued  by  the  SSME  controller 
represents  an  engine  shutdown  due  to  a  redline  exceedance.  The  redline  that  was  exceeded  is  defined  by 
the  delimiter  part  of  the  FID.  Shutdown  and  post-shutdown  phases  are  set  in  the  engine  status  word  when 
the  SSME  controller  commands  shutdown.  Pc  of  900  psia  corresponds  to  approximately  30  percent  power 
level.  The  PASS  SSME  fail  message  is  generated  by  the  GAX  when  the  engine  fail  flag  is  set  by  the  SSME 
OPS  sequence.  The  flag  is  set  when  either  the  engine  status  word  shows  shutdown  or  post  shutdown  phase, 
or  a  data  path  failure  has  occurred  and  the  engine  safing  command  flag  has  been  set.  ®[1 21 1 97-6472A] 

C.  ONBOARD  (WITH  SSME  DATA  PATH  FAILURE) : 

AT  LEAST  THREE  OF  THE  FOLLOWING  ARE  REQUIRED: 

1.  G-LEVEL  DECREASE  (ON  DEDICATED  DISPLAY  G-METER  OR  BFS  CRT 
TRAJECTORY  DISPLAY  G-LINE) . 

THIS  RULE  CONTINUED  ON  NEXT  PAGE 
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A5-2  SPACE  SHUTTLE  MAIN  ENGINE  OUT  (CONTINUED) 

2.  A  HELIUM,  DP/DT  FAULT  MESSAGE  FOLLOWED  BY  CONSTANT  ENGINE 
HELIUM  TANK  PRESSURE  (IF  NO  PREVIOUS  FAULT  MESSAGE  FOR  A 
HELIUM  LEAK) . 

3.  MPS  H2  OUT  P  L  (C,R) 

4.  MPS  02  OUT  T  L  (C,R) 

During  second  stage  when  the  first,  second,  and  third  engines  shut  down  in  sequence,  the  g-Ievel  decreases 
by  33,  50,  and  100  percent,  respectively.  During  first  stage,  the  SRB  thrust  far  exceeds  the  SSME  thrust 
making  it  difficult  to  detect  an  engine  shutdown  based  upon  changes  in  vehicle  acceleration.  If  the  engine 
did  not  previously  have  a  helium  leak,  the  crew  will  get  a  helium  DP/DT  fault  message,  followed  by 
constan  t  helium  tank  pressure  on  the  affected  engine.  If  the  tank  pressure  remains  constan  t,  no  helium  is 
being  used  and;  therefore,  the  engine  has  shut  down.  In  01-22  and  subs,  the  crew  will  get  fault  messages 
for  both  the  GH2  outlet  pressure  and  GO2  outlet  temperature  dropping  below  1050  psia  and  125  deg  F, 
respectively.  Because  both  of  these  parameters  are  channelized  through  the  same  OIMDM  and  powered 
from  the  same  01  DSC,  the  two  fault  messages  could  be  generated  by  a  single  MDM  or  DSC  failure.  For 
this  reason,  the  crew  must  use  three  of  the  four  cues  when  determining  an  engine  out  behind  a  data  path 
failure.  @[020196-1812]  ®[1 21 1 97-6472A] 

D.  MCC  (WITH  SSME  DATA  PATH  FAILURE) : 

AT  LEAST  TWO  OF  THE  FOLLOWING  CUES  ARE  REQUIRED: 

1.  A  SUDDEN  DROP  IN  ACCELERATION  OR  THRUST  FACTOR  AS 
DETERMINED  FROM  TELEMETRY  DATA.  (THRUST  FACTOR  AVAILABLE  IN 
SECOND  STAGE  ONLY) . 

2.  ORBITER  GH2  OUTLET  PRESSURE  <  800  (1050)  PSIA  OR  ORBITER 

G02  OUTLET  TEMPERATURE  <260  DEG  (300  DEG)  F. 

3.  A  HELIUM  DP/DT  FAULT  MESSAGE  FOLLOWED  BY  CONSTANT  ENGINE 
HELIUM  TANK  PRESSURE  (IF  NO  PREVIOUS  FAULT  MESSAGE  FOR  A 
HELIUM  LEAK) . 

4.  A  DROP  IN  SECOND  STAGE  PERFORMANCE  AS  DETERMINED  BY  THE  ARD . 
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Two  cues  are  required  for  calls  that  may  cause  an  abort.  For  an  engine  failure  in  second  stage,  an  abrupt 
drop  in  vehicle  acceleration  will  result.  The  GH2  outlet  pressure  and  GO2  outlet  temperature  are  orbiter 
parameters  that  can  be  used  to  determine  the  status  of  cm  engine.  Both  the  GH2  and  GO 2  limits  are  set  to 
correspond  to  cm  engine  power  level  of  approximately  30  percen  t.  This  is  well  below  the  power  level  that 
an  engine  can  operate.  Flight  data  from  STS  51-F  indicates  the  GO2  outlet  temperature  was  <  125  deg  F 
for  about  15  seconds  post  engine  shutdown.  The  GO2  outlet  temperature  did  rise  again  post  shutdown  to  a 
value  of  approximately  300  deg  F.  Since  both  orbiter  parameters  are  channelized  through  the  same  01 
MDM  and  powered  from  the  same  01  DSC,  the  two  are  grouped  together  as  one  engine  out  cue.  If  cm 
engine  did  not  previously  have  a  helium  leak,  the  crew  will  get  a  DP/DT fault  message  while  the  engine 
initiates  shutdown  purges.  Once  the  helium  purges  have  terminated,  the  engine  will  no  longer  use  helium 
and;  therefore,  the  helium  tank  pressure  will  remain  constant.  Thrust  factor  (FT  FACTOR)  is  a  second 
stage  guidance  downlisted  parameter  from  the  vehicle  and  is  calculated  by  dividing  the  expected  thrust  by 
the  calculated  thrust.  If  cm  engine  shuts  down  behind  a  data  path  failure,  the  thrust  factor  will  drop  to  a 
value  less  than  1.0.  If  cm  engine  fails  in  first  stage,  thrust  factor  is  not  available,  but  the  second  stage 
performance  as  determined  by  the  ARD  would  reflect  the  loss  in  performance  from  the  engine  shutdown. 
®[032395-1 765A]  @[020196-1812]  ®[1 21 1 97-6472A] 
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E.  ENGINE  LIMIT  EXCEEDED  AND  SHUTDOWN  SENSOR  FAILURE 
DEFINITIONS : 


PARAMETERS 

(A) 

QUALIFICATION/ 

REASONABLENESS 

TESTING 

L ci 

SHUTDOWN  LIMITS 

(D) 

NOTES 

(B) 

HPFTP  COOLANT 

>4500  PSIA 

PHASE  II,  BLOCK  1,  &  IIA: 

LINER  PRESSURE 

>CNTL  CAL  LIMIT 

SENSORS  A  &  B 

<1800  PSIA 

(PSIA) 

NO  LOWER  LIMIT 

(E) 

HPFT  TURBINE 

A2  (A3,B2,B3)>  2650?  R 

PHASE  II  &  BLOCK  1: 

m 

DISCHTEMP 

A2-A3?>  50?  R  (D/Q  LWR) 

CH  A  >1960?R 

THERMOCOUPLE 

B2-B3?>  50?  R  (D/Q  LWR) 

CH  B  >1960?R 

[3] 

[7] 

SENSORS 

DOWN  TO  1  ON  BOTH/EITHER: 

A2,  A3,  B2  &  B3 

(B  AVG  -  AX)  >150?  R  (D/Q  AX) 

[4] 

[9] 

(?R) 

(A  AVG  -  BX)  >  150?  R  (D/Q  BX) 

BLOCK  IIA  &  BLOCK  II: 

AX-BY?>  150?  R  (D/Q  LWR) 

CH  A  >1 860?R 

[11] 

CH  B  >1860?R 

(F) 

NO  LOWER  LIMIT 

HPOT  TURBINE 

A2  (A3,B2,B3)>  2650?  R 

PHASE  II  &  BLOCK  1: 

[1] 

DISCHTEMP 

A2-A3?>  50?  R  (D/Q  LWR) 

>1 760?R 

THERMOCOUPLE 

B2-B3?>  50?  R  (D/Q  LWR) 

[3] 

[9] 

SENSORS 

DOWN  TO  1  ON  BOTH/EITHER: 

BLOCK  IIA  &  BLOCK  II: 

A2,  A3,  B2  &  B3 

(B  AVG  -  AX)  >150?  R  (D/Q  AX) 

>1 660?R 

[4] 

[11] 

(?R) 

(A  AVG  -  BX)  >  150?  R  (D/Q  BX) 

(G) 

AX-BY?>  150?  R  (D/Q  LWR) 

<720?  R 

HPOTP SECONDARY 

>300  PSIA 

PHASE  II: 

SEAL  PRESSURE 

>100  PSIA 

SENSORS  A  &  B 

<4  PSIA 

(PSIA) 

NO  LOWER  LIMIT 

(W 

ms 

HPOTP  INTERMEDIATE 

>650  PSIA 

NO  UPPER  LIMIT 

Hi 

[5] 

SEAL  PRESSURE 

SENSORS  A  &  B 

<0  PSIA 

PHASE  II: 

[3] 

(PSIA) 

<170  PSIA 

OR 

[4] 

BLOCK  1,  IIA,  &  II: 

(I) 

<159  PSIA 

MCC  PC  SENSOR 

NO  UPPER  LIMIT 

[1] 

[8] 

AVERAGE  SENSORS 

|  BRIDGE  1  -  BRIDGE  2  | 

A  &  B  (PSIA) 

?  125  PSI 

ALL  ENGINE  TYPES: 

[3] 

PC  CHANNEL  AVG 

PC  CHANNEL  AVG  < 

?3500  PSI 

PC  REF -200  PSI 

[4] 

?1000  PSI 

(STEADY  STATE) 

AND 

PC  REF  -  400  PSI 

(DURING  THROTTLING  OR 

_ 

WHEN  ?  75%  RPL) 

@[111094-1732]  @[032395-1 765A]  @[0921 95-1 792B]  @[020196-1812]  ®[121197-6472A] 
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NOTES: 

[1]  MUST  EXCEED  LIMIT  OR  FAIL  REASONABLENESS  FOR  60  MSEC. 

A  parameter  must  be  over  its  redline  or  reasonableness  limit  for  three  consecutive  20  msec  controller 
cycles  before  action  is  taken  by  the  con  troller.  This  requiremen  t  preven  ts  action  from  being  taken  on  a 
data  hit. 

[2]  THE  HPOTP  SECONDARY  SEAL  PRESSURE  REDLINE  IS  ONLY  ACTIVE  ON  THE  PHASE  II  SSME.  THIS  REDLINE  IS 
NOT  PRESENT  ON  THE  BLOCK  I  SSME,  BLOCK  IIA  SSME,  OR  THE  BLOCK  II  SSME.  @[032395-1 765A]  @[121197- 
6472A] 

[3]  SHUTDOWN  FOR  AN  OUT-OF-LIMIT  CONDITION  INITIATED  BY  MAIN  ENGINE  CONTROLLER  IF  LIMIT  ENABLED.  LIMIT 
INHIBIT/ENABLE  OPERATIONS  DEPENDENT  ON  THE  POSITION  OF  THE  MAIN  ENGINE  LIMIT  SHUTDOWN  SWITCH. 

This  indicates  that,  if  the  limit  shutdown  logic  is  enabled,  then  a  redline  violation  will  result  in  an  SSME 
shutdown. 

[4]  IF  ALL  SENSORS  FAIL  REASONABLENESS,  THAT  REDLINE  IS  DELETED.  @[0921 95-1 792B] 


Redline  monitoring  is  no  longer  performed  because  the  redline  sensors  have  failed. 

[5]  THE  HPOTP  INTERMEDIATE  SEAL  PRESSURE  LOWER  REDLINE  IS  170  PSIA  ON  THE  PHASE  II  SSME  AND  IS 
159  PSIA  ON  THE  BLOCK  I  SSME,  BLOCK  IIA  SSME,  AND  THE  BLOCK  II  SSME.  @[032395-1 765A]  @[020196- 
1812] 

[6]  THE  REDLINE  UPPER  LIMIT  IS  CALCULATED  IN  REAL  TIME  BY  CONTROLLER  SOFTWARE  AND  IS  A  FUNCTION  OF 
ENGINE  POWER  LEVEL.  THEREFORE,  THE  LIMITS  AT  67,  1 00,  1 04,  AND  1 09  PERCENT  POWER  LEVELS  ARE 
APPROXIMATELY  2436,  3543,  3677,  AND  3846  PSIA  FOR  A  PHASE  II  SSME,  2447,  3559,  3694,  AND  3862  PSIA  FOR  A 
BLOCK  I  SSME,  AND  2243,  3254,  3392  (@104.5),  AND  3530  PSIA  FOR  A  BLOCK  IIA  SSME,  RESPECTIVELY.  THIS 
REDLINE  HAS  BEEN  DELETED  FOR  THE  BLOCK  II  SSME.  @[111094-1732]  @[0921 95-1 792B]  ©[121197-6472A] 
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The  HPFTP  coolant  liner  pressure  varies  with  actual  chamber  pressure. 


[7]  THIS  REDLINE  MAY  BE  REVISED  ON  A  FLIGHT-BY-FLIGHT  BASIS  TO  ENSURE  COMPARABLE  MARGIN  ON  CHANNEL 
A  AND  CHANNEL  B  BETWEEN  THE  PREDICTED  NOMINAL  VALUE  AND  THE  REDLINE  VALUE.  IF  A  CHANNEL  A  TO  B 
BIAS  IS  ADDED,  THEN  THIS  BIAS  IS  CARRIED  OVER  INTO  THE  REASONABLENESS  CALCULATIONS  FOR  THE 
INTERCHANNEL  CHECKS.  @[0921 95-1 792B] 


Some  flight  SSME  HPFTP’s  may  operate  at  a  lower  temperature.  Engines  with  these  turbopumps  may 
have  their  channel  A  redline  adjusted  downward  to  provide  the  same  100  deg  R  difference  between  the 
main  stage  operating  temperature  and  the  redline  as  present  on  other  HPFTP’s.  ®[1 11094-1732  ] 


[8]  THE  INTRACHANNEL  CHECK  AND  THE  CHANNEL  AVERAGE  MUST  BE  WITHIN  THE  SPECIFIED  LIMITS  IN  ORDER 
TO  BE  PROCESSED  BY  THE  CONTROLLER'S  SHUTDOWN  LIMIT  LOGIC.  THESE  REASONABLENESS  CHECKS  ARE 
IN  ADDITION  TO  THE  NORMAL  SENSOR  MONITORING  PERFORMED  FOR  IGNITION  CONFIRMED  AND  CONTROL 
LOOP  PROCESSING  QUALIFICATION. 


The  MCC  Pc  channels  will  be  disqualified  for  control  purposes  for  an  intrachcmnel  difference  of  greater 
than  75  psi.  The  MCC  Pc  redline  logic  incorporates  two  reasonableness  criteria  to  ensure  that  only 
valid  pressures  will  be  used. 

[9]  THE  LOGIC  FOR  THE  HPFT  AND  THE  HPOT  DISCHARGE  TEMPERATURE  WAS  MODIFIED  BY  THE 

IMPLEMENTATION  OF  THE  THERMOCOUPLES.  THE  THERMOCOUPLE  MODIFICATION  UTILIZES  TWO  SENSORS 
PER  CHANNEL  FOR  A  TOTAL  OF  FOUR  SENSORS  PER  REDLINE.  @[0921 95-1 782B]  @[0921 95-1 782B] 


The  sensor  processing  logic  was  modified  to  accommodate  the  different  failure  modes  for  the 
thermocouple  sensors  (versus  the  previous  resistive  thermal  devices-RTD’s)  and  to  handle  the  additional 
number  of  sensors.  The  additional  sensors  were  added  to  increase  reliability  against  sensor  failures 
resulting  in  pad  aborts,  erroneous  in-flight  shutdown,  or  the  loss  of  redline  protection.  ©[121197-6472A] 

[10]  THE  HPFTP  COOLANT  LINER  PRESSURE  REDLINE  IS  ONLY  AVAILABLE  FOR  THE  PHASE  II,  BLOCK  I,  AND  BLOCK 
IIA  ENGINE  TYPES.  ®[1 21 1 97-6472A] 


The  Block  II  SSME  uses  a  Pratt  &  Whitney  HPFTP/AT  which  does  not  have  a  coolant  liner. 

[11]  A  COLD  JUNCTION  REFERENCE  TEMPERATURE  (TCj)  IS  PROVIDED  FOR  EACH  CONTROLLER  CHANNEL  TO 

PROCESS  THE  HOT  GAS  THERMOCOUPLE  SENSOR  DATA.  THE  TCJ  IS  USED  TO  CALIBRATE  THE  TEMPERATURE 
MEASUREMENT  INPUT.  EACH  CHANNEL  HAS  A  SINGLE  RTD  TCJ  WHICH  IS  USED  FOR  BOTH  THE  HPOT  AND  HPFT 
TEMPERATURE  MEASUREMENTS.  IF  ONE  CHANNEL'S  TCJ  IS  DISQUALIFIED,  THE  OTHER  CHANNEL'S  TCJ  WILL  BE 
USED  FOR  BOTH  CHANNELS.  IF  BOTH  TCJ  S  ARE  DISQUALIFIED,  THE  LAST  QUALIFIED  VALUE  WILL  BE  USED  FOR 
SENSOR  PROCESSING. 


Thermocouple  measurements  require  a  cold  junction  reference  temperature  to  provide  accurate 
readings.  The  controller  and  its  software  was  modified  to  accommodate  the  addition  of  these  two 
transducers,  which  are  required  for  use  with  the  thermocouples. 
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a.  PARAMETERS  -  This  table  covers  parameters  which  the  SSME  controller  qualifies,  monitors,  and 
uses  to  shut  down  the  engine. 

b.  CONTROLLER  SHUTDOWN  PROCESSING  -  All  qualified  sensors  must  vote  for  shutdown  for 
action  to  proceed.  ®[092i  95-1 792B] 

c.  QUALIFICATION/REASONABLENESS  TESTING  -  Qualification,  also  known  as  reasonableness 
testing,  is  required  to  qualify  the  sensors  for  application  to  shu  tdown  logic.  The  values  chosen 
screen  out  sensors  with  identified  sensor  problems.  ®[1 21 1 97-6472A] 

d.  SHUTDOWN  LIMITS  -  Redline  parameters  are  monitored  to  assure  that  the  engine  is  performing 
within  safe  operating  conditions.  Limits  are  set  to  guard  against  uncontained  SSME  damage.  The 
limits  are  based  upon  test  stand  data,  flight  experience,  and  engineering  analysis.  The  engine 
redline  design  criteria  was  defined  by  MSFC  and  approved  by  Level  II. 

e.  HPFTP  COOLANT  LINER  PRESSURE  ®[092195-1792B] 

Phase  II,  Block  I,  and  Block  IIA  SSME’s  -  The  redline  limit  was  selected  to  prevent  buckling  of  the 
coolant  liner  and  subsequent  stalling  of  the  HPFTP.  This  limit  was  derived  from  an  uncontained 
failure  of  SSME  0108  during  a  ground  test.  The  exhaust  turnaround  duct  buckled,  the  HPFTP 
stalled,  and  the  low  pressure  fuel  duct  ruptured.  Based  upon  this  incident  and  analysis,  the 
buckling  pressure  has  been  determined  to  be  595  psid  with  the  delta  pressure  being  measured 
between  the  coolan  t  liner  cavity  and  the  turnaround  duct.  The  redline  was  set  to  protect  for  a  delta 
pressure  of 400  psi  and  has  been  verified  by  lab  tests.  The  reasonableness  limits  of 4500  and  1800 
psi  were  established  because  they  bracket  the  sensor  range. 

f.  HPFT  TURBINE  DISCHARGE  TEMPERATURE  ®[092i  95-1 792B] 

The  limit  was  derived  from  analysis  and  protects  against  stress  rupture  of  the  HPFT  blades  due 
to  high  temperature  operation.  This  redline  was  developed  following  uncontained  failures  on 
engines  0204  and  2013  during  ground  testing.  These  failures  were  attributed  to  turbine  blade 
failu  re  which  resulted  in  HPFTP  seizure  and  low  pressure  fuel  duct  rupture.  Subsequent  analysis 
determined  a  2160  deg  R  maximum  turbine  blade  root  temperature  capability  for  109  percent 
power  level.  This  temperature  equates  to  a  2060  deg  R  turbine  exhaust  temperature.  The  1960 
deg  R  limit  provides  a  100  deg  R  margin  for  the  Phase  II  and  Block  I  SSME’s.  The  1860  deg  R 
limit  provides  a  200  deg  R  margin  for  the  Block  IIA  and  Block  II  SSME’s.  This  reduction  for  the 
Block  IIA  and  Block  II  SSME’s  still  leaves  satisfactory  margin  from  nominal  operating 
conditions  to  the  redline,  due  to  the  reduced  temperature  environment  facilitated  by  the  large 
throat  MCC  (reference  8/15/97  Ascent/Entry  Flight  Techniques  Panel).  The  channel  A  location 
on  some  HPFTP’s  may  run  cooler,  thus  necessitating  a  lower  redline  value  ( potentially  as  low  as 
1850  deg  Rfor  the  Phase  II  and  Block  I  or  1750  deg  Rfor  the  Block  IIA  and  Block  II).  ®[i  1 1 094- 

1732]  ®[1 21 1 97-6472A] 
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The  upper  reasonableness  limit  of  2650  deg  R  guards  against  open  circuits  and  analog-to-digital 
(A/D)  converter  failures.  The  intrachannel  and  interchannel  reasonableness  limits  are  screens  for 
interned  short  circuits.  An  absolute  lower  limit  is  not  feasible  since  a  short  will  result  in  cm  in-range 
failure  signature.  If  only  one  sensor  remains,  only  the  open  circuit  failure  mode  is  detectable. 
®[092195-1792B]  ®[1 21 1 97-6472A] 

g.  HPOT  TURBINE  DISCHARGE  TEMPERATURE  ®[092i  95-1 792B] 

The  upper  redline  limit  was  derived  from  analysis  to  protect  the  heat  exchanger  from  overheating 
and  rupturing  leading  to  catastrophic  failure.  The  limit  of  1760  deg  R  provides  a  100  deg  margin 
(1860  deg  R  is  based  on  meeting  one  mission  life  capability;  i.  e. ,  until  nominal  predicted  MECO) 
for  the  Phase  II,  and  Block  I  SSME’s.  The  1660  deg  R  limit  provides  a  200  deg  R  margin  for  the 
Block  IIA  and  Block  II  SSME’s.  This  reduction  for  the  Block  IIA  and  Block  II  SSME’s  still  leaves 
satisfactory  margin  from  nominal  operating  conditions  to  the  redline,  due  to  the  reduced 
temperature  environment  facilitated  by  the  large  throat  MCC  (reference  8/15/97  Ascent/Entry  Flight 
Techniques  Panel).  The  lower  redline  limit  of  720  deg  R  provides  protection  against  inadvertent 
deep  throttling  of  the  engine,  which  causes  ice  formation  in  the  HPOT  turbine,  subsequen  t  turbine 
imbalance,  and  potential  catastrophic  HPOTP  failure.  ®[1 21 1 97-6472A] 

The  reasonableness  limit  of  2650  deg  R  guards  against  open  circuits  and  A/D  converter  failures. 

The  in  trachannel  and  interchannel  reasonableness  limits  are  screens  for  in  ternal  short  circuits.  An 
absolute  lower  limit  is  not  feasible  since  a  short  will  result  in  cm  in-range  failure  signature.  If  only 
one  sensor  remains,  only  the  open  circuit  failure  mode  is  detectable.  ®[1 21 1 97-6472A] 

h.  HPOTP  SECONDARY  SEAL  PRESSURE 

PHASE  II SSME  -  The  redline  limit  was  derived  from  analysis  to  prevent  the  L02from  the  HPOTP 
pump  combining  with  the  hot  fuel-rich  turbine  gas  in  the  seed  purge  cavity.  The  redline  protects 
against  failures  of  the  HPOTP  primary  or  secondary  turbine  seals.  The  limit  is  set  to  ensure  that 
the  HPOTP  intermediate  seal  cavity  pressure  is  greater  than  the  HPOTP  secondary  seal  cavity 
pressure  by  9  psi  during  mean  stage,  with  a  minimum  seal  purge  flow  rate  and  a  maximum  seal  gap. 
Both  reasonableness  tests  provide  protection  against  avionics  failures  of  the  pressure  sensor  system. 
@[032395-1 765A]  @[0921 95-1 792B] 

BLOCK  1  SSME,  BLOCK  IIA  SSME,  and  BLOCK  II  SSME  -  Due  to  significant  design  changes  in  the 
alternate  HPOTP  seal  package  on  these  engines,  this  transducer  and  its  redline  have  been  eliminated. 
Rationale  for  this  is  the  oxidizer  and  secondary  H2  drain  pressure  margins  are  large,  and  a  secondary 
labyrinthine  (lab)  seal  analysis  at  more  than  six  times  its  maximum  possible  operating  clearance 
showed  helium  barrier  delta  pressure  is  insensitive  to  lab  seal  clearance  changes.  @[032395-1 765A] 
©[121197-6472A] 
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A5-2  SPACE  SHUTTLE  MAIN  ENGINE  OUT  (CONTINUED) 

i.  HPOTP  INTERMEDIATE  SEAL  PRESSURE  - 

PHASE  II SSME  -  The  redline  limit  was  derived  from  analysis  to  prevent  the  L02from  the  HPOTP 
pump  combining  with  the  hot  fuel-rich  turbine  gas  in  the  purge  cavity.  This  redline  guards  against 
excessive  seal  wear  or  loss  of  helium  purge  by  ensuring  that  the  HPOTP  intermediate  seed  cavity 
pressure  is  greater  than  the  HPOTP  secondary  seal  cavity  pressure  by  9  psi  during  main  stage  under 
the  worst  seal  gap  condition.  Both  reasonableness  tests  provide  protection  against  avionics  failu  res  of 
the  pressure  sensor  system.  @[032395-1 765A]  ®[0921 95-1 792B]  ®[1 21 1 97-6472A] 

BLOCK  I  SSME,  BLOCK  IIA  SSME,  and  BLOCK  II  SSME  -  The  redline  limit  was  derived  from 
analysis  to  prevent  L02fi'om  the  alternate  HPOTP  pump  combining  in  the  purge  cavity  with  H2from 
the  fuel  cooled  roller  and  ball  bearing  package.  This  redline  guards  against  excessive  seal  wear  or 
loss  of  helium  purge  by  ensuring  that  the  HPOTP  intermediate  seal  cavity  pressure  is  greater  than  the 
HPOTP  O2  cavity  and  secondary  H2  cavity  pressures  by  10  psi  during  mean  stage  under  the  worst  seal 
gap  condition.  Both  reasonableness  tests  provide  protection  against  avionics  failures  of  the  pressure 
sensor  system.  ©[032395-1765A]  ®[092195-1792B]  ®[1 21 1 97-6472A] 

j.  MCC  PC  SENSOR  AVERAGE  -  The  redline  was  initially  added  to  protect  the  engine  against  the 
type  of  failure  seen  on  engine  2106,  in  which  a  burnthrough  of  the  bellows  section  of  the  high 
pressure  oxidizer  turbopump  turbine  section  occurred.  This  failure  was  caused  by  an  oxidizer 
preburner  failure  and  resulted  in  a  bypass  of  hot  gas  flow  from  the  turbine  directly  into  the  hot 
gas  manifold  which  caused  a  massive  drop  in  MCC  Pc.  The  original  redline  limit  of 400  psi 
below  the  commanded  Pc  was  chosen  based  upon  the  amoun  t  of  damage  sustained  by  the  engine 
2106  high-pressure  oxidizer  turbopump  at  the  time  the  engine  was  shut  down  by  a  facility 
redline.  The  MCC  Pc  redline  was  updated  for  STS-89  and  subsequent  flights  to  200  psi  below 
the  commanded  Pc  during  steady  state  operations,  while  retaining  the  400  psi  during  throttling 
and  when  power  level  is  less  than  or  equal  to  75  percent  RPL.  This  update  was  based  upon  the 
amoun  t  of  damage  sustained  by  engine  0524  which  experien  ced  a  nozzle  failure  and  uncontained 
shutdown  during  test  901-933.  ®[1 21 1 97-6472A] 

The  intrachannel  reasonableness  limit  (I Bridge  1  -  Bridge  21  ?  125  psi)  protects  against  single- 
bridge  failures.  Due  to  hardware  and  software  limitations  in  the  controller  for  sampling  sensor 
inputs,  the  delta  value  must  be  set  large  enough  to  account  for  differences  in  the  actual  MCC  Pc  if 
the  actual  MCC  Pc  is  decreasing  rapidly  due  to  a  real  engine  combustion  problem.  If  the  value  is 
set  too  tight,  the  actual  MCC  Pc  could  drop  greater  than  the  reasonableness  limit  between  sampling 
the  bridge  1  and  bridge  2  sensor  measurements.  A  smaller  value  could  cdlow  one  or  both  MCC  Pc 
channels  to  be  erroneously  disqualified.  If  both  channels  are  disqualified,  the  MCC  Pc  redline  is 
disabled  at  a  time  it  is  most  needed.  The  redline  qualification  limit  was  increased  from  75  psi  to 
125  psi  in  response  to  the  catastrophic  failure  of  development  SSME  0212  (test  904-44),  during 
which  the  actual  decay  rate  of  the  MCC  Pc  was  105  psi  between  input  samples  of  the  A1/A2  and 
B1/B2  Pc  pairs.  The  channel  average  upper  reasonableness  limit  protects  against  an  off-scale  high 
sensor  pear  or  input  electronics  failure.  The  lower  limit  protects  against  a  failed  low  sensor  pear  or 
input  electron  ics  failure.  ®[1 21 1 97-6472A] 
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A5-2  SPACE  SHUTTLE  MAIN  ENGINE  OUT  (CONTINUED) 

F.  SSME  INSTRUMENTATION/ELECTRONICS  FAILURE  MATRIX: 
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@[030994-1 61 4A]  @[032395-1 765A]  @[0921 95-1 792B]  @[121 1 97-6472A] 

NOTES: 

[1]  CHANNEL  A  FAILURES  WHEN  ALIGNED  WITH  SPECIFIC  CHANNEL  B  FAILURES  THAT  CAUSE  SHUTDOWN  ARE 
DENOTED  BY  X  OR  es . 

[2]  ALL  QUALIFIED  SENSORS  EXCEED  REDLINE  LIMIT.  @[030994-1 61 4A]  @[0921 95-1 792B]  ©[121197-6472A] 

[3]  LOSS  OF  CONTROLLER  REDUNDANCY. 

[4]  DOES  NOT  APPLY  TO  THE  BLOCK  I  SSME,  BLOCK  IIA  SSME,  OR  THE  BLOCK  II  SSME  @[032395-1 765A] 

[5]  DOES  NOT  APPLY  TO  THE  BLOCK  II  SSME.  ®[1 21 1 97-6472A] 

LEGEND: 

X  SHUTDOWNS  THAT  CANNOT  BE  INHIBITED.  PNEUMATIC  SHUTDOWN  WILL  OCCUR  BEHIND  A  DATA  PATH 
FAILURE.  @[030994-1 61 4A] 

^  SHUTDOWNS  THAT  CAN  BE  INHIBITED  USING  MAIN  ENGINE  LIMIT  SHUTDOWN  SWITCH. 
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A5-2  SPACE  SHUTTLE  MAIN  ENGINE  OUT  (CONTINUED) 

This  matrix  identifies  failures  which  result  in  loss  of  controller  redundancy  and  in  premature  engine 
shutdown.  Shutdown  caused  by  dual  controller  failures  cannot  be  prevented  even  if  the  limit  shutdown 
monitoring  is  inhibited.  In  these  cases  when  the  second  failure  occurs,  the  engine  will  immediately  shut 
down  via  the  controller’s  fail-safe  pneumatic  shutdown  sequence.  Shutdowns  caused  by  redline  violations 
can  be  inhibited  manually  by  the  limit  shutdown  monitoring  switch  or  automatically  by  the  GPC  software 
after  an  engine  out  or  data  path  failure. 

Rules  (A5-5J,  SUSPECT  ENGINE;  {A5-6j,  SSME  REDLINE  SENSOR  FAILED;  { A5-7j ,  SSME  ONE 
REDLINE  SENSOR  FAILURE  AWAY  FROM  AN  ERRONEOUS  SHUTDOWN;  { A5-8 },  SPACE 
SHUTTLE  MAIN  ENGINE  TYPES;  ( A5-110 j,  SSME  PERFORMANCE  DISPERSION;  and  { A5-111 j, 

AC  BUS  SENSOR  ELECTRONICS  CONTROL  [ CIL],  reference  this  rule.  ®[i 21 1 97-6482B]  ®[i 21 1 97- 

6472A]  ®[1 1 1 298-6785A]  ®[ED  ] 

A5-3  STUCK  THROTTLE 

FAILURE  OF  A  MAIN  ENGINE  TO  THROTTLE  COULD  BE  CAUSED  BY 
COMBINATIONS  OF  ENGINE  AND  AVIONICS  FAILURES  WHICH  CAUSE  THE  ENGINE 
OPERATING  MODE  TO  CHANGE  TO  ELECTRICAL  OR  HYDRAULIC  LOCKUP,  OR  BY 
ORBITER  AND  MAIN  ENGINE  AVIONICS  FAILURES  CAUSING  A  COMMAND  PATH 
FAILURE . 

A.  ELECTRICAL  LOCKUP 

THE  ENGINE  PROPELLANT  VALVES  ARE  ACTIVELY  CONTROLLED  AT  THEIR 
LAST  COMMANDED  POSITION  THAT  EXISTED  PRIOR  TO  LOSS  OF  BOTH 
SENSOR  CHANNELS  OF  EITHER  THE  LIH>  FLOWMETER  TRANSDUCERS  OR  MAIN 
COMBUSTION  CHAMBER  PRESSURE  TRANSDUCER  PAIRS. 

The  SSME  valves  are  controlled  to  their  last  commanded  values  to  minimize  mixture  ratio  excursions. 

Mixture  ratio  is  a  function  of  measured  main  combustion  chamber  pressure  (Pc)  and  LH 2  flowrate.  The 
mass  flowrate  is  calculated  from  measured  volumetric  flowrate  and  calculated  fuel  density  (as  calculated 
from  LPFT  discharge  pressure  and  temperature).  Should  the  LPFT  discharge  pressure  or  temperature  be 
disqualified,  a  “fixed”  density  value  for  the  LH2  density  will  be  used.  Should  both  channels  of  either  the 
measured  Pc  or  volumetric  flowrate  be  disqualified,  or  a  combination  of  loss  of  controller  redundancy  and  a 
loss  of  the  remaining  channel’s  Pc  or  volumetric  flowrate,  the  engine  enters  into  the  “electrical  lockup” 
mode  and  all  valves  are  maintained  at  their  last  commanded  position  until  shutdown  is  commanded.  If  the 
controller  implements  the  shutdown,  it  will  be  a  hydraulic  shutdown.  If  the  crew  must  manually  shut  down 
the  engine  (ref.  Rules  { A5-108 },  MANUAL  SHUTDOWN  FOR  HYDRAULIC  OR  ELECTRICAL  LOCKUP, 
and  [A5-109],  MANUAL  SHUTDOWN  FOR  TWO  STUCK  THROTTLES  (NOT  DUAL  APU  FAILURES),  the 
shutdown  will  be  a  hydraulic  shutdown.  Reference  Computer  Program  CEI,  Block  II,  SSME  Controller 
Operational  Program,  CP406R0002.  @[030994-1 61 4A]  ®[ED  ] 
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A5-3  STUCK  THROTTLE  (CONTINUED) 

B.  HYDRAULIC  LOCKUP 

ALL  FIVE  ENGINE  PROPELLANT  VALVES  ARE  HYDRAULICALLY  ISOLATED 
AT  THEIR  LAST  POSITION  WHEN  BOTH  CHANNELS  OF  SERVOACTUATORS 
HAVE  BEEN  DISQUALIFIED  FOR  ANY  COMBINATION  OF  THE  FOLLOWING 
FAILURES:  ISSUANCE  OF  A  SERVOACTUATOR  ERROR  INDICATION 
INTERRUPT  (SEII),  FAILURE  OF  THE  DIGITAL-TO-ANALOG  CONVERTER 
(DAC)  TEST,  FAILURE  OF  THE  SERVOACTUATOR  MODEL,  OR  LOSS  OF 
CONTROLLER  REDUNDANCY.  THE  SEII  LIMIT  IS  6  PERCENT  FOR 
CHANNEL  A  AND  10  PERCENT  FOR  CHANNEL  B. 

Hydraulic  isolation  of  the  valves  minimizes,  but  does  not  preven  t,  valve  drift  which  could  result  in  further 
deviations  from  nominal  valve  positions  causing  loss  of  performance  and/or  possible  engine  shutdown. 
One  hydraulic  system  supplies  hydraulic  actuation  to  the  five  engine  valves  (a  differen  t  hydraulic  system 
for  each  engine).  Each  valve  has  a  redundant  servocontrol  system.  Channel  A  is  normally  controlling 
unless  it  has  been  disqualified.  Channel  A  disqualification  could  be  due  to  loss  of  channel  A  power,  loss 
of  channel  A  input  or  output  electronics,  failure  of  the  SEII  6  percent  test  (expressed  in  terms  of  percent 
full  range  valve  travel),  failure  of  the  output  electronics  (OE)  DAC  test,  or  failure  of  the  channel  A 
servoactuator  model.  The  SEII  test  compares  the  actual  valve  position  to  the  expected  valve  position 
based  on  an  internal  servoactuator  model.  The  OE  DAC  test  verifies  that  each  DAC’s  output  voltage 
level  is  equal  to  its  last  commanded  value,  and  that  the  command  decoder  addresses  the  correct  OE  DAC 
by  proper  decoding  of  the  four  LSB  ’s  of  the  OE  storage  register.  The  servoactuator  model/  monitor  test 
verifies  proper  operation  of  the  hardware  and  software  associated  with  SEII’s.  Channel  B 
disqualifications  could  be  due  to  the  same  type  of  failures  listed  for  channel  A,  except  channel  B  uses  an 
SEII  test  limit  of  10  percent  error  comparison  instead  of  6  percent  to  take  into  account  the  switchover 
transient  from  channel  A  to  B.  Should  both  channels  be  disqualified,  the  SSME  enters  into  “hydraulic 
lockup.  ”  In  this  mode,  the  engine  might  experience  loss  of  performance  due  to  valve  drift.  If  this  occurs 
and  a  redline  limit  is  exceeded,  the  engine  will  be  pneumatically  shut  down.  If  a  redline  is  not  exceeded, 
then  shutdown  of  the  engine  will  be  accomplished  by  engine  pneumatics  when  a  manual  or  commanded 
shut  down  occurs.  Reference  Computer  Program  CEI,  Block  II,  SSME  Controller  Operational  Program, 
CP406R0002. 
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A5-3  STUCK  THROTTLE  (CONTINUED) 

C.  COMMAND  PATH  FAILURE 

LOSS  OF  COMMAND  CAPABILITY  FROM  THE  GPC  TO  AN  SSME  ON  AT 
LEAST  TWO  COMMAND  CHANNELS  .  @[030994-1 61 4A] 

Without  GPC  commands,  the  SSME  will  not  be  able  to  accomplish  the  following  functions:  change 
throttle  settings,  inhibit/enable  shutdown  limits,  respond  to  shutdown  commands,  or  perform  an  LO2 
dump.  Shutdown  commands  could  be  issued  by  guidance  software,  from  a  low  level  cutoff,  or  from  a 
manual  shutdown  pushbutton.  Each  controller  normally  requires  two  of  three  valid  command  paths 
from  the  GPC’s  to  control  the  SSME  ( start  commands  require  three  of  three  functional  command 
paths).  SSME  controller  software  change  RCN  4354  implemented  in  version  OI-6  and  subs  added  the 
capability  for  the  engine  to  accept  a  shutdown  enable/shutdown  command  pair  on  a  single  channel 
under  special  circumstances:  an  in  ternal  timer  has  expired  (curren  tly  set  at  512.86  seconds  from  engine 
start);  limits  have  never  been  inhibited;  the  shutdown  enable/shutdown  command  pair  come  in  on  the 
same  channel,  sequentially  (with  no  other  command  in-between);  and  a  valid  command  is  not 
concurrently  being  received  on  the  other  two  channels.  Shutdown  of  the  SSME  without  GPC  control  is 
accomplished  by  the  removal  of  ac  power  to  the  controller.  This  action  activates  the  fail-safe  engine 
pneumatic  system,  shutting  the  engine  down  safely.  A  data  path  failure  will  also  result  from  this  action, 
requiring  the  crew  to  push  the  affected  engine’s  shutdown  pushbutton  to  inform  guidance  of  an  engine 
out  and  to  safe  the  engine  by  closing  the  LPI2  and  LO2  prevalves.  Reference  Computer  Program  CEI, 
Block  II,  SSME  Controller  Operational  Program,  CP406R0002.  @[030994-1 61 4A] 

A5-4  DATA  PATH  FAILURE 

LOSS  OF  ALL  PRIMARY  AND  SECONDARY  DATA  FROM  THE  SSME  CONTROLLER 
TO  GPC'S. 

Since  TREF,  engine  status  word  and  average  Pc  values  are  present  in  both  the  primary  and  secondary 
data,  the  loss  of  both  data  types  from  the  controller  is  required  for  the  GPC  to  acknowledge  a  data  path 
failu  re.  This  failure  is  identified  by  the  GPC  SSME  SOP  software.  The  loss  of  both  data  paths  will 
prevent  onboard  and  ground  monitoring  of  all  SSME  data.  (Ref.  FSSRfor  SSME  SOP). 
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A5-5  SUSPECT  ENGINE 

A  SUSPECT  ENGINE  IS  A  RESULT  OF  ANY  OF  THE  FOLLOWING  FAILURE 
CONDITIONS : 

A.  ALL  QUALIFIED  REDLINE  SENSORS  ON  A  PARAMETER  SHIFT  IN  THE 
SAME  DIRECTION,  WITH  AT  LEAST  ONE,  BUT  NOT  ALL,  QUALIFIED 
SENSORS  VIOLATING  THE  REDLINE  LIMIT  (S).  @[092195-1795] 

If  all  redline  sensors  pass  their  reasonableness  limits,  at  least  one,  but  not  all,  are  violating  their 
redline  limit(s)  and  all  non-voting  sensors  have  shifted  toward  their  redline(s),  the  SSME  can  continue 
to  operate  but  will  shut  down  if  the  remaining  qualified  sensors  exceed  their  shutdown  limits.  The  fact 
that  all  qualified  sensors  have  moved  toward  their  redlines  indicates  that  something  is  wrong  with  the 
engine  and  that  shutdown  could  occur  at  any  moment.  Reference  rule  {A5-2EJ,  SPACE  SHUTTLE 
MAIN  ENGINE  OUT,  for  reasonableness/qualification  limits  and  redline  limits.  ®[ED  ] 

B.  ALL  QUALIFIED  SENSORS  EXCEED  THE  LIMITS  FOR  A  PARTICULAR 
REDLINE  AFTER  SHUTDOWN  MONITORING  IS  INHIBITED. 

If  all  qualified  sensors  exceed  limits  with  the  shutdown  monitoring  inhibited,  the  SSME  is  approaching 
the  failure  situation  which  the  limits  were  designed  to  prevent.  The  redline  will  only  remain  inhibited 
as  long  as  the  vehicle  is  in  an  abort  region  gap.  While  the  limits  are  inhibited,  the  engine  may  fail  at 
any  moment  with  uncontained  engine  damage  and  loss  of  vehicle  and  crew,  since  the  shutdown  limit 
protection  is  not  available  for  this  case.  Reference  rule  {A5-2E},  SPACE  SHUTTLE  MAIN  ENGINE 
OUT,  for  redline  limits.  Reference  rule  {A5-103},  LIMIT  SHUTDOWN  CONTROL,  for  re-enabling 
boundaries.  @[092195-1795]  ®[ED  ] 

C.  NONISOLATABLE  MPS  HELIUM  LEAK 

Using  the  MPS  helium  leak  isolation  procedure,  the  crew  can  determine  if  isolating  a  given  leg  will  stop 
the  leak.  If  the  procedure  does  not  stop  the  leak,  it  is  nonisolatable  and  may  result  in  SSME  shutdown 
due  to  HPOT  intermediate  seal  pressure  dropping  below  the  redline.  The  SSME  with  a  helium  leak  is 
considered  suspect  since  its  leak  rate  could  increase  at  any  time  and  thus  could  cause  the  engine  to  shut 
down  earlier  than  predicted  by  the  MCC.  Reference  rule  {A5-153J,  PRE-MECO  SHUT  DOWN  OF 
ENGINES  DUE  TO  MPS  HELIUM  LEAKS.  @[032395-1 766  ] 

D.  LOW  LH2  NPSP 

IfLH2  NPSP  is  low  enough  to  require  manual  throttling  or  cause  a  TAL  due  to  an  LH2  tank  ullage 
leak  or  failed  closed  GH2flow  control  valves,  at  least  one  SSME  may  be  approaching  a  redline  limit 
shutdown  due  to  high  HPFTP  turbine  discharge  temperatures.  Reference  rules  {A5-155},  LIMIT 
SHUTDOWN  CONTROL  AND  MANUAL  THROTTLING  FOR  LOW  LH2  NPSP,  and  {A5-156J, 

ABORT  PREFERENCE  FOR  SYSTEMS  FAILURES. 
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A5-5  SUSPECT  ENGINE  (CONTINUED) 

E.  DRIFTING  PERFORMANCE  WITH  ALL  QUALIFIED  CHANNELS  OF  ANY  GIVEN 
REDLINE  PARAMETER  APPROACHING  THEIR  REDLINE  LIMITS. 

An  engine  in  hydraulic  lockup  is  expected  to  drift.  This  performance  drift  should  elevate  HPOTP  turbine 
discharge  temperatures  which  may  eventually  exceed  the  redline  causing  the  engine  to  shutdown.  Nozzle 
leaks  and  PIPOTP  efficiency  loss  cases  may  cause  redline  exceedance  and  subsequent  shutdown  due  to 
violation  of  one  of  the  turbine  temperature  redlines  or  the  MCC  Pc  low  redline.  MCC  Pc  shifts  and  FFM 
shifts  may  cause  a  redline  exceedance  (probably  one  of  the  turbine  temperatures)  and  subsequent 
shutdown.  Electric  lockups  due  to  large  FFM  shifts  can  cause  a  redline  exceedance  (due  to  turbine 
temperatures  or  the  MCC  Pc  redline).  Reference  rule  {A5-2J,  paragraph  E,  SPACE  SHUTTLE  MAIN 
ENGINE  OUT,  for  redline  limits.  ®[ED  ] 

Rules  (A4-56J,  PERFORMANCE  BOUNDARIES;  and  (A5-156J,  ABORT  PREFERENCE  FOR  SYSTEMS 
FAILURES;  reference  this  rule.  ©[092195-1770A]  @[092195-1795] 

A5-6  SSME  REDLINE  SENSOR  FAILED 

AN  SSME  REDLINE  SENSOR  WILL  BE  DECLARED  FAILED  PER  THE  FOLLOWING 
CRITERIA:  @[092195-1794]  @[121296-4624] 

A.  AN  SSME  REDLINE  SENSOR  IS  DECLARED  FAILED  IF  IT  WAS 

DISQUALIFIED  BY  THE  SSME  CONTROLLER  DUE  TO  VIOLATION  OF 
ITS  REDLINE  QUALIFICATION  LIMIT  DURING  THE  START  PREP 
(PRELAUNCH),  START,  OR  MAINSTAGE  PHASE.  IN  ADDITION,  AN 
MCC  PC  CHANNEL  SHALL  BE  CONSIDERED  FAILED  IF  IT  HAS  FAILED 
ITS  CONTROL  INTRACHANNEL  QUALIFICATION  LIMIT.  @[111699-7096] 

Once  an  SSME  redline  sensor  has  been  disqualified,  it  can  no  longer  be  used  by  the  SSME  controller 
software  for  redline  monitoring  (reference  rule  {A5-2J,  paragraph  E,  SPACE  SHUTTLE  MAIN  ENGINE 
OUT,  for  qualification  limits).  Redline  pressure  sensors  that  fail  during  start  prep  ( prelaunch )  will 
generate  a  major  component  failure  (MCF)  and  preclude  launching.  However,  because  of  the  quadruple 
redundancy  scheme,  a  redline  temperature  sensor  can  fail  during  start  prep  (prelaunch)  without 
generating  an  MCF  and  without  an  LCC  violation.  For  the  purpose  of  limits  management,  this  is 
considered  a  failed  sensor.  (Ref.  Rule  (A5-103J,  LIMIT  SHUTDOWN  CONTROL).  ®[i  n  699-7096  ] 

A  failure  of  the  MCC  Pc  control  intrachannel  qualification  mon  itor  (pressure  delta  between  the  two 
bridges  exceeds  75  psia)  is  also  indicative  of  a  sensor  failure,  even  though  the  Pc  channel  is  still  used  for 
redline  monitoring.  The  redline  intrachannel  qualification  delta  is  larger  (125  psia)  to  account  for  the 
case  of  a  real  engine  failure  dropping  the  Pc  so  quickly  that  the  delta  between  bridges  could  exceed  the 
75  psia  in  the  time  it  takes  the  controller  to  read  in  the  two  values.  The  control  intrachannel  check  is 
included  in  the  failure  criteria  because  that  channel  could  degrade  at  any  time  and  violate  the  redline 
intrachannel  check.  ®[1 1 1 699-7096  ] 
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A5-6  SSME  REDLINE  SENSOR  FAILED  (CONTINUED) 

The  SSME  controller  performs  a  Pc  reference  (ref)  check  as  part  of  the  Pc  control  logic.  The  Pc  ref 
logic  evaluates  the  health  of  the  Pc  channel,  as  opposed  to  the  individual  sensors,  by  comparing  the  Pc 
channel  averages  to  the  reference  Pc.  It  checks  to  see  if  the  Pc  channel  average  is  greater  than  75  psi 
from  the  reference  Pc  (200  psi  when  throttling  or  below  75  percent  RPL).  In  order  for  sensors  to  cause 
this  check  to  fail,  both  sensors  would  have  to  fail  simultaneously  and  in  the  same  direction.  It  is  more 
likely  that  there  is  a  channel  failure  causing  the  Pc  ref  limits  to  be  violated,  and  thus  this  is  not 
considered  a  failed  sensor.  If  a  channel  f cals  the  Pc  discriminator  logic  check,  it  is  considered  a 
channel  failure,  not  a  sensor  failure. 

Rule  {A5-7j,  SSME  ONE  REDLINE  SENSOR  FAILURE  AWAY  FROM  AN  ERRONEOUS  SHUTDOWN, 

references  this  rule.  @[121296-4624]  ®[ED  ] 

B.  AN  HPOTP  DISCHARGE  PRESSURE  SENSOR  OR  AN  HPFTP  DISCHARGE 
PRESSURE  SENSOR  SHALL  BE  CONSIDERED  A  FAILED  REDLINE  SENSOR 
IF  IT  WAS  DISQUALIFIED  BY  THE  SSME  CONTROLLER  DUE  TO 
VIOLATION  OF  ITS  QUALIFICATION  LIMIT  DURING  THE  START  PREP 
(PRELAUNCH),  START,  OR  MAINSTAGE  PHASE. 

NOTE:  THE  DISCHARGE  PRESSURES  DO  NOT  HAVE  AN  ASSOCIATED 

REDLINE  BUT  ARE  ELECTRONICALLY  THE  SAME  AS  THE 
REDLINE  PRESSURE  SENSORS. 

The  HPOTP  and  HPFTP  discharge  pressure  sensors  are  electronically  the  same  as  the  redline  pressure 
sensors  and  thus  are  operationally  considered  the  same  as  a  redline  sensor.  Qualification  limits  were 
added  to  these  parameters  when  the  Pc  discriminator  logic  was  introduced  post  STS-91  (ref.  SSME 
Requirement  Change  Notices  #  6503  &  6524).  Once  an  HPOTP  DP  or  HPFTP  DP  sensor  is  disqualified, 
it  is  no  longer  used  in  the  controller’s  Pc  discriminator  logic.  The  first  of  these  two  sensors  to  fail  will 
not  generate  an  MCF  and  will  not  cause  an  LCC  violation.  Therefore,  if  this  sensor  fails  in  the  start  prep 
(prelaunch),  start,  or  mainstage  phase,  it  is  considered  failed  for  the  purpose  of  limits  management  (ref. 
Rule  {A5-I03},  LIMIT  SHUTDOWN  CONTROL).  Note:  a  second  discharge  pressure  sensor  failure  in 
start  prep  ( prelaunch )  or  start  will  post  cm  MCF  and  will  preclude  launching.  @[111699-7096  ] 

C.  IF  THE  FLIGHT  CONTROLLERS  CAN  POSITIVELY  IDENTIFY  THE  SENSOR 
FAILURE  MODE ( S )  AS  BEING  THE  CAUSE  OF  AN  ENGINE  SHUTDOWN,  THE 
AFFECTED  SSME  REDLINE  SENSOR (S)  WILL  BE  DECLARED  FAILED. 
@[092195-1794]  @[111699-7096] 
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A5-7  SSME  ONE  REDLINE  SENSOR  FAILURE  AWAY  FROM  AN 

ERRONEOUS  SHUTDOWN  ®[ED  ] 

A.  AN  SSME  WILL  BE  DECLARED  ONE  REDLINE  SENSOR  FAILURE  AWAY  FROM 
AN  ERRONEOUS  SHUTDOWN  IF  ONLY  ONE  OF  THE  HPFTP  COOLANT  LINER 
PRESSURE  TRANSDUCERS  (PHASE  II  AND  BLOCK  I  SSME  ONLY) ,  ONE  OF 
THE  HPOTP  SECONDARY  SEAL  PRESSURES  (PHASE  II  SSME  ONLY),  OR 
ONE  OF  THE  HPOTP  INTERMEDIATE  SEAL  PRESSURE  TRANSDUCERS,  IS 
QUALIFIED  FOR  REDLINE  SHUTDOWN  PROCESSING.  @[121296-4624] 

NOTE:  AN  SSME  IS  NOT  DECLARED  ONE  REDLINE  SENSOR  FAILURE 
AWAY  FROM  AN  ERRONEOUS  SHUTDOWN  IF  ONLY  ONE  OF  THE 
TWO  SSME  MCC  PC  CHANNELS  IS  DISQUALIFIED. 

The  HPFTP  coolant  liner  pressure  redline  ( Phase  II  and  Block  I  SSME  only),  the  secondary  seal 
pressure  redline  (Phase  II  SSME  only),  and  the  intermediate  seal  pressure  redline  each  have  two 
pressure  transducers  per  redline  (single  transducer  per  controller  channel).  Therefore,  if  one  or  more 
transducers  are  disqualified  for  either  a  controller  failure  (input  electronics  or  power  supply,  reference 
Rule  {A5-2},  SPACE  SHUTTLE  MAIN  ENGINE  OUT )  or  a  sensor  failure  (reference  Rule  (A5-6},  SSME 
REDLINE  SENSOR  FAILED),  causing  any  remaining  pressure  redline  to  have  a  single  qualified 
transducer,  the  engine  will  be  considered  one  redline  sensor  failure  away  from  an  erroneous  shutdown. 
This  definition  is  used  by  Rule  { A5-103 },  LIMIT  SHUTDOWN  CONTROL,  but  only  after  the  criteria 
outlined  there  (e.g.,  at  least  one  redline  sensor  has  failed)  has  been  met.  @[121296-4624]  ®[ED  ] 

No  single  main  combustion  chamber  pressure  (MCC  Pc)  transducer  failure  can  cause  an  engine  to  shut 
down  on  the  MCC  Pc  redline  when  only  one  channel  remains.  Engine  shutdown  is  prevented  because  of 
the  way  the  MCC  Pc  transducers  are  qualified  (redline  processing  is  performed  on  channel  pairs).  An 
MCC  Pc  channel  must  have  a  channel  average  between  1000  and  3500  psia,  arid  the  two  transducers  on 
the  channel  must  be  within  125  psia  of  each  other,  for  the  channel  to  be  qualified  to  vote  for  shutdown, 
reference  Rule  (A5-2),  SPACE  SHUTTLE  MAIN  ENGINE  OUT.  The  channel  is  disqualified  for  redline 
processing  if  either  of  these  conditions  is  not  met.  The  redline  is  violated  if  all  qualified  channel 
averages  are  400  psia  less  than  reference  Pc  (defined  by  the  SSME  controller  for  a  given  SSME  power 
level).  If  one  of  the  Pc  transducers  drifts  high,  with  only  one  channel  remaining,  the  con  troller  channel  ’s 
two  Pc  sensors  will  be  disqualified  for  thrust  control  processing.  This  disqualification  will  occur  when 
the  delta  between  the  two  channels  reaches  75  psia.  This  will  place  the  SSME  in  electrical  lockup. 
Additionally,  if  the  sensor  continues  to  drift  such  that  delta  between  the  two  sensors  is  125  psia,  the 
controller  channel’s  Pc  transducers  will  be  disqualified  for  redline  shutdown  processing.  This 
disqualification  will  occur  prior  to  the  400  psia  redline  being  violated.  For  cases  where  both 
transducers  are  on  the  remaining  channel  drift,  (thermal  isolator  problem  or  lee  jet/sense  tube  problem), 
the  engine  will  continually  rebalance  in  response  to  the  drifting  Pc.  If  the  drift  is  severe  enough,  the 
engine  may  exceed  the  400  psia  engine  redline.  In  either  case,  SSME  redline  limits  should  be  reenabled 
as  specified  in  Rule  {A5-103},  LIMIT  SHUTDOWN  CONTROL.  ®[ED  ] 
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A5-7  SSME  ONE  REDLINE  SENSOR  FAILURE  AWAY  FROM  AN 

ERRONEOUS  SHUTDOWN  (CONTINUED) 

B.  AN  SSME  IS  DECLARED  ONE  REDLINE  SENSOR  FAILURE  AWAY  FROM  AN 

ERRONEOUS  SHUTDOWN  IF  ONLY  ONE  HPOT  TURBINE  DISCHARGE 
TEMPERATURE  ( TDT )  TRANSDUCER  IS  QUALIFIED  FOR  REDLINE 
SHUTDOWN  PROCESSING. 

C.  AN  SSME  IS  NOT  DECLARED  ONE  REDLINE  SENSOR  FAILURE  AWAY  FROM 

AN  ERRONEOUS  SHUTDOWN  IF  ONLY  ONE  HPFT  TURBINE  DISCHARGE 
TEMPERATURE  TRANSDUCER  IS  QUALIFIED  FOR  REDLINE  SHUTDOWN 
PROCESSING. 

Once  a  sensor  has  been  disqualified,  it  can  no  longer  be  used  by  the  SSME  controller  software  for 
redline  monitoring.  Reference  Rule  { A5-2E '},  SPACE  SHUTTLE  MAIN  ENGINE  OUT,  for  information 
on  qualification/reasonableness  testing.  There  are  known  thermocouple  failure  modes  that  can  cause  a 
sensor  to  fail  below  the  lower  HPOT  turbine  discharge  temperature  redline,  but  above  the  qualification 
limit.  Therefore,  the  HPOT  turbine  discharge  temperature  redline  will  be  considered  one  redline  sensor 
failure  away  from  cm  erroneous  shutdown  if  only  one  qualified  HPOT  turbine  discharge  temperature 
Sensor  is  qualified.  Because  there  is  no  lower  HPFT  turbine  discharge  temperature  redline  limit,  an 
SSME  is  not  declared  one  redline  sensor  failure  away  from  an  erroneous  shutdown  if  only  one  qualified 
HPFT  turbine  discharge  temperature  transducer  is  qualified  for  shutdown.  @[121296-4624]  ®[ED  ] 

A  failure  causing  one  turbine  discharge  temperature  to  remain  qualified,  but  vote  for  shutdown  on  the 
upper  redline,  can  result  in  SSME  shutdown  -  if  there  are  three  or  less  qualified  transducers  at  the 
redline  location.  This  can  occur  because  the  redline  logic  disqualifies  the  “lower”  transducers. 
Reference  Rule  {A5-2E},  SPACE  SHUTTLE  MAIN  ENGINE  OUT,  for  information  on 
qualification/reasonableness  testing.  The  only  known  thermocouple  failure  mode,  where  the 
thermocouple  fails  in-qualification-range  high  while  violating  the  upper  redline  limit,  is  a  “smart” 
failure  in  the  SSME  controller  thermocouple  sensor  signed  conditioning  pre-cimp  circuit.  This  failure 
mode  has  a  very  low  probability  of  occurrence  (reference  the  specicd  Rocketdyne  briefing  on  this  topic  to 
the  Shuttle  Program  Manager  on  11/9/95).  The  entire  thermocouple  turbine  discharge  temperature 
redline  processing  philosophy  of  disqualifying  the  “lower”  transducer  depends  on  this  low  probability. 
Since  the  redline  processing  philosophy  does  not  protect  for  this  case,  this  flight  rule  does  not  protect  for 
this  case  either.  ®[ED  ] 

Rules  {A5-2j,  SPACE  SHUTTLE  MAIN  ENGINE  OUT;  { A5-6 j,  SSME  REDLINE  SENSOR  FAILED;  and 
{A5-103},  LIMIT  SHUTDOWN  CONTROL,  reference  this  rule.  ®[i  21 296-4624  ]  ®[ED  ] 


VOLUME  A  11/21/02  FINAL,  PCN-1  BOOSTER  5-19 

Verify  that  this  is  the  correct  version  before  use. 


NASA  -  JOHNSON  SPACE  CENTER 


FLIGHT  RULES 


A5-8 


SPACE  SHUTTLE  MAIN  ENGINE  TYPES  ®[ED  ] 


HPOTP 

MCC 

HPFTP 

PHASE  II 

ROCKETDYNE 

STANDARD 

ROCKETDYNE 

BLOCK  I/I  A 

P&W 

STANDARD 

ROCKETDYNE 

BLOCK  IIA 

P&W 

LARGE  THROAT 

ROCKETDYNE 

BLOCK  II 

P&W 

LARGE  THROAT 

P&W 

®[1 21 1 97-6472A] 


THERE  ARE  MANY  HARDWARE  DIFFERENCES  ASSOCIATED  WITH  THE  VARIOUS 
SSME  TYPES.  ONLY  THE  DIFFERENCES  WITH  SIGNIFICANT  BOOSTER 
SYSTEMS  FLIGHT  CONTROLLER  OPERATIONAL  IMPACTS  ARE  LISTED  HERE. 

FROM  THE  BOOSTER  SYSTEMS  FLIGHT  CONTROLLER'S  PERSPECTIVE,  THE 
BLOCK  I  AND  THE  BLOCK  IA  OPERATIONAL  CHARACTERISTICS  ARE 
IDENTICAL.  FOR  THE  PURPOSES  OF  THE  FLIGHT  RULES,  THE 
NOMENCLATURE  'BLOCK  I'  WILL  BE  USED  FOR  BOTH. 

FOR  BLOCK  I/IIA/II:  INCORPORATION  OF  THE  PRATT  AND  WHITNEY 

(P&W)  ALTERNATE  HPOTP  IN  PLACE  OF  THE  ROCKETDYNE  BASELINE 
HPOTP  ELIMINATES  THE  SECONDARY  SEAL  REDLINE  AND  LOWERS  THE 
INTERMEDIATE  SEAL  REDLINE  (REF  RULE  {A5-2},  SPACE  SHUTTLE  MAIN 
ENGINE  OUT) . 

FOR  BLOCK  IIA/II:  INCORPORATION  OF  THE  LARGE  THROAT  MCC  IN 

PLACE  OF  THE  STANDARD  THROAT  MCC  REDUCES  THE  OVERALL  OPERATING 
PRESSURES  AND  TEMPERATURES  AT  A  GIVEN  POWER  LEVEL  AND  LOWERS  THE 
HPOTP  AND  HPFTP  TURBINE  DISCHARGE  TEMPERATURE  REDLINES  (REF  RULE 
{ A5 -2 } ,  SPACE  SHUTTLE  MAIN  ENGINE  OUT). 

FOR  BLOCK  II:  INCORPORATION  OF  THE  PRATT  AND  WHITNEY  ALTERNATE 

HPFTP  IN  PLACE  OF  THE  ROCKETDYNE  BASELINE  HPFTP  ELIMINATES  THE 
COOLANT  LINER  REDLINE  (REF  RULE  {A5-2},  SPACE  SHUTTLE  MAIN  ENGINE 
OUT)  . 

DETAILS  OF  THESE  CHANGES  ARE  COVERED  IN  BOOSTER  SYSTEMS'  CONSOLE 
TOOLS  AND  DOCUMENTATION. 


Rule  { A5-2 j,  SPACE  SHUTTLE  MAIN  ENGINE  OUT,  references  this  rule.  ®[121197-6472A] 
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A5-9  LH2  ULLAGE  LEAK  ®[ED  ] 

WITH  THREE  SSME'S  RUNNING  AT  MISSION  POWER  LEVEL,  AN  ET  L^ 
ULLAGE  LEAK  IS  CHARACTERIZED  BY  ALL  OF  THE  FOLLOWING:  @[040899-681 8A] 
®[1 02501 -4880A] 


lh2 

ULLAGE  PRESSURE  IS  STEADILY  DECAYING  AND 

• 

1 . 

HAS  DROPPED  BELOW  32 . 6 
MINUTES  30  SECONDS,  OR 

(32.2)  PSIA 

PRIOR 

TO 

AN 

MET 

OF  2 

2  . 

HAS  DROPPED  BELOW  31.0 
MINUTES  30  SECONDS 

(30.6)  PSIA 

AFTER 

AN 

MET 

OF 

2 

THE  GH2  2-INCH  DISCONNECT 
PSIA. 

PRESSURE  IS 

GREATER  THAN 

444 

(414 

The  ET  LH2  ullage  pressure  is  maintained  by  the  three  flow  control  valves  (FCV’s)  in  the  orbiter  GH2 
pressurization  system.  The  set  point  for  the  GH2  FCV  signal  conditioners  is  33.0  psia.  A  0.4  psi  signal 
conditioner  deadband  encompassing  the  set  point  results  in  actual  activation  values  as  low  as  32.6  psia  or 
as  high  as  33.4  psia.  A  significant  LH2  ullage  leak  or  an  orbiter  GH2  pressurization  system  anomaly 
(reference  Rule  {A5-155},  LIMIT  SHUTDOWN  CONTROL  AND  MANUAL  THROTTLING  FOR  LOW  LH2 
NPSP)  will  cause  the  LH2  ullage  pressure  to  drop  below  the  set  point  for  the  GH2  FCV  signal  conditioner. 
The  orbiter  GH2  pressurization  system  will  then  respond  by  opening  the  three  GH2  FCV’s  in  an  attempt  to 
increase  ullage  pressure.  The  FCV’s  have  been  shimmed,  such  that  an  open  FCV  provides  70  percent  flow 
through  the  valve  and  31  percen  t  flow  when  the  valve  is  commanded  closed.  These  settings  are  also 
referred  to  as  the  ‘high  flow’  and  ‘low  flow’  positions,  respectively. 

Data  provided  by  Lockheed  Martin/Michoud  (reference  PSIG  telecon  May  22,  2001)  indicates  that  a  GH2 
pressurization  system  operating  at  -3  sigma  could  cause  the  ullage  pressure  to  decay  to  a  minimum  pressure 
of  31.0  psia  (30.6  indicated  when  a  0.4  psi  worst  case  transducer  bias  is  included).  To  avoid  erroneously 
declaring  an  ullage  leak  when  the  GH2  pressurization  system  is  function  ing  nominally,  an  ullage  leak  will 
not  be  declared  unless  the  ullage  pressure  is  decaying  and  has  dropped  below  32.6  (32.2)  psia  prior  to  an 
MET  of  2  minutes  30  seconds  or  below  31.0  (30.6)  psia  after  an  MET  of  2  minutes  30  seconds.  These 
u  llage  pressures  (during  the  specified  time  periods)  are  the  lowest  that  could  possibly  occur  for  a  nominally 
operating  GH2  pressurization  system  (reference  PSIG  telecon  May  22,  2001).  ®[1 02501 -4880A] 
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A5-9  LH2  ULLAGE  LEAK  (CONTINUED) 

It  is  important  to  establish  the  difference  between  an  ullage  leak  and  an  orbiter  GH2  pressurization  system 
anomaly  since  the  required  actions  are  different  (reference  Rule  (A5-156J,  ABORT  PREFERENCE  FOR 
SYSTEMS  FAILURES).  The  2-inch  disconnect  pressure  cue  is  sufficient  to  distinguish  between  an  ullage 
leak  and  an  orbiter  GH2  pressurization  system  anomaly  once  the  LH2  ullage  pressure  has  decayed  below 
32.6  (32.2)  psici  or  31.0  (30.6)  psia  (depending  on  the  MET  that  it  occurs)  with  all  three  GH2  FCV’s  open. 
If  the  GH2  2-inch  disconnect  pressure  is  consisten  t  with  the  expected  value  for  three  open  FCV’s  (high  flow 
position),  then  the  LH2  ullage  pressure  problem  is  determined  to  be  the  result  of  cm  LH2  ullage  leak.  If  the 
GH2  2 -inch  disconnect  pressure  is  below  that  expected  for  three  open  FCV’s,  then  the  cause  of  the  low 
ullage  pressure  is  cm  orbiter  GH2  pressurization  system  anomaly.  ®[1 02501 -4880A] 

A  value  for  the  2-inch  disconnect  pressure  was  chosen  at  the  lowest  expected  value  for  three  flow  control 
valves  open  and  not  less  than  the  predicted  value  for  one  flow  control  valve  failed  closed  (low  flow  position) 
to  avoid  erroneously  calling  an  ullage  leak.  Data  provided  by  BN  A/Huntington  Beach  (reference  PSIG 
telecon  May  18,  2001),  on  all  flights  since  the  reshimming  of  the  flow  control  valves  (70  percent/31 
percent),  showed  that  the  lowest  2-inch  disconnect  pressure  seen  to  date  for  three  flow  con  trol  valves  open 
at  mission  power  level  was  448  psia  (on  STS-99,  97,  100,  and  106).  These  pressures  were  all  for  Block  IIA 
cluster  flights,  which  have  shown  to  provide  the  least  amount  of  ullage  pressurization  gas.  Subtracting  out 
a  one  sigma  dispersion  (4  psia)  and  a  3  percent  instrumentation  error  (30  psia)  yields  a  2-inch  disconnect 
pressure  value  of  414  psia.  Analysis  and  data  obtained  from  STS-104  (first  flight  of  a  single  Block  II 
engine)  indicates  a  Block  II SSME  will  provide  the  same  amount  of  ullage  pressurization  gas  as  a  Block  IIA 
engine;  therefore,  the  disconnect  pressure  of 444  (414)  psia  can  be  used  to  determine  the  presence  of  an 
ullage  leak  for  any  engine  configuration  of  a  Block  IIA  or  Block  II  type  SSME.  The  disconnect  pressure  cue 
is  only  valid  at  the  mission  power  level  with  three  SSME’s  running.  ®[1 02501 -4880A] 

Rule  {A5-155},  LIMIT  SHUTDOWN  CONTROL  AND  MANUAL  THROTTLING  FOR  LOW  LH2  NPSP, 
references  this  rule.  @[040899-681 8A] 
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A5-10  SIGNIFICANT  ENGINE  HELIUM  SYSTEM  LEAK  ®[ED  ] 

TANK  PRESSURE  DECAY  RATE  (DP/DT)  >  20  PSIA  OVER  3  SECONDS,  OR  AN 
INDICATED  HELIUM  USAGE  WHICH  IS  GREATER  THAN  0.055  LBM/SEC  AFTER 
AN  MET  OF  1  MINUTE  .  @[090894-1 676A] 

NOTE:  DECAY  RATE  CORRESPONDS  TO  THE  BFS  DECAY  RATE  COMPUTATION 
AND  THE  INDICATED  HELIUM  USAGE  IS  BASED  ON  MCC  MASS  FLOW  RATE 
COMPUTATIONS . 

Tank  pressure  decay  rate  (DP/DT)  >  20  psia/3  seconds  is  twice  the  nominal  value  of  approximately  10 
psia/3  seconds.  This  value  takes  into  account  normal  data  noise  and  the  10  psi  data  granularity  and 
represents  the  minimum  value  usable  to  detect  helium  leaks  on  board  the  vehicle.  In  addition  to  the 
DP/DT  computation,  the  MCC  uses  a  mass  flow  rate  computation  (Ibm/sec)  in  order  to  detect  helium 
leaks.  The  maximum  nominal  mainstage  usage  for  the  engine  HPOTP IMSL  purge  is  0.047  Ibm/sec  (ref. 
SSME-to-Orbiter  ICD  13M15000).  Usage  above  0.047  Ibm/sec  is  indicative  of  an  off-nominal  condition 
in  the  associated  MPS  helium  system  supply. 

Small  leaks  which  are  above  0.047  Ibm/sec  and  below  the  crew  alarm  criteria  (approximately  0.087 
Ibm/sec )  will  not  be  isolated  prior  to  an  MET  of  1  minute.  Action  to  isolate  small  helium  leaks  is  not 
taken  within  the  first  minute  after  liftoff  because  the  ground  computation  requires  20  seconds  of  data 
after  liftoff  for  proper  initialization  and  because  additional  time  is  required  by  the  MCC  for  leak 
evaluation.  Also,  a  leak  of  this  size  which  is  isolated  shortly  after  an  MET  of  1  minute  will  probably 
not  violate  the  single  regulator  zero-g  shutdown  requirements.  However,  continued  usage  at  this  rate 
may  significantly  reduce  the  helium  available  to  support  engine  shutdown  at  MECO. 

Even  though  helium  usage  above  0.047  is  off  nominal,  MCC  action  is  only  taken  for  leaks  with  a  usage 
above  0.055  Ibm/sec  or  greater.  This  number  accounts  for  noise  in  the  ground  computation  and  protects 
nominal  MECO  helium  requirements. 

Rule  {A5-151},  PRE-MECO  MPS  HELIUM  SYSTEM  LEAK  ISOLATION  [CIL],  references  this  rule. 

@[090894-1 676A] 
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A5-11  SIGNIFICANT  PNEUMATIC  SYSTEM  HELIUM  LEAK  ®[ED  ] 

ANY  LEAK  IN  THE  PNEUMATIC  TANK  SYSTEM  OR  PNEUMATIC  ACCUMULATOR 
WHICH  WILL  ANNUNCIATE  THE  CREW  SYSTEMS  MANAGEMENT  (SM)  ALERT 
(PNEU  TK  P  <  3800.0  PSIA)  PRIOR  TO  MECO  -30  SECONDS.  ©[090894-1676A] 
@[021199-6790] 

An  attempt  is  made  to  isolate  leaks  in  the  MPS  pneumatic  helium  supply  in  order  to  conserve  helium  for 
LO2  prevalve  closure  at  MECO.  Furthermore ,  if  the  leak  is  isolated,  the  pneumatic  helium  supply  will 
be  available  to  support  the  operation  of  a  leaking  MPS  helium  engine  supply. 

Isolation  will  only  be  performed  if  the  leak  is  large  enough  to  annunciate  the  crew  SM  Alert  prior  to 
MECO  -30  seconds.  ®[02i  1 99-6790  ] 

Rule  {A5-151},  PRE-MECO  MPS  HELIUM  SYSTEM  LEAK  ISOLATION  [CIL],  references  this  rule. 

@[090894-1 676A] 

A5-12  INSUFFICIENT  PNEUMATIC  HELIUM  ACCUMULATOR  PRESSURE 

®[ED  ] 

A  PNEUMATIC  ACCUMULATOR  PRESSURE  WHICH  IS  LESS  THAN  700  PSIA. 

@[090894-1 676A] 

Seven  hundred  psia  is  the  minimum  actuation  pressure  which  will  ensure  proper  LO2  cmcl  LH2  prevalve 
closu  re  timing  at  MECO.  Pressures  of 400  to  500  psia  will  fully  position  the  valves;  however,  timing 
requirements  may  not  be  satisfied  (ref.  SODB,  Vol.  ii,  Section  4.3.1).  Four  of  six  test  cases  of  three 
engine  prevalve  closures  at  an  initial  pressure  of 400  psia  were  within  the  timing  specification  of  1.15 
seconds  maximum  closing  time.  Of  the  two  that  violated  requirements,  one  was  0.03  seconds  slow  and 
the  other  was  0.06  seconds  slow  (reference  PSIG  telecon  charts,  5/19/93). 

It  is  critical  that  the  LO2  prevalves  close  within  timing  constraints  at  MECO.  LO2  prevalve  closure  and 
the  injection  of  helium  into  the  pogo  accumulator  are  used  to  main  tain  pressu  re  on  the  engine  high 
pressure  oxidizer  turbopump,  preventing  pump  cavitation  during  the  shutdown  sequence. 

Rule  (A5-151J,  PRE-MECO  MPS  HELIUM  SYSTEM  LEAK  ISOLATION  [CIL],  references  this  rule. 

@[090894-1 676A] 
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A5-13  MPS  DUMPS  AND  VACUUM  INERTING  DEFINITIONS  @[092701- 

4867A]  ®[ED  ] 

A.  MPS  DUMP 

A  PRESSURIZED  MPS  ID 2  AND  UNPRESSURIZED  LH2  DUMP  PERFORMED  IN 
MM  104  FOR  NOMINAL,  ATO,  AND  AOA  MISSIONS  THAT  IS  NORMALLY 
AUTOMATIC  AT  MECO  +  2  MINUTES,  BUT  CAN  BE  STARTED  OR  DELAYED 
MANUALLY  .  @[092195-1791  ] 

B.  MPS  GH2  INERT  @[092195-1791] 

A  MANUAL  INERTING  OF  GH2  THROUGH  THE  PRESS  LINE  VENT  VALVE 
PERFORMED  AFTER  THE  MPS  POWERDOWN  AND  ISOLATION  PROCEDURE  FOR 
NOMINAL,  ATO,  AND  AOA  MISSIONS.  @[111094-1719] 

C.  FIRST  AUTOMATED  VACUUM  INERT  @[092195-1791] 

AN  AUTOMATIC  INERTING  OF  THE  LH2  AND  L02  FEEDLINE  SYSTEMS 
THROUGH  THE  LH2  BACKUP  DUMP  VALVES  AND  THE  LC£  FILL/DRAIN 
VALVES  RESPECTIVELY.  THIS  INERT  IS  PERFORMED  AFTER  THE  MPS 
DUMP  FOR  NOMINAL,  ATO,  AND  AOA  MISSIONS  AT  MPS  DUMP  START  + 

17  MINUTES  (APPROXIMATELY  MECO  +19  MINUTES)  AND  CAN  ALSO  BE 
PERFORMED  MANUALLY. 

D  .  MANUAL  VACUUM  INERT  @[092195-1791  ] 

A  MANUAL  INERTING  OF  THE  LB^  OR  L02  FEEDLINE  SYSTEM  WHICH  IS 
PERFORMED  DUE  TO  INEFFICIENT  AUTOMATED  VACUUM  INERT (S).  THE 
MANUAL  VACUUM  INERT  IS  PERFORMED  ANY  TIME  AFTER  MPS  DUMP 
START  +  22  MINUTES  (APPROXIMATELY  MECO  +  24  MINUTES)  SUCH 
THAT  THE  AUTOMATED  COMMANDS  AND  THE  CREW'S  SWITCH  THROWS  WILL 
NOT  COINCIDE.  THE  LO2  FEEDLINE  SYSTEM  IS  MANUALLY  INERTED 
THROUGH  THE  L02  FILL/DRAIN  VALVES.  THE  LB^  FEEDLINE  SYSTEM 
IS  MANUALLY  INERTED  THROUGH  EITHER  THE  LBB?  BACKUP  DUMP  VALVES 
OR  THROUGH  THE  LH2  FILL/DRAIN  VALVES. 
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A5-13  MPS  PROPELLANT  DUMPS  AND  INERTING  DEFINITIONS 

(CONTINUED) 


E.  SECOND  AUTOMATED  VACUUM  INERT 

AN  INERTING  OF  THE  LH2  FEEDLINE  SYSTEM  THROUGH  THE  LR? 
BACKUP  DUMP  VALVES  PERFORMED  AFTER  THE  FIRST  AUTOMATED 
VACUUM  INERT  FOR  NOMINAL,  ATO,  AND  AOA  MISSIONS  THAT  IS 
AUTOMATICALLY  STARTED  AT  THE  MM  106  TRANSITION,  BUT  CAN 
ALSO  BE  PERFORMED  MANUALLY.  @[092701 -4867A] 

F.  ENTRY  MPS  DUMP  @[092195-1791]  @[092701 -4867A] 

AN  MPS  LH2  AND  L02  PROPELLANT  DUMP / INERT ING  STARTED 
AUTOMATICALLY  IN  MM  303  FOR  NOMINAL,  ATO,  AOA,  AND  TAL 
MISSIONS,  AND  IN  MM  602  FOR  AN  RTLS  ABORT. 


The  non-contingency  dumping  and  inerting  of  propellants  are  done  to  ensure  there  are  no  propellants  in 
the  man  ifolds  prior  to  landing.  The  orbiter  center  of  gravity  is  affected  by  dumping  the  residual  MPS 
propellants.  The  hazard  from  venting  LH2  during  entry  and  ingesting  it  into  the  aft  compartment  is 
removed  by  dumping  the  residual  LH2. 
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SRB  SYSTEMS  MANAGEMENT 


@[021694- ED  ] 

A5-51  LOSS  OF  SRB  THRUST  VECTOR  CONTROL  (TVC)  @[012402-4987] 

FOR  THE  LOSS  OF  TVC  ON  ONE  SRB,  THE  FLIGHT  WILL  BE  CONTINUED 
UNTIL  LOSS  OF  VEHICLE  CONTROL. 

The  loss  of  two  Hydraulic  Power  Units  (HPU’s)  on  one  SRB  results  in  no  TVC  control  on  that  SRB.  This 
may  result  in  loss  of  control  depending  on  nozzle  position.  There  is  no  manual  control  available; 
therefore,  there  is  no  crew  action  that  can  be  taken.  @[012402-4987  ] 

A5-52  THROUGH  A5-100  RULES  ARE  RESERVED 


VOLUME  A  11/21/02  FINAL,  PCN-1  BOOSTER  5-27 

Verify  that  this  is  the  correct  version  before  use. 


NASA  -  JOHNSON  SPACE  CENTER 


FLIGHT  RULES 


SSME  SYSTEMS  MANAGEMENT 


A5-101  ABORT  CUE  REQUIREMENT 

ANY  ENGINE  CONDITION  THAT  CAUSES  AN  ABORT  DECISION  WILL  BE 
CONFIRMED  USING  TWO  CUES. 

Two  cues  are  required  so  that  a  single  instrumentation  failure  will  not  cause  an  erroneous  abort 
decision. 


A5-102  AUTO/MANUAL  SHUTDOWN 

MANUAL  SHUTDOWN  OF  AN  ENGINE  WILL  NOT  BE  ATTEMPTED  IF  AUTOMATIC 
LIMIT  SHUTDOWN  CAPABILITY  IS  ENABLED  AND  AN  ENGINE  IS  APPROACHING 
A  SHUTDOWN  LIMIT.  AN  EXCEPTION  TO  THIS  RULE  IS  WHEN  EXCESSIVE 
HELIUM  LEAKAGE  REQUIRES  A  MANUAL  ENGINE  SHUTDOWN  AS  DISCUSSED  IN 
RULE  { A5-153 } ,  PRE-MECO  SHUT  DOWN  OF  ENGINES  DUE  TO  MPS  HELIUM 
LEAKS  .  @[032395-1766  ] 

The  automatic  limit  shutdown  system  was  designed  to  prevent  a  catastrophic  failure  of  an  engine.  Due  to 
response  times  and  the  complexity  of  the  SSME,  the  ground  and  crew  will  not  try  to  interfere  with  this 
system. 


A5-103  LIMIT  SHUTDOWN  CONTROL 

A.  PREMATURE  MAIN  ENGINE  SHUTDOWN  @[121296-4625] 

THE  MAIN  ENGINE  LIMIT  SHUTDOWN  CONTROL  CAPABILITY  WILL  BE 
MANAGED  AS  FOLLOWS:  @[121296-4625]  ®[1 1 1298-6785A] 

1.  INHIBITED  AT  ONE  ENGINE-OUT 

GPC  AUTOMATICALLY  COMMANDS  INHIBIT  TO  THE  REMAINING  TWO 
ENGINES . 

The  main  engine  limit  shutdown  switch  is  a  three-position  switch:  ENABLE,  AUTO,  and  INHIBIT.  At 
lift-off,  the  switch  is  in  the  AUTO  position,  and  the  limit  shutdown  control  logic  is  enabled  on  all  three 
engines.  After  one  engine-out  occurs,  the  main  engine  limit  shutdown  control  capability  on  the  two 
remaining  engines  is  automatically  inhibited.  ®[1 1 1 298-6785A] 

THIS  RULE  CONTINUED  ON  NEXT  PAGE 
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A5-103  LIMIT  SHUTDOWN  CONTROL  (CONTINUED) 

2.  WITH  ONE  ENGINE  OUT  AND  BFS  NOT  ENGAGED,  THE  MAIN  ENGINE 
LIMIT  SHUTDOWN  SOFTWARE  WILL  BE  REENABLED  BY  PLACING  THE 
MAIN  ENGINE  LIMIT  SHUTDOWN  SWITCH  TO  "ENABLE"  THEN  "AUTO." 
REENABLING  WILL  BE  BASED  UPON  THE  FOLLOWING  CONDITIONS: 

a.  THE  CREW  WILL  MANUALLY  REENABLE  THE  LIMITS  AS  SOON  AS 
POSSIBLE  FOLLOWING  THE  ENGINE  OUT.  ®[1 1 1 298-6785A] 

The  reenabling  of  the  main  engine  limit  shutdown  software  is  required  to  regain,  as  soon  as  possible,  the 
engine  redline  shu  tdown  protection  in  the  event  of  a  second  engine  failure.  The  reenabling  of  the  main 
engine  limit  shutdown  software  will  be  accomplished  by  taking  the  main  engine  limit  shutdown  switch  to 
ENABLE  then  to  AUTO.  This  allows  one  of  the  running  engines  to  shut  down  due  to  a  limit  violation 
while  automatically  inhibiting  the  main  engine  limit  shutdown  control  capability  on  the  one  remaining 
engine.  Single-engine  flight  con  trol  capability  would  then  take  the  vehicle  to  MECO. 

The  philosophy  of  when  to  reenable  the  main  engine  limit  shutdown  software  attempts  to  balance  the  risk 
of  cm  engine  failing  catastrophically  while  the  limits  are  inhibited  against  the  risk  associated  with  a  two 
engine-out  contingency  abort. 

A  meeting  was  held  with  the  Shuttle  Program  Manager  on  September  10,  1998,  to  discuss  the  risks. 
Insufficien  t  data  is  available  to  perform  a  risk  trade  since  1)  The  likelihood  of  cm  SSME  running  safely 
above  a  redlin  e  limit  is  unknown,  and  2)  The  likelihood  of  surviving  a  con  tingency  abort  and  the 
associated  ET  separation,  flight  control,  thermal,  crew  bailout,  and  rescue  is  also  unknown.  The  two 
engine-out  contingency  abort  risks  were  accepted  over  running  an  SSME  with  limits  inhibited.  The  risk 
of  running  an  SSME  with  limits  inhibited  was  accepted  over  the  three  engine-out  contingency  abort. 

Based  on  this  philosophy,  the  mean  engine  limit  shutdown  software  will  remain  enabled  (or  reenabled ) 
for  one  engine-out  cases  and  inhibited  for  all  two  engine-out  cases.  @[121296-4625  ]  ®[1 1 1298-6785A] 

The  September  15  and  November  18,  1987,  and  June  2,  1995,  Ascent/Entry  Flight  Techniques  panels 
reviewed  the  failure  history  of  the  redline  sensors  and  came  to  the  conclusion  that  the  engine  redline 
sensors  are  reliable  and  should,  in  general,  be  trusted  to  not  cause  an  inadvertent  shutdown. 

b.  IF  THE  MCC  DETERMINES  ONE  OF  THE  REDLINE  SENSORS  IS 
FAILED  AND: 

THIS  RULE  CONTINUED  ON  NEXT  PAGE 
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A5-103  LIMIT  SHUTDOWN  CONTROL  (CONTINUED) 

(1)  EITHER  OF  THE  REMAINING  ENGINES  IS  ONE  REDLINE 
SENSOR  FAILURE  AWAY  FROM  AN  ERRONEOUS  SHUTDOWN, 

THE  MAIN  ENGINE  LIMIT  SHUTDOWN  SOFTWARE  WILL  BE 
INHIBITED  UNTIL  THE  FOLLOWING  BOUNDARY  IS  REACHED 
AND  THEN  REENABLED:  @[121296-4625]  ®[1 1 1 298-6785A] 

RTLS  -  SINGLE  ENGINE  RTLS  BOUNDARY 

TAL,  AOA,  ATO,  NOM  -  SINGLE  ENGINE  LIMITS  BOUNDARY 

FOR  A  PRIME  TAL  SITE  OR  OTHER 
AUGMENTED  TAL/CONTINGENCY  SITE 
IF  WEATHER  OR  LANDING  AIDS 
PERMIT  (REFERENCE  RULE  {A2-6}, 
LANDING  SITE  WEATHER  CRITERIA 
[HC] ) .  IF  WEATHER  AND/OR 
LANDING  AIDS  DO  NOT  PERMIT, 
REENABLE  AT  SINGLE  ENGINE 
PRESS.  @[092195-1793] 

(2)  NEITHER  OF  THE  REMAINING  ENGINES  IS  ONE  REDLINE 
SENSOR  FAILURE  AWAY  FROM  AN  ERRONEOUS  SHUTDOWN, 
REENABLE  THE  MAIN  ENGINE  LIMIT  SHUTDOWN  SOFTWARE 
AS  SOON  AS  POSSIBLE. 


The  MCC  is  responsible  for  evaluating  sensor  failures  since  the  flight  crew  has  no  visibility  into  the 
sensor  health.  Software  flags  issued  by  the  onboard  mean  engine  con  troller  sensor  reasonableness 
software  or  previously  observed  failure  modes  would  be  used  by  the  MCC  as  criteria  to  say  that  a  sensor 
had  failed.  If  previous  to  the  first  engine  shutdown,  a  sensor  failure  were  detected  and  then  the  engine 
shut  down  based  on  the  remaining  redline  sensor,  that  second  failure  would  not  be  counted  as  a  sensor 
failure  unless  the  flight  controllers  could  positively  identify  the  sensor  failure  mode.  A  subsequent 
sensor  failure  on  another  running  engine  would  have  to  occur  before  two  sensor  failures  could  be 
counted.  This  type  of  situation  occurred  on  STS  51-F.  All  sensor  failures  on  STS  51-F  were  detected  by 
the  onboard  mean  engine  sensor  reasonableness  software.  This  software  also  informed  the  flight 
controllers  of  the  failures  via  the  downlisted  failure  identifier  data  words.  ®[1 1 1298-6785A] 
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A5-103  LIMIT  SHUTDOWN  CONTROL  (CONTINUED) 

The  main  engine  limit  shutdown  software  will  be  enabled  at  an  appropriate  boundary  with  one  sensor 
failure  on  one  of  the  three  engines,  because  one  sensor  failure  does  not  indicate  a  trend  for  a  generic 
failure  of  the  sensors.  If  either  of  the  remaining  two  engines  is  one  sensor  failure  away  from  an 
erroneous  shutdown,  limits  will  remain  inhibited  until  an  abort  boundary  is  reached.  The  limits  will  be 
reenabled  when  an  abort  boundary  (as  defined  in  Rule  {A4-56},  PERFORMANCE  BOUNDARIES)  is 
reached  such  that  a  single-engine  abort  can  be  accomplished  to  the  desired  site.  On  cm  RTLS,  this  abort 
boundary  is  Single  Engine  RTLS  ( which  is  designated  by  the  “two-out  red  on  the  TRAJ  display”  call).  If 
neither  of  the  remaining  engines  is  one  sensor  failure  away  from  cm  erroneous  shutdown,  limits  can  be 
reenabled  as  soon  as  possible.  This  allows  the  redlines  to  provide  the  earliest  protection  against  a  real 
engine  hardware  failure.  ®[1 1 1 298-6785A] 

On  a  TAL,  AO  A,  ATO,  or  nominal  profile,  this  abort  boundary  is  Single  Engine  Limits  if  weather  or 
landing  aids  permit.  Otherwise,  the  limits  will  be  reenabled  at  Single  Engine  Press  (ref.  Rule  / A2-6 }, 
LANDING  SITE  WEATHER  CRITERIA  [HC]).  With  one  sensor  failure  and  either  of  the  remaining 
engines  one  sensor  failure  away  from  shutting  down  erroneously,  the  risk  of  cm  engine  shutdown  due  to 
another  sensor  failure  is  higher  than  that  due  to  an  actual  engine  failure  if  the  limits  were  reenabled. 
Because  of  this  increased  risk  of  cm  engine  shutdown  caused  by  sensor  failures,  the  exposure  to  bailout  is 
not  acceptable  unless  the  next  sensor  failure  will  not  cause  an  erroneous  shutdown.  For  these  reasons, 
the  limits  are  inhibited  until  the  single  engine  limits  boundary  to  minimize  the  need  for  a  contingency 
abort  and  crew  bailout.  ®[1 21 296-4625  ] 

C.  IF  THE  MCC  DETERMINES  TWO  OR  MORE  OF  THE  SAME  TYPE 

(TEMPERATURE  OR  PRESSURE)  ENGINE  REDLINE  SENSORS  HAVE 
FAILED  AND: 

(1)  EITHER  OF  THE  REMAINING  ENGINES  IS  ONE  REDLINE 
SENSOR  FAILURE  AWAY  FROM  AN  ERRONEOUS  SHUTDOWN, 
THE  MAIN  ENGINE  LIMIT  SHUTDOWN  SOFTWARE  WILL  BE 
INHIBITED  THROUGH  MECO . 

(2)  NEITHER  OF  THE  REMAINING  ENGINES  IS  ONE  REDLINE 
SENSOR  FAILURE  AWAY  FROM  AN  ERRONEOUS  SHUTDOWN, 
REENABLE  THE  MAIN  ENGINE  LIMIT  SHUTDOWN  SOFTWARE 
AS  SOON  AS  POSSIBLE: 

The  shutdown  sensors  on  the  same  redline  will  be  suspected  of  having  a  generic  problem  if  more  than 
one  sensor  fails  (two  or  more  sensors  failed  on  the  same  type  of  redline).  If  either  remaining  engine  is 
one  sensor  failure  away  from  an  erroneous  shutdown,  limits  will  remain  inhibited  through  MECO  in 
order  to  prevent  the  next  sensor  failure  from  shutting  down  a  good  engine.  The  two  failures  could  occur 
on  one  or  more  engines  including  the  failed  engine.  If  neither  engine  is  one  sensor  failure  away  from  an 
erroneous  shutdown,  then  limits  are  reenabled  as  soon  as  possible.  This  allows  the  earliest  possible 
protection  by  the  redline  sensors  against  a  real  engine  hardware  failure.  @[121296-4625  ]  ®[1 1 1298-6785A] 
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A5-103  LIMIT  SHUTDOWN  CONTROL  (CONTINUED) 

3.  WITH  ONE  ENGINE  OUT  AND  BFS  ENGAGED,  THE  MAIN  ENGINE 
LIMIT  SHUTDOWN  SOFTWARE  WILL  BE  INHIBITED  THROUGH  MECO 
BY  THE  BFS  AUTOMATIC  COMMAND.  @[121296-4625]  ®[1 1 1 298-6785A] 

The  main  engine  limit  shutdown  control  will  be  inhibited  on  two  remaining  engines  if  the  BFS  is 
engaged.  The  BFS  does  not  have  single-engine  flight  control  software  and  therefore  cannot  control  the 
vehicle  with  two  engines  shut  down.  If  the  engine  shuts  down  after  the  BFS  is  engaged ,  the  BFS  will 
automatically  command  inhibit  to  the  remaining  engines.  If  the  engine  shuts  down  while  on  the  PASS, 
limits  subsequently  reenabled,  and  then  BFS  engaged,  the  BFS  will  again  automatically  command  inhibit 
to  the  remaining  engines  since  the  BFS  reevaluates  and  responds  to  engine  out  status  when  engaged. 

4.  WITH  TWO  ENGINES  OUT,  THE  MAIN  ENGINE  LIMIT  SHUTDOWN 
SOFTWARE  WILL  REMAIN  INHIBITED  THROUGH  MECO. 

Since  three  engine-out  contingency  aborts  contain  “black  zones  ”  and  are  more  severe  than  the  two-engine 
contingency  aborts,  limits  will  remain  inhibited  on  the  last  running  engine. 

Rules  (A2-6J,  LANDING  SITE  WEATHER  CRITERIA  [HC];  { A2-55 j,  USE  OF  LOW-ENERGY 
GUIDANCE;  and  { A5-104 },  DATA  PATH  FAIL/ENGINE-ON  LIMIT  SHUTDOWN  CONTROL, 
reference  this  rule.  @[120894-1663  ] 

B.  STUCK  THROTTLE  IN  THE  THRUST  BUCKET 

IF  A  STUCK  THROTTLE  CONDITION  OCCURS  DURING  MAX  Q 
THROTTLING  SUCH  THAT  THE  POWER  LEVEL  IS  LESS  THAN  THE 
NOMINAL  FLIGHT  POWER  LEVEL,  THE  MAIN  ENGINE  LIMIT 
SHUTDOWN  SOFTWARE  WILL  REMAIN  ENABLED. 

When  an  engine  experiences  a  stuck  throttle  in  the  thrust  bucket,  performance  may  be  reduced 
sufficiently  that  an  abort  gap  may  occur  between  RTLS  capability  and  any  downrange  abort  capability. 
Uphill  capability  may  also  be  lost.  Main  engine  limit  shutdown  software  remains  enabled  to  allow  for 
the  stuck  engine  to  shut  down  if  it  exceeds  redline  limits.  In  the  case  of  a  hydraulic  lock-up,  valve  drift 
may  occur  resulting  in  potential  redline  limit  exceedance;  therefore,  the  main  engine  limit  shutdown 
software  remains  enabled.  It  has  been  accepted  that  the  loss  of  a  good  engine  could  result  in  a  1  and  2/3 
RTLS  contingency  abort. 

C.  WITH  ONE  ENGINE  OUT  AND  ONE  OF  THE  REMAINING  ENGINES  HAS  A 
NON- 1  SOL AT ABLE  MPS  HELIUM  LEAK,  THE  MAIN  ENGINE  LIMIT  SHUTDOWN 
SOFTWARE  WILL  BE  INHIBITED  BASED  ON  THE  FOLLOWING :  @[111 298-6785A] 
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A5-103  LIMIT  SHUTDOWN  CONTROL  (CONTINUED) 

1.  PRIOR  TO  THE  SINGLE  ENGINE  LIMITS  ( TAL  ABORT)  OR  SINGLE 
ENGINE  RTLS  (RTLS  ABORT)  BOUNDARY:  ®[1 1 1 298-6785A] 

WHEN  THE  PNEUMATIC  HELIUM  AND/OR  FAILED  ENGINE'S  MPS 
HELIUM  TANK  PRESSURE  REACHES  1150  PSIA  FOLLOWING  THE 
INTERCONNECT  TO  THE  LEAKING  SYSTEM'S  HELIUM  OR  WHEN  BOTH 
LEAKING  ENGINE'S  HELIUM  REGULATOR  PRESSURES  ARE  BELOW  715 
(679)  PSIA 

2.  OTHERWISE,  NO  ACTION  REQUIRED. 

IF  THE  SINGLE  ENGINE  LIMITS  (TAL  ABORT)  OR  SINGLE 
ENGINE  RTLS  (RTLS  ABORT)  BOUNDARY  IS  REACHED  WITHOUT 
INTERCONNECTING  TO  THE  NON-LEAKING,  RUNNING  ENGINE'S 
HELIUM,  THE  MAIN  ENGINE  LIMIT  SHUTDOWN  SOFTWARE  WILL  BE 
REENABLED . 

IF  HELIUM  FROM  THE  NON-LEAKING,  RUNNING  ENGINE  IS 
REQUIRED  TO  SUPPORT  THE  LEAKING  ENGINE'S  OPERATION  (REF. 
RULE  { A5-152 } ,  PRE  MECO  MPS  HELIUM  SYSTEM  INTERCONNECTS 
[CIL] ) ,  THE  MAIN  ENGINE  LIMIT  SHUTDOWN  SOFTWARE  WILL 
REMAIN  INHIBITED  THROUGH  MECO.  @[090894-1 676 A]  @[121296-4625] 

For  the  case  of  two  engines  running  (one  with  a  non-isolatable  MPS  helium  leak),  the  main  engine  limit 
shutdown  software  will  be  reenabled  by  the  crew  per  paragraph  A.2.a.  If  the  leaking  engine  cannot 
support  the  SE  Limits  or  SE  RTLS  boundary  with  an  interconnect  from  pneumatic  and/or  the  failed 
engine’s  helium,  the  leaking  engine  will  be  allowed  to  operate  below  the  HPOTP IMSL  redline  to  avoid  a 
two  engine-out  contingency  abort  (per  Rules  {A5-152},  PRE-MECO  MPS  HELIUM  SYSTEM 
INTERCONNECTS  [CIL],  and  {A5-153},  PRE-MECO  SHUTDOWN  OF  ENGINES  DUE  TO  MPS 
HELIUM  LEAKS).  To  operate  below  the  redline,  limits  must  be  inhibited.  The  MCC  will  call  for  the 
mean  engine  limit  shutdown  switch  to  “inhibit”  when  the  pneumatic  helium  and/or  failed  engine’s  helium 
tank  pressure  reaches  1150  psici  following  the  interconnect  to  the  leaking  system  or  when  the  leaking 
system’s  regulator  pressures  are  below  715  (679)  psia.  The  1150  psia  tank  pressure  cue  was  selected  as 
the  operational  cue  corresponding  to  the  crew’s  MPS  helium  tank  pressure  C&W  (not  the  pneumatic 
helium  tank  pressure  C&W)  while  ensuring  that  the  HPOTP  IMSL  redline  limit  is  not  exceeded  prior  to 
inhibiting  the  limits.  It  also  minimizes  the  amoun  t  of  time  that  the  remaining  engines  are  exposed  to 
main  engine  limits  being  inhibited.  The  715  (679)  psia  regulator  pressure  cue  was  selected  as  a  backup 
cue  for  large  MPS  helium  leaks  to  ensure  that  the  HPOTP  IMSL  redline  limit  is  not  exceeded  before 
main  engine  shutdown  limits  are  inhibited.  The  main  engine  limit  shutdown  software  will  be  reenabled 
upon  reaching  the  first  single  engine  abort  landing  site  capability,  which  is  either  SE  Limits  or  SE  RTLS 
(ref.  AEFTP  #107,  11/4/93),  if  cm  in  terconnect  from  a  runn  ing  engine  has  not  been  performed.  This 
represents  the  earliest  time  after  which  cm  attempt  can  be  made  to  reach  a  landing  site  with  a  good 
engine  out.  ®[1 1 1 298-6785A] 
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A5-103  LIMIT  SHUTDOWN  CONTROL  (CONTINUED) 


The  main  engine  limit  shutdown  software  will  remain  inhibited  if  the  non-leaking,  running  engine’s 
helium  has  been  interconnected  to  a  leaking  engine  (no  three  engine-out  abort  capability).  Keeping 
limits  inhibited  in  this  configuration  will  allow  the  main  engine  with  the  leaking  MPS  helium  supply  to 
continue  to  operate  below  the  normal  HPOTP IMSL  redline.  Running  the  engine  below  the  normal 
redline  is  cm  acceptable  risk  while  the  vehicle  is  in  an  abort  gap  since  the  only  alternative  is  cm  early 
MECO  and  the  loss  of  the  vehicle  and  crew.  ®[i  21 296-4625  ]  ®[i  1 1 298-6785A] 

Reference  Rule  {A5-153},  PRE-MECO  SHUT  DOWN  OF  ENGINES  DUE  TO  MPS  HELIUM  LEAKS. 

@[090894-1 676A] 

D.  IF  FLOW  CONTROL  VALVE  FAILURES  OR  AN  ULLAGE  GAS  LEAK  CAUSE  A 
LOW  LH2  NPSP  CONDITION,  THE  MAIN  ENGINE  LIMIT  SHUTDOWN 
SOFTWARE  WILL  BE  MANUALLY  ENABLED  BY  PLACING  THE  MAIN  ENGINE 
LIMIT  SHUTDOWN  SWITCH  TO  "ENABLE"  PER  FLIGHT  RULE  {A5-155}, 
LIMIT  SHUTDOWN  CONTROL  AND  MANUAL  THROTTLING  FOR  LOW  LIJ 
NPSP.  @[121296-4625] 

Reference  Rule  and  rationale  {A5-155},  LIMIT  SHUTDOWN  CONTROL  AND  MANUAL  THROTTLING 
FOR  LOW  LH2  NPSP. 

E.  IF  A  DATA  PATH  FAILURE  OCCURS  ON  AN  ENGINE  THAT  IS  CONFIRMED 
RUNNING,  THE  MAIN  ENGINE  LIMIT  SHUTDOWN  SOFTWARE  WILL  BE 
REENABLED  PER  FLIGHT  RULE  {A5-104},  DATA  PATH  FAIL/ENGINE-ON 
LIMIT  SHUTDOWN  CONTROL. 

Reference  Rule  and  rationale  {A5-104},  DATA  PATH  FAIL/ENGINE-ON  LIMIT  SHUTDOWN  CONTROL. 

F.  IF  A  GPC  SET  SPLIT  OCCURS  AND  THE  MAIN  ENGINE  LIMIT  SHUTDOWN 
SOFTWARE  ON  TWO  ENGINES  IS  AUTOMATICALLY  INHIBITED,  THE  MAIN 
ENGINE  LIMIT  SHUTDOWN  SOFTWARE  WILL  BE  MANUALLY  ENABLED. 


In  a  set  split  condition,  two  GPC’s  will  not  see  data  from  one  of  the  engines  and  will  automatically 
inhibit  the  main  engine  limit  shutdown  software  on  the  other  two  engines.  If  limits  are  reenabled  by 
taking  the  mean  engine  limit  shutdown  switch  to  ENABLE  then  AUTO,  the  limits  would  be  automatically 
inhibited  on  the  next  cycle.  Therefore,  the  mean  engine  limit  shutdown  switch  will  only  be  taken  to 
ENABLE.  Reference  Rule  and  rationale  {A5-104},  DATA  PATH  FAIL/ENGINE-ON  LIMIT 
SHUTDOWN  CONTROL. 
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A5-103  LIMIT  SHUTDOWN  CONTROL  (CONTINUED) 

G.  FOR  LOSS  OF  TVC  CONTROL  ON  AN  OPERATING  MAIN  ENGINE,  THE  MAIN 
ENGINE  LIMIT  SHUTDOWN  SOFTWARE  WILL  BE  INHIBITED  (THREE 
ENGINES  RUNNING)  UNTIL  TWO-ENGINE  TAL  CAPABILITY  IS  ACHIEVED 
OR,  ON  AN  RTLS ,  UNTIL  AFTER  POWERED  PITCH-AROUND  (PPA)  IS 
COMPLETE . 

The  risk  of  running  an  engine  with  the  main  engine  limits  inhibited  is  accepted  over  the  risk  of  loss  of 
con  trol  during  the  RTLS  powered  pitch  around  (PPA)  as  a  result  of  a  gimballing  engine  failure.  If  a 
mean  engine  has  lost  TVC  capability,  the  failu  re  of  a  gimballing  engine  could  result  in  a  loss  of 
con  trol,  even  if  single-engine  roll  control  (SERC)  is  active.  Since  an  RTLS  trajectory  is  much  more 
demanding  than  an  uphill  or  TAL  case  from  a  con  trol  standpoin  t,  avoiding  an  RTLS  abort  is  highly 
desirable.  Additionally,  if  the  loss  of  TVC  is  due  to  hydraulic  system  failures,  the  engines  in  hydraulic 
lockup  could  fail  due  to  valve  drift,  so  a  trajectory  that  provides  the  earliest  possible  single-engine 
capability  is  desirable.  If  a  three-engine  RTLS  is  performed,  the  main  engine  limit  shutdown  software 
will  be  inhibited  until  after  PPA,  since  a  loss  of  control  is  very  possible  if  PPA  is  attempted  with  one 
gimballing  and  one  nongimballing  engine.  ®[i  21 296-4625  ]  ®[i  1 1 298-6785A] 

Reference  rule  { A8-61  j,  SSME  SHUTDOWN  DUE  TO  HYDRAULIC  SYSTEM  FAILURES. 

H.  DURING  A  THREE  ENGINE  RTLS  ABORT,  TIME  PERMITTING,  THE  MAIN 
ENGINE  LIMIT  SHUTDOWN  SWITCH  WILL  BE  TOGGLED  TO  INHIBIT, 
ENABLE,  AND  BACK  TO  AUTO.  THIS  ACTION  WILL  BE  DELAYED  AS 
LONG  AS  POSSIBLE,  BUT  MUST  BE  COMPLETED  PRIOR  TO  AN  MET  OF  8 
MINUTES.  @[121296-4625]  ®[1 1 1 298-6785A] 

A  CPC  or  manual  toggle  of  the  main  engine  limit  shutdown  software  to  inhibit  will  be  required  on  a 
three  engine  RTLS  abort  due  to  the  incorporation  of  single  command  channel  shu  tdown  logic  in  the  main 
engine  controller  software.  The  intent  of  this  is  to  protect  the  vehicle  and  crew  from  exposure  to  a  latent 
orbiter/main  engine  command  path  failure  at  MECO  (catastrophic).  This  is  accomplished  by  reducing 
the  normal  2  of  3  shutdown  command  channel  agreement  criteria  to  I  of  3  shutdown  command  channel 
acceptance  processing.  The  software,  which  is  invoked  after  a  mission  specific  timer  has  expired,  will 
allow  acceptance  and  execution  of  the  following  two  sequen  tial  commands,  shutdown  -enable  followed  by 
a  shutdown  command  on  a  single  command  channel.  Should  a  limit’s  inhibit  command  be  processed  and 
accepted  by  the  con  troller  prior  to  the  execution  of  the  single  command  channel  logic,  single  command 
channel  processing  will  no  longer  be  performed.  The  mission  specific  timer  is  calculated  by  subtracting 
5.5  seconds  (3  sigma  dispersion)  from  the  predicted  MECO  time  referenced  to  SSME  start.  That  is,  the 
predicted  MECO  time  in  MET  plus  the  time  from  the  last  SSME  start  (6.36  seconds)  minus  3  sigma 
dispersion  (5.5  seconds).  ®[091 098-671 OA] 
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A5-103  LIMIT  SHUTDOWN  CONTROL  (CONTINUED) 

Toggling  of  the  main  engine  limit  shutdown  switch  on  a  three  engine  RTLS  is  performed  in  order  to 
preclude  the  possibility  of  losing  all  main  engines  due  to  a  failed-to-sync  GPC  after  the  controller  timer 
has  expired.  Normally,  exposure  to  this  condition  is  either  minimized  (to  approximately  5  seconds )  by 
projected  MECO  times  on  the  order  of  511  seconds  on  uphill  missions  and  TAL  aborts,  or  eliminated  by 
a  main  engine  out  (the  GPC’s  command  inhibit  on  the  remaining  engines  and  the  single  command 
channel  shutdown  processing  is  disabled).  However,  the  time  of  exposu  re  to  a  three  engine  out  condition 
may  be  sign  ifican  t  (120  seconds )  on  a  systems  RTLS  abort.  This  exposure  results  from  the  extended 
main  engine  burntime  (MECO  at  approximately  630  seconds  MET )  and  the  absence  of  an  engine-out 
limits  inhibit  command.  Consequently,  the  main  engine  limit  shutdown  software  will  be  manually 
toggled  to  inhibit  in  order  to  minimize  exposure  to  a  failed-to-sync  GPC.  This  action  will  be  delayed  as 
long  as  possible  in  order  to  retain  main  engine  shutdown  capability,  and  to  possibly  eliminate  cm 
unnecessary  action,  should  a  main  engine  out  occur  prior  to  the  expiration  of  the  controller  timer.  The 
cue  of  8  minutes  provides  margin  prior  to  expiration  of  the  timer.  ®[090894-l  679A]  @[121296-4625  ]  @[091098- 
671 0A] 
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A5-104  DATA  PATH  FAIL/ENGINE -ON  LIMIT  SHUTDOWN  CONTROL 

WITH  A  DATA  PATH  FAILURE  AND  THE  ENGINE  CONFIRMED  ON  BY  THE  MCC, 
THE  MAIN  ENGINE  LIMIT  SHUTDOWN  CONTROL  CAPABILITY  WILL  BE  MANAGED 
IN  THE  FOLLOWING  MANNER:  ©[121296-4594A] 

A  data  path  failure  occurs  when  the  GPC’s  (PASS  or  BFS)  either  do  not  see  the  main  engine  time  reference 
word  (TREF)  updating  or  when  the  two  main  engine  identification  words  (ID  words  1  &  2)  are  not  one’s 
complements.  If  this  occurs  in  the  controlling  GPC’s,  the  controlling  GPC’s  will  automatically  inhibit  the 
main  engine  limit  shutdown  software  on  the  other  two  main  engines.  However,  the  GPC  software  will  not 
inhibit  the  limits  on  the  engine  with  the  data  path  failure.  This  response  occurs  because  the  GPC’s  assume 
the  engine  has  failed  behind  the  data  path  failure. 

A.  BFS  NOT  ENGAGED: 

1.  THE  MAIN  ENGINE  LIMIT  SHUTDOWN  SOFTWARE  WILL  BE  REENABLED 
BY  PLACING  THE  MAIN  ENGINE  LIMIT  SHUTDOWN  SWITCH  TO 
"ENABLE"  THEN  "AUTO". 

Once  the  MCC  confirms  that  the  engine  with  the  data  path  failure  is  running,  the  crew  will  remove  the 
inhibits  by  manually  placing  the  main  engine  limit  shutdown  switch  to  ENABLE,  then  AUTO.  This 
switch  movement  causes  the  main  engine  limit  shutdown  software  to  be  reenabled  on  all  running  engines. 

2.  FOR  AN  ENGINE  OUT:  ®[1 1 1 298-6785A] 

a.  IF  THE  ENGINE  THAT  SHUT  DOWN  WAS  THE  ONE  THAT  HAD  THE 
DATA  PATH  FAILURE,  THE  MAIN  ENGINE  LIMIT  SHUTDOWN 
SOFTWARE  WILL  REMAIN  ENABLED. 

If  the  engine  that  shuts  down  is  the  engine  with  the  data  path  failure,  the  GPC’s  will  not  automatically 
inhibit  the  main  engine  limit  shutdown  software.  The  main  engine  limit  shutdown  software  will  remain 
enabled  to  allow  for  a  second  engine  out  (ref  Rule  {A5-103J,  LIMIT  SHUTDOWN  CONTROL ). 

®[1 21 296-4594A]  ®[1 1 1 298-6785A] 
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A5-104  DATA  PATH  FAIL/ENGINE -ON  LIMIT  SHUTDOWN  CONTROL 

b.  IF  THE  ENGINE  THAT  SHUT  DOWN  WAS  NOT  THE  ONE  WITH  THE 
DATA  PATH  FAILURE,  THE  PASS  WILL  AUTOMATICALLY  INHIBIT 
LIMITS.  LIMITS  WILL  REMAIN  INHIBITED  UNTIL  MECO . 

®[1 21 296-4594A]  ®[1 1 1 298-6785A] 

If  the  engine  that  shuts  down  did  not  have  the  data  path  failure,  the  limit  shutdown  control  capability 
of  the  two  remaining  engines  will  automatically  be  inhibited  by  the  PASS  GPC’s.  In  this  case, 
however,  the  limits  will  remain  inhibited  until  MECO.  The  reason  is  that,  if  the  limits  were  reenabled 
and  the  remaining  engine  with  the  good  data  path  exceeds  a  redline  and  shuts  down,  MECO  confirmed 
conditions  would  be  satisfied  by  having  two  engines  with  main  combustion  chamber  pressure  less  than 
30  percen  t  power  level  and  one  engine  with  a  data  path  failure.  MECO  command  would  be  sent, 
resulting  in  the  shutdown  of  the  engine  with  the  data  path  failure.  This  early  MECO  could  result  in  an 
unacceptable  underspeed.  ®[i  21 296-4594A] 

B.  BFS  ENGAGED: 

1.  THE  MAIN  ENGINE  LIMIT  SHUTDOWN  SOFTWARE  WILL  BE  ENABLED 
BY  PLACING  THE  MAIN  ENGINE  LIMIT  SHUTDOWN  SWITCH  TO 
"ENABLE"  (UNLESS  THE  BFS  AUTOMATICALLY  REENABLED  LIMITS 
UPON  BFS  ENGAGE)  .  ®[1 1 1 298-6785A] 

If  the  data  path  failure  occurs  before  BFS  engage,  when  the  BFS  is  engaged,  all  data  path  failure  flags 
are  reset  in  the  BFS  software.  The  BFS  immediately  attempts  to  establish  communication  with  the 
engines.  However,  if  this  is  not  successful  a  data  path  failure  is  annunciated  on  that  engine.  At  this 
point,  the  BFS  software  automatically  inhibits  the  mean  engine  limit  shutdown  software  on  the  other  two 
engines.  If  the  data  path  failure  occurs  after  BFS  engage,  the  BFS  will  inhibit  limits  on  the  other  two 
engines.  Once  the  MCC  confirms  the  engine  with  the  data  path  failure  is  running,  the  crew  will  remove 
the  inhibits  by  manually  placing  the  mean  engine  limit  shutdown  switch  to  ENABLE  to  prevent  running 
the  engines  for  the  remainder  of  the  flight  with  limits  inhibited.  The  BFS  mean  engine  limit  shutdown 
switch  logic  does  not  work  the  same  way  it  does  in  the  PASS  (in  the  BFS,  ENABLE/AUTO  will  cause  the 
limits  to  go  back  to  inhibit). 

The  BFS  will  automatically  reenable  limits  if  the  data  path  failure  is  recovered  when  the  BFS  is  engaged. 
®[1 21 296-4594A] 
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A5-104  DATA  PATH  FAIL/ENGINE -ON  LIMIT  SHUTDOWN  CONTROL 

2.  FOR  A  SUBSEQUENT  ENGINE  OUT:  ®[1 21 296-4594A] 

THE  MAIN  ENGINE  LIMIT  SHUTDOWN  SOFTWARE  WILL  BE  INHIBITED 
BY  PLACING  THE  MAIN  ENGINE  LIMIT  SHUTDOWN  SWITCH  TO 
"INHIBIT"  (UNLESS  THE  BFS  AUTOMATICALLY  INHIBITED  LIMITS 
AT  ENGINE  OUT) .  LIMITS  WILL  REMAIN  INHIBITED  UNTIL  MECO . 

If  the  BFS  has  been  engaged,  a  subsequen  t  engine  shutdown  will  require  the  limits  to  be  inhibited 
because  BFS  does  not  have  single  engine  roll  control  logic  (ref  Rule  {A5-103},  LIMIT  SHUTDOWN 
CONTROL ).  BFS  will  automatically  inhibit  limits  if  the  engine  that  shut  down  did  not  have  a  previous 
data  path  failure,  had  a  data  path  failure  at  shutdown,  or  had  a  previous  data  path  failure  prior  to  BFS 
engage  but  was  recovered  upon  BFS  engage.  Limits  will  have  to  be  manually  inhibited  by  taking  the 
main  engine  limit  shutdown  switch  to  INHIBIT  if  the  engine  that  shut  down  had  a  non-recovered  data 
path  failure  prior  to  shu  tdown. 

Rules  {A5-102},  AUTO/MANUAL  SHUTDOWN,  {A5-103},  LIMIT  SHUTDOWN  CONTROL,  and  {A5-113}, 
MANUAL  MECO/MECO  CONFIRMED,  reference  this  rule.  ®[i  21 296-4594A] 
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A5-105  DATA  PATH  FAIL/ENGINE -OUT  ACTION 

IF  THE  MCC  CONFIRMS  THAT  AN  ENGINE  WITH  A  DATA  PATH  FAILURE  HAS 
SHUT  DOWN,  THAT  ENGINE'S  SHUTDOWN  pb  WILL  BE  PUSHED  TO  MODE  THE 
GUIDANCE  AND  FLIGHT  CONTROL  LOGIC  AND  TO  CLOSE  THE  ASSOCIATED 
PREVALVES . 

SHOULD  THE  SAFING  FUNCTION  OF  THE  pb  BE  INOPERATIVE  DUE  TO 
SHUTDOWN  pb  OR  CONTROL  BUS  PROBLEMS,  THE  APPROPRIATE  MDM  PER  THE 
TABLE  BELOW  WILL  BE  POWER  CYCLED  FOR  1  SECOND  TO  ALLOW  THE  pb  TO 
OPERATE.  THE  POWER  CYCLED  MDM  MAY  BE  REGAINED  VIA  AN  I/O  RESET 
POST  SAFING.  @[021397-4823] 


S/D  pb  CONTACT 

CONTROL  BUS 

MDM 

CTR  A 

AB1 

FF1 

CTR  B 

BC1 

FF2  @[111699-7140] 

LEFT  A 

BC2 

FF2 

LEFT  B 

CA2 

FF3 

RT  A 

CA3 

FF3 

RT  B 

BC3 

FF4 

The  GPC  guidance  software  will  not  know  an  engine  has  shut  down  prematurely  if  the  data  path  from 
that  engine  has  also  failed.  Pushing  the  corresponding  shutdown  pb  will  set  the  safing  command  in  the 
GPC  for  that  engine.  When  the  safing  command  is  set,  the  SSME  OPS  sequence  will  close  the  prevalves 
and  set  the  engine  fail  flag  for  that  engine.  Closing  the  prevalves  is  essential  to  isolate  the  failed  engine 
if  the  engine  failure  caused  damage  to  the  engine  propellant  supply  lines.  There  is  a  potential  for  afire 
or  propellant  loss  with  the  prevalves  open.  The  engine  fail  flag  is  used  by  the  ascent  guidance  software 
to  mode  the  guidance  and  targeting  functions  to  correspond  to  the  number  of  SSME’ s  that  are  operating. 
This  is  required  for  proper  control  of  the  vehicle. 

If  the  two  contacts  on  the  shutdown  pb  disagree,  the  safing  command  will  not  be  set.  A  contact 
disagreement  can  be  caused  by  a  failure  of  a  contact,  the  loss  of  the  fuse  to  a  contact,  or  the  loss  of  the 
control  bus  providing  power  to  a  contact.  Power  cycling  the  MDM  associated  with  that  contact  will 
cause  the  failed  contact  to  be  comm  faulted;  this  will  allow  the  safing  command  to  be  set  when  the  pb  is 
pushed.  For  FF  1,  2  or  3,  the  power  cycle  must  be  of  approximately  1  second  in  duration  before  moding 
guidance.  This  is  to  ensure  that  the  MDM  is  off  long  enough  to  be  comm  faulted,  yet  repowered  quickly 
to  avoid  caging  the  associated  IMU.  The  comm  faulted  MDM  can  be  recovered  with  an  I/O  reset  after 
the  appropriate  shutdown  pb  is  pushed  and  guidance  has  been  moded.  @[021397-4823  ] 
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A5-106  MANUAL  SHUTDOWN  FOR  COMMAND/DATA  PATH  FAILURES 

MANUAL  SHUTDOWN  OF  AN  AFFECTED  ENGINE  WILL  BE  PERFORMED  PRIOR  TO 
OR  AT  MECO  FOR  THE  FOLLOWING  COMMAND  AND/OR  DATA  PATH  FAILURE 
CASES : 

A.  COMMAND  PATH  FAILURE. 

1.  NOMINAL/ ATO/AOA: 

a.  THREE  ENGINES  ON  -  SHUT  DOWN  AT  VI  =  23K  FPS  USING 
THE  AC  POWER  SWITCHES  AND  SHUTDOWN  PB. 

b.  TWO  ENGINES  ON  -  SHUT  DOWN  AT  VI  =  24. 5K  FPS  USING 
THE  AC  POWER  SWITCHES  AND  SHUTDOWN  PB. 

C.  MCC  CONFIRMS  COMMAND  PATH  FAILURE  BY  NO  THROTTLING  OF 
AFFECTED  ENGINE  WHEN  THE  ENGINES  ARE  COMMANDED  TO 
THROTTLE . 

2.  RTLS : 

TWO  OR  THREE  ENGINES  ON  -  SHUT  DOWN  DURING  POWERED 
PITCHDOWN  AT  ALPHA  =  -1  USING  THE  AC  POWER  SWITCHES  AND 
SHUTDOWN  P  B  .  @[032395-1759] 

3 .  TAL : 

TWO  OR  THREE  ENGINES  ON  -  SHUT  DOWN  AT  VI  =  22. 5K  FPS 
USING  AC  POWER  SWITCHES  AND  SHUTDOWN  PB. 


In  the  case  of  a  command  path  failure,  the  only  way  to  shut  down  an  engine  is  with  the  engine  ac  power 
switches.  Shutting  down  with  the  ac  power  switches  also  creates  a  data  path  failure.  Therefore,  the 
shutdown  pushbutton  is  pushed  to  tell  guidance  that  an  engine  is  out.  The  engine  is  shut  down 
approximately  30  seconds  before  MECO  to  prevent  depleting  LO2  through  an  SSME  and  causing 
uncontained  engine  damage.  A  velocity  which  equates  to  MECO  minus  30  seconds  also  gives  guidance 
time  to  compensate  for  late  engine  out  and  converge  to  the  proper  MECO  targets.  The  only  exception  is 
an  RTLS  where  the  engine  is  shut  down  during  powered  pitchdown  at  alpha  =  -1  degrees.  On  a  three-  or 
two-engine  abort  RTLS,  if  an  engine  is  shut  down  at  TGO  ?  60  seconds,  guidance  will  not  mode  to  the 
target  set  corresponding  to  the  remaining  number  of  engines.  @[032395-1 759A] 
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A5-106  MANUAL  SHUTDOWN  FOR  COMMAND/DATA  PATH  FAILURES 

(CONTINUED) 

The  cue  of  alpha  =  -1  degree  (approx  MECO-5  sec)  was  chosen  to  allow  SSME  shutdown  to  begin  prior  to 
predicted  MECO  while  the  LO2  is  still  under  G’s  from  the  other  engine(s).  This  alleviates  LO2  net 
positive  suction  pressure  concerns  for  the  high  pressure  oxidizer  tu  rbopump  (HPOTP).  Alpha  =  -1  degree 
also  protects  for  1-sigma  aerodynamic  dispersions.  Although  sizable  transien  ts  can  be  expected 
subsequent  to  engine  shutdown,  flight  control  has  been  demonstrated  to  null  these  transients  prior  to  ET 
separation  (in  some  cases  ET  separation  inhibits  of  approximately  1  second  will  occur,  reference  AEFTP 
# 87  and  # 122  minutes).  On  a  three-engine  press-to-MECO  case,  MECO  minus  30  seconds  occurs  at  a  VI 
=  23  kfps.  On  a  two-engine  press-to-MECO  case,  MECO  minus  30  seconds  occurs  at  a  VI  =  24.5  kfps. 

On  a  TAL  abort,  MECO  minus  30  seconds  occurs  at  a  VI  =  22.5  kfps.  ©[032395-1759A] 

B.  DATA  PATH  FAILURE 

1.  MCC  DECISION  (PRIME) 

NOMINAL/ ATO/AOA/ TAL/RTLS : 

a.  NO  ACTION  REQUIRED. 

b.  MCC  CONFIRMS  COMMAND  PATH  OPERATIONAL  BY  GH2  OUTLET 
PRESSURE  COMPARISON  TO  POWER  LEVEL  COMMAND. 

2.  ONBOARD  DECISION  (NO  COMMUNICATION). 

NOMINAL/ ATO/AOA/ TAL/RTLS : 

CREW  ACTION  SAME  AS  FOR  COMMAND  PATH  FAILURE. 

For  a  data  path  failure,  the  engine  will  accept  throttling  and  MECO  commands  so  that  no  action  is 
required.  The  crew  cannot  tell  the  difference  between  a  data  path  failure  and  a  command/data  path 
failure.  The  two  failures  that  caused  the  data  path  failure  may  also  have  caused  a  command  path  failu  re 
( i. e. ,  two  controller  interface  adapters  (CIA’s),  or  a  CIA  and  a  multiplexer  interface  adapter  (MIA)  in  the 
EIU).  Unless  the  command  capability  is  verified  by  the  MCC,  the  crew  will  assume  a  command  and  data 
path  failure  and  will  take  the  same  action  as  a  command  path  failure.  The  MCC  can  verify  the  command 
path  status  by  observing  that  the  GH2  outlet  pressure  changes  with  the  throttle  command.  If  an  engine 
throttles  down  when  commanded,  its  command  path  is  operational. 
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A5-106  MANUAL  SHUTDOWN  FOR  COMMAND/DATA  PATH  FAILURES 

(CONTINUED) 

C.  COMMAND  AND  DATA  PATH  FAILURE. 

1.  MCC  DECISION  (PRIME) 

NOMINAL /ATO/ AO A/ TAL/RTLS : 

a.  ACTION  SAME  AS  COMMAND  PATH  FAIL 

b.  MCC  CONFIRMS  CASE  BY  NO  CHANGE  IN  GH2  OUTLET  PRESSURE 
ON  THE  AFFECTED  ENGINE  WHEN  ENGINE  COMMANDED  TO 
THROTTLE . 

2.  ONBOARD  DECISION  (NO  COMMUNICATION) 

NOMINAL /ATO/ AO A/ TAL/RTLS : 

CREW  ACTION  SAME  AS  FOR  COMMAND  PATH  FAILURE. 

The  loss  of  an  EIU  or  the  loss  of  an  MIA  and  a  CIA  or  the  loss  of  two  CIA’s  will  cause  a  data  path 
failure  and  a  command  path  failure  on  the  same  engine. 

This  is  a  very  serious  failure  mode  because  this  failure  will  close  the  LO2  prevalves  on  an  operating 
engine  if  preventative  action  is  not  taken.  A  water-hammer  effect  could  occur  which  would  rupture  the 
LO 2  feedline  and  result  in  uncontained  engine  damage  and  loss  of  vehicle.  At  MECO,  the  GPC  logic 
assumes  an  engine  with  a  data  path  failure  does  not  have  a  command  path  loss  ( i.  e. ,  the  GPC  assumes 
the  engine  accepted  and  complied  with  the  shutdown  command);  therefore,  the  prevalves  are  commanded 
closed.  To  prevent  this  catastrophic  shutdown  of  the  engine  at  MECO,  the  engine  ac  power  switches 
must  be  used  to  shut  down  the  engine  before  MECO  is  commanded.  The  ac  power  switches  will  shut 
down  the  engine;  the  pushbutton  is  then  pressed  to  mode  guidance. 

Rules  (A2-59DJ,  BFS  ENGAGE  CRITERIA;  (A5-109),  MANUAL  SHUTDOWN  FOR  TWO  STUCK 
THROTTLES  (NOT  DUAL  APU  FAILURES);  {A5-110},  SSME  PERFORMANCE  DISPERSION;  {A5-107}, 
MANUAL  SHUTDOWN  FOR  SUSPECT  COMMAND  PATH  FAILURES;  {A5-153J,  PRE-MECO  SHUT 
DOWN  OF  ENGINES  DUE  TO  MPS  HELIUM  LEAKS;  and  { A7-9 },  REDUNDANT  SET  SPLIT,  reference 

this  rule.  @[032395-1766]  @[061 296-61 47A]  ®[ED  ] 
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A5-107  MANUAL  SHUTDOWN  FOR  SUSPECT  COMMAND  PATH  FAILURES 

AN  ENGINE  WITH  SUSPECT  COMMAND  CAPABILITY  FOR  SHUTDOWN  WILL  BE 
MANUALLY  SHUT  DOWN  PRIOR  TO  MECO  USING  THE  SAME  CUES  LISTED  FOR  A 
COMMAND  PATH  FAILURE  IN  FLIGHT  RULE  {A5-106},  MANUAL  SHUTDOWN  FOR 
COMMAND/DATA  PATH  FAILURES. 

If  a  transient  failure  observed  during  powered  flight  results  in  the  temporary  loss  of  a  command 
channel,  the  respective  command  channel  will  be  considered  suspect  since  the  failure  could  return  at 
any  time.  If  another  avionics  failure  and  a  reoccurrence  of  the  previously  obsen’ed  transient  failure 
results  in  a  command  path  failure  (per  Rule  {A5-3J,  STUCK  THROTTLE),  the  command  capability  of 
this  engine  will  be  considered  suspect  even  if  the  engine  reacts  to  the  3g  throttle  back  command. 

Therefore,  this  engine  will  be  shut  down  pre-MECO  per  Rule  { A5-106 },  MANUAL  SHUTDOWN  FOR 
COMMAND/DATA  PATH  FAILURE.  The  engines  have  single  command  channel  shutdown  logic  that 
allows  the  engine  to  shut  down  by  accepting  shutdown  commands  on  only  one  out  of  three  command 
channels.  Operationally,  this  logic  is  only  relied  upon  for  late,  unexpected  failures.  ®[1 1 1501-4939  ] 

One  example  of  a  transient  failure  is  an  EIU  power-on-reset  failure.  A  power-on-reset  failure  causes  the 
temporary  loss  of  a  single  power  supply  in  an  EIU.  Since  the  EIU  MIA  ports  1  and  3  are  on  the  same 
power  source  (MIA  ports  2  and  4  are  on  another ),  this  failure  will  cause  the  temporary  loss  of  command 
and  data  transfer  capability  on  two  MIA  ports  (ground  data  only  shows  the  status  of  MIA  ports  1  and  4; 
therefore,  MIA  ports  3  and  2  are  assumed  bypassed  with  ports  1  and  4,  respectively).  After  this  failure  has 
occurred,  the  command  transfer  capability  will  be  regained  automatically  while  the  data  transfer 
capability  will  be  regained  via  an  I/O  Reset.  The  following  scenario  is  an  example  of  the  concern  that  this 
failure  raises:  If  an  engine  has  a  command  channel  B  failure  and  a  power-on-reset  failure  on  MIA  ports  1 
and  3,  the  engine  will  be  considered  to  have  suspect  command  capability  even  if  the  engine  responds  to 
throttle  commands  and  will  be  shut  down  pre-MECO.  ®[1 11501-4939  ] 


VOLUME  A  11/21/02  FINAL,  PCN-1  BOOSTER  5-44 

Verify  that  this  is  the  correct  version  before  use. 


NASA  -  JOHNSON  SPACE  CENTER 


FLIGHT  RULES 


A5-108  MANUAL  SHUTDOWN  FOR  HYDRAULIC  OR  ELECTRICAL  LOCKUP 

AN  SSME  IN  HYDRAULIC  OR  ELECTRICAL  LOCKUP  MAY  HAVE  TO  BE  MANUALLY 
SHUT  DOWN  TO  PREVENT  A  VIOLATION  OF  THE  ENGINE  L(£  NPSP  REQUIREMENTS 
NEAR  MECO.  MANUAL  SHUTDOWN  WILL  BE  REQUIRED  UNDER  THE  FOLLOWING 
CONDITIONS  FOR  ANY  ENGINE  LOCKED  UP  ABOVE  THE  MINIMUM  POWER  LEVEL 
(KMIN)  .  @[061297-6171]  ©[090999-7052A] 

A.  NOMINAL/ ATO:  ®[ED  ] 

1.  THREE  ENGINES  ON: 

a.  ONE  STUCK  THROTTLE  -  SHUT  DOWN  THE  AFFECTED  ENGINE  AT 
VI  =  23K  FPS  USING  THE  SHUTDOWN  PB . 

b.  TWO  STUCK  THROTTLES  -  (REF.  RULE  {A5-109},  MANUAL 
SHUTDOWN  FOR  TWO  STUCK  THROTTLES  (NOT  DUAL  APU 
FAILURES),  AND  RULE  {A8-61},  SSME  SHUTDOWN  DUE  TO 
HYDRAULIC  SYSTEM  FAILURES)  .  ®[ED  ] 

2.  TWO  ENGINES  ON  -  NO  ACTION  REQUIRED. 

B.  RTLS  AND  TAL  -  NO  ACTION  REQUIRED. 

Manual  shutdown  of  an  engine  in  hydraulic  or  electrical  lockup  is  only  required  for  a  three-engine 
nominal  or  ATO  mission.  The  three-engine  LO2  low  level  cutoff  delay  timer  (as  defined  by  the  I-load 
N0M_L02_L0W _LVL_TIME_DELAY_L  -  currently  0.358  seconds )  is  designed  for  three  engines 
shutting  down  from  the  minimum  power  level  (as  defined  by  the  I-load  KMIN  -  currently  67  percent 
power  level).  If  one  engine  is  stuck  above  the  minimum  power  level,  the  LO2  net  positive  suction 
pressure  (NPSP)  and  post  shutdown  LO2  mass  requirements  may  be  violated.  Therefore,  an  LO2 
depletion  cutoff  at  power  levels  greater  than  that  accounted  for  by  the  low  level  timers  could  cause 
high  pressure  oxidizer  pump  overspeed  resulting  in  a  potentially  catastrophic  engine  shutdown.  Given 
the  potentially  catastrophic  nature  of  the  shutdown  and  given  that  an  LO2  low  level  cutoff  cannot 
always  be  predicted  (reference  the  STS-93  unpredicted  LO2  low  level  cutoff  which  was  caused 
primarily  by  an  SSME  nozzle  leak  which  was  smaller  than  the  minimum  criteria  of  Rule  (A5-110}, 

SSME  PERFORMANCE  DISPERSION,  and  therefore  not  modeled  in  the  Abort  Region  Determinator 
(ARD)),  it  was  decided  to  accept  the  operational  impacts  of  always  shutting  down  a  locked  up  engine 
when  three  engines  are  on  as  opposed  to  relying  on  the  ARD  to  make  a  real-time  performance 
evaluation  (reference  Ascent  Flight  Techniques  Panel  Meeting  #160,  August  27,  1999).  These  impacts 
include  up  to  60  feet  per  second  of  lost  performance  and  a  planar  error  at  MECO  of  up  to  10  feet  per 
second  (some  planar  error  is  inevitable  for  these  cases  even  if  the  stuck  engine  is  not  shut  down). 

©[090999-7052A]  @[092701  -481 9A]  ®[ED  ] 

THIS  RULE  CONTINUED  ON  NEXT  PAGE 


VOLUME  A  11/21/02  FINAL,  PCN-1  BOOSTER  5-45 

Verify  that  this  is  the  correct  version  before  use. 


NASA  -  JOHNSON  SPACE  CENTER 


FLIGHT  RULES 


A5-108  MANUAL  SHUTDOWN  FOR  HYDRAULIC  OR  ELECTRICAL  LOCKUP 

(CONTINUED) 


Analysis  performed  without  dispersions  indicates  the  LO2  residual  mass  requirement  is  satisfied  for  an 
engine  stuck  at  up  to  76  percent  power  level  (reference  PSIG  telecon,  August  25,  1999).  However,  to 
protect  for  dispersions  in  the  analytically  derived  LO2  mass  requirement,  to  protect  for  potential 
uncertainties  in  the  engine  power  level  prediction  at  shutdown,  to  maximize  the  NPSP  and  LO2  residual 
mass  provided,  and  to  provide  operational  simplicity,  a  manual  engine  shutdown  is  performed  for  any 
engine  stuck  greater  than  the  minimum  power  level.  By  shutting  down  the  stuck  engine  prior  to  MECO, 
the  two  remaining  engines  will  throttle  to  91  percent  power  level  for  fine  count.  The  low  level  cutoff 
delay  timer  for  the  two-engine  on  case  is  zero,  thereby  maximizing  the  NPSP  and  LO2  residual  mass  for 
two  engines  shu  tting  down  from  91  percent.  ®[061 297-61 71  ]  ®[090999-7052A] 

For  the  two-engine-on  case  with  stuck  throttles  at  any  power  level,  the  technical  community  determined 
that  the  NPSP  would  not  be  severely  violated  and  the  minimum  post  shutdown  LO2  mass  requirements 
would  be  satisfied.  Therefore,  no  action  was  required  (reference  the  24th  PSIG  in  November  1983  and 
Ascent  Flight  Techniques  on  May  21,  1984).  For  an  RTFS  or  TAL  abort,  the  FO2  residuals  should  be 
sufficient  enough  to  prevent  cm  LO2  low  level  shutdown. 

Shutdown  of  cm  engine  in  either  a  hydraulic  or  electric  lockup  will  be  performed  by  shutdown  pushbu  tton 
only.  The  shutdown  pushbutton  method  for  manual  shutdown  of  an  engine  in  either  hydraulic  or  electric 
lockup  minimizes  the  exposure  to  the  unnecessary  risk  of  a  pneumatic  shutdown  in  the  case  of  the 
electrically  locked-up  engine  and  simplifies  crew  procedures  in  the  case  of  the  hydraulically  locked-up 
engine.  ®[090999-7052A] 
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A5-109  MANUAL  SHUTDOWN  FOR  TWO  STUCK  THROTTLES  (NOT  DUAL 

APU  FAILURES) 

A.  THREE  ENGINES  RUNNING: 

1.  NOMINAL/ ATO  -  MANUALLY  SHUT  DOWN  ONE  ENGINE  AT  Vj  ?  23K  FPS  . 

2.  TAL  -  MANUALLY  SHUT  DOWN  ONE  ENGINE  AT  Vz  ?  22. 5K  FPS. 

ENABLE  MANUAL  THROTTLES  PRIOR  TO  ABORT  SELECTION 
TO  MAINTAIN  NOMINAL  POWER  LEVEL.  @[082593-1 464C] 

3.  RTLS  -  BEFORE  SELECTING  RTLS ,  MANUAL  THROTTLES  WILL  BE 

ENABLED  AND  MINIMUM  THROTTLES  SELECTED.  AT  LEAST 
10  SECONDS  OF  MINIMUM  THROTTLE  LEVEL  IS  DESIRED 
PRIOR  TO  RTLS  SELECTION.  AUTO  THROTTLES  WILL  BE 
RESELECTED  ANYTIME  PRIOR  TO  POWERED  PITCH-AROUND 
( PP A) .  IF  BOTH  ENGINES  WITH  STUCK  THROTTLES  ARE 

AT  MORE  THAN  85  PERCENT,  MANUALLY  SHUT  DOWN  ONE 
ENGINE  2  MINUTES  PRIOR  TO  MECO.  @[082593-1 464C] 

SHUTDOWN  PRIORITY:  (1)  COMMAND  PATH  FAIL,  (2)  HYDRAULIC 
LOCKUP,  (3)  ELECTRICAL  LOCKUP 

B.  TWO  ENGINES  RUNNING  -  NO  ACTION  REQUIRED. 

For  dual  command  path  failures,  reference  Rule  (A5-106J,  MANUAL  SHUTDOWN  FOR 
COMMAND/DATA  PATH  FAILURES.  For  dual  hydraulic  failures,  ref  Rule  {A8-61 },  SSME 
SHUTDOWN  DUE  TO  HYDRAULIC  SYSTEM  FAILURES. 

If  two  of  three  operating  engines  have  stuck  throttles,  manual  shutdown  of  an  engine  will  be  required  to 
prevent  violation  of  the  3.5 g  acceleration  limit.  This  limit  cannot  be  violated  with  only  two  engines 
operating.  Also,  this  limit  cannot  be  violated  on  a  three-engine  RTLS  if  at  least  one  of  the  stuck  throttles 
is  less  than  or  equal  to  85  percent.  Above  85  percent,  shutting  down  an  engine  2  minutes  prior  to  MECO 
ensures  that  it  will  not  be  violated.  @[110900-7242  ] 

For  all  RTLS  cases  with  two  stuck  throttles,  minimum  throttles  will  be  selected  prior  to  abort  selection. 

Doing  so  will  allow  guidance  to  converge  on  the  correct  average  thrust  level  and  will  reduce  the 
probability  of  an  early  PPA.  For  guidance  to  have  enough  time  to  converge,  min  imum  throttle  levels 
must  be  achieved  at  least  10  seconds  prior  to  RTLS  selection.  If  not,  an  early  PPA  may  occur,  resulting 
in  MECO  conditions  that  are  not  optimized.  AUTO  throttles  should  be  reselected  at  some  point  prior  to 
PPA,  but  are  not  mandatory  prior  to  RTLS  selection.  @[082593-1 464C] 
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A5-109  MANUAL  SHUTDOWN  FOR  TWO  STUCK  THROTTLES  (NOT  DUAL 

APU  FAILURES)  (CONTINUED) 

For  TAL,  it  is  undesirable  to  throttle  down  the  good  engine  due  to  the  guidance  transients  which  may 
occur  and  the  fact  that  little  time  would  be  gained  to  perform  the  abort  dump.  Therefore,  manual 
throttles  will  be  selected  to  prevent  cm  automatic  throttledown  when  TAL  is  declared.  This  action  is 
not  required  if  TAL  is  declared  early  enough  that  automatic  throttling  will  not  occur  at  abort 
selection.  However,  since  there  is  no  disadvan  tage  to  selecting  man  ual  throttles  for  this  short  period 
of  time,  manual  throttles  will  always  be  selected  for  consistency.  AUTO  throttles  will  be  reselected 
after  TAL  is  declared.  ®[082593-i  464C] 

Shutdown  priorities  are  established  to  protect  against  the  maximum  risk.  Command  path  failure  means 
the  engine  will  not  automatically  shut  down  at  MECO,  which  is  catastrophic.  Hydraulic  lockup  means 
shutdown  requires  the  nonredundant  pneumatic  system.  Electric  lockup  results  in  a  nominal  shutdown. 

Shutdown  will  be  performed  on  the  command  path  failed  engine  using  the  ac  power  switches  and  shutdown 
pushbu  tton.  Shutdown  of  an  engine  in  either  a  hydraulic  or  electric  lockup  will  be  performed  by  shutdown 
pushbutton  only.  The  shutdown  pushbutton  method  for  manual  shutdown  of  cm  engine  in  either  hydraulic 
or  electric  lockup  minimizes  the  exposure  to  the  unnecessary  risk  of  a  pneumatic  shutdown  in  the  case  of 
the  electrically  locked-up  engine  and  simplifies  crew  procedures  in  the  case  of  the  hydraulically  locked-up 
engine. 

Rule  { A2-301J ,  Note  8,  CONTINGENCY  ACTION  SUMMARY,  and  (A4-59J,  MANUAL  THROTTLE 
SELECTION,  reference  this  rule.  ®[092195-1770A] 
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A5-110  SSME  PERFORMANCE  DISPERSION  @[070899-6819] 

A.  SHOULD  AN  SSME  PERFORMANCE  DISPERSION  ARISE,  THE  ABORT  REGION 
DETERMINATOR  (ARD)  PROGRAM  IN  THE  MCC  WILL  BE  ADJUSTED  ASAP 
WITH  THE  FOLLOWING  INFORMATION:  @[070899-6819] 

1.  AFFECTED  SSME  CAUSING  THE  PERFORMANCE  DISPERSION 

2.  TIME  OF  OCCURRENCE 

3.  MODE  AND  LEVEL  OF  THE  PERFORMANCE  DISPERSION  CONDITION 
INCLUDING  INSTANTANEOUS  PERFORMANCE  INFORMATION. 


The  SSME  performance  dispersion  rule  defines  the  failures  and  the  minimum  criteria  which  must  be  met 
prior  to  updating  the  ARD  with  an  SSME  performance  case.  The  Booster  Mean  Engine  Tables  quantify 
each  of  the  performance  cases  and  include  the  minimum  criteria  for  calling  the  performance  cases. 

These  tables  are  generated  using  the  SSME  Power  Balance  Model  data  provided  by  Rocketdyne  in 
response  to  a  Shuttle  Operational  Data  Book  (SODB)  Request.  The  Engine  Status  Word  (ESW),  MCC 
Pc,  HPOT/HPFT  discharge  temperatures,  LPFP  discharge  temperature,  OPOV/FPOV position,  and/or 
HPOP/HPFP  discharge  pressures  are  the  primary  cues  used  for  determining  performance  cases. 

Updates  to  the  ARD  con  sist  of  changes  in  power  level  (thrust),  specific  impulse  (Isp),  and  mixture  ratio 
(MR).  The  ARD  uses  these  SSME  performance  parameters  to  predict  abort  mode  capabilities  real  time. 

A  change  in  any  of  these  parameters  could  affect  the  abort  boundaries  significantly. 

B.  AN  SSME  PERFORMANCE  EVALUATION  CAN  ONLY  BE  MADE  WHEN  THE  SSME 
COMMANDED  POWER  LEVEL  IS  KNOWN  AND  THE  SSME  IS  IN  A  STEADY- 
STATE  CONDITION.  QUANTIFIABLE  PERFORMANCE  DISPERSIONS  ARE  AS 
FOLLOWS : 

1.  SINGLE  MCC  PC  CHANNEL  SHIFT  HIGH  OR  LOW  WILL  BE  CALLED  IF 
THE  DELTA  BETWEEN  MCC  PC  CHANNEL  A  AND  MCC  PC  CHANNEL  B 
IS  ?  50  PSI: 

a.  FOR  PC  SHIFT  HIGH  ACTUAL  LOW,  THE  LOWEST  MCC  PC  CHANNEL 
WILL  BE  USED  FOR  PERFORMANCE  EVALUATION. 

b.  FOR  PC  SHIFT  LOW  ACTUAL  HIGH,  THE  HIGHEST  MCC  PC 
CHANNEL  WILL  BE  USED  FOR  PERFORMANCE  EVALUATION. 
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A5-110  SSME  PERFORMANCE  DISPERSION  (CONTINUED) 

C.  FOR  A  SINGLE  MCC  PC  CHANNEL  SHIFT,  THE  AFFECTED  MAIN 
ENGINE  CONTROLLER  CHANNEL  WILL  BE  POWER  CYCLED  FOR  1 
SECOND  BY  THE  CREW  IF  AN  ATO  CANNOT  BE  ACHIEVED. 

THIS  PROCEDURE  WILL  NOT  BE  IMPLEMENTED  IF  IT  WILL 
CAUSE  AN  SSME  SHUTDOWN  OR  NOT  CORRECT  THE  PERFORMANCE 
DISPERSION  AS  DEFINED  BELOW:  ®[061 297-61 47A]  @[070899-6819] 

(1)  LIMIT  EXCEEDED  ON  ANY  REMAINING  SHUTDOWN  SENSOR (S) 
ON  OTHER  CHANNEL  SO  THAT  IT  CAUSES  ENGINE 
SHUTDOWN. 

(2)  LOSS  OF  OTHER  CHANNEL'S  DCU,  INPUT  ELECTRONICS,  OR 
OUTPUT  ELECTRONICS  (CAUSES  SSME  SHUTDOWN)  .  @[070899-6819] 

(3)  WHEN  IN  ELECTRICAL  LOCKUP  OR  WHEN  CHANNEL  POWER 
CYCLE  CAUSES  ELECTRICAL  LOCKUP.  @[061 297-61 47A] 

(4)  WHEN  IN  HYDRAULIC  LOCKUP  OR  WHEN  CHANNEL  POWER 
CYCLE  CAUSES  HYDRAULIC  LOCKUP.  @[061 297-61 47A] 

NOTE:  IT  IS  ACCEPTABLE  TO  CAUSE  A  MOMENTARY  OR 

PERMANENT  SSME  COMMAND  PATH  FAILURE,  BECAUSE 
THE  SSME  CAN  STILL  REBALANCE  TO  CORRECT  FOR  THE 
PERFORMANCE  CASE  .  @[061 297-61 47A] 


The  SSME  thrust  is  controlled  using  the  MCC  Pc  channel  average.  A  single  MCC  Pc  channel  erroneously 
shifting  high  or  low  will  cause  the  SSME  to  shift  in  the  opposite  direction  in  an  attempt  to  rebalance  the 
SSME.  That  is,  for  an  MCC  Pc  channel  shift  high  case,  the  SSME  will  actually  shift  low.  The  good  MCC 
Pc  channel  will  shift  in  the  direction  of  the  actual  SSME  shift  causing  a  delta  between  the  two  MCC  Pc 
channels.  The  good  MCC  Pc  channel  will  be  used  for  performance  evaluation.  A  difference  of  50  psi 
between  the  two  MCC  Pc  channels  is  the  minimum  detectable  single  MCC  Pc  channel  shift,  and  it  equates 
to  an  actual  MCC  Pc  error  of  25  psi  (level  1,  MCC  Pc  Shift  Tables). 
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A5-110  SSME  PERFORMANCE  DISPERSION  (CONTINUED) 

A  shifted  MCC  Pc  channel  can  so  adversely  impact  SSME  performance  that  an  ATO  cannot  be  achieved. 
For  such  a  case,  the  Booster  will  call  for  the  controller  chann  el  with  the  malfunctioning  MCC  Pc  chann  el 
to  be  power  cycled  for  1  second.  Booster  must  be  ready  to  identify  the  channel  and  switch  to  be  cycled  by 
the  crew.  The  controller  channel  that  has  been  power  cycled  will  remain  available  for  command  and  data 
transfer,  but  the  controller  IE  (sensor  data  to  the  controller )  and  OE  (control  to  the  valve  servo-actuators 
and  servo-switches )  on  that  channel  will  be  disqualified.  Disqualification  of  a  shifted  Pc  sensor’s  IE  will 
restore  engine  operation  to  nominal  thrust  and  mixture  ratio  conditions.  This  action  should  not  be  taken  if 
it  will  cause  engine  shutdown  or  not  correct  the  performance  dispersion.  Cases  that  would  cause  engine 
shutdown  consist  of  redline  shutdown  sensor(s)  violating  redline  limits  on  the  remaining  channel  or  loss  of 
the  remaining  channel’s  DCU,  IE,  or  OE.  Reference  (Rule  A5-2},  SPACE  SHUTTLE  MAIN  ENGINE 
OUT,  paragraphs  E  and  F.  If  the  SSME  is  in  electrical  or  hydraulic  lockup  or  when  channel  power  cycle 
causes  electric  or  hydraulic  lockup,  disqualifying  the  faulty  sensor  (channel)  will  not  correct  the  dispersion 
since  the  engine  valves  cannot  be  repositioned.  It  is  acceptable  to  create  a  momentary  or  permanen  t 
command  path  failure  because  it  is  not  necessary  for  the  controller  to  have  good  GPC  commands  in  order 
for  the  SSME  to  rebalance.  However,  command  path  failures  are  unlikely  since  the  SSME  command 
channel  is  expected  to  be  regained  once  the  controller  power  is  turned  back  on.  If  a  command  path  failure 
does  occur,  the  affected  SSME  must  be  shut  down  prior  to  MECO  based  on  the  cues  listed  in  Flight  Rule 
{. A5-106 },  MANUAL  SHUTDOWN  FOR  COMMAND/DATA  PATH  FAILURES.  @[070899-6819  ] 

2.  A  DUAL  MCC  PC  CHANNEL  SHIFT  HIGH  OR  LOW  CASE  WILL  BE 

CALLED  WHEN  THE  MCC  PC  ERROR  IS  ?37.5  PSI .  A  MINIMUM  MCC 
PC  ERROR  OF  37.5  PSI  IS  DEFINED  BY  THE  BOOSTER  MAIN 
ENGINE  TABLES  WHEN  ALL  THREE  TELEMETRY  PARAMETER  DELTAS 
(HPOT  DISCHARGE  TEMPERATURE,  HPOP  DISCHARGE  PRESSURE,  AND 
HPFP  DISCHARGE  PRESSURE)  EXCEED  THE  LEVEL  1.5  CRITERIA 
PER  THE  MCC  PC  SHIFT  TABLES.  A  DELTA  BETWEEN  THE  MCC  PC 
CHANNELS  MAY  OR  MAY  NOT  BE  PRESENT.  @[070899-6819] 

Actual  MCC  Pc  error  can  also  result  from  shifts  in  both  the  MCC  Pc  channels  (shifting  by  the  same  or 
different  amounts)  or  a  shift  in  one  MCC  Pc  channel  with  the  other  channel  previously  disqualified;  this 
is  defined  as  a  dual  MCC  Pc  channel  shift.  For  this  case,  the  actual  SSME  MCC  Pc  error  will  be 
determined  using  the  HPOT  discharge  temperature,  HPOP  discharge  pressure,  and  HPFP  discharge 
pressure.  A  dual  MCC  Pc  channel  shift  will  be  assessed  when  all  three  of  these  telemetry  parameter 
deltas  exceed  the  minimum  criteria  (SSME  MCC  Pc  error  137.5  psi)  listed  in  the  Booster  Main  Engine 
Tables  (approved  at  the  A/EFTP  No.  152  on  September  18,  1998).  Both  the  single  and  the  dual  MCC  Pc 
channel  shift  cases  will  use  the  same  MCC  Pc  Shift  Tables  for  the  ARD  updates,  and  the  level  in  both 
cases  will  be  based  on  the  actual  MCC  Pc  error.  For  a  dual  MCC  Pc  shift  case,  waiting  for  MCC  Pc 
error  of  37.5  psi  (level  1.5)  protects  against  erroneously  calling  the  case  due  to  prediction  sigmas,  and  it 
reliably  differentiates  this  case  from  other  cases  that  have  similar  SSME  temperature  and  pressure 
movements. 
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A5-110  SSME  PERFORMANCE  DISPERSION  (CONTINUED) 

3.  LPFT  DISCHARGE  TEMPERATURE  SHIFT  CASE  WILL  BE  CALLED  WHEN 
THE  LPFT  DISCHARGE  TEMPERATURE  SENSOR  SHIFTS  LOW?  2  DEG  R. 


A  shift  in  LPFT  discharge  temperature  sensor  will  cause  cm  error  in  the  fuel  density  calculation.  This 
error  in  fuel  density  will  propagate  into  cm  error  in  the  mixture  ratio  calculation.  The  SSME  controller 
will  then  attempt  to  return  the  calculated  mixture  ratio  to  the  nominal  value  by  adjusting  the  SSME 
valves  causing  cm  off-nominal  engine  performance  dispersion.  A  performance  adjustment  to  the  ARD 
will  only  be  made  for  a  shift  low  of  the  LPFT  discharge  temperature  sensor  because  the  LPFT  discharge 
temperature  cannot  realistically  get  colder.  The  minimum  detectable  error  is  2  deg  R  to  cover 
instrumentation  accuracy,  run  to  run  variations,  and  to  ensure  sufficient  change  in  the  SSME 
parameters  for  failure  identification. 

4.  ELECTRICAL  LOCKUP  WILL  BE  CALLED  WHEN  THE  ENGINE  STATUS 
WORD  (ESW)  INDICATES  THAT  THE  SSME  IS  IN  ELECTRICAL 
LOCKUP . 

a.  IF  THE  MCC  PC  OR  THE  LH2  FLOWMETER  SENSORS  SHIFT 
PRIOR  TO  ELECTRICAL  LOCKUP  AND  IF  THE  SSME  IS  LOCKED 
UP  AT  THE  MISSION  POWER  LEVEL,  AN  ARD  ADJUSTMENT  WILL 
BE  MADE  USING  THE  MCC  PC  SHIFT  TABLES  OR  LH? 

FLOWMETER  SHIFT  TABLES.  @[070899-6819] 

b.  IF  THERE  IS  NO  QUANTIFIABLE  SHIFT  IN  THE  MCC  PC  OR  THE 
LH2  FLOWMETER  SENSORS  PRIOR  TO  ELECTRICAL  LOCKUP,  AN 
ARD  ADJUSTMENT  WILL  BE  MADE  USING  THE  BACKUP 
ELECTRICAL  LOCKUP  TABLES.  @[070899-6819] 

An  electrical  lockup  will  be  called  when  the  ESW  mode  indicates  that  the  SSME  is  in  electrical  lockup. 
Electrical  lockup  is  caused  by  disqualification  of  both  channels  of  either  the  MCC  Pc  or  the  LH2  flowmeter 
sensors  (reference  Flight  Rule  {A5-3J,  STUCK  THROTTLE).  If  the  MCC  Pc  or  LH2  flowmeter  sensor  shift 
caused  an  SSME  to  rebalance  prior  to  disqualification,  cm  ARD  adjustment  will  be  made  using  the  MCC 
Pc  shift  tables  or  the  LH2  flowmeter  shift  tables.  If  there  is  no  quan  tifiable  shift  in  the  SSME  performance 
prior  to  an  electrical  lockup,  then  an  ARD  adjustment  will  be  made  using  the  backup  electrical  lockup 
table. 

The  fuel  flow  meter  and  Pc  shift  tables  are  only  valid  at  the  mission  power  level.  For  electrical  lockups 
that  do  not  occur  at  the  mission  power  level,  the  backup  electrical  lockup  tables  are  used.  The  backup 
electrical  lockup  tables  adjust  thrust,  Isp  and  MR  for  LO2  inlet  pressure  at  the  time  of  the  lockup. 
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A5-110  SSME  PERFORMANCE  DISPERSION  (CONTINUED) 

5.  AN  LH2  FLOWMETER  SHIFT  HIGH  OR  LOW  WILL  BE  CALLED  WHEN  THE 
FUEL  FLOW  ERROR  IS  ?  450  GPM .  A  MINIMUM  FUEL  FLOW  ERROR 
OF  450  GPM  IS  DEFINED  BY  THE  BOOSTER  MAIN  ENGINE  TABLES 
WHEN  ALL  FOUR  TELEMETRY  PARAMETER  DELTAS  (HPOT  DISCHARGE 
TEMPERATURE,  HPOP  DISCHARGE  PRESSURE,  HPFP  DISCHARGE 
PRESSURE,  AND  FPOV  POSITION)  EXCEED  THE  LEVEL  1  CRITERIA. 

The  SSME  mixture  ratio  is  controlled  using  the  measured  volumetric  flowrate  from  the  LH2  flowmeter.  A 
shift  in  the  LH2  flowmeter  will  cause  the  SSME  con  troller  to  calculate  incorrect  values  for  LH2  mass 
flowrate ,  propagating  into  a  mixture  ratio  error.  The  controller  will  then  attempt  to  return  the  calculated 
mixture  ratio  to  the  nominal  value  by  adjusting  the  SSME  valves.  This  will  cause  the  real  thrust,  Isp,  and 
MR  to  be  off-nominal.  A  flowmeter  shift  low  will  cause  the  con  troller  to  increase  LH2flow,  ’’shift  low 
actual  high,  ”  causing  the  real  mixture  ratio  to  be  low.  A  LH2  flowmeter  shift  high  will  cause  the  controller 
to  decrease  the  LH2flow,  “shift  high  actual  low,  ”  causing  the  real  mixture  ratio  to  be  high.  The  LH2 
flowmeter  shift  case  will  be  assessed  only  when  all  four  telemetry  parameter  deltas  (HPOT  discharge 
temperature,  HPOP  discharge  pressure,  HPFP  discharge  pressure,  and  FPOV  position)  exceed  the  level  1 
criteria  (SSME  fuel  flow  error  ?  450  GPM )  listed  in  the  Booster  Main  Engine  Tables.  The  OPOV  position 
cue  was  replaced  by  the  HPFP  discharge  pressure  cue  after  the  Block  I  SSME’s  were  introduced  into  the 
fleet  -  due  to  OPOV  position  oscillations  (reference  PSIG  Action  No.  9401 12-DOl. 

6.  HYDRAULIC  LOCKUP  WILL  BE  DECLARED  WHEN  THE  HYDRAULIC 
SUPPLY  PRESSURE  DROPS  BELOW  1500  PSIA  OR  WHEN  THE  ESW 
INDICATES  HYDRAULIC  LOCKUP.  THE  INSTANTANEOUS  AND  DRIFT 
PERFORMANCE  WILL  BE  COMPUTED  IN  REAL-TIME,  AND  THE  ARD 
WILL  BE  ADJUSTED  ACCORDINGLY.  @[070899-6819] 

The  SSME  propellant  valves  will  not  properly  actuate  with  the  hydraulic  supply  pressure  below  1500 
psia  and  will  begin  to  drift  due  to  flow  torque  effects.  As  the  SSME  propellan  t  valves  drift  and  as  the 
SSME  controller  also  attempts  to  adjust  the  valves  to  account  for  vehicle  acceleration/inlet  pressure 
effects,  the  SSME  controller  will  disqualify  both  sen’o-actuators  and  mode  the  SSME  into  hydraulic 
lockup  as  indicated  by  the  ESW.  The  SSME  controller  can  also  mode  the  SSME  into  hydraulic  lockup  for 
reasons  other  than  loss  of  hydraulic  supply  pressure  (reference  Flight  Rule  (A5-3},  STUCK 
THROTTLE).  For  either  case,  the  ARD  will  be  updated  with  an  instantaneous  thrust,  Isp  and  MR.  If  the 
performance  is  changing  with  time  due  to  valve  drift,  the  mainstage  performance  during  lockup  will  be 
calculated  real  time  via  an  algorithm  in  the  Booster  Operational  Support  Software.  Once  the  drift 
performance  can  be  quantified,  the  drift  level  and  the  drift  time  used  in  these  calculations  will  be  passed 
to  the  Trajectory  Officer  for  ARD  update.  The  drift  rate  is  assumed  to  be  linear  (based  on  SSME  test 
stand  data).  Ground  testing  of  hydraulic  lockup  has  shown  that  significan  t  valve  drift  can  occur  on  an 
engine  in  hydraulic  lockup.  Design  changes  to  the  SSME  valve  actuators  have  been  incorporated  to 
min  imize  valve  drift  in  case  of  hydraulic  lockup.  @[070899-6819  ] 
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A5-110  SSME  PERFORMANCE  DISPERSION  (CONTINUED) 

7.  PRE-THRUST  LIMITING  NOZZLE  LEAK  WILL  BE  CALLED  AT  LEAK 
RATES  ?  7  LBM/SEC.  A  MINIMUM  LEAK  RATE  OF  7  LBM/SEC  IS 
DEFINED  BY  THE  BOOSTER  MAIN  ENGINE  TABLES  WHEN  ALL  FOUR 
TELEMETRY  PARAMETER  DELTAS  (HPOT  DISCHARGE  TEMPERATURE, 
HPFT  DISCHARGE  TEMPERATURE,  HPFP  DISCHARGE  PRESSURE,  AND 
OPOV  POSITION)  EXCEED  THE  LEVEL  1  CRITERIA. 

Leakage  from  the  nozzle  tubes  is  the  most  likely  source  of  a  fuel  leak  based  upon  SSME  experience,  but 
Booster  will  call  any  fuel  leak  downstream  of  the  fuel  flowmeter  a  nozzle  leak.  During  a  nozzle  leak,  fuel  is 
lost  overboard  causing  a  decrease  in  thrust,  and  the  SSME  will  command  the  OPOV  open  in  cm  attempt  to 
maintain  a  constant  SSME  thrust.  As  the  leak  rate  gets  larger,  the  OPOV  will  continue  to  open  causing  the 
actual  SSME  mixture  ratio  and  thrust  to  increase.  When  the  maximum  OPOV  command  limit  is  exceeded, 
the  SSME  will  enter  a  mode  called  thrust  limiting  where  the  OPOV  will  no  longer  be  commanded  to  open 
further.  If  the  leak  rate  continues  to  increase  after  thrust  limiting,  the  actual  SSME  mixture  ratio  and 
thrust  will  start  to  decrease.  Due  to  the  difference  in  performance  parameter  trends  for  pre-thrust  limiting 
and  post-thrust  limiting  nozzle  leaks,  the  Booster  Mean  Engine  Tables  considers  them  separate 
performance  cases  for  the  ARD  update.  @[070899-6819  ] 

Pre-thrust  limiting  nozzle  leaks  will  be  assessed  for  cm  ARD  update  only  when  all  four  telemetry  parameter 
deltas  (HPOT  discharge  temperature,  HPFT  discharge  temperature,  HPFP  discharge  pressure,  and  OPOV 
position)  exceed  the  level  1  criteria  (fuel  leak  rate  ?  7  Ibm/sec)  listed  in  the  Booster  Mean  Engine  Tables 
( approved  at  the  A/EFTP  #  152  on  September  18,  1998).  The  minimum  criteria  protects  against 
erroneously  calling  the  case  due  to  prediction  sigmas,  and  it  reliably  differentiates  this  case  from  other- 
cases  that  have  similar  SSME  temperature,  pressure,  and  valve  movements.  In  the  case  of  pre-thrust 
limiting  nozzle  leaks,  the  level  1  criteria  for  OPOV  position  delta  (approximately  3  percent)  is  large 
enough  to  prevent  the  Block  I  SSME  OPOV  position  oscillation  (approximately  1  percent)  from 
erroneously  exceeding  the  minimum  cue  during  nominal  operations.  The  approximately  1  percent  OPOV 
oscillation  is  only  present  on  Block  I  SSME  and  not  on  Phase  11/Block  IIA/Block  II  SSME’s.  @[070899-6819  ] 

8.  POST-THRUST  LIMITING  NOZZLE  LEAKS  WILL  BE  CALLED  WITH 
THRUST  LIMITING  FLAG  SET. 

9.  AN  HPOT  EFFICIENCY  LOSS  WILL  BE  CALLED  WITH  THRUST 
LIMITING  FLAG  SET. 

An  ARD  update  will  be  made  for  a  post-thrust  limiting  nozzle  leak  or  HPOT  efficiency  loss  case  only 
when  the  SSME  has  entered  the  thrust-limiting  mode.  Subsequent  to  thrust  limiting,  the  two  cases  are 
differentiated  by  using  the  HPOT  discharge  temperature.  The  HPOT  discharge  temperature  will  rise  in 
both  of  the  thrust  limiting  cases,  but  the  delta  value  is  much  greater  in  the  case  of  a  nozzle  leak.  In  order 
to  differentiate  between  the  two  cases,  the  HPOT  discharge  temperature  delta  cue  was  developed  as  the 
breakover  value  for  each  of  these  cases.  The  HPOT  efficiency  loss  will  not  result  in  off-nominal  SSME 
operation  prior  to  thrust  limiting;  therefore,  it  is  only  assessed  after  thrust  limiting  is  initiated. 
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A5-110  SSME  PERFORMANCE  DISPERSION  (CONTINUED) 

The  SSME  Project  Office  acknowledges  that  there  are  “Overall  Call  Uncertainties”  associated  with  each 
of  the  off-nominal  SSME  performance  cases.  Uncertainties  exist  in  mixture  ratio ,  power  level,  and  Isp 
values.  Subsequen  t  to  the  quantification  of  an  off-nominal  performance  case,  mixture  ratio,  power  level, 
and  Isp  are  passed  to  the  Flight  Dynamics  Officer  and  are  used  to  update  the  ARD.  The  uncertainties 
associated  with  each  of  these  parameters,  for  each  of  the  performance  cases,  are  documen  ted  in  MSFC 
letter  EE21/095-016  (Review  of  Booster  Real-time  Software  (BRTS)  Algorithm ’s,  D.  R.  Goslin  to  B.  R. 
Stone,  March  17,  1995).  On  February  6,  1996,  the  Integration  Control  Board  (ICB)  made  the  decision 
not  to  protect  these  uncertainties  ( ICB  Item  WACMO0167,  Booster  Console  Uncertainty  on  ARD 
Performance ).  Therefore,  ARD  Flight  Propellant  Reser\’e  (FPR)  will  not  reflect  these  uncertainties. 
@[041196  1877] 

Rules  {A4-61},  THRUST  LIMITING,  HYDRAULIC,  OR  ELECTRICAL  LOCKUP;  {A5-2},  SPACE 
SHUTTLE  MAIN  ENGINE  OUT;  {A5-3J,  STUCK  THROTTLE;  and  {A5-106},  MANUAL  SHUTDOWN 
FOR  COMMAND/DATA  PATH  FAILURES  reference  this  rule.  @[061 297-61 47A  ]  ®[ED  ]  @[070899-6819  ] 

A5-111  AC  BUS  SENSOR  ELECTRONICS  CONTROL  [CIL] 

THE  ORBITER  AC  BUS  SENSOR  ELECTRONICS  POWER  SWITCH  WILL  BE  PLACED 
TO  "OFF"  FOR  THE  FOLLOWING  ENGINE  FAILURE  CASES: 

A.  ENGINE  OUT  (REF.  RULE  {A9-152},  AC  BUS  SENSORS  SWITCH 
MANAGEMENT)  @[121296-4624] 

B.  LOSS  OF  SSME  CONTROLLER  REDUNDANCY  (REF.  RULE  {A5-2},  SPACE 
SHUTTLE  MAIN  ENGINE  OUT)  ®[ED  ] 

C.  ALL  QUALIFIED  REDLINE  SENSORS  ON  A  SINGLE  REDLINE ,  ON  A 
SINGLE  CHANNEL,  VOTING  FOR  SHUTDOWN.  @[121296-4624] 

There  are  single  point  failures  in  the  ac  bus  sensor  electronics  that  can  cause  loss  of  a  single  phase  of  an 
ac  bus  which  powers  the  SSME  controllers.  After  an  engine  failure  or  electrical/avionics  failures  that 
leave  an  engine  one  failure  away  from  shutdown,  the  bus  overvoltage  protection  is  less  important  than 
keeping  an  engine  running.  Therefore,  the  sensor  monitoring  electronics  power  is  terminated  by  moving 
three  switches  (AC  BUS  SNSR)  on  panel  R1  to  OFF. 
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A5-112  MANUAL  THROTTLEDOWN  FOR  LQ2  NPSP  PROTECTION  AT 

SHUTDOWN 

MANUAL  THROTTLING  TO  THE  MINIMUM  SSME  POWER  LEVEL  WILL  BE 
PERFORMED  TO  PROTECT  MECO  LC£  NPSP  REQUIREMENTS  WHEN  LC£ 
LOW-LEVEL  CUTOFF  IS  PREDICTED  TO  OCCUR  BEFORE  FINE  COUNT 
THROTTLEDOWN.  MANUAL  THROTTLING  TO  THE  MINIMUM  POWER  LEVEL 
WILL  BE  PERFORMED  WHEN  THE  ONBOARD  PROPELLANT  REMAINING 
COMPUTATION  REACHES  2  PERCENT,  AND  THE  MCC  FLIGHT  DYNAMICS 
OFFICER  (FDO)  IS  PREDICTING  A  VELOCITY  UNDERSPEED  AT  MECO 
WHICH  IS  GREATER  THAN  THE  FOLLOWING:  @[071494-1645]  ©[121296-4630B] 

A.  TWO  OR  THREE  ENGINES  ON:  500  FT/SEC 

B.  ONE  ENGINE  ON:  250  FT/SEC 

THE  CREW  WILL  PERFORM  SSME  THROTTLEBACK  FOR  THE  ONE  ENGINE-ON 
CASE  EXCEPT  FOR  CERTAIN  CONTINGENCY  ABORT  CASES  (AS  DOCUMENTED 
ON  THE  CONTINGENCY  ABORT  CUE  CARDS  IN  THE  ASCENT  CHECKLIST 
FLIGHT  DATA  FILE)  OR  UNLESS  INSTRUCTED  TO  DO  OTHERWISE  BY  THE 
MCC.  @[071494-1645]  ®[121296-4630B] 

If  FDO  is  predicting  a  low-level  cutoff  prior  to  the  guidance  software  issuing  the  fine  count  command 
(ref.  rationale  of  Rule  { A4-59GJ ,  MANUAL  THROTTLE  SELECTION),  the  engines  will  shut  down  at  an 
unsafe  power  level.  This  will  cause  the  LO2  NPSP  to  be  well  below  the  required  value,  possibly  causing 
uncontained  engine  damage  at  shutdown.  For  two  or  three  engine-on  cases,  analysis  indicates  that  the 
vehicle  acceleration  near  MECO  will  be  sufficient  to  prevent  SSME  shutdown  prior  to  fine  count  as  long 
as  the  predicted  underspeed  (based  on  2  sigma  MPS  propellant  protection)  is  no  greater  than  500 ft/sec. 
Because  of  low  vehicle  acceleration,  analysis  of  the  single  engine-on  case  indicates  that  SSME 
requirements  will  not  be  violated  as  long  as  the  predicted  underspeed  (based  on  2  sigma  MPS  propellant 
protection)  at  MECO  is  less  than  250 ft/sec.  The  two/three  engine-on  case  assumes  a  vehicle  mass  of 
379,000  lbs  at  MECO  minus  10  seconds  and  the  one  engine-011  case  assumes  368,000  lbs  (the  difference 
is  based  on  the  additional  11,000  lbs  MPS  propellant  needed  for  the  two  engine-on  case,  which  will  also 
protect  the  three  engine-on  case).  Both  cases  assume  that  the  thrust  provided  by  a  single  engine  at  104 
percent  is  488,800  Ibf  The  500 ft/sec  and  250 ft/sec  cues  are  derived  from  using  the  F  =  M*A  equation, 
as  well  as  those  used  by  the  fine  count  throttle  logic  in  the  guidance  software  (reference  NASA 
memorandum  DF6-94-08,  dated  5/11/94).  If  the  predicted  underspeed  is  greater  than  allowed  for  either 
case,  manual  throttling  will  be  performed  to  the  minimum  power  level,  thereby  reducing  the  NPSP 
requiremen  ts  prior  to  reaching  a  low-level  cutoff  condition.  The  minimum  throttle  level  was  selected 
because  it  provides  the  best  LO2  NPSP  shutdown  conditions.  The  throttledown  cue  of  2  percent 
propellant  remaining  was  selected  to  allow  sufficient  time  to  perform  the  manual  throttling  while 
minimizing  any  performance  impact. 
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A5-112  MANUAL  THROTTLEDOWN  FOR  LQ2  NPSP  PROTECTION  AT 

SHUTDOWN  (CONTINUED) 


Analysis  (reference  Ascen  t/Entry  Flight  Techniques  Panel  # 91 ,  7/17/92 )  shows  that  most  of  the  error  in 
the  onboard  propellant  remaining  computation  occurs  on  the  two-engine-out  press-to-MECO  abort  when 
no  OMS  dump  is  performed.  Engine  performance  problems  also  contribute  to  the  propellant  remaining 
error.  The  worst  case  engine  problem  is  low  specific  impulse  (Isp).  Worst-on-worst  analysis  with  two 
engines  out  simultaneously  at  the  press-to-MECO  boundary  and  the  third  engine  running  with  an  Isp 
which  is  10  seconds  below  nominal  shows  that  the  2  percent  cue  still  provides  sufficient  time  to  throttle 
the  engine  down  before  low-level  cu  toff  occurs.  @[071494-1645  ] 

After  throttledown,  the  crew  will  be  prepared  to  perform  a  manual  MECO  at  the  desired  MECO  velocity 
should  it  be  reached  prior  to  the  low-level  cutoff. 

The  crew  will  not  always  throttleback  for  the  one  engine-on  case.  For  certain  contingency  aborts,  the 
software  determines  and  performs  fine  count  throttles  (throttleback)  as  required  for  MECO.  No  manned 
throttles  are  required  in  these  cases  as  documented  on  the  contingency  abort  cue  cards  in  the  ascent 
checklist  flight  datafile.  ®[i  21 296-4630B] 

Rule  (A2-64},  MANUAL  THROTTLE  CRITERIA ,  references  this  rule. 
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A5-113  MANUAL  MECO/MECO  CONFIRMED  ®[1 1 0900-7230A] 

A.  PERFORMING  MANUAL  MECO 

MANUAL  MECO  IS  PERFORMED  BY  PRESSING  ALL  THREE  MAIN  ENGINE 
SHUTDOWN  PUSHBUTTONS  SIMULTANEOUSLY.  IF  FAILURE (S)  CAUSE  THE 
MAIN  ENGINE  SHUTDOWN  PUSHBUTTONS  TO  NOT  COMMAND  MECO,  THEN  THE 
MANUAL  MECO  WILL  BE  PERFORMED  VIA  THE  ALTERNATE  METHODS  FOR 
SETTING  THE  MECO  CONFIRMED  FLAG  OUTLINED  IN  PARAGRAPH  B. 

If  required,  manual  MECO  is  usually  performed  by  pressing  the  three  SSME  shutdown  pushbuttons 
simultaneously.  The  crews  are  trained  to  perform  manual  MECO  using  all  three  pushbuttons  rather 
than  just  the  pushbuttons  of  running  engines  because  pushing  all  three  pushbuttons  protects  against 
certain  failure  scenarios  without  creating  any  additional  risk.  However,  under  certain  conditions, 
pressing  all  three  pushbuttons  will  not  command  MECO.  If  a  failed  contact  ( i.  e. ,  due  to  control  bus  or 
bad  contact)  on  any  pushbutton  cannot  be  comm-faulted  prior  to  MECO  or  if  both  contacts  have  either 
failed  or  are  comm-faulted,  MECO  will  not  be  commanded  when  all  three  pushbuttons  are  pushed. 

These  failures  will  result  in  two  engines  being  shut  down  while  the  engine  associated  with  the  bad 
pushbutton  will  continue  to  run.  If  such  a  failure  is  recognized  prior  to  MECO  and  manual  MECO  is 
required,  the  crew  will  be  instructed  to  command  MECO  by  setting  the  MECO  confirmed  flag  via  the 
appropriate  alternate  method  outlined  in  paragraph  B. 

Performing  a  manual  MECO  on  any  trajectory  is  very  time  critical,  and  it  must  be  recognized  ahead  of 
time  if  the  three  pushbuttons  will  not  work  so  that  alternate  methods  may  be  employed  at  the  required 
moment. 

B.  SETTING  THE  MECO  CONFIRMED  FLAG 

THE  THREE  MAIN  ENGINE  SHUTDOWN  PUSHBUTTONS  WILL  BE  PUSHED 
POST  MECO  FOR  MULTIPLE  COMMAND/DATA  PATH  FAILURE  CASES  TO  SET 
THE  MECO  CONFIRMED  FLAG.  IF  THE  MECO  CONFIRMED  FLAG  WILL  NOT 
BE  SET  WHEN  THE  SHUTDOWN  PUSHBUTTONS  ARE  PRESSED,  IT  WILL  BE 
OBTAINED  VIA  THE  FOLLOWING  ALTERNATE  METHODS: 

1.  NOMINAL/ ATO/TAL :  MANUALLY  PROCEEDING  TO  OPS  104 

2.  RTLS :  PERFORMING  A  FAST  SEP  FROM  THE  EXTERNAL  TANK 

®[1 1 0900-7230A  ] 
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A5-113  MANUAL  MECO/MECO  CONFIRMED  (CONTINUED) 

The  SSME  operations  sequence  will  set  the  MECO  confirmed  flag  for  chamber  pressure  less  than  30 
percen  t  on  all  three  engines  or  a  data  path  failure  on  one  engine  and  the  chamber  pressure  less  than  30 
percen  t  on  the  other  two  engines.  If  two  engines  experience  a  data  path  failure,  the  software  will  never 
pass  this  check  and  MECO  confirmed  flag  will  not  be  set.  To  work  around  this  problem,  the  crew  can 
push  the  three  shutdown  pushbuttons  after  MECO  to  set  the  MECO  confirmed  flag.  Prior  to  01-22,  all 
three  SSME  pushbuttons  had  to  be  pressed  simultaneously  in  order  to  set  the  MECO  confirmed  flag  in 
the  BFS.  In  01-22  and  subsequent,  the  SSME  pushbuttons  can  be  pressed  individually  to  set  the  MECO 
confirmed  flag  ( CRH  89203 A).  The  MECO  confirmed  flag  must  be  set  to  start  the  ET  separation 
sequence.  ®[1 1 0900-7230A] 

In  the  event  that  multiple  avionics  failures  or  a  failed  pushbutton  contact  has  disabled  a  shutdown 
pushbutton,  alternate  methods  of  setting  the  MECO  confirmed  flag  must  be  performed.  On  nominal 
ATO  and  TAL  trajectories,  the  MECO  confirmed  flag  can  be  set  by  manually  keying  in  OPS  104 
PRO.  Since  the  OPS  104  transition  is  not  legal  on  cm  RTLS  trajectory,  the  MECO  confirmed  flag 
must  be  set  by  performing  a  fast  sep  from  the  external  tank.  A  fast  sep  is  performed  by  taking  the 
ET  SEPARATION  switch  to  MAN  and  pressing  the  ET  SEPARATION  pushbutton.  In  PASS,  fast  sep 
logic  is  only  supported  in  major  modes  102,  601,  or  in  major  mode  103  when  the  Second  SSME  Fail 
Confirm  flag  had  been  set.  BFS  only  supports  fast  sep  logic  in  major  mode  102.  ®[1 1 0900-7230A] 

The  above  steps  are  taken  post  MECO  because  setting  the  MECO  confirmed  flag  at  or  before 
MECO  causes  MECO  to  be  commanded.  On  uphill  and  TAL  trajectories,  setting  the  MECO 
confirmed  flag  to  cdlow  the  ET  separation  sequence  to  proceed  is  not  particularly  time  critical  so 
the  three  pushbuttons  can  be  tried  first  before  other  methods.  However,  setting  MECO  confirmed 
on  cm  RTLS  trajectory  is  very  time  critical.  In  time  critical  situations,  it  must  be  recognized  ahead 
of  time  if  the  three  pushbuttons  will  not  work  so  that  alternate  methods  may  be  employed  at  the 
required  moment.  ®[1 1 0900-7230A] 

Reference  Rule  {A5-104},  DATA  PATH  FAIL/ENGINE-ON  LIMIT  SHUTDOWN  CONTROL. 

®[1 21 296-4594A] 
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A5-114  SSME  HYDRAULIC  REPRESSURIZATION/POSTLANDING  SSME 

REPOSITIONING 

A.  ON-ORBIT/ENTRY-1  DAY  REPRESSURIZATION 

APPLICATION  OF  MPS  HELIUM  TO  SSME  VALVE  ACTUATORS  IS  NOT 
REQUIRED  DURING  HYDRAULIC  REPRESSURIZATION  AND  SSME 
REPOSITIONING  WHEN  THE  TVC  ACTUATORS  DRIFT  OUT  OF  POSITION 
PER  FLIGHT  RULE  {A8-106},  TVC-SSME  STOW/ACTUATOR  FLUID 
FILL  (REPRESSURIZATION) . 

B.  ENTRY/POSTLANDING  REPOSITIONING 

MPS  HELIUM  WILL  BE  PROVIDED  TO  THE  ENGINES  DURING  HYDRAULIC 
REPRESSURIZATION  AND  SSME  REPOSITIONING.  THIS  ENSURES  THAT 
ENGINE  VALVES  DO  NOT  DRIFT  OPEN.  HOWEVER,  LACK  OF  HELIUM  IS 
NOT  A  CONSTRAINT  AGAINST  PERFORMING  EITHER  PROCEDURE. 


Hydraulic  pressure  is  applied  to  the  TVC  actuators  to  prevent  SSME  movement  during  on-orbit,  entry,  and 
postlanding  operations.  Maintaining  helium  pressure  on  the  closed  side  of  the  engine  valves  will  keep  the 
valves  from  opening  when  hydraulic  pressure  is  applied  to  the  TVC  actuators.  Keeping  the  valves  closed 
prevents  engine  contamination  during  entry  and  postlanding.  On-orbit  SSME  contamination  is  unlikely; 
therefore,  the  application  of  helium  for  on-orbit  TVC  drift  is  not  required.  This  will  also  reduce  MPS 
helium  regulator  cycles. 


A5-115  THROUGH  A5-150  RULES  ARE  RESERVED 
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MPS  MANAGEMENT:  PRELAUNCH  THROUGH  MECO 


A5-151  PRE-MECO  MPS  HELIUM  SYSTEM  LEAK  ISOLATION  [CIL] 

A.  MPS  ENGINE  SYSTEM  HELIUM  LEAK  ISOLATION  WILL  BE  PERFORMED  FOR 

ANY  SIGNIFICANT  LEAK  (PER  RULE  {A5-10},  SIGNIFICANT  ENGINE 
HELIUM  SYSTEM  LEAK)  AS  LONG  AS  THE  ATTEMPT  TO  ISOLATE  THE 
LEAK  WILL  NOT  CAUSE  THE  ENGINE  TO  SHUT  DOWN.  @[090894-1 676A]  ®[ED  ] 

If  an  MPS  engine  helium  system  experiences  a  helium  leak  the  crew  will  perform  a  helium  leak  isolation 
procedure.  However,  since  certain  power  bus  failures  will  result  in  helium  leg  A  isolation  valves  failing 
closed  (MNA,  APC4  or  ALC1;  MNB,  APC5  or  ALC2;  or  MNC,  APC6  or  ALC3  failure  will  close  the 
center,  left,  or  right  SSME  isolation  valve,  respectively),  the  crew  must  be  reminded  not  to  attempt  leak 
isolation  for  these  cases.  The  closing  of  the  leg  B  isolation  valve  will  stop  helium  flow  to  the  engine  and 
cause  an  SSME  redline  limit  shutdown  due  to  low  HPOTP  intermediate  seal  (IMSL)  purge  pressure.  The 
shutdown  may  cause  engine  damage  since  both  regulator  isolation  valves  are  closed.  No  helium  will  be 
available  for  SSME  IMSL  purging  during  the  shutdown  sequence. 

B.  AN  ATTEMPT  WILL  BE  MADE  TO  ISOLATE  ANY  SIGNIFICANT  PNEUMATIC 
SYSTEM  LEAK  (REF.  RULE  {A5-11},  SIGNIFICANT  PNEUMATIC  SYSTEM 
HELIUM  LEAK)  .  ®[ED  ] 

A  significant  pneumatic  system  helium  leak  could  result  in  insufficient  pressure  for  prevalve  actuation  at 
MECO.  The  LO2  prevalves  are  required  to  close  at  MECO  in  order  to  maintain  pressure  at  the  HPOTP 
pump  inlet.  This  prevents  pump  cavitation  and  overspeed  which  could  result  in  uncontained  SSME 
damage.  An  attempt  is  made  to  isolate  the  pneumatic  helium  supply  so  the  remaining  helium  can  be  used 
to  pressurize  the  pneumatic  accumulator  and  support  prevalve  closure  at  MECO. 

C.  IF  AN  MPS  PNEUMATIC  HELIUM  SYSTEM  LEAK/ I SOLAT ION  CAUSES 
INSUFFICIENT  PNEUMATIC  HELIUM  ACCUMULATOR  PRESSURE  (REF. 

RULE  { A5-12 }  ,  INSUFFICIENT  PNEUMATIC  HELIUM  ACCUMULATOR 
PRESSURE),  THE  SYSTEM  WILL  BE  RECONFIGURED  AT  MECO-30 
SECONDS.  ®[ED  ] 

Seven  hundred  psia  in  the  pneumatic  accumulator  is  the  minimum  non-resupplied  pressure  which  will 
close  all  the  LO2  prevalves  within  timing  constraints  at  MECO.  If  the  pneumatic  helium  supply  has  been 
isolated  due  to  a  leak  or  is  used  to  support  the  mciinstage  operation  of  an  engine  with  a  helium  leak,  the 
pneumatic  accumulator  pressure  may  fall  below  700  psia.  Should  the  accumulator  pressure  fall  below 
700  psia  for  any  reason,  the  pneumatic  helium  isolation  valves,  the  left  engine  helium  crossover  valve 
and,  if  necessary,  the  engine  interconnect  valves,  will  be  reconfigured  to  repressurize  it.  This  will  be 
accomplished  at  MECO  minus  30  seconds  and  ensures  that  700  psia  is  available  in  the  pneumatic 
accumulator  until  the  start  of  prevalve  closure  at  MECO. 

Note:  Taking  the  interconnect  out-open  to  open  on  an  engine  when  the  pneumatic  tank  is  depleted  will 
not  cause  a  large  enough  flow  transient  to  cause  the  engine  to  shut  down  (documented  by  RI  Downey 
internal  letter  number  287-100-93-259,  dated  11/09/93).  ©[090894-1676A] 
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A.  TO  SUSTAIN  THE  OPERATION  OF  AN  ENGINE  WITH  AN  MPS  HELIUM  LEAK, 
FOR  SINGLE  REGULATOR  OPERATION,  OR  FOR  EXTENDED  BURN  TIME, 
HELIUM  SYSTEM  INTERCONNECTS  WILL  BE  PERFORMED  AT  THE  FOLLOWING 
CUES:  ®[090894-1676A]  @[050400-71 95A] 

If  a  helium  leak  develops  and  the  decay  rate  is  such  that  the  engine  will  not  meet  zero-g  shutdown 
requiremen  ts  or  will  cause  an  early  shutdown,  the  helium  system  of  an  engine  and/or  the  pneumatic 
helium  system  will  be  interconnected  to  that  engine’s  system.  This  action  may  allow  the  engine  to  meet 
the  zero-g  shutdown  requirements  and  will  maintain  engine  operation  as  long  as  possible.  Similar  action 
is  taken  if  the  leak  has  been  isolated  and  the  system  will  not  meet  shutdown  requirements. 

A  tank  pressure  of  920  psia  (900  psia  required  +  20  psia  instrumentation  error)  is  the  minimum  value, 
including  instrumentation  error,  which  will  support  the  normal  operating  range  of  the  helium  system 
regulators.  The  difference  between  the  actual  requirement,  920  psia,  and  the  C&W  value,  1150  psia, 
results  from  a  change  in  the  estimated  instrumentation  error  of  the  helium  tank  pressure  transducers  as  a 
result  of  vehicle  specific  calibration  curves.  With  calibration  curve  coefficients  unique  to  each  helium 
tank  pressure  transducer,  the  accuracy  of  each  reading  is  0.15  percen  t.  An  accuracy  of  0.15  percen  t 
over  the  5000  psia  transducer  range  equates  to  an  error  of  7.5  psia.  To  account  for  any  potential 
degradation  in  accuracy  ( e. g. ,  transducer  replacements  where  the  new  transducer  is  less  accurate  or 
calibration  equipment  changes),  one  PCM  count  (10  psia)  was  added  to  the  7.5  psia  error.  This  new 
instrumentation  error  of  17.5  psia  was  then  rounded  to  the  nearest  PCM  count  resulting  in  20  psia 
instrumentation  error  used  by  the  MCC  and  incorporated  into  crew  procedures.  The  interconnect  cues 
shown  in  the  subsequent  paragraphs  are  used  as  a  guideline  to  ensure  sufficient  helium  to  sustain  SSME 
operation  with  a  helium  leak.  It  is  important  to  note  that  the  interconnect  must  be  performed  above  the 
minimum  tank  pressure  required  to  support  the  shutdown  mode.  That  is,  the  interconnect  must  be 
performed  at  a  higher  tank  pressure  for  a  pneumatic  shutdown  than  for  a  pre-MECO  redline  shutdown 
due  to  helium  depletion  because  the  pneumatic  shutdown  requires  more  helium.  The  tank  pressure  of 
920  is  quoted  as  the  “no  later  than  ”  cue  in  order  to  provide  the  absolute  minimum  tank  pressure  above 
which  the  interconnect  must  be  performed.  Since  there  is  not  one  tank  pressure  interconnect  to  satisfy  all 
cases  (leak  types,  shutdown  mode,  leak  size,  etc.),  the  C&W  cue  of  1150  is  sufficient  for  the  crew  to  use 
in  no-comm  cases.  The  change  in  calculated  instrumentation  error  did  not  warrant  a  change  to  the 
onboard  software  or  hardware  caution  and  warning.  @[050495-1 767B]  @[100997-6298  ]  @[110900-7239  ] 
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(CONTINUED) 


Since  the  helium  tank  and  regulator  pressure  requirements  were  derived  using  vehicle  specific 
calibration  curves,  it  must  be  noted  that  the  onboard  readings  will  vary  between  the  BFS  GNC  SYS 
SUMM  1  display  and  the  OMS/MPS  MEDS  display  / MCDS  MPS  meter.  The  BFS  GNC  SYS  SUMM  1 
data  is  based  on  vehicle  specific  calibration  curve  coefficients;  whereas  due  to  system  limitations,  the 
OMS/MPS  MEDS  display  and  the  MCDS  MPS  meter  data  are  based  on  generic  calibration  curve 
coefficien  ts.  When  the  MCC  calls  for  cm  interconnect  or  SSME  shu  tdown  based  on  a  helium  tank  or 
regulator  pressure,  it  is  understood  that  the  crew  will  use  the  data  available  on  the  BFS  GNC  SYS 
SUMM  1  display.  This  understanding  was  accepted  by  CB,  DT,  and  DA8  (reference  AEFTP  #152, 
September  18,  1998).  @[110900-7239  ] 

Dropping  helium  system  regulator  outlet  pressure  is  also  used  to  detect  potential  SSME  HPOTP 
intermediate  seed  (IMSL)  purge  pressure  violations.  If  both  helium  regulators  have  been  in  steady  state 
operation  between  715  psia  and  785  psia  outlet  pressure,  a  sudden  decrease  in  outlet  pressure  may  be 
indicative  of  a  system  failure.  Action  is  taken  as  soon  as  both  regulator  outlet  pressures  fall  below  715 
(679)  psia  in  an  attempt  to  preven  t  the  engine  from  shutting  down.  Six  hundred  and  seventy  nine  psia 
was  derived  from  the  minimum  normal  regulator  outlet  pressure,  715  psia,  minus  36  psia 
instrumentation  error  prior  to  OI-26B.  For  OI-26B  and  subsequent  flights,  the  instrumentation  error 
was  reduced  to  5  psia.  However,  the  Caution  and  Warning  limit  remains  at  679  psia  because  the  change 
to  5  psia  would  result  in  a  Caution  and  Warning  value  very  close  to  the  nominal  con  trol  band  of  the 
regulator  (regulator  is  psig,  instrumentation  is  psia)  and  was  not  considered  worth  the  effort  in  updating 
Caution  and  Warning.  With  regard  to  helium  system  leaks,  a  regulator  outlet  pressure  below  715  psia 
does  not  indicate  that  the  regulator  is  malfunctioning.  Low  outlet  pressures  are  indicative  of  helium 
system  leaks  which  result  in  high  helium  mass  flow  rates  or  supply  tank  depletion  resulting  in  low  inlet 
pressures  to  the  system  regulators.  Taking  action  at  679  psia  not  only  prevents  premature  helium  system 
interconnecting,  but  also  gives  some  assurance  that  another  helium  system  can  be  interconnected  to  the 
leaking  supply  before  the  engine  interface  pressure  reaches  the  expected  shutdown  value  of  518  psia  for 
the  Phase  II  SSME,  or  576  psia  for  the  BLOCK  I  SSME,  BLOCK  IIA  SSME,  and  the  BLOCK  II  SSME 
(reference  SODB  data  requests  Rl-1507  and  Rl-1640,  respectively)  even  with  the  reduction  in 
instrumentation  error  with  OI-26B.  @[050495-1 767B]  @[020196-1812]  ®[1 21 197-6472A]  @[050400-71 95A]  @[110900- 
7239] 
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(CONTINUED) 

1.  FOR  A  NON-I SOLATABLE  UPPER  SYSTEM  LEAK:  @[050400-71 95A] 

a.  WITH  THREE  ENGINES  ON,  HELIUM  SYSTEM  INTERCONNECTS 

WILL  BE  PERFORMED  AS  LATE  AS  PRACTICAL,  BUT  ABOVE  THE 
MINIMUM  ENGINE  TANK  PRESSURE  REQUIRED  TO  SUPPORT  THE 
ENGINE  SHUTDOWN  MODE  PER  RULE  {A5-153},  PRE-MECO 
SHUTDOWN  OF  ENGINES  DUE  TO  MPS  HELIUM  LEAKS,  AND  NO 
LATER  THAN  900  PSIA  (920  PSIA)  TANK  PRESSURE  ON  THE 
AFFECTED  ENGINE  OR  WHEN  BOTH  HELIUM  SYSTEM  REGULATOR 
PRESSURES  ARE  BELOW  715  (679)  PSIA.  @[050495-1 767B] 

@[110900-7239] 

When  a  non-isolatable  upper  system  leak  occurs,  it  is  best  to  perform  helium  interconnects  as  close  to 
the  minimum  shutdown  requirement  as  possible.  If  the  interconnect  is  performed  too  early  and  the 
system  leak  is  a  tank  leak,  helium  in  the  leaking  tank  will  no  longer  be  used  to  support  engine  operation 
and  will  therefore  be  wasted. 

b.  WITH  LESS  THAN  THREE  ENGINES  ON,  HELIUM  SYSTEM 
INTERCONNECTS  WILL  BE  PERFORMED  AS  SOON  AS  PRACTICAL 
BUT  ABOVE  THE  CUES  GIVEN  IN  PARAGRAPH  A . 1 . a . 

When  a  non-isolatable  upper  system  leak  occurs  after  an  engine  has  shut  down,  helium  interconnects 
can  be  performed  as  soon  as  practical.  An  upper  system  leak  could  be  either  a  leak  in  the  engine’s 
helium  tank  or  an  upper  system  leak  above  the  helium  regulators.  If  the  leak  is  an  upper  system  leak, 
then  in  terconnecting  as  soon  as  practical  does  not  waste  any  helium.  If  the  leak  is  in  the  tank, 
in  terconnecting  as  soon  as  practical  will  result  in  the  helium  from  the  leaking  tank  being  wasted. 

However,  a  good  interconnect  from  a  previously  shutdown  engine  will  provide  a  nominal  feed  rate  to 
the  engine  with  the  tank  leak  and  will  allow  it  to  support  a  zero-g  shutdown.  Interconnecting  early  not 
only  allows  the  reconfiguration  to  take  place  while  the  crew  is  in  a  low  g  environment,  but  also  allows 
for  cm  earlier  assessmen  t  of  the  shut  down  requiremen  ts  of  the  leaking  engine.  @[050400-71 95A] 
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(CONTINUED) 

2.  FOR  A  NON-I SOLATABLE  LOWER  SYSTEM  LEAK,  HELIUM  SYSTEM 
INTERCONNECTS  WILL  BE  PERFORMED  AS  SOON  AS  PRACTICAL, 

BUT  ABOVE  THE  MINIMUM  ENGINE  TANK  PRESSURE  REQUIRED  TO 
SUPPORT  THE  ENGINE  SHUTDOWN  MODE  PER  RULE  {A5-153},  PRE- 
MECO  SHUTDOWN  OF  ENGINES  DUE  TO  MPS  HELIUM  LEAKS,  AND  NO 
LATER  THAN  900  PSIA  (920  PSIA)  TANK  PRESSURE  ON  THE 
AFFECTED  ENGINE  OR  WHEN  BOTH  HELIUM  SYSTEM  REGULATOR 
PRESSURES  ARE  BELOW  715  (679)  PSIA.  ©[050495-1767B]  @[050400-71 95A] 

@[110900-7239] 

For  non-isolatable  lower  system  leaks,  helium  interconnects  can  be  performed  immediately  after  leak 
iden  tification,  but  must  be  performed  above  the  minimum  tank  pressure  needed  to  support  engine 
shutdown.  A  leak  below  the  regulator  will  have  the  same  mass  flow  rate  after  the  interconnect  that  it  had 
prior  to  the  interconnect.  Interconnecting  early  allows  the  reconfiguration  to  take  place  while  the  crew 
is  in  a  low  g  environment. 

3.  FOR  A  NON  ISOLATABLE  LEAK  THAT  REQUIRES  INTERCONNECTING 
THE  HELIUM  SYSTEM  OF  A  NON-LEAKING  RUNNING  ENGINE,  THE 
INTERCONNECT  WILL  BE  PERFORMED  WHEN  THE  TANK  PRESSURES  ON 
ALL  PREVIOUSLY  INTERCONNECTED  SYSTEMS  REACH  500  PSIA  OR 
THE  AFFECTED  SSME  HPOTP  IMSL  PRESSURE  REACHES  70  PSIA. 

If  the  leaking  engine  supply,  the  previously  shut  down  engine  supply,  and  the  pneumatic  supply  are 
insufficient  to  obtain  single  engine  abort  capability  to  a  landing  site,  interconnecting  is  also  allowed, 
within  certain  limits,  from  the  remaining  engine  which  has  a  good  MPS  helium  supply  in  an  attempt  to 
regain  landing  site  abort  capability  per  paragraph  B.2.a.  Because  cm  attempt  is  being  made  to  avoid  a 
contingency  abort  due  to  insufficient  MPS  helium,  the  interconnect  from  a  non  leaking  running  SSME 
helium  supply  to  cm  engine  with  a  leaking  helium  supply  will  be  performed  as  late  as  is  reasonably 
possible.  The  interconnect  will  be  performed  once  the  leaking  system  reaches  500  psia  (500  psia  is  a 
generic  tank  pressure  which,  with  SSME  limits  inhibited,  should  ensure  that  crossover  margin  is 
maintained  in  the  SSME  HPOT  IMSL  package)  or  cm  HPOTP  IMSL  pressure  of  70  psia  (70  psia  provides 
10  psia  interconnect  margin  against  the  Block  I/IIA/II  SSME  limit  of  60  psia  in  rule  {A5-153Cj.2.a,  PRE- 
MECO  SHUT  DOWN  OF  ENGINES  DUE  TO  MPS  HELIUM  LEAKS).  An  interconnect  cue  of  500  psia  in 
the  tank  or  70  psia  in  the  IMSL  package  should  also  preven  t  the  SSME  HPOT  IMSL  pressure  from 
decaying  below  60  psia  while  the  SSME  is  operating.  ®[050400-7i95A] 
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(CONTINUED) 

4.  FOR  SINGLE  REGULATOR  OPERATION  OF  THE  MPS  HELIUM  SYSTEM, 
HELIUM  SYSTEM  INTERCONNECTS  WILL  BE  PERFORMED  AS  SOON  AS 
PRACTICAL,  BUT  ABOVE  THE  MINIMUM  TANK  PRESSURE  REQUIRED 
TO  SUPPORT  THE  SINGLE  REGULATOR  SHUTDOWN  MODE  PER  RULE 
{ A5-153 } ,  PRE-MECO  SHUTDOWN  OF  ENGINES  DUE  TO  MPS  HELIUM 
LEAKS,  AND  NO  LATER  THAN  900  PSIA  (920)  OR  WHEN  BOTH 
HELIUM  SYSTEM  REGULATOR  PRESSURES  ARE  BELOW  715  (679) 

PSIA.  @[050495-1 767B]  @[050400-71 95A]  @[110900-7239] 


If  a  helium  system  is  operating  on  a  single  regulator,  due  to  an  isolated  leak  or  any  other  system 
failure,  the  resulting  mass  flow  rate  of  helium  through  the  system  is  nominal.  Therefore,  helium  system 
interconnects  may  be  accomplished  as  soon  as  convenient.  When  operating  on  a  single  regulator,  all 
shut  down  modes  must  protect  for  single  regulator  operation.  A  single  regulator  providing  helium 
flow  to  an  engine  must  flow  the  equivalent  helium  of  two  operating  regulators.  Higher  pressures  must 
be  main  tained  at  the  regulator  inlet  in  order  to  ensure  that  shutdown  pressu  re  and  mass  flow  rate 
requirements  are  satisfied. 

5.  FOR  AN  ENGINE  REQUIRING  EXTENDED  ENGINE  BURN  TIME,  HELIUM 
SYSTEM  INTERCONNECTS  WILL  BE  PERFORMED  AS  SOON  AS 
PRACTICAL,  BUT  ABOVE  THE  MINIMUM  ENGINE  TANK  PRESSURE 
REQUIRED  TO  SUPPORT  THE  ENGINE  SHUTDOWN  MODE  PER  THE 
HELIUM  CURVES  FOR  A  NON- I SOL AT ABLE  LOWER  SYSTEM  LEAK  WITH 
NOMINAL  FLOW  RATE  GIVEN  IN  RULE  {A5-153E}.1,  PRE-MECO 
SHUTDOWN  OF  ENGINES  DUE  TO  MPS  HELIUM  LEAKS,  AND  NO  LATER 
THAN  900  PSIA  (920  PSIA)  TANK  PRESSURE  ON  THE  AFFECTED 
ENGINE  OR  WHEN  BOTH  HELIUM  SYSTEM  REGULATOR  PRESSURES  ARE 
BELOW  715  (67  9)  PSIA.  @[110900-7239] 


If  the  predicted  MECO  time  is  extended  due  to  low  ascen  t  performance  or  cm  abort  requiremen  t  such 
that  interconnecting  is  necessary  to  meet  shutdown  requirements,  the  pneumatic  system  and  the  helium 
system  of  any  failed  engine  can  be  in  terconnected  to  a  running  engine  as  soon  as  practical.  The 
minimum  tank  pressure  which  will  support  a  zero-g  shut  down  of  cm  engine  with  two  good  regulators 
and  no  helium  leak  is  given  in  the  helium  curves  for  a  non-isolatable  lower  system  leak  with  nominal 
flow  rate  in  rule  {A5-153EJ.1,  PRE-MECO  SHUTDOWN  OF  ENGINES  DUE  TO  MPS  HELIUM 
LEAKS.  Since  cm  engine  with  extended  burn  time  has  a  constant  helium  usage,  the  curve  for  cm  engine 
with  a  non-isolatable  lower  system  helium  leak  is  used  to  define  the  minimum  zero-g  requirement. 
@[090894-1 676A]  @[050400-71 95A] 
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(CONTINUED) 

6.  IN  THE  NO-COMM  CASE,  THE  CREW  WILL  PERFORM  HELIUM  SYSTEM 
INTERCONNECTS  AT  A  SYSTEM  PRESSURE  OF  1150  PSIA  OR  WHEN 
BOTH  HELIUM  SYSTEM  REGULATOR  PRESSURES  ARE  BELOW  715 
(679)  PSIA.  @[050400-71 95A] 

In  the  loss  of  comm  case,  crew  action  is  taken  at  1150  psia.  1150  psia  is  the  C&W  limit.  The  alarms 
and  tones  annunciated  at  1150  psia  are  a  good  reminder  to  the  crew  that  action  needs  to  be  taken.  If 
the  tank  pressure  reaches  this  value  and  continues  to  fall,  the  engine  HPOTP IMSL  purge  redline  limit 
may  be  violated.  Action  is  taken  at  1150  psia  to  preclude  cm  early  engine  out  situation  while  making  as 
much  use  of  available  helium  as  possible.  The  engine  IMSL  seal  limit  should  not  be  violated  until  the 
pressure  decays  below  approximately  518  psia  at  the  engine  interface  for  the  Phase  II SSME  (ref.  SODB 
Vol.  3,  Section  4.3.1)  or  576  psia  at  the  engine  in  terface  for  the  BLOCK  I  SSME,  BLOCK  IIA  SSME, 
and  the  BLOCK  II  SSME  (ref.  SSME  test  901-835  and  the  09-13-95  PSIG).  @[050495-1 767B]  @[020196- 
1812]  @[100997-6298]  @[121 197-6472A]  @[110900-7239] 

B.  IF  THE  INTERCONNECT  CUES  IN  PARAGRAPH  A  ARE  MET,  THE 

INTERCONNECT  OF  THE  PNEUMATIC  HELIUM  SYSTEM  OR  THE  HELIUM 
SYSTEM  OF  ANOTHER  ENGINE  WILL  BE  PERFORMED  PER  THE  FOLLOWING 
CONDITIONS:  @[090894-1 676A]  @[100997-6298] 

If  an  engine  helium  supply  is  depleting  due  to  a  leak,  or  helium  shut  down  requirements  are  not  met  due 
to  extended  burn  times  or  single  regulator  operation,  interconnecting  other  helium  systems  will  be 
allowed  in  some  situations  to  sustain  the  operation  of  cm  engine. 

1.  WITH  THREE  ENGINES  ON: 

ONLY  THE  PNEUMATIC  HELIUM  SYSTEM  WILL  BE  INTERCONNECTED 
AND  THE  ENTIRE  SYSTEM  WILL  BE  USED  IF  REQUIRED. 

The  en  tire  pneumatic  helium  system  will  be  used  to  sustain  the  operation  of  cm  engine,  since  sufficient 
helium  margin  should  be  available  in  the  other  two  helium  systems  and  the  pneumatic  accumulator  to 
satisfy  the  zero-g  requirements  for  prevalve  actuation,  SSME  pogo  system  post-charge,  shutdown  and 
entry  environmental  purges,  and  entry  MPS  manifold  pressurization.  @[090894-1 676A] 
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2.  WITH  TWO  ENGINES  ON:  @[050400-71 95A] 

a.  INTERCONNECTING  THE  PNEUMATIC  HELIUM  SYSTEM  AND  THE 

HELIUM  SYSTEM  OF  THE  PREVIOUSLY  SHUT  DOWN  ENGINE  WILL 
BE  PERFORMED. 


For  the  two  engine  on  case ,  interconnecting  is  allowed  from  the  previously  shut  down  engine  and  the 
pneumatic  system.  This  will  not  only  maximize  the  leaking  engine  run  time  but  may  also  re-establish 
zero-g  shutdown  capability.  ®[i  1 0900-7239  ] 

b.  INTERCONNECTING  THE  HELIUM  SYSTEM  OF  THE  NON-LEAKING 
RUNNING  ENGINE  WILL  BE  PERFORMED  BY  TAKING  THE 
INTERCONNECT  VALVE  OF  THE  NON-LEAKING  RUNNING  ENGINE 
TO  OUT  OPEN  FOR  15  SECONDS  (ONE  TIME  ONLY)  AND  THEN 
BACK  TO  THE  GPC  POSITION  IF  ALL  OF  THE  FOLLOWING 
CONDITIONS  ARE  SATISFIED: 

(1)  THE  INTERCONNECTS  PER  PARAGRAPH  B.2.a  WILL  NOT 
ALLOW  THE  LEAKING  ENGINE  TO  SUPPORT  SINGLE 
ENGINE  ABORT  CAPABILITY  TO  A  LANDING  SITE 
(SINGLE  ENGINE  LIMITS  OR  SINGLE  ENGINE  RTLS 
BOUNDARY) ,  AND 

(2)  THE  TOTAL  FLOWRATE  OF  THE  LEAKING  SYSTEM  HAS 
NEVER  BEEN  GREATER  THAN  0.30  LBM/SEC. 


Margin  in  the  non-leaking,  running  SSME  MPS  helium  supply  will  be  used  to  support  the  operation  of 
another  SSME  with  a  leaking  supply.  Interconnecting  in  this  case  will  result  in  one  MPS  helium  supply 
supporting  two  SSME’s,  one  at  an  off-nominal  flowrate.  Consequently,  the  interconnect  of  a  running 
supply  will  only  be  performed  if  the  toted  flowrate  of  the  leaking  supply  has  never  been  greater  than  0.30 
Ibm/sec.  The  0.30  Ibm/sec  total  flowrate  requiremen  t  is  a  gen  eric  value  which  will  provide  at  least  15 
seconds,  and  at  most  1.5  minutes,  of  additional  runtime  for  the  SSME  with  the  leaking  supply.  Toted  flow 
rates  above  0.30  Ibm/sec  make  it  extremely  likely  that  either  a  second  SSME  will  fail  prior  to  reaching  a 
certified  abort  boundary,  or  that  helium  available  to  the  last  SSME  will  be  depleted  to  a  level  which  is 
below  MECO  requiremen  ts.  By  not  interconnecting  for  large  leaks,  three  SSME  out  contingency  aborts 
are  avoided  and  a  crew  survived  path  is  maintained  by  two  SSME  out  abort  coverage.  @[100997-6298  ] 
©[121197-6472A]  @[050400-71 95A] 
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Numerous  assumptions  had  to  be  made  in  order  to  cover  this  case  with  a  generic  rule.  All  the  variables 
were  assigned  generic  values  and  discussed  at  Ascent  Entry  Flight  Techniques  # 135  on  October  18, 

1996.  The  assumptions  were  as  follows.  The  maximum  allowable  flowrate  of  the  leaking  system  was 
derived  for  the  RTLS  abort  case  since  three  out  black  zones  occur  at  a  later  MET  than  on  a  TAL.  The 
first  SSME  shuts  down  at  liftoff  and  a  non  isolatable  lower  system  leak  develops  on  one  of  the  remaining 
engines  at  the  same  time.  There  is  a  toted  of  134  pounds  of  helium  available  from  both  the  leaking 
engine  and  the  one  that  shut  down.  Of  an  initial  13  pounds  of  helium  in  the  pneumatic  system,  10  are 
available  to  support  the  leaker.  Single  engine  operation  of  the  last  engine  must  be  maintained,  while 
preserving  the  zero  g  shutdown  helium  requirement,  until  an  RTLS  MECO  time  of  10:45  MET,  which 
assumes  109  SSME  throttles.  Given  this  MECO  time,  there  are  14  excess  pounds  of  helium  available 
from  the  running  engine  to  support  the  leaking  helium  supply,  resulting  in  a  toted  of  158  pounds  of 
helium  available  for  the  leaking  engine.  Assuming  2  1/2  minutes  is  the  maximum  run  time  needed  for 
single  engine  completion  of  an  RTLS  con  tingency  abort,  the  leaking  engine  must  support  a  run  time  of 
8:15  MET  ( MECO  time  minus  2  minu  tes  30  seconds).  Assuming  that  8  pounds  of  helium  are  required  to 
support  the  shutdown  of  the  leaking  engine,  the  remaining  150  pounds  would  support  the  engine’s 
operation  until  8:15  MET  as  long  as  the  leak  rate  is  not  greater  than  0.30  Ibm/sec.  AEFTP  was  also 
made  aware  that  a  real-time  or  non-real-time  redefinition  of  any  of  theses  variables  might  result  in  an 
outcome  which  varies  from  curren  t  predictions.  However,  in  any  case  it  is  agreed  that  helium  from  the 
last  SSME  should  be  interconnected  to  a  leaking  supply  in  an  attempt  to  reach  a  runway,  as  long  as  three 
SSME  out  black  zones  are  protected.  ®[i  00997-6298  ] 

The  running,  non-leaking  SSME  supply  will  only  be  interconnected  for  15  seconds.  This  will  keep  the 
SSME  running  while  the  pneumatic  system  is  repressurized.  The  interconnect  action  also  increases  the 
likelihood  that  the  last  running  SSME  with  a  non-leaking  MPS  helium  supply  will  retain  sufficient 
helium  in  its  supply  to  support  guided  MECO  once  the  second  SSME  with  a  leaking  MPS  helium 
supply  shuts  down.  ®[1 21 1 97-6472A]  ®[050400-7195A] 

The  in  terconnect  is  broken  by  taking  the  in  terconnect  switch  of  the  engine  with  the  non-leaking  helium 
system  to  the  GPC  position.  If  the  leaking  helium  supply  has  been  depleted  due  to  a  tank  leak,  or  an 
upper  system  leak  exists,  breaking  the  interconnects  in  this  manner  allows  the  pneumatic  system  to 
remain  interconnected  to  the  engine  with  a  leaking  helium  supply  in  order  to  support  its  shutdown. 
@[100997-6298] 
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3.  WITH  ONE  ENGINE  ON:  @[050400-71 95A] 

INTERCONNECTING  THE  PNEUMATIC  HELIUM  SYSTEM  AND  THE 
HELIUM  SYSTEMS  OF  ALL  PREVIOUSLY  SHUT-DOWN  ENGINES  WILL 
BE  PERFORMED. 

C.  THROTTLE  MANAGEMENT  FOR  TWO  ENGINES  ON  WITH  A  NON- I SOL AT ABLE 
MPS  HELIUM  LEAK  IN  ONE  OF  THE  RUNNING  SSMES  WILL  BE  PERFORMED 
PER  THE  FOLLOWING:  @[050495-1 753A]  @[100997-6298] 

With  three  engines  on,  there  are  no  regions  where  a  subsequent  engine  out  will  not  allow  the  remaining 
engines  to  perform  an  abort  to  a  landing  site.  Therefore,  109  percent  SSME  throttles  are  not  required 
for  that  case. 

1.  NOMINAL/ ATO : 

109  PERCENT  SSME  THROTTLES  IS  NOT  REQUIRED  FOR  THESE 
CASES . 

The  only  region  where  an  abort  cannot  be  performed  to  a  landing  site  with  the  leaking  engine  out  usually 
occurs  between  the  PRESS-TO-ATO  boundary  and  the  SINGLE  ENGINE  LIMITS  boundary.  Since  the 
time  between  these  boundaries  is  less  than  1.5  minutes,  it  is  extremely  unlikely  that  an  interconnect  from 
a  running  engine  to  a  running  engine  will  be  required.  Consequently,  the  maximum  time  spent  at  109 
throttles  (at  most  1.5  minutes)  will  not  significantly  reduce  the  predicted  MECO  time.  @[050495-1 753A] 
@[050400-71 95A] 
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2 .  TAL : 

THE  SSME'S  WILL  BE  IMMEDIATELY  THROTTLED  TO  109  PERCENT 
POWER  LEVEL  AFTER  THE  ISOLATION  PROCEDURE  IS  COMPLETED 
AND  MPS  HELIUM  LEAK  IS  DETERMINED  TO  BE  NON- I SOLATABLE . 
IF  SINGLE  ENGINE  TAL  104  ABORT  CAPABILITY  IS  ACHIEVED 
OR  IS  PREDICTED  TO  BE  ACHIEVED  WITHOUT  INTERCONNECTING 
A  RUNNING  ENGINE  SUPPLY,  SSME  THROTTLES  MAY  BE  RETURNED 
TO  104  PERCENT  POWER  LEVEL.  @[100997-6298]  @[050400-71 95A] 

For  this  case,  the  additional  risk  associated  with  operating  the  main  engines  at  109  power  level  is 
acceptable  in  order  to  provide  the  crew  and  vehicle  a  chance  to  reach  a  runway  (i.e.,  SE  LIMITS). 
Commanding  the  engines  to  109  percent  power  level,  while  the  vehicle  is  in  an  abort  gap  with  a  helium 
leak  on  one  of  two  running  SSME  supplies,  maximizes  the  use  of  the  remaining  helium  by  reducing  the 
time  required  to  achieve  abort  capability  to  a  landing  site.  Furthermore,  the  increased  power  level  does 
not  increase  helium  usage  in  the  engine  HPOTP IMSL  purge  package  (usage  remains  unchanged  from 
67-109  percent  power  level)  and  should  have  no  negative  effect  on  the  size  of  the  leak  in  the  MPS  helium 
system.  Operationally,  the  increased  internal  engine  pressures  and  temperatures  at  109  percent  do 
increase  the  likelihood  of  having  an  SSME  failure  (ref.  AEFTP  #108  charts,  12/17/93).  However, 
because  the  run  time  remaining  on  the  last  engine  to  MECO  cannot  be  determined  ( its  helium  supply  was 
compromised),  the  main  engines  will  remain  at  109  percen  t  power  level  until  fine  count  is  reached  and 
the  software  throttles  back  the  engines,  the  crew  initiates  manual  throttles  at  the  2  percent  propellant 
remaining  in  the  ET  cue  (reference  rule  {A5-112},  MANUAL  THROTTLEDOWN  FOR  LO2  NPSP 
PROTECTION  AT  SHUTDOWN,),  or  until  the  manual  MECO  (reference  rule  (A5-153),  PRE-MECO 
SHUT  DOWN  OF  ENGINES  DUE  TO  MPS  HELIUM  LEAKS).  @[090894-1 676A]  ®[ED  ] 

If  single  engine  TAL  104  abort  capability  is  achieved,  or  is  predicted  to  be  achieved,  after  throttling  the 
SSME’s  to  109  percent  power  level  and  without  interconnecting  a  running,  non-leaking  SSME  helium 
supply,  sufficient  helium  will  be  available  in  the  non-leaking  MPS  helium  system  to  complete  a  single 
engine  abort  at  104  or  109  percen  t  power  level  and  eliminate  the  possibility  of  having  to  return  to  109 
percent  power  level  should  the  engine  with  the  helium  leak  shut  down  prior  to  single  engine  TAL  104. 
Additionally,  since  the  time  between  the  single  engine  limits  and  single  engine  TAL  104  boundaries  is 
short,  it  advisable  to  leave  the  throttles  at  109  percent  to  preclude  additional  work  for  the  crew  should 
an  engine  fail  in  this  region.  Single  engine  TAL  104  is  when  the  Flight  Dynamics  Officer  determines 
that  109  percent  power  level  is  no  longer  required  for  single  engine  abort  completion.  Per  the  rationale 
above,  it  is  desirable  that  the  SSME  throttle  setting  be  returned  to  104  percent  whenever  possible. 

®[ED  ]  @[050495-1 767B]  @[050400-71 95A] 
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3.  RTLS : 

THE  SSME ' S  WILL  BE  IMMEDIATELY  MANUALLY  THROTTLED  TO  109 
PERCENT  POWER  LEVEL  AFTER  THE  ISOLATION  PROCEDURE  IS 
COMPLETED  AND  THE  MPS  HELIUM  LEAK  IS  DETERMINED  TO  BE 
NON-ISOLATABLE .  IF  IT  IS  DETERMINED  BY  THE  MCC  THAT  THE 
ABORT  CAN  BE  COMPLETED  WITHOUT  COMPROMISING  THE  NON¬ 
LEAKING  SUPPLY  OF  A  RUNNING  SSME,  MAIN  ENGINE  THROTTLES 
WILL  BE  RETURNED  TO  AUTO  PRIOR  TO  POWERED  PITCH  AROUND 
INITIATION.  OTHERWISE,  AUTO  SSME  THROTTLES  WILL  BE 
RESELECTED  AT  THE  COMPLETION  OF  POWERED  PITCH  AROUND. 
@[050495-1 753A]  @[100997-6298]  @[050400-71 95A] 

If  a  non-isolatable  MPS  helium  leak  exists  in  the  supply  of  one  of  two  running  SSME’s  while  performing 
an  RTLS  abort ,  the  likelihood  that  the  associated  SSME  will  shut  down  early,  prior  to  reaching  single 
engine  abort  capability,  increases  significantly.  The  probability  that  the  shut  down  requirements  of  the 
last  SSME  are  violated  at  MECO  also  increases  significan  tly.  Both  possibilities  are  further  compounded 
on  the  RTLS  case  by  predicted  MECO  times  which  may  extend  by  as  much  as  3  minutes  longer  than  the 
nominal  uphill  MECO.  Furthermore,  since  the  maximum  SSME  operating  time  is  defined  at  liftoff  by  the 
prelaunch  loading  of  MPS  helium,  the  SSME  burn  time  cannot  be  extended  to  alleviate  these  concerns. 

The  only  available  option  is  to  use  a  higher  main  engine  power  level  in  order  to  minimize  the  predicted 
MECO  time. 

Analysis  by  flight  design  indicates  that  using  109  percent  throttles  on  an  RTLS  abort  can  decrease  the 
MECO  time  by  as  much  as  55  seconds,  assuming  109  is  maintained  throughout  the  trajectory  (reference 
Ascent  Abort  Panel  briefing  charts,  10/6/94,  “RTLS  MECO  Time  Reduction  for  MPS  Helium  Leaks”). 

The  resulting  decrease  in  predicted  MECO  time  may  be  the  difference  between  a  crew  bailout  and  cm 
in  tact  abort  landing.  However,  it  must  be  noted  that  the  trade  off  of  using  109  percen  t  throttles  during  the 
RTLS  flyback  phase  is  that,  the  ET  separation  QBAR  is  decreased  by  approximately  1.5  psf  with  respect  to 
the  designed  RTLS  condition,  and  the  ET  separation  MPS  propellant  residuals  are  increased  by 
approximately  0.5  percent  over  the  designed  RTLS  condition.  Since  manual  throttles  must  be  maintained 
until  the  initiation  of  powered  pitch  around  in  order  to  stay  at  109  throttles  during  flyback,  the  GPC’s  will 
not  perform  mass  control  throttling  (auto  throttles  required)  and  the  resulting  separation  conditions  are 
slightly  off-nominal.  These  conditions  are  considered  acceptable  when  compared  to  violations  which  may 
occur  on  cm  alternative  contingency  abort.  @[050400-71 95A] 
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To  minimize  violations  of  the  designed  QBAR  and  residual  constraints  for  this  case,  SSME  throttles  will 
be  returned  to  the  AUTO  position  prior  to  powered  pitch  around  initiation  if  the  MCC  determines  that  the 
abort  can  be  completed  without  compromising  the  non-leaking  helium  supply  of  a  running  SSME  while  in 
auto  throttles.  This  action  allows  the  GPC’s  to  perform  mass  control  throttling  during  flyback,  thereby 
controlling  ET  separation  conditions.  If  the  MCC  cannot  determine  abort  capability  prior  to  powered 
pitch  around  initiation,  then  manual  throttles  at  109  percent  are  maintained  until  powered  pitch  around  is 
complete.  Although  fine  mass  control  will  not  be  performed,  returning  to  auto  throttles  after  powered 
pitch  around  completion  minimizes  crew  actions  during  the  pitch  around  maneuver  and  allows  the  engines 
to  remain  at  109  percent  power  level  until  the  fine  count  throttle  command  is  received  from  guidance  near 
MECO.  @[050400-71 95A] 

Flight  design  analysis  indicates  that  for  cases  involving  manual  throttling  after  powered  pitch  around 
initiation,  the  ET  separation  QBAR  and  MPS  residual  violations  are  minimized  when  the  109  percent 
SSME  throttle  setting  is  used  during  flyback.  For  these  cases,  there  are  no  LO2  NPSP  concerns  since 
there  are  always  MPS  residuals  in  the  ET,  and  significant  NPSP  violations  only  occur  during  LO2  low 
level  cutoff.  Consequently,  SSME  shut  down  from  the  fine  count  throttle  setting  is  a  preferred,  not  a 
mandatory,  condition.  @[050495-1 753A]  @[050400-71 95A] 

Rules  (A2-64J,  MANUAL  THROTTLE  CRITERIA;  {A4-53},  USE  OF  MAXIMUM  THROTTLES;  {A5-5j, 
SUSPECT  ENGINE;  {A5-103},  LIMIT  SHUTDOWN  CONTROL;  and  {A5-156}.  ABORT  PREFERENCE 
FOR  SYSTEM  FAILURES,  reference  this  rule.  @[0921 95-1 770A]  ®[ED  ]  @[100997-6298] 
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LEAKS 

A.  IF  ALLOWABLE  HELIUM  INTERCONNECTS,  PER  RULE  {A5-152}, 

PRE-MECO  MPS  HELIUM  SYSTEM  INTERCONNECTS  [CIL] ,  WILL  NOT 
SATISFY  ZERO-G  SHUTDOWN  REQUIREMENTS  PER  PARAGRAPH  E, 

BUT  WILL  SATISFY  SHUTDOWN  REQUIREMENTS  AT  THE  CUES 
BELOW,  THE  AFFECTED  ENGINE  WILL  BE  SHUT  DOWN  MANUALLY 
(PUSH-BUTTON  ONLY  IF  POSSIBLE),  AS  FOLLOWS:  @[090894-1 676A] 

1.  MCC  DECISION  (PRIME) 

a.  NOMINAL/ ATO/AOA 


(1) 

THREE  ENGINES  ON: 

VI 

=  23  KFPS 

(2) 

TWO  ENGINES  ON: 

VI 

=  24.5 

KFPS 

b . 

TAL 

TWO 

OR  THREE  ENGINES  ON 

VI 

=  22.5 

KFPS 

C.  RTLS 

TWO  OR  THREE  ENGINES  ON:  ALPHA  =  -1  DEGREES 

@[032395-1 759A] 

In  this  case,  the  engine  will  run  with  the  helium  system  leak ,  but  the  helium  supply  pressure  may  not  be 
able  to  support  the  zero-g  shutdown  requirements  at  MECO.  The  required  helium  supply  pressure  for  a 
safe  shu  tdown  will  depend  upon  the  number  of  helium  regulators  operating,  the  helium  leak  rate,  and 
type  of  shutdown  ( i.  e. ,  hydraulic  or  pneumatic).  If  the  requirements  for  a  pre-MECO  hydraulic, 
pneumatic,  or  single  regulator  shutdown  will  be  satisfied  subsequent  to  the  cues  mentioned  in  paragraph 
C,  manual  action  is  taken  to  shut  the  engine  down  while  still  protecting  shutdown  requirements.  The 
engine  is  shut  down  approximately  30  seconds  before  MECO  at  a  velocity  which  equates  to  MECO  minus 
30  seconds.  This  gives  guidance  time  to  adjust  to  the  late  engine  out  and  converge  on  the  proper  MECO 
targets.  The  only  exception  to  this  is  the  RTLS  abort  where  the  engine  is  shut  down  during  powered  pitch 
down  (alpha  equals  -1  degree).  @[032395-1 759A] 
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The  shutdown  pushbutton  is  used  for  engine  shutdown  instead  of  the  AC  power  switches  in  order  to  shut 
the  engine  down  hydraulically.  A  pre-MECO  hydraulic  shutdown  requires  less  helium  than  a  pre-MECO 
pneumatic  shutdown  and  also  retains  post-MECO  LO2  dump  capability  through  the  affected  engine.  It 
also  avoids  the  zero  fault  tolerant  pneumatic  shutdown  mode.  ©[090894-1676A] 

2.  ONBOARD  DECISION  (NO  COMMUNICATION)  @[090894-1 676A] 

a.  IF  A  NON- IS OL AT ABLE  MPS  HELIUM  LEAK  EXISTS,  THE  CREW 
WILL  SHUT  DOWN  THE  AFFECTED  ENGINE  AT  THE  APPROPRIATE 
BOUNDARY  LISTED  IN  PARAGRAPH  A1 . 

If  a  leak  develops  in  an  engine  helium  supply  and  the  crew  cannot  communicate  with  the  MCC,  shutting 
the  affected  engine  down  early  may  preven  t  the  violation  of  shutdown  helium  requiremen  ts  on  that 
engine.  With  no  communication  with  the  ground  the  crew  has  no  way  to  tell  when  the  helium 
requirements  will  be  violated.  The  helium  margin  which  exists  in  each  supply  at  liftoff  will  very  likely 
keep  shu  tdown  requiremen  ts  from  being  violated  at  the  cues  listed. 

b.  IF  AN  MPS  HELIUM  SYSTEM  IS  OPERATING  ON  A  SINGLE 
REGULATOR,  THE  CREW  CANNOT  COMMUNICATE  WITH  THE 
MCC,  AND  THE  HELIUM  SYSTEM  TANK  PRESSURE  ON  THAT 
SUPPLY  IS  LESS  THAN  2163  (2200)  PSIA  AT  MECO-60 
SECONDS,  THE  CREW  WILL  SHUT  DOWN  THE  AFFECTED 
ENGINE  AT  THE  APPROPRIATE  CUE  LISTED  ABOVE  IN 
PARAGRAPH  A1  .  @[110900-7239] 

1963  psia  is  the  minimum  engine  system  tank  pressure  which  will  support  MECO  requirements  while 
operating  on  a  single  regulator  (ref.  paragraph  E).  In  this  configuration,  approximately  200  psia  of 
helium  ( 10  psici/3  sec  x  60  sec)  is  used  between  the  velocity  cues  mentioned  in  paragraph  Al  and  MECO. 
Therefore,  if  the  affected  engine  tank  pressure  is  less  than  2163  psia  (1963  psia  +  200  psia)  at  MECO 
minus  1  minute,  MECO  shutdown  requirements  will  not  be  satisfied  and  the  engine  is  shut  down  pre- 
MECO.  The  crew  shutdown  cue  of  2200  psia  is  derived  by  adding  20  psia  instrumentation  error  and 
rounding  up  to  the  nearest  hundred  (1963  psia  +  200  psia  +  20  psia  instrumentation  error  +17  psia 
rounding  =  2200  psia).  @[110900-7239  ] 
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B.  IF  AN  ENGINE  HELIUM  SUPPLY  DEVELOPS  A  LEAK  WITHIN  60  SECONDS 
OF  MECO,  WITH  OR  WITHOUT  COMMUNICATION  WITH  THE  MCC,  THE  CREW 
WILL  USE  THE  SHUTDOWN  PUSHBUTTON  TO  SHUT  DOWN  THE  AFFECTED 
ENGINE  PRIOR  TO  MECO.  @[041196-1876] 

When  helium  system  leaks  develop  late  inflight,  sufficient  time  to  evaluate  MECO  capability  may  not 
exist.  Since  pre-MECO  engine  shutdowns  consume  less  helium  than  zero-g  shutdowns,  it  is  safer  to  shut 
the  affected  engine  down  prior  to  MECO.  Shutting  the  engine  down  soon  after  a  helium  system  leak 
occurs  also  gives  guidance  software  time  to  converge  on  the  correct  MECO  velocity  targets. 

@[090894-1 676A] 

C.  IF  ENGINE  AND  PNEUMATIC  HELIUM  SYSTEMS  INTERCONNECTS  TO  AN 
ENGINE  WITH  A  LEAKING  MPS  HELIUM  SUPPLY  ARE  INSUFFICIENT  TO 
SUPPORT  ENGINE  SHUT  DOWN  AT  THE  CUES  OUTLINED  IN  PARAGRAPH 
Al,  ENGINE  SHUTDOWN  PRIOR  TO  THOSE  CUES  MUST  BE  ACCOMPLISHED 
IN  THE  FOLLOWING  MANNER  WHILE  TWO  OR  THREE  ENGINES  ARE 
RUNNING:  @[090894-1 676A]  ®[ED  ] 

1.  IF  NO  RUNNING  ENGINE  SUPPLIES  HAVE  BEEN  INTERCONNECTED: 

a.  THE  LEAKING  ENGINE  WILL  BE  ALLOWED  TO  SHUT  DOWN  ON 
THE  ENGINE  HPOTP  INTERMEDIATE  SEAL  (IMSL)  PURGE 
REDLINE  AS  LONG  AS  THE  ENGINE  HYDRAULIC  SYSTEM  IS 
FUNCTIONAL  AND  THE  SSME  REDLINE  LIMITS  ARE  ENABLED. 

On  the  Phase  II  SSME,  an  HPOTP  IMSL  purge  redline  violation  will  always  occur  when  the  intermediate 
seal  pressure  falls  below  170  psia.  However,  the  minimum  helium  system/engine  in  terface  pressure 
required  to  prevent  an  HPOTP  IMSL  violation  decreases  over  the  duration  of  engine  operation.  As  the 
turbine/pump  shaft  heats  up,  the  intermediate  seal  gap  becomes  smaller.  Consequently,  lower  interface 
pressures  will  keep  the  HPOTP  IMSL  purge  pressure  above  170  psia.  If  the  helium  system  regulator 
outlet  pressure  at  the  start  of  shutdown  is  below  the  minimum  helium  system  regulator  outlet  pressure, 
the  resulting  helium  purge  flow  rates  may  be  sign  ifican  tly  reduced  during  the  shutdown  sequence.  If  two 
engine  abort  capability  to  a  landing  site  exists,  while  three  engines  are  running,  or  single  engine  abort 
capability  to  a  landing  site  exists,  while  two  engines  are  running,  a  leaking  engine  will  be  allowed  to  shut 
down  on  the  HPOTP  IMSL  purge  redline.  Although  minor  engine  erosion  may  occur  during  the 
shutdown  sequence  due  to  reduced  helium  pressure,  the  shutdown  will  be  contained  and  engine  run  time 
is  maximized.  @[050495-1 767B] 

On  the  BLOCK  1  SSME,  BLOCK  IIA  SSME,  and  the  BLOCK  II  SSME,  an  HPOTP  IMSL  purge  redline 
violation  will  always  occur  when  the  in  termediate  seal  pressure  falls  below  159  psia.  The  alternate 
HPOTP  used  on  these  engines  has  a  true  con  trolled  gap  IMSL  package.  Due  to  this  feature,  the 
minimum  helium  system/engine  interface  pressure  required  to  prevent  an  HPOTP  IMSL  violation  does 
not  change  over  the  duration  of  engine  operation.  @[050495-1 767B]  @[020196-1812  ]  ®[121197-6472A] 
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b.  IF  A  HYDRAULIC  SHUTDOWN  CANNOT  BE  PERFORMED,  MANUAL 
SHUTDOWN  WILL  BE  PERFORMED  AT  THE  MINIMUM  REQUIRED 
PNEUMATIC  SHUTDOWN  HELIUM  INTERFACE  PRESSURE  PER 
PARAGRAPH  El  OR  E2  OF  THIS  RULE. 


If  hydraulic  shutdown  capability  is  lost  for  any  reason,  the  pneumatic  shutdown  requirements  must  be 
manually  protected  in  order  to  prevent  a  catastrophic  shutdown  from  occurring.  @[090894-1 676A1 
@[100997-6298] 

2.  IF  A  RUNNING  SSME  WITH  A  NON-LEAKING  HELIUM  SUPPLY  HAS 

BEEN  INTERCONNECTED  TO  A  RUNNING  SSME  WITH  A  LEAKING  MPS 
HELIUM  SUPPLY  (ABORT  GAP)  .  @[090894-1 676A] 

For  this  case,  the  desired  single  engine  abort  capability  is  unattainable.  However,  a  contingency  abort 
may  still  be  performed.  Getting  as  far  down  range  as  possible  prior  to  MECO  improves  ET  separation 
conditions  and  decreases  orbiter  pull-out  loads;  hence,  both  engines  will  be  allowed  to  run  as  long  as 
possible.  Shutting  the  leaking  engine  down  before  the  good  engine  may  allow  both  engines  to  shut  down 
in  a  contained  manner,  since  the  leaking  engine  will  be  shut  down  under  g  ’s  and  therefore  consume  less 
helium  during  the  sequence. 

a.  THE  LEAKING  ENGINE  WILL  BE  SHUT  DOWN  AT  AN  HPOTP 

IMSL  PURGE  PRESSURE  (ON  ALL  QUALIFIED  SENSORS)  OF: 


PHASE 

II 

SSME  : 

40 

PSIA 

BLOCK 

I, 

I I A,  AND  II  SSME: 

60 

PSIA 

®[1 00997-6298  ]  @[1211 97-6472A] 

Phase  II  SSME:  Shutting  down  the  engine  with  the  leaking  supply  at  an  HPOTP  IMSL  pressure  of  40 
psia  keeps  that  engine  running  as  long  as  feasible  (a  positive  barrier  pressure  exists  as  measured 
between  the  IMSL  and  SECONDARY  SEAL  cavities)  while  the  vehicle  is  in  an  abort  gap.  40  psia,  as 
measured  by  the  IMSL  transducers,  equates  to  approximately  25  psia  in  the  IMSL  cavity.  The  nominal 
pressure  in  the  secondary  seed  cavity  is  12  psia.  This  results  in  a  pressure  differential  of  13  psia  across 
the  carbon  seeds.  A  similar  barrier  pressure  margin  exists  across  the  carbon  seed  to  the  oxygen  (pump 
side)  drain.  Allowing  the  engine  with  the  leaking  MPS  helium  supply  to  run  to  an  IMSL  pressure  of  40 
psia  is  a  worst  case  scenario  which  assumes  that  the  desired  abort  boundary  has  not  been  achieved,  and 
that  the  turbopump  seal  packages  are  intact.  @[050495-1 767B] 
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BLOCK  I SSME,  BLOCK  IIA  SSME,  and  BLOCK  II SSME:  Shutting  down  the  engine  with  the  leaking 
supply  at  an  HPOTP IMSL  pressure  of  60  psia  keeps  that  engine  running  as  long  as  feasible  (a  positive 
barrier  pressure  exists  between  the  IMSL  and  the  O2  and  H2  cavities )  while  the  vehicle  is  in  an  abort  gap. 
60  psia,  as  measured  by  the  IMSL  transducers,  equates  to  approximately  42  psia  in  the  IMSL  cavity.  The 
nominal  pressure  in  the  O2  cavity  is  16  psia  and  the  nominal  pressure  in  the  H2  cavity  is  25  psia.  This 
results  in  a  pressure  differential  of  26  and  17  psia  across  the  carbon  seals.  Allowing  the  engine  with  the 
leaking  MPS  helium  supply  to  run  to  an  IMSL  pressure  of  60  psia  is  a  worst  case  scenario  which  assumes 
that  the  desired  abort  boundary  has  not  been  achieved  and  that  the  engine  seal  packages  are  intact. 
®[050495-1767B]  @[020196-1812]  @[100997-6298]  ®[1 21 1 97-6472A] 

b.  THE  NON-LEAKING,  RUNNING  ENGINE  WILL  BE  ALLOWED  TO 
RUN  UNTIL  MECO  OR  1150  PSIA,  WHICHEVER  COMES  FIRST. 

IF  A  MANUAL  SHUTDOWN  IS  REQUIRED,  IT  WILL  BE  WITH  THE 
SHUT  DOWN  PUSHBUTTON  ONLY.  @[090894-1 676 A]  @[100997-6298] 

Although  1288  psia  is  the  minimum  helium  system  tank  pressure  which  will  support  zero-g  shut  down  of 
an  engine  with  two  good  regulators  and  no  helium  system  leak,  the  last  engine  will  be  allowed  to  run 
until  the  MPS  supply  pressure  reaches  the  crew  C&W  limit  of  1150  psia.  Allowing  the  engine  to  run  to 
1150  psia  provides  a  clear  engine  shutdown  cue  for  the  crew  (C&W  alarm  at  1150)  and  also  takes 
advan  tage  of  any  instrumentation  error/margin  which  may  exist  in  the  onboard  measuremen  t  system  and 
the  ground  predicted  shut  down  requirements  respectively.  @[100997-6298  ] 

Reference  Rule  {A5-152},  PRE-MECO  MPS  HELIUM  SYSTEM  INTERCONNECTS  [CIL],  for 
in  terconnect  procedures. 

D.  IF  AN  MPS  HELIUM  SYSTEM  IS  OPERATING  ON  A  SINGLE  REGULATOR 
AND  DOES  NOT  MEET  THE  ZERO-G  SHUTDOWN  REQUIREMENTS  OF  THE 
ASSOCIATED  ENGINE  AS  PREDICTED  BY  THE  MCC,  THE  ENGINE  WILL 
BE  SHUT  DOWN  PER  PARAGRAPHS  A  OR  C  ABOVE,  WHILE  PROTECTING 
THE  SINGLE  REGULATOR  SHUTDOWN  REQUIREMENTS  OF  PARAGRAPH  E.6 
BELOW. 

When  an  MPS  helium  system  is  operating  on  a  single  helium  regulator,  the  supply  may  not  meet  the 
MECO  ( zero-g )  shutdown  requiremen  ts  of  the  affected  engine.  If  it  is  predicted  that  the  MECO 
requirements,  as  stated  in  paragraph  E.6  below,  will  be  violated,  the  engine  must  be  shut  down  early 
according  to  paragraphs  A.  1,  C.l  or  C.2  above.  @[090894-1 676A] 
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E.  HELIUM  SYSTEM  REQUIREMENTS  FOR  ENGINE  SHUTDOWN  @[090894-1 676A] 

1.  MINIMUM  SHUTDOWN  PRESSURES  FOR  AN  ENGINE  WITH  A  LOWER 
SYSTEM  MPS  HELIUM  LEAK. 


TOTAL  HELIUM  MASS  FLOW  RATE  AT  ENGINE  S/D 
(LBM/SEC) 


— • —  Zero-G  S/D 
— ■—  Pneu  S/D 
— A —  Phil  R/L  S/D 
— X —  BLKI/II  R/L  S/D 


@[110900-7239] 


ZERO  G  S/D,  630  PSIA  AT  S/D  +7  SEC 
SINGLE  REG:  1963  (1983)  PSIA  @[110900-7239] 


&  PNEU  S/D,  529  PSIA  AT  S/D  +7  SEC 
SINGLE  REG:  1457  (1477)  PSIA 

A  PHASE  II  SSME: 

REDLINE  S/D,  518  PSIA  AT  S/D 
SINGLE  REG:  600  (620)  PSIA 


x  BLOCK  I  SSME,  BLOCK  IIA  SSME,  AND  BLOCK  II  SSME: 
REDLINE  S/D,  576  PSIA  AT  S/D 
SINGLE  REG:  679  (699)  PSIA 

@[050495-1 767B]  @[0201 96-1812]  ®[1 21 1 97-6472A]  ®[1 1 0900-7239  ] 
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A  lower  system  MPS  helium  leak  is  a  leak  downstream  of  the  system  regulators.  The  resulting  leak  rate 
should  be  constant.  Lower  system  leaks  are  isolatable  only  when  they  occur  between  the  regulator  and 
the  downstream  check  valve. 

The  zero-g  line  represents  the  minimum  supply  pressure  to  support  a  hydraulic  or  pneumatic  shutdown 
at  MECO  (zero-g)  with  two  system  regulators,  with  or  without  a  lower  system  MPS  helium  leak.  This 
requirement  is  the  ICD  value  of 630  psia  interface  pressure  at  shutdown  plus  7  seconds  (ref.  SSME-to- 
Orbiter  ICD  13M15000).  The  pneumatic  shutdown  line  represents  the  minimum  supply  pressure  to 
support  a  pre-MECO  pneumatic  shutdown  with  two  system  regulators,  with  or  without  a  lower  system 
leak.  This  requirement  is  based  on  an  analytical  value  of  529  psia  interface  pressure  at  shutdown  plus 
7  seconds.  The  redline  shutdown  curve  is  the  minimum  supply  pressure  at  which  the  HPOTP IMSL 
purge  redline  will  be  violated  with  one  or  two  system  regulators,  with  or  without  a  lower  system  leak. 
For  the  Phase  II SSME,  this  value  is  518  psia  interface  pressure  at  shutdown  and  is  based  on  cm 
analysis  and  minimal  test  data  (reference  SODB  data  request  Rl-1507 ).  For  the  BLOCK  I  SSME, 
BLOCK  IIA  SSME,  and  the  BLOCK  II  SSME,  this  value  is  576  psia  interface  pressure  at  shutdown  and 
is  based  on  SSME  test  901-835  (reference  SODB  data  request  Rl-1640).  The  minimum  pressure  which 
will  support  the  expected  shutdown  mode  and  mass  flow  rate  should  always  be  protected.  These  curves 
include  20  psia  instrumentation  error.  @[090894-1 676A]  @[0201 96-1812]  ®[1 21 1 97-6472A]  ®[i  1 0900-7239  ] 
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2.  MINIMUM  SHUTDOWN  PRESSURES  FOR  AN  ENGINE  WITH  AN  UPPER 
SYSTEM  MPS  HELIUM  LEAK.  @[090894-1 676A] 


@[110900-7239] 

?  ZERO  G  S/D,  630  PSIA  AT  S/D +7  SECONDS 
PNEU  TK:  2800  (2820)  PSIA  (3  ENGINES  S/D) 

PNEU  TK:  2357  (2377)  PSIA  (1  ENGINE  S/D) 

&  PNEU  S/D,  529  PSIA  AT  S/D  +  7  SECONDS 
PNEU  TK:  2036  (2056)  PSIA 

A  PHASE  II  SSME: 

REDLINE  S/D,  518  PSIA  AT  S/D 
PNEU  TK:  600  (620)  PSIA 

x  BLOCK  I  SSME,  BLOCK  IIA  SSME,  AND  BLOCK  II  SSME: 
REDLINE  S/D,  576  PSIA  AT  S/D 
PNEU  TK:  639  (659)  PSIA 

@[050495-1 767B]  @[020196-1812]  ®[1 21 1 97-6472A]  @[110900-7239] 
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An  MPS  upper  sy stem  helium  leak  is  a  leak  upstream  of  the  system  regulators.  The  resulting  leak  rate 
should  decay  over  time.  Upper  system  leaks  are  isolatable  only  when  they  occur  between  the  helium 
isolation  valve  and  the  downstream  regulator. 

The  zero-g  line  represents  the  minimum  supply  pressure  to  support  a  hydraulic  or  pneumatic  shutdown 
at  MECO  (zero-g)  with  two  system  regulators,  with  or  without  an  upper  system  leak.  This  requirement 
is  the  ICD  value  of  630  psia  interface  pressure  at  shutdown  plus  7  seconds  (ref.  SSME-to-Orbiter  ICD 
13M15000).  The  pneumatic  shutdown  line  represents  the  minimum  supply  pressure  to  support  a  pre- 
MECO  pneumatic  shut  down  with  two  system  regulators,  with  or  without  an  upper  system  leak.  This 
requirement  is  based  on  an  analytical  value  of  529  psia  interface  pressure  at  shutdown  plus  7  seconds. 
The  redline  shutdown  curve  is  the  minimum  supply  pressure  at  which  the  HPOTP IMSL  purge  reclline 
will  be  violated  with  one  or  two  system  regulators,  with  or  without  an  upper  system  leak.  For  the 
Phase  II SSME,  this  value  is  518  psia  interface  pressure  at  shutdown  and  is  based  on  analysis  and 
minimal  test  data  (reference  SODB  data  request  Rl-1507).  For  the  BLOCK  I  SSME,  BLOCK  IIA 
SSME,  and  the  BLOCK  II  SSME,  this  value  is  576  psia  interface  pressure  at  shutdown  and  is  based  on 
SSME  test  901-835  (reference  SODB  data  request  Rl-1640).  The  minimum  pressure  which  will 
support  the  expected  shutdown  mode  and  mass  flow  rate  should  always  be  protected.  These  curves 
include  20  psia  instrumentation  error.  ©[050495-1767B]  ©[121197-6472A]  @[110900-7239] 

3.  IF  THE  ENGINE  CAN  SHUT  DOWN  HYDRAULICALLY  BUT  HPOTP 
IMSL  REDLINE  SHUT  DOWN  CAPABILITY  IS  LOST  FOR  ANY 
REASON,  A  MANUAL  SHUTDOWN  MUST  PROTECT  THE  MINIMUM 
INTERFACE  PRESSURES  FOR  A  PRE-MECO  HYDRAULIC  SHUT  DOWN 
AS  SHOWN  ABOVE  IN  PARAGRAPH  E.  @[090894-1 676A] 

If  both  HPOTP  IMSL  purge  pressure  transducers  have  failed  or  the  redline  limit  software  is  not 
available  for  any  reason,  a  redline  engine  shutdown  will  never  occur.  Manned  action  must  be  taken 
above  the  minimum  hydraulic  shutdown  interface  pressure. 

4.  IF  A  PNEUMATIC  SHUT  DOWN  IS  REQUIRED  FOR  ANY  REASON, 

A  MANUAL  SHUT  DOWN  MUST  PROTECT  THE  MINIMUM  INTERFACE 
PRESSURES  FOR  A  PRE-MECO  PNEUMATIC  SHUTDOWN  PER 
PARAGRAPH  E. 

For  all  four  SSME  types  (Phase  II,  BLOCK  I,  BLOCK  IIA,  and  BLOCK  II),  it  takes  sign  ifican  tly  more 
helium  to  support  a  pre-MECO  pneumatic  shutdown  than  it  does  to  support  a  pre-MECO  hydraulic 
shutdown.  Consequently,  pre-MECO  pneumatic  shutdown  capability  must  be  manually  protected  for  all 
cases  where  hydraulic  engine  function  has  been  lost  or  for  which  a  pneumatic  shutdown  will  occur. 
@[050495-1 767B]  ®[1 21 1 97-6472A] 
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A5-153  PRE-MECO  SHUT  DOWN  OF  ENGINES  DUE  TO  MPS  HELIUM 

LEAKS  (CONTINUED) 

5.  IF  THE  PNEUMATIC  SYSTEM  ALONE  WILL  BE  USED  TO  SUPPORT  THE 
SHUTDOWN  HELIUM  REQUIREMENT  OF  AN  ENGINE,  AND  THE  ENGINE 
SYSTEM  HAS  TWO  OPERATIONAL  REGULATORS  AND  NO  DOWNSTREAM 
HELIUM  LEAK,  THE  FOLLOWING  NUMBERS  MUST  BE  PROTECTED: 

a.  ZERO-G  -  2800  (2820)  PSIA 

(3  ENG  S/D)  @[110900-7239] 

-  2357  (2377)  PSIA 

(1  ENG  S/D) 

b.  PRE-MECO  PNEUMATIC  -  2036  (2056)  PSIA 

c.  PRE-MECO  HYDRAULIC: 

PHASE  II  SSME  -  600  (  620)  PSIA 

BLOCK  I,  I I A,  AND  II  SSME  -  639  (  659)  PSIA 

@[050495-1 767B]  @[020196-1812]  @[121 197-6472A]  @[110900-7239] 

If  the  MPS  supply  system  has  an  upper  system  leak,  the  pneumatic  system  will  be  in  terconnected  to  the 
engine  as  late  in  the  flight  as  is  practical,  but  above  the  minimum  tank  pressure  required  to  support 
engine  shut  down.  After  the  interconnect  is  performed  a  determination  is  made  as  to  whether  or  not  the 
leak  is  an  upper  system  leak  or  a  tank  leak.  If  the  leak  is  found  to  be  a  tank  leak,  the  pneumatic  tank  only 
numbers  must  be  protected.  The  leak  in  the  tank  may  deplete  all  of  the  engine  sy stem  helium  before  the 
pneumatic  tank  and  engine  tank  equalize  in  pressure.  If  this  is  the  case,  the  pneumatic  tank  alone  must 
support  engine  shutdown.  @[090894-1 676A] 
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A5-153  PRE-MECO  SHUT  DOWN  OF  ENGINES  DUE  TO  MPS  HELIUM 

LEAKS  (CONTINUED) 


6.  WHEN  AN  MPS  HELIUM  SUPPLY  OPERATION  OCCURS  THROUGH  A 

SINGLE  REGULATOR  BECAUSE  OF  AN  ISOLATED  LEAK  OR  SYSTEM 
FAILURE,  SINGLE  REGULATOR  SHUTDOWN  REQUIREMENTS  MUST  BE 
PROTECTED.  THE  MINIMUM  ENGINE  SYSTEM  HELIUM  TANK 
PRESSURE  REQUIREMENTS  FOR  SINGLE  REGULATOR  SHUTDOWN 
WITHOUT  A  HELIUM  LEAK  ARE:  @[090894-1 676A] 

a.  ZERO-G  -  1963  (1983)  PSIA  ®[i 1 0900-7239 ] 

b.  PRE-MECO  PNEUMATIC  -  1457  (1477)  PSIA 

c.  PRE-MECO  HYDRAULIC: 


PHASE 

II 

SSME 

600 

(  620) 

PSIA 

BLOCK 

I, 

I I A,  AND  II  SSME  - 

679 

(  699) 

PSIA 

@[050495-1 767B]  @[020196-1812]  @[121 197-6472A]  @[110900-7239] 

The  requirements  for  engine  shutdown  in  the  single  regulator  mode  are  represented  by  three  distinct 
pressures.  The  single  regulator  must  now  flow  two  times  nominal  mass  in  order  to  meet  shutdown 
requiremen  ts.  A  higher  initial  helium  tank  pressure  is  needed  to  meet  this  demand.  @[050495-1 767B] 
®[ED  ]  @[100997-6298] 

Rules  { A5-5J ,  SUSPECT  ENGINE;  {A5-102},  AUTO/MANUAL  SHUTDOWN;  { A5-103J ,  LIMIT 
SHUTDOWN  CONTROL;  { A5-106 }.  MANUAL  SHUTDOWN  FOR  COMMAND/DATA  PATH 
FAILURES;  and  {A5-152},  PRE-MECO  MPS  HELIUM  SYSTEM  INTERCONNECTS  [CIL],  reference 

this  rule.  @[121 197-6482B]  ®[1 1 1298-6785A] 
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A5-154  LH2  TANK  PRESSURIZATION  [CIL] 

THE  ET  LH2  TANK  ULLAGE  PRESSURE  WILL  BE  MANUALLY  CONTROLLED 
USING  THE  LH2  ULLAGE  PRESSURE  SWITCH  WHEN  THE  LH?  ULLAGE 
PRESSURE  IS  <  27.7  (28.0)  PSIA.  THE  PRESSURIZATION  WILL  BE 

CONTROLLED  SO  THAT  THE  ULLAGE  PRESSURE  DOES  NOT  EXCEED  35  (34.0) 

PSIA  TO  AVOID  THE  LOW  CRACKING  PRESSURE  OF  THE  TANK  VENT/RELIEF 
VALVE.  ®[101096-4474A] 

The  pressurization  flow  control  system  consists  of  three  tank  ullage  pressure  sensors,  signal  conditioners 
for  the  orbiter  flow  control  valve  electronics,  and  three  gaseous  hydrogen  flow  control  valves.  Each 
ullage  pressure  sensor  is  wired  to  a  signal  conditioner  which  in  turn  controls  the  GH2  pres  surant  flow 
from  its  respective  engine.  Each  control  system  is  single  string;  i. e. ,  ullage  pressure  no.  1  feeds  only  the 
electronics  for  the  center  SSME,  no.  2  to  the  left  SSME,  and  no.  3  to  the  right  SSME.  The  flow  con  trol 
valves  are  used  to  maintain  the  LH2  tank  ullage  pressure  between  32  and  34  psia.  The  signal 
conditioners  use  33.0  psia  as  the  set  point  for  the  ullage  pressure.  Failure  of  one  flow  control  valve  to 
the  closed  position  (low  flow)  does  not  cause  the  ullage  pressure  to  drop  below  28.0  psia  or  violate  the 
SSME  NPSP ICD.  However,  the  pressure  cannot  be  maintained  above  28.0  psia  when  two  flow  control 
valves  fail  closed.  Additionally,  failure  of  one  flow  control  valve  to  the  open  position  (high  flow)  does 
not  cause  the  ullage  pressure  to  rise  to  the  LH2  tank  vent  valve  relief  setting  of  36  psia  (reference 
December  22,  1995  PSIG  and  Rockwell  action  item  951208-02 ).  ®[02i  199-6791  A] 

There  are  several  failure  modes  associated  with  the  LH2  tank  pressurization  flow  control  system.  This 
flight  rule  addresses  the  case  of  two  ullage  pressure  sensors  failed  high  (i.e.,  above  the  ullage  pressure 
where  the  flow  con  trol  valve  is  commanded  closed)  which  will  cause  their  respective  flow  con  trol  valves 
to  remain  closed.  The  remaining  flow  control  system  will  not  maintain  the  tank  pressure.  When  the  true 
tank  pressure  decays  to  28.0  psia  on  the  remaining  good  sensor,  a  class  3  BFS  alert  will  be  set.  (The 
28.0  psia  value  was  reviewed  and  approved  as  DCR  3 581 A  arid  DCR  3586  at  the  July  11,  1996  SASCB.) 
An  LH2  ullage  pressure  of  28.0  psia  is  the  value  at  which  manual  action  will  be  taken.  This  pressure 
includes  crew  response  time  and  one  sigma  dispersions  of  the  instrumentation  error:  0.21  psia  (reference 
Booster  SCP  2.2.1).  Additionally,  this  lower  value  of  28.0  psia  protects  the  minimum  ullage  pressure  to 
support  the  NPSP  requirement  of  27.7  (reference  December  22,  1995  PSIG  and  Rockwell  action  item 
951208-02,  chart  1-18).  In  response  to  the  alert,  the  crew  will  use  the  LH2  ullage  pressure  switch  to 
open  the  flow  control  valves  by  overriding  the  electronics  on  all  flow  control  valves.  The  tank  pressure 
should  then  increase.  However,  the  pressure  could  go  through  the  control  band  and  reach  the  tank  vent 
valve  relief  setting  of  36  ?  1  psig.  Therefore,  the  value  of  34.0  psia  was  chosen  as  the  value  at  which  the 
crew  would  close  the  flow  con  trol  valves  before  venting  could  occur.  If  venting  occurs  while  the  vehicle 
is  in  first  stage,  afire  could  propagate  along  the  side  of  the  external  tank  (reference  PRCB  presentation 
February  10,  1987  and  the  32nd  PSIG).  The  high  flow  setting  of  the  -1301  FCV’s  (70  percent  instead  of 
100  percen  t  used  with  the  -0361)  allows  for  manual  action  to  be  taken  prior  to  staging.  For  this  failure 
case,  venting  GH2  is  not  a  concern  due  to  a  gradual  pressure  recovery  when  the  switch  is  placed  in  the 
high  flow  position  during  first  stage  (reference  May  8,  1996  PSIG  and  action  item-94 1005-03  Rev  3). 

®[101096-4474A]  ®[021 1 99-6791  A] 
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A5-154  LH2  TANK  PRESSURIZATION  [CIL]  (CONTINUED) 

Other  failure  modes  of  the  GH2  pressurization  system  include:  a  mechanical  failure  of  two  flow  control 
valves,  a  flow  restriction  in  either  an  SSME  GH2  repressurization  path  or  in  the  main  pressurization  line, 
a  hole  in  the  side  of  the  LH2  tank  or  a  vent  valve  not  closed.  However,  the  LH2  ullage  pressure  switch 
cannot  correct  conditions  caused  by  these  failure  modes.  For  these  cases,  all  three  ullage  pressures  could 
decay  below  28.0  psia  since  the  sensors  are  accurately  reading  the  decaying  tank  pressure.  If  the  pressure 
decay  continues,  the  minimum  NPSP  of  the  engines  will  be  violated.  ©[101096-4474A]  ®[021 199-6791  A] 

Rules  (A4-56HJ,  PERFORMANCE  BOUNDARIES,  and  {A5-1 55 j,  LIMIT  SHUTDOWN  CONTROL  AND 
MANUAL  THROTTLING  FOR  LOW  LH2  NPSP,  reference  this  rule.  ®[07i  494-1 646A] 

A5-155  LIMIT  SHUTDOWN  CONTROL  AND  MANUAL  THROTTLING  FOR 

LOW  LH2  NPSP  @[040899-681 8A] 

A.  MAIN  ENGINE  LIMIT  SHUTDOWN  SOFTWARE  WILL  BE  MANUALLY  ENABLED 
UPON  RECOGNITION  OF  EITHER  AN  LIH>  ULLAGE  LEAK  OR  FOR  ANY 
ORBITER  GH2  PRESSURIZATION  SYSTEM  ANOMALY  EXCEPT  ONE  Gt£ 

FLOW  CONTROL  VALVE  FAILED  CLOSED. 


For  LH2  net  positive  suction  pressure  (NPSP)  decaying  below  the  ICD  requirement,  the  engines  will 
eventually  violate  their  high  pressure  fuel  turbopump  (HPFTP)  turbine  discharge  temperature  (TDT) 
redlines.  Low  LH2  NPSP  causes  the  fuel  turbopumps  to  cavitate,  resulting  in  turbine  overspeed  and 
increased  discharge  temperatures.  Cavitation  is  possible  on  all  SSME’s;  therefore,  the  main  engine  limit 
shutdown  software  will  be  manually  enabled  to  allow  any  number  of  engines  to  shut  down  for  HPFT  TDT 
redline  exceedance. 

B.  ORBITER  GH2  PRESSURIZATION  SYSTEM  ANOMALY 

IF  ULLAGE  PRESSURE  IS  STEADILY  DECAYING  BELOW  THE  CONTROL  BAND  AND 
IS  NOT  THE  RESULT  OF  AN  ULLAGE  LEAK  (PER  RULE  {A5-9},  LH2  ULLAGE 
LEAK) ,  THE  ENGINES  WILL  BE  MANUALLY  THROTTLED  PER  THE  STEPS  GIVEN 
BELOW.  THE  MANUAL  THROTTLE  STEPS  WILL  BE  BASED  ON  THE  SETTINGS 
LISTED  IN  THE  TABLE  BELOW  WHEN  THE  LH?  NPSP  DROPS  BELOW  3.5  PSI  OR 
THE  HPFTP  TDT '  S  INCREASE  TO  WITHIN  75  DEG  R  OF  THEIR  REDLINES.  TO 
PREVENT  THE  VEHICLE  ACCELERATION  FROM  EXCEEDING  3.0  G' S  AFTER 
MANUAL  THROTTLING  IS  INVOKED,  THE  CREW  WILL  MANUALLY  THROTTLE  BACK 
TO  MAINTAIN  3.0  G' S  .  ®[ED  ]  @[040899-681 8A]  @[031500-71 81  A]  ®[ED  ] 

STEP  THROTTLE  SETTING  (PERCENT) 

1  95 

2  80 

3  67 
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A5-155  LIMIT  SHUTDOWN  CONTROL  AND  MANUAL  THROTTLING  FOR 

LOW  LH2  NPSP  (CONTINUED) 

ONCE  INITIATED,  MANUAL  THROTTLES  WILL  BE  MAINTAINED  UNTIL  MECO . 

A  MANUAL  MECO  WILL  BE  REQUIRED. 

A  GH2  pressurization  system  anomaly  could  be  caused  by  either  multiple  flow  con  trol  valves  failed 
closed  or  a  plugged  GH2  pressurization  leg.  Coverage  of  the  highly  unlikely  GH2  plugged 
pressurization  leg  failure  mode  is  a  result  ofPRCB  Directive  S050270DP,  “ Main  Propulsion  System 
(MPS)  Critical  Items  List  ( CIL)  Submittal  Waiver  Request,  ”  November  9,  1998.  @[040899-681 8A] 

Underspeeds  resulting  from  two  GH2flow  control  valves  failed  closed  or  a  plugged  GH2  pressurization 
leg  for  specific  engine  configurations,  or  three  GH2flow  control  valves  failed  closed  in  all  cases,  will 
poten  tially  result  in  loss  of  crew  and  vehicle  due  to  either  early  engine  shutdowns  (due  to  LH2  NPSP)  or 
ET  structural  failu  re.  Man  ually  throttling  to  a  lower  throttle  setting  increases  the  supplied  NPSP  by 
lowering  LH2  pressure  losses  across  the  LH2  manifolds  and  lines  and  also  reduces  the  SSME  NPSP 
requirement  for  engine  operation.  The  combination  of  higher  supplied  NPSP  and  reduced  NPSP 
requirement  enables  continued  engine  operation.  Once  initiated,  manual  throttles  are  maintained  until 
MECO  in  order  to  prevent  the  auto  throttle  up  to  the  mission  power  level  that  would  occur  following  cm 
SSME  failure.  Since  the  NPSP  drops  with  this  throttle  up,  maintaining  manual  throttles  protects  against 
the  potential  loss  of  additional  SSME(s).  ®[05i  500-7181  A] 

The  severity  of  the  LH2  NPSP  loss  is  not  only  dependen  t  upon  the  GH2  pressurization  system  failure 
mode  but  also  upon  the  engine  configuration  and  power  level  for  a  particular  mission.  Analysis  shows 
that  two  GH2JI0W  control  valves  failed  closed  on  a  nominal,  ATO,  or  AO  A  mission  using  three  Block  I 
or  Phase  II  SSME’s  at  104  percent  will  not  result  in  a  LH2  NPSP  degradation  which  requires  throttling 
(reference  February  19,  1997  PSIG,  Action  Item  970205-01).  Analysis  also  shows  that  missions  using 
specific  combinations  of  Block  I  and  Block  II  SSME’s  may  require  throttling  if  two  flow  control  valves 
are  failed  closed.  Further  analysis  suggests  that  throttling  may  be  expected  for  those  missions  using 
three  Block  IIA/II  SSME’s  if  two  flow  control  valves  are  failed  closed  or  one  of  the  SSME’s 
pressurization  legs  becomes  plugged  such  that  there  is  0  percent  flow  from  that  leg. 

A  GH2  pressurization  leg  refers  to  the  series  of  hardware  in  the  GH2  pressurization  line  that  carries 
flow  from  each  SSME’s  LPFTP  turbine  outlet  to  the  2-inch  pressurization  line  that  provides  ullage 
pressure  to  the  ET  LH2  tank.  Each  engine  con  tains  a  check  valve,  a  filter,  and  a  flow  con  trol  valve 
(reference  SSSH  10-12).  The  hardware  in  these  lines  could  potentially  fail  closed  or,  in  the  most  extreme 
case,  become  plugged  by  contamination.  @[040899-681 8A] 
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A5-155  LIMIT  SHUTDOWN  CONTROL  AND  MANUAL  THROTTLING  FOR 

LOW  LH2  NPSP  (CONTINUED) 


There  are  three  possible  scenarios  resulting  in  a  plugged  GH2  pressurization  system  leg.  The  first 
scenario  involves  the  filter  upstream  of  the  flow  control  valve  becoming  plugged,  resulting  in  0  percen  t 
flow  to  the  associated  valve.  The  second  and  third  scenarios  are  an  obstruction,  or  mechanical  failure, 
of  the  check  valve  upstream  of  the  flow  con  trol  valve  or  an  obstruction  of  the  flow  con  trol  valve  itself. 
This  would  result  in  0  percent  flow  being  provided  from  that  engine  to  the  2-inch  pressurization  line. 
Since  flow  from  all  three  pressurization  legs  is  required  to  maintain  ullage  pressure  above  32.6  psia,  all 
three  flow  control  valves  will  be  commanded  open  as  the  system  attempts  to  maintain  pressure  in  the  ET 
LH2  tank.  However,  since  flow  in  a  single  leg  is  obstructed,  ullage  pressure  will  steadily  decay  below 
the  con  trol  band  as  the  fuel  volume  in  the  ET  LH2  tank  decreases.  @[040899-681 8A] 

The  value  of  3.5  psifor  the  LH2  NPSP  was  chosen  as  the  primary  cue  to  avoid  LH2  NPSP  regions  where 
severe  cavitation  occurs  and  HPFTP  turbine  temperatures  increase  exponentially.  The  HPFTP  is 
expected  to  run  to  a  LH2  NPSP  of  1.0  to  2.0  psi  before  cavitation  becomes  critical.  The  ground  LH2 
NPSP  computation  assumes  a  3  sigma  worst  case  LH2  inlet  temperature  of  37.2  deg  Rfrom  liftoff  until 
MECO.  The  use  of  this  worst  case  temperature  provides  for  2  sigma  protection  (i.e.,  a  0.8  psi  bias)  in 
the  ground  NPSP  computation.  The  ground  computation  uncertainties  are  a  result  of  measurement 
inaccuracies  in  ullage  pressure,  head  pressure,  frictional  losses,  and  vapor  pressure  used  in  the 
derivation  of  NPSP.  On  average,  the  actual  vehicle  NPSP  will  be  0.8  psi  higher  than  the  NPSP  value 
displayed  by  the  MCC  ground  computation.  HPFTP  TDT’s  were  selected  as  a  backup  cue  in  case  an 
HPFTP  starts  to  severely  cavitate  at  a  higher  LH2  NPSP  value  than  expected.  Both  temperature  limits 
(channels  A  and  B)  are  calculated  by  subtracting  75  deg  R  from  the  redlines.  Larger  margins  from  the 
redline  may  overlap  the  nominal  operating  temperature  range  and  provide  false  cues  for  action  (ref. 
PSIG  Flight  Rule  Reviews  on  2/25/88,  3/23/88,  and  11/17/93).  ®[07i  494-1 646A] 

The  cue  of  3.0  g’s  of  acceleration  was  selected  to  ensure  protection  of  vehicle  acceleration  limits  (3.0  g). 
Various  vehicle  configurations  or  GH2  pressurization  system  failure  modes  may  or  may  not  result  in 
exceedance  of  vehicle  acceleration  limits.  However,  if  a  3.0  g  acceleration  limit  is  used  as  an  auto  or 
manual  throttling  cue  for  all  cases,  vehicle  structural  limits  are  protected  at  all  times.  Reference  Rule 
{A2-61},  Q-BAR/G-CONTROL.  Three-g  is  not  used  as  a  cue  for  the  first  manucd  throttle  step  since 
leaving  throttles  in  auto  will  throttle  at  3.0  g  ’s.  Once  manual  throttles  are  taken  for  an  NPSP  or  HPFTP 
TDT  cue,  throttles  will  remain  in  manual  and  3.0  g’s  will  be  protected  in  addition  to  the  NPSP  and 
HPFTP  TDT  cues.  The  shuttle  crews  are  trained  that  after  selecting  manual  throttles,  if  the  vehicle 
acceleration  exceeds  3.0  g’s,  they  will  need  to  manually  throttle  to  maintain  3.0  g’s.  ®[031 500-71 81  A] 

Throttling  in  three  steps  was  selected  to  minimize  crew/MCC  impact  and  workload.  The  steps 
approximately  divide  the  action  equally  into  thirds.  The  first  step,  95  percent,  was  originally  chosen  to 
avoid  the  Rocketdyne  HPFTP  impeller  resonance  region  (i.e.,  88  to  92  percent).  This  is  no  longer  a 
concern  as  a  result  of  a  redesign  of  the  impeller.  The  throttle  setting  of  95  percent  was  retained  for 
training  simplicity.  The  second  step,  80  percen  t,  is  midway  between  the  first  step  and  the  minimum 
power  level.  The  last  step,  67  percent,  is  the  minimum  power  level  and  further  commanded  power 
reduction  is  not  possible.  @[040899-681 8A] 
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A5-155  LIMIT  SHUTDOWN  CONTROL  AND  MANUAL  THROTTLING  FOR 

LOW  LH2  NPSP  (CONTINUED) 

C.  LH2  ULLAGE  LEAK  @[040899-681 8A] 

MANUAL  THROTTLES  WILL  BE  SELECTED  IMMEDIATELY  FOLLOWED  BY  A 
TAL  ABORT  TO  THE  MOST  IN-PLANE  SITE  (GO  TAL  SITE  OR  ACLS) . 
AFTER  TAL  SELECTION,  THE  THROTTLES  WILL  BE  RETURNED  TO  AUTO. 

Throttling  for  low  LH2  NPSP  due  to  an  LH2  ullage  leak  (reference  Rule  {A5-9},  LH2  ULLAGE  LEAK), 
or  an  open  LH2  vent/relief  valve,  delivers  less  ullage  pressurization  gas  causing  LH2  NPSP  to  decay 
faster  than  keeping  the  engines  at  104  percent.  ®[ED  ] 

GPC  software  automatically  throttles  the  engines  down  if  TAL  is  selected  above  an  I-loaded  inertial 
velocity.  To  preven  t  the  software  from  throttling  the  engines  down  when  there  is  an  LH2  ullage  leak, 
manual  throttles  are  selected  prior  to  selecting  TAL.  Once  TAL  is  selected,  the  throttles  will  be  returned 
to  AUTO  where  they  will  stay  at  104  percent  until  3  g’s  are  reached.  Three-g  throttling  may  cause 
engine  shutdowns,  but  this  is  an  accepted  risk  to  avoid  vehicle  structural  damage.  @[071 494-1 646A] 

Since  there  is  no  way  to  accurately  predict  when  engine  shutdown  will  occur  for  this  case,  it  is  important 
to  reach  multiple  engine-out  capability  and  an  acceptable  MECO  as  soon  as  possible.  The  earliest 
multi-engine  out  abort  site,  either  ACLS  or  TAL,  will  always  be  the  preferred  one  for  this  case  (reference 
rule  {A4-56J,  PERFORMANCE  BOUNDARIES). 

The  main  engine  limit  shutdown  software  will  be  manually  enabled  upon  recognition  of  this  failure  to 
protect  against  multiple  engine  shutdowns  without  limits  enabled. 

Rules  (A2-64J,  MANUAL  THROTTLE  CRITERIA;  (A2-61J,  Q-BAR/G-CONTROL;  (A2-301J, 
CONTINGENCY  ACTION  SUMMARY;  { A4-56 },  PERFORMANCE  BOUNDARIES;  {A4-59J,  MANUAL 
THROTTLE  SELECTION;  {A5-9j,  LH2  ULLAGE  LEAK;  { A5-103 j,  LIMIT  SHUTDOWN  CONTROL; 

(. A5-154 },  LH2  TANK  PRESSURIZATION  [CIL];  and  {A5-156},  ABORT  PREFERENCE  FOR  SYSTEMS 
FAILURES,  reference  this  rule.  ®[092195-1770A]  @[040899-681 8A]  ®[ED  ] 
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A5-156  ABORT  PREFERENCE  FOR  SYSTEMS  FAILURES 

A.  LH2  ULLAGE  LEAK  @[040899-681 8A] 

IF  LOW  LH2  NPSP  OCCURS  DUE  TO  AN  EXTERNAL  TANK  LH?  ULLAGE 
LEAK,  A  TAL  ABORT  WILL  BE  PERFORMED  TO  A  TAL  OR  ACLS  BASED 
ON  WHICHEVER  PROVIDES  THE  EARLIEST  MULTIPLE  ENGINE-OUT 
CAPABILITY.  ®[ED  ] 

B.  GH2  PRESSURIZATION  SYSTEM  ANOMALIES 

IF  THE  LOW  LH2  NPSP  OCCURS  DUE  TO  THREE  GH2  FLOW  CONTROL 
VALVES  FAILED  CLOSED,  A  TAL  ABORT  WILL  BE  PERFORMED  TO  A 
TAL  OR  ACLS  BASED  ON  WHICHEVER  PROVIDES  THE  EARLIEST 
MULTIPLE  ENGINE-OUT  CAPABILITY.  THIS  IS  THE  ONLY  GI£ 
PRESSURIZATION  SYSTEM  ANOMALY  FOR  WHICH  AN  ABORT  WILL  BE 
PERFORMED.  REFERENCE  RULE  {A5-155},  LIMIT  SHUTDOWN  CONTROL 
AND  MANUAL  THROTTLING  FOR  LOW  LH?  NPSP. 

A  TAL  abort  is  preferred  over  RTLS  because  TAL  MECO  conditions  are  satisfied  sooner  than  RTLS 
MECO  conditions.  If  an  LH2  ullage  leak  occurs ,  throttling  will  not  be  performed  for  low  LH2  NPSP 
(see  rationale  for  Rule  (A5-155C),  LIMIT  SHUTDOWN  CONTROL  AND  MANUAL  THROTTLING 
FOR  LOW  LH2  NPSP).  Once  an  ullage  leak  occurs ,  it  is  possible  for  the  leak  to  worsen.  In  this  case, 
the  NPSP  may  deteriorate  much  faster  than  the  failed  closed  flow  control  valve  case.  There  is  no 
method  to  predict  when  engine  shutdown  will  occur.  It  is  important  to  reach  multiple  engine-out 
capability  and  MECO  conditions  as  soon  as  possible.  The  earliest  MECO  conditions  and  multiple 
engine-out  capabilities  are  available  during  a  TAL  abort  or  an  abort  to  an  ACLS.  If  an  intact  abort  is 
not  performed,  the  risk  of  a  bailout  or  other  con  tingency  condition  will  increase.  @[021 199-6791  A] 

An  abort  will  not  be  performed  for  two  flow  control  valves  failed  closed  or  for  a  plugged  GH2 
pressurization  system  leg.  The  flow  control  valves  are  normally  open  valves  (must  be  powered  closed). 
The  close  power  will  cycle  the  valves  as  required  to  satisfy  the  ullage  pressure  control  band  (reference 
Rule  { A5-154 },  LH2  TANK  PRESSURIZATION  [ CIL]).  It  is  assumed  that  the  failure  will  occur  during 
power  cycling.  With  two  valves  failed  closed,  the  third  valve  will  not  be  power-cycled.  Therefore,  the 
third  valve  will  remain  open  ( unpowered )  and  nominal  MECO  conditions  may  be  achieved  by 
implementing  Rule  {A5-155},  LIMIT  SHUTDOWN  CONTROL  AND  MANUAL  THROTTLING  FOR 
LOW  LH2  NPSP.  For  a  plugged  GH2  pressurization  leg,  the  other  two  flow  control  valves  will 
operate  and  nominal  MECO  conditions  may  be  achieved  by  implementing  Rule  { A5-155 j,  LIMIT 
SHUTDOWN  CONTROL  AND  MANUAL  THROTTLING  FOR  LOW  LH2  NPSP.  If  three  flow  control 
valves  are  failed  closed,  a  TAL  abort  will  be  selected.  ®[040899-68i8A] 
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A5-156  ABORT  PREFERENCE  FOR  SYSTEMS  FAILURES  (CONTINUED) 

C.  ENGINE-TO-ENGINE  HELIUM  INTERCONNECT 

A  TAL  ABORT  TO  EITHER  A  TAL  OR  ACLS,  BASED  ON  WHICHEVER 
PROVIDES  THE  EARLIEST  MULTIPLE  ENGINE-OUT  CAPABILITY,  WILL 
BE  PERFORMED  IF  THE  HELIUM  SYSTEM  FROM  A  RUNNING  ENGINE  IS 
INTERCONNECTED  TO  A  LEAKING  ENGINE  HELIUM  SUPPLY  IN  ORDER 
TO  ACHIEVE  INTACT  ABORT  CAPABILITY  (REF.  RULE  {A5H.52B}, 
PRE-MECO  MPS  HELIUM  SYSTEM  INTERCONNECTS  [CIL]  )  ®[090894-1 676A ] 

Because  of  the  severity  of  the  helium  leak  which  requires  the  implemen  tation  of  Rule  {A5-152B},  PRE- 
MECO  MPS  HELIUM  SYSTEM  INTERCONNECTS  [ CIL],  adequate  helium  may  not  be  available  to 
support  three-engine  operation  to  nominal  MECO.  In  this  case,  it  is  possible  that  a  non-leaking  engine  as 
well  as  the  leaking  engine  could  shut  down  due  to  inadequate  helium.  Therefore,  it  is  important  to  reach 
multiple  engine-out  capability  and  MECO  conditions  as  soon  as  possible.  This  will  be  accomplished  by 
performing  a  TAL  abort  or  an  abort  to  an  ACLS.  @[090894-1 676A]  ®[02i  199-6791  A] 

Rule /A5-9],  LH2  ULLAGE  LEAK,  references  this  rule.  @[040899-681 8A]  ®[ED  ] 
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A5-157  ET  LOW  LEVEL  CUTOFF  SENSOR  FAILED  DRY 

THE  FAILURE  TO  THE  DRY  STATE  OF  THREE  OR  MORE  ET  PROPELLANT  LOW 
LEVEL  SENSORS  ON  THE  SAME  TANK  WILL  REQUIRE  A  TAL  ABORT  TO  BE 
PERFORMED  (TO  A  TAL,  OR  ACLS  IF  NO  TAL  SITE  IS  AVAILABLE)  IF 
UPHILL  CAPABILITY  DOES  NOT  EXIST  (REF.  RULE  {A4-56H}.1, 
PERFORMANCE  BOUNDARIES) .  A  PREFLIGHT  EVALUATION  WILL  BE 
REQUIRED  TO  DETERMINE  UPHILL  CAPABILITY  FOR  THIS  FAILURE. 

@[021397-4824] 

NOTE:  THREE  OR  MORE  "DRY"  INDICATIONS  WILL  CAUSE  PREMATURE  MECO 

IF  THE  LOW  LEVEL  ARM  COMMAND  IS  PRESENT  PRIOR  TO  REACHING 
THE  REQUIRED  MECO  TARGET.  TWO  SENSORS  INDICATING  "DRY" 
WILL  NOT  REQUIRE  AN  ABORT. 

Propellant  low  level  shutdown  software  is  provided  to  protect  the  vehicle  from  an  uncontrolled  engine 
failure  which  would  be  caused  by  the  depletion  of  either  LO2  or  LH2  propellan  t  to  a  running  engine. 

The  software  logic  requires  two  qualified  sensors  to  indicate  dry  after  the  arming  mass  is  reached  in 
order  to  start  the  low  level  timer  and  issue  the  MECO  command.  On  the  first  pass  after  the  arming 
mass  is  reached,  the  software  will  disable  one  dry  low  level  sensor.  On  the  next  pass,  the  software 
will  comman  d  MECO  if  two  other  low  level  sensors  on  the  same  tank  are  failed  dry.  Therefore,  three 
sensors  dry  when  the  arming  mass  is  reached  will  result  in  an  early  MECO  which  may  require  a  TAL 
or  ACLS  abort.  The  failure  of  two  sensors  will  not  cause  a  premature  MECO  when  the  arming  mass 
is  reached,  since  one  will  be  disabled.  The  crew  will  be  required  to  abort  TAL  (or  ACLS  if  no  TAL 
site  is  available)  on  some  performance-critical  missions  (as  determined  by  flight  design)  to  prevent  a 
MECO  from  occurring  in  a  region  where  no  abort  capability  exists.  @[021397-4824  ] 

Rule  { A2-301J ,  Note  31,  CONTINGENCY  ACTION  SUMMARY,  references  this  rule. 

A5-158  THROUGH  A5-200  RULES  ARE  RESERVED 
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MPS  MANAGEMENT :  POST-MECO 


A5-201  MPS  DUMP  INHIBIT  [CIL]  ®[020196-1813A] 

A.  INSIGHT  INTO  ENGINE  INLET  CONDITIONS  AVAILABLE: 

IF  A  PROPELLANT  LEAK  IS  DETECTED  PRE-MECO  ON  ANY  ENGINE  WHICH 
SHUTS  DOWN  (MANUAL  OR  CONTROLLER  INITIATED)  PRIOR  TO  MECO,  IT 
WILL  BE  ISOLATED  FROM  DUMPING  IMMEDIATELY  FOLLOWING  MECO. 

THIS  DUMP  INHIBIT  DECISION  WILL  BE  BASED  ON  THE  FOLLOWING: 

1.  LO2  INLET  PRESSURE  <  40  PSIA, 

FOR  A  DUMP  INHIBIT  OF  THE  L02  SYSTEM,  AN  EARLY  APU 
SHUTDOWN  WILL  BE  REQUIRED  FOR  TAL  AND  RTLS  ABORTS 
(REFERENCE  FLIGHT  RULE  {A16-205A},  EARLY  APU  SHUTDOWN). 
®[0201 96-1 81 3A] 

2.  LH2  INLET  PRESSURE  <  30  PSIA. 

FOR  A  DUMP  INHIBIT  OF  THE  LH2  SYSTEM,  AN  EMERGENCY 
POWERDOWN/MODE  V  EGRESS  WILL  BE  REQUIRED  FOR  TAL  AND  RTLS 
ABORTS  (REFERENCE  FLIGHT  RULES  {A16-12B}.2,  EMERGENCY 
POWERDOWN) .  AN  EARLY  APU  SHUTDOWN  WILL  OCCUR  AS  A  RESULT 
OF  THE  EMERGENCY  POWERDOWN.  ®[0201 96-1 81 3A] 

THIS  RULE  CONTINUED  ON  NEXT  PAGE 
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A5-201  MPS  DUMP  INHIBIT  [CIL]  (CONTINUED) 

For  nominal,  RTLS,  TAL,  ATO,  and  AOA  missions,  the  dump  inhibit  will  be  performed  immediately  post- 
MECO  on  the  affected  SSME  if  insight  into  the  engine  inlet  conditions  is  available  and  the  above  criteria 
are  met.  The  dump  inhibit  is  performed  by  manually  closing  the  associated  prevalve  and  powering  down 
that  engine’s  controller.  To  minimize  dump  and  vacuum  inert  impacts,  only  the  associated  prevalve  will 
be  closed  on  the  side  which  was  determined  to  be  leaking.  The  engine  controller  is  powered  off  to  close 
the  bleed  and  hydraulic  valves.  These  actions  will  prevent  excessive  leakage  of  propellant  into  the  aft 
compartment  during  the  MPS  propellant  dump,  thereby  minimizing  a  potentially  hazardous  condition  in 
the  aft  compartmen  t  (reference  the  PSIG  Flight  Rule  Review  of 2/25/88).  Causes  for  early  shutdown 
include  redline  limit  shutdown,  multiple  loss  of  con  troller  avionics,  and  manual  shutdown  for  a  MPS 
helium  leak,  a  hydraulic  or  electrical  lockup,  or  a  command  path  failure.  Since  flight  data  indicates  that 
the  pump  inlet  pressures  drop  below  the  above  limits  after  MECO,  an  engine  propellan  t  leak  cannot  be 
detected  if  a  low  level  cutoff  occurs.  The  low  pressure  fuel  pump  discharge  pressure  can  be  used  as  a 
backup  to  the  LH2  inlet  pressure  and  would  also  use  30  psia  as  the  dump  inhibit  criterion.  If  a  breach  of 
one  or  more  of  the  LH2  propellant  lines  has  occurred,  the  possibility  exists  of  uncontained/uncontrolled 
LH2  propellant  in  the  aft,  which  constitutes  a  flammability  and  explosion  hazard  on  a  RTLS  or  TAL 
abort.  This  condition  requires  the  most  expeditious  powerdown  of  the  vehicle  (emergency  powerdown) 
and  crew  egress  ( Mode  V)  possible.  An  LO2  leak  is  not  considered  as  hazardous  as  an  LH2  leak  and 
therefore  does  not  require  an  emergency  powerdown  and  Mode  V  egress.  However,  both  kinds  of  leaks 
do  warrant  cm  early  APU  shutdown  after  cm  RTLS  or  TAL  abort  in  order  to  eliminate  an  ignition  source 
in  a  hydrogen  or  oxygen  enriched  environment.  These  postlanding  actions  are  not  required  after  a 
nominal,  ATO,  or  AOA  mission  since  no  uncontained  residuals  will  remain  in  the  aft  compartment  at  the 
time  of  landing. 

Rules  (A16-12BJ.2,  EMERGENCY  POWERDOWN,  and  {A16-205A},  EARLY  APU  SHUTDOWN, 
reference  this  rule.  ®[0201 96-1 81 3A] 
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A5-201  MPS  DUMP  INHIBIT  [CIL]  (CONTINUED) 

B.  INSIGHT  INTO  ENGINE  INLET  CONDITIONS  UNAVAILABLE: 

1.  NOM/ATO/AOA: 

FOR  ANY  ENGINE  WHICH  SHUTS  DOWN  (MANUAL  OR  CONTROLLER 
INITIATED)  PRIOR  TO  MECO,  THE  MPS  DUMP  INHIBIT  WILL  BE 
PERFORMED  IMMEDIATELY  POST-MECO  ON  THE  PROPELLANT 
SYSTEM (S)  ON  WHICH  INSIGHT  HAD  BEEN  LOST.  THIS  ACTION 
WILL  BE  TAKEN  ON  A  TIME  PERMITTING  BASIS  TO  MINIMIZE 
POTENTIAL  LEAKAGE.  THE  LPFP  DISCHARGE  PRESSURE  CAN  BE 
USED  AS  A  BACKUP  CUE  TO  ASSESS  LH2  INLET  CONDITIONS. 

Loss  of  insight  into  the  inlet  pressures  (and  the  LPFP  discharge  pressure  for  the  fuel  side )  results  in  the 
inability  to  assess  the  inlet  conditions.  Therefore,  the  dump  will  be  inhibited  for  any  engine  shut  down 
prior  to  MECO  for  the  nominal  case,  an  ATO,  or  an  AOA  if  the  inlet  condition(s)  cannot  be  assessed  (at 
the  time  of  shutdown)  due  to  avionics  failures  since  a  con  tained  shutdown  cannot  be  guaran  teed.  In  the 
case  where  there  was  no  leakage,  any  residuals  trapped  in  the  engine  by  the  dump  inhibit  procedure  will 
have  time  to  bleed  out  prior  to  landing. 

2.  TAL/RTLS: 

THE  MPS  DUMP  INHIBIT  WILL  NOT  BE  PERFORMED. 

Due  to  the  extremely  low  probability  of  a  noncatastrophic,  uncontained  shutdown,  and  the  additional 
failure  to  lose  insight,  the  cases  of  surviv able  shutdowns  with  leakage  hidden  due  to  loss  of  insight  on  a 
TAL  and  RTLS  will  not  be  covered.  If  the  MPS  dump  is  inhibited  for  the  RTLS  and  TAL  cases  due  to  loss 
of  insight  and  no  leakage  existed,  it  would  induce  an  unnecessary  risk  of  trapped  LH2  residuals 
(approximately  26  lbs.  LH2  on  a  RTLS  and  approximately  8  lbs.  LH2  on  a  TAL  abort,  at  touchdown). 
These  amounts  ofLH2  are  enough  to  cause  a  venting  concern  for  the  convoy  and  preclude  normal 
convoy  operations  and  would  require  as  a  minimum  an  expedited  powerdown  and  Mode  V  egress  per 
Rule  { A16-11F '},  EXPEDITED  POWERDOWN.  However,  if  leakage  was  assumed,  an  emergency 
powerdown  and  Mode  V  egress  would  be  performed  per  paragraph  A  of  this  rule.  ®[0201 96-1 81 3A] 


VOLUME  A  11/21/02  FINAL,  PCN-1  BOOSTER  5-95 

Verify  that  this  is  the  correct  version  before  use. 


NASA  -  JOHNSON  SPACE  CENTER 


FLIGHT  RULES 


A5-202  ET  SEPARATION  INHIBIT  FOR  17-INCH  DISCONNECT 

FAILURE  [CIL] 


A.  NOMINAL 

IF  AN  ET/ORBITER  17-INCH  DISCONNECT  VALVE  IS  NOT  VERIFIED 
CLOSED,  ET  SEPARATION  WILL  BE  DELAYED  UNTIL  MECO  PLUS  6 
MINUTES  TO  ALLOW  THRUST  DECAY  FROM  THE  OPEN  VALVE  AND  THUS 
PREVENT  RECONTACT  BETWEEN  THE  ET  AND  ORBITER.  THE  MPS 
PROPELLANT  DUMP  WILL  BE  AUTOMATICALLY  PERFORMED  DURING  THE 
WAIT  PERIOD.  FOR  AN  UNDERSPEED  AT  MECO  WHICH  REQUIRES  THE 
OMS-1  BURN  TO  BE  PERFORMED  PRIOR  TO  MECO  PLUS  6  MINUTES,  ET 
SEPARATION  WILL  BE  PERFORMED  AT  OMS-1  TIG  MINUS  1  MINUTE  30 
SECONDS  OR  IMMEDIATELY  IF  REQUIRED,  AND  THE  MPS  DUMP  WILL  BE 
MANUALLY  DELAYED  UNTIL  AFTER  SEPARATION.  @[030994-1 61 8B] 

BOTTOM-SUN  WILL  BE  REQUIRED  FOR  THERMAL  CONDITIONING 
(REFERENCE  RULE  {A10-243},  ET  UMBILICAL  DOOR  CLOSURE 
DELAY  FOR  DISCONNECT  VALVE  FAILURE  [CIL]).  ©[021199-6795A] 

B.  RTLS/TAL 

ET  SEPARATION  IS  AUTOMATIC  FOR  17-INCH  DISCONNECT  VALVE 
FAILURE . 


The  ET  separation  sequence  software  in  the  GPC’s  will  inhibit  ET  separation  automatically  if  it  does  not 
receive  at  least  one  of  the  two  close  position  indications  from  each  of  the  orbiter  17-inch  disconnect 
valves.  The  closed  position  indicators  may  not  show  closed  for  real  valve  failures  or  loss  of  insight. 

This  prevents  a  recontact  problem  which  could  occur  between  the  ET  and  the  orbiter  after  separation 
due  to  the  large  venting  force  (>10,000  Ibf)  of  the  open  17-inch  valve  (reference  SODB,  volume  1, 
section  3.4.3. 1). 
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A5-202  ET  SEPARATION  INHIBIT  FOR  17-INCH  DISCONNECT 

FAILURE  [CIL]  (CONTINUED) 


The  crew  will  perform  a  manual  separation  6  minutes  after  the  nominal  separation  time.  This  waiting 
period  allows  the  tank  and  the  Orbiter  man  ifold  to  vent  to  a  level  where  the  ven  ting  force  <  1800  Ibf 
which  is  considered  safe  for  separation  (reference  SODB,  volume  1,  section  3. 4. 3.1).  For  underspeeds  at 
MECO,  which  require  an  OMS-1  to  be  performed  prior  to  MECO  plus  6  minutes,  ET  separation  has  to 
be  performed  1  minute  30  seconds  prior  to  OMS-1  ignition.  The  1  minute  30  second  time  was  selected  to 
ensure  that  the  crew  had  sufficien  t  time  to  prepare  for  the  OMS-1  ignition  (reference  SODB,  volume  1, 
section  3.4.3. 1).  The  MPS  dump  will  be  manually  delayed  by  placing  the  MPS  Propellant  Dump 
Sequence  Switch  in  the  STOP  position  if  the  separation  time  would  occur  during  the  scheduled  MPS 
dump.  The  switch  is  taken  back  to  the  GPC  position  after  the  ET  SEP  -Z  translation  to  allow  the 
automated  MPS  dump  to  commence.  The  MPS  dump  is  delayed  since  performing  the  MPS  dump  during 
ET  separation  is  not  a  certified  separation  mode.  Time  criticality  during  an  RTLS  and  TAL  aborts 
necessitates  an  automatic  ET  separation  for  01-22  and  subsequen  t  software.  The  RTLS  ET  separation 
software  allows  6  seconds  of  ven  ting.  Recon  tact  damage  will  be  risked  on  an  RTLS  to  avoid  rapid 
degradation  ofET  separation  conditions  and  possible  loss  of  control.  The  TAL  ET  separation  software 
allows  15  seconds  of  venting  to  avoid  recontact  while  minimizing  the  time  to  OPS  3  transition.  TAL 
aborts  incorporate  an  I-loaded  software  timer  expiration  (MSID  V97U9717C)  to  sequence  automatic  ET 
separation  while  RTLS  aborts  use  a  hardcoded  software  constant  for  separation. 

The  LO2  MPS  manifold  repressurization  valves  are  not  commanded  open  after  a  17 -inch  LO2 
disconnect  failure  to  prevent  excessive  loss  of  helium  during  the  MPS  dump.  The  LH2  MPS  manifold 
repressurization  valves  are  not  opened  during  this  timeframe. 

Rule  { A10-243J ,  ET  UMBILICAL  DOOR  CLOSURE  DELAY  FOR  DISCONNECT  VALVE  FAILURE 
[CIL],  references  this  rule.  ®[021 1 99-6795A] 
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A5-203  MPS  PROPELLANT  MANIFOLD  OVERPRESSURE  [CIL] 

A.  AN  MPS  PROPELLANT  MANIFOLD  OVERPRESSURE  CONDITION  (>  312 
(249)  PSIA  FOR  LO2  OR  >  66  (60)  PSIA  FOR  LH2)  WILL  BE 

RELIEVED  BY  THE  FOLLOWING  METHODS: 

1.  P RE -MPS  DUMP 

THE  MPS  DUMP  WILL  AUTOMATICALLY  BE  STARTED  IMMEDIATELY  IF 
THE  LH2  MANIFOLD  PRESSURE  IS  BETWEEN  60  AND  90  PSIA  AND 
NOT  COMMFAULTED  .  @[092701 -4867A] 

2.  POST-MPS  DUMP,  PRE-FIRST  AUTOMATED  VACUUM  INERT 

THE  LH2  OUTBOARD  FILL/DRAIN  AND  TOPPING  VALVES  WILL 
AUTOMATICALLY  OPEN  IF: 

a.  THE  LH2  MANIFOLD  PRESSURE  IS  BETWEEN  60  AND  90  PSIA 
AND  NOT  COMMFAULTED  AND 

b.  THE  LH2  BACKUP  DUMP  VALVES  SWITCH  WAS  NOT  TAKEN  TO 
OPEN. 

THE  LH2  OUTBOARD  FILL/DRAIN  AND  TOPPING  VALVES  WILL 
AUTOMATICALLY  CLOSE  AT  MPS  DUMP  START  +19  MINUTES 
(APPROXIMATELY  MECO  +  21  MINUTES) .  IF  THE  OUTBOARD 
FILL/DRAIN  DOES  NOT  CLOSE,  THE  SOFTWARE  WILL  COMMAND  THE 
LH2  INBOARD  FILL/DRAIN  VALVE  CLOSED.  ®[1 1 1094-1 730A  ]  ®[021 1 99-6792B] 

3.  POST-FIRST  AUTOMATED  VACUUM  INERT  @[092701 -4867A] 

THE  AFFECTED  L02  OR  LH2  OUTBOARD  FILL/DRAIN  VALVE  WILL  BE 
MANUALLY  OPENED  IMMEDIATELY.  THIS  VALVE  WILL  BE  CLOSED 
AFTER  THE  SYSTEM  HAS  BEEN  INERTED. 
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(CONTINUED) 


Because  of  the  characteristics  of  the  LO2  system ,  it  is  highly  unlikely  that  a  real  overpressure  condition 
will  occur  without  multiple  (>  2)  system  failures  prior  to  the  start  of  the  MPS  dump  (nominally  at  MECO 
+  2  minutes).  Therefore,  no  crew  action  is  taken  for  LO2  manifold  pressure  above  C&W  (249  psia). 

Heat  soak  back  will  vaporize  any  fluid  propellants,  increasing  the  pressure  in  the  lines.  On  the  LO2  side, 
the  pressure  can  be  relieved  by  either  the  MPS  dump  or  vacuum  inerting.  On  the  LH2  side,  the  pressure 
can  be  relieved  by  MPS  dump,  vacuum  inerting,  or  opening  the  LH2  backup  dump  valves  in  OPS  1.  An 
automatic  MPS  dump  will  be  performed  to  avoid  reaching  proof  pressure  (66  psig)  if  the  software  limit 
(greater  than  60  psia  and  less  than  90  psia)  is  reached  before  the  scheduled  MPS  dump  occurs.  If  the 
LH2  manifold  pressure  C&W  limit  of  65  psia  is  reached,  the  crew  will  open  the  LH2  backup  dump  valves 
and  both  LH2  inboard  and  outboard  fill/drain  valves  per  the  Ascent  Pocket  Checklist  procedure.  If  the 
LH2  manifold  pressure  is  between  60  and  90  psia  after  the  MPS  dump  terminates  but  prior  to  the  first 
automated  vacuum  inert  start  (dump  start  +17  minutes,  approximately  MECO  +  19  minutes)  and  the 
LH2  backup  dump  valves  switch  on  panel  R2  was  not  taken  to  OPEN,  an  automated  contingency  EH 2 
vacuum  inert  will  be  started  by  the  software  and  relieve  the  pressure.  This  contingency  inert  will  be 
performed  by  opening  the  LH2  topping  and  LH2  outboard  fill/drain  valves  (the  LH2  inboard  fill/drain 
valve  remains  open  following  the  MPS  dump).  If  the  LH2  manifold  pressure  is  between  60  and  90  psia 
after  the  MPS  dump  terminates  but  prior  to  the  first  automated  vacuum  inert  start  and  the  LH2  backup 
dump  valves  switch  on  panel  R2  was  taken  to  OPEN,  an  automated  contingency  LH2  vacuum  inert  will 
not  be  started  by  the  software  because  manual  action  has  already  been  taken.  @[092701 -4867A] 

If  either  the  LO2  or  LH2  C&W  limit  is  reached  after  the  first  automated  vacuum  inert,  the  affected  LO2  or 
LH2  outboard  fill/drain  valve  will  be  opened  manually  to  relieve  the  pressure.  Only  the  outboards  are 
opened  since  the  inboards  should  already  be  open.  This  is  only  performed  for  true  high  pressure  in  the 
affected  manifold  and  not  for  instrumentation  failures.  Procedures  in  the  Orbit  Pocket  Checklist  have  the 
crew  open  all  the  fill/drain  valves  since  the  crew  does  not  have  time  to  determine  which  system  has  the 
overpressure  condition.  The  LO2  manifold  pressure  C&W  limit  (249  psia)  is  approximately  midway 
between  the  relief  (190  psig )  and  proof  (312  psig)  pressures  (ref.  SODB,  volume  I,  section  4.3).  The  LH2 
manifold  pressure  C&W  limit  (65  psia)  is  set  to  avoid  having  system  delays  in  starting  the  MPS  dump 
allow  the  LH2  manifold  pressure  to  exceed  the  C&W  limit.  Rule  j A5-205C },  NOMINAL,  AOA,  AND  ATO 
MPS  DUMP  FAILURES,  references  this  rule.  ®[i  1 1 094-1 730A  ]  ®[02i  1 99-6792B]  ®[09270i-4867A]  ®[ED  ] 
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(CONTINUED) 

B.  IF  THE  LH2  RELIEF  ISOLATION  VALVE  FAILS  CLOSED  POST-MECO  AND 
ANY  OMS  BURN  TIG  IS  PRIOR  TO  THE  START  OF  THE  FIRST  AUTOMATED 
VACUUM  INERT  AT  MPS  DUMP  START  +  17  MINUTES  (APPROXIMATELY 
ME  CO  +  19  MINUTES):  ®[0211 99-6792  B]  @[090999-7035]  @[092701 -4867A] 

1.  THE  LH2  BACKUP  DUMP  VALVES  WILL  BE  MANUALLY  OPENED  PRIOR 
TO  THE  OMS  BURN.  THE  LH2  BACKUP  DUMP  VALVES  WILL 
AUTOMATICALLY  CLOSE  AT  THE  COMPLETION  OF  THE  FIRST 
AUTOMATED  VACUUM  INERT  AT  MPS  DUMP  START  +19  MINUTES 
(APPROXIMATELY  MECO  +  21  MINUTES) . 

2.  THE  AUTOMATED  LH2  MANIFOLD  REPRESSURIZATION  FOLLOWING  THE 
SECOND  AUTOMATED  VACUUM  INERT  WILL  BE  MANUALLY  INHIBITED 
BY  TAKING  THE  LH2  MANIFOLD  PRESS  SWITCH  TO  CLOSE  PRIOR  TO 
THE  MM  106  TRANSITION.  THE  LR?  MANIFOLD  PRESS  SWITCH 
WILL  BE  TAKEN  TO  GPC  AFTER  THE  MM  106  TRANSITION  +  3 
MINUTES . 

If  the  LH2  relief  isolation  valve  does  not  open,  the  LH2  manifold  cannot  be  relieved  through  the  relief 
valve.  The  nominal  pressure  buildup  post-MECO  is  not  expected  to  reach  the  manifold  relief  setting 
with  a  nominal  MPS  dump  and  nominal  vacuum  inerts.  If  the  manifold  pressure  builds  up  greater  than 
60  psia,  the  software  will  automatically  start  the  MPS  dump  or  an  automated  contingency  LH2  vacuum 
inert  (through  the  LH2  fill/drain  valves)  to  relieve  the  pressure.  The  LH2  backup  dump  valves  will  be 
manually  opened  if  an  OMS  burn  is  expected  to  occur  prior  to  the  nominal  first  automated  vacuum 
inert  start  time  of  MPS  dump  start  +  17  minutes  (approximately  MECO  +  19  minutes).  The  OMS  burn 
will  increase  the  sublimation  of  the  LH2  residuals,  resulting  in  a  pressure  buildup  that  may  reach  the 
relief  setting.  Although  the  software  will  automatically  provide  pressure  relief  if  needed,  the  LH2 
backup  dump  valves  are  opened  to  prevent  the  pressure  rise  from  nearing  the  proof  pressure  of  the 
manifold  (66  psig).  The  valves  will  be  left  open  until  the  end  of  the  first  automated  vacuum  inert  when 
they  will  automatically  close.  The  second  automated  vacuum  inert  will  be  allowed  to  proceed  normally 
except  for  the  LH2  manifold  repressurization.  The  repressurization  is  manually  inhibited  by  taking  the 
LH2  man  ifold  press  switch  to  close  because  there  is  no  manifold  relief  capability.  This  will  be 
performed  prior  to  the  MM  106  transition  because  the  second  automated  vacuum  inert  and  subsequent 
manifold  repressurization  will  initiate  at  the  MM  106  transition.  The  LH2  manifold  press  switch  will 
be  taken  to  GPC  after  the  MM  106  transition  +  3  minutes  (corresponding  to  the  completion  of  the 
second  automated  vacuum  inert  and  subsequent  manifold  repressurization)  in  order  to  avoid  powering 
the  valve  until  it  is  nominally  checked  in  the  Deorbit  Prep  timeframe.  @[092701 -4867A] 
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C.  IF  AUTOMATIC  LH2  VENT,  DUMP,  AND  RELIEF  CAPABILITY  IS  LOST 
AS  A  RESULT  OF  DUAL  GPC/FA  MDM  FAILURES  (GPC'S/FA  MDM' S  1 
AND  3,  1  AND  4,  OR  3  AND  4),  THE  CREW  WILL  MANUALLY  OPEN  THE 

LH2  FEEDLINE  RELIEF  ISOLATION  VALVE  IMMEDIATELY  POST-MECO. 
@[090999-7035  ] 

Certain  dual  GPC/FA  MDM  failure  combinations  occurring  during  ascent  will  prevent  the  LH2  relief 
isolation  valve  as  well  as  the  LH2  backup  dump  valves  and  LH2  fill/drain  valves  from  opening  after 
MECO.  Without  a  relief  path,  the  LH2  manifold  pressure  will  rapidly  rise  to  a  dangerous  pressure  level 
in  seconds.  During  the  STS-1  flight,  where  the  LH2  backup  dump  valves  were  not  commanded  open  at 
11.4  seconds  after  MECO  as  they  are  now,  the  LH2  manifold  pressure  went  from  34  psia  before  17-inch 
disconnect  closure  to  50  psia  within  15  seconds  and  subsequently  relieved  until  the  start  of  the  MPS 
dump.  The  LH2  manifold  burst  pressure  is  83  psig.  The  crew  can  manually  open  the  LH2  feedline  relief 
isolation  valve  with  a  single  switch  throw  on  panel  R4.  Pressure  rise  on  the  LO2  side  is  not  a  major 
concern  as  a  result  of  the  slower  pressure  rise  rate,  higher  manifold  burst  pressure,  and  the  available 
leak  path  through  the  SSME  oxidizer  pump  seal  packages.  For  any  dual  GPC/FA  MDM  failures,  the 
onboard  procedure  has  the  crew  take  both  the  LO2  and  LH2  feedline  relief  isolation  valve  switches  to 
open  for  procedural  simplicity.  @[030994-1 61 8B]  @[021 1 99-6792B]  @[092701 -4867A] 
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A5-204  MANUAL  MPS  DUMP  ®[09270i-4867A] 

THE  MPS  DUMP  WILL  BE  MANUALLY  DELAYED  BY  TAKING  THE  MPS  DUMP 
SEQUENCE  SWITCH  TO  "STOP"  UNTIL  AFTER  ET  SEPARATION  FOR  THE 
FOLLOWING  FAILURE  CASES  IN  ORDER  TO  AVOID  PERFORMING  THE  MPS  DUMP 
DURING  ET  SEPARATION: 

A.  AFT  RCS  LEAK. 

B.  FORWARD  RCS  LEAK. 

C.  MPS  FEEDLINE  DISCONNECT  FAILURE (S)  WITH  AN  OMS-1  TIG  PRIOR 
TO  MECO  +  6  MINUTES.  @[090999-7035] 

To  preven  t  orbiter  recon  tact  with  the  ET,  the  MPS  dump  is  delayed  until  after  ET  separation  for  RCS 
leaks  and  the  feedline  disconnect  failure(s).  With  an  RCS  leak,  the  potential  exists  for  the  MPS  dump 
forces  to  overwhelm  the  reduced  RCS  control  authority  during  ET  separation;  therefore,  the  MPS  dump 
is  delayed  until  after  separation  by  taking  the  MPS  dump  sequence  switch  to  stop.  With  a  feedline 
disconnect  failure  and  an  OMS-1  TIG  prior  to  MECO  +  6  minutes,  the  MPS  dump  is  delayed  per  Rule 
{A5-202},  ET  SEPARATION  INHIBIT  FOR  17-INCH  DISCONNECT  FAILURE  [CIL],  to  prevent  dump 
forces  from  interfering  with  the  separation  sequence  (dump  and  vent  forces  could  cause  recontact). 
Analysis  certifying  the  MPS  dump  during  ET  separation  (SSEIG  minutes,  April  26,  1999)  is  not  valid  in 
these  cases  because  the  analysis  assumed  1)  the  only  RCS  jets  that  are  failed  are  those  affected  by  a 
GPC  4  failure,  and  2 )  the  MPS  dump  can  occur  no  earlier  than  1.4  seconds  after  ET  structural 
separation.  @[090999-7035]  @[092701 -4867A]  ®[ED  ] 

Taking  the  MPS  dump  sequence  switch  to  stop  for  an  ET  toggle  switch  failure  along  with  an  LH2 
manifold  pressure  transducer  bias  between  60  and  90  psia  is  not  covered  per  the  direction  of  the  PRCB 
(PRCBD  #  S050270EF)  on  July  1,  1999.  Since  the  most  likely  time  that  the  ET  toggle  switch  failure 
( FMEA/CIL’s  05-6-2237-02  and  05-6-2237-03)  can  occur  is  post  MECO,  the  crew  would  not  have  time 
to  inhibit  the  MPS  dump  prior  to  MECO  +  20  seconds  (dump  start  time  for  the  LH2  transducer  failure). 
The  PRCB  also  considered  the  combination  of  these  two  failures  to  be  too  unlikely  to  be  specifically 
covered  by  crew  procedures  or  by  the  Flight  Rules.  Rule  {A5-205},  NOMINAL,  AO  A,  AND  ATO  MPS 
DUMP  FAILURES,  references  this  rule.  @[090999-7035]  ®[09270i-4867A]  ®[ED  ] 
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A5-205  NOMINAL,  AO  A,  AND  ATO  MPS  T  DUMP  FAILURES 

@[092701 -4867A]  ®[ED  ] 

A.  MPS  DUMP  SWITCH  FAILURE  -  IF  THE  MPS  DUMP  SEQUENCE  SWITCH  IS 
NEEDED  TO  DELAY  THE  MPS  DUMP  AND  IS  UNAVAILABLE  DUE  TO  A 
CONTROL  BUS  FAILURE,  THE  AFFECTED  CONTACT  WILL  BE  COMM 
FAULTED  BY  POWER  CYCLING  THE  APPROPRIATE  MDM  PER  THE  TABLE 
BELOW.  @[021 397-4825  ] 

SW  CONTACT  CONTROL  BUS  MDM 


A 

AB3 

FF1 

B 

BC3 

FF2 

The  MPS  dump  sequence  switch  can  no  longer  be  used  to  manually  con  trol  the  dump  if  the  switch  fails 
redundancy  management.  The  MPS  dump  sequence  switch  is  only  used  to  delay  the  automated  MPS 
dump  until  after  ET  separation  for  an  aft  RCS  leak,  a  forward  RCS  leak,  or  an  ET  separation  inhibit  due 
to  feedline  disconnect  failures  with  an  OMS-1  TIG  prior  to  MECO  +  6  minu  tes  per  Rule  {A5-204J, 
MANUAL  MPS  DUMP.  If  the  MPS  dump  sequence  switch  is  needed  to  delay  the  MPS  dump  and  one  of 
the  contacts  is  failed  due  to  loss  of  either  control  bus  AB3  or  BC3,  the  affected  contact  could  be  taken 
out  of  the  switch  RM  logic  by  power  cycling  either  MDM  FF1  or  FF2.  ®[i  1 1 094-1 720B]  ®[02i  397-4825  ] 
@[092701 -4867A]  ®[ED  ] 
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(CONTINUED) 

B.  LH2  DUMP  FAILURES  -  AN  LH2  DUMP  WILL  BE  PERFORMED  BY  MANUALLY 
OPENING  THE  LH2  BACKUP  DUMP  VALVES  PRIOR  TO  THE  END  OF  THE 
MPS  DUMP  FOR  THE  FAILURE  TO  OPEN  EITHER  THE  LH2  INBOARD  OR 
OUTBOARD  FILL/DRAIN  VALVE.  THE  LH2  BACKUP  DUMP  VALVES  WILL 
BE  MANUALLY  CLOSED  BETWEEN  MECO  +  7  MINUTES  AND  MECO  +10 
MINUTES  BY  TAKING  THE  LH2  BACKUP  DUMP  VALVE  SWITCH  TO  CLOSE 
THEN  GPC .  OTHERWISE,  THE  LH2  MANIFOLD  REPRESSURIZATION 
FOLLOWING  THE  SECOND  AUTOMATED  VACUUM  INERT  WILL  BE  MANUALLY 
INHIBITED  BY  TAKING  THE  LH2  MANIFOLD  PRESS  SWITCH  TO  CLOSE 
PRIOR  TO  THE  MM  106  TRANSITION.  THE  LH2  MANIFOLD  PRESS 
SWITCH  WILL  BE  TAKEN  TO  GPC  AFTER  THE  MM  106  TRANSITION  +  3 

MINUTES.  @[09270 1 -4867A] 

The  LH2  portion  of  the  MPS  dump  is  a  120-second  unpressurized  dump  through  the  LH2  fill/ 'drain 
valves,  the  LH2  topping  valve,  and  the  LH2  backup  dump  valves.  If  the  LH2  outboard  fill/drain  valve 
fails  closed  prior  to  the  start  of  the  MPS  dump,  approximately  57  Ibm  of  hydrogen  will  remain  at  the 
end  of  the  MPS  dump.  If  the  LH2  inboard  valve  fails  closed,  approximately  6  Ibm  of  hydrogen  will 
remain.  For  these  cases,  the  LH2  backup  dump  valves  will  be  taken  to  the  open  position  prior  to  the 
end  of  the  MPS  dump.  This  will  allow  all  but  approximately  5  Ibm  of  hydrogen  to  be  vented  off  before 
the  LH2  backup  dump  valves  are  manually  closed. 

If  no  other  crew  action  is  taken,  the  LH2  backup  dump  valves  will  remain  open  until  the  termination  of 
the  first  au  tomated  vacuum  inert  (dump  start  +19  min  u  tes,  approximately  MECO  +  21  minutes).  At  the 
termination  of  the  first  automated  vacuum  inert,  the  LH2  backup  dump  valves  will  automatically  close 
until  the  start  of  the  second  automated  vacuum  inert  at  the  MM  106  transition.  At  the  termination  of  the 
second  automated  vacuum  inert,  all  but  0.24  Ibm  of  hydrogen  will  be  vented.  This  amount  of  hydrogen 
residual  is  sufficiently  high  to  cause  concern  regarding  the  automatic  manifold  press  checkout  because 
the  manifold  pressure  is  expected  to  reach  approximately  41  psia  which  is  high  enough  to  open  the  LH2 
feedline  relief  valve.  In  order  to  avoid  opening  the  LH2  feedline  relief  valve  ( the  vent  port  is  located 
near  the  vertical  stabilizer),  the  automatic  manifold  press  checkout  will  be  manually  inhibited  by  taking 
the  LH2  manifold  press  switch  to  close.  This  will  be  performed  prior  to  the  MM  106  transition  because 
the  second  automated  vacuum  inert  and  subsequent  manifold  repressurization  will  initiate  at  the  MM 
106  transition.  The  LH2  manifold  press  switch  will  be  taken  to  GPC  after  the  MM  106  transition  +  3 
minutes  (corresponding  to  the  completion  of  the  second  automated  vacuum  inert  and  subsequen  t 
manifold  repressurization)  in  order  to  avoid  powering  the  valve  until  it  is  nominally  checked  in  the 
Deorbit  Prep  timeframe.  @[092701 -4867A] 
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A5-205  NOMINAL,  AO  A,  AND  ATO  MPS  T  DUMP  FAILURES 

(CONTINUED) 


If  the  crew  closes  the  LH2  backup  dump  valves  between  MECO  +  6  minutes,  40  seconds  and  MECO  + 

10  minutes,  (prior  to  the  start  of  the  first  automated  vacuum  inert),  the  hydrogen  residuals  following  the 
second  automated  vacuum  inert  will  be  between  0.09  Ibm  and  0.10  Ibm,  respectively.  For  simplicity,  the 
crew  action  to  take  the  LH2  backup  dump  valve  switch  to  close  then  GPC  will  be  performed  between 
MECO  +  7  minutes  and  MECO  +  10  minutes.  It  is  believed  that  these  residuals  are  insufficient  to 
cause  hydrogen  to  relieve  on  orbit.  All  residuals  are  based  on  Boeing  IL  SHA0-01-014  /  SI-01-044 
dated  February  19,  2001.  @[092701 -4867A] 

Manual  control  of  the  LH2  backup  dump  valves  is  only  available  in  OPS  1.  If  the  hydrogen  residuals 
were  not  properly  inerted  in  OPS  1,  the  manifold  pressure  may  rise  above  the  83  psig  burst  pressure  of 
the  manifold.  This  scenario  would  require  the  crew  to  pro  to  OPS  303  (via  OPS  301)  in  order  for  the 
software  to  automatically  open  the  LH2  backup  dump  valves.  Once  the  manifold  pressure  returns  to 
normal,  the  vehicle  may  be  transitioned  back  to  OPS  2.  For  this  reason,  the  hydrogen  residuals  are 
managed  in  OPS  1  via  the  LH2  backup  dump  valve  switch. 

Currently,  no  ops  code  exists  to  open  the  LH2  backup  dump  valves  via  real-tune  command  (RTC),  and 
due  to  the  fact  that  the  pressure  will  rise  from  the  max  relief  setting  to  the  burst  pressure  in  a  relatively 
short  amount  of  time  ( approximately  TO  hour),  the  decision  was  made  not  to  pursue  a  GPC  memory 
read/write  (GMEM).  In  the  case  of  cm  AO  A,  the  manifold  pressure  should  not  reach  burst  pressure 
prior  to  the  OPS  303  transition.  @[111 094-1 720B] 

C.  LC>2  DUMP  FAILURES  -  AN  INCOMPLETE  LC£  DUMP  MAY  REQUIRE  A 

MANUAL  LO2  VACUUM  INERT  TO  BE  PERFORMED  PER  RULE  {A5-206}, 
MANUAL  VACUUM  INERTING  REQUIREMENTS  (NOMINAL,  ATO,  AOA) . 

@[111 094-1 730A]  @[021397-4825] 

The  LO2  is  dumped  through  the  SSME  mean  oxidizer  valves.  There  is  no  secondary  dump  path  available 
during  the  MPS  dump.  However,  after  MPS  dump  termination,  residuals  will  vent  through  the  engine 
high  pressure  oxidizer  pump  seals,  and  the  relief  system  will  protect  the  manifold  from 
overpressurization.  @[092701 -4867A] 


VOLUME  A  11/21/02  FINAL,  PCN-1  BOOSTER  5-105 

Verify  that  this  is  the  correct  version  before  use. 


NASA  -  JOHNSON  SPACE  CENTER 


FLIGHT  RULES 


A5-206  MANUAL  VACUUM  INERTING  REQUIREMENTS  (NOMINAL,  ATO, 

AO  A) 

A.  FOR  NOMINAL /ATO  MISSIONS,  A  MANUAL  LO2  VACUUM  INERTING  MAY  BE 
PERFORMED  BY  THE  CREW  IF  THE  LC£  MANIFOLD  PRESSURE  IS  GREATER 
THAN  30  PSIA  AFTER  THE  SCHEDULED  TERMINATION  OF  THE  FIRST 
AUTOMATED  VACUUM  INERT.  MANUAL  LC£  VACUUM  INERTING  WILL  NOT 
BE  PERFORMED  UNTIL  THE  LC£  MANIFOLD  PRESSURE  VENTS  BELOW  30 
PSIA.  ®[1 1 1094-1 71 8A  ]  @[092701 -4867A] 

LO2  vacuum  inerting  can  be  delayed  because  the  LO2  prevalves  remain  open  after  the  MPS  clump  which 
allows  the  pressure  to  vent  through  the  engine  high-pressure  oxidizer  pump  seals.  After  the  pressure 
decays  below  30  psia,  the  software  or  crew  can  then  perform  vacuum  inerting  without  any  vehicle  control 
problems.  The  software  can  only  perform  the  automated  LO2  vacuum  inert  between  MPS  clump  start 
+  17  minutes  (approximately  MECO  +  19  minutes)  and  MPS  dump  start  +  19  minutes  (approximately 
MECO  +  21  minutes). 

For  a  nominal  and  ATO  mission,  there  should  be  sufficient  time  to  allow  the  pressure  to  decay  and  then 
perform  the  LO2  vacuum  inert  if  required.  The  manual  vacuum  inert  may  not  be  necessary  depending  on 
the  effectiveness  of  the  pressure  relief  through  the  engine  high-pressure  oxidizer  pump  seals.  On  an 
AO  A,  there  may  not  be  sufficient  time  to  vent  below  30  psia,  however,  no  action  would  be  required 
because  the  LO2  manifold  will  be  inerted  automatically  in  MM  304  by  the  MPS  entry  dump  sequence. 

LO2  manifold  pressure  will  be  less  than  30  psia  if  the  MPS  dump  was  performed  successfully. 

However,  if  two  or  three  engine  main  oxidizer  valves  were  not  able  to  open  for  the  MPS  dump,  the 
residual  oxidizer  could  result  in  a  manifold  pressure  greater  than  30  psia.  Opening  the  LO2  fill/ drain 
valves  when  the  manifold  pressure  is  greater  than  30  psia  will  cause  the  vehicle  to  roll  significantly  as 
was  experienced  during  an  MPS  dump  detailed  test  objective  on  STS  51-D.  The  roll  was  due  to  the 
oxidizer  flow  force  at  the  LO2  outboard  fill/drain  valve  and  flow  impingement  on  the  wing. 

B.  FOR  A  BCE  STRING  2C  FAILURE,  A  MANUAL  LC£  VACUUM  INERT  WILL 
BE  PERFORMED  AFTER  MPS  DUMP  START  +  22  MINUTES  (APPROXIMATELY 
MECO  +  24  MINUTES)  IF  THE  LC£  MANIFOLD  PRESSURE  IS  CONFIRMED 
TO  BE  LESS  THAN  30  PSIA. 

The  loss  of  BCE  STRING  2C  commfaults  the  LO2  manifold  pressure  sensor.  The  MPS  dump  sequence 
will  not  perform  the  LO2  portion  of  the  first  automated  vacuum  inert  if  the  manifold  pressure  sensor  is 
commfaulted.  Any  LO2  inlet  pressure  sensor  can  be  used  by  the  MCC  as  a  backup  to  the  LO2 
manifold  pressure  if  the  corresponding  LO2  prevalve  is  open.  The  crew’s  manifold  pressure  meter  on 
panel  F7  should  also  be  available  to  determine  the  LO2  manifold  pressure.  The  BCE  STRING  X 
procedure  in  the  Ascent  Pocket  Checklist  directs  the  crew  to  perform  the  MPS  vacuum  inert  procedure 
for  the  STRING  2C  failure.  ®[09270i-4867A] 
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A5-206  MANUAL  VACUUM  INERTING  REQUIREMENTS  (NOMINAL,  ATO, 

AO A)  (CONTINUED) 

C.  ON  A  SYSTEMS  AO A,  A  MANUAL  VACUUM  INERT  MAY  BE  REQUIRED  IF 
OPS  3  IS  ENTERED  PRIOR  TO  INITIATION  OF  THE  FIRST  AUTOMATED 
VACUUM  INERT.  @[092701 -4867A] 


On  a  systems  AOA,  there  may  not  be  sufficient  time  for  the  software  to  initiate  the  first  automated 
vacuum  inert  and  the  crew  must  manually  perform  the  vacuum  inert  to  insure  no  residuals,  since  no  entry 
dump/inert  will  be  performed. 

D.  MANUAL  LH2  VACUUM  INERTING  WILL  BE  PERFORMED  BY  MANUALLY 

OPENING  THE  LH2  INBOARD  AND  OUTBOARD  FILL/DRAIN  VALVES  FOR 
THE  FAILURE  TO  OPEN  THE  LH2  BACKUP  DUMP  VALVES.  THE  FIRST 
MANUAL  VACUUM  INERT  WILL  BE  PERFORMED  AS  CLOSE  TO  THE 
AUTOMATIC  SEQUENCE  AS  POSSIBLE,  BETWEEN  MPS  DUMP  START  +  17 
MINUTES  (APPROXIMATELY  MECO  +19  MINUTES)  AND  MPS  DUMP  START 
+  19  MINUTES  (APPROXIMATELY  MECO  +  21  MINUTES) .  THE  SECOND 
MANUAL  VACUUM  INERT  WILL  BE  PERFORMED  POST  OMS-2  AND  PRIOR  TO 
THE  MM  106  TRANSITION.  @[092195-1791] 


If  either  of  the  LH2  backup  dump  valves  do  not  open  during  the  MPS  dump  or  automated  vacuum 
inert(s),  the  system  will  be  manually  inerted  using  the  LH 2  fill/drain  valves  in  order  to  minimize 
residuals  in  the  LH2  manifold.  The  first  manual  vacuum  inert  will  be  performed  as  close  to  the 
automatic  sequence  timing  as  possible  (to  minimize  hydrogen  residuals).  The  second  maimed  vacuum 
inert  will  be  performed  prior  to  the  MM  106  transition  in  order  to  cdlow  the  automatic  manifold  press 
checkout  and  to  minimize  hydrogen  residuals.  By  performing  the  manual  vacuum  inert(s),  the 
hydrogen  residuals  will  be  sufficiently  low  to  allow  for  the  automatic  manifold  press  checkout.  The 
MCC  will  direct  the  crew  to  perform  the  manual  vacuum  inerting  procedure  in  the  Ascent  Pocket 
Checklist  for  both  vacuum  inerts.  ®[ED  ]  @[092701 -4867A] 
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A5-206  MANUAL  VACUUM  INERTING  REQUIREMENTS  (NOMINAL,  ATO, 

AO A)  (CONTINUED) 

E.  IF  A  MANUAL  VACUUM  INERTING  IS  REQUIRED,  THE  MCC  WILL 
REQUEST,  WHENEVER  POSSIBLE,  THAT  THE  CREW  PERFORM  THE 
PROCEDURE  ON  THE  AFFECTED  SYSTEM  (S)  ONLY  L(£/LH2.  IF 
POSSIBLE,  THE  MER  MPS  ENGINEER  WILL  BE  CONSULTED  PRIOR  TO 
SCHEDULING  A  MANUAL  VACUUM  INERT.  ®[1 1 1 094-1 71 8A]  @[092701 -4867A] 

Although  several  crew  LO2/LH2  vacuum  inerting  procedures  are  integrated  in  order  to  cover  single 
failure  cases  which  affects  both  systems,  it  is  preferable  that  the  procedures  be  performed  on  only  the 
affected  system(s)  whenever  possible.  Performing  the  manual  vacuum  inert  for  only  the  affected  system 
will  minimize  cycling  of  the  MPS  fill/drain  valves  and  should,  consequently,  maximize  the  useful  life  of 
the  MPS  hardware.  ®[1 11094-1 71 8A]  ®[ED  ] 

Vacuum  inerting  will  be  repeated  if  propellants  are  believed  to  remain  in  the  manifolds.  Because  there 
are  several  potential  causes  for  propellant  residuals,  because  of  the  significant  technical  resources 
available  to  the  MER  MPS  engineer,  and  because  it  is  likely  that  there  will  be  a  significant  period  of  time 
to  discuss  the  situation,  the  Booster  Flight  Control  Team  will  consult  with  the  MER  MPS  engineer  if  at 
all  possible.  Based  on  reviews  of  Boeing  IL  SHA0-01-014  /  SI-01 -044  dated  February  19,  2001,  LH2 
manifold  pressures  above  40  psia  will  be  considered  high  enough  to  perform  a  manual  vacuum  inert  of 
the  LH 2  manifold.  @[092701 -4867A] 


A5-207  LH2  PRESSURIZATION  VENT  CONTROL 

AFTER  THE  ET/ORBITER  UMBILICAL  DOOR  IS  CLOSED,  THE  Lf£ 
PRESSURIZATION  LINE  VENT  WILL  NOT  BE  OPENED  TO  AVOID  VENTING  LIg 
INTO  THE  UMBILICAL  CAVITY.  @[021199-6793] 

Damage  to  the  door  or  cavity  may  occur  if  the  LH2  pressurization  line  vent  is  opened  while  line  pressure 
is  high  and  the  vent  door  is  closed  (ref.  SODB,  volume  /,  section  3. 4. 3. 1-6). 
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A5-208  POST-MECO  AND  ENTRY  HELIUM  ISOLATION  ®[ED  ] 

A.  MPS  ENGINE  OR  PNEUMATIC  HELIUM  REGULATOR  PRESSURE  >  800  (810) 

PS  I A  AND  THE:  ®[021 1 99-6787B] 

1.  VENT  DOORS  CLOSED:  CLOSE  THE  ASSOCIATED  MPS  HELIUM 
ISOLATION  VALVE  ASAP. 

2.  VENT  DOORS  OPEN:  CLOSE  THE  ASSOCIATED  MPS  HELIUM 
ISOLATION  VALVE  AS  TIME  PERMITS. 

Analysis  indicates  an  MPS  helium  regulator  failed  open  can  cause  an  over  pressurization  of  the  aft 
compartment  in  approximately  17  seconds  if  the  vent  doors  are  closed.  This  overpressurization  will  not 
result  in  a  loss  of  the  vehicle.  However,  the  safety  factor  for  the  1307  Bulkhead  will  be  reduced  to  1.31 
during  entry  arid  structural  damage  will  likely  occur  which  will  require  the  vehicle  to  be  taken  out  of 
service  for  thorough  inspection  and  refurbishment  as  necessary  (reference  Rockwell  In  ternational 
Analysis  PCIN  R76186,  July  15,  1988). 

Crew  action  is  required  above  800  psig  when  the  relief  valve  begins  to  flow  helium  into  the  aft 
compartment.  Since  any  action  will  be  taken  where  the  ambient  pressure  is  near  zero  psia,  800  psia 
will  be  equivalen  t  to  800  psig.  Crew  caution  and  warn  ing  is  set  to  810  psia  for  the  MPS  helium 
regulator  pressures.  810  psia  is  sufficiently  close  to  805  psia  (the  relief  valve  cracking  pressure  of  800 
psig  plus  5  psia  for  transducer  accuracy)  that  action  can  be  taken  at  the  crew  caution  and  warning  cue 
while  still  maintaining  adequate  margin  to  850  psig  where  the  relief  valve  goes  full  open. 

With  the  vent  doors  open,  no  action  is  required.  The  vent  doors  close  on  a  TAL  at  ET  SEP  command. 
During  an  RTLS,  the  vent  doors  close  at  the  MM  602  transition.  During  the  nominal  or  AT O  entry,  the 
vent  doors  close  at  the  transition  to  MM  304.  During  an  AO  A,  the  vent  doors  are  manually  closed  just 
prior  to  the  MM  304  transition.  For  all  of  these  entry  profiles,  the  vent  doors  open  at  Mach  2.4. 

Entry  MPS  helium  regulator  shifts  are  most  likely  to  occur  during  periods  of  high  flow  demand  such  as 
when  the  MPS  helium  isolation  valves  open  at  the  transition  to  MM  303  or  when  the  MPS  helium 
blowdown  valves  open  at  Mach  5.3.  For  simplicity,  the  crew  procedure  for  MPS  helium  regulator  shifts 
call  for  the  immediate  isolation  of  the  associated  MPS  helium  isolation  valve(s)  on  entry  prior  to  Mach 
2.4.  After  Mach  2.4,  MCC  may  direct  the  crew  to  close  the  associated  MPS  helium  regulator  valves,  time 
permitting.  Training  in  the  nominal  helium  leak  isolation  procedure  will  allow  the  crew  to  react  to  the 
caution  and  warning  system  in  less  than  15  seconds.  ®[021199-6787B] 
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A5-208  POST-MECO  AND  ENTRY  HELIUM  ISOLATION  (CONTINUED) 

B.  FOR  ALL  OTHER  POST-MECO  AND  ENTRY  HELIUM  OR  PNEUMATIC  SYSTEM 
LEAKS,  THE  SYSTEM  WILL  BE  ISOLATED  AS  TIME  PERMITS.  POST¬ 
ISOLATION,  AN  ATTEMPT  WILL  BE  MADE  TO  MANUALLY  RECONFIGURE 
THE  MPS  HELIUM  SYSTEM  TO  SUPPORT  THE  ENTRY  PURGE  IF  TIME 
PERMITS.  ®[021 1 99-6787B] 

If  a  leak  occurs  on  an  engine  or  pneumatic  helium  system,  the  affected  system  will  be  isolated  as  time 
permits.  Helium  is  required  for  manifold  pressurization  during  the  MPS  dump  and  entry,  for  valve 
actuation,  and  for  the  entry  aft  compartment  purge.  Since  the  crew  has  no  insight  into  the  configuration 
of  the  MPS  helium  system  interconnect  valves,  it  is  likely  that  the  crew  will  need  assistance  from  MCC 
in  order  to  isolate  any  post-MECO  helium  leak.  These  procedures  may  be  complicated  and  will  be 
performed  as  time  permits. 

For  nominal  missions,  if  a  leak  occurs  prior  to  the  MPS  dump,  the  leak  may  be  isolated  and  the  helium 
system  subsequently  reconfigured  to  support  the  MPS  dump.  On  entry,  if  time  permits  after  the  leak  is 
isolated,  the  helium  system  may  be  manually  reconfigured  to  support  the  entry  purge.  The  entry  purge 
is  highly  desirable  for  the  nominal  end  of  mission  but  is  considered  mandatory  during  aborts.  If  a 
hazardous  gas  leak  is  evident  in  the  aft  compartment  or  OMS  pods,  the  entry  purge  will  be  required. 
Also,  contamination  may  be  ingested  into  the  evacuated  MPS  manifolds  if  the  helium  pressurization  is 
not  performed.  The  contamination  in  the  lines  would  require  cleaning  before  the  next  flight  which 
would  increase  the  vehicle’s  turnaround  time. 

During  an  RTLS  abort,  post-MECO  isolation  may  not  be  performed.  Because  of  the  limited  flight 
duration  and  the  crew  workload,  there  may  not  be  adequate  time  to  reconfigure  the  MPS  helium  system 
to  support  the  entry  purge. 

C.  IF  ALL  CAUTION  AND  WARNING  IS  LOST  FOR  ANY  MPS  HELIUM 
REGULATOR  PRESSURE  TRANSDUCER ( S ) : 

1.  NOMINAL/ ATO : 

a.  PRIOR  TO  MACH  2.4:  MCC  WILL  HAVE  THE  CREW  CLOSE  THE 
ASSOCIATED  MPS  HELIUM  ISOLATION  VALVE ( S ) . 

b.  AFTER  MACH  2.4:  NO  ACTION  REQUIRED.  ®[021 1 99-6787B] 

2.  AOA/TAL/RTLS  :  NO  ACTION  REQUIRED  .  ®[021 1 99-6787B] 
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A5-208  POST-MECO  AND  ENTRY  HELIUM  ISOLATION  (CONTINUED) 

Without  hardware  or  software  caution  and  warning,  it  is  unlikely  that  MCC  could  diagnose  cm  MPS 
helium  regulator  failed  open  and  tell  the  crew  to  close  the  associated  MPS  helium  isolation  valve  before 
the  aft  compartmen  t  is  overpressurized  (17  seconds).  For  a  nominal  or  ATO  entry,  if  hardware  and 
software  caution  and  warning  is  unavailable,  the  crew  will  preemptively  close  the  associated  MPS  helium 
isolation  valve(s).  Caution  and  warning  may  be  lost  due  to  the  loss  (or  bias)  of  the  MPS  helium 
regulator  pressure  transducer,  loss  of  the  associated  01  DSC  or  OlMDM,  or  loss  of  the  BFS. 

After  the  vent  doors  open  at  Mach  2.4,  the  overpressurization  of  the  aft  compartment  is  no  longer  a 
concern  and  preemptively  closing  the  MPS  helium  isolation  valve(s)  to  protect  for  a  potential  MPS 
helium  regulator  failed  open  is  not  required.  Preemptive  helium  isolation  is  also  not  required  on  the 
AOA,  TAL,  or  RTLS  entry.  Protecting  for  the  additional,  unrelated  failure  of  cm  MPS  helium  regulator 
following  the  loss  of  caution  and  warning  will  not  be  performed  because  of  the  relatively  short  exposure 
period  and  high  crew  workload  during  aborts. 

Preemptive  closure  of  MPS  helium  isolation  valves  for  the  loss  of  caution  and  warning  will  require  cm 
MCC  call  except  for  a  failure  of  the  BFS  GPC.  The  BFS  FAIL  crew  procedure  in  the  Entry  Pocket 
Checklist  and  Ascent/Entry  Systems  Procedures  directs  the  crew  to  close  the  MPS  helium  B  isolation 
valves  and  the  pneumatic  helium  isolation  valves  since  caution  and  warn  ing  for  these  pressure 
transducers  is  only  available  in  the  BFS.  This  procedure  does  not  differentiate  between  a  nominal  and 
abort  entry  profiles.  ®[021 1 99-6787B] 
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A5-209  ENTRY  MPS  HELIUM  PURGE /MAN I FOLD  PRESSURIZATION 

@[022802-5080  ]  ®[ED  ] 

THE  ENTRY  MPS  HELIUM  PURGE  AND  MANIFOLD  PRESSURIZATION  FUNCTIONS 
ARE  HIGHLY  DESIRABLE  TO  PURGE  THE  AFT  COMPARTMENT  OF  ANY 
HAZARDOUS  FLUID  BUILDUP  AND  TO  PREVENT  AIR  INGESTION  INTO  THE  MPS 
LO2  AND  LH2  MANIFOLDS.  IF  THIS  FUNCTION  IS  LOST,  THEN  THE 
FOLLOWING  ATTEMPTS  WILL  BE  MADE,  TIME  PERMITTING,  TO  RECOVER 
THEM: 

A.  NOMINAL/ AOA : 

EFFORTS  TO  RECOVER  THE  ENTRY  MPS  HELIUM  PURGE  AND  LC£  AND  LH2 
MANIFOLD  PRESSURIZATION  WILL  ONLY  BE  ATTEMPTED  IF  IT  WILL  NOT 
IMPACT  CRITICAL  CAPABILITY  IN  OTHER  ORBITER  SYSTEMS.  FOR 
CRITICAL  POWER/COOLING  CASES  (I.E.,  LOSS  OF  TWO  FUEL  CELLS  OR 
TWO  FREON  LOOPS) ,  THE  ENTRY  PURGE  AND  MANIFOLD  PRESSURIZATION 
WILL  BE  INHIBITED  PER  CREW  PROCEDURES. 

B.  RTLS/TAL : 

1.  FOR  THE  ENTRY  MPS  HELIUM  PURGE,  RECOVERY  EFFORTS  WILL 
ONLY  BE  ATTEMPTED  IF  IT  WILL  NOT  IMPACT  CRITICAL 
CAPABILITY  IN  OTHER  ORBITER  SYSTEMS. 

2.  FOR  THE  MPS  LH2  MANIFOLD  PRESSURIZATION,  IF  THE  SITUATION 
PERMITS,  THE  FUNCTION  WILL  BE  RECOVERED  (BY  A  SWITCH 
THROW,  PORT  MODE,  OR  RESTRING)  IN  ORDER  TO  AVOID 
INGESTION  OF  AIR  INTO  THE  LB^  MANIFOLD. 

NOTE:  FAILURE  TO  PRESSURIZE  THE  LH2  MANIFOLD  WITH  MPS 

HELIUM  REQUIRES  AN  EXPEDITED  POWERDOWN  AND  MODE  V 
EGRESS  PER  RULE  {A16-11F},  EXPEDITED  POWERDOWN. 
@[022802-5080  ] 
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The  MPS  entry  helium  purge  is  used  to  purge  the  aft  compartmen  t  of  hazardous  fluids  ( e.  g. ,  LH2,  LO2, 
N2H4.  NHj  or  hydraulic  oil)  during  entry.  For  nominal  and  AO  A  entries,  hazardous  MPS  propellants 
will  have  had  time  to  be  fully  inerted  as  part  of  the  MPS  dump  sequence;  and  therefore,  the  importance 
of  the  purge  is  low.  On  RTLS  and  TAL  entries,  residual  MPS  propellants  may  be  present,  thereby 
increasing  the  importance  of  the  purge.  If  the  presence  of  hazardous  fluids  is  suspected  due  to  system 
leaks  or  failures,  the  purge  may  help  to  reduce  the  potential  for  combustion  by  reducing  the  hazardous 
fluid  concentrations  in  the  aft  compartment.  The  effectiveness  of  the  MPS  entry  purge  is  unknown; 
therefore,  critical  capability  in  other  Shuttle  systems  should  not  be  traded  off  to  regain  the  purge.  At  the 
Ascent  Entry  Flight  Techniques  Panel  Meeting  (AEFTP  # 168  on  10/27/00),  it  was  decided  that  if  it  was 
deemed  appropriate  by  the  flight  control  team  to  regain  the  purge,  a  temporary  port  mode  (to  latch  the 
purge  valve  commands)  could  be  attempted,  but  a  restring  was  determined  to  not  be  warranted  due  to  the 
unknown  effectiveness  of  the  purge.  The  decision  to  port  mode  will  depend  upon  the  specific  flight  phase 
and  failure  scenario  present  in  the  orbiter  as  established  in  Flight  Rule  (A2-5f,  PORT 
MODING/RESTRINGING  GUIDELINES.  @[022802-5080  ] 

It  is  desirable  to  pressu  rize  the  MPS  propellan  t  manifold  du  ring  entry  because  failure  to  do  so  will  result 
in  the  ingestion  of  air  into  the  MPS  propellan  t  lines  requiring  additional  turnaround  time  to  clean  the 
contaminated  manifolds.  Also,  loss  of  the  LH2  manifold  pressurization  on  RTLS  and  TAL  aborts  will 
result  in  the  creation  of  cm  explosive  mixture  in  the  LH2  manifold  as  air  is  ingested  and  mixes  with  the 
hydrogen  residuals.  This  scenario  will  require  an  expedited  powerdown  per  Flight  Rule  (A16-11}, 
EXPEDITED  POWERDOWN.  At  the  AEFTP  Meeting  ( AEFTP  #168  on  10/27/00),  it  was  decided  that 
the  recovery  technique  for  the  loss  ofLH2  manifold  pressurization  could  be  a  switch  throw,  temporary 
port  mode  (to  latch  the  LH2  manifold  pressurization  commands),  or  restring.  In  general,  a  switch  throw 
will  be  attempted  before  a  port  mode,  which  will  be  attempted  before  a  restring;  however;  the  recovery 
technique  used  will  depend  upon  the  specific  flight  phase  and  failure  scenario  present  in  the  orbiter  as 
established  in  Flight  Rule  {A2-5j,  PORT  MODING/RESTRINGING  GUIDELINES.  The  importance  of 
the  LO2  manifold  pressurization  function  is  insufficient  to  justify  recovery  actions  during  cm  RTLS  or 
TAL  entry  (contamination/reflight  issue). 

To  accomplish  a  safe  entry  on  a  nominal  or  AO  A  entry  with  the  loss  of  two  Freon  loops  or  the  loss  of  two 
fuel  cells,  critical  power  and  cooling  capability  must  be  conserved  via  power  reductions  in  all  orbiter 
systems.  MPS  valves  that  are  normally  closed  valves  will  be  positioned  to  the  CLOSE  position  in  order 
to  conserve  power  (as  documented  in  the  Orbit  Pocket  Checklist,  Entry  Pocket  Checklist,  Contingency 
Deorbit  Prep,  and  Systems  AO  A  Procedures  Flight  Data  File).  This  reconfiguration  will  save 
approximately  218.4  watts.  @[022802-5080  ] 
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A.  NOMINAL/ ATO  :  @[110900-7240] 

NO  ACTION  IS  REQUIRED. 

During  nominal/ ATO  missions,  automatic  software  or  crew  procedures  will  insure  dumping  and/or 
inerting  of  the  LOj  and  LH2  residuals  prior  to  entry.  A  complete  LH2  dump  can  be  done  if  either  the 
LH2  backup  dump  valves  or  LH2  fill/ drain  valves  are  open.  A  complete  LO2  dump  can  be  done  if  two  or 
three  SSME’s  perform  LO2  dumps,  or  if  the  LO 2  fill/ drain  valves  are  both  open  (reference  Rockwell 
Internal  Letter  no.  287-104-87-004,  dated  January  8,  1987).  The  LH2  backup  dump  valves  are  the  only 
dump  path  opened  during  the  nominal/ ATO  entry  MPS  dump  sequence,  and  no  action  is  required  in  the 
event  that  these  valves  do  not  open. 

B.  AOA/TAL : 

IN  MM  304,  IF  GPC/MDM  FAILURES  CAUSE  ALL  LH?  DUMP  PATHS  TO  BE 
LOST  (INCLUDING  THE  LH2  BACKUP  DUMP  VALVES),  THE  AFFECTED  LH? 
FILL/DRAIN  VALVE (S)  WILL  BE  MANUALLY  OPENED.  IF  THE  SOFTWARE 
CANNOT  CLOSE  THE  LH2  OUTBOARD  FILL/DRAIN  OR  THE  LB^  INBOARD 
FILL/DRAIN  AND  TOPPING  VALVES,  THE  LH?  OUTBOARD  FILL/DRAIN 
VALVE  WILL  BE  MANUALLY  CLOSED  AT  A  RELATIVE  VELOCITY  (^EL) 

OF  5300  FT/SEC. 

In  the  LH2  system,  there  are  single  GPC/MDM  failures  which  result  in  the  loss  of  GPC  control  of  the 
LH2  fill/ drain  valves  and  the  LH2  topping  valve.  In  these  cases,  the  affected  LH2  fill/ drain  valve(s)  will 
be  manually  opened  on  a  TAL  only  if  the  LH2  backup  dump  valves  are  not  open.  Sufficient  time  exists  to 
dump  LH2  residuals  through  the  backup  LH2  valves  for  AO  A  or  TAL  aborts,  leaving  approximately  3  lbs 
of  hydrogen  residuals  (per  Rockwell  In  ternational  internal  letter  287-100-94-164,  dated  August  9,  1994). 
There  are  also  combinations  of  GPC/MDM  failures  which  result  in  the  loss  of  all  LH2  dump  paths.  On  a 
TAL  abort,  the  crew  will  manually  open  the  affected  LH2  fill/ drain  valve(s).  The  LH2  backup  dump 
valves  cannot  be  manually  opened  in  these  cases  because  the  switch  is  software  driven  and  only  read  in 
OPS  1.  The  LH2  outboard  fill/drain  valve  will  be  closed  in  order  to  preserve  helium  for  the  aft 
compartment  purge  arid  to  prevent  the  combination  of  atmospheric  O2  with  the  residual  LH2  in  the 
manifold.  The  velocity  cue  used  to  close  the  LH2  outboard  fill/drain  valve  represents  the  nominal 
closing  time  and  corresponds  to  an  altitude  at  which  possible  ignition  of  residual  LH2  can  occur. 

®[1 1 1 094-1 730A  ]  ®[1 1 0900-7240  ] 
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C.  RTLS :  @[110900-7240] 

IN  MM  602,  IF  GPC/MDM  FAILURES  CAUSE  THE  LH2  OUTBOARD 
FILL/DRAIN  DUMP  PATH  TO  BE  LOST  (DUE  TO  A  FAILURE  OF  THE  LiJ 
OUTBOARD  FILL/DRAIN,  OR  THE  LB^  INBOARD  FILL/DRAIN  AND 
TOPPING  VALVES),  THE  AFFECTED  LR>  FILL/DRAIN  VALVE ( S )  WILL  BE 
MANUALLY  OPENED.  IF  THE  SOFTWARE  CANNOT  CLOSE  EITHER  THE  LiJ 
OUTBOARD  FILL/DRAIN  VALVE  OR  THE  LH?  INBOARD  FILL/DRAIN  AND 
TOPPING  VALVES,  THE  LH2  OUTBOARD  FILL/DRAIN  VALVE  WILL  BE 
CLOSED  AT  A  VREL  OF  3800  FT/SEC. 

NOTE:  AN  EXPEDITED  POWERDOWN/MODE  V  EGRESS  WILL  BE  REQUIRED 

IF  A  DUMP  PATH  THROUGH  THE  LH2  OUTBOARD  FILL/DRAIN 
VALVE  CANNOT  BE  ACQUIRED  (REFERENCE  RULE  {A16-11F}, 
EXPEDITED  POWERDOWN)  .  @[0201 96-1 81 3A] 

In  the  LH2  system,  there  are  GPC/MDM  failures  which  result  in  the  loss  ofGPC  control  of  the  LH2 
fill/drain  valves  and  the  LH2  topping  valve.  The  failure  of  the  LH2  outboard  fill/drain  valve  will  result 
in  an  incomplete  LH2dump  on  RTLS  aborts.  Analysis  has  shown  that  approximately  40.8  pounds  ofLH2 
residuals  will  remain  in  the  MPS  LH2  manifold  if  the  only  LH2  dump  path  is  through  the  backup  LH2 
valves  (reference  Rockwell  interned  letter  287-100-04-164,  dated  August  9,  1994).  Venting  LH2 
residuals  will  preclude  normal  convoy  operations  (reference  rule  (A16-1  IF},  EXPEDITED 
POWERDOWN).  In  order  to  avoid  this  ground  hazard,  the  affected  LH2  fill/drain  valve(s)  will  be 
opened.  The  LH2  outboard  fill/drain  valve  will  be  closed  in  order  to  preserve  helium  for  the  aft 
compartment  purge  and  to  prevent  the  combination  of  atmospheric  O2  with  the  residual  LH2  in  the 
manifold.  The  velocity  cue  used  to  close  the  LH2  outboard  fill/drain  valve  represents  the  nominal 
closing  time  and  corresponds  to  an  altitude  at  which  possible  ignition  of  residual  LH2  can  occur. 

@[111 094-1 730A]  @[110900-7240] 
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A6-3  QMS  ENGINE  (CONTINUED) 

D.  PROPELLANT  LEAK  DOWNSTREAM  OF  BALL  VALVES,  PC  <  76  (80) 

PERCENT,  AND  OMS  RM  ENGINE  SELECT  DOWN  ARROW  ( '? " )  ON 
MANEUVER  EXECUTE  DISPLAY  OR  FUEL  INJECTION  TEMP  >260  DEG  F. 

A  propellant  leak  large  enough  to  cause  low  Pc  and  decayed  acceleration,  as  indicated  by  the  down 
arrow  or  fuel  injector  temperature  high,  during  a  burn  results  in  the  loss  of  the  affected  engine. 

( Reference  SODB,  volume  I,  paragraphs  3.4. 3. 3  and  3. 4. 4. 3.) 

E.  PREVIOUS  FUEL  OR  OXIDIZER  DEPLETION  CUTOFF. 

Although  WSTF  tests  with  a  fuel  depletion  cutoff  did  not  damage  an  OMS  engine,  there  is  significant  risk 
that  engine  damage  may  occur  during  shutdown.  This  is  due  to  the  loss  of  engine  cooling  when  fuel  no 
longer  passes  through  the  cooling  jacket  around  the  combustion  chamber.  Uncontained  damage  did  not 
occur  during  WSTF  tests  but  zero-g  effects  are  unknown. 

It  is  not  desirable  to  reuse  an  OMS  engine  following  an  oxidizer  depletion  cutoff.  A  period  of  time  is 
required  for  oxidizer  from  a  different  propellant  source  to  reach  the  engine  during  the  first  engine  start 
following  oxidizer  depletion  cutoff.  During  this  time,  unburned  fuel  accumulates  in  the  combustion 
chamber  because  of  the  very  low  vapor  pressure  of  monomethylhydrazine.  When  the  oxidizer  reaches  the 
injector,  extremely  rough  combustion  will  result.  Uncontained  engine  damage  could  result. 

There  have  not  been  any  tests  to  verify  reuse  of  cm  engine  which  has  experienced  a  previous  oxidizer  or 
fuel  depletion  cutoff. 

Reference:  SODB  3.4.3. 3.  Rule  { A6-106J ,  OMS  ENGINE  BURN  TO  DEPLETION,  references  this  rule. 

F.  PRE-MECO  PC  ?  76  (80)  PERCENT  CONFIRMED  BY  ENGINE  BALL 

VALVE  POSITION  <  47  (70)  PERCENT  OR  OXIDIZER  INLET  PRESSURE 

>  235  (227)  PSIA. 

The  crew  will  get  a  class  2  alarm  at  Pc  <  76  (80)  percent,  but  there  is  no  MNVR  EXEC  display  or  ENG 
SEL  down  arrow  pre-MECO  to  indicate  loss  of  acceleration.  Therefore,  oxidizer  inlet  pressure  or  ball 
valve  position  is  checked  for  an  additional  indication  of  cm  engine  failure.  The  rationale  used  for 
paragraphs  A  and  C  ( CAUTION :  SODB,  volume  III,  contains  engineering  estimates  for  non-nominal 
evaluation.  Data  may  not  be  supported  by  test.)  applies  here  also.  ( Reference  SODB,  volume  I,  3. 4. 3. 3, 
table  3.4. 3. 3  and  SODB  request  response  R921.) 
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G. 


OXIDIZER  RESTRICTION:  PC  <  76  (80) 
SELECT  DOWN  ARROW  ( "? " )  ON  MANEUVER 
OXIDIZER  INLET  PRESSURE  >  235  (227) 


PERCENT,  OMS  RM  ENGINE 
EXEC  DISPLAY,  AND 
PSIA. 


The  engine  can  also  fail  if  the  oxidizer  injector  is  restricted,  which  causes  the  upstream  oxidizer  inlet 
pressure  to  increase.  Operating  at  this  low  oxidizer  inlet  pressure  will  result  in  an  engine  failure 
indicated  by  low  Pc  and  acceleration.  { Reference  SODB,  volume  I,  paragraph  3. 4. 3. 3.  A  request  has 
been  submitted  for  inlet  pressure  verification.) 

H.  OMS  BALL  VALVE  POSITION  >  0  PERCENT  (FAILED  OPEN  RANGE  LOWER 
LIMIT)  AND  <  47  (70)  PERCENT  POSTBURN  AND  INSTRUMENTATION 

FAILURE  CANNOT  BE  POSITIVELY  IDENTIFIED. 


ENGINE 

SERIAL# 

OMS  BALL  VALVE  FAILED 

OPEN  RANGE  LOWER  LIMIT 

BV1  % 

BV2  % 

101 

6 

5 

105 

3 

5 

106 

4 

6 

107 

6 

6 

108 

4 

5 

109 

4 

6 

110 

3 

4 

111 

6 

3 

113 

4 

4 

114 

5 

3 

115 

3 

3 

116 

2 

4 

117 

5 

4 

@[110900-7251]  ©[1112102-ED  ] 


For  failure  definition  purposes,  the  OMS  ball  valves  are  considered  a  functionally  integral  part  of  the 
OMS  engine.  OMS  ball  valve  position  indicators  are  single-point  instrumentation  on  the  series  ball 
valves.  To  distinguish  cm  instrumentation  failure  from  a  hardware  failure,  it  is  necessary  to  examine  the 
time-ordered  history  of  the  anomaly. 


The  normal  position  of  the  ball  valves  when  not  operating  is  0  percent  open  (decimals  of  percent  open  are 
rounded).  If  the  ball  valves  are  failed  to  <  47  percen  t,  the  affected  OMS  Pc  will  be  <  80  percen  t  which  is 
level  at  which  the  engine  is  considered  failed.  (Refer  to  rationale  of  Rule  { A6-108 j,  OMS  BALL  VALVE 
FAILURE  MANAGEMENT. )  The  position  indicators  have  cm  instrumentation  accuracy  of  5  percent. 
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SECTION  8  -  GUIDANCE,  NAVIGATION,  AND  CONTROL 
(GN&C) 

GENERAL 

A8-1  FCS  DOWNMODE . 8-1 

A8-2  SSME  THRUST  VECTOR  CONTROL  (TVC)  HARDOVER .  8-3 

A8-3  LOSS  OF  GNC  SYSTEM . 8-4 

A8-4  FAULT  TOLERANCE  PHILOSOPHY . 8-5 

A8-5  ACCELEROMETER  ASSEMBLIES  (AA)  FAULT  TOLERANCE.  8-6 

A8-6  CONTROLLERS /FCS  SWITCHING  FAULT  TOLERANCE . 8-6 

A8-7  ENTRY  SYSTEMS  SINGLE-FAULT  TOLERANCE 

VERIFICATION  .  8-7 

A8-8  ENTRY  SYSTEMS  RM  DILEMMA . 8-7 

A8-9  AFT  STATION  GNC  REDUNDANCY . 8-8 

A8-10  POWER/DATA  PATH  REDUNDANCY . 8-8 

A8-11  LOSS  OF  BFS . 8-8 

A8-12  HEAD  UP  DISPLAY  (HUD)  AND  CREW  OPTICAL 

ALIGNMENT  SIGHT  (COAS)  ALIGNMENT . 8-9 

A8-13  RTLS  ET  SEPARATION . 8-10 

A8-14  POWER  MANAGEMENT . 8-11 

A8-15  GNC  PARAMETERS /LRU  FAILURES . 8-11 

A8-16  GNC  SYSTEMS  FAILURES . 8-11 

A8-17  EQUIPMENT  REQUIRED  FOR  EMERGENCY  AUTOLAND....  8-12 

A8-18  LANDING  SYSTEMS  REQUIREMENTS . 8-12 

A8-19  YAW  JET  DOWNMODE . 8-15 

A8-20  ENTRY  ELEVON  SCHEDULE  SELECTION  CRITERIA . 8-16 

A8-21  THROUGH  A8-50  RULES  ARE  RESERVED . 8-16 
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FAILURE  DEFINITIONS 

A8-51  PHILOSOPHY . 8-17 

A8-52  SENSOR  FAILURES . 8-17 

A8-53  OMS  TVC  LOSS . 8-19 

A8-54  FIRST  STAGE  LOSS  OF  CONTROL  DEFINITION . 8-22 

A8-55  ET  SEPARATION  RCS  REQUIREMENTS . 8-22 

A8-56  BFS  LRU  REQUIREMENTS . 8-23 

A8-57  PRELAUNCH  IMU  HOLD . 8-25 

A8-58  ADI  LOSS . 8-31 

A8-59  IMU  BITE  FAILURE  DEFINITION . 8-32 

A8-60  LOSS  OF  VERNIER  RCS  DAP  MODE . 8-33 

A8-61  SSME  SHUTDOWN  DUE  TO  HYDRAULIC  SYSTEM 

FAILURES . 8-35 

A8-62  THROUGH  A8-100  RULES  ARE  RESERVED . 8-38 

MANAGEMENT 

A8-101  BEEP  TRIM  DEROTATION . 8-39 

A8-102  RGA  SYSTEM  MANAGEMENT  [CIL]  .  8-40 

A8-103  PRIORITY  RATE  LIMITING  (PRL )  SYSTEMS 

MANAGEMENT . 8-41 

A8-104  FCS  CHECKOUT . 8-42 

A8-105  CONTROLLERS  .  8-44 

A8-106  TVC-SSME  STOW/ACTUATOR  FLUID  FILL 

(REPRESSURIZATION) . 8-45 

A8-107  FCS  CHANNEL  MANAGEMENT  .  8-47 

A8-108  HUD/COAS  SYSTEM  MANAGEMENT . 8-50 

A8-109  STAR  TRACKER  SYSTEM  MANAGEMENT  [CIL] .  8-51 

A8-110  IMU  SYSTEM  MANAGEMENT . 8-52 

A8-111  GNC  AIR  DATA  SYSTEM  MANAGEMENT  [CIL] .  8-56 

A8-112  AEROSURFACE  ACTUATOR  PROTECTION . 8-58 

A8-113  OMS  TVC  SYSTEM  MANAGEMENT . 8-58 

A8-114  ENTRY  BODY  BENDING  FILTER  SELECTION . 8-60 

A8-115  GPS  SYSTEM  MANAGEMENT  .  8~60a 
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A8-116  THROUGH  A8-150  RULES  ARE  RESERVED . 8~60a 
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A8-19  YAW  JET  DOWNMODE 

A.  IF  NO  YAW  JETS  ARE  AVAILABLE  ON  EITHER  LEFT  OR  RIGHT  SIDE, 

THE  NO-YAW- JET  DAP  MODE  WILL  BE  SELECTED  IF  ABOVE  MACH  =  1. 

The  no-yaw-jet  mode  for  emergencies  is  a  certified  flight  control  mode  from  Q-bar  =  20  psf  through 
landing.  This  mode  should  be  selected  between  Q-bar  =  20  psf  and  Mach  1  ( yaw  jets  inhibited)  if  no¬ 
yaw-jets  are  available  on  a  side.  In  the  low  Q-bar  regime  (Q-bar  <  20),  vehicle  response  will  be 
sluggish  and  pilot  workload  increased,  but  control  will  be  better  than  with  the  baseline  DAP.  Once 
selected,  it  is  not  necessary  to  deselect  the  no-yaw-jet  mode.  Flight  Rule  {A6-305},  AFT  RCS 
REDLINES,  defines  when  to  engage  no-yaw-jet  based  on  aft  RCS  quantity.  Reference  DA8-88-20  (FT), 
Entry  Flight  Techniques  Meeting  #41. 

B.  IN  OPS  3,  IF  THE  AEROJET  DAP  BASELINE  MODE  IS  SELECTED  AND 
ADDITIONAL  LATERAL  CONTROL  MARGIN  IS  REQUIRED,  THE  WRAPAROUND 
DAP  MODE  WILL  BE  ENABLED  IF  ABOVE  MACH  1.  ®[021998-6485B] 

The  aerojet  DAP  wraparound  mode  is  normally  enabled  for  EOM,  AOA/ATO,  and  contingency  payload 
return  entry  but  is  not  enabled  for  TAL  abort  entries,  due  to  lack  of  certification  for  TAL  aborts.  The 
wraparound  DAP  is  not  available  in  OPS  6.  If  lateral  control  margin  is  reduced  due  to  three  yaw  jets 
failed  on  one  side  or  aileron  trim  saturation,  a  loss  of  control  may  occur.  In  addition,  ifLVAR  9 
aerodynamic  uncertainties  are  experienced  (a  low-probability  potential  below  Mach  6),  excessive  jet 
firings  and  high  RCS  propellant  usage  may  result.  Enabling  wraparound  mode  eliminates  these 
problems  by  providing  increased  aileron  authority.  Reference  DA8-88-20  (FT),  Entry  Flight  Techniques 
Meeting  #41,  and  Ascent/Entry  Flight  Techniques  Panel  meeting  #141  minutes.  ®[021998-6485B] 

Rules  { A6-206J ,  RCS  MANIFOLD/LEG  LEAK  REPRESSURIZATION,  and  {A8-1001},  GNC  GO/NO-GO 
CRITERIA,  reference  this  rule.  ®[ED  ] 
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A8-20  ENTRY  ELEVON  SCHEDULE  SELECTION  CRITERIA 

THE  AUTO  ELEVON  SCHEDULE  WILL  NOMINALLY  BE  SELECTED  INDEPENDENT 
OF  X-AXIS  CENTER-OF -GRAVITY  (X  CG)  LOCATION  WITH  THE  FOLLOWING 
EXCEPTIONS : 

A.  THE  FIXED  ELEVON  SCHEDULE  WILL  BE  SELECTED  AS  REQUIRED  ON  A 
FLIGHT-SPECIFIC  BASIS  IN  ORDER  TO  SUPPORT  AERODYNAMIC  PTI'S. 
IF  AERO  PTI'S  ARE  SCHEDULED  AND  IT  IS  SUBSEQUENTLY  DECIDED 
NOT  TO  EXECUTE  THEM,  THEN  THE  AUTO  SCHEDULE  WILL  BE  SELECTED. 

B.  IF  THE  NO-YAW- JET  MODE  OF  THE  AEROJET  DAP  IS  REQUIRED  DURING 
ENTRY,  THE  FIXED  SCHEDULE  WILL  BE  SELECTED  IF  IT  IS  I -LOADED 
WITH  THE  AFT  SCHEDULE.  IF  EITHER  THE  FORWARD  OR  MID  SCHEDULE 
IS  LOADED,  THE  AUTO  SCHEDULE  WILL  BE  SELECTED. 

The  smart  body  flap  logic  incorporated  with  01-20  software  eliminates  the  need  for  selecting  elevon 
schedules  based  on  the  X  CGfor  entry.  The  smart  body  flap  is  enabled  anytime  the  auto  schedule  is 
selected  and  will  maintain  the  elevons  on  a  schedule  that  is  similar  to  the  previous  mid-CG  schedule  but 
will  allow  the  elevons  to  move  off-schedule,  within  limits,  in  order  to  thermally  protect  the  body  flap  and 
main  engines. 

The  fixed  elevon  schedule  main  tains  the  body  flap  logic  used  prior  to  01-20  and  allows  one  of  the  three 
previously  used  schedules  (fwd,  mid  or  aft)  to  be  loaded  into  this  slot.  It  is  planned  to  use  this  schedule 
to  support  aero  PTI’s  as  required  on  a  flight-specific  basis. 

Low  RCS  propellant  quantity  or  loss  of  yaw  jets  may  require  that  the  no-yaw-jet  mode  of  the  Aerojet 
DAP  be  selected  during  entry.  Selecting  a  schedule  with  more  positive  elevon  deflection  (down) 
increases  the  control  authority  of  the  elevons  by  moving  them  into  the  air  stream.  For  flights  in  which 
aero  PTI’s  are  not  planned,  the  aft  schedule  will  be  loaded  into  Prefixed  slot  and  this  schedule  will  be 
selected  if  the  no-yaw-jet  mode  is  required  even  though  this  may  thermally  impact  the  main  engine 
nozzles  (turnaround  issue).  The  auto  elevon  schedule  is  certified  for  use  with  the  no-yaw-jet  mode; 
however,  the  aft  schedule  provides  better  control  authority  (ref.  A/E  FTP  #76,  held  3/15/91).  The  fwd 
schedule  is  not  certified  for  use  with  the  no-yaw-jet  mode.  The  RCS  critical  entry  cue  card  contains  the 
procedural  callou  t  for  selecting  the  correct  schedule  to  be  used  with  the  no-yaw-jet  mode. 
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A8-57  PRELAUNCH  I MU  HOLD  (CONTINUED) 

2.  G1  GYRO  BIAS  UPLINK  MAY  BE  USED  FOR  IMU  REALIGNMENT 
SUBJECT  TO  THE  FOLLOWING  CONSTRAINTS: 

a.  IRAMS  IS  REQUIRED  TO  CALCULATE  GYRO  BIAS  UPLINK 
TERMS . 


IRAMS  is  required  to  monitor  individual  IMU  prelaunch  misalignment  and  calculate  gyro  bias  uplink 
values  to  correct  the  misalignment. 

b.  THE  LAUNCH  WINDOW  MUST  SUPPORT  THE  15  MINUTES 

REQUIRED  TO  GENERATE  AND  VERIFY  THE  GYRO  BIAS  UPLINK. 
THE  GYRO  BIAS  TERMS  (AS  COMPUTED  BY  THE  IMU  PREFLIGHT 
CALIBRATION)  WILL  BE  ON-BOARD,  AND  THE  PERFORMANCE 
WILL  BE  VERIFIED  PRIOR  TO  LIFT-OFF.  IT  IS  HIGHLY 
DESIRABLE  TO  VERIFY  THE  PERFORMANCE  PRIOR  TO  RESUMING 
THE  COUNT  AT  T  MINUS  5  MINUTES. 


Five  minutes  is  required  for  the  uplink  decision  and  implementation  process.  This  process  consists  of  the 
MERJMCC  decision  that  an  uplink  is  required;  coordination  of  required  compensation  values  between 
MER  and  MCC;  uplink  load  generation;  uplink  load  verification;  coordination  between  MER,  MCC  and 
KSC  prior  to  uplink  execution;  uplink  execution;  and  I  minute  for  torquing  out  IMU  misalignmen  t.  An 
additional  10-minute  monitoring/verification  period  is  required  after  the  realignment  is  complete  prior 
to  committing  to  launch. 


A8-58  ADI  LOSS 

AN  ADI  IS  CONSIDERED  FAILED  ONLY  IF  THE  ATTITUDE  BALL  IS  FAILED 
(N/A  FOR  MEDS  VEHICLES)  .  ©[040899-2459B] 

The  entry-critical  parameters  required  by  the  crew  can  be  monitored  using  the  attitude  ball  (or  sphere). 
While  rate  and  error  needles  are  desirable  (especially  for  monitoring  vehicle  control),  the  attitude  ball  is 
sufficient  in  providing  the  required  information.  As  a  result,  an  ADI  will  be  considered  failed  only  if  the 
attitude  sphere  is  not  providing  accurate  or  stable  attitude  reference.  This  rule  is  needed  for  making 
decisions  regarding  early  flight  termination,  night  landings,  and  IFM.  (Ref.  Rules  {A8-1001E},  GNC 
GO/NO-GO  CRITERIA,  for  dedicated  displays  and  {A8-18},  LANDING  SYSTEMS  REQUIREMENTS.) 
(Ref.  Entry  Flight  Tech.  Panel  #34,  8/21/87.) 
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A8-59  I MU  BITE  FAILURE  DEFINITION 

FOR  PURPOSES  OF  EARLY  MISSION  TERMINATION  AND  LANDING  SITE 
DOWNMODING,  AN  IMU  WITH  A  BITE  SHOULD  BE  CONSIDERED  FAILED  WITH 
THE  FOLLOWING  EXCEPTIONS: 


A. 

TRANSMISSION 

WORD 

2 

BITE 

B. 

TRANSMISSION 

WORD 

1 

BITE 

C. 

TEMPERATURE 

SAFE  BITE 

D  . 

TEMPERATURE 

READY 

BITE  ®[011 295-1 752A] 

IF  REAL-TIME  ASSESSMENT  DETERMINES  THE  BITE  TO  BE  FALSE  OR  NO 
IMPACT,  THEN  THE  IMU  WILL  NO  LONGER  BE  CONSIDERED  FAILED. 

At  the  three-level,  redundancy  management  (RM)  will  not  downmode  an  IMU  with  a  BITE  because  there 
is  no  risk  of  incorporating  bad  data.  At  the  two-level,  RM  will  downmode  the  IMU  with  the  BITE  should 
the  attitude  or  velocity  disagree  by  more  than  the  RM  threshold. 

A  BITE  is  an  indication  that  the  IMU  has  experienced  a  failure  and  may  be  operating  outside  of  spec. 
BITE  will  almost  always  indicate  an  actual  problem  with  the  IMU.  In  most  cases,  data  can  be  used  to 
determine  whether  or  not  the  BITE  is  real.  There  is,  however,  the  possibility  of  a  failure  in  the  BITE 
circuitry  itself  -  termed  false  BITE.  Also,  it  cannot  necessarily  be  determined  whether  or  not  an  IMU  will 
continue  to  operate  in  a  consistent  manner  while  outside  of  spec.  For  several  BITE’s,  performance  will 
remain  unknown  until  data  is  observed  during  entry.  It  is  logical,  therefore,  to  assume  that  the  BITE 
logic  has  correctly  identified  a  real  failure  and  to  consider  the  unit  failed.  Since  RM  provides  for 
BITE’s,  there  is  no  requirement  for  manned  deselection  of  the  affected  IMU. 

A  next  PLS  should  be  declared  after  the  second  BITE  (or  the  first  BITE  at  the  two-level)  to  reduce  the 
risk  of  losing  the  last  IMU.  Reference  Rule  {A2-207},  LANDING  SITE  SELECTION,  for  runway 
priorities.  ®[1 02402-5804C] 

The  Transmission  Word  2  Fail  BITE  (loss  of  slew)  only  impacts  the  IMU  if  an  IMU/IMU  alignment  is 
required.  Even  if  an  IMU/IMU  is  required,  other  options  exist  to  fully  recover  the  IMU. 
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A8-61  SSME  SHUTDOWN  DUE  TO  HYDRAULIC  SYSTEM  FAILURES 

(CONTINUED) 

Av  with  the  NOM/ATO/TAL  cases,  it  is  preferable  to  leave  the  nongunballing  engine  running  through 
single-engine  press  to  MECO  and  accept  the  risk  of  the  loss  of  a  gimballing  engine  to  this  point.  Due  to 
the  possibility  of  SSME  failures  resulting  from  valve  drift  on  the  engines  in  hydraulic  lockup,  the  time  to 
single-engine  press  should  be  minimized,  since  engine  failures  prior  to  this  point  can  result  in  loss  of 
vehicle  and  crew  bailout.  Unfortunately,  shutting  an  engine  down  at  single-engine  press  on  an  RTLS 
with  two  stuck  throttles  can  lead  to  undesirable  results. 

For  the  con  tingency  case  in  which  two  hydraulic  system  failures,  in  addition  to  another  independen  t 
failure,  result  in  a  three-engine  RTLS  with  two  SSME  throttles  stuck  high,  it  is  possible  for  g  forces  to 
get  as  high  as  3.9g.  Therefore,  if  both  stuck  throttles  are  above  85  percent,  an  engine  must  be  shut 
down  before  MECO-20  seconds  in  order  to  avoid  the  possibility  of  exceeding  3.5g.  However,  analysis 
has  shown  that  shutting  down  the  nongimballer  with  85  seconds  of  MECO  in  this  scenario  leaves  more 
than  2  percent  propellant  remaining  in  the  ET  at  MECO,  resulting  in  orbiter/ET  recontact  after  ET 
SEP.  Therefore,  MECO-2  minutes  was  selected  as  an  operationally  convenient  shutdown  cue  that 
would  eliminate  both  the  recontact  and  the  g-load  concerns.  One  drawback  to  shutting  down  at  this 
point  (or  any  later  point)  is  that  guidance  commands  a  large  pitch-up.  Although  the  vehicle  adequately 
follows  the  guidance  commands,  this  pitch  transient  causes  the  dedicated  displays  to  pass  through  the 
singularity  point,  degrading  the  crew’s  capability  to  monitor  vehicle  control.  The  only  way  to  avoid  this 
pitch  transien  t  would  be  to  shut  the  engine  down  just  after  powered  pitcharound  (PPA),  which  would 
extend  the  time  to  single-engine  press  by  more  than  1  minute,  compared  to  shutting  down  at  MECO-2 
minutes.  Since  the  pitch  transient  is  due  to  a  guidance  command  and  not  a  control  problem  and  since 
the  risk  of  engine  failure  due  to  valve  drift  was  considered  to  be  a  greater  concern  than  the  momentary 
loss  of  crew  monitoring  capability,  it  was  decided  that  MECO-2  minu  tes  is  the  optimal  shutdown  time. 
(Reference  Ascent/Entry  Flight  Techniques  Panel  #105,  10/22/93.) 

For  the  case  in  which  at  least  one  throttle  is  stuck  at  or  below  85  percent,  there  is  no  threat  of  exceeding 
3.5 g.  Depending  on  the  throttle  levels  of  the  stuck  engines,  it  also  may  not  be  acceptable,  from  a 
performance  standpoint,  to  shut  down  the  nongimballing  engine  before  single-engine  press.  Since 
shutting  down  after  single-engine  press  can  result  in  an  undesirable  pitch  transient  and  is  not  required  to 
protect  for  excessive  g-loads,  it  is  preferable  to  leave  all  three  engines  running  to  MECO  for  this  case. 
The  only  risk  incurred  with  this  philosophy  is  that  the  window  of  exposure  to  the  failure  of  a  gimballing 
engine  remains  open  until  MECO  for  this  case. 

The  85-percent  throttle  level  provides  an  operationally  convenient  breakpoint  which  ensures  that  a 
shutdown  will  never  be  performed  if  the  engine  is  needed  to  achieve  the  desired  MECO  targets,  while 
also  ensuring  that  an  engine  will  always  be  shut  down  if  any  threat  of  exceeding  3.5g  exists.  For 
scenarios  in  which  engines  are  stuck  at  intermediate  throttle  settings,  acceptable  results  can  sometimes 
be  obtained  regardless  of  whether  or  not  an  engine  is  shut  down. 
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A8-61  SSME  SHUTDOWN  DUE  TO  HYDRAULIC  SYSTEM  FAILURES 

(CONTINUED) 


For  all  RTLS  cases  with  two  stuck  throttles,  minimum  throttles  will  be  selected  prior  to  abort  selection. 
Doing  so  will  allow  guidance  to  converge  on  the  correct  average  thrust  level  and  will  reduce  the 
probability  of  a  early  PPA.  For  guidance  to  have  enough  time  to  converge,  minimum  throttle  levels  must 
be  achieved  at  least  10  seconds  prior  to  RTLS  selection.  If  not,  an  early  PPA  may  occur,  resulting  in 
MECO  conditions  that  are  not  optimized.  AUTO  throttles  should  be  reselected  at  some  point  prior  to 
PPA,  but  are  not  mandatory  prior  to  RTLS  selection.  ®[082593-l464C] 

C.  SHUTDOWN  MATRIX: 


FAILED 

NONGIMBALLING 

ENGINES  WITH 

HYDRAULIC  SYSTEM 

ENGINE 

STUCK  THROTTLES 

1  AND  3 

CENTER 

CENTER  AND  RIGHT 

1  AND  2 

LEFT 

CENTER  AND  LEFT 

2  AND  3 

RIGHT 

LEFT  AND  RIGHT 

The  failure  of  two  hydraulic  systems  will  cause  two  engines  to  lock  up  hydraulically  and  eliminate  TVC 
capability  on  one  of  these  two  engines.  The  engine  shutdown  matrix  identifies  which  engines  have  lost 
TVC  and/or  throttle  capability. 

Rules  (A4-59J,  MANUAL  THROTTLE  SELECTION ;  {A5-109},  MANUAL  SHUTDOWN  FOR  TWO 
STUCK  THROTTLES  (NOT  DUAL  APU  FAILURES);  {A5-103},  LIMIT  SHUTDOWN  CONTROL;  and 
{A2-301},  CONTINGENCY  ACTION  SUMMARY,  reference  this  rule.  ©[092195-1770A]  ®[ED  ] 
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A8-115  GPS  SYSTEM  MANAGEMENT 

CERTIFIED  SINGLE  STRING  GPS  WILL  BE  CONSIDERED  TO  BE  FUNCTIONING 
PROPERLY  AND  AVAILABLE  FOR  USE  DURING  ON-ORBIT  AND  ENTRY 
OPERATIONS  GIVEN  THE  FOLLOWING  CRITERIA:  @[092602-5643] 

A.  NO  COMMFAULT,  HARDWARE,  OR  POWER  FAILURES 

B.  NO  EXTENDED  PERIODS  OF  HIGH  FOM 

1.  ORBIT  FOM  LIMITS  -  CAN  BE  >  175  FT  (FOM  >  2)  FOR  NO  MORE 
THAN  5  MIN. 

2.  ENTRY  FOM  LIMITS  -  CAN  BE  >  650  FT  (FOM  >  5)  FOR  NO  MORE 
THAN  3  MIN. 

C.  PERIODS  OF  TRACKING  LESS  THAN  FOUR  SATELLITES  LIMITED  TO  NO 
MORE  THAN  5  MIN. 

GPS  is  certified  to  be  used  for  on  orbit  as  well  as  an  additional  entry  navaid  with  the  consideration  given 
to  the  above  criteria  for  evaluating  the  status  and  availability  of  GPS.  The  above  limits  for  FOM  and 
periods  of  tracking  less  than  four  satellites  were  established  to  meet  the  requirements  for  on-orbit  state 
vector  maintenance  as  well  as  loss  of  service  requirements  for  entry  certification.  Antenna  pointing, 
structural  blockage,  and  other  constellation  and  environmental  surroundings  should  be  considered  as 
having  a  possible  impact  on  the  GPS’s  ability  to  track  satellites  and  maintain  low  FOM  conditions. 

These  specifications  will  be  used  to  consider  mission  duration  impacts,  single-fault  tolerance,  and  zero- 
fault  tolerance  for  orbit  and  entry  operations.  ( Ref.  AEFTP  #176  July  27,  2001,  #185  June  28,  2002 ) 
@[092602-5643  ] 
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GNC  GO/NO-GO  CRITERIA 


A8-1001  GNC  GO/NO-GO  CRITERIA 


SYSTEMS 

INVOKE 

MDF  IF: 

ENTER  NEXT 
PLS  IF: 

ENTER  FIRST 
DAY  PLS  IF: 

A.  CONTROLLER  AND  SWITCHES: 

1.  LH  RHC  (3) . 

2.  RH  RHC  (3) . 

3.  AFT  RHC  (3) . 

4.  LH  THC  (3) . 

5.  AFT  THC  (3) . 

6.  LH  RPTA  (3) . 

7.  RH  RPTA  (3) . 

8.  LHSBTC  (3) . 

9.  RH  SBTC  (3) . 

10.  LH  BF  UP  &  DN  SW  (2) . 

11.  RH  BF  UP  &  DN  SW  (2) . 

12.  LH&RH  RHC  TRIM  SW  (2) . 

13.  LH  PANEL  TRIM  SW  (2) . 

14.  RH  PANEL  TRIM  SW  (2) . 

15.  LH  &  RH  BFS  ENG  SW  (3) . 

16.  LH  FCS  MODE  AUTO  SW  (3) . 

17.  RH  FCS  MODE  AUTO  SW  (3) . 

18.  LH  &  RH  FCS  MODE  CSS  SW  (3) . 

19.  LH  FCS  MODE  BF  A/M  SW  (3) . 

20.  RH  FCS  MODE  BF  A/M  SW  (3) . 

21.  LH  &  RH  FCS  MODE  SB  A/M  (3) . 

22.  LH  SBTC  TAKEOVER  SW  (3) . 

23.  RH  SBTC  TAKEOVER  SW  (3) . 

24.  ENTRY  MODE  (4) . 

25.  ABORT  MODE  SW  (3) . 

26.  ORBIT  DAP  PBI’S  (2) . 

[2] 

2  ?  SAME  SIDE 
[5] 

[16]  [2] 

5  ? 

[5] 

[3]  3  ?  [2] 

3  ?  SAME  SIDE 

1  ?  OTHER  SIDE 

[4] 

2  ? 

[4] 

3  ?  SAME  SIDE 

1  ?  OTHER  SIDE 

[6] 

[6] 

®[1 02402-5804C] 
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SYSTEMS 

INVOKE 

MDF  IF: 

ENTER  NEXT 
PLS  IF: 

ENTER  FIRST 
DAY  PLS  IF: 

B.  TVC  AND  DRIVERS: 

1.  SSME  ACT  CHNL  (4) . 

2.  SSME  SEC  ?P  (4) . 

3.  SRB  ACT  CHNL  (4) . 

4.  SRB  SEC  ?P  (4) . 

5.  LOMS  PITCH  TVC  (2) . 

6.  L  OMS  YAW  TVC  (2) . 

7.  R  OMS  PITCH  TVC  (2) . 

8.  ROMS  YAW  TVC  (2) . 

9.  FORWARD  RCS  JETS  (16) . 

10.  LEFT  RCS  JETS  LEFT  (4) . 

11.  RIGHT  RCS  JETS  RIGHT  (4) . 

12.  L/R  RCS  JETS  VERNIER  (4) . 

13.  LEFT  RCS  JETS  UP  (3) . 

14.  LEFT  RCS  JETS  DOWN  (3) . 

15.  RIGHT  RCS  JETS  UP  (3) . 

16.  RIGHT  RCS  JETS  DOWN  (3) . 

17.  LEFT  RCS  JETS  AFT  (2) . 

18.  RIGHT  RCS  JETS  AFT  (2) . 

[7]  [8] 

[7]  [8] 

[7]  [8] 

[7]  [8] 

[7  [8] 

[7]  [8] 

[7]  [8] 

[7]  [8] 

2  ?  [11] 

2?  [11] 

2  ? 

2  ? 

2  ? 

2  ? 

2  ? 

2  ? 

2  ? 

2  ? 

[8] 

[8] 

[8] 

[8] 
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SYSTEMS 

INVOKE 

MDF  IF: 

ENTER  NEXT 
PLS  IF: 

ENTER  FIRST 
DAY  PLS  IF: 

C.  AEROSURFACES: 

1.  FCS  CHNL  (4)  . 

2.  BF  ACT  CHNL  (3) . 

3.  ELEVON/BF  POS  FDBK  (4) . 

4.  RUDDER  POS  FDBK  (4) . 

5.  SPDBK  POS  FDBK  (4) . 

6.  ELEVON  PRI  ?P  (4) . 

7.  SEC  ?P  (4) . 

D.  SENSORS 

1.  AA  (LATERAL)  (4) . 

2.  AA  (NORMAL)  (4) . 

3.  RGA-ORB  (4) 

4.  RGA-SRB  (4) . 

5.  IMU  (3) . 

6.  STAR  TRACKER  (2)  &  HUD  (2) . 

7.  -ZCOAS  (1) . 

8.  ATT  REF  PB  (3) . 

9.  TACAN  (3)  &  SINGLE  STRING  GPS  (1) . 

10.  TACAN  MODE  SW  (3) . 

11.  TACAN  ANT  SEL  (3) . 

12.  TACAN  CHNL  SEL  (3) . 

13.  ADTA  (4) . 

14.  MSBLS  (3) . 

15.  RA  (2) . 

[16]  2  ?  [9] 

[16]  2  ?  [9] 

[16]  2  ? 

[12]  2  ?  [9] 

[12]  3  ?  [9] 

[12]  3  ?  [9] 

[12] 

[12] 

[12] 

[12] 

2  ?  [9] 

3  ?  [9] 

[16]  2  ? 

[16]  3  ? 

[16]  3  ? 

[16]  2  ? 

[16]  3  ? 

[16]  3  ? 

[16]  2  ? 

[16]  2  ? 

[6]  4  ? 

[19] 

[6]  3  ? 

[19] 

AND 

1  ? 

[10] 

[10]  2  ? 

[14]  3  ?  [21] 

[15]  4  ?  [21] 

[16]  2  ? 

[16]  3  ? 

[16]  3  ? 

@[121296-4610]  ®[ED  ]  @[111298-6750]  @[092602-5718] 
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SYSTEMS 

INVOKE 

MDF  IF: 

ENTER  NEXT 
PLS  IF: 

ENTER  FIRST 
DAY  PLS  IF: 

DEDICATED  DISPLAYS: 

1.  LH  &  RH  ADI  (2) . 

2.  AFT  ADI  (1) . 

3.  HUD/AMI  (4) . 

4.  HUD/A VVI  (4) . 

5.  HUD/FWDADI  (4) . 

6.  HUD  (2) . 

7.  HSI  (2) . 

8.  SPI  (1) . 

9.  G-METER  (1) . 

[20]  1  ?  [2] 

[20] 

[20]  2  ?  [2] 

[20]  3  ?  [2] 

[20]  2  ?  [2] 

[20]  3  ?  [2] 

[20]  2  ?  [2] 

[20]  3  ?  [2] 

[20] 

[20] 

[20] 

©[040899-2459B] 


LEGEND:  NO  REQUIREMENT 


REQUIRED 


QUANTITY  (  ) 

NOTE  REFERENCE  [  ] 
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NOTES: 

[1]  RESERVED 

[2]  THE  AVAILABILITY  OF  A  GOOD  REPLACEMENT  UNIT  MAY  BE  USED  TO  SATISFY  THE  MINIMUM  REQUIREMENTS 
FOR  NEXT  PLS  OPPORTUNITY.  (REPLACEMENT  MAY  OCCUR  SUBSEQUENT  TO  NEXT  PLS  DECISION  POINT.) 

[3]  +  X  ONLY.  REQUIRED  ONLY  IF  RCS  DEORBIT  REQUIRED. 

[4]  EITHER  TWO  OF  THREE  PER  SIDE  OR  THREE  OF  THREE  ON  EITHER  SIDE  IS  REQUIRED. 

[5]  FOR  FOUR  OR  MORE  CHANNELS  DOWN,  REQUIRE  ALL  SYSTEMS  NEEDED  FOR  AN  EMERGENCY  AUTOLAND 
(ADTA,  MLS,  AA-NZ).  REF.  RULE  {A8-1 7},  EQUIPMENT  REQUIRED  FOR  EMERGENCY  AUTOLAND. 

[6]  ROTATIONAL  PULSE  OR  DISC  RATE  DAP  MODE  IS  REQUIRED  IN  APPROPRIATE  AXES  FOR  -Z  COAS  (PITCH  AND 
ROLL)  AND  HUDS  (PITCH  AND  YAW).  ®[1 11298-6750  ] 

[7]  ENGINE  IS  NO-GO  IF  TVC  CAPABILITY  IS  LOST  AS  DEFINED  IN  RULE  {A8-53},  OMS  TVC  LOSS. 

[8]  REF.  RULE  {A6-1001},  OMS/RCS  GO/NO-GO  CRITERIA  [CIL],  FOR  MDF  AND  NEXT  PLS. 

REF.  RULE  {A2-301 },  CONTINGENCY  ACTION  SUMMARY,  FOR  FIRST  DAY  PLS. 

[9]  SAME  SURFACE. 

[1 0]  REQUIRED  ONLY  IF  COAS  AND/OR  HUD  IS  REQUIRED.  ANY  LOCATION  ACCEPTABLE. 

[11]  ONE  FAILED  YAW  JET  AND  ORBITER  CG  OUTSIDE  NOMINAL  EOM  BOUNDARY  IS  CAUSE  FOR  NEXT  PLS  ENTRY 
PROVIDED  THAT  THE  CG  CANNOT  BE  RESTORED  BY  RECONFIGURATION,  PAYLOAD  DEPLOYMENT,  ETC. 

[12]  ENTER  PLS  IF  POSITION  FEEDBACK  FAILURE(S)  RESULTS  IN  TWO  FCS  CHNLS  FAILED.  ®[1 02402-5804C] 

[13]  RESERVED 

[14]  MDF  IF  SINGLE-FAULT  TOLERANCE  CAPABILITY  EXISTS  WITH  THE  REMAINING  ENTRY  NAVAIDS  (TACAN  OR 
SINGLE  STRING  GPS)  AND  COMMAND  DELTA  STATE  CAPABILITY.  IF  HIGH-SPEED  C-BAND  RADAR  IS  NOT 
SCHEDULED  AND  NOT  AVAILABLE  TO  BE  SCHEDULED  FOR  ENTRY  (REF.  RULE  {A3-1},  GROUND  AND  NETWORK 
DEFINITIONS)  THEN  DEORBIT  NEXT  PLS.  @[041196-1914]  @[092602-5718] 

[15]  ENTER  NEXT  PLS  (NOT  FIRST  DAY  PLS)  IF  ALL  FOUR  ENTRY  NAVAIDS  (THREE  TACANS  AND  SINGLE  STRING  GPS) 
ARE  FAILED  AND  COMMAND  DELTA  STATE  CAPABILITY  EXISTS. 

[1 6]  REFERENCE  RULE  {A2-207},  LANDING  SITE  SELECTION,  FOR  RUNWAY  PRIORITIES. 

[17]  RESERVED 

[18]  RESERVED  ®[1 02402-5804C] 

[19]  THIS  ASSUMES  MANUAL  CALIBRATION  INSTRUMENTS  ARE  CALIBRATED  AND  VERIFIED.  ANY 
UNCALIBRATED/UNVERIFIED  INSTRUMENT  SHOULD  BE  CONSIDERED  FAILED  FOR  MISSION  DURATION 
DETERMINATION.  @[111298-6750] 

[20]  N/A  FOR  MEDS  CONFIGURED  VEHICLES.  ©[040899-2459B] 

[21]  REFERENCE  RULE  [A8-1 15},  GPS  SYSTEM  MANAGEMENT.  @[092602-5718] 

Reference  Rule  { A2-102 },  MISSION  DURATION  REQUIREMENTS. 

Rules  (A8-4J,  FAULT  TOLERANCE  PHILOSOPHY;  {A2-301 },  CONTINGENCY  ACTION  SUMMARY; 
and  {A8-58},  ADI  LOSS,  reference  this  rule. 

When  failure(s)  require  a  next  PLS  entry  but  do  not  require  a  first  day  PLS  entry,  the  rationale  is  that  the 
risks  associated  with  performing  a  first  day  PLS  entry  are  greater  than  those  associated  with  remaining 
on  orbit  until  the  next  PLS  opportunity. 
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A.  CONTROLLERS  and  SWITCHES 

If  necessary  or  desirable ,  most  entry-critical  con  trollers  and  switches  can  be  reconfigured  in  OPS  8 
and/or  OPS  2  ( ref  Rule  {A8-6J  CONTROLLERS/FCS  SWITCHING  FAULT  TOLERANCE). 

LH,  RHRHC 

For  the  loss  of  two  RHC  channels  on  the  same  controller ,  MDF  is  required.  Subsequent  failures  can  be 
tolerated  on  orbit,  either  by  RM  or  by  channel  reconfiguration.  For  four  or  more  RHC  channels  failed, 
the  next  failure  results  in  the  loss  of  at  least  one  RHC,  and  possibly  both.  For  five  channels  failed,  a  next 
PLS  is  required  since  the  RHC’s  are  zero-fault  tolerant  for  manual  flight  of  the  vehicle.  There  are  no 
first  day  PLS  requiremen  ts  for  RHC  channel  failu  res,  since  an  IFM  will  be  done  to  recover  the  failed 
RHC. 

LHTHC 

There  are  no  first  day  PLS  requiremen  ts  for  the  left  THC  since  an  IFM  will  be  performed  to  regain  RCS 
deorbit  capability,  if  required. 

AFT  RHC,  THC 

Loss  of  aft  station  capability  does  not  require  early  mission  termination  since  these  systems  are  not 
available  for  entry  (ref.  Rule  { A8-9 },  AFT  STATION  GNC  REDUNDANCY). 

LH.  RHRPTA 

There  are  no  mission  duration  impacts.  Although  manual  control  capability  is  desirable,  RPTA  control 
is  not  required  for  a  safe  entry. 

LH,  RH  SBTC 

For  three  SBTC  channels  foiled  on  one  side  (loss  of  that  SBTC)  and  one  foaled  on  the  other  side,  MDF  is 
required.  The  next  failure,  unless  a  commfault,  will  result  in  the  loss  of  manned  speedbrake  operations. 
Reference  A/E  FTP  #128,  12/8/95.  ®[i  02402-5804C] 

LH.  IIH  BF  UP  and  DN  SW 

There  are  no  mission  duration  impacts  since  the  body  flap  can  be  manually  driven  UP  for  any  number  of 
body  flap  UP/DOWN  switch  failures.  Manual  control  is  only  required  for  off-nominal  CG  or  aero 
conditions,  to  use  the  body  flap  as  a  trim  device  and  allow  better  elevon  control  authority. 
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LH  RH  PANEL  and  RHC  TRIM  SW 

These  switches  are  not  considered  critical  for  entry  and  do  not  impact  mission  duration. 

LH.  RH  BFS  ENGAGE  SW 

Failures  associated  with  the  BFS  engage  switches  do  not  require  early  mission  termination  ( ref.  Rule 
{A8-11},  LOSS  OF  BFS). 

LH,  RHFCS  MODE  AUTO  SWITCH 

For  three  or  more  FCS  MODE  AUTO  switch  ( PITCH  and  ROLL/YAW)  contacts  failed  (at  least  two 
failed  one  side,  one  failed  other  side),  a  next  PLS  is  required.  The  system  is  zero-fault  tolerant  since  the 
next  failure  results  in  no  capability  to  mode  the  flight  control  system  to  AUTO. 

LH,  RH  FCS  MODE  CSS  SW 

Failures  in  these  switches  are  not  considered  critical  and  do  not  require  early  mission  termination.  RHC 
hot  stick  (to  manned  control)  is  available  any  time  in  OPS  3. 

LH.  RH  FCS  MODE  BF  A/M  SW 

The  body  flap  will  be  in  AUTO  under  most  flight  conditions,  but  manual  (MAN)  may  be  required  ( off- 
nominal  CG  or  aero  conditions).  For  two  BF  AUTO/MAN  (A/M)  switch  contacts  failed,  changing  the 
body  flap  flight  control  mode  is  single-fault  tolerant,  and  MDF  is  required.  For  three  or  more  contacts 
failed  (at  least  two  failed  one  side,  one  failed  other  side),  a  next  PLS  is  required.  At  least  two  con  tacts 
on  each  side,  or  cdl  three  contacts  on  one  side,  are  required  to  maintain  single-fault  tolerance  on  these 
switches. 

LH.  RH  FCS  MODE  SB  A/M  SW 

The  SB  A/M  switch  is  used  to  mode  the  speedbrcike  from  MAN  to  AUTO  only,  since  MAN  is  achieved  with 
the  SBTC  takeover  switch.  If  the  crew  is  required  to  take  over  MAN  speedbrcike  and  subsequen  t  failures 
result  in  the  loss  of  capability  to  mode  back  to  AUTO,  the  crew  can  remain  in  manual  with  no  added 
workload. 

LH  RH  SBTC  TAKEOVER  SW 

Reference  rationale  for  LH,  RH  SBTC  rationale. 
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ENTRY  MODE 

This  switch  is  not  considered  critical  for  entry.  For  a  failure  of  the  switch  during  entry  (LO  GAIN  or 
NO-YAW-JET ’),  the  AUTO  position  can  be  selected  on  SPEC  51,  OVERRIDE,  in  MM  304/305. 

ABORT  MODE  SW 

This  switch  is  used  to  select  the  bailout  function  and  early  mission  termination  is  not  required. 

ORBIT  DAP  PBTs 

If  the  CO  AS  is  required  for  entry  IMU  alignment,  then  MDF  is  required  by  definition  of  COAS/STAR 
TRACKER  requirements.  If  any  of  the  required  switches  is  zero-fault  tolerant  (and  the  CO  AS  is  required 
for  entry  IMU  alignment),  then  a  next  PLS  will  be  declared. 

B.  TVC  and  DRIVERS 

SSME  ACT  CHNL  and  SSME  SEC  DELTA  P 

These  systems  are  not  required  for  performing  a  safe  entry  (impacts  to  postlanding  configuration  and 
turnaround  activities  only). 

SRB  ACT  CHNL  and  SRB  SEC  DELTA  P 

These  systems  are  not  used  for  entry,  and  mission  duration  impacts  do  not  apply. 

L.  R  QMS  PITCH  and  YAW  TVC 

The  two  OMS  engines  and  the  four  +X  RCS  jets  constitute  three  means  of  deorbit  capability.  If  failures 
of  the  left  and/or  right  OMS  TVC  in  combination  with  failures  of  the  +X  RCS  jets  result  in  the  loss  of  two 
out  of  three  deorbit  methods,  then  a  next  PLS  (or  first  day  PLS)  is  required  (ref.  Rule  {A6-1001  j, 
OMS/RCS  GO/NO-GO  CRITERIA  [CIL],  and  Rule  {A8-3J,  LOSS  OF  GNC  SYSTEM). 

FORWARD  RCS  JETS 


The  forward  RCS  jets  are  not  considered  critical  for  entry.  Reduction  of  mission  duration  is  not  required 
for  failures  of  these  jets. 
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L,  R  RCS  JETS  LEFT  and  RIGHT  ( YAW  JETS ) 

For  one  yaw  jet  failed  and  the  orbiter  CG  outside  of  the  nominal  EOM  boundary  (ref  Rule  {A4-153},  CG 
PLANNING),  a  next  PLS  is  required  due  to  the  potential  for  elevon  saturation.  A  full  complement  of  yaw  jets 
is  required  to  ensure  vehicle  control  within  the  contingency  CG  envelope.  The  loss  of  three  yaw  jets  on  the 
same  side  results  in  significantly  degraded  flight  control  in  the  low  Q-bar  regime  (Q-bar  <  20  psf). 

Therefore,  a  next  PLS  is  required  after  two  yaw  jet  failures,  without  regard  to  vehicle  CG.  There  are  no  first 
day  PLS  requirements  for  the  loss  of  these  jets  because  the  no-yaw-jet  mode  is  certified  ( Q-bar  >  20  psf)  for 
flight  control  (ref.  Rule  {A6-1001},  OMS/RCS  GO/NO-GO  CRITERIA  [CIL];  Rule  {A8-19},  YAW  JET 
DOWNMODE;  and  EFTP,  1/15/88). 

L,  R  RCS  VERNIER  JETS 

The  loss  of  these  jets  has  no  impact  on  mission  duration. 

L,  R  RCS  JETS  UP  and  DOWN 

For  the  loss  of  any  two  jets  on  the  same  side  that  fire  in  the  same  direction  (two  LEFT  UP  firing,  for 
example),  a  next  PLS  (or  first  day  PLS)  is  required.  These  jets  are  critical  for  vehicle  pitch  and  roll  control 
during  entry,  and  entering  next  PLS  reduces  the  risk  for  the  next  failure  which  could  impact  vehicle  control 
(ref.  Rule  {A6-1001},  OMS/RCS  GO/NO-GO  CRITERIA  [CIL]). 

L.R  RCS  JETS  AFT  ( +X  JETS ) 

If  failures  of  the  left  and/or  right  OMS  TVC  in  combination  with  failures  of  +X  RCS  jets  result  in  the  loss  of 
two  out  of  three  deorbit  methods,  then  a  next  PLS  (or  first  day  PLS)  is  required.  There  are  no  mission 
duration  requiremen  ts  for  loss  of  these  jets  alone  (ref.  Rule  [A6-1001 },  OMS/RCS  GO/NO-GO  CRITERIA 
[CIL]). 
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C.  AEROSURFACES 
FCS  CHANNELS 


For  one  channel  failed  (any  surface)  the  FCS  is  single-fault  toleran  t,  with  the  exception  of  certain  “smart 
failures”  during  specific  windows  of  entry,  and  there  are  no  mission  duration  impacts  (ref  Rule  { A8-4J , 
FAULT  TOLERANCE  PHILOSOPHY).  The  risk  of  sustaining  a  second  failure  in  the  FCS  affecting  the  same 
aerosurface  (ASA,  MDM,  or  actuator)  while  on-orbit  for  the  remainder  of  the  mission  (NEOM)  will  be 
assessed  in  reed  time  as  required  per  Rule  { A2-102J ,  MISSION  DURATION  REQUIREMENTS.  After  the 
first  failure,  there  are  certain  failures  in  the  FCS  command  channels  (ASA,  sen’o  valve,  actuator)  which 
could  reduce  flight  control  margins  (2-on-l  force  fight)  for  short  periods  during  entry  until  the  MCC  and 
crew  can  isolate  the  bad  channel.  However,  the  risk  of  sustain  ing  one  of  these  failures  at  the  three-level  on 
the  FCS  command  channels  during  entry  is  the  same  regardless  of  when  entry  occurs  (i.e.,  the  window-of- 
exposure  is  the  same  regardless  of  flight  duration).  For  two  channels  failed  on  the  same  aerosurface,  a  next 
PLS  (or  first  day  PLS)  will  be  declared.  PLS  landing  site  selection  will  be  determined  per  Rule  { A2-207 }, 
LANDING  SITE  SELECTION.  Loss  of  three  command  channels  on  any  aerosurface  is  cm  uncertified  flight 
mode.  @[121296-4610]  ®[1 02402-5804C] 

BE  ACT  CHNL 


For  one  of  three  bodyflap  (BF)  channels  failed,  BF  con  trol  is  single-fault  toleran  t,  and  there  are  no  mission 
duration  impacts  (ref.  Rule  { A8-4J ,  FAULT  TOLERANCE  PHILOSOPHY).  The  risk  of  sustaining  a  second 
BF  channel  failure  while  on-orbit  for  the  remainder  of  the  mission  (NEOM)  will  be  assessed  in  real  time  as 
required  per  Rule  {A2-102},  MISSION  DURATION  REQUIREMENTS.  For  two  channels  failed,  next  PLS  is 
required  since  BF  control  is  zero-fault  toleran  t.  It  is  required  to  main  tain  con  trol  of  the  BF  in  order  to  avoid 
off-nominal  flying  configurations  and  to  prevent  damage  to  the  mean  engine  bells  and/or  the  bodyflap  itself. 
There  are  no  first  day  PLS  requirements  for  BF  channel  failures.  @[121296-4610  ] 

ELEVON/BF  POS  FDBK 

For  two  elevon  or  bodyflap  position  feedbacks  failed  on  the  same  surface,  MDF  is  required  since  the  system 
is  single-fault  toleran  t.  For  three  feedbacks  failed  on  the  same  surface,  the  system  is  fail  critical  and  a  next 
PLS  (or  first  day  PLS)  is  required.  However,  if  the  affected  port  is  bypassed,  then  the  FCS  channel  loss 
criteria  will  apply  (ref.  A/E  FTP  #45,  6/17/88). 

RUDDER  and  SPDBK  POS  FDBK 

The  position  feedbacks  for  these  surfaces  are  not  used  in  the  aerojet  DAP  but  are  used  for  surface  position 
indications  on  the  SPI.  Although  desirable,  these  indications  are  not  considered  critical  for  entry  and  there 
are  no  mission  duration  impacts  associated  with  them.  However,  if  the  affected  port  is  bypassed,  then  the 
FCS  channel  loss  criteria  will  apply  (ref.  A/E  FTP  #45,  6/17/88). 
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A8-1001  GNC  GO/NO-GO  CRITERIA  (CONTINUED) 

ELEVON  PRI  DELTA  P 

For  two  elevon  primary  delta  pressure  indications  failed  on  the  same  surface,  MDF  is  required  since  the 
system  is  single-fault  toleran  t.  For  three  failed,  a  next  PLS  is  required  because  the  system  is  zero-fault 
toleran  t.  The  effector  system  requires  at  least  one  primary  pressure  feedback  loop  in  an  actuator  since  the 
ASA  relies  on  these  pressure  indications  to  provide  command  stability  (ref.  SODB,  volume  I,  paragraph 
3.4.5. 1-4). 

SECONDARY  DELTA  P 

The  aerosurface  and  SSME/SRB  actuator  secondary  delta  pressure  transducers  provide  fault  detection  (RM ) 
in  the  ASA ’s  and  ATVC’s,  respectively.  IfRM  is  lost,  the  system  can  still  be  managed  (MCC  required)  and 
any  failed  channels  can  be  manually  bypassed  if  required.  FCS  channel  loss  criteria  will  apply  for 
transducer  failures  that  degrade  the  FCS  performance/redundancy. 

D.  SENSORS 

LATERAL  AA 


For  two  lateral  axis  AA ’s  failed,  cm  MDF  is  required  and,  for  three  failed,  a  next  PLS  ( or  first  day  PLS), 
is  required  .  Landing  site  selection  will  be  determined  per  Rule  {A2-207},  LANDING  SITE  SELECTION. 
The  lateral  axis  AA  feedback  is  used  in  the  aerojet  DAP  for  turn  coordination  by  preventing  rolloff 
during  bank  maneuvers.  The  lettered  feedback  is  also  used  for  NWS  control  during  rollout  (ref.  A/E  FTP 
#45,  6/1 7/88).  ®[1 02402-5804C] 

NORMAL  AA 


The  normal  AA  feedback  is  used  for  ADI  pitch  error  and  alpha  error  indications  only  prior  to  MM  305. 
In  MM  305,  the  normal  AA  feedback  is  used  by  guidance  to  provide  Nz  commands  to  the  flight  control 
system.  However,  failures  in  these  feedbacks  do  not  require  reduction  in  mission  duration  because  the 
crew  can  fly  CSS  in  the  pitch  axis  in  MM  305,  thereby  removing  the  normal  feedback  from  the  command 
loop. 

ORBITER  RGA 


For  two  orbiter  RGA’ s  failed,  MDF  is  required  because  the  system  is  single-fault  tolerant  on  orbit.  For 
three  failed,  a  next  PLS  (or  first  day  PLS)  is  required  because  the  system  is  zero-fault  tolerant  on  orbit. 
Landing  site  selection  will  be  determined  per  Rule  { A2-207J ,  LANDING  SITE  SELECTION,  (ref.  A/E 
FTP  #45,  6/1 7/88).  ®[1 02402-5804C] 

SRB  RGA 


These  systems  are  not  used  for  entry,  and  mission  duration  impacts  do  not  apply. 
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IMU 


For  the  loss  of  one  IMU,  the  system  is  single-fault  toleran  t,  with  the  exception  of  certain  “smart 
failures”  during  specific  windows  of  deorbit  and  entry,  and  there  are  no  mission  duration  impacts  (ref 
Rule  {A8-4},  FAULT  TOLERANCE  PHILOSOPHY).  The  risk  of  sustaining  a  second  IMU  failure  while 
on-orbit  for  the  remainder  of  the  mission  (NEOM)  will  be  assessed  in  real  time  as  required  per  Rule 
{A2-102},  MISSION  DURATION  REQUIREMENTS.  Also,  high-speed  C-band  radar  is  mandatory  for 
entry  at  the  IMU  two-level  ( ref  Rule  {A3-1 },  GROUND  AND  NETWORK  DEFINITIONS ).  There  are 
single-point  failures  that  can  result  in  either  an  unresolvable  dilemma  at  the  two-level,  or  bad  selected 
data  due  to  a  transient  output  which  is  not  presen  t  long  enough  for  IMU  RM  to  operate  and  declare  a 
failure.  For  these  cases,  the  onboard  state  vector  and/or  vehicle  flight  control  could  be  significantly 
impacted  during  critical  deorbit  or  entry  phases.  However,  the  risk  of  sustaining  one  of  these  failures 
at  the  two-level  during  entry  is  the  same  regardless  of  when  entry  occurs  (i.e.,  the  window-of-exposure  is 
the  same  regardless  of  flight  duration).  Additionally,  it  is  expected  that  the  IMU  entry  two-level 
redundancy  managemen  t  (RM),  including  the  use  of  BITE,  will  correctly  isolate  and  reconfigure  the 
system  (prime  selecting  the  good  IMU)  for  at  least  98  percent  of  all  failures.  For  two  IMU’s  failed,  a 
next  PLS  (or  first  day  PLS)  is  required.  The  system  is  zero-fault  tolerant  because  navigation  and  flight 
control  require  one  IMU  for  entry.  Landing  site  selection  will  be  determined  per  Rule  {A2-207J, 
LANDING  SITE  SELECTION.  ®[041 196-1914]  ®[1 21 296-461 0  ]  ®[ED  ]  ®[1 02402-5804C] 

STAR  TRACKER/COAS/HUD  ®[i  1 1 298-6750  ] 

If  only  one  instrument  for  aligning  the  IMU’s  remains,  enter  next  PLS.  It  is  important  to  note  that  in 
considering  the  availability  of  manual  alignmen  t  in  strumen  ts,  an  instrumen  t  can  only  be  considered 
available  if  it  has  been  calibrated  and  verified.  An  instrument  that  is  not  calibrated  and  verified  should 
not  be  used  to  perform  IMU  alignments.  Only  the  CDR  HUD  is  considered  calibrated  at  launch  (except 
on  OV-104).  This  calibration  should  be  verified  before  using  the  HUD  to  perform  IMU  alignments. 
Refer  to  Flight  Rule  { A8-108 },  HUD/CO  AS  SYSTEM  MANAGEMENT. 

The  only  exception  to  the  PLS  rule  is  the  case  where  the  -Z  COAS  is  the  only  instrumen  t  remaining  for 
performing  IMU  alignmen  ts.  Since  the  probability  of  a  COAS  failu  re  is  considered  extremely  remote 
(COAS  is  a  simple  mechanical  apparatus),  the  mission  can  be  extended  beyond  next  PLS  to  MDF. 

If  a  manual  alignment  instrument  is  required,  it  is  necessary  to  have  the  appropriate  digital  auto  pilot 
(DAP)  modes  available.  The  DAP  modes  are  required  to  allow  the  crew  to  mark  accurately  on  a  star. 
@[111298-6750] 
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ATT  REF  PB 


The  ATT  REF  PB  is  required  for  IMU  alignments  using  the  COAS  or  FlUD.  If  the  CO  AS  and/or  HUD  is 
required  for  the  entry  and  only  a  single  ATT  REF  PB  remains,  a  next  PLS  is  required.  It  should  be  noted 
that  only  the  forward  station  ATT  REF  PB’s  are  supported  in  OPS  3;  and,  if  only  the  aft  PB  remains,  the 
alignment  will  have  to  be  performed  in  OPS  2.  ®[1 11298-6750  ] 

TACAN  AND  SINGLE  STRING  GPS 


For  three  of  four  Entry  Navaids  (TACAN’ s  and/or  Single  String  GPS)  failed,  the  system  is  single-fault 
tolerant  (assuming  command  delta  state  capability  exists),  and  MDF  is  required.  For  three  of  four  LRU’s 
failed,  enter  next  PLS  if  high-speed  C-band  radar  is  not  scheduled  and  not  available  to  be  scheduled  for 
entry  (ref.  Rule  {A3-1},  GROUND  AND  NETWORK  DEFINITIONS).  For  all  four  Entry  Navaids  failed,  a 
next  PLS  is  required  to  protect  for  the  loss  of  CONUS  site  capability.  Entry  with  no  TACAN’ s  or  GPS 
could  require  a  GCA  and/or  a  command  delta  state  uplink  to  correct  navigation  errors,  and  declaring 
next  PLS  minimizes  exposure  to  landings  that  do  not  have  these  options.  Consideration  must  be  given  to 
Data  and  Power  Bus  configurations  to  ensure  that  fault  tolerance  exists  for  remaining  TACAN  and  GPS 
LRU’s.  If  fault  tolerance  does  not  exist,  then  a  PLS  landing  is  required  (ref.  EFTP  #28,  #29,  #30,  #176, 
#185).  @[041196-1914]  @[092602-5718] 

TACAN  MODE  SW,  ANT  SEL,  CHNL  SEL 

The  TACAN  mode  switch,  antenna  select,  and  channel  select  are  not  critical  for  entry.  If  the  switch 
failures  render  the  TACAN(s)  unusable,  then  the  TACAN  loss  criteria  will  apply. 

ADTA 


For  two  ADTA’ s  failed,  the  system  is  zero-fault  tolerant  and  MDF  is  required.  With  the  next  failure 
(three  ADT A’ s  failed),  air  data  (AD)  will  not  be  incorporated  into  G&C  except  for  specific  off-nominal 
circumstances,  and  a  next  PLS  (or  first  day  PLS)  is  required.  Landing  site  selection  will  be  determined 
per  Rule  {A2-207J,  LANDING  SITE  SELECTION.  The  incorporation  of  AD  to  G&C  is  required  for  auto 
flight  control  and  very  desirable  for  manual.  It  is  highly  desirable  to  protect  against  the  last  ADTA 
failure  so  that  it  can  be  used  if  necessary.  Without  AD,  the  crew  will  fly  theta  limits  for  pitch  control 
(ref.  A/E  FTP  #45,  6/1 7/88,  ENTRY  FTP  #34,  8/21/87,  and  A/E  FTP  #187,  9/20/02 ).  ®[i  02402-5894C] 

®[1 02402-5804C]  ®[1 02402-5804C] 
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MSBLS 


There  are  no  requirements  for  early  mission  termination  for  MLS  failures,  since  in  most  cases  a  safe 
landing  can  be  performed  without  the  use  of  MLS  (ref.  Rule  (A8-18},  LANDING  SYSTEMS 
REQUIREMENTS ).  However,  for  one  MLS  failed  and  MLS  redundancy  required  (ref  Rule  {A3-202}, 
MLS),  high-speed  C-band  radar  should  be  scheduled  as  required  (ref  Rule  {A3 -I},  GROUND  AND 
NETWORK  DEFINITIONS).  ®[04i  196-191 4]  ®[ED  ] 

RA 

The  radar  altimeters  are  used  for  altitude  source  from  5k  feet  to  the  ground  and  are  highly  desirable  for 
night  landings  and/or  low  ceilings.  However,  there  are  no  mission  duration  impacts  for  RA  failures. 

(Ref.  Rule  / A8-18 j,  LANDING  SYSTEMS  REQUIREMENTS.)  @[072398-6646  ] 

E.  DEDICATED  DISPLAYS 

LH&RHADI 

Declare  MDF  when  only  one  forward  ADI  remains  since  only  a  single  display  source  of  bank  angle  (phi) 
and  vehicle  rates  and  errors  remains.  Bank  angle  is  required  during  MM  304 for  controlling  drag  and 
H-dot  in  the  event  of  bad  guidance.  Similarly,  vehicle  rates  and  attitude  errors  are  required  in  the  event 
of  guidance  or  flight  control  problems.  Given  the  availability  of  replacement  units  for  both  the  ADI  and 
DDU  (aft  station),  two  failures  are  required  in  order  to  have  only  a  single  remaining  ADI  in  the  forward 
station. 

AFT  ADI 

There  is  no  requirement  for  this  display  during  entry.  (Ref.  Rule  { A8-9) ,  AFT  STATION  GNC 
REDUNDANCY. ) 

HUD/AMI 

Equivalent  air  speed  (EAS),  displayed  on  the  HUD  and  AMI,  is  a  critical  parameter  from  TAEM  to 
touchdown.  As  a  result,  declare  PLSfor  loss  of  three  of  the  four  sources  for  this  parameter,  and  MDF 
for  loss  of  two  of  the  four  sources  for  this  parameter. 
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HUD/AWI 

Altitude  (H),  displayed  only  on  the  HUD  and  AWIfrom  TAEM  to  touchdown,  is  a  critical  parameter 
required  by  the  pilot  during  the  approach  and  landing  phases  of  the  entry.  Thus,  declare  PLS  for  loss  of 
three  of  the  four  sources  for  this  parameter,  and  MDF  for  loss  of  two  of  the  four  sources  for  this 
parameter. 

While  H-dot,  displayed  only  on  the  AWI  in  MM  304,  is  an  important  parameter,  early  flight  termination 
will  not  be  declared  for  the  loss  of  one  AWI.  It  is  not  reasonable  to  declare  early  flight  termination  to 
protect  for  the  extremely  remote  scenarios  (if  they  exist  at  all )  where  H-dot  would  be  required  to  fly  a 
manual  MM  304  entry. 

HUD/FWD  ADI 

Phi  ( bank  angle)  and  one  of  gamma  ( flight  path  angle)  or  theta  (pitch)  are  required  from  TAEM  through 
the  approach  phase  of  entry.  These  parameters  are  only  available  to  the  pilot  on  the  HUD  and  forward 
ADI.  Thus,  declare  PLS  for  loss  of  three  of  the  four  sources  for  these  parameters,  and  MDF  for  loss  of 
two  of  the  four  sources  for  these  parameters. 

HUD 


The  HUD  is  highly  desirable  but  not  mandatory  for  night  landings;  therefore,  an  MDF  is  not  required. 
@[111298-6750] 

HSI 

For  low  ceilings  ( <10kfeet )  or  night  landings,  the  HSI  is  desirable,  but  not  required,  for  accurate 
heading  and  course  information.  Since  MLS  is  required  under  both  of  these  situations,  accurate 
approach  information  is  available.  In  addition,  rough  course  alignment  and  heading  is  provided  by  the 
Horizontal  Situation  Display  (HSD).  As  a  result,  early  flight  termination  is  not  required  for  loss  of 
HSI(s).  (Ref.  Rules  { A8-18 j,  LANDING  SYSTEMS  REQUIREMENTS;  { A3-202 j,  MLS;  and  {A2-6j, 
LANDING  SITE  WEATHER  CRITERIA  [ HC J.) 

SPI  and  G-METER 


Though  desirable,  these  displays  are  not  required. 
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A9-151  AC  INVERTER  MANAGEMENT 

NORMALLY,  ALL  AC  INVERTERS  AND  BUSES  WILL  BE  POWERED  DURING 
FLIGHT.  IF  AN  INVERTER  FAILS,  IT  WILL  BE  DISCONNECTED  FROM 
BOTH  THE  AC  AND  DC  BUSES. 

All  nine  ac  inverters  are  utilized  by  orbiter  equipment.  The  dc  power  to  a  failed  inverter  will  be 
disconnected  since  the  inverter  could  act  as  a  load.  Also,  the  output  capacitor  acts  as  a  load  of 
2.95  amps  on  the  other  two  phases  of  the  ac  bus  supplying  power  to  coupled  three-phase  loads 
(ac  motors). 


A9-152  AC  BUS  SENSORS  SWITCH  MANAGEMENT 

TO  PRECLUDE  INADVERTENT  AC  BUS  DISCONNECT,  THE  AC  BUS  SENSORS 
WILL  BE  PLACED  IN  THE  "MONITOR"  POSITION  DURING  ASCENT  (UNTIL 
MM  105) .  ALSO,  DURING  ASCENT  PRIOR  TO  MECO,  IF  ANY  AC  PHASE 
BUS  FAILS,  OR  IF  A  MAIN  ENGINE  SHUTS  DOWN,  OR  IF  AN  SSME 
CONTROLLER  LOSES  REDUNDANCY,  THEN  ALL  THREE  AC  BUS  SENSOR 
SWITCHES  WILL  BE  PLACED  TO  "OFF".  POST  OMS-1,  THE  AC  BUS 
SENSORS  WILL  NOMINALLY  BE  PLACED  IN  "AUTO  TRIP"  AND  REMAIN  IN 
THAT  POSITION  FOR  THE  REMAINDER  OF  THE  FLIGHT  (THROUGH  WHEEL 
STOP)  .  @[110900-3510] 

AC  sensors  are  put  to  MONITOR  during  powered  flight  to  prevent  an  inadvertent  tripoff  that  would 
cause  SSME  controller  auto  switchover  from  the  affected  bus  to  a  secondary  SSME  controller  on  another 
ac  bus.  If  a  main  engine  shuts  down,  or  SSME  controller  redundancy  is  lost,  or  a  failure  occurs  in  the 
AC  system,  the  ac  sensor  switches  will  be  put  to  OFF  so  that  no  failure  in  the  ac  bus  sensor  could  cause 
further  complications.  If  a  failure  occurs  in  an  AC  system  during  the  entry  timeframe,  the  affected  AC 
bus  sensor  can  be  taken  “  OFF”  to  protect  for  critical  equipment  redundancy.  @[110900-3510] 

Rule  { A5-111A },  AC  BUS  SENSOR  ELECTRONICS  CONTROL  [CIL]  references  this  rule.  ®[ED  ] 

A9-153  AC  BUS  LOADING 

WHEN  POSSIBLE,  AC  BUS  LOADING  WILL  BE  SELECTED  TO  PROVIDE 
SEPARATE  POWER  SOURCES  TO  REDUNDANT  EQUIPMENT  AND  TO  BALANCE 
BUS  LOADS. 


The  highest  level  of  power  redundancy  should  be  maintained.  It  is  advisable  to  maintain  near  equal 
loading  on  all  buses  in  the  event  that,  if  a  single  FC  powers  two  main  buses,  it  will  not  be  overstressed. 
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A9-154  AC  LOAD  MANAGEMENT  DURING  ASCENT 

A.  ONLY  THE  FOLLOWING  AC  SWITCHABLE  LOADS,  WHOSE  RECOVERY  CANNOT 

BE  DELAYED  UNTIL  POST-MECO,  MAY  BE  RECONFIGURED  PRE-MECO: 

1.  FREON  PUMPS  (IF  ONLY  ONE  FREON  LOOP  AFFECTED,  SWITCH 
WITHIN  6  MINUTES;  IF  BOTH  FREON  LOOPS  AFFECTED,  SWITCH 
ASAP) 

2.  RAD  BYPASS  VALVES  (ONLY  FOR  LOSS  OF  FES  OR  FREON  LOOP(S) 
AFFECTED) 

3.  RAD  ISOLATION  VALVES  (FOR  AN  UNEXPLAINED  LEAKING  LOOP 
ATTEMPT  ISOLATION  ASAP;  IF  LEAK  RATE  CAN  SUPPORT  MECO  AND 
AC  CRITICAL,  DELAY  ACTION  UNTIL  POST-MECO)  ®[040899-2568A] 

4.  AVIONICS  BAY  FANS  (SWITCH  WITHIN  3  MINUTES  IF  A  POWERED 
GOULD  TACAN  IS  LOCATED  IN  AFFECTED  AV  BAY.  IF  AV  BAY  3A 
UPGRADED  FOR  ENHANCED  COOLING,  THE  FAN  WILL  NOT  BE 
SWITCHED . ) 

5.  OMS/RCS  VALVES 

6.  APU/HYD  WSB  CONTROLLER  (ONLY  AFTER  HIGH  TEMP  FDA  ALERT) 

7.  H20  LOOP  PUMPS  (ONLY  IN  THE  EVENT  OF  AVIONICS  AIR  TEMP 
FDA) 

8.  CREW  SEAT  OPERATIONS  (ONLY  IF  CONSIDERED  MANDATORY  BY 
THE  CREW)  ®[040899-2568A] 

B.  AC  CIRCUIT  BREAKERS  WHICH  HAVE  OPENED  WILL  NOT  BE  RESET 

PRE-MECO  UNLESS  THE  FUNCTION  IS  CRITICAL  AND: 

1.  THE  MCC  HAS  CONFIRMED  THAT  THE  CB(S)  DID  NOT  OPEN  BECAUSE 
OF  A  SHORT,  OR: 

2.  THE  MCC  CONFIRMS  THAT  BOTH  SSME  CONTROLLERS  ON  THE 
AFFECTED  BUS  HAVE  BEEN  LOST,  OR: 

3.  LOSS  OF  THE  FUNCTION  IS  CONSIDERED  TO  BE  A  GREATER  RISK 
THAN  LOSS  OF  THE  TWO  AFFECTED  SSME  CONTROLLERS. 
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[1]  IF  A  FIVE-TANK  SET  IS  FLOWN,  TANKS  4  AND  5  ARE  CONSIDERED  AS  ONE  TANK. 

[2]  FOR  SINGLE  TANK  FAILURES,  CONSUMABLES  DETERMINE  FLIGHT  DURATION. 

[3]  MAY  REQUIRE  FUEL  CELL  SHUTDOWN  PRIOR  TO  ENTRY. 

[4]  SINGLE  FAULT  TOLERANT.  REF.  RULE  {A2-1 02B},  MISSION  DURATION  REQUIREMENTS.  @[101796-4561  A] 

[5]  ZERO  FAULT  TOLERANT.  REF.  RULE  {A2-102C},  MISSION  DURATION  REQUIREMENTS. 

[6]  LOSS  OF  PRIMARY  SYSTEM  FOR  MULTIPLE  FC'S  MAY  HAVE  RESULTED  FROM  FREEZING  OF  F^O  RELIEF  PANEL 
WHICH  COULD  ALSO  CAUSE  LOSS  OF  OVERBOARD  RELIEF  AND  LEAVE  ONLY  THE  ALTERNATE  SYSTEM  FOR  F^O 
REMOVAL.  REF.  RULE  {A2-102C},  MISSION  DURATION  REQUIREMENTS.  @[101 796-4561  A] 

[7]  LOSS  OF  PURGE  CAPABILITY  ON  ALL  THREE  FC'S.  ALSO.  ALL  THREE  FC’S  UNABLE  TO  VENT  C£  (H2)  FOR  A  DUAL 
GAS  REGULATOR  FAILURE.  ALL  THREE  FC’S  NO  LONGER  FAIL-SAFE.  REF.  RULES  [A9-1 J},  FUEL  CELL  (FC)  LOSS 
[CIL];  AND  {A9-52C},  D,  AND  E,  FC  PURGE. 

[8]  FUEL  CELL  PREDICTED  PERFORMANCE  DETERMINES  MISSION  DURATION. 

[9]  LOSE  ALL  MNA  SUB-BUSES  AND  ASSOCIATED  EQUIPMENT. 

[10]  IF  AC  BUS  NOT  SHORTED,  AN  MDF  MAY  BE  COMPLETED  BY  THE  USE  OF  THE  AC  POWER  TRANSFER  CABLE  TO 
REGAIN  CRITICAL  AC  LRU'S.  NEXT  PLS  REQUIRED  IF  AC  BUS  NOT  REGAINED.  REF.  RULE  {A9-158},  AC  POWER 
TRANSFER  CABLE.  ®[ED  ] 

[11]  LOSE  PLBD  CLOSE  FUNCTION  MOTOR  REDUNDANCY,  FUEL  CELL  1  PUMPS.  REF.  RULES  {A9-1 B},  FUEL  CELL  (FC) 
LOSS  [CIL],  AND  {A10-209H},  PLBD  RULE  REFERENCE  MATRIX. 

[12]  LOSE  ONE  MOTOR  IN  MULTIPLE  PLBD  CENTERLINE/BULKHEAD  LATCH  GANGS.  REDUNDANCY  MAY  BE 
REGAINED  BY  PERFORMING  THE  PLBD  SYS  ENABLE  RECOVERY  IFM.  REF.  RULE  [A1 0-209},  PLBD  RULE 
REFERENCE  MATRIX.  @[011801-3851]  @[032802-481 4A] 

[13]  LOSE  PLBD  CLOSE  FUNCTION  MOTOR  REDUNDANCY,  FUEL  CELL  1  PURGE  VALVES.  REF.  RULES  {A9-52C}  AND  D, 
FC  PURGE,  AND  {A10-209H},  PLBD  RULE  REFERENCE  MATRIX. 

[14]  LOSE  PLBD  CLOSE  FUNCTION  MOTOR  REDUNDANCY.  REDUNDANCY  MAY  BE  REGAINEDBY  PERFORMING  THE 
PLBD  SYS  ENABLE  RECOVERY  IFM,  ASSUMING  THERE  ARE  NO  OTHER  SYSTEMS  GO/NO-GO  CRITERIA 
VIOLATED.  REF.  RULE  {A10-209},  PLBD  RULE  REFERENCE  MATRIX. 

[15]  LOSE  PLBD  CLOSE  FUNCTION  MOTOR  REDUNDANCY.  REF.  RULE  [A1 0-209},  PLBD  RULE  REFERENCE  MATRIX. 

[1 6]  LOSE  OMS  X-FEED  AND  REPRESS  CAPABILITY.  A  G-MEM  CAN  BE  SENT  TO  RECOVER  THESE  FUNCTIONS. 

[17]  FAILURE  OF  ANOTHER  BUS  RESULTS  IN  LOSS  OF  CAPABILITY  TO  OPEN  FUEL  TANK  VALVES  ON  AN  APU  AND 
CAPABILITY  TO  DEPRESS  ANOTHER  HYD  SYSTEM.  REF.  RULE  {A10-21A},  LOSS  OF  APU/HYDRAULIC  SYSTEM(S) 
ACTIONS.  @[082593-1530]  @[032802-481 4A] 

[18]  LOSE  ALL  MNB  SUB-BUSES  AND  ASSOCIATED  EQUIPMENT. 

[19]  LOSE  FUEL  CELL  2  PUMPS,  PLBD  CLOSE  FUNCTION  MOTOR  REDUNDANCY,  S-BAND  SYSTEM  1  (INCLUDES  NSP 

1) ,  CABIN  FAN  B.  REF.  RULES  {A9-1B},  FUEL  CELL  (FC)  LOSS  [CIL];  {A9-1001},  ELECTRICAL  GO/NO-GO  CRITERIA; 
{A10-209H},  PLBD  RULE  REFERENCE  MATRIX;  AND  {All-1001},  COMMUNICATIONS  GO/NO-GO  CRITERIA. 

®[ED  ] 

[20]  LOSE  S-BAND  SYSTEM  1  (INCLUDES  NSP  1).  REF.  RULE  [A1 1 -1001},  COMMUNICATIONS  GO/NO-GO  CRITERIA. 

[21]  LOSE  PLBD  CLOSE  FUNCTION  MOTOR  REDUNDANCY,  FUEL  CELL  2  PURGE  VALVES.  REF.  RULES  {A9-52C}  AND  D, 
FC  PURGE,  AND  {A10-209H},  PLBD  RULE  REFERENCE  MATRIX. 

[22]  LOSE  ONE  MOTOR  IN  MULTIPLE  PLBD  CENTERLINE/BULKHEAD  LATCH  GANGS.  REF.  RULE  {A10-209},  PLBD  RULE 
REFERENCE  MATRIX.  @[011801-3851] 

[23]  LOSE  ALL  MNC  SUB-BUSES  AND  ASSOCIATED  EQUIPMENT. 

[24]  LOSE  FUEL  CELL  3  PUMPS,  PLBD  CLOSE  FUNCTION  MOTOR  REDUNDANCY,  S-BAND  SYSTEM  2  (INCLUDES  NSP 

2) ,  CABIN  FAN  A.  REF.  RULES  {A9-1B},  FUEL  CELL  (FC)  LOSS  [CIL];  {A9-1001},  ELECTRICAL  GO/NO-GO  CRITERIA; 
{A10-209H},  PLBD  RULE  REFERENCE  MATRIX;  AND  {All-1001},  COMMUNICATIONS  GO/NO-GO  CRITERIA. 

[25]  LOSE  S-BAND  SYSTEM  2  (INCLUDES  NSP  2).  REF.  RULE  {All-1001},  COMMUNICATIONS  GO/NO-GO  CRITERIA. 

®[ED  ] 
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[26]  LOSE  PLBD  CLOSE  FUNCTION  MOTOR  REDUNDANCY,  FUEL  CELL  3  PURGE  VALVES,  RGA  3.  REF.  RULES  [A8- 
1001D},  GNC  GO/NO-GO  CRITERIA;  {A9-52C}  AND  D,  FC  PURGE;  AND  {A10-209H},  PLBD  RULE  REFERENCE 
MATRIX.  ®[ED  ] 

[27]  LOSE  ADTA  3  AND  4.  REF.  RULE  [A8-1 001 D},  GNC  GO/NO-GO  CRITERIA. 

[28]  LOSE  S-BAND  SYSTEM  1  (INCLUDES  NSP  1).  RGA  2.  REF.  RULES  [A1 1 -1001},  COMMUNICATIONS  GO/NO-GO 
CRITERIA;  AND  {A8-1001D},  GNC  GO/NO-GO  CRITERIA.  ®[ED  ] 

[29]  LOSE  FUEL  CELL  1  ECU  PUMP  PRIMARY  RELAYS.  REF.  RULE  [A9-1 B},  FUEL  CELL  (FC)  LOSS  [CIL], 

[30]  LOSE  FUEL  CELL  2  ECU  PUMP  PRIMARY  RELAYS.  REF.  RULE  [A9-1 B},  FUEL  CELL  (FC)  LOSS  [CIL], 

[31]  LOSE  FUEL  CELL  3  ECU  PUMP  PRIMARY  RELAYS.  REF.  RULE  [A9-1 B},  FUEL  CELL  (FC)  LOSS  [CIL], 

[32]  LOSE  PLBD  CLOSE  FUNCTION  MOTOR  REDUNDANCY,  FUEL  CELL  2  PUMPS,  CABIN  FAN  B.  REF.  RULES  {A9- 

1 B},  FUEL  CELL  (FC)  LOSS  [CIL];  SECTION  B;  AND  [A1 0-209H},  PLBD  RULE  REFERENCE  MATRIX. 

[33]  LOSE  PLBD  CLOSE  FUNCTION  MOTOR  REDUNDANCY,  FUEL  CELL  3  PUMPS,  CABIN  FAN  A.  REF.  RULES 
{A9-1 B},  FUEL  CELL  (FC)  LOSS  [CIL];  SECTION  B;  AND  1  [A1 0-209H},  PLBD  RULE  REFERENCE  MATRIX. 

[34]  IF  BUS  SHORT-CIRCUITED,  INVOKE  CRITERIA  FOR  FMC,  MMC,  AMC  SUB-BUSES,  UNLESS  SHORTED  PHASE 
CAN  BE  ISOLATED  FROM  GANGED  CB  ASSEMBLY.  REF.  RULE  {A9-156},  LOSS  OF  SINGLE-PHASE  AC. 

®[ED  ] 

[35]  LOSE  1  AC  ?  OF  CABIN  FAN  B.  CONTINUE  IF  DEMONSTRATED  IN  FLIGHT  THAT  CABIN  FAN  CAN  BE  STARTED 
ON  TWO  REMAINING  AC?'S. 

[36]  LOSE  1  AC  ?  OF  CABIN  FAN  A.  CONTINUE  IF  DEMONSTRATED  IN  FLIGHT  THAT  CABIN  FAN  CAN  BE  STARTED 
ON  TWO  REMAINING  AC?'S. 

[37]  LOSS  OF  ALL  C&W  ALARM  TONES  AND  LIGHTS.  FLIGHT  CREW  MUST  MONITOR  CRT  MESSAGES  FOR 
CRITICAL  SYSTEM  FAULT  ANNUNCIATION.  REF.  RULES  {A2-102C},  MISSION  DURATION  REQUIREMENTS;  AND 
{A2-104AJ.6,  SYSTEMS  REDUNDANCY  REQUIREMENTS.  @[101796-4561  A] 

[38]  LOSE  POWER  TO  PCS  02  CROSSOVER  VALVE  1  MDF  UNTIL  IFM  TO  RESTORE  FULL  MANIFOLD  CAPABILITY  IS 
INSTALLED  OR  UNTIL  REAL-TIME  TEST  VERIFIES  ADEQUATE  02  SUPPLY  TO  CREW.  REF.  RULE  [A1 7-1 001 D},  LIFE 
SUPPORT  GO/NO-GO  CRITERIA.  @[050400-7189  ] 

[39]  LOSE  POWER  TO  PCS  02  CROSSOVER  VALVE  2  MDF  UNTIL  IFM  TO  RESTORE  FULL  MANIFOLD  CAPABILITY  IS 
INSTALLED  OR  UNTIL  REAL-TIME  TEST  VERIFIES  ADEQUATE  02  SUPPLY  TO  CREW.  REF.  RULE  [A1 7-1 001 D},  LIFE 
SUPPORT  GO/NO-GO  CRITERIA.  @[050400-7189  ] 

[40]  NEXT  WORST  FAILURE  (CNTLAB2  AND  APC5  COMBINATION)  RESULTS  IN  LOSS  OF  CAPABILITY  TO  OPEN  THE 
TANK  VALVES  ON  APU  2  AND  LOSS  OF  BOTH  WSB  1  CONTROLLERS.  REF.  RULE  {A10-21  A},  LOSS  OF 
APU/HYDRAULIC  SYSTEM(S)  ACTIONS.  @[032802-481 4A] 


CRYO 


a.  Continue  Nominal  Ascent 

If  all  but  one  of  the  cryo  tanks  fails  during  ascent,  an  abort  is  not  required  because  the  remaining 
tank  will  support  a  first  day  PLS  entry. 

b.  Invoke  Minimum  Duration  Flight 

If  a  single  tank  fails,  the  amount  of  consumables  will  determine  the  length  of  the  mission.  After  a 
single  tank  failure,  at  least  two  more  failures  are  required  before  loss  of  crew/  vehicle. 

c.  Enter  Next  PLS 

If  two  tanks  fail,  a  PLS  is  called  because  the  risk  has  increased  that  similar  failures  will  occur  in  the 
remaining  tanks.  Loss  of  cryo  is  loss  of  crew/vehicle. 
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A10-23  APU  ENTRY  START  TIME  (CONTINUED) 

B.  AN  APU  WILL  HAVE  ITS  ENTRY  START  TIME  DELAYED  FOR  THE 
FOLLOWING: 


FAILURE/CONSTRAINT 

START  TIME 

1. 

LOSS  OF  WSB  COOLING  CAPABILITY 

TAEM 

2. 

APU  LUBE  OIL  OUTLET  OR  GEARBOX  BEARING 
TEMPERATURES  EXCEEDED  LIMITS  SPECIFIED  IN  RULE 
{A10-22F}  ,  APU  START/RESTART  LIMITS,  DURING  ASCENT 

NO  EARLIER  THAN  TAEM  (IF  NEEDED  TO 
MAINTAIN  TWO  SYSTEMS) 

3. 

APU  WILL  ONLY  OPERATE  WITH  THE  AUTO  SHUTDOWN 
FUNCTION  INHIBITED 

TAEM  (UNLESS  NEEDED  EARLIER  TO 
MAINTAIN  TWO  SYSTEMS) 

4. 

APU  DOES  NOT  HAVE  GG  INJECTOR  COOLING  (IF 
APPLICABLE  TO  SINGLE  APU  ONLY) 

El-13 

5. 

GEARBOX  OR  GN2  REPRESS  BOTTLE  HAS  KNOWN 
EXTERNAL  LEAK  WHICH  WILL  NOT  SUPPORT  ENTIRE 

ENTRY  OR  GN2  REPRESS  VALVE  IS  FAILED  CLOSED 

NO  LATER  THAN  MACH  1 .0 

6. 

HYDRAULIC  SYSTEM  LEAK 

NO  EARLIER  THAN  TAEM  BASED  ON 

LEAK  RATE 

7. 

FREON  LEAK  INTO  A  HYDRAULIC  SYSTEM 

TAEM 

8. 

HYDRAULIC  SYSTEM  RESERVOIR  PRESSURE  LOST 

AFTER  OTHER  APU'S  RUNNING  AT 
NORMAL  PRESSURE 

9. 

HYDRAULIC  SYSTEM  RESERVOIR  TEMPERATURE  >  162° 

(1 54°)  F  PRIOR  TO  DEORBIT  APU  START. 

TAEM 

®[051 194-1 61 9B]  ®[ED  ]  ®[ED  ] 


1,  2.  The  loss  of  lube  oil  cooling  will  limit  APU  run  time  to  approximately  11  minutes,  based  on 
data  from  previous  flights.  The  time  period  from  TAEM  through  landing  is  more  critical  for 
APU /hydraulic  system  availability  since  the  system  will  be  needed  for  heavy  aerosurface 
activity,  landing  gear  deployment,  and  braking  during  that  period. 

IfWSB  cooling  was  lost  for  the  hydraulic  fluid  (due  to  a  failure  of  the  bypass  valve),  the  impact  to 
the  system  is  not  so  much  overheating  of  the  hydraulic  system,  but  rather  possible  premature 
depletion  of  the  water  supply  for  the  water  boiler,  resulting  in  the  loss  of  APU  cooling.  Bypass 
valve  failures  during  entry  on  STS-7  and  STS  61-C  caused  significant  depletion  in  the  water 
supply.  The  hydraulic  fluid  temperature  sensors  demanded  spraying,  but  the  bypass  valve  failure 
did  not  allow  the  fluid  to  receive  any  cooling  and  spraying  continued.  The  APU  start  time  should 
be  delayed  to  move  the  time  at  which  the  hydraulic  fluid  temperatures  will  demand  spraying  to  as 
close  to  TAEM  as  possible. 

Reference  Rule  (A10-22FJ,  APU  START/RESTART  LIMITS. 

3.  Since  inhibiting  the  auto  shutdown  logic  does  remove  one  layer  of  protection,  starting  the 
APU  at  TAEM  will  reduce  the  amount  of  time  this  protection  is  not  present.  However,  if 
another  APU/  hydraulic  system  is  failed  or  failing,  this  APU  may  be  started  earlier  than 
TAEM  to  maintain  two  systems.  In  this  case,  it  would  not  be  necessary  to  start  the  APU  any 
earlier  than  El  minus  13  minutes. 
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A10-23  APU  ENTRY  START  TIME  (CONTINUED) 

4.  If  an  APU  is  started  at  TIG  minus  5  minutes  and  then  a  one-orbit  waveojfis  declared,  the  APU  will 
have  to  be  shut  down.  Without  injector  cooling,  this  APU  could  not  be  restarted  to  support  entry 
as  it  would  not  have  had  time  to  cool  (reference  Rule  (A10-22AJ,  APU  START/RESTART  LIMITS). 
For  this  case,  the  APU  should  be  started  after  the  deorbit  burn  as  a  waveojfis  no  longer  a 
possibility. 

5.  If  gearbox  GN2  leakage  occurs,  the  GN2  repressurization  bottle  will  repressurize  the  gearbox  at 
APU  start.  GN2  will  leak,  requiring  further  represses  and  eventually  depleting  the  bottle.  By 
delaying  the  start  of  the  APU  until  Mach  1.0,  atmospheric  pressure  would  prevent  further  leakage 
from  the  gearbox  while  the  APU  is  running  and  actually  would  tend  to  back  pressurize  the 
gearbox.  It  is  not  possible  to  distinguish  between  an  oil  leak  and  a  GN2  leak  when  the  APU  is  not 
running.  If  the  drop  in  pressure  is  due  to  oil  leakage,  low  oil  pressure  will  be  seen  at  startup, 
bearing  temperatures  will  rise  rapidly,  and  the  APU  will  have  to  be  shut  down. 

If  the  GN2  bottle  develops  a  leak  or  the  repress  valve  fails  closed,  typical  GN2  leakage  from  the 
gearbox  may  not  support  the  entire  entry.  In  this  case,  delay  the  start  of  the  APU  until  it  will 
support  through  wheelstop  or  Mach  1.0,  where  atmospheric  pressure  will  prevent  GN2  leakage 
from  the  gearbox.  With  an  evacuated  repress  bottle,  if  a  gearbox  repress  is  required,  the  valve  will 
come  open  and  the  oil/GN2from  the  gearbox  will  flow  into  the  bottle.  The  pressure  would 
equalize  at  a  lower  value,  the  valve  will  remain  open,  and  the  0U/GN2  will  continue  to  leak.  Below 
Mach  1,  the  repress  valve  most  likely  will  not  be  activated.  If  it  is,  there  will  be  some  atmospheric 
pressure  in  the  bottle  that  will  reduce  the  amount  of  flow  from  the  gearbox.  @[021199-6814  ] 

Reference  Rules  {A10-lAj.5,  APU  LOSS  DEFINITIONS,  and  (A10-24C},  APU  OIL/GEARBOX 
TEMPERATURE/PRESSURE. 

6.  See  Rule  { A10-72J ,  HYDRAULIC  LEAKS,  for  rationale. 

7.  Analysis  by  RI/Downey  has  determined  that  when  Freon  and  hydraulic  fluid  are  mixed,  the  bulk 
modulus  of  the  hydraulic  fluid  is  main  tained  within  cm  acceptable  range  as  long  as  fluid 
temperatures  are  limited  to  below  150  deg  F.  To  prevent  excessive  temperature  buildup  in  a 
hydraulic  system  with  a  Freon  leak  into  it,  the  associated  APU  start  should  be  delayed  until  no 
earlier  than  TAEM.  The  temperature  rise  from  TAEM  to  wheelstop  is  not  expected  to  exceed 

1 00  deg  F.  @[021 1 99-6814  ] 
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A10-122  LOSS  OF  WSB(S)  ACTIONS  (CONTINUED) 

2.  FOR  DEPLOYABLE  PAYLOAD  FLIGHTS,  PAYLOAD  DEPLOY  AND/OR 

JETTISON  WILL  BE  SCHEDULED  TO  ALLOW  FOR  DEORBIT  ON  DAY  2. 

The  loss  of  a  WSB  system  does  not  indicate  the  immediate  loss  of  an  APU/hydraulic  system,  though  the 
APU  can  only  run  about  11  minutes  before  reaching  temperature  limits.  The  APU  associated  with  the 
lost  WSB  will  be  started  late  during  entry  to  support  landing  (reference  Rule  {A10-23},  APU  ENTRY 
START  TIME).  Assuming  the  other  APU /hydraulic/WSB  systems  are  good,  three  APU/hydraulic  systems 
will  be  available  to  support  the  latter  part  of  entry  and  landing. 

For  the  loss  of  two  WSB’s,  entry  should  be  made  at  the  next  PLS  opportunity  after  deployable  payloads 
have  been  deployed.  It  is  desirable  to  deploy  the  payloads  since  this  will  improve  the  vehicle  capability 
to  maneuver  and  land  safely  if  an  APU  or  hydraulic  system  fails  during  entry.  Jettison  of  deployable 
payloads  that,  for  some  reason,  cannot  be  deployed  should  be  considered  as  a  means  of  last  resort  to 
improve  the  vehicle  entry  and  landing  capability. 

If  the  APU/hydraulic  system  not  associated  with  the  lost  WSB’s  fails  or  if  the  remaining  WSB  fails,  one 
of  the  APU/hydraulic  systems  with  limited  run  time  must  be  stalled.  Starts  and  restarts  of  both  limited 
lifetime  APU/hydraulic  systems  must  be  managed  to  allow  for  at  least  one  system  running  at  all  times. 
Accomplishing  this  may  be  an  impossible  task  if  the  good  APU/hydraulic  system  fails  at  the  worst 
possible  time,  i.  e. ,  prior  to  the  deorbit  burn.  A  next  PLS  entry  should  be  performed  for  the  loss  of  two 
WSB’s  in  order  to  minimize  the  amount  of  time  the  vehicle  is  exposed  to  the  next  failure  that  would 
result  in  the  orbiter  being  down  an  APU/hydraulic  system  and  two  water  spray  boilers. 

Rule  {A2-301},  CONTINGENCY  ACTION  SUMMARY,  references  this  rule. 

A10-123  THROUGH  A10-140  RULES  ARE  RESERVED 
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LANDING/DECEL  SYSTEMS  MANAGEMENT 


A10-141  NOSE  WHEEL  STEERING  (NWS) 

A.  NWS  IS  DEFINED  AS  "REQUIRED"  IF  IT  IS  NEEDED  TO  MAINTAIN 
DIRECTIONAL  CONTROL  DURING  ROLLOUT:  ®[1 02402-5804C] 

1.  FOR  RTLS/TAL/AOA  (KSC)  LANDINGS. 

2.  AT  ANY  LANDING  SITE  IF  THERE  ARE  KNOWN  DIRECTIONAL  CONTROL 
PROBLEMS  (MLG  OR  NLG  TIRE  PREDICTED  TO  BE  BELOW  THE  MINIMUM 
ACCEPTABLE  PRESSURE  AT  TOUCHDOWN,  UNCOMMANDED  BRAKE  PRESSURE, 
OR  PEAK  CROSSWINDS  ABOVE  THE  SURFACE  WIND  LIMITS) . 

EFFORTS  WILL  BE  TAKEN  TO  REGAIN  NWS  AS  SPECIFIED  IN  THE 
REFERENCED  FLIGHT  RULES. 

NWS  provides  the  most  effective  means  of  preventing  runway  departure  at  any  site  where  lateral  margins 
are  very  limited,  especially  if  a  subsequent  directional  control  problem  develops.  Ames  VMS  testing 
(July/August  1988,  May/June  1989)  demonstrated  that  differential  braking  and  rudder  inputs  may  not 
always  provide  adequate  directional  control  capability  when  directional  control  problems  are  known  to 
exist,  even  for  run  ways  with  wide  lateral  margins.  The  forward  position  of  the  nose  wheel  provides  a 
long  moment  arm  ( relative  to  the  vehicle  CG)for  very  effective  vehicle  steering.  Therefore,  NWS  can 
overcome  high  frictional  forces  that  may  develop  between  aflat  tire  and  a  runway  surface  and  also 
overcome  the  high  frictional  forces  caused  by  uncommanded  brake  pressure.  Moreover,  excessive 
energy  dissipated  through  differential  braking  can  lead  to  subsequent  loss  of  tire  pressure 
(overtemperature  of  fuse  plugs,  post  wheelstop).  In  all  cases,  NWS  is  much  more  effective  for  directional 
control  than  differential  braking.  ®[1 02402-5804C] 

THIS  RULE  CONTINUED  ON  NEXT  PAGE 
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A10-141  NOSE  WHEEL  STEERING  (NWS)  (CONTINUED) 

B.  NWS  WILL  BE  TURNED  OFF  FOR  ENTRY  IF,  DURING  THE  OPS  8 

CHECKOUT,  TWO  OF  THREE  STEERING  POSITION  TRANSDUCERS  DO  NOT 
INDICATE  -0.42  ±  0.31  VOLTS  (GROUND)  OR  0.0  ±  0.75  DEGREES 
(ONBOARD)  .  ®[1 02402-5804C] 

The  NWS  system  requires  at  least  two  good  steering  position  transducers  for  reliable  nose  wheel  position 
SOP  operation.  If  none  of  the  steering  position  transducers  have  been  comm  faulted  (all  three  inputs 
available),  the  nose  wheel  position  SOP  will  midvalue  select  from  the  three  position  transducer  values, 
regardless  of  their  failure  status.  If  one  transducer  is  failed  or  biased,  one  of  the  two  good  transducers 
will  always  yield  the  midvalue  of  the  three,  and  the  SOP  will  always  select  a  good  value.  If  two 
transducers  are  failed  or  biased,  one  of  these  two  may  yield  the  midvalue,  and  the  SOP  would  then  select 
an  erroneous  value.  However,  Ames  VMS  data  (July/August  1988)  confirmed  that,  for  this  scenario,  the 
selected  value  will  exceed  the  nose  wheel  position  comparison  limits  when  compared  against  the  DAP- 
commcinded  nose  wheel  position  and  rate.  The  nose  wheel  position  SOP  will  then  generate  a  nose  wheel 
position  error  and  downmode  to  castor.  ®[1 02402-5804C] 

C.  NWS 1  WILL  BE  USED  AS  THE  PRIMARY  MEANS  OF  DIRECTIONAL  CONTROL. 
IF  NWS  1  HAS  FAILED:  ®[1 02402-5804C] 

1.  BEFORE  NGTD :  NWS2  WILL  BE  SELECTED  AND  USED  AS  THE  MEANS 
OF  DIRECTIONAL  CONTROL. 

2.  POST-NGTD:  NWS 2  CAN  BE  SELECTED  AND  USED  AS  THE  MEANS  OF 
DIRECTIONAL  CONTROL. 

Although  both  NWS  I  and  NWS2  modes  of  nosewheel  steering  provide  identical  functions  and 
capabilities,  NWS1  provides  more  downlisted  system  status  parameters;  NWS1  is,  therefore,  preferred 
over  NWS2.  ®[1 02402-5804C] 

If  NWS  is  determined  to  be  failed  during  the  OPS  8  checkout  or  anytime  prior  to  nose  gear  touchdown 
(ground  speed  enable  flag  set  true),  selecting  NWS2  will  provide  the  best  alternative  for  rollou  t 
directional  control.  Ames  VMS  testing  (July/August  1988)  demonstrated  that  switching  NWS  modes 
during  rollout  was  an  effective  procedure,  particularly  for  MDM  hardover  failure  cases. 

However,  SAIL  testing  (April  1991)  demonstrated  that  for  certain  scenarios  where  the  NWS  1  channel 
downmoded  to  free  castor  (post-NGTD),  the  NWS  system  did  not  recover  after  selecting  NWS2.  In 
these  cases,  the  NWS2  channel  was  selected  coincident  with  a  large  rudder  pedal  command  (DR 
100737  and  106206).  The  NWS  system  was  never  perceived  to  have  recovered  as  it  downmoded  to 
castor  unnoticeably  240  milliseconds  after  selection.  Although  the  NWS  software  may  not  recover  if 
the  alternate  NWS  channel  is  selected  on  rollout,  NWS2  can  still  be  safely  selected  post-NGTD  and 
is  likely  to  regain  con  trol  if  a  large  rudder  pedal  input  is  not  presen  t  at  selection.  ®[1 02402-5804C] 

THIS  RULE  CONTINUED  ON  NEXT  PAGE 
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A10-141  NOSE  WHEEL  STEERING  (NWS)  (CONTINUED) 

D.  NWS  WILL  BE  TURNED  OFF  FOR  LOSS  OF  ANY  OF  THE  FOLLOWING, 

UNLESS  NWS  IS  REQUIRED:  ®[1 02402-5804C] 

1 .  TWO  LATERAL  AA' S 

2.  TWO  LEFT  OR  TWO  RIGHT  RPTA  CHANNELS 

3.  RIGHT  DDU  (TWO  POWER  SUPPLIES  -  A,  B,  OR  C) 

4.  TWO  STEERING  POSITION  TRANSDUCERS  ®[1 02402-5804C] 

Once  two  lateral  AA’s  or  RPTA’ s  have  failed,  there  are  potential  vehicle  control  risks  if  NWS  is  selected. 

A  hcirdover  or  high  bias  of  one  of  these  remaining  componen  ts  could  result  in  loss  of  vehicle  control. 

For  runways  with  wide  lateral  margins,  where  differential  braking  and  rudder  inputs  can  provide 
adequate  vehicle  control,  the  use  of  NWS  is  not  warranted  at  the  risk  of  a  third  AA  or  RPTA  failure, 
provided  there  are  no  known  directional  control  problems.  However,  for  abort  landing  sites  ( without 
wide  lateral  margins),  the  risk  of  run  way  departure  due  to  a  subsequen  t  directional  control  problem 
outweighs  the  potential  for  a  third  AA  or  RPTA  failure  during  the  small  window  of  rollout,  and  NWS 
should  be  selected. 

Results  of  a  NWS  test  matrix  performed  using  the  NASA  Ames  VMS  in  May/June  1991  indicate  that 
vehicle  control  can  be  difficult  to  nonrecoverable  after  a  third  AA  or  RPTA  hcirdover  failure  has 
occurred  (Cooper/Harper  ratings  from  5  to  10).  The  matrix  also  demonstrated  that,  although  landing 
with  a  known  directional  control  problem  (failed  tire)  without  NWS  is  unsatisfactory  (Cooper/Harper 
ratings  between  5  and  8),  this  condition  is  sometimes  controllable.  Again,  the  risk  of  run  way  departure 
due  to  a  known  directional  con  trol  problem  ou  tweighs  the  poten  tial  for  a  third  AA  or  RPTA  failure 
during  rollout,  and  NWS  should  be  selected.  ®[1 02402-5804C] 

Rules  (A2-254CJ.1,  ENTRY  STRING  REASSIGNMENT;  { A2-261J ,  ENTRY DTO/AUTO 
MODE/CROSSWIND  DTO  GO/NO  GO;  {A2-301J,  CONTINGENCY  ACTION  SUMMARY;  {A7-102CJ.8, 
PASS  DATA  BUS  ASSIGNMENT  CRITERIA;  {A10-22E  and  Fj,  APU  START/RESTART  LIMITS;  {A10-24B}, 
APU  OIL/GEARBOX  TEMPERATURE/PRESSURE;  {A10-25D},  APU  HIGH  SPEED  SELECTION/SHIFT; 
{A10-71J,  HYDRAULIC  SYSTEM  CONFIGURATION;  {A10-72BJ,  HYDRAULIC  LEAKS;  {A10-142},  TIRE 
PRESSURE  [CIL];  and  { A10-145 },  UNCOMMANDED  BRAKE  PRESSURE,  reference  this  rule. 

®[1 1 1094-1622B] 
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SECTION  11  -  COMMUNICATIONS 


SYSTEM  MANAGEMENT  RULES 


All-1  COMMUNICATIONS  DURING  ASCENT 

THERE  ARE  NO  COMMUNICATIONS  FAILURES  FOR  WHICH  THE  ASCENT  PHASE 
WILL  BE  TERMINATED. 

Termination  of  the  ascent  phase  implies  an  immediate  return;  i.  e. ,  an  RTLS,  AOA,  or  TAL/TPL. 

Continuing  to  orbit  is  the  most  benign  environment  for  the  orbiter  and  crew.  In  addition,  there  is  a  high 
probability  of  restoring  at  least  one  communications  link  once  on  orbit;  and,  if  communication  is  not 
restored,  the  orbiter  is  capable  of  a  safe  day  1  return  without  any  further  contact  with  the  MCC. 

All-2  S— BAND/UHF  LAUNCH  REQUIREMENT 

S-BAND  PM  VOICE  WILL  BE  PRIME  FOR  LAUNCH.  THE  UHF  SYSTEM  WILL  BE 
CONFIGURED  IN  TRANSMIT/RECEIVE  MODE  AS  BACKUP  TO  THE  S-BAND  PM 
SYSTEM. 

The  S-band  PM  system  is  the  only  system  available  for  launch  that  can  provide  redundant  real-time 
telemetry,  command,  ranging,  and  duplex  voice  required  for  ascent  phase  support.  SSME  engine 
interface  unit  (EIU)  data  uses  the  S-band  FM  system  and  is  redundantly  recorded  on  Ops  recorder  1. 
C-band  skin  tracking  provides  a  redundant  tracking  source,  and  the  UHF  system  provides  an  additional 
simplex  voice  source. 
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All-3  UPLINK  HANDOVER  DURING  ASCENT  FROM  KSC 

UPLINK  HANDOVER  FROM  MIL  TO  PDL  WILL  OCCUR  BEFORE  THE  LINE-OF- 
SIGHT  FROM  THE  ORBITER  TO  MIL  INTERSECTS  THE  SRB  PLUME.  THE 
CARRIER  WILL  REMAIN  ON  PDL  UNTIL  POST-SRB  STAGING.  AT  THAT  TIME 
IT  WILL  BE  HANDED  BACK  TO  MIL  TO  REGAIN  S-BAND  TRACKING. 

During  ascent  it  is  highly  desirable  to  provide  S-band  ranging  data  to  the  MCC  as  an  additional 
tracking  source  for  trajectory  evaluation.  S-band  ranging  is  available  from  M1UMILX  but  not  PDL. 
Ascen  ts  from  KSC  necessarily  result  in  the  line-of-site  from  the  orbiter  to  MIL/MILX  in  tersecting  the 
SRB  plume.  The  SRB  plume  characteristics  are  such  that  severe  S-band  attenuation  (approaching  60 
dB)  and  erratic  phase  shifts  will  adversely  affect  the  S-band  PM  link,  resulting  in  poor  uplink  lock 
conditions  and  intermittent  downlink  data.  To  avoid  the  plume,  the  orbiter  antennas  are  optimized  for 
PDL  from  lift-off  and  the  uplink  is  handed  to  PDL  just  before  plume  intersection  until  after  SRB  staging. 
This  loss  of  S-band  ranging  and  somewhat  weaker  signal  margin  during  this  time  period  is  considered 
preferable  to  intermittent  S-band  uplink  and  downlink  lock  conditions,  since  downlink  vectors  and  C- 
band  tracking  are  still  available  for  trajectory  mon  itoring.  @[092602-5734  ] 

All-4  ORBITER  DATA  PRIORITY  DURING  ASCENT/ENTRY 

ORBITER  DATA  WILL  TAKE  PRIORITY  OVER  PAYLOAD  DATA  DURING 
ASCENT/ENTRY.  PCMMU  SWITCHES  FOR  THE  PURPOSE  OF  RECOVERING 
ORBITER  DATA  WILL  BE  PERFORMED  AT  THE  EXPENSE  OF  PDI  PAYLOAD 
DATA. 

01 MDM  port  failures  and  internal  PCMMU  failures  affecting  downlink  or  crew  display  of  orbiter  data 
can  be  recovered  by  power  cycling  the  active  PCMMU  or  by  switching  to  the  alternate  PCMMU.  During 
ascent/entry  phases,  when  the  SM  major  function  for  PCMMU  reloading  is  unavailable,  the  PDI  data 
downlinked  to  the  MCC  would  be  lost  as  the  PCMMU  defaults  to  Format  129  upon  powerup  and  this 
format  allocates  no  bandwidth  to  PDI  data.  The  intent  of  this  rule  is  to  document  that  monitoring  of 
orbiter  data  during  ascent/entry  takes  precedence  over  remoting  payload  data  to  remote  POCC’s.  PDI 
data  displayed  to  the  crew  will  not  be  affected. 
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All-11  S-BAND  FM  USAGE 

A.  THE  S-BAND  SYSTEM  SHALL  BE  REQUIRED  TO  TRANSMIT  MAIN  ENGINE 
DATA  DURING  ASCENT  PHASE. 


The  S-band  FM  system  provides  the  only  real-time  source  of  main  engine  interface  unit  (EIU)  high 
rate  data.  It  is  sufficiently  important  enough  to  require  downlinking  in  real  time  as  well  as  being 
redundantly  recorded  onboard. 

B.  FOR  THE  REMAINDER  OF  THE  FLIGHT,  THE  S-BAND  FM  SYSTEM  WILL  BE 
USED  FOR  TV,  OPS  RECORDER  DUMPS,  SOLID  STATE  RECORDERS  DUMPS 
(SSR) ,  REAL-TIME  PAYLOAD  DATA,  AND  PAYLOAD  RECORDER  DUMPS. 
@[102402-5735] 

The  S-band  FM  system  provides  a  wideband  downlink  to  GSDTN  sites  (not  for  TDRS)  which  can  be 
configured  for  any  one  of  several  inputs  (e.g.,  Ops  or  Payload  recorder  dumps,  SSR’s,  TV,  and  real¬ 
time  analog,  or  digital  payload  data).  Individual  mission  requirements  will  dictate  when  these  inputs 
will  be  required  to  use  the  FM  system  for  a  particular  flight  and  what  the  timesharing  plan  will  be. 
@[102402-5735] 
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All-12  S-BAND  PM  USAGE 

A.  THE  S-BAND  PM  SYSTEM  2  LRU'S  WILL  NOMINALLY  BE  SELECTED  VIA 
COMMAND  FOR  THE  ENTIRE  FLIGHT.  ONBOARD  SWITCHES  WILL  BE  IN 
THE  SYSTEM  1  LRU  CONFIGURATION. 

Since  the  S-band  system  is  the  prime  orbiter  communications  system,  it  is  desirable  that  switchover 
capability  to  the  redundan  t  system  be  reachable  from  the  CDR  or  PLT  seats  during  ascen  t/entry  and 
other  high  activity  phases.  The  design  of  panel  and  command  hybrid  driver  logic  within  the  GCIL  allows 
the  en  tire  S-band  PM  system  ( NSP ,  XPNDR,  antenna  electronics,  Power  Amp,  Pre  Amp)  to  be  switched 
to  the  redundant  string  with  a  single  switch  on  panel  C3.  The  redundant  string  is  selectable  via  the 
panel  C3  switch  (nominally  string  1).  The  choice  of  system  1  or  2  is  arbitrary;  however,  the  Flight  Data 
File  has  long  been  written  assuming  this  configuration. 

B.  THE  GROUND  WILL  BE  PRIME  FOR  OPERATION  OF  THE  S-BAND  PM 
SYSTEM. 

The  orbiter  S-band  PM  system  must  be  configured  differently  for  TDRS,  GSTDN  or  SGLS  modes 
continuously  as  required  during  the  flight.  This  is  a  routine,  repetitive  task  necessary  during  both  crew 
awake  and  crew  sleep  periods  in  order  to  maximize  data  retrieval  and  is  best  done  by  MCC  to  free  the 
flightcrew  for  more  mission-unique  tasks.  Additionally,  through  telemetry  indications  from  the  orbiter 
and  using  voice  reports  and  other  indications  from  TDRS,  GSTDN,  and  SGLS  sites,  the  MCC  has  better 
overall  visibility  into  the  total  air/ground  communications  network  and  is  better  suited  for  operating  the 
total  system,  especially  during  lion-nominal  conditions. 

C.  S-BAND  PM  ANTENNA  MANAGEMENT  WILL  BE  VIA  GPC  AUTOMATIC 
ANTENNA  SELECTION. 

S-band  PM  antenna  management  can  be  done  either  manually  by  the  crew  or  ground  or  via  GPC 
automatic  selection.  As  long  as  the  GPC’s  knowledge  of  attitude  and  position  is  accurate,  it  is  less  error 
prone  to  enable  automatic  selection.  This  has  the  added  benefit  of  greatly  reducing  crew  or  ground 
workload  for  what  is  largely  a  routine  function. 
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All-13  S-BAND  PAYLOAD  USAGE 

A.  THE  S-BAND  PAYLOAD  SYSTEM  1  LRU'S  WILL  NORMALLY  BE  USED  TO 
SUPPORT  PAYLOAD  OPERATIONS.  ONBOARD  SWITCHES  WILL  MATCH  THE 
DESIRED  CONFIGURATION. 

The  S-band  payload  system  consists  of  redundant  PI/PSP  strings.  Although  there  are  exceptions  on  some 
flights,  the  flightcrew  is  typically  much  more  involved  with  the  usage  of  this  system  than  in  the  S-band 
PM  system,  the  management  of  which  is  primarily  a  ground  function.  The  switch  setup  for  S-band  PM  is 
unmatched  from  that  commanded  so  that  the  crew  need  throw  a  minimum  number  of  switches  to  restore 
communications  in  the  event  of  onboard  failure.  In  the  case  of  the  S-band  payload  system,  it  is 
preferable  to  have  the  switches  match  the  commanded  configuration  so  that  the  crew  can  easily  track  the 
current  status  since  they  are  the  prime  system  operators. 

B.  THE  S-BAND  PAYLOAD  INTERROGATOR  (PI)  CHANNEL  SELECT 
THUMBWHEELS  WILL  BE  CONFIGURED  SO  THAT  INADVERTENT  PI 
ACTIVATION  WILL  NOT  INTERFERE  WITH  THE  S-BAND  PM  SYSTEM. 

THE  STANDARD  SETTING  FOR  ASCENT/ENTRY  SHALL  BE  CHANNEL  910. 

@[102402-5737] 

Although  the  PI  may  be  unpowered,  a  single-point  failure  exists  that  can  inadvertently  result  in  PI 
activation.  Should  this  occur  when  the  selected  channel  is  one  that  interferes  with  the  S-band  PM  uplink 
or  downlink,  a  loss  of  uplink  or  downlink  PM  lock  may  occur  disrupting  the  prime  mode  of 
communications.  The  cause  of  this  unexpected  disruption  would  be  difficult  to  detect,  result  in 
confusion,  and  the  workaround  would  not  be  obvious  even  if  the  alternate  UHF  link  were  available. 
Therefore,  it  should  be  avoided.  Channel  910  is  safe  for  ascent/entry  since  it  cannot  cause  any 
interference.  ®[1 02402-5737  ] 
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All-14  CREW  ALERT  SPC'S 

DURING  TIME  PERIODS  WHEN  ALL  CREWMEMBERS  SLEEP  SIMULTANEOUSLY, 

A  CREW  ALERT  SPC  WILL  BE  ROUTINELY  USED  TO  ALERT  THE  CREW  TO 
COMMUNICATIONS  SYSTEMS  PROBLEMS.  THE  SPC  WILL  TIME  OUT 
APPROXIMATELY  HALFWAY  THROUGH  THE  SLEEP  PERIOD  IN  THE  EVENT  OF 
A  LOSS  OF  UPLINK  COMMAND. 

The  crew  alert  commands  result  in  an  onboard  class  3  alarm.  When  loaded  into  the  SM  SPC  buffer 
during  time  periods  when  all  crewmembers  are  sleeping,  it  can  be  used  to  alert  the  crew  that  uplink 
S-band  command  and  probably  voice  capability  has  been  lost.  The  crew  alert  commands  are  uplinked  at 
the  beginn  ing  of  a  sleep  period  and  timetagged  to  execu  te  midway  through  the  sleep  period.  Should  no 
loss  of  command  occur,  these  commands  are  cleared  from  the  SPC  buffer  before  execution.  If  uplink 
command  is  lost,  it  is  possible  that  uplink  voice  or  even  downlink  voice  and  telemetry  may  be  lost  as  well 
since  common  components  are  used.  Single-point  failures  in  the  S-band  PM  system  exist  making  this 
possible.  UHF  provides  a  redundant  voice  source  but  is  often  deactivated  during  crew  sleep  periods  due 
to  ground  in  terference.  Therefore,  the  crew  alert  commands  are  used  to  warn  the  crew  of  a  possible  loss 
of  all  monitoring  capability  and  all  communications  capability.  This  is  considered  serious  enough  to 
wake  the  crew. 


All-15  ELBOW  CAMERA/ PAYLOAD  INTERFERENCE  [CIL] 

FOR  THOSE  MISSIONS  WHERE  AN  ELBOW  CAMERA/PAYLOAD  INTERFERENCE 
PROBLEM  EXISTS,  THE  ELBOW  CAMERA  WILL  NOT  BE  ACTIVATED  UNLESS  THE 
INTERFERENCE  PROBLEM  IS  ELIMINATED.  THIS  APPLIES  EVEN  IF  THE  RMS 
IS  DEPLOYED. 

FLIGHT-SPECIFIC  EXCEPTIONS  FOR  HIGH  PRIORITY  OPERATIONS  WILL  BE 
IDENTIFIED  IN  THE  FLIGHT  RULES  ANNEX. 


Due  to  the  geometry  of  the  elbow  camera  25 -degree  mounting  wedge  when  the  MPM  is  stowed,  the 
maneuvering  envelope  of  the  camera  intrudes  upon  the  maximum  payload  envelope.  A  potential 
interference  problem  exists  with  a  payload  manifested  at  the  same  X  location  as  the  elbow  camera.  The 
in  terference  could  preven  t  stowing  the  MPM’s  and  require  an  RMS  jettison  or  EVA  to  close  PLBD’s. 
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All-16  KU-BAND  MANAGEMENT 

THE  ORBITER  KU-BAND  SYSTEM  WILL  BE  OPERATED  IN  THE  "BETA  PLUS 
MASK"  MODE  WITH  A  LIMIT  OF  21  DEGREES  UNLESS  A  PAYLOAD 
EXTENDS  BEYOND  THE  PAYLOAD  BAY  DOOR  ENVELOPE.  IN  THIS  CASE, 
FLIGHT-SPECIFIC  KU  MASKING  IS  DEFINED  IN  RULE  {A2^25},  IFM 
PROCEDURES  ON  EXPERIMENTS  WITH  TOXIC  HAZARDS.  ®[ED  ]  @[102402-5742] 

The  Ku-band  masking  is  used  to  protect  a  payload  in  the  payload  bay  from  the  Ku  main  beam  RF 
radiation.  A  limit  of  21  degrees  in  the  “Beta  Plus  Mask ”  mode  will  protect  the  entire  bay  up  to  the 
payload  bay  door  moldline  and  prevent  any  part  of  the  bay  being  exposed  to  a  level  greater  than  10  volts 
per  meter  (the  ICD  limit).  This  masking  mode  also  provides  the  maximum  comm  coverage  while  still 
providing  the  required  protection.  @[102402-5742  ] 

If  a  payload  instrument  is  present  which  extends  beyond  the  payload  bay  door  moldline,  then  this 
masking  may  not  protect  the  payload  from  levels  higher  than  the  ICD  level.  The  required  mode  and  beta 
limit  is  then  dependent  on  the  location  of  the  payload  in  the  bay  and  on  the  dimensions  of  the  payload. 
Thus,  the  limit  must  be  calculated  for  the  specific  mission  case.  @[102402-5742  ] 

Note  that  the  beta  mask  function  does  not  apply  to  Ku  radar  operation.  The  radar  mode  uses  the  old 
microprocessor  mask  which  is  equivalent  to  beta  plus  mask  with  a  limit  of  -90  degrees.  This  is  more 
restrictive  ( i. e. ,  more  protection)  than  21  degrees.  ®[ED  ] 

Rule  (A2-118J,  RNDZ/PROX  OPS  COMMUNICATION  SYSTEMS  MANAGEMENT,  references  this  rule. 
@[061396-1961  ] 


VOLUME  A  11/21/02  FINAL,  PCN-1  COMMUNICATIONS  11-13 

Verify  that  this  is  the  correct  version  before  use. 


NASA  -  JOHNSON  SPACE  CENTER 


FLIGHT  RULES 


All-17  PI  CHANNELS  AND  S-BD  FREQUENCIES  COMPATIBILITIES 

IN  ORDER  TO  PREVENT  MUTUAL  INTERFERENCE  BETWEEN  THE  PAYLOAD 
INTERROGATOR  (PI)  AND  THE  S-BAND  PM  SYSTEM,  THE  FOLLOWING  PI 
CHANNELS  AND  S-BAND  PM  FREQUENCIES  COMPATIBILITY  TABLE  WILL  BE 
FOLLOWED  FOR  ALL  PI  OPERATIONS:  @[090894-1 648B] 


COMPATIBLE  PI  CHANNELS  AND  S-BAND  PM  FREQUENCIES 

WHEN  USING  PI  CHANNEL 

USE  S-BAND  PM  FREQUENCY 

001-407 

HIGH 

408-433 

NOT  COMPATIBLE  WITH  LOW  OR  HIGH  * 

434-883 

LOW 

899-909 

HIGH 

910-920 

LOW 

*  PI  INTERFERENCE  WITH  SSA  FORWARD  LINK  TEST  SHOWS  THAT  THERE  IS  A  POTENTIAL  FOR  DEGRADED  SSA 
FORWARD  LINK  ACQUISITION  AND;  THEREFORE,  THIS  PI/S-BD  PM  COMBINATION  (408-420/421-433)  WILL  NOT  BE 
USED.  EXCEPTIONS  MAY  BE  MADE  ON  A  FLIGHT  SPECIFIC  BASIS  BY  DETAILED  ANALYSIS. 

The  S-Band  PM  system  and  Payload  Interrogator  selectable  frequencies  overlap  and  if  not  properly 
selected  could  in  terfere  with  each  other.  The  consequence  of  selecting  channels  other  than  those  noted 
in  the  table  above  are  unknown  and  potentially  compromise  S-Band  PM  communications  and/or 
communications  with  a  detached  payload.  Reference  ESTL  report  EE7-93-214.  ®[090894-i648B] 

All-18  COMSEC  USAGE 

IN  ORDER  TO  PROTECT  THE  ORBITER  FROM  UNAUTHORIZED  COMMANDS,  THE 
S-BAND  SYSTEM  UPLINK  WILL  NORMALLY  BE  ENCRYPTED  FOR  ALL  FLIGHTS. 

Configuring  the  S-band  uplink  for  encryption  protects  against  unauthorized  commands  being  received 
via  both  the  S-band  and  Ku-band  systems  as  the  COMSEC  equipment  interfaces  with  the  NSP  which  is 
common  to  both  systems.  Uplinks  bypassing  the  NSP  can  still  be  received  via  the  alternate  (216  kbps) 
Ku-band  channel ,  but  this  channel  (intended  for  OCA  and  high  rate  payload  data)  does  not  interface 
with  the  GPC’s  or  other  critical  orbiter  systems.  ®[1 11298-6778  ]  ®[01 2402-5068  ] 
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All-59  FM  SYSTEM  IFM  GROUND  RULE 

FOLLOWING  A  CONFIRMED  LOSS  OF  DOWNLINK  IN  ONE  S-BAND  TRANSPONDER, 
CONSIDERATION  WILL  BE  GIVEN  TO  IMPLEMENTING  AN  IFM  PROCEDURE  TO 
ALLOW  THE  USE  OF  THE  FM  SYSTEM  AS  A  REDUNDANT  TELEMETRY  SOURCE 
FOR  ENTRY. 

Following  a  transponder  loss,  no  redundancy  remains  for  downlink  telemetry.  The  IFM  regains  this 
redundancy  using  the  FM  system,  and  implementation  of  the  IFM  should  be  considered  prior  to  entry. 

The  IFM  procedure  to  allow  the  use  of  the  S-band  FM  system  for  downlink  voice  and  telemetry  results  in 
disconnecting  flight  cables  and  terminating  the  use  of  one  of  the  Ops  recorders.  The  NSP’s  must  be 
switched  when  real-time  and  dump  data  share  the  FM  downlink.  This  is  compatible  only  with  ground 
stations,  not  TDRS.  For  these  reasons  it  is  desirable  to  troubleshoot  the  transponders  to  determine 
alternate  capabilities  before  considering  the  IFM  which  nominally  requires  about  2-1/2  hours  of  crew 
time.  As  transponder  troubleshooting  necessarily  requires  a  ground  station  or  TDRS  to  confirm  status, 
the  ground  should  direct  the  procedure  rather  than  the  crew  if  the  remaining  capability  makes  this 
feasible.  The  ground  is  required  because  compatible  configurations  are  necessary  onboard  and  at  the 
STDN  to  ensure  valid  checks. 

All-60  LOSS  OF  TDRS  TRACKING  CAPABILITY 

LOSS  OF  TDRS  TRACKING  CAPABILITY  WILL  RESULT  IN  CONTINUING  TO 
NOMINAL  EOM . 

Loss  of  TDRS  tracking  would  require  call  up  of  contingency  use  S-band  tracking  stations  that  are 
obligated  to  provide  support  in  the  event  of  such  an  orbiter  or  ground  system  failure.  These  stations, 
supplemented  as  required  by  C-band  radars,  can  provide  satisfactory  support  to  continue  nominal 
orbital  operations  and  entry  preparations. 

Rule  {All -1001 },  COMMUNICATIONS  GO/NO-GO  CRITERIA,  references  this  rule. 
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All-61  LOSS  OF  S-BAND  PREAMPS  AND  POWER  AMPS 

LOSS  OF  BOTH  S-BAND  PREAMPLIFIERS  AND/OR  BOTH  POWER  AMPLIFIERS 
WILL  RESULT  IN  CONTINUING  TO  NOMINAL  EOM . 

Loss  of  either  both  preamps  or  both  power  amps  results  in  loss  of  all  TDRS  S-band  capability.  Ku-band 
still  remains  but  does  not  provide  a  tracking  source  arid  is  unavailable  following  antenna  stowage  during 
deorbit  prep.  A  total  loss  of  TDRS  S-band  would  require  call  up  of  the  contingency  ground  stations  that 
are  obligated  to  provide  support  in  the  event  of  such  an  orbiter  failure.  These  stations  would  be  a 
combination  of  the  NASA  Spacecraft  Tracking  and  Data  Network  (STDN),  DOD  remote  tracking  stations 
(RTS),  and  C-band  radars.  These  stations  can  provide  satisfactory  support  to  continue  nominal  orbital 
operations  and  nominal  entry  preparations.  ®[1 02402-5741  ] 

Rule  I  All -1001 j,  COMMUNICATIONS  GO/NO-GO  CRITERIA,  references  this  rule. 

All-62  LOSS  OF  ANTENNA  ELECTRONICS 

THE  FLIGHT  WILL  BE  CONTINUED  FOR  LOSS  OF  THE  S-BAND  ANTENNA 
ELECTRONICS . 

Loss  of  both  S-band  antenna  electronics  results  in  the  inability  to  select  S-band  antennas  ( i.  e. ,  only  one 
antenna  could  be  used).  All  communications  functions  would  remain,  but  severe  attitude  constraints 
would  have  to  be  imposed  to  maintain  TDRS  S-band.  TDRS  Ku-band  would  be  unaffected,  and  ground 
station  (GSTDN)  S-band  would  be  slightly  degraded  due  to  reduced  (but  still  acceptable)  circuit 
margins.  Since  the  attitude  timeline  would  be  affected,  it  is  reasonable  to  assume  that  mission  activities 
would  be  impacted.  As  long  as  productive  mission  objectives  can  still  be  accomplished,  the  mission  need 
not  be  shortened.  Rule  {All-1001  f  COMMUNICATIONS  GO/NO-GO  CRITERIA,  references  this  rule. 
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All-65  AUDIO  CENTRAL  CONTROL  UNIT  (ACCU) 

THE  ACCU  IS  CONSIDERED  LOST  IF  TWO-WAY  VOICE  ON  THE  FOLLOWING 
LOOPS  IS  INOPERABLE: 

A.  AIR/GROUND  1. 

B.  AIR/GROUND  2. 

C.  AIR/AIR. 

These  are  the  only  loops  that  interface  with  the  communications  equipment  (both  air/ground  arid  EVA). 
Only  Intercom  and  Page  loops  remain.  Therefore,  a  subsequent  failure  in  the  alternate  ACCU  would 
result  in  the  loss  of  ail  orbiter  communications.  One -half  of  the  ACCU  BYPASS  IFM  (J4)  should  be 
performed  as  described  in  Rule  {All-66},  LOSS  OF  ACCU’ s. 

Rule  {All-66},  LOSS  OF  ACCU’ s,  references  this  rule. 
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All-66  LOSS  OF  ACCU' S 

A.  FOR  THE  LOSS  OF  ONE  ACCU,  ONE-HALF  OF  THE  ACCU  BYPASS  IFM 

( J4 )  WILL  BE  PERFORMED  AS  SOON  AS  PRACTICAL  AND  THE  NOMINAL 
FLIGHT  COMPLETED.  IF  UNSUCCESSFUL  A  NEXT  PLS  LANDING  WILL  BE 
PERFORMED . 

Refer  to  Rule  {All-65},  AUDIO  CENTRAL  CONTROL  UNIT  (ACCU). 

B.  FOR  THE  LOSS  OF  BOTH  ACCU'S,  THE  IFM  WILL  BE  COMPLETED  AND  AN 
MDF  WILL  BE  PERFORMED. 

The  primary  difference  between  A  and  B  above  is  that  loss  of  an  ACCU  is  only  loss  of  one  source  of 
redundancy  while  loss  of  total  IFM  is  loss  of  two  sources. 

Loss  of  one  ACCU  is  one  failure  away  from  loss  of  all  air/ground  voice.  The  IFM,  when  installed, 
provides  two  sources  of  air/ground  voice.  Implementing  the  J4  half  of  the  IFM  allows  normal  use  of  the 
remaining  ACCU  but  with  the  following  lost  capabilities: 

1.  PS,  OS,  and  AIRLOCK  ATU’s. 

2.  TACAN  3  tones. 

3.  C&W  B  tones  via  ACCU  (Middeck  Speaker  Unit).  ®[i  02402-5743  ] 

4.  NSP  2  voice  record  channel  1. 

5.  NSP  1  voice  record  channel  2. 

6.  NSP  1  Air/Ground  2  loop. 

7.  PLT  ATU  is  limited  to  only  the  Air/Ground  1  loop  in  NSP  2  and  only  in  hot  mike  mode. 

The  extent  of  these  lost  capabilities  is  of  minor  mission  impact  and  does  not  constitute  grounds  for 
shortening  the  mission.  For  vehicles  103  and  104  only  one  crewmember  in  the  airlock  will  have  hardline 
communications  which  has  a  minor  procedural  impact.  Should  the  remaining  ACCU  fail  after  the  J4 
IFM,  the  CDR  and  PLT  ATU’s  (only)  will  still  retain  an  S-band  communications  capability  although  it 
will  be  nonredundant.  The  IFM  should  then  be  completed  restoring  dual  S-band  communications 
redundancy.  Since  redundancy  is  available,  an  immediate  (next  PLS)  lajiding  is  not  necessary,  but  the 
dwindling  communication  capabilities  justify  that  the  flight  be  continued  only  until  MDF. 

Rule  {All-65},  AUDIO  CENTRAL  CONTROL  UNIT  (ACCU),  references  this  rule. 
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A13-155  ORBITER  HAZARDOUS  SUBSTANCE  SPILL  RESPONSE 

(CONTINUED) 

E.  LEVEL  0 

THE  FLIGHT  DECK  CREW  WILL  TURN  OFF  THE  CABIN  AND  I MU  FANS. 
THE  CLEANUP  CREW  WILL  TAKE  ACTIONS  a  AND  b  LISTED  IN 
PARAGRAPH  B. 

A  level-0  substance  may  or  may  not  be  containable  by  the  crew.  Crew  exposure  would  result  in  only 
slight  transient  (less  than  30  minutes)  irritation. 

No  protective  gear  is  required. 

See  paragraph  B,  level-3  rationale,  for  the  reason  for  stopping  the  airflow  in  the  spill  area. 

If  the  spill  is  not  con  tainable  by  the  crew,  the  MCC  will  determine  other  procedures  for  con  tainmen  t  or 
for  a  workaround. 

All  payload  substances  are  reviewed  by  the  Payload  Safety  Review  Panel;  those  not  listed  as  level-4 
through  1  are  considered  nonhazardous  (level  0). 
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A13-156  SPACEHAB  HAZARDOUS  SUBSTANCE  SPILL  RESPONSE 

@[092701-4872  ] 

THE  FLIGHT-SPECIFIC  ANNEX  WILL  LIST  ALL  EXPERIMENT/ SAMPLES 
CONTAINING  LEVEL-4  THROUGH  LEVEL-1  PAYLOAD  HAZARDOUS  SUBSTANCES. 
REFERENCE  RULE  {A13-154},  HAZARDOUS  SPILL  LEVEL  DEFINITIONS.  THE 
FOLLOWING  ACTIONS  WILL  BE  TAKEN  IN  THE  EVENT  THAT  A  HAZARDOUS 
SUBSTANCE  IS  RELEASED  INTO  THE  SPACEHAB/ORBITER  ATMOSPHERE. 
@[111501-4971  ] 

A.  LEVEL  4 

1.  ORBITER 

REFERENCE  RULE  {A13-155A},  ORBITER  HAZARDOUS  SUBSTANCE 
SPILL  RESPONSE.  THE  CREW  SHALL  SAFE  AND  ISOLATE  THE 
SPACEHAB  MODULE  PER  RULE  {A2-329},  SPACEHAB 
DEACTIVATION/ENTRY  PREP.  ®[ED  ] 

A  level-4  hazardous  substance  is  defined  as  either  a  gas,  a  volatile  liquid,  or  fumes  that  are  not 
containable  by  the  crew.  Crew  exposure  could  result  in  a  systemic  toxicity,  severe  irritation,  and/or 
tissue  damage.  The  driving  factor  that  distinguishes  a  level-4  substance  from  a  level-3  substance  is 
none  on  ta  inabil  i  ty. 


The  immediate  priorities  for  a  level-4  spill  in  the  orbiter  are  prevention  of  crew  exposure  to  the  sub¬ 
stance  and  configuration  of  the  atmospheric  revitalization  system  (ARS)for  environmental  scrubbing. 
All  crewmembers  will  don  and  activate  Quick  Don  Masks  to  avoid  any  detrimental  effects. 


The  Spacehab  module  cannot  be  used  as  a  safe  haven  for  the  crew  because  the  module  ARS  is  incapable 
of  controlling  humidity,  O2,  N2,  and  CO 2  concentrations. 

2  .  SPACEHAB  MODULE 

IF  HAZARDOUS  SPILL  OCCURS  IN  THE  SPACEHAB  MODULE,  EVACUATE 
ALL  CREWMEMBERS  TO  THE  ORBITER  EXCEPT  THE  SAFING  CREW.  THE 
FLIGHTDECK  CREW  WILL  TURN  OFF  ALL  SPACEHAB  FANS.  THE 
EVACUATING  CREW  WILL  CLOSE  THE  MAN  PL  ISOL  VLV .  THE  SAFING 
CREW  WILL  PERFORM  THE  FOLLOWING  ACTIONS:  @[021 600-71 02A] 

a.  DON/ACTIVATE  SEBS 

b.  OPEN  CABIN  DEPRESS  VALVE  (CDV) 

C.  EVACUATE  THE  MODULE 

d.  CLOSE  THE  SPACEHAB  HATCH 

THIS  RULE  CONTINUED  ON  NEXT  PAGE 


VOLUME  A  11/21/02  FINAL,  PC N-1  AEROMEDICAL  13-54 

Verify  that  this  is  the  correct  version  before  use. 


NASA  -  JOHNSON  SPACE  CENTER 


FLIGHT  RULES 


A16-11  EXPEDITED  POWERDOWN 

AN  EXPEDITED  POWERDOWN  IS  DEFINED  TO  ALLOW  ACCOMPLISHMENT  OF  ET 
DOOR  OPENING  (RTLS/TAL  ONLY) ,  OMS /RCS-SAF ING,  NOMINAL  GPC 
POWERDOWN  FOLLOWED  IMMEDIATELY  BY  AN  EMERGENCY  POWERDOWN. 
@[012402-5079  ] 

AN  EXPEDITED  POWERDOWN  AND  MODE  V  CREW  EGRESS  WILL  BE 
ACCOMPLISHED  FOR: 

A.  LOSS  OF  ALL  COMMUNICATIONS  (INCLUDING  VISUAL  SIGNALS  AND  MCC 
RELAY)  BETWEEN  CREW  AND  CONVOY  ELEMENTS. 

NOTE:  RULE  {A16-8},  CREW  EGRESS  METHOD  DETERMINATION  (FOR  MODE 

V  EGRESS)  GOVERNS  THE  MODE  V  EGRESS  METHOD  THE  CREW  WILL 
USE.  @[041 196-1 881  A] 


Crew  safety  could  be  compromised  with  the  loss  of  communication  between  the  crew  and  convoy 
personnel.  Possible  orbiter  problems  that  occur  during  landing  and  rollout  not  reflected  in  orbiter 
systems  would  not  be  available  to  the  crew  ( i.  e. ,  tire  fire,  explosive/flammable  conditions,  etc.). 

B.  LOSS  OF  ALL  TELEMETRY  (MCC  AND  LCC)  AND  ONBOARD  SYSTEMS 

MONITORING  (BFS ,  C&W  PANEL,  AND  FDA)  VISIBILITY.  IF  COMM  IS 
AVAILABLE  TO  CREW,  MCC  WILL  DETERMINE  IF  MODE  V  IS  REQUIRED. 


As  long  as  insight  into  critical  vehicle  systems  and  communication  with  the  crew  are  maintained,  normal 
postlanding  operations  can  continue.  Critical  systems  information  is  available  at  KSC  (LCC)  that 
allows  the  LCC  to  be  an  acceptable  source  for  orbiter  systems  monitoring. 

C.  A  NONISOLATABLE  CMS,  RCS,  OR  APU  FUEL  LEAK  OR  FOR  AN 

ISOLATED  LEAK  WHEN  THERE  HAS  BEEN  INSUFFICIENT  TIME  FOR  FUEL 
SUBLIMATION  (RTLS ,  TAL,  AO A,  OR  POST-DEORBIT  IGNITION) .  FOR 
THESE  CASES,  A  MODE  V  CREW  EGRESS  WILL  BE  IMPLEMENTED.  RCS 
JET  LEAKS  AND  APU  SEAL  CAVITY  DRAIN  LEAKS  ARE  EXEMPTED  FROM 
THIS  CATEGORY. 


Leaking  OMS,  RCS,  or  APU  fuel  poses  a  toxicity  and  fire  hazard.  An  expedited  powerdown  should  be 
performed  in  order  to  minimize  the  danger  to  the  flightcrew  and  ground  operations  personnel.  If  a  fuel 
leak  occurs  and  is  isolated  during  an  RTLS,  TAL,  AOA,  or  post-deorbit  ignition,  there  is  insufficient  time 
for  the  fuel  to  sublimate,  and  an  expedited  powerdown  is  prudent. 

THIS  RULE  CONTINUED  ON  NEXT  PAGE 


VOLUME  A  06/20/02  FINAL  POSTLANDING  16-7 

Verify  that  this  is  the  correct  version  before  use. 


NASA  -  JOHNSON  SPACE  CENTER 


FLIGHT  RULES 


A16-11  EXPEDITED  POWERDOWN  (CONTINUED) 

An  isolated  RCS  jet  leak  does  not  pose  a  risk  to  the  orbiter/crew  with  continued  postlanding  operations. 
In  the  event  of  an  APU  fuel  pump  seal  failure,  the  APU  seed  cavity  drain  dumps  hydrazine  overboard. 
Once  the  APU  is  shut  down,  the  leak  is  isolated. 

Rules  {A16-10CJ  and  D,  NORMAL  POSTLANDING  OPERATIONS,  and  (A6-206J,  RCS 
MANIFOLD/LEG  LEAK  PRESSURIZATION,  reference  this  rule.  ®[ED  ] 

D.  A  CONFIRMED  OR  SUSPECTED  FIRE  FOR  WHICH  A  FIRE  SUPPRESSION 
BOTTLE  HAS  BEEN  DISCHARGED  DURING  ENTRY. 

Vehicle  damage  can  pose  hazards  to  crew  safety  after  afire  is  extinguished,  especially  if  its  location  is 
unknown.  Wires  melted  together  could  cause  any  number  of  hazards  (e.g.,  inadvertent  GPC 
commanding  causing  fuel  valves  to  open,  etc.).  In  addition,  if  the  fire  occurred  in  an  avionics  bay 
severed  hours  (minutes  for  a  cabin  fire)  before  landing,  the  crew  should  exit  the  vehicle  to  avoid 
breathing  Halon  and  toxic  combustion  byproducts  which  slowly  leak  out  of  the  avionics  bay  and 
panels. 

E.  A  NON- I SOLATABLE  H2  LEAK  GREATER  THAN  6.5  LB/HR  (5.5  LB/HR 
FOR  SPACEHAB/PAYLOAD  RETURN) . 

Leaking  H2  poses  a  possible  fire  hazard  in  the  midbody.  An  H2  concentration  of  4  percent  represents 
the  lower  ignitcible  limit  ofH2  (deflagrates  or  burns  rapidly). 

Rule  {A16-205FJ,  EARLY  APU  SHUTDOWN,  references  this  rule.  @[072398-6577] 

Normally,  KSC  is  prime  for  recommending  an  expedited  powerdown/crew  egress  based  on  detected  H2 
concentrations.  For  known  H2  leaks  prior  to  touchdown,  this  rule  identifies  the  H2  leak  rate  criteria  to 
be  used  by  MCC  in  determining  whether  an  expedited  powerdown/crew  egress  should  be  performed  prior 
to  KSC  assessment  ( i.  e. ,  for  large  leaks).  These  leak  rates  are  based  on  a  4  percent  concentration 
35  minutes  after  wheels  stop. 

For  leak  rates  below  6.5  (5.5)  Ib/hr,  KSC  is  prime  for  determining  whether  or  not  cm  expedited 
powerdown  is  required,  based  on  actual  detection  ofH2-  The  MCC  H2  leak  rate  prediction  is  based  on 
the  in  itial  size  of  the  leak  once  detected,  a  homogenous  mixing  in  the  midbody,  and  no  consideration  for 
venting  or  leakage  of  H2  from  the  midbody  at  wheel  stop. 

DOCUMENTATION:  ECLS  Console  Handbook,  SCP  4.6.2,  and  KSC  OMI S0026,  Revision  L. 
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A16-11  EXPEDITED  POWERDOWN  (CONTINUED) 

F.  AN  INCOMPLETE  MPS  LH2  DUMP  (NEGATIVE  INERT)  OR  FAILURE  TO 
PRESSURIZE  THE  MPS  LH2  MANIFOLD  ABOVE  ATMOSPHERIC  PRESSURE 
ON  AN  RTLS  OR  TAL  ABORT.  @[012402-5079] 

Fciilure(s)  in  the  MPS  LH2  system  during  the  MPS  dump  and  inert  will  result  in  an  incomplete  LH2 
dump  (negative  inert )  on  RTLS  and  TAL  aborts.  Analysis  (reference  Rockwell  Interned  Letter  no.  287- 
100-94-186  dated  October  12,  1994 )  has  shown  that  the  loss  of  a  dump  path  or  the  loss  of  helium 
pressurization  (during  the  MPS  dump)  will  trap  between  approximately  0.8  to  40.8  pounds  ofLH2 
residuals  in  the  MPS  LH2  manifold  depending  on  the  specific  scenario.  Loss  of  a  dump  path  may  be 
caused  by  failure  of  one  of  the  following  LH2  valves:  outboard  or  inboard  fill/drain  valve,  backup  dump 
valves,  topping  valve,  prevalve,  or  SSMEfuel  bleed  valve.  Loss  of  helium  pressurization  may  be  caused 
by  numerous  reasons  such  as:  relief  isolation  valve  foils  closed,  relief  valve  fails  open,  inboard  fill/drain 
fails  open,  clogged  orifice,  etc.  In  these  failure  cases,  concern  exists  for  crew  and  convoy  safety  because 
analysis  ( reference  Boeing  Internal  Letter  SHA0-01-043  dated  April  26,  2001 )  predicts  the  MPS  LH2 
manifold  will  exceed  its  relief  setting  and  venting  of  hydrogen  residuals  ( potentially  explosive  mixture) 
will  occur  as  early  as  10.8  minutes  after  touchdown.  In  addition,  nominal  leakage  in  the  MPS  system 
could  lead  to  the  buildup  of  an  explosive  mixture  of  hydrogen  in  or  around  the  aft  compartment. 
@[012402-5079  ] 

After  discussion  at  the  Ascent/Entry  Flight  Techniques  Panel  (AEFTP  # 168  on  October  27,  2000)  and 
subsequent  discussions  with  KSC  ground  operations  and  KSC  safety,  it  was  decided  that  the  appropriate 
action  for  MPS  dump  failu  res  on  RTLS  and  TAL  aborts  is  to  perform  an  expedited  powerdown. 

Rationale  for  this  decision  is  based  on  the  potential  hazard  to  the  flight  crew  and  ground  personnel  due 
to  uncertain  ties  in  the  hazards  of  the  trapped  hydrogen  residuals.  Although,  residuals  due  to  a  failure  in 
the  MPS  system  on  a  TAL  abort  can  be  lower  than  the  residuals  on  a  nominal  RTLS  abort,  an  expedited 
powerdown  will  still  be  performed  on  the  TAL  because  of  the  limited  ground  operations  equipment 
available  to  assess  and  manage  the  situation  at  the  TAL  site.  Expedited  powerdown  actions  are  not 
required  for  AO  A  aborts  or  nominal  missions  because  sufficient  time  exists  on  orbit  to  fully  inert  the 
MPS  LH2  manifold  of  all  LH2  residuals.  @[012402-5079  ] 

After  discussion  at  the  AEFTP  Meeting  (AEFTP  # 168  on  October  27,  2000)  and  subsequent  discussions 
with  KSC  ground  operations  and  KSC  safety,  it  was  also  decided  that  the  failure  to  pressurize  the  MPS 
LH2  manifold  above  atmospheric  pressure  on  RTLS  and  TAL  aborts  would  result  in  the  ingestion  of  air 
into  the  LH2  manifold  resulting  in  the  creation  of  cm  explosive  mixture  (reference  Boeing  Internal  Letter 
SHA0-01-043  dated  April  26,  2001).  The  hazards  of  cm  explosive  mixture  in  the  MPS  manifold  that  the 
flight  crew  and  ground  operations  personnel  would  be  exposed  to  are  difficult  to  quantify.  However, 
these  hazards  represent  an  unnecessary  risk,  and,  therefore,  this  scenario  warrants  an  expedited 
powerdown. 

Rules  /A5-210},  ENTRY  MPS  PROPELLANT  DUMP  FAILURES,  { A5-201 },  MPS  DUMP  INHIBIT 
[CIL],  and  { A5-209 },  ENTRY  MPS  HELIUM  PURGING  FOR  CRITICAL  VEHICLE 

POWER/COOLING,  reference  this  rule.  @[030994-1 604B]  @[030994-1617]  @[090894-1 730A  ]  @[012402-5079] 

®[ED  ] 
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A16-12  EMERGENCY  POWERDOWN 

AN  EMERGENCY  POWERDOWN  WILL  BE  IMPLEMENTED  POST-ROLLOUT  FOR  THE 
FOLLOWING  CONDITIONS  OR  AS  REQUESTED  BY  THE  FLIGHT  DIRECTOR  OR 
CONVOY  COMMANDER: 

An  emergency  powerdown  will  be  performed  if  Orbiter  systems  cannot  support  continued  operations  or  if 
orbiter  conditions  compromise  crew  safety.  The  normal  egress  mode  is  preferred  if  allowed  by  system 
conditions.  Loss  of  cooling  will  allow  an  orderly  egress  to  con  tinue. 

If  conditions  exist  that  compromise  crew  safety  (fire,  smoke,  explosive  conditions,  etc.),  a  MODE  V 
egress  is  warranted.  Based  on  knowledge  of  Orbiter  conditions  and  systems  indications,  the  Flight 
Director  and  Convoy  Commander  are  able  to  recognize  problems  and  recommend  the  appropriate 
action/egress  mode. 

A.  NORMAL  EGRESS  (SIDE  HATCH,  CONVOY  CREW  ASSIST) : 

1.  LOSS  OF  BOTH  FREON  COOLANT  LOOPS. 

If  both  loops  are  lost,  the  emergency  powerdown  is  required  because  there  is  absolutely  no  cooling 
of  the  vehicle.  The  fuel  cell  stack  temperature  will  reach  the  specification  limit  of 250  degrees  F  within 
approximately  50  minutes.  In  addition,  the  electrolyte  concentration  will  reach  the  25  percent 
operational  limit  in  approximately  75  minutes.  At  this  point,  continued  operation  of  the  fuel  cells  is 
questionable.  This  assumes  a  simultaneous  purge  of  all  three  fuel  cells  and  a  12.54  kWH  (4.18  kWH/fuel 
cell)  power  level.  If  the  failure  occurred  on  orbit,  the  situation  would  be  time-critical  postlanding. 
Purging  H2  into  the  atmosphere  should  be  avoided  if  at  all  possible  (ref.  Rule  {A16-301}, 
CONTAMINATION/  FLAMMABILITY/TOXICITY).  Without  the  purge,  the  fuel  cells  will,  flood  in 
approximately  18  minutes  based  on  an  8.0  kWH  (2.67  kWH/fuel  cell)  power  level  (ref.  Rules  { A2-54 }, 
RTLS,  TAL,  AND  AO  A  ABORTS  FOR  SYSTEMS  FAILURES  [CIL];  and  {A2-205},  EMERGENCY 
DEORBIT).  Upon  completion  of  the  emergency  powerdown,  a  normal  crew  egress  can  be  performed. 

DOCUMENTATION :  Dual  Freon  Loop  Failure  Entry  Analysis,  Rockwell  International  IL  388-301-79- 
018,  and  SODB  table  3. 4. 4. 1-1. 

2.  LOSS  OF  BOTH  H20  COOLANT  LOOPS. 

If  both  loops  are  lost,  the  emergency  powerdown  is  required  because  there  is  no  cooling  to  water  and  air 
cooled  equipmen  t  in  the  cabin.  If  the  failure  occurred  on  orbit,  avionics  equipmen  t  and  GPC’s  would  be 
cycled  to  their  thermal  limits  in  order  to  maintain  as  much  redundancy  as  possible  during  critical 
mission  phases.  Since  this  failure  scenario  does  not  contain  any  hazard  to  the  crew,  an  orderly,  normal 
egress  can  be  accomplished. 

DOCUMENTATION :  MDTSCO  analysis  l.l-ECLSS-09,  Dual  Water  Coolant  Loop  Failed  Entry 
Contingency. 
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A16-12  EMERGENCY  POWERDOWN  (CONTINUED) 

3.  LOSS  OF  BOTH  NH3  SYSTEMS  WHEN  CRITICAL  TEMPERATURES  ARE 
(RULE  {A16-51},  NO  GROUND  COOLING/EARLY  VEHICLE  POWER 
TERMINATION)  EXCEEDED. 

Postlanding,  orbiter  cooling  is  provided  by  the  heat  sink  capacity  remaining  from  the  on-orbit  radiator 
coidsoak,  the  NH 3  system,  and  the  ground-cooling  cart.  In  the  event  that  the  ground-cooling  cart  is  not 
available,  AT/3  must  supply  the  cooling  once  the  radiator  coidsoak  has  been  used.  Therefore, 
subsequen  t  loss  of  both  AT/3  systems  will  even  tually  lead  to  loss  of  all  vehicle  cooling,  and  loss  of  all 
vehicle  cooling  has  the  same  result  as  described  in  the  loss  of  both  Freon  loops  in  paragraph  A.l. 

DOCUMENTATION :  Engineering  judgment. 

B.  MODE  V  EGRESS: 

1.  WHEEL  WELL  FIRE  OR  BRAKE  FIRE  THAT  POTENTIALLY  WILL 
PROPAGATE  TO  THE  WHEEL  WELL.  EGRESS  WILL  BE  BASED  ON 
CONVOY  COMMANDER  RECOMMENDATION. 

2.  EXPLOSIVE/FLAMMABLE  CONDITIONS  (REF.  RULE  {A16-301}, 
CONTAMINATION/FLAMMABILITY/TOXICITY) . 

3.  SMOKE,  FIRE,  OR  OBVIOUS  STRUCTURAL  DAMAGE. 

4.  INTOLERABLE  CABIN  CONDITIONS . 

NOTE:  RULE  {A16-8},  CREW  EGRESS  METHOD  DETERMINATION  (FOR  MODE 

V  EGRESS)  GOVERNS  THE  MODE  V  EGRESS  METHOD  THE  CREW  WILL 
USE.  @[041196-1 881  A] 

It  is  preferable  to  perform  a  normal  egress.  However,  if  cabin  conditions  warrant,  a  MODE  V 
egress  may  be  performed.  An  emergency  powerdown  should  be  implemented  for  the  conditions  listed  in 
paragraph  Bl,  2,  3  above  in  order  to  eliminate  electrical  ignition/isolate  volatile  propellant  sources  that 
could  make  the  vehicle  anomalous  condition  worse.  A  confirmed  MPS  LH2  leak  is  considered  to  be  an 
explosive/flammable  condition  (ref.  rule  {A5-201},  MPS  DUMP  INHIBIT  [CIL]).  @[030994-1 604B] 

®[ED  ] 

DOCUMENTATION :  Engineering  judgment. 

Rule  { A16-10EJ ,  NORMAL  POSTLANDING  OPERATIONS,  references  this  rule. 
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A16-13  SIDE  HATCH  OPENING  CONSTRAINT 

IF  CABIN  PRESSURE  EXCEEDS  LANDING  SITE  ATMOSPHERIC  PRESSURE  BY 
MORE  THAN  3.2  PS  ID,  THEN  THE  CABIN  VENT  VALVES  WILL  BE  USED  TO 
DEPRESSURIZE  THE  CABIN  TO  BRING  THE  PRESSURE  DIFFERENTIAL  BELOW 
3.2  PSID  BEFORE  ATTEMPTING  TO  OPEN  THE  SIDE  HATCH. 

An  unisolatable  leak  into  the  cabin  could  result  in  cabin  pressure  being  as  much  as  16  psid  greater  than 
landing  site  atmosphere  pressure  (the  cabin  relief  valves  relieve  at  16  psid).  Rockwell  International  has 
verified  side  hatch  structural  capability  to  vent  excess  cabin  pressure  postlanding  only  as  high  as  3.2 
psid.  The  3.2  psid  pressure  differential  was  selected  for  verification  because  it  is  the  maximum  expected 
to  be  encountered  at  the  highest  altitude  landing  site  (White  Sands)  under  normal  cabin  pressure 
conditions. 

DOCUMENTATION :  Side  Hatch  Structural  Capability  to  Release  Cabin  Pressure  Following  Rollout, 
Rockwell  International  Internal  Letter  No.  280-106-82-016,  May  7,  1983. 
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A16-204  WINDWARD  APU  OPERATION  CONSTRAINT 

TO  AVOID  EXCEEDING  VERTICAL  TAIL  STRUCTURAL  TEMPERATURE  LIMITS, 
THE  WINDWARD  APU(S)  WILL  NOT  BE  OPERATED  LONGER  THAN  THE 
ALLOWABLE  POSTLANDING  APU  RUN  TIME,  OBTAINED  FROM  THE  POSTLANDING 
OPERATIONS  PLOT. 


POSTLANDING  OPERATIONS 


ALLOWABLE 
APU  RUNNING 
TIME,  MIN 


STEADY  STATE  CROSS  WIND  COMPONENT  IN  ±Y0  DIRECTION,  KNOTS 


If  the  postlanding  run  time  exceeds  the  allowable  run  time,  vertical  tail  overtemperature  and  subsequent 
structural  damage  can  occur  if  the  APU  plume  has  ignited.  There  are  no  constraints  to  run  time  if  the 
APU  plume  has  not  ignited;  however ,  due  to  the  difficulty  in  visually  determining  whether  the  plume  is 
burning  or  not,  the  worst  case  is  assumed. 

Reference  SPDB  3. 2. 1.1. 
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A16-205  EARLY  APU  SHUTDOWN 

AN  APU  (OR  APU'S)  WILL  BE  SHUTDOWN  ASAP  POST-WHEEL  STOP: 

A.  IF  A  FUEL  OR  OXIDIZER  LEAK  IS  SUSPECTED  OR  DETECTED  IN  THE 
MPS,  OMS,  RCS ,  OR  ANY  APU,  EVEN  IF  THE  LEAKS  HAVE  BEEN 
ISOLATED  (DOES  NOT  APPLY  FOR  RCS  JET  LEAKS)  .  @[030994-1 604B] 

The  requirements  for  APU  operations  postlanding,  SSME  repositioning,  and  hydraulic  load  test  are 
not  considered  mandatory.  In  cases  where  fuel  or  oxidizer  leaks  are  suspected  or  detected,  the  APU’s 
should  be  shut  down  ASAP  to  reduce  chances  of  the  leak  developing  into  a  greater  flammability  hazard, 
brought  on  by  the  operation  of  hot,  rotating  machinery.  Note  that  an  APU  fuel  tank  N2  leak  is 
considered  a  fuel  leak. 

APU’s  will  not  be  shut  down  early  for  RCS  jet  leaks  since  these  types  of  leaks  are  isolated  and  external  to 
the  orbiter.  No  flammability  hazard  exists  for  continued  APU  operations  with  known  RCS  jet  leaks. 

Rules  (A5-201J,  MPS  DUMP  INHIBIT  [CIL],  and  (A6-206J,  RCS  MANIFOLD/LEG  LEAK 
PRESSURIZATION,  reference  this  rule.  @[030994-1 604B]  ®[ED  ] 

B.  IF  A  FIRE  IS  OBSERVED  IN  A  WHEEL  WELL  OR  TIRE/BRAKE  AREA. 

THE  HYDRAULIC  LANDING  GEAR  EXTEND  AND  BRAKE  ISOLATION  VALVES 
WILL  BE  CLOSED  PRIOR  TO  SHUTTING  DOWN  THE  APU' S . 

Afire  in  the  wheel  well  or  landing  gear  area  could  involve  hydraulic  fluid.  Closing  the  landing  gear 
isolation  valves  will  isolate  the  fluid  from  the  gear  area,  thus  preventing  any  further  feeding  of  the  fire. 
The  APU’s  should  be  shut  down  in  an  effort  to  reduce  high-pressure  flow  of  hydraulic  fluid  to  the  gear 
area  should  an  isolation  valve  fail  to  close. 

C.  IF  THERE  IS  A  NON- I SOLATABLE  LEAK  IN  ITS  ASSOCIATED  HYDRAULIC 
SYSTEM. 

The  APU  should  be  shut  down  postlanding  to  minimize  hydraulic  leakage  into  the  aft  compartment. 
Postlanding  operations  requiring  hydraulic  power  are  not  mandatory  and  can  be  performed  if  there  are 
two  remaining  good  systems. 

D.  IF  THE  APU  SHIFTS  TO  HIGH  SPEED  WITH  NORMAL  SPEED  SELECTED. 

The  APU  should  be  shut  down  postlanding  to  protect  against  a  possible  uncontained  overspeed. 
Postlanding  operations  requiring  the  APU’s  are  not  mandatory  and  can  be  performed  if  there  are  two 
remaining  good  systems. 
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A17-254  CABIN  02  CONCENTRATION  (CONTINUED) 

The  36-hour  decision  point  for  which  upper  limit  to  apply  to  oxygen  concentration  at  8.0  psi  is 
arbitrary.  A  reason  for  having  two  upper  limits  while  at  8.0  psi  is  to  avoid  extended  operations  at 
high  O2  concentration  levels.  Leak  rates  which  allow  less  than  36  hours  will  be  large  enough  to  keep 
the  oxygen  concentration  from  remaining  above  35  percent  for  long  periods  of  time.  ( Ref.  Rule  {A13- 
53A }.  2,  MINIMUM  PP02  CONSTRAINTS. ).  ®[090894-i  673A] 

Documentation:  PRCB  PCIN  41004,  NASA  TR-25 5-001. 

Rules  {A17-53},  FIRE  AND  POST-FIRE  ACTIONS;  and  (A13-152CJ,  CABIN  ATMOSPHERE 
CONTAMINATION,  reference  this  rule. 


VOLUME  A  06/20/02  FINAL  LIFE  SUPPORT  17-55 

Verify  that  this  is  the  correct  version  before  use. 


NASA  -  JOHNSON  SPACE  CENTER 


FLIGHT  RULES 


A17-255  8  PSIA  EMERGENCY  CABIN  CONFIGURATION 

THE  14.7  PSIA  CABIN  REGULATOR  INLET  VALVES  WILL  BE  CLOSED  AND  THE 
CABIN  WILL  BE  ALLOWED  TO  BLEED  TO  8  PSIA  ONLY  IF:  @[090894-1 673A] 

A.  CABIN  LEAK:  O2/N2  CONSUMABLES  ARE  INSUFFICIENT  TO  ALLOW  THE 
ORBITER  TO  EFFECT  A  NEXT  PLS  ENTRY  AT  14.7  (10.2  IF  ALREADY 
IN  10.2  PSIA  OPS)  PSIA  CABIN  PRESSURE  PLUS  A  24-HOUR  FLIGHT 
EXTENSION  AT  8  PSIA. 

Operation  at  14. 7  psia  is  preferred  because,  at  8  psia,  a  powerdown  is  required  and  the  crew  must  wear 
the  LES  helmet.  However,  if  inadequate  consumables  exist  to  allow  both  a  14.7  (10.2  if  already  in  10.2 
PSIA  ops)  psia  cabin  pressure  to  the  next  PLS  opportunity  and  1  extension  day  at  8  psia,  the  cabin  will 
be  immediately  reconfigured  to  the  8 psia  emergency  configuration  ( i. e. ,  14.7  cabin  regulators  closed 
and  associated  powerdowns  performed ). 

If  it  is  determined  that  enough  consumables  exist  to  allow  the  14.7  (10.2  if  already  in  10.2  PSIA  ops)  psia 
cabin  pressure  to  the  next  PLS  plus  the  24-hour  extension  day  at  8  psia,  then  the  14.7  ( 10.2  if  already  in 
10.2  PSIA  ops)  psia  cabin  will  be  maintained  to  the  next  PLS  opportunity  to  attempt  a  normal  entry.  If 
entry  cannot  be  performed  at  the  PLS  opportunity,  then  the  cabin  must  be  reconfigured  to  the  8  psia 
emergency  configuration  for  the  remainder  of  the  mission  and  an  entry  performed  prior  to  consumables 
depletion  ®[090894-1673A] 

DOCUMENTATION :  Engineering  judgment. 

Rule  (A17-254J,  CABIN  02  CONCENTRATION,  references  this  rule. 

B.  CABIN/ AV  BAY  FIRE  OR  LEVEL  4  HAZARDOUS  SPILL:  THE  CREW  IS 
REQUIRED  TO  WEAR  THE  LES/QD,  FOR  AN  EXTENDED  PERIOD  OF  TIME 
TO  PROTECT  THEMSELVES  AGAINST  A  CONTAMINATED  CABIN 
ATMOSPHERE.  @[090894-1 673A] 

A  cabin  depress  to  8  psi  and  continuous  purge  at  8  psi  will  manage  O2  concentration  below  maximum 
levels  as  well  as  decrease  the  concentration  of  discharged  Halon  and  any  potentially  toxic  gases  that 
were  produced  by  a  fire  or  hazardous  elements  that  were  spilled  into  the  cabin  atmosphere.  This  action 
could  extend  the  time  on  orbit  so  as  to  avoid  an  ELS  entry  (ref.  Rule  (A17-53J,  FIRE  AND  POST-FIRE 
ACTIONS,  and  (A1 3-155),  ORBITER  HAZARDOUS  SUBSTANCE  SPILL  RESPONSE).  ®[ED  ] 

DOCUMENTATION:  Engineering  judgment  ®[090894-l  673A] 

Rule  (A17-254J,  CABIN  02  CONCENTRATION,  references  this  rule. 
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A17-256 


02  BLEED  ORIFICE  MANAGEMENT 


THE  O2  BLEED  ORIFICE  WILL  BE  INSTALLED  IN  AN  LEH  VALVE  QUICK 
DISCONNECT  (QD)  ,  PRESLEEP  ON  FLIGHT  DAY  1,  IF  PP(£  LEVELS  ARE 
BELOW  3.20  PSIA  AND  REMOVED  DURING  DEORBIT  PREPARATION  ACTIVITIES 
ON  ENTRY  DAY. 

The  O2  bleed  orifice,  sized  specifically  for  metabolic  consumption  of  O2  based  on  crew  size,  is  installed 
to  keep  the  14.7  cabin  regulator  inlets  in  the  low  flow  region  of  the  regulator.  This  eliminates  nuisance 
O2/N2  FLOW  HIGH  alarms  caused  by  WCS  cycles  and  02/N2.flow  switchovers.  Normally,  the  bleed 
orifice  is  installed  presleep  on  flight  day  1,  ifPP02  levels  permit.  Due  to  oxygen  introduced  into  the 
cabin  via  LESflow  during  ascent,  however,  the  PPO2  may  be  elevated  to  such  a  degree  that  bleed  orifice 
installation  is  not  necessary  until  postsleep  on  flight  day  2.  Delaying  the  installation  will  allow 
metabolic  consumption  to  lower  PPO2  to  nominal  levels. 

The  bleed  orifice  is  not  used  during  ascent/entry  since  the  PCS  system  is  deactivated  and  there  is  no 
concern  of  generating  nuisance  flow  alarms. 


DOCUMENTATION:  Flight  data. 


A17-257 


N2  SYSTEM  MANAGEMENT 


BOTH  N2  SYSTEMS  WILL  NORMALLY  BE  OPERATED  AS  ONE  SYSTEM. 

Nominal  operations  for  N2  systems  1  and  2  has  both  systems  fully  open  ( i.  e. ,  supply  valves,  regulator 
inlet  valves,  etc.)  so  N2  will  be  depleted  simultaneously  from  all  tanks.  One  of  the  drawbacks  of 
operating  both  nitrogen  systems  as  a  single  system  is  the  possibility  of  losing  more  than  one  system’s 
nitrogen  quan  tity  in  the  even  t  of  a  massive  tank  leak.  However,  by  operating  both  systems  fully  open,  the 
risk  is  removed  of  a  supply  valve  failing  closed  and  cu  tting  off  one  N2  system  for  the  remainder  of  the 
mission.  The  likelihood  of  a  supply  valve  failing  closed  is  considered  greater  than  the  possibility  of  a 
massive  tank  leak,  and  therefore  the  system  is  operated  to  protect  against  failure  of  one,  or  both,  of  the 
N2  supply  valves  failing  closed.  Also,  by  depleting  nitrogen  equally  from  both  systems,  the  quantity  of 
N2  remaining  in  a  good  system  is  maximized. 


DOCUMENTATION :  Engineering  judgment. 

Rule  {A17-202B},  8  PSIA  CABIN  CONTINGENCY  165-MINUTE  RETURN  CAPABILITY,  references 
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A17-258  LOSS  OF  CABIN  INTEGRITY  Tfoay  DEFINITION  AND  TIG 

SELECTION 

a.  tmax  is  defined  as  the  latest  deorbit  tig  that  will  allow  a 

LANDING  BEFORE  THE  DEPLETION  OF  N?  CONSUMABLES.  IF 
CONSUMABLES  WILL  BE  DEPLETED  BEFORE  A  PLS  LANDING,  AN  ELS 
LANDING  WILL  BE  EFFECTED. 

B.  THE  MINIMUM  ACCEPTABLE  CABIN  PRESSURE  PRIOR  TO  ATMOSPHERIC 
REPRESSURIZATION  IS  8  PSIA.  THE  PCS  SHALL  BE  CONFIGURED  TO 
MAINTAIN  8  PSIA.  NOTE:  EXTENDED  TIME  ON  ORBIT  AT  A  LOWER 
CABIN  PRESSURE  WILL  BE  SACRIFICED  TO  MAINTAIN  A  CABIN 
PRESSURE  OF  8  PSIA. 

C.  A  DEORBIT  TIG  FOR  LOSS  OF  CABIN  PRESSURE  INTEGRITY  SHALL 
OCCUR  AT  OR  BEFORE  TMAX • 

7 'max  ,s  defined  as  the  deorbit  TIG  that  synchronizes  touchdown  with  the  depletion  ofN2  consumables. 
Note  that  Tmax  is  independent  of  landing  site  availability  and  does  not  account  for  cooling  certification 
violations  due  to  loss  of  cabin  pressure. 

The  Tmax  prediction  is  based  on  an  assumed  8-psia  emergency  regulator  maximum  flowrate  of  125  Ib/hr 
ofN2  each  (while  the  spec  max  flow  is  75  Ib/hr,  OMRSD  testing  shows  that  the  actual  average  max  flow 
is  about  125  Ib/hr).  It  also  assumes  that  the  time  from  TIG  to  touchdown  is  60  minu  tes  and  that  O2  is 
managed  between  2.2  and  3.0  psia  ( ref.  Rules  {A1 7-254},  CABIN  02  CONCENTRATION,  and  {A13-53}, 
MINIMUM  PP02  CONSTRAINTS).  N2  depletion  is  defined  in  Rule  [A1 7-204},  N2  SUPPLY,  as  tank 
pressure  below  200  (375)  psia.  ®[ED  ] 

The  vehicle  avionics  are  not  certified  to  withstand  cabin  pressures  below  8  psia  due  to  cooling 
requirements.  Also,  a  cabin  pressure  of  8  psia  is  the  minimum  pressure  which  will  allow  the  crew  to 
function  normally  for  any  length  of  time  withou  t  a  prebreathe.  Reference  Rule  {A13-51A},  CABIN 
PRESSURE.  For  these  reasons,  maintaining  8  psia  (if  possible)  is  mandatory. 

In  maintaining  8  psia,  N2  supplies  will  be  exhausted  as  necessary.  No  N2  conservation  steps  that  involve 
lowering  the  cabin  stabilization  pressure  below  8  psia  will  be  attempted.  Therefore,  the  time  on  orbit 
that  could  be  achieved  if  the  cabin  was  allowed  to  stabilize  at  a  lower  pressure  will  be  sacrificed  to 
maintain  8  psia. 
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A17-705  ATMOSPHERE  REVITALIZATION  SYSTEM  (ARS)  FAN  @[021600- 

7106B]  @[111 501 -51 01  A] 

A.  FOR  LOSS  OF  A  SINGLE  PHASE,  THE  ARS  FAN  MAY  CONTINUE  TO  BE 
OPERATED  ON  TWO-PHASE  POWER. 

The  ARS  fan  was  operated  on  two  phases  during  preflight  testing.  The  ARS  fan  may  be  operated  but  not 
started  on  only  two  phases.  ®[1 11501  -501 0A] 

If  the  ARS  fan  is  operating  on  the  SH INV  and  phase  A  fails,  the  fan  will  stop  working  because  phase  A  of 
the  SH  INV  provides  the  sync  pulse  required  for  SH  INV  phases  B  and  C  to  operate.  However,  the  fan 
will  continue  to  operate  on  the  SH  INV  on  two-phase  power  if  phase  A  continues  to  operate  with  either 
phase  B  or  phase  C.  @[021 600-71 06B] 

B.  FOR  LOSS  OF  THE  ARS  FAN,  AN  IFM  WILL  BE  PERFORMED  (BASED  ON 
PPCO2,  ETC.)  TO  CHANGE  OUT  THE  FAN.  UNTIL  THE  IFM  IS 
PERFORMED,  ALLOWABLE  CREW  TIME  IN  THE  MODULE  IS  LIMITED  BY 
DEWPOINT,  PPO2,  AND  PPCO2  RESTRICTIONS  PER  RULE  {A17-701}, 
MODULE  ATMOSPHERIC  CONTROL.  @[101096-4494] 

Withou  t  the  ARS  fan,  air  exchange  with  the  orbiter  is  degraded.  In  the  Spacehab  RDM,  smoke  detection 
in  the  forward  subfloor  volume  is  considered  lost  when  the  ARS  fan  is  not  operating  with  the  mixing  box 
cap  installed.  As  long  as  one  HFAfan  is  operating,  smoke  detection  capability  can  be  regained 
throughout  the  RDM  by  removing  the  mixing  box  cap.  Reference  Rule  {A17-757j,  RDM  MIXING  BOX 
CAP. 

C.  ( SM/LDM  ONLY)  THE  ARS  FAN  SHALL  NOT  BE  OPERATED  WITH  THE  PL 
ISO  VALVE  CLOSED  UNLESS  THE  ASCENT/DESCENT  INLET  STUB  IS  OPEN 
OR  THE  FLEX  DUCT  IS  REMOVED.  @[021 600-71 06B] 

Operation  of  the  ARS  fan  with  the  PL  ISO  valve  closed  and  flex  duct  connected  in  the  Spacehab  single 
or  logistics  double  module  configurations  may  cause  failure  of  the  ARS  fan.  Reference  Rule  {A17- 
756},  SM/LDM  ASCENT/DESCENT  INLET  STUB.  @[021 600-71 06B] 

D.  (RDM  ONLY)  THE  ARS  FAN  SHALL  BE  DEACTIVATED  PRIOR  TO  POWERING 
ON  A  SECOND  HFA  FAN. 

Preflight  testing  by  Boeing  has  shown  that  the  HFA  fans  will  operate  in  a  degraded  mode  if  a  second 
HFAfan  is  powered  up  while  the  ARS  fan  is  operating.  Reference  Rule  {A17-704},  CABIN/HFA  FAN. 

No  immediate  damage  to  the  fans  is  associated  with  operation  in  this  mode,  only  degraded  system 
performance  (>  30  percent  reduction  in  HFA  flow). 

DOCUMENTATION :  Boeing  RDM  Certification  Acceptance  Review  Presentation,  October  4-5,  2000, 
ECS  Special  Topic.  ®[i  1 1 501  -501 0A] 
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A17-706  SPACEHAB  FAN  CONFIGURATIONS 

THE  FOLLOWING  FAN  CONFIGURATION  WILL  BE  USED  FOR  NOMINAL  SPACEHAB 
SM/LDM  OR  RDM  OPERATIONS  FOR  ASCENT,  ON-ORBIT,  AND  ENTRY:  @[111501- 
5000] 

A.  ASCENT 

1.  SM/LDM: 

a.  UNPOWERED  SPACEHAB  MODULE 

(1)  ARS  FAN  -  ON,  CONFIGURED  TO  SPACEHAB  INVERTER 
POWER,  BUT  NOT  OPERATIONAL  SINCE  THE  SPACEHAB 
INVERTER  IS  UNPOWERED 

(2)  CABIN  FAN  -  OFF,  CONFIGURED  TO  SPACEHAB  INVERTER 
POWER 

(3)  AFT  MODULE  FAN  -  OFF  ( LDM  ONLY) 


When  the  Spacehab  module  is  unpowered  for  ascent,  all  subsystem  equipment  is  OFF.  Although  the  ARS 
fan  is  configured  ON,  it  is  not  operational  because  its  power  source  is  configured  to  an  unpowered 
Spacehab  inverter.  This  configuration  simply  allows  the  ARS  fan  to  be  activated  by  commanding  its 
power  source  from  Spacehab  inverter  to  orbit er  AC. 

b.  POWERED  SPACEHAB  NODULE 

(1)  ARS  FAN  -  ON,  USING  SPACEHAB  INVERTER  POWER 

(2)  CABIN  FAN  -  OFF,  BUT  CONFIGURED  TO  SPACEHAB 
INVERTER  POWER 

(3)  AFT  MODULE  FAN  -  OFF  (LDM  ONLY) 

IF  THE  ARS  FAN  FAILS,  IT  WILL  BE  COMMANDED  OFF  AND 
THE  CABIN  FAN  COMMANDED  ON  ASAP  POST  MAIN  ENGINE 
CUTOFF  (MECO) .  FOR  FAILURE  OF  THE  SPACEHAB  INVERTER, 
REFERENCE  RULE  {A9-354},  SPACEHAB  AC  MANAGEMENT. 

®[ED  ]  ®[ED  ] 

THIS  RULE  CONTINUED  ON  NEXT  PAGE 
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A17-706  SPACEHAB  FAN  CONFIGURATIONS  (CONTINUED) 


The  ARS  or  cabin  fan  is  required  to  maintain  airflow  for  heat  rejection  and  fire/ smoke  detection  in  the 
module.  The  cabin  fan  is  unpowered,  but  configured  to  inverter  power  to  allow  it  to  serve  as  a  backup  in 
case  the  ARS  fan  fails.  Without  switching  fans,  all  fire/ smoke  detection  capability  is  lost.  Since  no  on¬ 
board  command  capability  exists  in  OPS  1  (SM  GPC  not  available),  the  fans  will  be  reconfigured  via 
ground  command  post  MECO.  The  aft  module  fan  uses  Spacehcib  DC  power  and  is  not  powered  for 
ascent.  ®[i  1 1 501-5000  ] 

2.  RDM:  @[111501-5000] 


a . 

HFA 

FAN 

1 

-  ON, 

USING  SPACEHAB 

INVERTER 

POWER 

b . 

HFA 

FAN 

2 

-  OFF, 

CONFIGURED 

TO 

SPACEHAB 

INVERTER 

POWER 

c . 

ARS 

FAN 

- 

ON,  CONFIGURED  TO 

ORBITER  AC, 

BUT  NOT 

OPERATIONAL  SINCE  ORBITER  AC  IS  NOT  AVAILABLE  TO 
PAYLOADS  FOR  ASCENT 

IF  HFA  FAN  1  FAILS,  IT  WILL  BE  COMMANDED  OFF  AND  HFA 
FAN  2  COMMANDED  ON  ASAP  POST  MAIN  ENGINE  CUTOFF 
(MECO) .  FOR  FAILURE  OF  THE  SPACEHAB  INVERTER, 

REFERENCE  RULE  {A9-354},  SPACEHAB  AC  MANAGEMENT. 

®[ED  ]  ®[ED  ] 

The  Spacehcib  RDM  is  always  powered  for  ascent.  An  HFA  fan  is  required  to  maintain  airflow  for  heat 
rejection  and  fire/smoke  detection  in  the  module.  HFA  fan  1  is  preferred  over  HFA  fan  2  because 
con  tingency  commanding  is  only  available  to  turn  HFA  fan  1  OFF  and  HFA  fan  2  ON.  HFA  fan  2  is 
unpowered  but  configured  to  inverter  power  to  allow  it  to  serve  as  a  backup  in  case  HFA  fan  1  fails. 
Without  switching  fans,  all  fire/smoke  detection  capability  is  lost.  Since  no  on-board  command 
capability  exists  in  OPS  1  (SM  GPC  not  available),  the  fans  will  be  reconfigured  via  ground  command 
post  MECO.  The  ARS  fan  is  not  operational  during  ascent;  however,  it  is  configured  ON,  but  to  orbiter 
AC  power  which  is  not  available  during  ascent.  In  this  configuration,  the  ARS  fan  can  be  activated 
whenever  power  is  applied  to  the  payload  AC  2  bus  in  the  event  of  a  failure  that  preven  ts  Spacehcib 
commanding. 
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A17-706  SPACEHAB  FAN  CONFIGURATIONS  (CONTINUED) 

B.  ON-ORBIT 

1.  SM/LDM: 

a.  ARS  FAN  -  ON,  USING  ORBITER  AC  POWER 

b.  CABIN  FAN  -  ON,  USING  ORBITER  AC  POWER 

C.  AFT  MODULE  FAN  -  ON,  USING  SPACEHAB  DC  POWER  ( LDM 
ONLY) 

IF  ORBITER  AC  POWER  IS  UNAVAILABLE,  REFERENCE  RULE 
{ A9-354  }  ,  SPACEHAB  AC  MANAGEMENT.  @[111501-5000]  ®[ED  ] 

®[ED  ] 

2.  RDM:  @[111501-5000] 

a.  ARS  FAN  -  ON,  USING  ORBITER  AC3  POWER 

b.  HFA  FAN  1  -  ON,  USING  SPACEHAB  INVERTER  POWER 

c.  HFA  FAN  2  -  ON,  USING  ORBITER  AC2  POWER 

FOR  FAILURE  OF  THE  SPACEHAB  INVERTER  OR  ORBITER  AC, 
REFERENCE  RULE  {A9-354},  SPACEHAB  AC  MANAGEMENT.  ®[ED  ] 
®[ED  ] 

All  subsystem  fans  for  Spacehab  SM/LDM  or  RDM  are  nominally  operating  on-orbit  to  obtain  the  best 
air  circulation  throughout  the  module.  It  is  highly  desired  to  power  the  ARS  fan  from  orbiter  AC  in 
order  to  main  tain  fan  operation  in  case  of  an  inadverten  t  loss  of  the  Spacehab  inverter.  Powering  any  of 
the  fans  via  the  Spacehab  inverter(s)  or  orbiter  AC  is  acceptable  and  is  preferred  over  not  running  the 
fans.  In  the  RDM,  HFA  fan  I  is  powered  by  the  Spacehab  inverters  and  HFA  fan  2  is  powered  by  orbiter 
AC  to  maintain  airflow  in  case  of  a  failure  of  either  power  source,  as  well  as  to  offload  orbiter  AC  2. 
Operation  of  both  HFA  fans  from  the  same  power  source  is  acceptable,  but  will  impact  troubleshooting 
in  the  case  of  a  failed  fan. 


THIS  RULE  CONTINUED  ON  NEXT  PAGE 


VOLUME  A  11/21/02  FINAL,  PCN-1  LIFE  SUPPORT  17-110 

Verify  that  this  is  the  correct  version  before  use. 


NASA  -  JOHNSON  SPACE  CENTER 


FLIGHT  RULES 


A17-706  SPACEHAB  FAN  CONFIGURATIONS  (CONTINUED) 

C.  ENTRY 

1.  SM/LDM: 

a.  ARS  FAN  -  ON,  USING  SPACEHAB  INVERTER  POWER 

b.  CABIN  FAN  -  OFF,  CONFIGURED  TO  ORB I TER  AC 
C.  AFT  MODULE  FAN  -  OFF  (LDM  ONLY) 

IF  THE  ARS  FAN  FAILS,  IT  WILL  BE  COMMANDED  OFF  AND  THE 
CABIN  FAN  COMMANDED  ON  USING  ORBITER  AC  POWER  ASAP 
PROVIDED  THE  TOTAL  AC  LOAD  (ORBITER  +  SPACEHAB)  CAN  BE 
MANAGED  TO  STAY  WITHIN  LIMITS  SPECIFIED  IN  RULE  £,9-155}, 
AC  INVERTER  THERMAL  LIFE.  FOR  FAILURE  OF  THE  SPACEHAB 
INVERTER,  REFERENCE  RULE  {A9-354},  SPACEHAB  AC 
MANAGEMENT  .  ®[ED  ]  ®[ED  ] 

The  ARS  or  cabin  fan  is  required  to  maintain  airflow  for  heat  rejection  and  fire/ smoke  detection  in  the 
module.  The  cabin  fan  is  unpowered  but  configured  to  orbiter  AC  power  to  allow  it  to  sen’e  as  a  backup 
in  case  the  ARS  fan  or  Spacehcib  inverter  fails.  Without  switching  fans,  all  fire/ smoke  detection 
capability  is  lost.  Since  no  on-board  command  capability  exists  in  OPS  3  (SM  GPC  not  available),  the 
fans  will  be  reconfigured  via  ground  command.  The  aft  module  fan  uses  Spacehcib  DC  power  and  is  not 
powered  for  entry.  ®[1 1 1 501-5000  ] 
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A17-706  SPACEHAB  FAN  CONFIGURATIONS  (CONTINUED) 


RDM:  @[111501-5000] 

a.  HFA 

FAN 

1 

-  ON, 

USING  INVERTER 

POWER 

b .  HFA 

FAN 

2 

-  OFF, 

CONFIGURED  TO 

ORBITER  AC 

C.  ARS 

FAN 

_ 

OFF 

IF  HFA  FAN  1  FAILS,  IT  WILL  BE  COMMANDED  OFF  AND  HFA  FAN 
2  COMMANDED  ON  USING  ORBITER  AC  POWER  ASAP  PROVIDED  THE 
TOTAL  AC  LOAD  (ORBITER  +  SPACEHAB)  CAN  BE  MANAGED  TO  STAY 
WITHIN  LIMITS  SPECIFIED  IN  RULE  {A9-155},  AC  INVERTER 
THERMAL  LIFE.  FOR  FAILURE  OF  THE  SPACEHAB  INVERTER, 
REFERENCE  RULE  {A9-354},  SPACEHAB  AC  MANAGEMENT.  ®[ED  ] 
®[ED  ] 

An  HFA  fan  is  required  to  maintain  airflow  for  heat  rejection  and  fire/smoke  detection  in  the  module. 

HFA  fan  1  is  preferred  over  HFA  fan  2  because  contingency  commanding  is  only  available  to  turn  HFA 
fan  1  OFF  and  HFA  fan  2  ON.  HFA  fan  2  is  unpowered,  but  configured  to  orbiter  AC  to  allow  it  to 
serve  as  a  backup  in  case  HFA  fan  1  or  the  Spacehab  inverter  fails.  Without  switching  fans,  all 
fire/smoke  detection  capability  is  lost.  Since  no  on-board  command  capability  exists  in  OPS  3  (SM  GPC 
not  available),  the  fans  will  be  reconfigured  via  ground  command.  The  ARS  fan  is  OFF  during  entry  and 
is  not  considered  a  viable  option  to  regain  smoke  detection  should  both  HFA  fans  fail  (reference  Rule 
{. A17-601 j,  SPACEHAB  FIRE/SMOKE  DETECTION  LOSS).  ®[i  1 1 501 -5000  ] 

A17-707  THROUGH  A17  750  RULES  ARE  RESERVED 
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A18-553  SPACEHAB  SUBSYSTEM  PUMP  OPERATIONS  ®[l  11501-5012] 

A.  FOR  LOSS  OF  A  SINGLE  PHASE,  THE  SUBSYSTEM  WATER  PUMP  MAY 
CONTINUE  TO  BE  OPERATED  ON  TWO-PHASE  POWER. 

The  Subsystem  Water  Pump  was  operated  on  two  phases  during  preflight  testing.  The  Subsystem  Water 
Pump  may  be  operated  but  not  started  on  only  two  phases. 

If  the  Subsystem  Water  Pump  is  operating  on  the  Spacehab  INV  and  phase  A  fails,  the  pump  will  stop 
working  because  phase  A  of  the  Spacehab  INV  provides  the  sync  pulse  required  for  Spacehab  INV  phases 
B  and  C  to  operate.  However,  the  Subsystem  Water  Pump  will  continue  to  operate  on  the  Spacehab  INV 
on  two-phase  power  if  phase  A  continues  to  operate  with  either  phase  B  or  phase  C. 

B.  THE  FOLLOWING  SUBSYSTEM  WATER  PUMP  CONFIGURATION  WILL  BE  USED 
FOR  NOMINAL  SPACEHAB  SM/LDM  OR  RDM  OPERATIONS  FOR 
ASCENT/ENTRY  AND  ON-ORBIT: 

1.  ASCENT/ENTRY 

a.  POWERED  SPACEHAB  MODULE 

(1)  SUBSYSTEM  WATER  PUMP  1  -  ON,  USING  SPACEHAB 
INVERTER  POWER 

(2)  SUBSYSTEM  WATER  PUMP  2  -  OFF,  CONFIGURED  TO 
SPACEHAB  INVERTER  POWER 

FOR  FAILURE  OF  WATER  PUMP  1,  WATER  PUMP  2  WILL  BE 
COMMANDED  ON  ASAP  POST-MECO  OR  DURING  ENTRY.  FOR 
FAILURE  OF  THE  SPACEHAB  INVERTER,  REFERENCE  RULE 
{ A9-354  }  ,  SPACEHAB  AC  MANAGEMENT.  ®[ED  ] 

Subsystem  water  pump  2  is  configured  to  inverter  power  to  allow  it  to  serve  as  a  backup  in  case  pump  1 
fails.  Without  switching  pumps,  module  heat  rejection  is  lost.  Subsystem  water  pump  1  can  only  be 
powered  from  the  Spacehab  inverter.  Pump  2  can  be  powered  from  Spacehab  inverter  or  orbiter  AC 
power.  Since  no  on-board  command  capability  exists  in  OPS  1  (Single  Module  General  Purpose 
Computer  (SM  GPC)  not  available),  the  pumps  will  be  reconfigured  via  ground  command  post  MECO  or 
during  entry.  ®[1 1 1 501  -5012] 

THIS  RULE  CONTINUED  ON  NEXT  PAGE 
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A18-553  SPACEHAB  SUBSYSTEM  PUMP  OPERATIONS  (CONTINUED) 

b.  UNPOWERED  SPACEHAB  MODULE  ( SM/LDM  ASCENT  ONLY) 
@[111501-5012] 

SUBSYSTEM  WATER  PUMP  2  IS  CONFIGURED  ON  AND  TO 
ORBITER  POWER,  BUT  THE  PUMP  WILL  NOT  BE  OPERATING 
SINCE  ORBITER  AC  POWER  IS  NOT  AVAILABLE  TO  PAYLOADS 
DURING  ASCENT. 


When  the  Spacehab  module  is  unpowered  for  ascent,  this  configuration  allows  the  Spacehab  Subsystem 
Pump  to  be  activated  whenever  power  is  applied  to  the  payload  AC  bus  in  the  event  of  a  failure  that 
prevents  Spacehab  commanding.  Spacehab  is  always  powered  for  entry. 

2.  ON-ORBIT 

a.  SUBSYSTEM  WATER  PUMP  2  -  ON,  USING  ORBITER  AC 

b.  SUBSYSTEM  WATER  PUMP  1  -  OFF,  CONFIGURED  TO  SPACEHAB 
INVERTER  POWER 

PUMP  1  WILL  BE  COMMANDED  ON  FOR  FAILURE  OF  PUMP  2.  FOR 
FAILURE  OF  THE  SPACEHAB  INVERTER  OR  ORBITER  AC,  REFERENCE 
RULE  { A9-354  }  ,  SPACEHAB  AC  MANAGEMENT.  ®[ED  ] 

A  subsystem  water  pump  is  required  to  provide  heat  rejection  for  the  module.  Operation  of  either  pump 
on  Spacehab  inverter  power  is  acceptable,  but  orbiter  AC  power  is  preferred  to  maintain  pump  operation 
in  case  of  a  Spacehab  Main  Power  Kill.  Subsystem  pump  2  is  preferred  because  pump  1  cannot  be 
configured  to  orbiter  AC  power.  ®[1 11501-5012] 
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A18-556  RDM  CENTRALIZED  EXPERIMENT  WATER  LOOP  (CEWL) 

A.  LOST  IF:  @[111501-5013] 

1.  PUMP  ACCUMULATOR  QUANTITY  IS  ?  0  (3.4)  PERCENT  AND 

SYMPTOMS  OF  PUMP  CAVITATION  ARE  PRESENT. 


Spacehab  has  identified  this  percentage  as  an  indication  of  accumulator  failure;  3.4  percent  is  the  range 
of  uncertainty  of  the  quantity  sensor. 

2.  THERE  ARE  SYMPTOMS  OF  PUMP  CAVITATION  AND  THE  PUMP  INLET 
PRESSURE  IS  LESS  THAN  20  PSIA. 


Pump  will  operate  erratically  and  may  cavitate  at  pressures  less  than  specified  value. 

B.  FOR  LOSS  OF  THE  CEWL,  POWER  WILL  BE  REMOVED  FROM  EXPERIMENT 
COMPONENTS  BEING  COOLED  BY  THE  CEWL  IF  REQUIRED  TO  MAINTAIN 
THERMAL  LIMITS. 

C.  THE  CEWL  INLET  QD'  S  SHALL  BE  CAPPED  FOR  ASCENT/ENTRY  AND 
UNCAPPED  PRIOR  TO  ACTIVATING  THE  CEWL  PUMP. 


The  CEWL  inlet  QD’s,  when  uncapped,  provide  pressure  relief  capability  for  the  CEWL  when  active. 

This  pressure  relief  capability  is  a  safety  requirement  to  prevent  temperature  induced  over  pressurization 
of  the  CEWL  in  case  of  loss  of  flow.  Ascent/Entry  loads  may  cause  water  to  leak  into  the  Spacehab 
subfloor  from  the  CEWL  inlet  QD’s  if  not  capped. 

Reference:  Hazard  Report  RDM  HR-5.  ®[1 11501-5013] 
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A.  FOR  LOSS  OF  A  SINGLE  PHASE,  THE  CEWL  PUMP  MAY  CONTINUE  TO  BE 
OPERATED  ON  TWO-PHASE  POWER.  @[111501-5013] 

The  CEWL  pump  was  operated  on  two  phases  during  preflight  testing.  The  CEWL  pump  may  be 
operated  but  not  started  on  only  two  phases. 

If  the  CEWL  pump  is  operating  on  the  Spacehab  Aft  INV  and  phase  A  fails,  the  CEWL  pump  will  stop 
working  because  phase  A  of  the  Spacehab  INV  provides  the  sync  pulse  required  for  Spacehab  INV  phases 
B  and  C  to  operate.  However,  the  CEWL  pump  will  continue  to  operate  on  the  Spacehab  INV  on  two- 
phase  power  if  phase  A  continues  to  operate  with  either  phase  B  or  phase  C. 

B.  THE  ON-ORBIT  CEWL  PUMP  CONFIGURATION  FOR  NOMINAL  OPERATIONS 
IS  AS  FOLLOWS: 

1.  CEWL  PUMP  1  -  ON,  USING  ORBITER  AC  POWER 

2.  CEWL  PUMP  2  -  OFF,  CONFIGURED  TO  SPACEHAB  AFT  INVERTER 
POWER 

FOR  FAILURE  OF  CEWL  PUMP  1,  CEWL  PUMP  2  WILL  BE  AUTOMATICALLY 
COMMANDED  ON.  FOR  FAILURE  OF  THE  SPACEHAB  INVERTER  OR 
ORBITER  AC,  REFERENCE  RULE  {A9-354},  SPACEHAB  AC  MANAGEMENT. 

®[ED  ] 

CEWL  pump  1  is  considered  the  prime  pump  since  an  automatic  switchover  capability  exists  in  the  Aft 
Power  Distribution  Unit  (APDU)  logic  to  power  on  CEWL  pump  2  in  case  of  a  pump  1  failure.  This 
capability  does  not  exist  from  pump  2  to  pump  1.  Pump  2  is  configured  to  an  alternate  power  source  to 
allow  it  to  be  powered  in  case  the  power  source  to  pump  1  fails.  Orbiter  AC  is  considered  the  preferred 
source  for  the  prime  pump.  Operation  of  either  CEWL  pump  by  Spacehab  Aft  Inverter  or  orbiter  AC  is 
acceptable.  Whenever  CEWL  cooled  experiments  are  operating,  a  CEWL  pump  is  required  to  provide 
heat  rejection.  ®[i  1 1 05-501 3  ] 

A18-558  THROUGH  A18-600  RULES  ARE  RESERVED 
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A18-605  RDM  ROTARY  SEPARATOR  (RS)  OPERATIONS 

A.  THE  RS  SENSORS  SHALL  BE  POWERED  PRIOR  TO  RS  ACTIVATION. 

@[111501-5013] 

The  RS  sensors  can  be  powered  by  orbiter  AC  or  Spacehab  inverter  power.  The  sensors  must  be  active 
before  RS  activation  to  preven  t  RS  automatic  switchover. 

B.  THE  RS  MAY  BE  OPERATED,  BUT  NOT  STARTED  USING  ONLY  TWO-PHASE 
POWER. 

The  RS  was  operated  on  two  phases  during  preflight  testing.  The  RS  may  be  operated  but  not  started  on 
only  two  phases. 

If  the  RS  is  operating  on  the  Spacehab  Aft  INV  and  phase  A  fails,  the  RS  will  stop  working  because  phase 
A  of  the  Spacehab  INV  provides  the  sync  pulse  required  for  phases  B  and  C  to  operate.  However,  the  RS 
will  continue  to  operate  on  the  Spacehab  INV  on  tw’o-phase  power  if  phase  A  continues  to  operate  with 
either  phase  B  or  phase  C.  ®[1 11501-5013] 

C.  THE  RS  CONFIGURATION  FOR  ASCENT/ENTRY  WILL  BE  AS  FOLLOWS: 

@[111501-5013] 

1.  RS  1  -  ON,  USING  SPACEHAB  INVERTER  POWER 

2.  RS  2  -  OFF,  CONFIGURED  TO  SPACEHAB  INVERTER  POWER 

RS  1  WILL  BE  AUTOMATICALLY  COMMANDED  OFF  AND  RS  2  COMMANDED 
ON,  IF  RS  1  FAILS.  FOR  FAILURE  OF  THE  SPACEHAB  INVERTER, 
REFERENCE  RULE  {A9-354},  SPACEHAB  AC  MANAGEMENT.  ®[ED  ] 

RS  1  is  the  prime  RS  since  an  automatic  switchover  capability  exists  in  the  APDU  logic  to  power  on  RS  2 
in  case  of  an  RS  1  failure.  RS  2  is  configured  to  inverter  power  to  allow  it  to  ser\’e  as  a  backup  in  case  of 
an  RS  1  failure.  This  automatic  switchover  capability  does  not  exist  to  turn  on  RS  1  ifRS  2  fails. 
Therefore,  as  long  as  RS  1  is  operational,  it  will  always  be  prime.  RS  2  operating  would  indicate  failure 
ofRS  1.  An  operational  RS  is  required  to  maintain  moisture  removal  capability  in  the  Spacehab  module. 
Unlike  fans  and  pumps,  the  backup  RS  is  not  configured  to  orbiter  AC  because  it  is  not  critical  for  entry 
and  the  RS  switches  automatically  without  opportunity  for  flight  controller  intervention.  ®[1 11501-5013] 
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D.  THE  RS  CONFIGURATION  FOR  ON-ORBIT  OPERATIONS  WILL  BE  AS 
FOLLOWS : 


1 . 

RS 

1 

-  ON, 

USING  SPACEHAB 

INVERTER  POWER 

2  . 

RS 

2 

-  OFF, 

CONFIGURED  TO 

ORBITER  AC  POWER 

RS  1  WILL  BE  AUTOMATICALLY  COMMANDED  OFF  AND  RS  2  COMMANDED 
ON,  IF  RS  1  FAILS.  FOR  FAILURE  OF  THE  SPACEHAB  INVERTER  OR 
ORBITER  AC,  REFERENCE  RULE  {A9-354},  SPACEHAB  AC  MANAGEMENT. 

®[ED  ] 

RS  1  is  the  prime  RS  since  an  automatic  switchover  capability  exists  in  the  APDU  logic  to  power  on  RS  2 
in  case  of  an  RS  1  failure.  This  automatic  switchover  capability  does  not  exist  to  turn  on  RS  1  ifRS  2 
fails.  Therefore,  as  long  as  RS  1  is  operational,  it  will  always  be  prime.  RS  2  operating  would  indicate  a 
failure  in  RS  1.  It  is  preferred  for  RS  1  to  remain  on  Spacehcib  aft  inverter  power  from  the  ascent 
configuration.  RS  2  is  commanded  to  orbiter  AC  to  allow  RS  2  to  be  powered  by  an  alternate  source  in 
case  of  a  Spacehcib  aft  inverter  failure.  Operation  of  either  RS  from  Spacehcib  inverter  power  or  orbiter 
AC  power  is  acceptable.  An  operational  RS  is  required  to  maintain  moisture  removal  capability  in  the 
Spacehcib  module.  The  Spacehcib  inverters  are  the  preferred  source  of  power  for  the  prime  RS  in  order 
to  off  load  orbiter  AC  power.  ®[1 1 1 501  -5013] 
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ALL  FLIGHTS 
VOLUME  A 
FINAL 
PREFACE 


THIS  DOCUMENT,  VOLUME  A,  FINAL,  DATED  JUNE  20,  2002,  IS  THE  GENERIC 
VERSION  OF  THE  SPACE  SHUTTLE  OPERATIONAL  FLIGHT  RULES  AND  IS  INTENDED 
TO  BE  USED  IN  CONJUNCTION  WITH  THE  SPACE  SHUTTLE  OPERATIONAL  FLIGHT 
RULES  ANNEX  (NSTS-18308)  WHICH  CONTAINS  THE  FLIGHT  SPECIFIC  RULES. 
INCLUDED  IN  THIS  PUBLICATION  ARE  FLIGHT  RULE  CHANGES  APPROVED  IN 
FLIGHT  RULES  CONTROL  BOARD  ( FRCB )  MEETINGS  137,  138,  AND  139  HELD  ON 

MARCH  28,  APRIL  25,  AND  MAY  23,  2002,  RESPECTIVELY. 

THIS  DOCUMENT  USES  A  NEW  RULE  NUMBER  SYSTEM  DESIGNED  TO  FACILITATE 
NEW  DATABASES  FOR  MAINTAINING  CONFIGURATION  MANAGEMENT  OF  JOINT 
SHUTTLE-ISS  ANNEXES,  SPACE  SHUTTLE  OPERATIONAL  FLIGHT  RULES,  VOLUME 
A;  ISS  GENERIC  OPERATIONAL  FLIGHT  RULES,  VOLUME  B;  JOINT  SHUTTLE/ISS 
GENERIC  OPERATIONAL  FLIGHT  RULES,  VOLUME  C;  AND  SO YUZ /PROGRESS/ ISS 
JOINT  FLIGHT  RULES,  VOLUME  D. 

IT  IS  REQUESTED  THAT  ANY  ORGANIZATION  HAVING  COMMENTS,  QUESTIONS,  OR 
SUGGESTIONS  CONCERNING  THESE  FLIGHT  RULES  CONTACT  DA8/W.  PRESTON  DILL, 
FLIGHT  DIRECTOR  OFFICE,  BUILDING  4  NORTH,  ROOM  3039,  PHONE  281-483-5418. 

ALL  FLIGHT  RULES  ARE  AVAILABLE  ON  THE  INTERNET.  THE  URL  IS: 

HTTP: //MOD. JSC.NASA.GOV/DA8.  NO  ID  OR  PASSWORD  WILL  BE  REQUIRED  TO 
ACCESS  ANY  OF  THE  RULES  PROVIDED  THE  USER  IS  ACCESSING  FROM  A  TRUSTED 
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SECTION  1  -  OPERATIONS  POLICY,  GENERAL  AND  DEFINITIONS 


OPERATIONS  POLICY 


Al-1  FLIGHT  RULE  PURPOSE 

THE  FLIGHT  RULES  OUTLINE  PREPLANNED  DECISIONS  DESIGNED  TO 
MINIMIZE  THE  AMOUNT  OF  REAL-TIME  RATIONALIZATION  REQUIRED  WHEN 
NON -NOMINAL  SITUATIONS  OCCUR  FROM  THE  START  OF  THE  TERMINAL 
COUNTDOWN  THROUGH  CREW  EGRESS  OR  GROUND  SUPPORT  EQUIPMENT  (GSE) 
COOLING  ACTIVATION,  WHICHEVER  OCCURS  LATER. 


Self-explanatory. 


Al-2  REAL-TIME  OPERATING  POLICY 

A.  MISSION  SUCCESS  RELATED  REAL-TIME  DECISIONS  WILL  BE  MADE 
WITHIN  THE  FRAMEWORK  OF  THE  ESTABLISHED  SHUTTLE  OPERATING 
BASE  DOCUMENTED  AS  FOLLOWS : 

1.  PREMISSION  DECISIONS  -  STS  OPERATIONAL  FLIGHT  RULES  AND 
STS  OPERATIONAL  FLIGHT  RULES  FLIGHT-SPECIFIC  ANNEX 
DEVELOPED  USING  THE  SYSTEM  PERFORMANCE  CAPABILITIES 
DOCUMENTED  IN  THE  SHUTTLE  OPERATIONAL  DATA  BOOK  (SODB) . 

2.  PROGRAM  CERTIFIED  CAPABILITY  -  REAL-TIME  INTERPRETATION 
OF  THE  REQUIREMENTS  WILL  BE  MADE  CONSISTENT  WITH 
AUTHORITY  DEFINED  HEREIN. 

B.  CREW  SAFETY  RELATED  DECISIONS  WILL  BE  MADE  WITHIN  THE 
FRAMEWORK  OF  ESTABLISHED  SHUTTLE  OPERATING  BASE  (PARAGRAPH  A 
ABOVE)  WHEN  PRACTICAL.  WHEN  TIME  OR  CIRCUMSTANCES  DO  NOT 
ALLOW  STAYING  WITHIN  THE  OPERATING  BASE,  THE  RESPONSIBLE 
AUTHORITY  MAY  CHOOSE  TO  TAKE  ANY  NECESSARY  ACTION  TO  ENSURE 
THE  SAFETY  OF  THE  SHUTTLE  AND  CREW. 

C.  WHERE  POSSIBLE  CONTINGENCY  MANAGEMENT  WILL  BE  EMPLOYED  TO 
PROVIDE  FOR  LANDING  AT  THE  PRIMARY  OR  SECONDARY  LANDING  SITE 
AND  TO  PROVIDE  THE  MAXIMUM  POSSIBLE  GUIDANCE,  NAVIGATION,  AND 
CONTROL  CAPABILITY  FOR  ENTRY  AND  LANDING. 


Self-explanatory. 

Rule  { Al-51 ,  FLIGHT  DIRECTOR  AUTHORITY,  references  this  rule. 
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Al-3  PROGRAM  LIFETIME  OPERATING  POLICY 

SYSTEMS  MANAGEMENT  FOR  NOMINAL  OPERATION  WILL  OBSERVE  THE  PROGRAM 
(MULTIPLE  FLIGHT)  LIFETIME  OPERATING  LIMITS  AND/OR  CONSTRAINTS 

PER  THE  SODB.  HOWEVER,  THOSE  LIMITS  AND/OR  CONSTRAINTS  MAY  BE 

VIOLATED  FOR  CONTINGENCY  OPERATIONS  AS  FOLLOWS: 

A.  SINGLE-FLIGHT  CONTINGENCY  MANAGEMENT  LIMITS  AND/OR 
CONSTRAINTS  MAY  BE  USED  IF  AGREED  TO  PREFLIGHT  OR  WITH  THE 
CONCURRENCE  OF  THE  MISSION  MANAGEMENT  TEAM  (MMT )  IN  REAL 
TIME  . 

B.  IF  THE  SINGLE-FLIGHT  LIMITS  MUST  BE  VIOLATED,  THE  BEST 
ENGINEERING  JUDGMENT  ON  THE  LIMITS/CONSTRAINTS  THAT  PROVIDE 
THE  HIGHEST  PROBABILITY  OF  SUCCESSFUL  RECOVERY  OF  THE  CREW 
AND  ORBITER  WILL  BE  USED. 


Self-explanatory. 


Al-4  MISSION  MANAGEMENT  TEAM  (MMT)  AUTHORITY 

DURING  FLIGHT,  THE  MMT  CHAIRMAN  IS  RESPONSIBLE  FOR  NEAR  REAL-TIME 
POLICY  DECISIONS  AND  WILL  BE  CONSULTED  AS  SOON  AS  POSSIBLE 
WHENEVER  OPERATIONS  OUTSIDE  THE  SHUTTLE  OPERATING  BASE  ARE 
REQUIRED . 


Self-explanatory. 


VOLUME  A  06/20/02  FINAL  GENERAL,  AUTHORITY,  1-2 

AND  DEFINITIONS 

Verify  that  this  is  the  correct  version  before  use. 


NASA  -  JOHNSON  SPACE  CENTER 


FLIGHT  RULES 


Al-5  FLIGHT  DIRECTOR  AUTHORITY 

A.  THE  FLIGHT  DIRECTOR  IS  RESPONSIBLE  FOR  OVERALL  DIRECTION 

OF  SHUTTLE  FLIGHTS  FROM  SOLID  ROCKET  BOOSTER  ( SRB)  IGNITION 
UNTIL  CREW  EGRESS  OR  GSE  COOLING  ACTIVATION,  WHICHEVER  OCCURS 
LATER: 

1.  THE  FLIGHT  DIRECTOR  IS  RESPONSIBLE  FOR  REAL-TIME 
IMPLEMENTATION  OF  OPERATIONS  WITHIN  THE  FRAMEWORK  OF  THE 
SHUTTLE  OPERATING  BASE  (REFERENCE  (REF.)  RULE  {Al-2}, 
REAL-TIME  OPERATING  POLICY) . 

2.  THE  FLIGHT  DIRECTOR  IS  RESPONSIBLE  FOR  PROVIDING 
RECOMMENDATIONS  AND/OR  OPTIONS  TO  THE  MMT  FOR  NEAR 
REAL-TIME  DECISIONS  WHEN  OPERATING  OUTSIDE  THE 
FRAMEWORK  OF  THE  MISSION  RULES  OR  THE  SHUTTLE 
OPERATING  BASE. 

B.  THE  FLIGHT  DIRECTOR,  AFTER  ANALYSIS  OF  THE  FLIGHT  CONDITION, 
MAY  CHOOSE  TO  TAKE  ANY  NECESSARY  REAL-TIME  ACTION  REQUIRED  TO 
ENSURE  THE  SAFETY  OF  THE  CREW  AND  SHUTTLE. 

C.  THE  FLIGHT  DIRECTOR  WILL  PROVIDE  THE  DEFINITIVE  LAUNCH  WINDOW 
OPEN,  CLOSE,  RENDEZVOUS  PANE  CHANGE  AND  LOX  DRAINBACK  TIME. 
@[041097-4911  A] 

D.  THE  FLIGHT  DIRECTOR  WILL  INITIATE  THE  ABORT  REQUEST  COMMAND 
FROM  THE  MCC. 

E.  THE  FLIGHT  DIRECTOR  IS  RESPONSIBLE  FOR  CALLING  A  LAUNCH 
"HOLD"  FOR  ALL  PROBLEMS  THAT  JEOPARDIZE  THE  ABILITY  TO  SAFELY 
MONITOR  AND  RECOVER  THE  ORBITER  AND  CREW  AFTER  LAUNCH.  THIS 
INCLUDES  PROBLEMS  IN  THE  FOLLOWING  AREAS:  MISSION  CONTROL 
CENTER  (MCC)  ,  SPACECRAFT  TRACKING  AND  DATA  NETWORK  ( STDN )  , 
LANDING  AREA  FACILITIES,  AND  ABORT  LANDING  AREA  WEATHER. 

F.  THE  FLIGHT  DIRECTOR  IS  RESPONSIBLE  FOR  OVERALL  CONTROL  OF  THE 
MCC  COMMAND  UPLINK  CAPABILITY. 

G.  THE  FLIGHT  DIRECTOR  IS  RESPONSIBLE  FOR  POSTLANDING  ORBITER 
SYSTEMS  CONFIGURATION  AND  SAFING  THROUGH  CREW  EGRESS  OR  GSE 
COOLING  ACTIVATION,  WHICH  EVER  OCCURS  LATER.  @[041097-491 1  A] 


Self-explanatory. 
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Al-6  SHUTTLE  COMMANDER  AUTHORITY 

A.  THE  COMMANDER  WILL  ASSUME  RESPONSIBILITY  FOR  CONDUCT  OF  THE 
FLIGHT  WITHIN  THE  FRAMEWORK  OF  THE  FLIGHT  RULES,  IF  UNABLE  TO 
COMMUNICATE  WITH  MCC . 

B.  THE  COMMANDER  MAY  INITIATE  SUCH  ACTION  AS  HE  DEEMS  ESSENTIAL 
FOR  CREW  SAFETY. 


Self-explanatory. 

Rule  {A2-251},  BAILOUT,  references  this  rule. 


Al-7  FLIGHT  CONTROL  ROOM  (FCR)  SURGEON  AUTHORITY 

A.  THE  FCR  SURGEON  WILL  BE  CONSULTED  ON  ALL  CONDITIONS  WHICH 
DEAL  WITH  CREW  HEALTH. 

B.  THE  FCR  SURGEON  IS  RESPONSIBLE  FOR  EVALUATION  OF  ANY  CHANGE 
IN  CREW  HEALTH  STATUS  AND  MAKING  RECOMMENDATIONS  TO  THE 
FLIGHT  DIRECTOR  REGARDING  ANY  REQUIRED  CHANGES  IN  MISSION 
DURATION  OR  CREW  ACTIVITIES. 

Al-8  WEATHER  DECISION  AUTHORITY 

A.  THE  JOHNSON  SPACE  CENTER  (JSC)  MCC  FLIGHT  DIRECTOR  IS 
RESPONSIBLE  FOR  LAUNCH  ABORT  LANDING  AND  END-OF-MI SS ION 
WEATHER  DECISIONS  AND  ASSOCIATED  RECOMMENDATIONS  TO  THE  MMT 
CHAIRMAN. 

B.  THE  KENNEDY  SPACE  CENTER  (KSC)  LAUNCH  DIRECTOR  IS  RESPONSIBLE 
FOR  THE  LAUNCH  DECISION  FOR  WEATHER  ACCEPTABILITY  AT  THE 
LAUNCH  PAD  FOR  ASCENT  TRAJECTORY  AND  ASSOCIATED 
RECOMMENDATIONS  TO  THE  MMT  CHAIRMAN. 


Self-explanatory. 
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Al-9  POSTLANDING  DECISION  AUTHORITY 

A.  FLIGHT  DIRECTOR 

THE  FLIGHT  DIRECTOR  IS  RESPONSIBLE  FOR  POSTLANDING  ORBITER 
SYSTEMS  CONFIGURATION  AND  SAFING  THROUGH  CREW  EGRESS  OR  GSE 
COOLING  ACTIVATION,  WHICHEVER  OCCURS  LATER.  THIS  INCLUDES: 

1.  IN-FLIGHT  CONTINGENCIES. 

2.  OFF-NOMINAL  AND  CONTINGENCY  LANDING  OPERATIONS  (THROUGH 
CREW  EGRESS)  AS  LONG  AS  COMMUNICATIONS  EXIST  BETWEEN  THE 
ORBITER  AND  MCC-HOUSTON  (MCC-H) . 


The  flight  director  will  support  postlanding  operations  by  ensuring  correct  configuration  of  orbiter 
systems  to  allow  convoy  activities  to  proceed.  Assessment  of  the  external  environment  to  allow  safe 
crew  egress  and  continued  postlanding  operations  is  the  responsibility  of  convoy  personnel. 

B .  CONVOY  COMMANDER 

THE  CONVOY  COMMANDER  IS  RESPONSIBLE  FOR  THE  ORBITER  SAFETY 
INSPECTION/HAZARD  ASSESSMENT  AND  ASSOCIATED  IMPACT  TO  CREW  EGRESS 
AND  CONVOY  OPERATIONS.  THE  FLIGHT  DIRECTOR  WILL  BE  NOTIFIED  OF 
ANY  EXPLOSIVE,  FLAMMABLE,  OR  TOXIC  CONDITIONS  THAT  WILL 
PRECLUDE/DELAY  NORMAL  CREW  EGRESS. 


The  orbiter  inspection/hazard  assessment  will  be  accomplished  by  on-site  convoy  personnel  who  are 
in  the  best  position  to  determine  if  unsafe  conditions  exist  (explosive,  flammable,  toxic,  smoke,  etc.). 
Violation  of  identified  “safe  criteria”  will  result  in  termination  of  convoy  activities  and  crew  egress  as 
recommended  by  the  convoy  commander  ( reference  Postlanding  Operations  Maintenace  Instruction 
(OMI)for  hazard  assessment  criteria). 

THIS  RULE  CONTINUED  ON  NEXT  PAGE 
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Al-9  POSTLANDING  DECISION  AUTHORITY  (CONTINUED) 

C.  LANDING  RECOVERY  DIRECTOR  (LRD) /GROUND  OPERATIONS  MANAGER 
(GOM) 

THE  LRD  OR  THE  GOM  IS  RESPONSIBLE  FOR  THE  COORDINATION  OF 
DECLARED  POSTLANDING  MODE  V  THROUGH  MODE  VII  EGRESS /ESCAPE 
MODES  PLUS  ORBITER  POSTLANDING  ACTIVITIES  POST-MCC  HANDOVER. 

Coordinating  contingency  operations  at  any  time  during  a  mission  should  be  accomplished  by  the  person 
in  charge  with  the  most  current,  reliable  information  and  communications  capabilities  that  ensure  the 
proper  resources  are  employed  to  save  life  and  property.  During  a  landing  at  an  augmented  landing  site 
(ALS),  (primary  landing  site  (PLS),  secondary  landing  site  (SLS),  or  transoceanic  abort  landing  (TAL) 
site),  the  LRD/GOM  is  best  able  to  coordinate  this  effort.  At  a  Departmen  t  of  Defense  (DOD)  emergency 
landing  site  (  ELS),  this  coordination  is  best  handled  by  the  on-scene  commander.  In  certain  situations, 
however,  the  Flight  Director  is  in  the  best  position  to  coordinate  contingency  operations.  These  are  as 
follows: 

a.  For  in-flight  emergencies,  the  flight  director  (in  conjunction  with  the  flightcrew)  is  best  able  to 
determine  when  a  contingency  situation  exists  and  is  responsible  for  conduct  of  the  flight  until 
crew  egress. 

b.  When  outside  the  operating  radius  of  cm  ALS  or  DOD  ELS,  the  flight  director,  again  in 
conjunction  with  the  crew,  is  in  the  best  position  to  coordinate  contingency  operations  and 
to  see  that  the  appropriate  actions  are  initiated  up  to  and  including  crew  egress. 
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Al-10  POSTLANDING  EMERGENCY  DECLARATION 

OFFICIAL  DECLARATION  OF  A  POSTLANDING  EMERGENCY  (MODE  V  THROUGH 
MODE  VII)  CAN  BE  MADE  BY  THE  LRD ,  FLIGHT  DIRECTOR,  GOM,  CONVOY 
COMMANDER,  OR  FLIGHTCREW.  IN  ADDITION  FOR  ELS  LANDINGS,  THIS 
DECLARATION  MAY  BE  MADE  BY  THE  DOD  ON-SCENE  COMMANDER.  TIME  AND 
CIRCUMSTANCES  PERMITTING,  COORDINATION  WITH  THE  FLIGHT  DIRECTOR 
WILL  BE  ACCOMPLISHED. 

A  postlanding  emergency  (Mode  V  through  Mode  VII)  should  be  declared  so  that  everyone  involved  is 
aware  of  the  situation  and  can  take  the  proper  actions  or  precautions  to  protect  both  equipment  and 
life.  For  this  reason,  the  first  of  the  following  individuals  that  would  discover  that  the  emergency 
exists  would  make  the  declaration:  LRD,  flight  director,  GOM,  convoy  commander,  on-scene 
commander,  or  flightcrew.  Any  of  the  above  individuals  have  the  communication  capabilities  to  ensure 
that  everyone  involved  is  aware  of  the  emergency.  If  time  is  available  and  the  circumstances  allow, 
coordination  with  the  flight  director  will  ensure  that  the  most  current  information  concerning  the 
status  of  the  crew  and  the  orbiter  is  available  for  dealing  with  the  emergency. 
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Al-ll  SEARCH  AND  RESCUE  RESPONSIBILITY 

FOR  MODE  VII,  SEARCH  AND  RESCUE  RESPONSIBILITY  REVERTS  FROM  THE 
LOCAL  SITE  COMMANDER  TO  THE  APPROPRIATE  SEARCH  AND  RESCUE  (SAR) 
PLAN,  WHEN  IMPACT  IS: 


A.  FOR  EDWARDS  (EDW),  OUTSIDE  THE  BOUNDARIES  OF  THE  BASE. 

B.  FOR  NORTHRUP  (NOR),  GREATER  THAN  25  NM  RADIUS  OF  THE  WHITE 
SANDS  SPACE  HARBOR  (WSSH)  TACAN . 

C.  FOR  KSC,  GREATER  THAN  25  NM  RADIUS  OF  THE  KSC  TACAN, 
EXCLUDING  THE  ATLANTIC  OCEAN. 


Within  the  local  contingency  area  for  KSC,  the  DOD  will  support  NASA’s  rescue/recovery  operations 
by  providing  two  helicopters  configured  for  Medivac. 

At  Edwards  Air  Force  Base  (EAFB),  the  Commander  of  Air  Force  Flight  Test  Center  (AFFTC)  has 
complete  responsibility  for  all  efforts  involving  astronaut  recovery,  fire  fighting,  and  security.  The 
DOD  will  provide  support  as  necessary. 

At  WSSH,  the  DOD  has  varying  degrees  of  responsibility  and  basically  will  provide  support  for  search 
and  rescue  within  the  limitations  of  their  equipment. 

All  of  the  above  support  is  provided  within  the  limits  of  the  site  as  described  in  this  rule.  Outside  of  that 
limit,  search  and  rescue  operations  will  be  conducted  in  accordance  with  applicable  SAR  plans.  These 
plans  identify  the  areas  of  responsibility  and  the  controlling  agencies. 


Al-12  ORBITER  EMERGENCY  LANDING  SITE  (ELS)  AUTHORITY 

FOR  ELS  LANDINGS,  THE  FLIGHTCREW  HAS  ON-SCENE  RESPONSIBILITY 
FOR  THE  ORBITER  UNTIL  ARRIVAL  OF  THE  KSC  RAPID  RESPONSE  TEAM 
(APPROXIMATELY  LANDING  PLUS  24  HOURS) .  THE  LANDING  AND 
RECOVERY  DIRECTOR  (LRD)  IS  RESPONSIBLE  FOR  ANSWERING  ORBITER 
HANDLING  QUESTIONS  FROM  ELS  PERSONNEL. 

For  a  landing  at  an  ELS,  the  crew  will  have  the  responsibility  for  the  orbiter  until  the  KSC  Rapid 
Response  Team  is  able  to  arrive.  The  crew  will  have  a  checklist  to  follow  and  may  be  able  to  obtain 
help  from  the  U.  S.  Embassy  in  securing  and  protecting  the  orbiter.  Communications  to  the  ELS  will 
be  provided  as  best  as  possible  through  the  JSC  Landing  Support  Officer  (LSO),  and  any  questions 
that  the  ELS  personnel  may  have  regarding  the  handling  of  the  orbiter  will  be  provided  by  the  person 
responsible  for  the  recovery,  the  LRD  at  KSC. 
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Al-13  MCC  REAL-TIME  COMMAND  COORDINATION  POLICY 

A.  THE  FLIGHT  DIRECTOR  WILL  APPROVE  ALL  COMMAND  OPERATIONS. 

@[092293-1547] 

The  flight  director  is  responsible  for  the  integrity  of  the  command  system/process  and  for  insuring  that 
all  commands  to  the  shuttle  are  safely  and  properly  executed. 

B.  ROUTINE  COMMAND  OPERATIONS  CAN  BE  PERFORMED  WITHOUT  A  "GO" 
FROM  THE  FLIGHT  DIRECTOR  FOR  EACH  ROUTINE  FUNCTION. 

Thousands  of  routine  commands  must  be  sent  to  the  vehicle  each  flight  to  manage  comm  systems, 
instrumen  tation  systems,  recorders,  video  systems,  etc.  Requiring  flight  director  approval  for  these 
operations  continuously  is  not  appropriate  and  prevents  efficient  operations.  Risk  associated  with 
these  routine  commands  is  considered  low.  The  flight  director  may  identify  critical  time  periods  where 
even  routine  commands  require  coordination. 

C.  NONSTANDARD  COMMAND  ACTIVITY  (NOT  OPERATING  PER  A  REVIEWED, 
APPROVED,  AND  PUBLISHED  PROCEDURE  OR  ANY  EXECUTION  OF  A 
PROCEDURE  THAT  IS  NOT  ROUTINELY  PERFORMED  EACH  MISSION)  MUST 
BE  REVIEWED  BY  THE  FLIGHT  CONTROL  TEAM  AND  BE  APPROVED  BY  THE 
FLIGHT  DIRECTOR. 

Nonstandard  command  activity  contains  increased  possibilities  for  command  errors.  Flight  control  team 
review  and  flight  director  approval  are  the  techniques  used  to  reduce  the  possibility  of  command  errors. 
These  techniques  must  be  utilized  whenever  a  procedure  is  developed  or  modified  in  real  time  because 
the  standard  preflight  command  procedure  review  has  not  been  accomplished.  These  techniques  must 
also  be  used  on  infrequently  used  or  modified  procedures  in  order  to  assure  that  the  procedures  are 
current  and  compatible  with  recent  changes  in  shuttle  hardware  and  software  as  well  as  ground 
hardware  and  software. 
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Al-13  MCC  REAL-TIME  COMMAND  COORDINATION  POLICY 

(CONTINUED) 

D.  ANY  REAL-TIME  MODIFICATIONS  TO  PREFLIGHT  APPROVED  COMMAND 
PROCEDURES  MUST  BE  REVIEWED  BY  THE  FLIGHT  CONTROL  TEAM  AND 
APPROVED  BY  THE  FLIGHT  DIRECTOR. 

Modified  procedures  need  to  be  reviewed  just  as  the  procedures  specified  in  paragrapgh  C  above  require 
review. 

E.  COMMANDS  SHALL  ONLY  BE  BUILT  BY  CERTIFIED  FLIGHT  CONTROLLERS 
AND  EXECUTED  BY  COMMAND  CERTIFIED  FLIGHT  CONTROLLERS. 

Command  certification  is  required  to  reduce  command  error  risk  by  insuring  that  personnel  are  properly 
trained  and  certified  to  accomplish  the  necessary  command  functions  without  error. 

F.  ANY  ANOMALIES  IN  COMMAND  OPERATIONS  WILL  BE  BROUGHT  TO  THE 
ATTENTION  OF  THE  FLIGHT  DIRECTOR  IMMEDIATELY. 

The  flight  director  is  responsible  for  command  operations  and  any  deviations  from  command  operations. 
The  flight  director  is  also  responsible  for  main  tain  ing  the  in  tegrity  and  safety  of  command  operations. 
The  flight  director  must  be  notified  immediately  of  any  problems  or  off-nominal  activity  with  respect  to 
any  procedure  to  assure  corrective  action  coordination  and  safe  resumption  of  command  activity. 

G.  THE  FLIGHT  DIRECTOR  WILL  EXERCISE  POSITIVE  CONTROL  AND  BE 
DIRECTLY  INVOLVED  THROUGH  STATUS  AND  APPROVAL  AT  MAJOR  STEPS 
IN  ALL  NONSTANDARD  COMMAND  PROCEDURES. 

When  executing  nonstandard  or  critical  commands  which  create  more  risk  to  the  vehicle/ command 
operations  than  routine  commanding,  the  flight  director  will  provide  another  level  of  operational 
awareness  and  control  to  assure  the  safe  and  proper  execution  of  the  required  command  functions. 
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Al-13  MCC  REAL-TIME  COMMAND  COORDINATION  POLICY 

(CONTINUED) 


H.  INCO  IS  THE  PRIME  UPLINK  OPERATOR  AND  ALL  FLIGHT  CONTROL 

POSITIONS  WILL  COORDINATE  THEIR  COMMAND  ACTIVITIES  THROUGH 

INCO. 

The  INCO  and  the  INCO  MPSR  perform  the  majority  of  all  commanding  to  the  shuttle  and  are  aware  of 
the  systems/uplink  and  downlink  status.  Because  multiple  command  operations/operators  can  lead  to 
command  execution  problems  and  errors,  all  command  activities  will  be  coordinated  through  INCO  and 
the  INCO  MPSR  to  reduce  the  possibility  of  having  command  problems. 

I.  FLIGHT  CONTROLLERS  REQUESTING  COMMAND  ACTIVITIES  ARE 

RESPONSIBLE  FOR: 

1.  PROPERLY  GENERATING  THE  COMMAND  DATA 

2.  CLEARLY  COMMUNICATING  THE  COMMAND  REQUEST  AND  COMMANDS  TO 
THE  FLIGHT  CONTROLLER  EXECUTING  THE  COMMANDS  (AS  WELL  AS 
THE  FLIGHT  CONTROL  TEAM/FLIGHT  DIRECTOR  IF  REQUIRED) 

3.  REMAINING  IN  COMMUNICATION  WITH  THE  EXECUTING  FLIGHT 
CONTROLLER  THROUGHOUT  THE  COMMAND  SEQUENCE 

4.  VERIFYING  THE  PROPER  EXECUTION  OF  THE  REQUIRED  COMMANDS 
PRIOR  TO  PROCEEDING  TO  THE  NEXT  COMMAND  (VIA  COMMAND 
TRACK  DISPLAYS  OR  END  ITEM  FUNCTIONS) 

5.  REPORTING  THE  RESULTS  OF  THE  COMMAND  TO  THE  FLIGHT 
DIRECTOR 


Responsibilities  of  the  flight  controllers  must  be  established  to  assure  that  command  activities  are 
performed  in  a  safe  and  proper  manner.  The  INCO  and  flight  control  tecim/flight  director  may  not  know 
all  of  the  ramifications  of  a  particular  command  sequence  and  must  be  informed  clearly  of  the  procedure 
and  expectations  and  risks  associated  with  it. 
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Al-13  MCC  REAL-TIME  COMMAND  COORDINATION  POLICY 

(CONTINUED) 


J.  COMMAND  ACTIVITIES  TO  THE  SHUTTLE  OR  PAYLOADS  DURING  PERIODS 

OF  CREW  SLEEP  WILL  ONLY  BE  ALLOWED  IN  THE  FOLLOWING  CASES: 

1.  THE  COMMANDS  HAVE  BEEN  PREVIOUSLY  COORDINATED  WITH  THE 
CREW,  EITHER  INDIVIDUALLY  OR  AS  PART  OF  A  PAYLOAD  COMMAND 
PLAN. 

2.  THE  COMMANDS  ARE  NECESSARY  TO  PREVENT  NUISANCE  ALARMS 
THAT  WILL  DISTURB  THE  CREW  SLEEP. 

3.  THE  COMMANDS  ARE  THE  ROUTINE/CONTINUOUS  COMMANDS  REQUIRED 
FOR  COMMUNICATIONS  CONFIGURATION  (E.G.,  RECORDERS,  VIDEO, 
COMM  SYSTEMS  MANAGEMENT) . 

4.  STATE  VECTOR  UPDATES  REQUIRED  TO  MAINTAIN  SHUTTLE 
EMERGENCY  DEORBIT  CAPABILITY. 


In  order  to  mitigate  the  risk  of  unanticipated  command  effects,  only  necessary  commands  will  be  sent 
during  crew  sleep  periods.  Special  testing  or  comm  related  DTO’s  are  not  considered  necessary 
commanding,  as  well  as  any  other  command  operations  that  could  result  in  disturbing  the  crew 
and/or  disruption  of  mission  activities. 

K.  ALL  TYPES  OF  COMMANDS  WILL  BE  COORDINATED  WITH  THE  ORBITER 

FLIGHTCREW  AND  MCC  FLIGHT  DIRECTOR  PRIOR  TO  BEING  TRANSMITTED 
WITH  THE  EXCEPTION  OF: 

1.  ROUTINE  ORBITER  COMMUNICATIONS  COMMANDS  (TRANSPARENT  TO 
CREW) . 

2.  NONHAZARDOUS  PAYLOAD  COMMANDS  (PREFLIGHT  APPROVED). 

With  the  exception  of  routine  communications  systems  commands  and  nonhazardous  commands,  most 
command  uplinks  directly  affect  the  systems  being  used  by  the  flightcrew  for  control  of  the  vehicle  or 
payload.  To  ensure  that  the  flightcrew  has  current  status  of  vehicle  or  payload  systems  in  the  event  of 
loss  of  communications,  and  to  ensure  that  the  flightcrew  and  ground  are  not  in  competition  for  use  of  a 
particular  orbiter  or  payload  facility,  the  flightcrew  shall  be  informed  of  the  transmission  of  command 
uplinks. 
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Al-51  VEHICLE  SYSTEM  LIMITS 

SYSTEMS  LIMITS  LISTED  IN  THESE  RULES  INCLUDE  THE  ACTUAL  VEHICLE 
LIMITS  FOLLOWED  BY  A  NUMBER  IN  (  )  WHICH  IS  THE  NUMBER  BIASED  FOR 
INSTRUMENTATION  INACCURACIES  AND  REPRESENTS  THE  NUMBER  ON  WHICH 
FLIGHT  CONTROL  ACTION  WILL  BE  TAKEN.  IN  THE  EVENT  ONLY  ONE 
NUMBER  IS  INDICATED,  IT  WILL  BE  ASSUMED  THAT  INSTRUMENTATION 
INACCURACY  CANNOT  BE  INCORPORATED  OR  IS  IRRELEVANT.  IN  THOSE 
CASES  WHERE  TWO  SETS  OF  ENGINEERING  UNITS  ARE  INDICATED,  THE 
SECOND  SET  WILL  BE  SEPARATED  FROM  THE  FIRST  BY  A  SLASH;  I.E., 

XX  DEG  F/YY  DEG  C  (XX  DEG  F/YY  DEG  C) . 


Self-explanatory. 


Al-52  INTERIM  OR  UNCONFIRMED  LIMITS 

FLIGHT  RULE  LIMITS  THAT  ARE  CONSIDERED  TO  BE  INTERIM  OR 
UNCONFIRMED  NUMBERS  WILL  BE  UNDERLINED  IN  THIS  PUBLICATION  AND  IN 
ALL  SUBSEQUENT  REVISIONS  UNTIL  THE  NUMBERS  ARE  CONFIRMED  BY  THE 
RESPONSIBLE  NASA  ORGANIZATION. 


Self-explanatory. 


Al-53  MANDATORY  INSTRUMENTATION  REQUIREMENTS 

UNLESS  STATED  OTHERWISE,  MANDATORY  INSTRUMENTATION  REQUIREMENTS 
CAN  BE  SATISFIED  BY  EITHER  ONBOARD  OR  TELEMETRY  CAPABILITY. 


Self-explanatory. 
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Al-54  FAILURE  DEFINITION  APPLICATION 

FAILURE  DEFINITIONS  IN  THIS  DOCUMENT  REFER  TO  LIMITS  TO  BE 
APPLIED  FOR  GO/NO-GO  DECISIONS  TO  CONTINUE  BEYOND  A  PREFERRED 
DAILY  LANDING  OPPORTUNITY.  SYSTEMS  MAY  BE  USED  IN  A  DEGRADED 
MODE  AS  SPECIFIED  BY  THE  MANAGEMENT  RULES  OR  AS  DICTATED  BY 
FLIGHT  NEED. 


Self-explanatory. 


Al-55  CONFLICTING  FLIGHT  RULES 

A.  RULES  WHICH  ARE  KNOWN  TO  HAVE  FLIGHT  SPECIFIC  EXCEPTIONS  OR 
OPTIONS  WILL  BE  NOTED  IN  THIS  DOCUMENT  (NSTS-12820)  AND 
DOCUMENTED  IN  THE  FLIGHT  SPECIFIC  ANNEX  (NSTS-18308) . 

B.  RULES  FROM  THE  "ALL  FLIGHTS"  DOCUMENT  FOR  WHICH  EXCEPTIONS 
ARE  PROPOSED  WHICH  HAVE  NOT  BEEN  PREVIOUSLY  IDENTIFIED  AS 
EXCEPTIONS  OR  OPTIONS  MUST  BE  PROCESSED  AND  APPROVED  AS  A 
PERMANENT  CHANGE  OR  AS  A  DEVIATION  TO  THE  ALL  FLIGHTS 
DOCUMENT . 


Flight-specific  exceptions  or  options  to  the  Ail  Flights  rules  are  at  the  discretion  of  the  lead  flight 
director  provided  that  the  All  Flights  rules  permit  them.  If  the  All  Flights  rule  does  not  make  provisions 
for  an  exception,  a  change  request  (CR)  must  be  written  to  change  the  rule,  and  the  CR  may  be  approved 
as  either  a  change  or  deviation.  The  annotation  in  the  Annex  rationale  should  reflect  the  type  of  rule 
approval,  i.e.,  stating,  “  This  rule  is  a  flight-specific  exception  or  option  (as  applicable )  to  Flight  Rule 
xx.yy-zz”  or,  “This  rule  is  a  flight-specific  deviation  from  Flight  Rule  xx.yy-zz.  ” 
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Al-56  INSTRUMENTATION  ONBOARD  VS.  GROUND  READOUT 

PHILOSOPHY 

WHERE  DISCREPANCIES  EXIST  BETWEEN  ONBOARD  AND  GROUND  READOUTS, 
DEDICATED  ONBOARD  METERS  WILL  BE  CONSIDERED  PRIME  OVER  GROUND 
READOUTS.  FOR  GENERAL  PURPOSE  COMPUTER  (GPC) -DRIVEN  DATA,  THE 
MOST  REASONABLE  (IF  IT  CAN  BE  DETERMINED)  OR  THE  MOST  CONSERVATIVE 
READOUT  WILL  BE  USED.  LOSS  OF  INSTRUMENTATION  WHICH  PRECLUDES 
IMPLEMENTATION  OF  A  FLIGHT  RULE  WILL  NOT  NECESSARILY  CAUSE  FLIGHT 
TERMINATION. 

The  purpose  of  this  rule  is  to  minimize  the  possibility  of  invoking  a  flight  rule  as  a  result  of  transducer 
failures,  shifts,  or  errors  in  troduced  in  the  communications  path  from  the  vehicle  to  the  MCC.  In 
general,  if  the  same  transducer  drives  both  an  onboard  meter  and  a  telemetry  input,  the  onboard  meter 
readout,  if  reasonable,  should  be  more  accurate  since  it  is  closer  to  the  source.  In  cases  of  GPC-driven 
data  (no  meter  or  other  analog  display),  when  two  readouts  (both  onboard  or  onboard  and  ground ) 
differ  but  are  still  reasonable,  the  more  conservative  of  the  two  is  used  as  it  results  in  the  safest  course  of 
action.  If  a  mandatory  instrumentation  parameter  exists  which,  if  lost,  would  result  in  invoking  a  flight 
rule,  it  is  specifically  identified  in  these  rules.  In  general,  instrumentation  failures  will  not  cause  flight 
termination  since  critical  systems  failure  can  be  monitored  by  redundant  means. 


Al-57  FLIGHT-CRITICAL  MOPING 

WHERE  REDUNDANT  CAPABILITIES  ARE  PROVIDED  TO  EXECUTE  FLIGHT- 
CRITICAL  SWITCHING  OR  MODING,  THE  PATHS  WILL  BE  CONFIGURED  TO 
PREVENT  LOSS  OF  A  TOTAL  CAPABILITY  FOR  LOSS  OF  A  SINGLE  GPC,  DATA 
PATH,  OR  POWER  SOURCE. 


Self-explanatory. 
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Al-58  SHUTTLE  OPERATIONAL  DATA  BOOK  (SODB) ,  VOLUME  III, 

DATA  USE 

IN  CONTINGENCY  SITUATIONS,  SODB,  VOLUME  III,  DATA  IS  USED  WITH 
THE  BEST  ENGINEERING  JUDGMENT  RECOGNIZING  THAT  SOME  OF  THE  DATA 
CONTAINS  ENGINEERING  ESTIMATES  FOR  NON-NOMINAL  PERFORMANCE 
EVALUATION  AND  MAY  NOT  BE  SUPPORTED  BY  TEST  DATA. 

Al-59  ACTIVITIES  DURING  YEAR  END  ROLLOVER/ LEAP  SECOND 

INCORPORATION 

IF  POSSIBLE,  CRITICAL  PHASES  OF  MISSIONS  WILL  NOT  BE  PERFORMED 
DURING  AN  OCCURRENCE  OF  A  MASTER  TIMING  UNIT  (MTU)  YEAR  END 
ROLLOVER  OR  AN  INCORPORATION  OF  A  LEAP  SECOND. 

Whenever  an  MTU  year  end  rollover  or  leap  second  incorporation  occurs  during  a  flight,  the  MCC  has 
to  perform  several  off-nominal  procedural  workarounds  including  reconfiguring  the  data  dump  handler 
(DDH)  ( which  directly  affects  near  real-time  telemetry  (NRT)  processing  and  retrieval ),  manually 
processing  the  GSFC  TDRS  state  vectors,  and  altering  the  build  process  for  stored  program  commands 
(SPC’s).  Additionally,  the  1-second  bias  to  the  data  as  a  result  of  a  leap  second  incorporation  during 
ascent/entry  is  deemed  undesirable  by  the  ground  navigation  and  tracking  personnel.  Tracking  data  in 
the  high  speed  phases  of  ascent/entry  would  be  1  second  out  of  sync  with  the  mission  operations 
computer  (MOC),  and  the  MCC  would  have  to  manually  implement  a  bias  to  account  for  the  1  additional 
second;  if  this  bias  is  not  implemented,  the  tracking  data  would  be  essentially  useless.  Per  the  ground 
navigation  personnel,  implementation  of  this  bias  is  not  a  trivial  task.  For  year  end  rollover,  the  same 
concerns  apply,  but  to  a  greater  degree.  Therefore,  because  of  the  dependency  of  several  critical  mission 
phases  on  accurate  time,  these  phases  should  not  be  performed  during  an  MTU  year  end  rollover  or  leap 
second  incorporation.  However,  if  other  factors  prevent  a  rescheduling  of  these  critical  phases  ( e.  g. , 
weather,  next  PLS  conditions),  the  risk  of  performing  these  critical  phases  during  MTU  year  end  rollover 
or  leap  second  incorporation  will  be  accepted. 

References:  MICB  CR  R21075-053,  Level  B  Groundrules  and  Constraints  Update:  Findings:  Year  End 
Rollover  and  Leap  Second  Phenomena  and  Their  Effects  of  STS  Mission  Support  (Documen  t  No. 
STSOC-RT-400141). 
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GENERAL  DEFINITIONS 


Al— 101  AS  SOON  AS  PRACTICAL  (ASAP) 

AS  SOON  AS  PRACTICAL  (I.E.,  AS  SOON  AS  POSSIBLE  AND  REASONABLE) 
Self-explanatory. 


Al— 102  HIGHLY  DESIRABLE  (HD) 

A  SPACE  TRANSPORTATION  SYSTEM  (STS)  OR  GROUND  SUPPORT  ELEMENT 
THAT  ENHANCES  ACCOMPLISHMENT  OF  THE  FLIGHT.  CONSIDERATION  WILL 
BE  GIVEN  TO  HOLDING  THE  COUNT  FOR  THE  REPAIR  OF  AN  HD  ELEMENT,  IF 
CONVENIENT,  BUT  IN  NO  CASE  WILL  THE  LAUNCH  BE  SCRUBBED. 


Self-explanatory. 


Al-103  MANDATORY  (M) 

AN  STS  OR  GROUND  ELEMENT  THAT  IS  REQUIRED  TO  ENSURE  CREW  SAFETY, 
IMPLEMENT  LAUNCH  GO/NO-GO  CRITERIA,  LAUNCH  ABORT,  OR  EARLY  FLIGHT 
TERMINATION  FLIGHT  RULES. 


Self-explanatory. 
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Al— 104  FLIGHT  PHASE 

A.  PRELAUNCH  -  PRIOR  TO  SRB  IGNITION. 

B.  ASCENT  -  SRB  IGNITION  THROUGH  ORBITAL  MANEUVERING  SYSTEM  2 
(OMS-2)  CUTOFF. 

C.  ORBIT  -  OMS-2  CUTOFF  TO  DEORBIT  MANEUVER  IGNITION. 

D.  DEORBIT  PREPARATION  -  FROM  DEORBIT  TIME  OF  IGNITION  (TIG) 

-3.5  HRS  TO  DEORBIT  TIG. 

E.  EXTRAVEHICULAR  ACTIVITY  (EVA)  -  START  OF  AIRLOCK 
DEPRESSURIZATION  THROUGH  REPRESSURIZATION  AND  VERIFICATION  OF 
AIRLOCK  INTEGRITY. 

F.  ENTRY  -  DEORBIT  MANEUVER  IGNITION  THROUGH  ROLLOUT. 

G.  POSTLANDING  -  ROLLOUT  THROUGH  CREW  EGRESS. 

H.  TURNAROUND  OPERATIONS  -  POST  CREW  EGRESS. 


Self-explanatory. 


VOLUME  A  06/20/02  FINAL  GENERAL,  AUTHORITY,  1-18 

AND  DEFINITIONS 

Verify  that  this  is  the  correct  version  before  use. 


NASA  -  JOHNSON  SPACE  CENTER 


FLIGHT  RULES 


Al— 105  THROTTLE  SETTINGS 

A.  NOMINAL  THROTTLE  -  MAXIMUM  SPACE  SHUTTLE  MAIN  ENGINE  (SSME) 
THROTTLE  SETTING  LEVEL  THAT  IS  ALLOWED  DURING  A  NOMINAL  (NOT 
LOW  PERFORMANCE)  ASCENT. 

B.  ABORT  THROTTLE  -  MAXIMUM  CERTIFIED  SSME  THROTTLE  SETTING 
LEVEL  TO  BE  USED  FOR  OFF-NOMINAL  (LOW  PERFORMANCE)  ASCENT  AND 
INTACT  ABORT  MODES . 

C.  MAX  THROTTLE  -  MAXIMUM  SELECTABLE  SSME  THROTTLE  SETTING 
LEVEL. 


Self-explanatory. 


Al-106  LANDING  SITES 

A.  PRIMARY  LANDING  SITE  (PLS)  -  THE  PREMISSION  SELECTED,  NOMINAL 
END -OF -MI SS ION  (EOM)  LANDING  SITE  OR  THE  CONUS  (EDW,  KSC, 

NOR)  LANDING  SITE  SELECTED  DAILY  IF  REQUIRED  FOR  EARLY 
MISSION  TERMINATION  ("NEXT  PLS").  SEE  RULE  {A4-107},  PLS/EOM 
LANDING  OPPORTUNITY  REQUIREMENTS.  @[113095-1800] 

B.  SECONDARY  LANDING  SITE  (SLS)  -  BACKUP  TO  THE  PRIMARY  EOM 
LANDING  SITE  USED  WHEN  THE  PRIME  EOM  LANDING  SITE  DOES  NOT 
MEET  ACCEPTABLE  CONDITIONS. 

C.  EMERGENCY  LANDING  SITES  (ELS)  -  LANDING  SITES,  CARRIED  IN  THE 
ONBOARD  SOFTWARE  OR  AVAILABLE  FOR  UPLINK  FROM  THE  MCC,  NOT 
SUPPORTING  PLANNED  EOM  OR  INTACT  ABORTS.  SEE  RULE  {A2-264}, 
EMERGENCY  LANDING  FACILITY  CRITERIA.  @[113095-1800] 

D.  ABORT-ONCE-AROUND  ( AOA)  SITE  -  THE  SITE  SELECTED 
PREMISSION  FOR  LANDING  IN  THE  EVENT  OF  AN  AOA  ABORT. 

(REF.  RULE  { A2-2 } ,  ABORT  LANDING  SITE  REQUIREMENTS). 

@[121593-1590] 


THIS  RULE  CONTINUED  ON  NEXT  PAGE 
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Al-106  LANDING  SITES  (CONTINUED) 

E.  ALTERNATE  AOA  SITE  -  THE  BACKUP  TO  THE  PRIME  AOA  SITE;  USED 
WHEN  THE  PRIME  AOA  SITE  DOES  NOT  MEET  ACCEPTABLE  CONDITIONS 
(REF.  RULES  {A2-1F},  PRELAUNCH  GO/NO-GO  REQUIREMENTS,  AND 

{ A2  -2  }  ,  ABORT  LANDING  SITE  REQUIREMENTS).  @[121593-1590] 

F.  TRANSOCEANIC  ABORT  LANDING  (TAL)  SITE  -  THE  SITE(S)  SELECTED 
PREMISSION  FOR  LANDING  IN  THE  EVENT  OF  A  TAL  ABORT. 

G.  ALTERNATE  TAL  SITE  -  THE  BACKUP  TO  THE  PRIME  TAL  SITE;  USED 
WHEN  THE  PRIME  TAL  SITE  DOES  NOT  MEET  ACCEPTABLE  CONDITIONS 
(REF.  RULE  { A2-1F } ,  PRELAUNCH  GO/NO-GO  REQUIREMENTS). 

H.  AUGMENTED  CONTINGENCY  LANDING  SITE  (ACLS)  -  A  TAL  SITE, 

WHICH  IS  NO-GO  FOR  TAL  DUE  TO  WEATHER,  REDUNDANCY,  OR 
TOUCHDOWN/ROLLOUT  CONDITIONS,  THAT  IS  USED  TO  FILL 
CONTINGENCY  POWERED  FLIGHT  PERFORMANCE  GAPS  AND  PROVIDE 
COVERAGE  FOR  CERTAIN  ASCENT  SYSTEMS  FAILURES  REQUIRING 
EARLIEST  LANDING  TIME.  WEATHER  (EXCEPT  AS  NOTED  BELOW) 

AND  TOUCHDOWN/ROLLOUT  CONDITIONS  ARE  NOT  CONSIDERED  FOR 
THESE  SITES,  AND  MINIMUM  REQUIRED  NAV/LANDING  AIDS  ARE 
REDUCED  TO  A  SINGLE-STRING  TACAN  OR  DME ,  WITH  SINGLE¬ 
STRING  MLS  REQUIRED  FOR  REDUCED  CEILING  AND  VISIBILITY 
LIMITS  AS  DEFINED  IN  RULE  {A2-6},  LANDING  SITE  WEATHER 
CRITERIA  [HC] .  FOR  NIGHT  LANDINGS,  RUNWAY  EDGE  LIGHTING 
IS  ALSO  REQUIRED.  @[102793-1560]  @[113095-1800] 


Self-explanatory. 
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Al— 107  LANDING  OPPORTUNITIES 

A.  ENTER  FIRST  DAY  PLS  -  THE  PLANNED  OPPORTUNITY  FOR  LANDING  ON 
THE  DAY  OF  LAUNCH  IF  A  SITE  IS  AVAILABLE,  REF.  RULE  {A2-2}, 
ABORT  LANDING  SITE  REQUIREMENTS,  OTHERWISE  LAND  ON  FLIGHT 
DAY  2  PLS.  @[121593-1590] 

B.  ENTER  NEXT  PLS  -  THE  NEXT  LANDING  OPPORTUNITY  AT  THE  PRIMARY 
LANDING  SITE,  WHICH  SATISFIES  LIGHTING,  WEATHER,  AND  CREW 
CONSTRAINTS . 

C.  ENTER  ASAP  -  ENTER  AS  SOON  AS  PRACTICAL  TO  THE  NEXT  AVAILABLE 
LANDING  SITE  (PLS,  SLS,  OR  ELS)  . 

D.  ENTER  IMMEDIATELY  -  ENTER  IMMEDIATELY  TO  AN  UNSPECIFIED 
LANDING  AREA. 

For  some  systems  failures,  the  risk  of  staying  on  orbit  beyond  the  first  flight  day  is  considered  to  be 
high  enough  to  justify  the  increased  risk  associated  with  a  day  1  entry.  These  failures  are  defined  in 
Rule  {A2-301},  CONTINGENCY  ACTION  SUMMARY. 

This  set  of  failures  is  a  subset  of  the  larger  group  of  failures  that  require  entry  at  the  next  PLS.  This 
larger  set  includes  all  systems  failures  where  deorbit  will  be  planned  for  the  next  opportunity  to  the 
primary  landing  site  which  meets  required  weather  and  lighting  constraints  and  allows  the  crew  to  have 
adequate  rest  and  perform  a  nominal  deorbit  prep.  These  failu  res  are  listed  in  the  individual  sections  of 
this  book  and  are  consolidated  in  Rule  {A2-1001  j,  ORBITER  SYSTEMS  GO/NO-GO. 

Enter  ASAP  and  immediately  are  self-explanatory.  They  only  apply  to  the  most  critical  of  circumstances 
where  staying  on  orbit  would  mean  probable  loss  of  the  orbiter  and  crew.  These  failures  are  also  listed 
in  Rule  {A2-301 },  CONTINGENCY  ACTION  SUMMARY. 
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Al— 108  CREW  EGRESS/ESCAPE  MODES 

A.  MODE  I  -  UNAIDED  PRELAUNCH  EGRESS  AND  ESCAPE.  @[041196-1881  A] 

B.  MODE  II  -  AIDED  PRELAUNCH  EGRESS  AND  ESCAPE,  THE  FLIGHT  CREW 
IS  ASSISTED  BY  THE  CLOSEOUT  CREW. 

C.  MODE  III  -  AIDED  PRELAUNCH  EGRESS  AND  ESCAPE,  THE  FLIGHT  CREW 
IS  ASSISTED  BY  FIRE/RESCUE  PERSONNEL. 

D.  MODE  IV  -  AIDED  PRELAUNCH  EGRESS  AND  ESCAPE,  THE  FLIGHT  CREW 
AND  CLOSEOUT  CREW  ARE  ASSISTED  BY  FIRE/RESCUE  PERSONNEL. 

E.  MODE  V  -  UNAIDED  POSTLANDING  EGRESS  AND  GROUND-AIDED 
ESCAPE/EVACUATION. 

1.  HATCH  ON  MODE  V  -  NORMAL  HATCH  OPENING. 

2.  HATCH  JETTISON  MODE  V  -  PYROTECHNIC  HATCH  JETTISON 
(IMMINENT  CREW  HAZARD) . 

3.  ESCAPE  PANEL  MODE  V  -  PYROTECHNIC  JETTISON  OF  WINDOW  8 
ESCAPE  PANEL  (HATCH  EGRESS  IMPOSSIBLE)  .  @[041 196-1 881  A] 

F.  MODE  VI  -  AIDED  POSTLANDING  EGRESS,  ESCAPE,  AND  EVACUATION 
WITHIN  AN  AREA  ACCESSIBLE  BY  THE  GROUND  CONVOY  ELEMENTS. 

@[041 196-1 881  A] 

G.  MODE  VII  -  AIDED  POSTLANDING  EGRESS,  ESCAPE,  AND  EVACUATION 
AT  A  LOCATION  INACCESSIBLE  BY  THE  GROUND  CONVOY  ELEMENTS. 

H.  MODE  VIII  -  BAILOUT  DURING  CONTROLLED,  GLIDING  FLIGHT. 

@[041 196-1 881  A] 

Self-explanatory. 
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Al-109  CREW  MEDICAL  (MED)  CONDITIONS 

A.  MED  0  -  PATIENT  SEVERELY  INJURED  BEYOND  REASONABLE 
EXPECTATION  OF  SURVIVAL  OR  DECEASED. 

B.  MED  1  -  CONDITION  CRITICAL,  PATIENT  REQUIRES  IMMEDIATE  CARE 
AND  EVACUATION. 

C.  MED  2  -  CONDITION  FAIR  TO  POOR,  PATIENT'S  NEED  FOR  CARE  IS 
NOT  SO  ACUTE,  BUT  WILL  REQUIRE  CARE  BEFORE  EVACUATION. 

D.  MED  3  -  CONDITION  GOOD  TO  FAIR,  PATIENT  WITH  INJURIES  WHICH 
DO  NOT  REQUIRE  HOSPITALIZATION;  SOME  MEDICAL  CARE  MAY  BE 
NEEDED,  BUT  NOT  ON  A  TIME  CRITICAL  BASIS. 


These  medical  codes  are  the  standard  triage  codes  used  by  the  DOD  triage  teams  and  the  KSC  triage 
teams.  Triage  codes  should  be  in  universal  agreement  so  accurate  reporting  of  crew  medical  conditions 
can  occur. 
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Al— 110  REMOTE  MANIPULATOR  SYSTEM  (RMS) 

A.  STOW/DEPLOY  -  ROLL  THE  MANIPULATOR  POSITIONING  MECHANISM 

(MPM)  INBOARD /OUTBOARD  WHILE  THE  RMS  IS  CRADLED  AND  LATCHED. 

B.  CRADLE /UNCRADLE  -  MOVE  THE  RMS  TO/FROM  ITS  RETENTION  LATCHES. 

C.  BERTH/UNBERTH  -  USE  THE  RMS  TO  ATTACH/DETACH  A  PAYLOAD 

TO/FROM  THE  PAYLOAD  BAY  OR  PALLET  STRUCTURE. 

D .  CONTROL  MODES : 

1.  MANUAL  AUGMENTED  -  POINT  OF  RESOLUTION  (POR)  IS 
MANEUVERED  BY  CONTROL  INPUTS  VIA  THE  REMOTE  HAND 
CONTROLLERS  (RHC'S). 

2.  AUTO  -  POR  IS  MANEUVERED  BY  THE  GPC  TO  PREPROGRAMMED 
POINTS . 

3.  OPERATOR  COMMANDED  -  COMPUTER  COMMANDED  MODE  WITH  POR 
MANEUVERED  TO  A  POINT  LOADED  BY  THE  CREW. 

4.  SINGLE  -  JOINTS  ARE  DRIVEN  ONE  AT  A  TIME  BY  "PLUS"  AND 
"MINUS"  DRIVE  COMMANDS  FROM  THE  DISPLAYS  AND  CONTROLS 
(D&C)  PANEL.  THE  UNDRIVEN  JOINTS  ARE  HELD  IN  POSITION  BY 
THE  GPC. 

5.  DIRECT  -  SAME  AS  "SINGLE"  WITH  THE  EXCEPTION  THAT  THE 
UNDRIVEN  JOINTS  ARE  HELD  IN  POSITION  BY  THE  BRAKES. 

6.  BACKUP  -  SAME  AS  "DIRECT"  WITH  THE  EXCEPTION  THAT  NO 
DISPLAYS  ARE  AVAILABLE  AND  POWER  IS  SUPPLIED  BY  MAIN  BUS 
B  VICE  MAIN  BUS  A. 


Self-explanatory. 
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Al— 111  TIME  REFERENCE  DEFINITIONS 

DAY  -  ANY  24-HOUR  PERIOD 

END -OF -MIS SION  (EOM)  ±  -  TIME  REFERENCE  RELATING  TO  THE  EOM  WHERE 
THE  PLANNED  LANDING  TIME  IS  ZERO. 

FLIGHT  DAY  (FD)  -  TIME  REFERENCE  RELATING  TO  A  CREWMEMBER'S 
WORK/REST  CYCLE.  FD  1  BEGINS  AT  LAUNCH  WITH  SUBSEQUENT  FD'S 
BEGINNING  AT  CREW  WAKE  UP  AND  CONTINUING  THROUGH  CREW  SLEEP. 

MISSION  ELAPSED  TIME  (MET)  -  TIME  REFERENCE  RELATING  TO  MET, 

WHERE  LAUNCH  IS  0/00:00  (D / HH : MM) . 


Self-explanatory. 


Al— 112  MULTIFUNCTION  ELECTRONIC  DISPLAY  SUBSYSTEM 

FOR  THE  MEDS  CONFIGURATION:  ©[040899-2459B] 

FLIGHT  RULES  THAT  REFERENCE  MCDS  ARE  ACTUALLY  REFERENCING  MEDS. 

A.  FLIGHT  RULES  THAT  REFERENCE  A  DEU  ARE  ACTUALLY  REFERENCING  AN 
IDP  . 

B.  FLIGHT  RULES  THAT  REFERENCE  A  DU  ARE  ACTUALLY  REFERENCING  AN 
MDU  . 

C.  FLIGHT  RULES  THAT  REFERENCE  PANEL  F6,  F7,  AND  F8  FLIGHT 
INSTRUMENT  TAPES  AND  SUBSYSTEM  METERS  ARE  ACTUALLY  REFERENCING 
THE  FUNCTION  OF  THOSE  TAPES  AND  METERS  DISPLAYED  ON  AN  MDU. 

D.  FLIGHT  RULES  THAT  REFERENCE  A  FLIGHT  INSTRUMENT  (ADI,  HSI, 

SPI,  ETC)  ARE  ACTUALLY  REFERENCING  THE  FUNCTION  OF  THOSE 
INSTRUMENTS  DISPLAYED  ON  AN  MDU. 


This  flight  rule  allows  existing  flight  rules  to  be  compatible  with  MEDS  configured  vehicles  and  also 
allows  existing  rules  to  be  used  with  a  mixed  fleet  of  MCDS  and  MEDS.  ©[040899-2459B] 
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SECTION  2  -  FLIGHT  OPERATIONS 


PRE LAUNCH 


A2-1  PRELAUNCH  GO/NO-GO  REQUIREMENTS 

LAUNCH  WILL  BE  NO-GO  IF  THE  FOLLOWING  CONDITIONS  ARE  NOT 
SATISFIED : 

A.  MINIMUM  STS  SUBSYSTEMS  CAPABILITY  (REF.  LAUNCH  COMMIT 
CRITERIA  (LCC) ) . 

The  vehicle  must  satisfy  certain  minimum  subsystems  capabilities  to  be  GO  for  launch.  Prelaunch  OMI’s 
implement  checkout  requirements  specified  in  the  OMRSD.  In  general,  these  are  designed  to 
demonstrate  operation  of  all  testable  subsystems  within  prescribed  limits.  Any  deviation  must  be 
accounted  for,  either  by  repair,  replacement,  or  a  waiver  from  the  MMT.  Launch  commit  criteria  are 
designed  to  ensure  those  systems  that  are  monitorable  operate  within  acceptable  limits  during  the  final 
hours  in  the  launch  countdown.  In  certain  areas,  launch  may  be  permitted  with  certain  equipment  losses 
provided  those  are  well  understood  to  be  isolated  occurrences  and  not  symptomatic  of  a  poten  tially 
generic  problem.  These  instances  will  be  specified  in  the  LCC  document. 

B.  MINIMUM  ONBOARD  INSTRUMENTATION  REQUIREMENTS  (REF.  LCC) . 

The  vehicle  must  satisfy  minimum  onboard  display/control  capability  via  crew  display/control  equipment 
as  well  as  minimum  telemetry/instrumen  tation  requirements  to  be  GO  for  launch.  These  capabilities  are 
required  to  allow  ground  and  crew  monitoring  and  con  trol  of  the  vehicle  systems  for  critical  failures  and 
crew  capability  to  fly  the  vehicle  should  it  become  necessary.  These  are  documented  in  the  Launch 
Commit  Criteria. 

C.  VEHICLE  PERFORMANCE  MARGINS  (REF.  RULE  {A4-1A},  PERFORMANCE 
ANALYSIS) . 

The  vehicle  must  satisfy  the  propellant  reser\’e  performance  margins  (ref.  Rule  {A4-1AJ, 
PERFORMANCE  ANALYSIS)  in  order  to  be  GO  for  launch.  These  margins  are  protected  to  assure  that 
sufficient  propellant  reser\’es  cover  loading  and  systems  usage  dispersions  during  ascent. 

THIS  RULE  CONTINUED  ON  NEXT  PAGE 
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A2-1  PRELAUNCH  GO/NO-GO  REQUIREMENTS  (CONTINUED) 

D.  ACCEPTABLE  STRUCTURAL  LOADS  AND  DAY-OF-LAUNCH  I-LOAD  UPDATE 
(DOLILU)  ASSESSMENT  (REF.  NSTS-08329,  VOL.  VIII,  DOLILU 
OPERATIONS  SUPPORT  PLAN  (DOSP)  )  .  ®[091 098-6622C] 

The  generation  of  the  DOLILU  I-loads  must  be  consistent  with  certification  groundrules  and  the  launch 
day  en  vironmen  t,  and  vehicle  structu  ral  loading  must  remain  within  acceptable  boundaries  to  be  GO  for 
launch.  The  assessment  is  performed  at  several  points  in  the  pre-launch  timeframe  using  balloon- 
measured  upper-level  wind  data.  The  DOLILU  process  launch  decision  criteria  applied  to  this 
assessment  is  specified  in  the  DOSP.  ®[09i  098-6622C] 

E.  MINIMUM  GROUND  INSTRUMENTATION  REQUIREMENTS. 

SUFFICIENT  GROUND  INSTRUMENTATION  SUPPORT  SHALL  BE 
OPERATIONAL  AT  LAUNCH  TO  SATISFY  A/G  VOICE,  TELEMETRY, 
TRACKING,  AND  COMMAND  REQUIREMENTS  FOR  ASCENT  AND  REQUIRED 
ABORT  LANDING  SITES,  REF.  RULE  {A2-2},  ABORT  LANDING  SITE 
REQUIREMENTS.  SPECIFIC  EQUIPMENT  REQUIREMENTS  ARE  DEFINED  IN 
FLIGHT  RULES  SECTION  3. 

FOR  FIRST  DAY  PLS  LANDING  SITES  ONLY,  EQUIPMENT  OUTAGES  ARE 
ALLOWED  ONLY  IF  CRITICAL  EQUIPMENT  ETRO  IS  PRIOR  TO  FIRST  DAY 
PLS  DEORBIT  DECISION  TIME,  OR  IF  FIRST  DAY  PLS  IS  NOT 
REQUIRED,  ETRO  MUST  BE  PRIOR  TO  SECOND  DAY  PLS  DEORBIT 
DECISION  TIME. 

Detailed  requirements  and  the  facilities  necessary  to  provide  support  and  redundancy  for  ascen  t  and 
ascent  aborts  vary  from  phase  to  phase  and  even  within  each  phase.  In  general,  the  requirements  are 
broken  down  into  A/G  voice,  telemetry,  tracking,  and  command  capabilities  as  high-level  requirements. 
These,  in  turn,  determine  the  facilities  support  requiremen  ts  which  are  detailed  in  section  3  for  each 
capability  and  facility.  For  mandatory  ascent  abort  landing  sites,  full  capabilities  must  be  functioned 
prior  to  launch.  If  an  ascent  abort  landing  site  is  not  required,  then  full  capabilities  are  highly 
desirable,  and  loss  of  any  capability  will  not  lead  to  a  launch  hold.  For  a  required  first  day  PLS  site, 
equipmen  t  outages  are  allowed  if  repairs  can  be  guaranteed  complete  prior  to  landing.  In  any  event,  all 
required  equipmen  t  must  be  planned  to  be  functional  at  one  CONUS  site  by  second  day  PLS  time,  or 
launch  is  NO-GO. 
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A2-1  PRELAUNCH  GO/NO-GO  REQUIREMENTS  (CONTINUED) 

F.  ACCEPTABLE  LANDING  CONDITIONS  FOR  REQUIRED  ABORT  LANDING 

SITES,  REF.  RULE  {A2-2},  ABORT  LANDING  SITE  REQUIREMENTS.  IF 
AN  ABORT  LANDING  SITE  IS  NOT  MANDATORY,  ACCEPTABLE  LANDING 
CONDITIONS  ARE  STILL  HIGHLY  DESIRABLE  AT  THAT  SITE. 

CONDITIONS  WHICH  MUST  BE  MET  ARE: 

1.  NO  VIOLATIONS  OF  THE  LANDING  SITE  WEATHER  CRITERIA  (REF. 
RULES  { A4-2 } ,  LANDING  SITE  CONDITIONS,  AND  {A2-6}, 

LANDING  SITE  WEATHER  CRITERIA  [HC]  )  .  ®[1 11 094-1 622B] 

2.  FOR  ALL  LANDINGS  BUT  FIRST  OR  SECOND  DAY  PLS,  NO 
VIOLATION  OF  ENTRY  ANALYSIS  LIMITS  INCLUDING: 

a.  APPROACH  AND  LAND  TRANSITION  (REF.  RULE  {A4-156},  HAC 
SELECTION  CRITERIA) 

b.  NORMALIZED  TOUCHDOWN  DISTANCE  (REF.  RULE  {A4-110}, 
AIMPOINT,  EVALUATION  VELOCITY,  AND  SHORT  FIELD 
SELECTION) 

C.  TIRE  SPEED/ROLLOUT/BRAKING  LIMITS  (REF.  RULE  {A4-108}, 
TIRE  SPEED,  BRAKING,  AND  ROLLOUT  REQUIREMENTS) 

d.  NZ  AND  Q-BAR  CONSTRAINTS  (REF.  RULE  {A4-207},  ENTRY 
LIMITS)  @[072795-1 788B] 

3.  ACCEPTABLE  GROUND  NAVAIDS  (REF.  RULES  {A3-201},  TACAN 
REDUNDANCY  REQUIREMENTS  AND  ALTERNATE  TACAN  SELECTION 
PHILOSOPHY;  {A3-202},  MLS;  AND  {A2-6},  LANDING  SITE 
WEATHER  CRITERIA  [HC]  )  .  @[111 094-1 622B] 
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A2-1  PRELAUNCH  GO/NO-GO  REQUIREMENTS  (CONTINUED) 

4.  ACCEPTABLE  LANDING  AND  VISUAL  AIDS  (REF.  RULE  {A3-203}, 
LANDING  AID  REQUIREMENTS) . 

5.  ACCEPTABLE  CURRENT  AND  PREDICTED  RUNWAY  CONDITIONS  (REF. 
RULE  { A4-111 } ,  RUNWAY  ACCEPTABILITY  CONDITIONS). 

®[1 11 094-1 622B] 

6.  ACCEPTABLE  COMMUNICATIONS  FROM  THE  MCC  TO  THE  REQUIRED 
ASCENT  ABORT  SITES.  (REF.  RULES  {A3-52E},  MCC  INTERNAL 
VOICE,  AND  { A3-156 } ,  MCC/ASCENT  ABORT  SITE  INTERFACE). 

®[11 1094-1 71 6A] 

Prelaunch,  the  MCC  must  be  able  to  communicate  with  the  ascent  abort  landing  sites.  This  insures  that 
there  has  not  been  a  change  in  weather  or  nav/landing  aid  status.  It  also  insures  that  anomalies  can  be 
passed  to  the  ground  support  team  and  that  the  runway  and  airspace  are  clear  for  a  safe  landing.  This 
can  be  accomplished  by  insuring  that  at  least  one  of  the  communications  capabilities  listed  below  are 
available: 


a.  Longline  (LFP1) 

b.  INMARSAT 

c.  Commercial  Telephone  ®[1 11094-1 71 6A] 

THIS  RULE  CONTINUED  ON  NEXT  PAGE 


VOLUME  A  06/20/02  FINAL  FLIGHT  OPERATIONS  2-4 

Verify  that  this  is  the  correct  version  before  use. 


NASA  -  JOHNSON  SPACE  CENTER 


FLIGHT  RULES 


A2-1  PRELAUNCH  GO/NO-GO  REQUIREMENTS  (CONTINUED) 

7.  DAYLIGHT  LANDING  UNLESS  CREW  SPECIFICALLY  TRAINED  FOR 
NIGHT  LANDING  AND  RELATED  LANDING  AIDS  FUNCTIONAL  (REF. 
PARAGRAPHS  3  AND  4  ABOVE) .  EXCEPTIONS  ARE  ALLOWED  FOR 
AOA  (IF  NOT  REQUIRED)  AND  FIRST  DAY  PLS . 

Acceptable  landing  conditions  and  aids  requirements  rationale  for  each  of  the  requiremen  ts  may  be 
found  in  the  referenced  rule.  A  TAL  site  is  highly  desirable  if  RTLS/two- engine  press  capability  overlap 
exists  since  TAL  is  preferred  over  RTLS  (ref.  Rule  {A2-52},  ASCENT  MODE  PRIORITIES  FOR 
PERFORMANCE  CASES)  for  an  engine  out  performance.  TAL  capability  also  provides  for  performance 
gap  management  and  extended  coverage  during  ascent  for  systems  aborts  that  require  abort  modes  other 
than  first  day  PLS.  Rules  (A1-106EJ  and  {A1-106G},  LANDING  SITES,  reference  this  rule. 

For  all  abort  landings,  the  entry  analysis  using  the  forecast  and  measured  (ref.  Rule  {A4-112J,  UPPER 
AND  LOWER  LEVEL  MEASURED  WIND  AND  ATMOSPHERIC  DATA )  environmental  data  must  be 
predicting  a  safe  landing.  For  first  day  PLS,  prelaunch  analysis  is  not  generally  performed  due  to  the 
length  of  time  from  prelaunch  data  collection  until  actual  landing;  similarly,  only  forecast  weather  is 
used  for  first  day  PLS  status,  not  prelaunch  observations.  ®[i  1 1 094-1 622B] 

If  AOA  is  not  required  for  performance  reasons,  then  systems  AOA  is  an  extreme  contingency  case  and 
crew  pilot  pool  night  training  is  considered  adequate.  Lighting  at  first  day  PLS  is  not  a  design 
groundrule;  lighted  launch,  TAL,  and  first  day  PLS  cannot  all  be  accomplished  for  some  high  inclination 
missions.  Therefore,  pilot  pool  night  training  is  considered  acceptable  for  systems  AOA  or  first  day  PLS. 
Also  for  first  day  PLS,  crew  workday  is  not  protected. 

Predictions  of  weather  and  or  equipmen  t  availability  at  the  first  day  PLS  site  are  less  accurate  due  to  the 
time  involved  (4.5  to  10.5  hours  after  launch).  The  requirements  to  use  a  first  day  PLS  site  are  based  on 
performance  and  systems  redundancy  requiremen  ts.  If  a  first  day  PLS  site  is  not  available,  the  single 
engine  out  abort  boundaries  are  adjusted  to  ensure  that  a  stable  orbit  is  achieved  which  will  support  a 
delay  in  landing  until  flight  day  2  when  more  landing  sites  and  better  conditions  will  be  available.  The 
redundancy  requirements  are  considered  cm  acceptable  risk  (multiple  failures  of  proven  highly  reliable 
equipmen  t  occurring  in  short  periods  of  time).  Acceptance  of  this  risk  allows  an  on  time  launch  when  all 
con  ditions  other  than  those  at  the  first  day  PLS  site  are  acceptable. 
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G.  THE  LAUNCH  WILL  BE  NO-GO  IF  PRELAUNCH,  U.S.  SPACE  COMMAND 

ORBIT  CONJUNCTIONS  (COMBO  ANALYSIS),  OR  EASTERN  RANGE  (ER) 
COLLISION  AVOIDANCE  (COLA)  CONFLICTS  ARE  PREDICTED.  LAUNCH 
HOLD  TO  THE  NEXT  EVEN  MINUTE  IS  UTILIZED  TO  CLEAR  CONFLICTS 
(REF.  RULE  { A4-3 } ,  ORBIT  CONJUNCTIONS/CONFLICTS,  AND  LCC 
5.6).  @[051194-1605] 

Responsibility  for  calling  launch  holds  based  on  COLA's  lies  with  ER/KSC,  while  computation  of  misses 
between  orbits  (COMBO)  conflict  responsibility  lies  with  JSC  based  on  data  provided  by  U.  S.  Space 
Command. 

U.S.  Space  Command  and  ER  perform  several  prelaunch  analyses  to  determine  if  any  such  orbital 
conjunctions  may  result.  The  U.S.  Space  Command  COMBO  analysis  is  performed  assuming  an  on-time 
launch  while  the  ER  COLA  analysis  evaluates  the  entire  launch  window.  Also,  ER  analyses  are 
performed  only  against  mannable  space  vehicles  (such  as  Mir)  for  the  first  orbit  after  liftoff,  while  U.S. 
Space  Command  provides  data  to  JSC  for  analysis  of  the  entire  U.S.  Space  Command  orbiting  object 
catalog  for  a  period  of  2  hours  after  liftoff.  If  clearance  limits  are  exceeded  for  a  launch  at  the  planned 
time,  the  launch  must  be  held  until  adequate  clearance  can  be  assured.  For  practiced  considerations, 
such  holds  will  extend  to  the  even  minute.  @[051 194-1605  ] 

H.  ACLS'S  ARE  NOT  REQUIRED  FOR  LAUNCH  COMMIT. 

These  sites  are  for  contingency  cases  only  and  are  therefore  not  required  for  launch. 

I.  POSTLAUNCH  SEARCH  AND  RESCUE  (SAR)  OPERATIONS  -  THE  LAUNCH 
WILL  NOT  BE  HELD  BASED  ON  SAR  WEATHER  OR  THE  FAILURE  OF  ANY 
EQUIPMENT  THAT  WOULD  BE  USED  TO  SUPPORT  A  POSTLAUNCH  SAR 
OPERATION. 

Establishing  weather/sea  state  criteria  across  the  total  trajectory /range  for  SAR  operations  is 
prohibitive,  and  we  would  be  NO-GO  for  launch  most  of  the  time.  Additionally,  the  weather  and  sea 
state  along  the  total  trajectory  will  probably  not  be  known.  Delaying  the  launch  to  accommodate  repair 
of  a  SAR  aircraft  or  other  piece  of  equipment,  or  to  allow  improvement  in  weather  conditions  in  areas 
for  which  we  may  not  have  an  adequate  forecast  anyway,  is  not  the  prudent  action.  The  DOD  response 
for  bailout  support  may  be  affected. 
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A2-2  ABORT  LANDING  SITE  REQUIREMENTS 

CONTINUOUS  SINGLE  SSME  OUT  INTACT  ABORT  COVERAGE  IS  REQUIRED 
THROUGHOUT  POWERED  FLIGHT  (REF.  NSTS  07700,  VOLUME  X,  PARAGRAPHS 
3. 2. 1.1. 4  AND  3. 2. 1.5. 1.1  THROUGH  3. 2. 1.5. 1.3).  PRELAUNCH 
ANALYSIS  MUST  DEMONSTRATE  THIS  CONTINUOUS  SINGLE  SSME  OUT  INTACT 
ABORT  COVERAGE  EXISTS  OR  LAUNCH  IS  NO  GO  PER  RULE  {A2-1}, 
PRELAUNCH  GO/NO-GO  REQUIREMENTS.  ®[041 1 96-1 801  A] 

THIS  CONTINUOUS  SINGLE  SSME  OUT  INTACT  ABORT  COVERAGE  MUST 
INCLUDE  SYSTEMS  FAILURE  TOLERANCE  AND  BOTH  SYSTEMS  AND 
ENVIRONMENTAL  PERFORMANCE  DISPERSIONS  AS  REQUIRED. 

THIS  CONTINUOUS  SINGLE  ENGINE  OUT  INTACT  ABORT  COVERAGE  MUST  BE 
TO  A  FULLY  ACCEPTABLE  LANDING  SITE  THROUGHOUT  POWERED  FLIGHT. 
THERE  CAN  BE  NO  PRELAUNCH  PREDICTED  SINGLE  SSME  OUT  ABORT  GAP 
BETWEEN  LAST  RTLS  AND  FIRST  TAL  NOR  BETWEEN  LAST  RTLS  OR  LAST 
INTACT  TAL  CAPABILITY  (TO  A  GO  TAL  SITE)  AND  FIRST  PRESS 
CAPABILITY,  AND  NO  GAP  IN  SINGLE  SSME  OUT  PROTECTION  FOLLOWING 
FIRST  PRESS  CAPABILITY  NO  MATTER  WHICH  OF  THE  FOLLOWING  CRITERIA 
IS  USED  TO  DEFINE  PRESS  CAPABILITY.  @[0411 96-1 801  A] 

A.  AN  RTLS  LANDING  SITE  IS  REQUIRED  FOR  LAUNCH  COMMIT. 

B.  A  TAL  LANDING  SITE  IS  REQUIRED  FOR  LAUNCH  COMMIT  UNLESS  THERE 
IS  RTLS  AND  TWO  ENGINE  PRESS  CAPABILITY  OVERLAP.  THEN  A  TAL 
LANDING  SITE  IS  HIGHLY  DESIRABLE. 
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A2-2  ABORT  LANDING  SITE  REQUIREMENTS  (CONTINUED) 

C.  AN  AOA  LANDING  SITE  IS  HIGHLY  DESIRABLE.  AN  AOA  LANDING  SITE 
IS  REQUIRED  FOR  LAUNCH  COMMIT  ONLY  IF  BOTH  OF  THE  FOLLOWING 
CONDITIONS  ARE  MET: 

1.  AN  INTACT  SINGLE  ENGINE  OUT  ABORT  GAP  EXISTS  BETWEEN  THE 
LATER  OF  LAST  TWO  ENGINE  TAL  TO  A  GO  TAL  SITE  OR  LAST  TWO 
ENGINE  RTLS  AND  TWO  ENGINE  PRESS  CAPABILITY  BASED  ON 
ATO/MINIMUM  HP  SHALLOW  DEORBIT  (FD1  OR  2),  AND  @[012402-51 12B] 

2.  TWO  ENGINE  PRESS  CAPABILITY  BASED  UPON  AOA  STEEP  PROVIDES 
CONTINUOUS  SINGLE  ENGINE  OUT  INTACT  ABORT  COVERAGE 
THROUGH  MECO. 

IF  AN  ASCENT  INTACT  ABORT  LANDING  SITE  IS  REQUIRED,  THEN  ALL 
LANDING  SITE  REQUIREMENTS,  AS  SPECIFIED  IN  THE  FLIGHT  RULES,  MUST 
BE  SATISFIED.  IN  THE  CASE  OF  LAUNCH  COMMIT  WITHOUT  A  TAL  OR  AOA 
OR  FIRST  DAY  PLS  LANDING  SITE,  OR  WITHOUT  ANY  COMBINATION  OF 
SITES,  THEN  A  CONTINGENCY  OR  SYSTEMS  ABORT  REQUIREMENT  WILL  BE 
SATISFIED  USING  EXISTING  RTLS,  TAL,  ACLS,  OR  ABORT  FROM  ORBIT 
(AFO)  CAPABILITY,  POSSIBLY  TO  AN  ELS.  @[041 196-1 801  A]  @[012402-51 12B] 

NOTE:  IF  FIRST  DAY  PLS  IS  NO-GO  DUE  TO  EQUIPMENT  OUTAGE  (REF. 

SECTION  3),  THEN  LAUNCH  WILL  BE  GO  ONLY  IF  ALL  REQUIRED 
EQUIPMENT  WILL  BE  AVAILABLE  AT  ONE  OR  MORE  CONUS  SITES 
PRIOR  TO  FD  2  PLS  DEORBIT  DECISION  TIME. 
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Continuous  single  engine  out  intact  abort  capability  to  a  landing  site  meeting  all  requirements  must  be 
achieved  to  commit  to  launch  (ref.  Rule  {A4-1D},  PERFORMANCE  ANALYSES).  Since  the  only  two 
engine  intact  abort  mode  available  for  the  first  2  to  3  minutes  of  any  flight  is  the  RTLS  site,  GO 
conditions  are  mandatory  at  the  RTLS  landing  site. 

TAL  is  required  unless  RTLS/two  engine  press  overlaps.  Even  in  those  cases,  TAL  is  the  preferred  abort 
mode  for  an  engine  out  during  the  RTLS/TAL  overlap  period.  Launching  without  TAL  capability  should 
never  be  a  design  goal  but  a  real-time  fallback  if  weather  or  equipmen  t  outages  at  the  TAL  sites  are  the 
only  constraints  to  launch. 

The  ATO  single  SSME  out  press  boundary  represen  ts  the  earliest  time  at  which  an  engine  failure  will 
result  in  the  achievement  of  cm  acceptable  MECO  underspeed  based  on  one  of  four  cases:  AO  A  steep 
capability;  ATO/minimum  Hp  with  shallow  deorbit  on  flight  day  1  capability;  ATO/minimum  Hp  with 
shallow  deorbit  on  flight  day  2  capability,  including  OPS  2  use  of  Fwd  RCS  (ref.  Rule  {A2-53}, 
FORWARD  RCS  USAGE  GUIDELINES);  or  ET  impact  in  an  acceptable  area  (ref.  Rule  { A4-55B j, 
DESIGN  AND  CRITICAL  MECO  UNDERSPEED  DEFINITIONS).  If  the  design  press  boundary  is 
based  on  AO  A  steep  but  no  AO  A  site  is  available,  then  intact  capability  can  still  be  provided  as  long  as 
no  gap  exists  between  last  RTLS  or  TAL  and  the  press  boundary  based  on  ATO/minimum  Hp  for  flight 
day  1/shallow  deorbit.  If  no  first  day  PLS  site  is  available,  then  continuous  single  SSME  out  intact  abort 
capability  can  still  be  provided  as  long  as  no  gap  exists  between  last  RTLS  or  TAL  and  the  press 
boundary  based  on  AOA  steep  (press  capabilities  based  on  AOA  steep  and  ATO/rnin  Hp/flight  day  1 
shallow  come  only  a  few  seconds  apart).  If  neither  cm  AOA  or  first  day  PLS  site  are  available,  then 
launch  commit  may  be  allowed  if  there  is  no  gap  between  last  RTLS  or  TAL  and  a  press  boundary  based 
on  ATO  OMS-l/minimum  Hp  OMS-2/shallow  deorbit  on  flight  day  2.  This  boundary  assumes  the  use  of 
the  Fwd  RCS  in  OPS  2.  Analysis  has  shown  that  there  is  no  delay  in  this  press  boundary  with  respect  to 
the  flight  day  1  press  boundary  when  the  Fwd  RCS  is  allowed.  ®[01 2402-51 12B] 

Even  if  a  first  day  PLS  site  is  not  technically  available  at  launch  time,  equipmen  t  outages  may  be 
resolved  or  weather  may  improve  by  deorbit  decision  time. 
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A2-2  ABORT  LANDING  SITE  REQUIREMENTS  (CONTINUED) 

If  a  first  day  PLS  landing  site  is  not  available,  and  systems  failures  requiring  early  flight  termination 
occur,  landing  will  be  supported  by  RTLS,  TAL,  and  AFO  sites.  This  means  that  deorbit/landing  might 
be  made  under  AC LS/ELS  type  conditions:  less  than  normally  acceptable  weather;  lack  of  navciids;  etc. 
Systems  failures  requiring  first  day  PLS  are  typically  multiple  failures  or  structural  failures.  In  some 
cases,  immediate  deorbit  is  required.  Should  these  type  failures  occur  during  the  on-orbit  timeframe,  it 
has  always  been  acceptable  to  land  under  ACLS/ELS  conditions.  In  other  cases,  loss  of  redundancy  in 
entry  critical  equipment  is  cause  for  a  first  day  PLS.  When  a  first  day  PLS  site  is  not  available,  for  loss 
of  redundancy  that  normally  calls  for  first  day  PLS,  the  risk  of  staying  on  orbit  until  the  next  day  for 
improved  landing  conditions  outweighs  the  risk  of  loss  of  critical  equipment  during  the  on-orbit  wait  for 
24  hours. 

If  cm  abort  landing  site  is  required,  the  sites  must  fully  meet  the  requirements  listed  in  the  flight  rules 
(ref.  Rules  {A2-1G}  and  {A2-1F},  PRELAUNCH  GO/NO-GO  REQUIREMENTS,  and  {A4-107A}, 
PLS/EOM  LANDING  OPPORTUNITY  REQUIREMENTS)  for:  landing  site  weather  conditions  including 
visibility,  clouds,  winds,  turbulence,  precipitation,  runway/lakebed  surface  conditions,  and  resources 
necessary  to  measure  low-level  winds  and  atmospheric  data  ( not  PLS);  crossrange,  rollout  margin,  brake 
energy,  navigation  aids,  and  lighting  (not  PLS);  touchdown  margin  (not  PLS);  and  tracking  (not  AO  A  or 
PLS),  telemetry,  command,  and  car-ground  voice  (for  PLS  equipment  outage  ETRO  must  be  before 
deorbit  decision  time).  @[072795-1772  ] 

Rules  (A1-106J,  LANDING  SITES;  (A2-1J,  PRELAUNCH  GO/NO-GO  REQUIREMENTS;  {A3-1}, 
GROUND  AND  NETWORK  DEFINITIONS;  {A3-102J,  INTEGRATED  NETWORK  FAILURE 
DECISION  MATRIX;  {A3-201J,  TACAN  REDUNDANCY  REQUIREMENTS  AND  ALTERNATE  TACAN 
SELECTION  PHILOSOPHY;  {A4-2},  LANDING  SITE  CONDITIONS;  and  / A4-55 },  DESIGN  AND 
CRITICAL  MECO  UNDERSPEED  DEFINITIONS,  reference  this  rule.  ®[ED  ] 
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A2-3  LAUNCH  HOLD 

NO  MCC  COUNTDOWN  HOLD  WILL  BE  CALLED  AFTER  T-31  SECONDS. 

After  T-31  seconds,  launch  holds  will  not  be  called  by  the  MCC.  T-31  seconds  is  the  latest  time  that  an 
MCC  voice  call  for  a  launch  hold  can  realistically  be  acted  on  in  real  time.  Calling  such  a  hold  for 
MCC-related/non-ground  launch  sequencer  (GLS)  recognized  problems  does  not  merit  the  risk  of  such  a 
launch  hold.  Backup  onboard  crew  procedures  can  accomplish  most  abort  functions  should  the  MCC 
have  a  problem  in  the  last  few  seconds  before  launch.  @[061396  4005  ] 


A2-4  LAUNCH  DAY  CREW  TIME  CONSTRAINTS 

A.  THE  MAXIMUM  TIME  THE  CREW  WILL  REMAIN  IN  THE  VEHICLE  IS  5 
HOURS  15  MINUTES  (EXCLUDING  SAFING  AND  EGRESS  TIME)  (REF.  LCC 
3.2B),  WHICH  ALLOWS  2.5  HOURS  OF  HOLD  TIME  AFTER  THE  EARLIEST 
PLANNED  LAUNCH  TIME. 

It  is  impractical  to  keep  the  crew  in  the  launch-seat  posture  for  an  extended  period  of  time.  The  crew 
enters  the  vehicle  about  2  hours  45  minutes  before  launch;  thus,  a  2.5-hour  launch  window  is  preserved. 

B.  THE  SCHEDULED  CREW  AWAKE  TIME  ON  LAUNCH  DAY  WILL  NOT  NORMALLY 
EXCEED  16  HOURS.  PRELAUNCH  HOLD  TIME  AND  POSTLAUNCH 
ORBITER/PAYLOAD  CONTINGENCIES  REQUIRING  THE  USE  OF  BACKUP 
TIMELINES  WILL  BE  ACCOMMODATED  AS  LONG  AS  THEY  DO  NOT  EXTEND 
THE  CREW  DAY  BEYOND  18  HOURS. 

Abnormally  long  days  will  result  in  crew  fatigue  and  increase  the  potential  for  procedural  errors  that 
could  affect  safety  or  compromise  mission  success.  Without  a  waiver,  crew  awake  time  on  launch  day 
will  not  be  premission  scheduled  for  greater  than  16  hours.  Since  the  crew  is  awake  about  4  hours  55 
minutes  before  launch,  this  allows  for  up  to  11  hours  5  minutes  of  on-orbit  activities  before  the  start  of 
the  sleep  period.  If  there  is  a  launch  hold  or  orbiter/payload  contingencies  require  the  use  of  backup 
timelines  for  deploy  opportunities  or  off-nominal  operations,  these  adjustments  will  be  accommodated  as 
long  as  the  maximum  crew  day  of  18  hours  is  not  exceeded. 
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A2-5  PORT  MODING/RESTRINGING  GUIDELINES 

A.  PORT  MODING  OR  RESTRINGING  MAY  BE  USED  PER  RULES  {A2-254C}, 
ENTRY  STRING  REASSIGNMENT;  {A2-63B}.2,  ASCENT  STRING 
REASSIGNMENT;  {A7-5},  PASS  GPC  BCE  FAILURE  MANAGEMENT;  AND 
{ A7-105 } ,  MDM  PORT  MODING,  TO  REGAIN  LOST  CAPABILITIES  DUE  TO 
GPC  FLIGHT-CRITICAL  BCE  FAILURES.  THE  RECOVERY  TECHNIQUE 
USED  WILL  DEPEND  UPON  THE  SPECIFIC  FLIGHT  PHASE  AND  FAILURE 
SCENARIO  PRESENT  IN  THE  ORBITER.  IN  GENERAL,  PORT  MODING 
WILL  BE  ATTEMPTED  DURING  DYNAMIC  PHASES  OVER  RESTRINGING 
EXCEPT  AS  NOTED  IN  THE  REFERENCED  RULES.  ®[ED  ] 

For  flight-critical  BCE  failures,  recovery  of  lost  capability  may  be  attempted  via  port  moding  or 
restringing.  Port  moding  will  recover  the  bypassed  FC  MDM,  but  will  result  in  the  loss  of  the  other  FC 
MDM  on  the  affected  string.  Restringing  will  result  in  the  entire  recovery  of  string  capability,  but  GPC 
redundancy  may  be  given  up. 


Port  moding  is  preferred  over  restringing  because  of  the  ease  of  implementation  (crew  SPEC  entry),  port 
mode  reconfiguration  is  considered  to  be  less  hazardous  to  the  PASS  redundant  set  than  restring 
reconfiguration,  and  the  desire  to  maintain  GPC  redundancy. 


In  general,  restringing  will  only  be  attempted  when  the  appropriate  restring  criteria  is  satisfied. 
Otherwise,  port  moding  may  be  done  to  recover  lost  capability. 

B.  A  RESTRING  WILL  BE  PERFORMED  TO  MAINTAIN  CRITICAL  CAPABILITY 
FOR  THE  FOLLOWING  POWERDOWNS : 


1 . 

LOSS 

OF 

AV  BAY  COOLING  (TO  RECOVER  TWO  STRINGS 

2  . 

LOSS 

OF 

CABIN  PRESSURE 

3. 

LOSS 

OF 

FLASH  EVAPORATOR  SYSTEM 

4  . 

LOSS 

OF 

TWO  FREON  LOOPS 

5  . 

LOSS 

OF 

TWO  FUEL  CELLS 

6. 

LOSS 

OF 

TWO  H20  LOOPS 
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A2-5  PORT  MODING/RESTRINGING  GUIDELINES  (CONTINUED) 

If  powerdowns  are  required  during  ascent  or  entry,  the  GPC’s  are  intentionally  moded  to  STBY  then 
HALT  and  powered  off  to  maintain  either  acceptable  orbiter  power  levels  or  GPC  thermal  limits.  This 
rule  allows  for  a  restring  to  be  performed  for  the  listed  powerdowns. 

If  GPC  failures  or  multiple  LRU  failures  in  a  subsystem  exist,  then  the  current  restring  rules  will  be 
adhered  to.  Measures  will  also  be  taken  to  ensure  that  the  least  number  of  strings  are  reassigned  (ref. 
Rules  {A2-63J,  ASCENT  STRING  REASSIGNMENT;  and  {A2-254},  ENTRY  STRING  REASSIGNMENT). 

Powerdown  procedures  have  been  verified  and  are  officially  documented  as  part  of  the  Space  Shuttle 
Flight  Data  File  (FDF). 
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A2-6  LANDING  SITE  WEATHER  CRITERIA  [HC]  @[052401 -4459A] 

LIMITS  APPLY  TO  DAY  AND  NIGHT  LANDINGS  UNLESS  OTHERWISE  NOTED. 
THE  WEATHER  LIMITS  CONTAINED  IN  THIS  RULE  MUST  BE  SATISFIED  WITH 
OBSERVATIONS  AT  THE  GO/NO-GO  DECISION  TIME  AND  WITH  THE  FORECAST 
FOR  THE  LANDING  TIME  WITH  THE  FOLLOWING  EXCEPTIONS:  ®[111 094-1 622B] 

@[021 998-6490A] 

FIRST  -  PRELAUNCH  EVALUATION  OF  THE  FD1  OR  FD2  PLS  IS  BASED  ONLY 
ON  THE  FORECAST. 


The  prelaunch  PLS  evaluations  use  only  the  forecast  because  the  landing  time  is  at  least  5-10  hours  after 
launch. 

SECOND  -  CONSIDERATION  MAY  BE  GIVEN  TO  RELAXING  THE  REQUIREMENT 
FOR  A  GO  OBSERVATION  AT  DECISION  TIME  IF  ANALYSIS  CLEARLY 
INDICATES  IMPROVING  WEATHER  CONDITIONS,  AND  THE  FORECAST  STATES 
THAT  ALL  WEATHER  LIMITS  WILL  BE  MET  AT  LANDING  TIME. 


In  some  weather  situations,  the  observed  weather  at  decision  time  may  be  NO-GO  although  weather 
conditions  are  improving.  If  there  is  a  high  level  of  confidence,  based  upon  the  observed  weather  tren  ds, 
that  the  forecast  for  landing  time  is  for  weather  to  be  within  limits,  consideration  may  be  given  to 
relaxing  the  GO  requirement  at  decision  time.  Examples  include:  rain  showers  exhibiting  predictable 
dissipation  or  movement  away  from  the  landing  site  at  decision  time;  and  crosswinds  exceeding  limits 
that  are  forecast  to  decrease  diurnally  for  a  landing  near  or  after  sunset.  ©[021998-6490A] 

THE  APPROACHES  TO  BOTH  THE  PRIME  AND  BACKUP  RUNWAYS  AT  A  GIVEN 
SITE  MUST  SATISFY  THE  CEILING,  VISIBILITY,  PRECIPITATION,  AND 
THUNDERSTORM  PROXIMITY  LIMITS  LISTED  BELOW.  WHENEVER  AVAILABLE, 
A  WEATHER  RECONNAISSANCE  FLIGHT  WILL  PROVIDE  A  LANDING  SITE 
GO/NO-GO  RECOMMENDATION.  ®[ED  ] 
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A2-6  LANDING  SITE  WEATHER  CRITERIA  [HC]  (CONTINUED) 

A.  CEILING  AND  VISIBILITY  LIMITS 

TABLE  A2-6-I  -  CEILING  AND  VISIBILITY  LIMITS 


CEILING  /VISIBILITY 

(K  FT)/(SM) 

REDUNDANT 

MLS 

SINGLE 

STRING-MLS 

NO  MLS 

KSC,  EDW,  NOR, 

CONCRETE 

DAY 

?  1 0/7 

AOA, 

NIGHT 

?  8/5 

NO-GO 

DAILY  PLS 

SELECTION 
(ALL  SITES) 

LAKEBED 

DAY 

(WX  RECON 
REQUIRED) 

?  1 0/7 

NIGHT 

?  1 5/7 

NO  GO 

RTLS,  TAL 

CONCRETE 

DAY 

?5/4  RTLS 
>5/5  TAL 

?  1 0/7 

NIGHT 

(WX  RECON 
REQUIRED) 

NO  GO 

ACLS /ECAL/ ELS 

0/0 

?8/5  | 

PREDEORBIT:  ONE  APU  FAILED  OR 

ATTEMPT  TWO  APU’S  PROCEDURE 

?  1 0/7 

®[050495-1 776A  ]  ®[041 097-4927A]  ®[051697-4928B] 


1.  CEILINGS  AND  VISIBILITY  MUST  MEET  THE  LIMITS  LISTED  IN 
TABLE  A2-6-I  TO  BE  GO  CONDITIONS.  THE  MLS  REQUIREMENTS 
APPLY  TO  THE  GROUND  AND  ORBITER  EQUIPMENT. 

2.  FOR  EOM  AND  INTACT  ABORTS,  WX  RECON  MUST  CONFIRM  THAT 
THE  PAPI'S  OR  AIMPOINT  ARE  VISIBLE  FROM  8K  (5K  FOR 
RTLS ,  TAL)  TO  PREFLARE  AND  THE  BALL  BAR  IS  VISIBLE  FROM 
PREFLARE  TO  FINAL  FLARE  FOR  CEILINGS  BELOW  10K  FT 
AND/OR  VISIBILITY  LESS  THAN  7  STATUTE  MILES  (SM) .  WX 
RECON  GO/NO-GO  RECOMMENDATION  (BASED  ON  CURRENT 
CONDITIONS)  IS  REQUIRED  FOR  CEILINGS  AT  OR  BELOW  8K  FT. 
WX  RECON  IS  NOT  REQUIRED  FOR  AN  ACLS  OR  DAILY  PLS 
SELECTION.  ®[050495-1 776A  ]  ®[051697-4928B] 
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A2-6  LANDING  SITE  WEATHER  CRITERIA  [HC]  (CONTINUED) 

3.  FOR  KSC  EOM  ONLY,  NO-GO  CONSIDERATION  WILL  BE  GIVEN  TO 

CLOUD  LAYERS  BELOW  8K  FT  BEING  REPORTED  BY  GROUND  WEATHER 
OBSERVERS  OR  WEATHER  AIRCRAFT  GREATER  THAN  2/8  COVERAGE 
AND  LESS  THAN  OR  EQUAL  TO  4/8  COVERAGE  (SCATTERED)  AT  THE 
DEORBIT  BURN  GO/NO-GO  DECISION  TIME.  ®[1 1 1094-1622B]  ®[061 396-4008  ] 

®[041 097-4927A] 

The  definition  of  a  ceiling  is  where  the  cumulative  toted  of  cloud  cover  exceeds  more  than  50  percen  t 
coverage  of  the  sky.  Restrictions  to  visibility  include  smoke ,  haze,  fog,  dust,  clouds,  and  precipitation. 

The  visibility  limits  are  horizontal  distances  that  correspond  to  slant  range  visibility  from  a  point  on  the 
outer  glide  slope  to  the  runway  threshold.  The  7  and  5  SM  visibility  limits  correspond  to  the  10K  and  8K 
foot  altitude  points  on  the  outer  glide  slope  respectively.  Ceiling  and  visibility  limits  ensure  that  the 
crew  has  sufficient  time  on  the  outer  and  inner  glide  slopes  to  acquire  the  runway  and  the  landing  aids 
during  preflare  and  fined  flare  and  correct  for  any  navigation  dispersions.  Therefore,  the  minimum 
limits  are  a  function  of  MLS  availability,  lighting  conditions,  and  type  of  runway.  Reference  Rule  {A8- 
18},  LANDING  SYSTEMS  REQUIREMENTS,  for  orbiter  MLS  requirements. 

For  RTLS  and  TAL,  the  ceiling  limits  can  be  reduced  to  5K  minimum  altitude.  Testing  at  AMESfVMS  in 
combination  with  STA  test  matrices  confirmed  guidance  was  able  to  correct  back  to  glide  slope  and 
cen  terline  by  approximately  5K  feet  assuming  flight  derived  3-sigmci  nav  errors  ( +1100  feet  in  Z  and 
1400 feet  in  Y  combined  with  worse  case  late  MLS  incorporation)  and  KSC  design  winds.  STA  data 
indicated  acceptable  landing  parameters  could  be  obtained  with  ceilings  of  3 K,  4K,  or  5K.  The  primary 
difference  between  3K  and  5K  consists  of  reaction  time  available  on  the  outer  glide  slope  for  the  pilot  to 
transition  from  IFR  to  VFR  conditions  prior  to  initiation  of  the  preflare  maneuver  at  2,000 ft  AGE  (3K 
allows  6  seconds  and  5K  allows  18  seconds  prior  to  the  preflare  maneuver).  Pilot  evaluation  concluded 
that  18  seconds  was  the  minimum  acceptable  reaction  time  to  safely  transition  from  IMC  or  VMC  prior 
to  the  preflare.  Since  the  guidance  and  navigation  capability  is  similar  for  RTLS  and  TAL,  the  testing 
applies  to  both  RTLS  and  TAL.  The  higher  visibility  requirement  of  5  NM  for  TAL  provides  a  better  view 
of  the  majority  of  the  runway  length  when  breaking  out  of  a  5K  ceiling.  This  view  of  the  runway  is 
desirable  on  a  TAL  since  the  CDR  is  less  familiar  with  the  TAL  site  than  the  SLF.  A  WX  Recon  GO/NO- 
GO  recommendation  by  the  STA  is  required  when  deeding  with  reduced  ceilings  to  confirm  the  visibility 
and  to  also  factor  in  other  weather  conditions  ( turbulence ,  crosswinds,  etc.).  Weather 
minimums/maximums  are  defined  assuming  that  parameter  is  the  only  condition  present.  Combinations 
near  the  limits  of  ceilings,  crosswinds,  tu  rbulence,  and/or  visibility  need  to  be  assessed  by  the  WX  Recon 
to  ensure  acceptable  landing  conditions.  ®[050495-l  776A  ]  ®[051697-4928B] 

Forecast  experience  and  climatological  studies  indicate  that  in  most  KSC  weather  situations,  2/8  low 
cloud  coverage  is  a  reasonable  criteria  to  expect  a  continuation  of  few  or  scattered  (less  than  or  equal  to 
4/8)  low  cloud  conditions  for  1  to  2  hours.  Thus,  due  to  the  inheren  t  variability  and  volatility  of  cloud 
conditions  in  the  KSC  area,  strong  consideration  should  be  given  to  this  2/8  low  cloud  criteria  at  the 
deorbit  burn  GO/NO-GO  decision  time.  However,  there  are  meteorological  situations  when  forecaster 
confidence  of  low  clouds  remaining  scattered  for  touchdown  time  supports  a  GO  deorbit  burn  decision 
when  low  clouds  exceed  2/8  coverage  at  the  deorbit  burn  GO/NO-GO  decision  time.  ®[06i  396-4008  ] 
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A2-6  LANDING  SITE  WEATHER  CRITERIA  [HC]  (CONTINUED) 

NO  MLS 

Without  MLS,  visual  cues  provide  the  only  means  to  correct  navigation  dispersions  remaining  from 
TACAN/ADTA  processing.  Flight  history  has  shown  that  the  one-sigma  position  errors  in  the  onboard 
state  when  using  HAINS  IMU’s  (no  piloting  dispersions  included)  just  before  processing  MLS  (at 
approximately  17Kfeet)  are  188  ft  u,  232  ft  v,  225 ft  w,  and  374 ft  RSS’d.  The  one-sigma  position  errors 
after  one  cycle  of  MLS  processing  are  38  ft  u,  37  ft  v,  64  ft  w,  and  83  ft  RSS’d.  Reference:  The  Summary 
of  Navigation  Errors  through  STS-88  (STF  NAV-99-48500-008,  February  4,  1999).  Therefore,  the  crew 
can  rely  on  guidance  commands  to  a  lower  altitude  when  using  MLS  before  beginning  transition  to 
visual  cues.  ©[070899-6872A] 

REDUNDANT  AND  SINGLE  STRING  MLS 

The  runway  and  orbiter  must  have  redundant  MLS  for  a  night  landing  except  for  a  lakebed  runway. 
Single  string  MLS  is  acceptable  because  navigation  dispersions  are  more  tolerable  on  the  larger  area 
provided  by  the  lakebed  environment.  If  the  single-string  MLS  fails,  visual  cues  provide  the  only  means 
to  correct  navigation  dispersions.  Flight  Design  and  Dynamics  personnel  in  cooperation  with  the 
Astronaut  Office  conducted  an  analysis  to  determine  the  night  ceiling  limit  of  15K  feet  on  the  lakebed. 
The  Shuttle  Mission  Simulator  (SMS)  and  Shuttle  Training  Aircraft  (ST A)  flew  several  sessions  of  night 
landings  with  dispersed  initial  conditions  and  good  navigation.  The  experience  gained  from  these 
analyses  indicated  that  a  ceiling  level  of  15K  feet  would  be  acceptable.  This  ceiling  level  will  provide 
sufficient  time  for  the  crew  to  visually  acquire  the  landing  area,  assess  the  need  to  correct  dispersions, 
and  take  the  necessary  actions.  If  MLS  were  available,  this  is  the  approximate  altitude  when  processing 
would  begin.  ®[i  1 1 094-1 622B] 

INOPERATIVE  MLS  COMPONENTS 

For  purposes  of  this  rule,  failure  of  any  of  the  three  MLS  ground  station  measuremen  ts  (azimuth, 
elevation,  or  range)  constitutes  a  toted  failure  of  that  string.  Onboard  navigation  software  will  not 
process  MLS  data  if  either  azimuth  or  range  is  unavailable.  Although  MLS  azimuth  and  range  data  will 
be  processed  in  case  of  ground  elevation  equipment  failure,  onboard  altitude  errors  will  not  be  corrected 
adequately.  ®[070899-6872A]  ®[041 097-4927A] 
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A2-6  LANDING  SITE  WEATHER  CRITERIA  [HC]  (CONTINUED) 

®[ED  ] 

ACLS / ECAL / ELS 

The  ACLS,  ECAL,  or  ELS  limits  require  accepting  additional  risk.  Emergency  deorbit,  SSME  limits 
management,  and  abort  gap  closure  procedures  potentially  use  these  sites.  Rules  (A2-205EJ  and 
{A2-205F},  EMERGENCY  DEORBIT,  and  {A4-107},  PLS/EOM  LANDING  OPPORTUNITY 
REQUIREMENTS,  outline  conditions  for  use  of  an  ELS  for  emergency  deorbit.  Rule  { A5-103A}.2 , 
LIMIT  SHUTDOWN  CONTROL,  specifies  enabling  main  engine  limits  at  the  earliest  single-engine 
capability  to  reach  a  prime  TAL  or  ACLS  for  some  cases  following  an  SSME  failure.  This  action 
precludes  exposure  to  SSME  limits-inhibited  operation  for  any  longer  than  necessary.  Landing  at  an 
ACLS  with  zero/zero  conditions  carries  less  risk  than  continuing  limits-inhibited  SSME  operation. 
Rule  ( A4-56I  j.3,  PERFORMANCE  BOUNDARIES,  specifies  the  use  of  an  ACLS  for  abort  gap 
closure.  It  is  reasonable  to  attempt  landing  at  an  ACLS  with  zero/zero  conditions  if  the  attempt 
carries  a  reasonable  probability  of  success  and  the  only  alternative  is  a  bailout. 

ONE  APU  FAILED  (OR  ATTEMPT  TWO  APU’S  PROCEDURE ) 

Flight  Rules  (A2-207},  LANDING  SITE  SELECTION,  and  (A10-23},  APU  ENTRY  START  TIME, 
summarize  the  conditions  and  rationale  for  selecting  a  landing  site  with  one  APU  failed  and  using  the 
ATTEMPT  TWO  APU’s  start  procedure.  With  two  APU’s  failed,  the  loss  of  hydraulic  power  causes 
reduced  flight  control  authority,  reduced  braking,  and  loss  of  nose  wheel  steering.  The  APU  placards 
assure  safe  conditions  should  the  orbiter  lose  a  second  APU.  ®[111 094-1 622B] 
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A2-6  LANDING  SITE  WEATHER  CRITERIA  [HC]  (CONTINUED) 

B.  SURFACE  WINDS  AND  TURBULENCE  LIMITS  ®[1 11 094-1 622B] 

TABLE  A2-6-II  -  SURFACE  WINDS  AND  TURBULENCE  LIMITS  ®[ED  ] 


SURFACE  WIND (KNOTS) 

AND  TURBULENCE 

CROSS 

PEAK 

HEAD 

PEAK 

TAIL 

AVG 

TAIL 

PEAK 

GUST 

TURB 

RTLS 

?  1 5  * 

?25 

?10 

?  1 5 

<10 

<MOD 

DAY 

EOM,  TAL,  AOA, 

DAILY  PLS  SELECTION 

?  1 5 

NIGHT 

EOM 

DAILY  PLS  SELECTION 

?  1 2 

TAL,  AOA 

?  1 5 

CROSSWIND  DTO 

?10 
?  1 5 

NOMINAL  DRAG  CHUTE  DEPLOY 

?  1 5 

LANDING  ?  CDR  FD19 

?  1 2 

PREDEORBIT:  1  APU  FAILED  OR 
ATTEMPT  2  APU’S  PROCEDURE 

?10 

?LGT 

ECAL/ELS 

?  1 5 

!  N/A  | 

REQUIRES  AN  STA  EVALUATION  TO  17  KNOTS  AND  A  GO  FROM  THE  STA  PILOT.  ®[041 196-1 81 7B]  ®[041 196-1871 B] 
@[041097-4926]  ®[041 097-4890A]  @[121400-3866]  @[052401 -4459A] 

1.  SURFACE  WINDS  AND  TURBULENCE  MUST  MEET  THE  LIMITS  LISTED 
IN  TABLE  A2-6-II  TO  BE  "GO"  CONDITIONS.  ®[ED  ] 

2.  THE  LEVEL  OF  TURBULENCE  SHOULD  BE  THE  PROJECTED/ESTIMATED 
LEVEL  FOR  THE  ORBITER  (Cl 3  0  OR  T3  8  MAY  BE  COMPARABLE  TO 
THE  ORBITER;  C12,  C21,  AND  STA  WOULD  BE  LESS  FOR  THE 
ORBITER) . 

3.  STA  GO  FOR  RTLS  CROSSWINDS  GREATER  THAN  15  KNOTS  WILL  BE 
BASED  ON  A  USABLE  HUD  BELOW  1000  FEET  (HUD  NOT  CAGED  AND 
SIGNIFICANT  DIGITS  FOR  EAS  AND  ALTITUDE  VISIBLE)  AND 
ACCEPTABLE  PILOT  WORKLOAD  IN  THE  PRESENCE  OF  LOW  LEVEL 
SHEARS  AS  EVIDENCED  BY  HDOT ,  X-DISTANCE,  Y-DISTANCE  AND 
Y-DOT  AT  TOUCHDOWN.  CDR' S  HUD  AND  REDUNDANT  MLS  REQUIRED 
TO  ENSURE  ACCURATE  HUD  DATA  AVAILABLE  TO  THE  CREW. 

@[041 196-1 81 7B] 


At  KSC  and  EDW,  the  official  observation  measures  the  magnitude  and  direction  of  the  wind  every 
second.  The  peak  wind  is  the  highest  wind  magnitude  measured  during  the  preceding  2,  5,  or  10 
minutes.  The  average  wind  is  the  average  of  the  wind  measurements  over  the  preceding  2  minutes.  The 
peak  and  average  winds  are  broken  down  into  headwind,  tailwind,  and  crosswind  components  relative  to 
the  runway. 
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DEFINITION  OF  GUSTS 

The  Shuttle  Program  uses  the  term  gust  to  define  the  difference  between  the  peak  and  average  wind.  This 
is  different  from  the  meteorological  definition  of  a  gust,  which  is  peak  to  trough.  The  gust  limit  applies 
to  the  measured  wind,  not  individual  wind  components.  The  gust  criterion  restricts  the  wind  conditions 
to  those  that  are  stable,  predictable,  and  within  the  orbiter  landing  performance  capability.  ©[111094- 
1 622B] 

HEAD  WIND  ©[111  094-1 622B] 

The  headwind  certification  limit  is  20  knots  steady  state  with  a  moderate  turbulence  model 
(approximately  I  10  knots )  (reference  ORBITER  VEHICLE  END  ITEM  SPECIFICATION  FOR  THE 
SPACE  SHUTTLE  SYSTEM,  Part  1,  Performance  and  Design  Requirements,  Section  10.1.3.3.1.1.3, 
Orbiter  Entry  and  Landing  Phase;  Vehicle  Design  Environment;  Steady  State  Winds  ( IK  -  surface),  and 
Section  10.1.3.3.1.2,  Design  Vehicle  Gust  Environments).  Headwind  affects  touchdown  energy.  Flight 
Rule  {A4-110},  AIMPOINT,  EVALUATION  VELOCITY,  AND  SHORT  FIELD  SELECTION,  documents 
the  acceptable  touchdown  distance. 

TAILWIND 

Tailwind  affects  the  landing  by  causing  a  longer  touchdown  distance,  higher  touchdown  ground  speed, 
loss  of  roll  out  margin,  and  higher  brake  energy.  The  tailwind  certification  limit  is  one-hcdf  the  landing 
steady  state  design  wind  speed  (reference  ORBITER  VEHICLE  END  ITEM  SPECIFICATION  FOR  THE 
SPACE  SHUTTLE  SYSTEM,  Part  1,  Performance  and  Design  Requirements,  Section  10.1.3.3.1.1.3, 
Orbiter  Entry  and  Landing  Phase;  Vehicle  Design  Environment;  Steady  State  Winds  (IK  -  surface)). 

CROSSWIND 

Crosswind  limits  are  set  due  to  concerns  in  the  following  areas:  tire  wear,  main  gear  tire/strut  loads, 
and  orbiter  handling  qualities.  Currently,  the  limiting  factor  for  crosswinds  is  the  vehicle  certification 
limit  of  20  knots.  Previous  concerns  with  orbiter  handling  qualities  in  the  two  point  stance  were 
eliminated  with  the  “cost  effective”  rudder  fix  combined  with  beep  trim  derotation  and  significantly 
reduced  lateral  aerodynamic  uncertainties.  ®[041196-1817B]  ©[052401-4459A] 

The  crosswind  limit  is  referenced  to  peak  wind  (the  maximum  wind  reported  for  2/5/10-minute  periods) 
versus  average  wind  since  peak  winds  tend  to  persist  long  enough  to  be  significant  with  respect  to  orbiter 
handling  qualities  during  the  final  approach,  TD,  and  derotcition. 

With  the  incorporation  of  the  new  modified  tire  (which  provided  a  thicker  and  more  durable  tread)  and 
the  September  1994  regrinding  of  the  KSC  surface,  tire  wear  concerns  up  to  20  kts  have  been  alleviated 
for  all  shuttle  CONUS  runway  surfaces.  ®[041196-1817B] 
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Main  gear  tire/strut  loads  have  been  certified  under  nominal  conditions  (pilot  technique  and  crosswind 
of  15  lets)  with  dispersions  RSS’d  for  pilot  technique  and  crosswind  up  to  20  lets  (reference  Rule  (A10- 
142),  TIRE  PRESSURE  [ CIL ]).  AMES  VMS  testing  in  August  1995  indicated  mean  gear  strut  loads  were 
exceeded  for  landing  in  crosswinds  greater  than  20  knots.  Additionally,  the  sideslip  at  landing  in 
crosswinds  greater  than  20  knots  exceeded  all  test  data  on  tire  capability.  ®[041196-1817B] 

Previous  AMES  VMS  evaluation  of  orbiter  handling  qualities  as  a  function  of  crosswind  (no  systems 
failures  and  no  aero  uncertainties)  have  shown  HQR’s  of  Level  I  up  to  steady  state  crosswind  of  12  kts 
(plus  2-3  kts  of  turbulence).  HQR’s  increase  from  Level  I  to  Level  II  as  crosswind  increases  from  15  to 
17.5  kts.  For  steady  state  crosswind  in  the  20-25  kt  region,  HQR’s  range  from  Level  II  to  Level  III. 
Testing  with  worse  case  aerodynamic  uncertainties  resulted  in  increased  handling  qualities  rating  of 
approximately  1. 

The  August  1995  AMES  VMS  testing  used  dynamic  wind  profiles  and  incorporated  the  “cost  effective” 
rudder  fix.  Utilization  of  dynamic  wind  profiles  (shear  and  turbulence)  can  shift  HQR’s  from  Level  I  to 
Level  III  for  landing.  August  1995  AMES  VMS  testing  indicated  that  the  most  significant  area  of  vehicle 
control  is  mean  gear  touchdown  when  flown  in  dynamic  wind  profiles.  Due  to  the  infinite  number  of 
potential  wind  profiles,  testing  cannot  determine  acceptable  shear  or  turbulence  in  the  presence  of 
crosswinds  between  15  and  20  knots.  The  only  tool  available  for  determining  cm  acceptable  wind  profile 
at  touchdown  with  respect  to  shear  and  turbulence  while  remaining  within  vehicle  limits  is  the  STA  since 
it  will  fly  through  the  existing  wind  conditions  (approximately  40  minutes  from  predicted  RTLS 
landings).  The  STA  is  considered  conservative  due  to  the  lower  wing  loading  and  slower  roll  response. 
Since  testing  at  AMES  indicated  that  there  are  some  profiles  that  provide  acceptable  HQR’s  in 
crosswinds  up  to  20  knots,  utilization  of  the  STA  would  cdlow  launch  on  the  days  where  the  wind  profile 
is  considered  acceptable  by  the  STA  pilot.  The  STA  GO  will  be  based  on  usability  of  the  HUD  (HUD  not 
caged  and  sign  ificant  digits  for  altitude  and  airspeed  visible)  and  acceptable  pilot  work  load  during 
landing  ( low  level  shears  that  do  not  degrade  landing  parameters  Hdot,  EAS,  X-distance,  Y-distcmce  and 
Y-drift  rate).  Limited  flight  test  data  (STS  51-G,  11  kts  peak;  STS-30,  11  kts  ave,  16-19  kts  peak;  STS-37, 
8  kts  ave,  9-10  kts  peak)  are  inconclusive  but  provide  indications  of  handling  qualities  degradation  with 
increasing  crosswind  (STS-30  HQR  approximately  5;  however,  its  landing  was  complicated  with  a  NWS 
S/W  anomaly).  ®[111 094-1 622B]  ®[041 1 96-181 7B] 
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Wind  forecasting  accuracy  must  also  be  considered  when  determining  crosswind  limits.  Analysis  of 
SMG  simulation  and  mission  (STS-60  through  STS-106)  crosswind  forecast  accuracy  presented  at 
AEFTP  4 173  determined  that  a  15-kt  (17 -kt  RTLS)  peak  crosswind  limit  protected  the  20-kt  vehicle 
certification  limit  in  excess  of  98  percen  t  of  RTLS,  TAL,  and  EOM  cases  studied.  Peak  crosswinds 
exceeding  20  kt  were  observed  in  less  than  5  percent  of  all  cases  (most  frequent  for  KSC  mission  EOM 
and  RTLS  cases,  each  4. 7  percent).  For  those  rare  cases  when  landing  opportunity  crosswinds  were 
observed  >  20  kts,  SMG  forecast  crosswinds  >15  kts  in  89  percent  of  KSC  EOM,  100  percent  of  KSC 
RTLS,  80  percen  t  of  TAL,  and  46  percent  ofEDW  EOM  cases.  In  just  over  half  of  the  Edwards 
crosswind  forecast  “busts,  ”  peak  wind  speed  was  forecast  to  be  25  kts  or  more,  and  a  small  wind 
direction  forecast  error  resulted  in  observed  crosswinds  exceeding  the  20  kt  vehicle  certification  limit. 

No  reasonable  crosswind  Flight  Rule  would  have  protected  the  remaining  EDW  EOM  forecast  “busted” 
cases.  Analysis  presented  at  AEFTP  4 173  did  not  consider  the  requirement  for  a  “GO”  observed 
crosswind  at  decision  time,  which  is  believed  to  add  further  protection  from  exceeding  the  20-kt  vehicle 
certification  limit.  Limiting  peak  crosswind  to  17  kts  for  an  RTLS  (typically  12-14  kts  average)  and 
requiring  a  “GO”  from  the  STA  pilot  on  the  wind  profile  provides  adequate  allowance  for  aerodynamic 
uncertainties  and  weather  forecasting  dispersions  while  maintaining  landing  within  vehicle  limits  and 
Level  ////  handling  qualities.  ®[111 094-1 622B]  ®[041196-1817B]  ®[021 998-6490A]  ®[052401-4459A] 

Crosswind  limits  for  EDO  flights  and  night  landings  include  a  somewhat  arbitrary  reduction  to  12  knots 
peak  to  allow  for  additional  piloting  margin  due  to  uncertainties  in  pilot  performance  degradation  from 
increased  exposure  to  zero-g  and  reduced  depth  perception,  respectively.  AEFTP  4138  reviewed  flight 
data  for  gross  landing  parameters  (Helot,  TD  EAS,  Y-position,  height  over  threshold,  and  drift  in  the 
two-point  attitude)  for  mission  durations  out  to  18  days  (STS-67,  STS-78,  and  STS-80).  No  degradation 
was  noted;  therefore,  the  EDO  duration  was  set  to  bracket  current  flight  data.  Data  previously  presented 
by  SD  indicated  some  performance  shift  for  long  duration  flights;  therefore,  the  AEFTP  decided  to 
maintain  the  crosswind  reduction  for  flights  outside  of  the  tested  envelope.  Night  RTLS  is  allowed  to  be 
17/15  knots  peak  since  zero-g  degradation  is  not  a  concern  and  the  pilots  are  very  familiar  with  the 
landing  site.  In  addition,  the  CDRJPLT  have  recen  t  STA  flight  approaches  to  the  SLF.  Although  TAL 
sites  have  shorter  and  narrower  runways  than  RTLS,  and  pilot  familiarity  of  these  runways  is  generally 
less  than  RTLS,  there  are  no  significan  t  differences  between  day  and  night  TAL  landings  with  respect  to 
the  peak  crosswind  limit.  Simulation  data  from  the  Ames  VMS  8/00  session  showed  acceptable 
piloting/HQR  results  (Level  II  or  better)  for  night  TAL  landings  with  crosswinds  up  to  20  kts.  The 
AEFTP  4168  and  4173  reviewed  Ames  VMS  results,  re-reviewed  the  vehicle  structural  certification  limit 
of  20-kt  s  crosswind,  and  reviewed  updated  SMG  crosswind  forecast  accuracy  statistics.  The  AEFTP 
subsequently  determined  that  a  15-kt  TAL  peak  crosswind  limit  (day  and  night)  would  provide  adequate 
protection  of  the  20-kt  vehicle  certification  limit.  Additionally,  it  follows  that  the  AO  A  crosswind  limit 
should  be  the  same  day  and  night,  since  there  are  no  significant  differences  between  TAL  and  AO  A 
landings  with  respect  to  the  crosswind  limit.  Although  there  is  some  exposure  to  zero-g  on  an  AO  A,  it  is 
not  considered  significant  relative  to  pilot  performance  degradation.  All  other  intact  aborts,  other  than 
RTLS,  TAL,  and  AO  A,  have  significant  exposure  of  the  pilot  to  zero-g  and  therefore  maintain  the  12-kt 
limit  for  night  landings.  ®[041 196-1 81 7B]  ®[041 196-1 871 B]  @[041097-4926]  ®[021998-6490A]  @[052401 -4459A] 
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CROSSWIND  DTO 

Reference  Rule  { A2-261} ,  ENTRY DTO/AUTOMODE/CROSSWIND  DTO  GO/NO-GO,  for  the  crosswind 
DTO  requirements.  Even  though  the  crosswind  DTO  limit  is  15  knots  peak,  the  12-knot  peak  crosswind 
limit  still  applies  for  night  landings  and  mission  landing  >  the  CDR’s  flight  day  17.  ®[041 196-1 871 B] 

DRAG  CHUTE  CROSSWIND  LIMITS 

Reference  Rules  {A10-144},  DRAG  CHUTE  DEPLOY  CONSTRAINTS,  and  (A2-261J,  ENTRY 
DTO/AUTO  MODE/CROSSWIND  DTO  GO/NO-GO,  for  the  drag  chute  requirements. 

ONE  APU  FAILED  (OR  ATTEMPT  TWO  APU’S  PROCEDURE ) 

Flight  Rules  (A2-207},  LANDING  SITE  SELECTION,  and  { A10-23J ,  APU  ENTRY  START  TIME, 
summarize  the  conditions  and  rationale  for  selecting  a  landing  site  with  one  APU  failed  and  using  the 
ATTEMPT  TWO  APU’s  start  procedure.  With  two  APU’s  failed,  the  loss  of  hydraulic  power  causes 
reduced  flight  control  authority  and  braking  and  loss  of  nose  wheel  steering.  The  APU  placards  assure 
safe  conditions  should  the  orbiter  lose  a  second  APU.  ®[111 094-1 622B] 

TURB  ULENCE  ®[i  1 1 094-1 622B] 

Severe  turbulence  is  undesirable  due  to  controllability  concerns.  Turbulence  information  conies 
primarily  from  WX  RECON  and  TALCOM  aircraft  or  area  pilot  reports  (PIREP).  The  type  of  aircraft  is 
a  factor  when  determining  the  applicability  of  a  PIREP  to  the  orbiter  because  cm  aircraft’s  response  to 
turbulence  is  a  function  of  wing  loading.  The  shuttle  is  sensitive  to  turbulence-caused  trajectory 
deviations  below  3000 feet  due  to  the  inability  to  makeup  energy  loss  and  achieve  the  desired  touch  down 
point.  The  PIREP’s  follow  standard  definitions  for  the  in  tensity  of  the  turbulence.  The  aircraft  reactions 
for  the  different  types  of  the  turbulence,  as  found  in  the  DOD  flight  information  handbook,  are  as 
follows:  ®[041 196-1871 B] 

Light  turbulence  -  turbulence  that  momentarily  causes  slight,  erratic  changes  in  altitude  and/or  attitude. 

Moderate  turbulence  -  turbulence  that  causes  changes  in  altitude  and/or  attitude,  but  with  the  aircraft 
always  remaining  in  positive  control. 

Severe  turbulence  -  turbulence  that  causes  large,  abrupt  changes  in  altitude  and/or  attitude.  It  usually 
causes  large  variations  in  indicated  airspeed.  Aircraft  may  be  momen  tarily  out  of  con  trol. 
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C.  THUNDERSTORM,  LIGHTNING,  AND  PRECIPITATION 

TABLE  A2-6-III  -  THUNDERSTORM,  LIGHTNING,  AND  PRECIPITATION 


THUNDERSTORM,  LIGHTNING,  AND  PRECIPITATION 
PROXIMITY  LIMITS  (NM) 

PRELAUNCH 
(RTLS,  TAL) 

PREDEORBIT 
(EOM, 
DAILY  PLS) 
PRELAUNCH 
(AOA) 

REDESIG 

CRITERIA 

ELS, 

ECAL, 

ACLS 

TSTORM  (INCLUDING 
ATTACHED  NONTRANS¬ 
PARENT  ANVILS),  AND 
LIGHTNING 

RADIAL  FROM  CENTER 
OF  PRIME  RUNWAY 

>20 

>30 

>15 

NONEAT 

SITE 

LATERAL  ALONG 
APPROACH  PATH 

OUT  TO  30  NM 

>10 

>20 

>5 

VERTICAL  FROM  TOP 

OF  CLOUD 

>2 

DETACHED 

NONTRANSPARENT  ANVIL 
<3  HRS  OLD 

RADIAL  FROM  CENTER 
OF  PRIME  RUNWAY 

>15 

>20 

>15 

N/A 

LATERAL  ALONG 
APPROACH  PATH 

OUT  TO  30  NM 

>5 

>10 

>5 

VERTICAL  FROM  TOP 

OF  CLOUD 

>2 

PRECIPITATION  * 

RADIAL  FROM  CENTER 
OF  PRIME  RUNWAY 

>20 

>30 

>  15 

N/A 

LATERAL  ALONG 
APPROACH  PATH 

OUT  TO  30  NM 

>10 

>20 

>  5 

VERTICAL  FROM  TOP 

OF  CLOUD 

>2 

CUMULUS  CLOUDS 
PRODUCED  BY 

SMOKE/FIRE  UP  TO  1  HR 
AFTER  DETACHING 

LATERAL  ALONG 
APPROACH  PATH 

>0 

N/A 

*  EXCEPTIONS  EXIST  FOR  RTLS,  SEE  RULE  {A2-6C}.4.a-g,  LANDING  SITE  WEATHER  CRITERIA  [HC],  @[111298-6734] 


1.  THUNDERSTORMS  (INCLUDING  ATTACHED  NONTRANSPARENT  ANVILS), 
LIGHTNING,  OR  PRECIPITATION  MUST  BE  OUTSIDE  THE  LIMITS 
LISTED  IN  TABLE  A2-6-III  TO  ENSURE  WEATHER  DOES  NOT 
ADVERSELY  EFFECT  THE  ORBITER  DURING  AN  ENTRY  AND  LANDING. 
REFERENCE  FIGURES  A2-6-I  THROUGH  A2-6-V.  THE  LATERAL  OR 
VERTICAL  LIMITS  MUST  BE  MET  IN  ADDITION  TO  THE  RADIAL 
LIMIT.  ®[ED  ]  @[111298-6734] 

a.  RADIAL  PROXIMITY  LIMITS  ARE  RELATIVE  TO  THE  CENTER  OF 
THE  PRIME  RUNWAY.  @[111 094-1 622B] 
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b.  LATERAL  PROXIMITY  LIMITS  ARE  RELATIVE  TO  THE  ORBITER 
APPROACH  PATH  OUT  TO  A  RANGE  OF  30  NM  FROM  THE  CENTER 
OF  THE  PRIME  RUNWAY.  ®[1 11 094-1 622B] 

C.  VERTICAL  CLEARANCES  ARE  FROM  THE  TOP  OF  THE 

THUNDERSTORM  OR  SHOWER  TO  THE  ORBITER  APPROACH  PATH. 

PRECIPITATION  INDICATIONS  INCLUDE  VISIBLE  RAIN  OR  VIRGA, 
PRECIPITATION  ECHO  ON  WEATHER  RADAR,  OR  CUMULONIMBUS  OR 
CUMULUS  CONGESTUS  (TOWERING  CUMULUS)  CLOUD  TYPES. 

FOR  ACLS/ECAL/ELS,  PRECIPITATION  IS  ACCEPTABLE.  NO 
THUNDERSTORMS  (INCLUDING  ATTACHED  NONTRANSPARENT  ANVIL) 

OR  LIGHTNING  AT  THE  SITE.  @[0201 96-1 808A]  @[111298-6734] 

FOR  RTLS ,  RAIN  SHOWERS  (EXCLUDING  THUNDERSTORMS)  WITHIN 
THE  LIMITS  LISTED  ABOVE  ARE  ACCEPTABLE  IF  CONTINUOUS 
RADAR  AND  AIRCRAFT  SURVEILLANCE  INDICATES  ALL  OF  THE 
FOLLOWING  CONDITIONS  ARE  MET.  @[021 998-6490A] 

a.  COVERAGE:  SHOWERS  COVER  LESS  THAN  10  PERCENT  OF  THE 
AREA  WITHIN  20  NM  OF  THE  SLF  OR  MULTIPLE  HAC' S  ARE 
CLEAR  OF  SHOWERS . 

b.  MOVEMENT/DEVELOPMENT:  OBSERVED  HORIZONTAL  MOVEMENT 
IS  CONSISTENT  AND  NO  ADDITIONAL  CONVECTIVE 
DEVELOPMENT  IS  FORECAST. 

c.  LIGHTNING  POTENTIAL:  TOPS  OF  CLOUDS  CONTAINING 
PRECIPITATION  DO  NOT  EXCEED  THE  +5  DEG  C  LEVEL  AND 
HAVE  NOT  EXCEEDED  THE  -10  DEG  C  LEVEL  WITHIN  2.5 
HOURS  PRIOR  TO  LAUNCH. 

d.  INTENSITY:  PRECIPITATION  IS  LIGHT  (LESS  THAN  30 
DBZ )  AT  ALL  LEVELS  WITHIN  AND  BELOW  THE  CLOUD.  @[021998- 
6490A] 
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e.  FOR  ANY  SHOWER  WITHIN  20  MILES  OF  THE  SLF ,  IF  THE 
SHOWER  EXCEEDS  PARAGRAPHS  4  .c  OR  4.d,  THEN  A  2-NM 
VERTICAL  CLEARANCE  FROM  THE  TOP  OF  THAT  SHOWER  AND  A 
10-NM  LATERAL  CLEARANCE  MUST  BE  MAINTAINED  ALONG  THE 
APPROACH  PATHS  TO  THE  OVERHEAD  AND  STRAIGHT-IN  HAC' S 
AT  BOTH  ENDS  OF  THE  RUNWAY.  ®[021 998-6490A] 

f.  BOTH  ENDS  OF  THE  RUNWAY  MEET  THE  LANDING  AND  ROLLOUT 
CRITERIA  AND  NAVAID  REQUIREMENTS  SPECIFIED  IN  RULE 

{ A2-1 } ,  PRELAUNCH  GO/NO-GO  REQUIREMENTS. 


g.  CONSIDERATION  MAY  BE  GIVEN  TO  RELAXING  THE 

REQUIREMENT  TO  MEET  ALL  FOUR  APPROACHES  TO  BOTH  ENDS 
OF  THE  RUNWAY  AS  SPECIFIED  IN  PARAGRAPHS  4  £  AND  4.f 
ABOVE.  THERE  SHOULD  BE  A  HIGH  LEVEL  OF  CONFIDENCE 
THAT  AT  LEAST  TWO  HAC  APPROACHES  (OVERHEAD  AND 
STRAIGHT-IN  TO  ONE  RUNWAY  OR  STRAIGHT-IN  TO  BOTH  ENDS 
OF  THE  RUNWAY)  WILL  BE  ACCEPTABLE  AT  RTLS  LANDING 
TIME.  TREND  MONITORING  UTILIZING  RADAR  AND  AIRCRAFT 
SURVEILLANCE  SHOULD  INDICATE  THAT  A  STABLE  AND 
PREDICTABLE  ENVIRONMENT  EXISTS.  ®[021 998-6490A] 

5.  THE  ORBITER  SHALL  NOT  PENETRATE  A  CUMULUS  CLOUD  THAT  IS 
ATTACHED  TO  A  SMOKE  PLUME  PRODUCED  BY  A  FIRE.  IF  THE 
CUMULUS  CLOUD  DETACHES  FROM  THE  SMOKE  PLUME,  1  HOUR  MUST 
ELAPSE  FROM  TIME  OF  DETACHMENT  FOR  SAFE  PENETRATION  BY 
THE  ORBITER.  @[111298-6734] 


The  orbiter  is  not  to  encounter  precipitation  on  any  approach  due  to  decreased  visibility,  damage  to  the 
TPS,  and  the  potential  for  triggered  lightning.  Undesirable  aspects  of  thunderstorms  include  rain  (TPS, 
structure),  hail  (TPS,  structure,  control),  severe  wind  shear  (structure),  turbulence  (control, 
performance,  structure),  and  natural  or  triggered  lightning  (structure,  electronic/software  systems). 
Environmental  design  requirements  for  the  orbiter  are  based  on  no  in-flight  penetration  of 
thunderstorms  (ref.  Appendix  10-10,  Volume  X,  Space  Shuttle  Level  II  Program  Specification).  The 
participants  in  the  Weather  Rules  Workshop  held  at  JSC/MSFC  in  October  1987  developed  the 
thunderstorm,  lightning,  and  precipitation  limits  based  on  scientific  knowledge,  engineering  judgment, 
and  experience. 


THIS  RULE  CONTINUED  ON  NEXT  PAGE 


VOLUME  A  06/20/02  FINAL  FLIGHT  OPERATIONS  2-26 

Verify  that  this  is  the  correct  version  before  use. 


NASA  -  JOHNSON  SPACE  CENTER 


FLIGHT  RULES 


A2-6  LANDING  SITE  WEATHER  CRITERIA  [HC]  (CONTINUED) 

The  20  nm  and  15  nm  radii  around  the  landing  site  approximate  a  10  nm  and  5  nm  lateral  clearance 
from  all  HAC’s,  respectively.  Increasing  the  radial  and  lateral  limits  for  EOM,  AOA,  PLS,  and  ELS 
adds  protection  for  the  uncertainty  associated  with  a  longer  forecast.  The  post-commitment  clearances 
balance  the  risks  associated  with  a  runway  redesignation  and  damage  from  flying  through  precipitation 
or  probability  of  incurring  a  lightning  strike.  Clearances  are  lower  for  detached  nontransparent 
thunderstorm  anvils  because  the  probability  for  triggered  lightning  is  lower.  An  attached  anvil  is  part 
of  the  thunderstorm  and  must  meet  the  thunderstorm  proximity  limits  if  the  anvil  is  nontransparent.  At 
the  January  and  April  1998  meetings  of  the  Lightning  Advisory  Panel  [LAP),  the  consensus  was  that 
transparent  anvil  clouds  do  not  pose  a  triggered  lightning  threat.  An  anvil  may  be  considered 
transparent  when  higher  clouds,  blue  sky,  stars,  etc.  may  be  seen  and  identified  from  below  or  when 
terrain,  buildings,  etc.  may  be  seen  and  identified  from  above.  Evaluation  of  anvils  is  sometimes 
difficult  and  inexact,  even  with  modern  remote  sensing  technology.  Water  droplets  observed  on  the 
windscreen  of  weather  aircraft  when  flying  through  clouds  are  definitive  evidence  of  precipitation  or 
virga.  @[111298-6734] 

At  the  January  and  April  1998  meetings  of  the  Lightning  Advisory  Panel,  LAP  members  stated  that 
applicable  research  indicated  that  cumulus  clouds  formed  by  fires  and  smoke  pose  a  threat  of  triggered 
lightning  if  penetrated  and  should  be  avoided  for  up  to  1  hour  after  the  cloud  detaches  from  the  source 
fire  or  smoke.  ®[i  1 1 298-6734  ] 

Figures  A2-6-I  through  A2-6-V  depict  the  thunderstorm/Iightning/rainshower  proximity  limits  for  a  28.5 
degree  inclination  flight.  The  maximum  heights  marked  in  the  corridor  insure  that  the  orbiter  clears  the 
top  of  the  thunderstorm  for  the  worst  case  (i.e.,  orbiter  on  the  western  edge  of  the  region).  @[111094- 
1622B]  @[0201 96-1 808A]  ®[ED  ] 

ACLS/ECAL/ELS  LIMITS  ®[1 1 1 094-1 622B]  @[0201 96-1 808A] 

Weather  at  the  site  must  be  acceptable  to  provide  good  visibility  during  final  approach,  since  lateral 
and  longitudinal  margins  are  minimal  at  ECAL/ELS  sites.  As  long  as  visibility  and  ceiling  limits  are 
met,  there  is  no  constrain  t  for  precipitation.  Additional  constrain  ts  to  avoid  thunderstorms  and 
lightning  apply  only  to  the  landing  site.  The  definition  for  “none  at  site”  used  in  the  Shuttle  Program 
will  mean  that  no  thunderstorm  is  over  the  landing  airfield.  Note  that  operational  meteorological 
reporting  standards  for  weather  occurring  at  a  site  differs  slightly  from  the  definition  applied  for  shuttle 
landings.  For  thunderstorm  and  lightning  observations  (METAR)  and  forecasts  (TAF)  used  to  evaluate 
the  GO/NO-GO  status  of  cm  ACLS/ECAL/ELS  site  prior  to  launch,  meteorological  reporting  standards 
define  “none  at  site”  as:  no  thunderstorms  or  lightning  within  5  statute  miles  of  the  observing 
( landing)  site.  ®[1 1 1 298-6734  ] 
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A2-6  LANDING  SITE  WEATHER  CRITERIA  [HC]  (CONTINUED) 

RTLS  PRECIPITATION  LIMITS 

The  short  forecast  interval  for  RTLS  and  availability  of  radar  and  weather  aircraft  allow  improved 
estimation  of  rain  shower  movemen  t  and  characterization  of  the  cloud  type.  The  RTLS  shower  exception 
specifies  conditions  under  which  launch  is  acceptable  when  showers  are  within  the  area  of  the  SLP  on 
launch  day.  SMG  developed  the  conditions  specified  in  this  rule  to  meet  orbiter  design  requirements. 
Additional  launch  probability  is  gained  by  eliminating  the  avoidance  criteria  for  showers  that  do  not 
pose  a  threat  due  to  lightning,  hail,  visibility,  aerodynamic  control,  or  MLS  attenuation.  Tile  damage 
that  occurs  if  precipitation  is  encountered  is  acceptable.  Radial,  lateral,  and  vertical  avoidance  criteria 
still  apply  for  any  storm  that  poses  a  threat  to  the  orbiter.  Reference  A/E  PTP  It  109  and  111.  @[020196- 
1808A] 

Cloud  Top  Temperatures  and  Lightning  Avoidance  -  Clouds  that  exceed  the  conditions  stated  in 
paragraphs  c  and  d  above  pose  a  threat  of  hail  or  lightning  (natural  and  triggered).  Clouds  with  <  30 
DBZ  and  tops  below  the  +5  deg  C  thermal  layer  do  not  pose  a  threat  of  stored  electrical  charge.  Clouds 
that  have  previously  extended  above  the  -10  deg  C  thermal  layer  must  be  avoided  for  2.5  hours  to  allow 
any  accumulated  charge  to  dissipate.  A  2-nm  vertical  clearance  and  a  10-nm  lettered  clearance  must  be 
main  tained  along  the  approach  paths  of  the  overhead  and  straight-in  HAC’s  at  both  ends  of  the  runway 
for  showers  exceeding  these  limits.  The  Lightning  Avoidance  Criteria  Peer  Review  Committee  reviewed 
and  concurred  with  these  criteria  at  their  KSC  meeting  in  February  1994.  ®[021 998-6490A] 

If  the  orbiter  encounters  ice,  window  damage  may  occur  resulting  in  reduced  visibility  (depending  on  ice 
population,  mass,  density,  and  relative  velocity)  and  RCC  coating  damage  may  occur  forcing  RCC  panel 
replacement.  Clouds  with  tops  below  the  +5  deg  C  thermal  layer  are  warm  enough  to  assure  they  do  not 
contain  hail. 

Light  Precipitation  -  Testing  of  TPS  tiles  flown  through  moderate  rainfall  (35  to  40  dbz)  indicates  that 
significan  t  tile  damage  will  occur  if  the  orbiter  encoun  ters  ice-free  precipitation  at  velocities  below  Mach 
1  and  above  touchdown  speed.  The  exten  t  of  damage  depends  on  drop  size  and  the  angle  of  incidence 
between  a  drop  and  a  tile.  Conservative  estimates  of  effects  on  approach  and  landing  characteristics 
assuming  a  worst-case  estimate  of  approximately  2000  damaged  tiles  (nose  and  canopy/windshield 
areas,  vertical  tail  and  OMS  pod  leading  edges)  show  no  significant  effect  on  landing  performance.  A 
retrim  to  a  slightly  higher  angle  of  attack  would  be  the  primary  noticeable  response  to  flight  through 
rain  during  landing  approach.  No  structure  or  control  system  damage  would  occur.  Testing  indicates 
that  damage  to  RCC  does  not  occur  when  flown  through  light  rain  at  speeds  below  0. 7  Mach.  RCC 
damage  is  not  desirable  due  to  replacement  cost  and  lead  time.  RCC  damage  caused  by  precipitation 
impact  would  not  affect  aerodynamic  performance.  @[020296-1 808A] 

Tile  damage  could  result  in  a  loss  of  up  to  1000ft  of  touchdown  distance.  Typical  touchdown  distances 
carry  adequate  margin  to  protect  this  type  of  energy  loss.  A  dispersed  entry  that  is  flown  through  a 
shower  on  a  day  that  predicted  touchdown  conditions  are  at  the  limits  specified  in  Rule  {A4-110}, 
AIMPOINT,  EVALUATION  VELOCITY,  AND  SHORT  FIELD  SELECTION,  could  result  in  a  vehicle 
touchdown  on  the  underrun.  Consideration  should  be  given  to  not  launching  on  a  low  energy  day  where 
the  capability  to  avoid  showers  is  low.  Otherwise,  adequate  margin  exists  within  the  system  to  support 
loss  of  touchdown  energy  due  to  tile  damage.  @[020196-180] 
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A2-6  LANDING  SITE  WEATHER  CRITERIA  [HC]  (CONTINUED) 

Water  attenuates  microwave  signals  at  MLS  frequencies;  however,  MLS  performance  is  not  severely 
affected.  Analysis  of  MLS  link  performance  with  a  transmitter  power  output  of  1600  W  (the  minimum 
acceptable  transmitter  power  output  level)  shows  that  MLS  acquires  at  over  9  nm  slant  range  when  a 
rainfall  rate  of  10  mm/hr  (0.4  in/hr)  exists  along  the  entire  path  between  the  orbiter  and  the  ground  MLS 
station.  Since  “light”  rainfall  is  less  than  0.4  in/hr,  nominal  MLS  acquisition  is  protected. 

Ceiling  and  visibility  criteria  specified  in  paragraph  A  of  this  rule  still  apply  and  protect  for  adequate 
crew  visibility  of  the  P API's,  aimpoint,  and  ball  bar  through  clouds  and  precipitation.  WX  RECON  has 
primary  responsibility  for  assessing  visibility  through  light  precipitation  from  any  showers  of  concern 
that  do  not  fall  within  the  field  of  view  used  by  meteorological  observers  to  evaluate  visibility.  Ground 
observers  are  limited  to  evaluations  using  fixed  landmarks. 

Area  Coverage/Multiple  HAC’s  -  While  it  is  acceptable  to  encounter  showers  that  meet  the  criteria 
specified  in  this  rule,  it  is  still  more  desirable  to  avoid  them  if  possible.  Limiting  the  number  of  showers 
in  the  vicinity  of  the  SLF  minimizes  the  chances  of  encountering  a  shower.  If  more  than  10  percen  t 
coverage  exists  or  is  forecast  but  multiple  HAC’s  are  clear  and  will  remain  clear  of  showers,  the  intent  of 
this  constraint  has  been  met. 

Movement  and  Convective  Development  -  Consistent  horizontal  motion  that  is  linear  or  near  linear  and 
can  be  tracked  is  required  to  accurately  forecast  future  movement.  Conditions  must  be 
thermodynamically  stable.  Observed  and  forecast  conditions  are  the  same  and  expected  to  remain 
unchanged  throughout  the  RTLS  period. 

Paragraph  f  defines  the  clearance  requirements  of  showers  with  lightning  potential  (tops  greater  than 
+5  deg  C  or  returns  greater  than  30  dbz)  which  have  not  demonstrated  air  to  ground  lightning  strikes. 
The  clearance  requiremen  ts  for  lightning  poten  tial  are  the  same  as  those  of  actual  thunderstorms. 

®[0201 96-1 

RTLS  OBSERVATIONS 

Providing  a  safe  approach  at  RTLS  landing  time  is  of  prime  importance.  Most  of  these  weather  criteria 
are  treated  as  macro  type  events,  so  the  general  landing  site  area  is  protected.  Given  the  short 
forecasting  time  for  an  RTLS  and  the  use  of  sophisticated  meteorological  tools  along  with  aircraft 
surveillance,  it  may  be  possible  to  treat  a  given  situation  as  a  “micro”  event.  In  relaxing  these  criteria, 
it  is  importan  t  to  consider  the  stability/predictability  of  the  situation  and  the  tools  used  to  monitor  the 
area  (radar,  satellite,  aircraft  surveillance).  ®[021 998-6490A] 

Rules  (A2-1FJ,  PRELAUNCH  GO/NO-GO  REQUIREMENTS;  (A2-2J,  ABORT  LANDING  SITE 
REQUIREMENTS;  { A2-103 },  EXTENSION  DAY  REQUIREMENTS;  {A2-202},  EXTENSION  DAY 
GUIDELINES;  { A2-205 },  EMERGENCY  DEORBIT;  {A2-261},  ENTRY  DTO/AUTO 
MODE/CROSSWIND  DTO  GO/NO-GO;  { A3-202 ),  MLS;  I A4-107 },  PLS/EOM  LANDING 
OPPORTUNITY  REQUIREMENTS;  {A5-103J,  LIMIT  SHUTDOWN  CONTROL;  { A8-18 ),  LANDING 
SYSTEMS  REQUIREMENTS;  and  {A8-1001},  GNC  GO/NO-GO  CRITERIA,  reference  this  rule. 

®[1 11 094-1 622B]  ®[020196-1808A] 
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CEILING  /VISIBILITY 

(K  FT)/(SM) 

REDUNDANT 

MLS 

SINGLE 

STRING-MLS 

NO  MLS 

KSC,  EDW,  NOR, 

CONCRETE 

DAY 

710/7 

AOA, 

NIGHT 

?  8/5 

NO-GO 

DAILY  PLS  SELECTION  (ALL  SITES) 

LAKEBED 

DAY 

(WX  RECON  REQD) 

710/7 

NIGHT 

715/7 

NO  GO 

RTLS,  TAL 

CONCRETE 

DAY 

?5/4  RTLS 
>5/5  TAL 

710/7 

NIGHT 

(WX  RECON  REQD) 

NO  GO 

ACLS/ECAL/ELS 

0/0 

?  8/5  J 

PRED/O:  1  APU  FAILED  OR  ATTEMPT  2  APU’S  PROCEDURE 

710/7  1 

SURFACE  WIND (KNOTS) 

AND  TURBULENCE 

CROSS 

PEAK 

HEAD 

PEAK 

TAIL 

AVG 

TAIL 

PEAK 

GUST 

TURB 

RTLS 

715  * 

?25 

710 

715 

<10 

<MOD 

DAY 

EOM,  TAL,  AOA, 

DAILY  PLS  SELECTION 

715 

NIGHT 

EOM 

DAILY  PLS  SELECTION 

712 

TAL,  AOA 

715 

CROSSWIND  DTO 

710 

715 

NOMINAL  DRAG  CHUTE  DEPLOY 

715 

LANDING  ?  CDR  FD19 

712 

PREDEORBIT:  1  APU  FAILED  OR 

ATTEMPT  2  APU’S  PROCEDURE 

710 

?LGT 

ECAL/ELS 

715 

!  N/A  1 

®f1 21 400-3866  1  @[052401 -4459A1 


THUNDERSTORM,  LIGHTNING,  AND  PRECIPITATION 
PROXIMITY  LIMITS  (NM) 

PRELAUNCH 
(RTLS,  TAL) 

PREDEORBIT 

(EOM, 

DAILY  PLS) 
PRELAUNCH 
(AOA) 

REDESIG 

CRITERIA 

ELS, 

ECAL, 

ACLS 

TSTORM  (INCLUD  ATTACH 
NONTRANS-PARENT 
ANVILS),  &  LIGHTNING 

RADIAL  FROM  CENTER 

OF  PRIME  RUNWAY 

>20 

>30 

>15 

NONEAT 

SITE 

LATERAL  ALONG 
APPROACH  PATH  OUT 

TO  30  NM 

>10 

>20 

>5 

VERTICAL  FROM  TOP  OF 
CLOUD 

>2 

DETACHED 

NONTRNSPARNT  ANVIL  <  3 
HRS  OLD 

RADIAL  FROM  CENTER 

OF  PRIME  RUNWAY 

>15 

>20 

>15 

N/A 

LATL  ALONG 

APPROACH  PATH  OUT 

TO  30  NM 

>5 

>10 

>5 

VERTICAL  FROM  TOP  OF 
CLOUD 

>2 

PRECIPITATION  * 

RADIAL  FROM  CENTER 

OF  PRIME  RUNWAY 

>20 

>30 

>  15 

N/A 

LATLALNG  APPRCH 

PATH  OUT  TO  30  NM 

>10 

>20 

>  5 

VERT  FRM  TOP  OF  CLD 

>2 

CMLUS  CLDS  PROD  BY  S/F 
?  1  HR  AFTR  DETACHING 

LATERAL  ALONG 
APPROACH  PATH 

>0 

N/A 
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NOTE:  VALID  FOR  28.45  DEG  INCLINATION  ®[ED  ] 

FIGURE  A2-6-I  -  VERTICAL  CLOUD  TOP  CLEARANCE  LIMITS 
PROTECT  STRAIGHT  IN  APPROACHES 

©[081497-6278A] 
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NOTE:  VALID  FOR  28.45  DEG  INCLINATION  ®[ED  ] 

FIGURE  A2-6-II  -  ONLY  STRAIGHT  IN  HACS  AVAILABLE 

®[081497-6278A] 
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FltRule3.cvs 


NOTE:  VALID  FOR  28.45  DEG  INCLINATION  ®[ED  ] 

FIGURE  A2-6-III  -  ONLY  OVERHEAD  HACS  AVAILABLE 

©[081497-6278A] 
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FltRule4.cvs 


NOTE:  VALID  FOR  28.45  DEG  INCLINATION  ®[ED  ] 

FIGURE  A2-6-IV  -  ONLY  KSC33  AVAILABLE 

®[081497-6278A] 
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FltRule5.cvs 


NOTE:  VALID  FOR  28.45  DEG  INCLINATION  ®[ED  ] 

FIGURE  A2-6-V  -  ONLY  KSC15  AVAILABLE 

®[081497-6278A] 
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A2-7  DAY-OF-LAUNCH  ET  LOAD  DATA 

A.  ACTUAL  DAY  OF  LAUNCH  (DOL)  ET  LOAD  DATA  FROM  THE  PLOAD 
PROGRAM  WILL  BE  USED  TO  RE-COMPUTE  ASCENT  PERFORMANCE  MARGIN, 
ARD  MASS  PROPERTIES,  AND  ARD  FPR  BASED  ON  L-1.75  HOUR  (OR 
LATER)  DATA.  ®[050495-1729D]  ©[081497-6305A] 

B.  IF  A  REVERT  HAS  OCCURRED,  MCC  WILL  BE  NO-GO  FOR  LAUNCH  UNTIL 
STABLE  REPLENISH  HAS  BEEN  RE-ESTABLISHED  AND  A  NEW  PLOAD  DATA 
INPUT  HAS  BEEN  RECEIVED  AND  EVALUATED  (APPROXIMATELY  50 
MINUTES  FOR  AN  LO2  REVERT  OR  APPROXIMATELY  25  MINUTES  FOR  AN 
LH2  REVERT) . 

C.  IF  PLOAD  IS  UNAVAILABLE,  THE  ARD  WILL  BE  CONFIGURED  TO 
REFLECT  TARGET  TDDP  LOAD  QUANTITIES  AND  THE  ARD  FPR  WILL  BE 
RE-CALCULATED  WITH  INCREASED  LOAD  UNCERTAINTIES  TO  ACCOUNT 
FOR  ADDITIONAL  DISPERSIONS  IN  THE  ACTUAL  LOAD.  NOTE:  THIS 
IS  VALID  ONLY  FOR  A  NOMINAL  ET  LOADING  TIMELINE,  UNLESS 
PROPULSION  SYSTEMS  COMMUNITY  CONCURRENCE  IS  RECEIVED  PER 
PARAGRAPH  D,  BELOW. 

D.  IF  BOTH  AN  L02  REVERT  HAS  OCCURRED  AND  PLOAD  IS  UNAVAILABLE, 
OR  IF  FOR  ANY  OTHER  REASON  LOAD  UNCERTAINTY  EXISTS  WITHOUT 
PLOAD  DATA,  MCC  WILL  BE  NO-GO  FOR  LAUNCH  UNTIL  THE  PROPULSION 
SYSTEMS  COMMUNITY,  AS  REPORTED  BY  THE  JSC/USA  PSIG 
REPRESENTATIVE  IN  THE  MER,  VALIDATES  THAT  THE  MEASURED  ULLAGE 
PRESSURE  DOES  NOT  EXCEED  0.255  PSI  ABOVE  THE  TDDP  NOMINAL 
LOAD  ULLAGE  PRESSURE  OF  0.781  PSIG.  @[092602-5668] 
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A2-7  DAY-OF-LAUNCH  ET  LOAD  DATA  (CONTINUED) 

The  PLOAD  program  is  executed  at  L-l.  75  hours  to  estimate  LO2  and  LH2  loads  based  on  ullage 
pressures  and  environmental  conditions.  This  data  is  provided  to  the  flight  dynamics  team  at  about  L- 
1.5  hours  (subsequent  PLOAD  run  data  during  extended  launch  holds  will  also  be  incorporated  as  it 
becomes  available,  if  necessary).  The  predicted  end-of-replenish  quantities  are  used  to  calculate  DOL 
ascen  t  performance  margin,  fuel  bias,  ARD  Main  Engine  Propellant  (MEP)  quantity,  and  vehicle 
weights.  ARD  FPR  is  also  recalculated  based  on  the  actual  load,  since  the  ET  load  and  mixture  ratio 
component  of  ARD  FPR  is  a  function  of  predicted  fuel  bias. 

If  a  revert  occurs,  launch  will  not  be  attempted  until  a  valid  PLOAD  data  point  can  be  evaluated 
(approximately  50  minutes  of  stable  replenish  for  ullage  pressure  stabilization  and  load  data  transmittal 
for  cm  LO2  revert,  approximately  25  minu  tes  for  LH2),  to  assure  cm  adequate  ascen  t  performance 
margin.  The  minimum  time  is  that  which  is  required  before  giving  a  “GO”  to  pick  up  the  count  at  T-9 
min  or  T-5  min.  These  procedures  were  approved  at  the  PRCB,  January  14,  1992.  ©[050495-1729D] 

®[081 497-6305A] 

When  PLOAD  is  not  available,  it  is  assumed  that  the  load  fits  within  statistical  limits  of  previous  load 
quantities,  which  historically  have  been  very  close  to  the  targeted  load  specified  in  the  Trajectory  Design 
Data  Package  (TDDP).  In  this  case,  ARD  FPR  must  protect  for  historical  deviations  of  the  reported 
load  from  the  target  load  as  well  as  normal  PLOAD  uncertainties.  The  historical  deviations  (reference 
NSTS  08209,  Shuttle  Systems  Design  Criteria;  Volume  I,  Shuttle  Performance  Assessment  Databook; 
Section  8,  Flight  Performance  Reserve;  Table  8.1,  System  Dispersions  for  FPR  Computation)  are  root 
sum  squared  with  the  normal  PLOAD  uncertainties  to  provide  a  total  load  uncertainty  that  is  used  to 
recompute  ARD  FPR.  This  increases  the  ARD  FPR  by  approximately  70  lbs.  ®[08i  497-6305A] 

For  any  case  involving  loss  of  PLOAD  data,  a  nominal  stable  replenish  timeline  is  necessary  to  ensure 
that  the  load  has  reached  TDDP  target  conditions.  In  the  very  unlikely  event  that  both  an  LO2  revert  has 
occurred  and  the  PLOAD  program  is  unavailable,  or  if  for  any  other  reason  load  uncertainty  exists,  the 
propulsion  systems  community,  as  reported  via  the  Propulsion  Systems  Integration  Group  (PSIG) 
representative  in  the  MER,  must  be  satisfied  that  the  target  MPS  inventory  has  been  achieved  before  a 
“GO”  can  be  given  to  pick  up  the  count.  The  MPS  inventory  is  protected  if  the  ullage  pressure  is  less 
than  1.036  psi.  Ullage  pressure  above  this  limit  indicates  an  under-load  of  a  magnitude  beyond  that 
covered  in  the  FPR.  The  value  of  1.036  psi  is  derived  by  adding  the  ullage  pressure  used  in  deriving  the 
inventory  (0.781  psi)  to  a  tolerance  that  is  protected  by  FPR  (0.255  psi).  ®[08i 497-6305A]  @[092602-5668  ] 
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A2-8  LAUNCH  TIME  SELECTION  FOR  GROUND-UP  RENDEZVOUS 

THE  MCC-H  FLIGHT  DYNAMICS  OFFICER  (FDO)  IS  RESPONSIBLE  FOR  ALL 
COMPUTATIONS  RELATED  TO  LAUNCH  WINDOW.  FINAL  CALCULATIONS  WILL 
BE  MADE  AT  APPROXIMATELY  L-2  HOURS.  THESE  WILL  USE  THE  LATEST 
AVAILABLE  BALLOON  PERFORMANCE  ANALYSIS,  LATEST  AVAILABLE  TARGET 
TRACKING  VECTOR,  AND  THE  FINAL  PLOAD  ANALYSIS  OF  ET  LOADING.  THE 
FDO  SHALL  INFORM  THE  MCC-H  FLIGHT  DIRECTOR  OF  THE  LAUNCH  WINDOW 
TIMES.  THE  FLIGHT  DIRECTOR  SHALL  BE  THE  SINGLE  POINT  OF 
COMMUNICATION  FOR  THE  LAUNCH  WINDOW  TIMES  TO  KSC  VIA  THE  NTD . 

THE  ASSOCIATED  LAUNCH  TARGET ING/AUTO  DEL  PSI  COMMAND  LOADS  WILL 
BE  GENERATED  AND  UPLINKED  TO  THE  VEHICLE  IN  THIS  TIMEFRAME. 

AFTER  THIS  TIME,  UPDATES  TO  WINDOW  TIMES  AND/OR  A  NEW  COMMAND 
UPLINK  WILL  BE  REQUIRED  IF  THE  PANE  SWITCH  WINDOW  TIME  CHANGES  BY 
MORE  THAN  5  SECONDS  (IN  EITHER  DIRECTION)  BASED  ON  THE  L-2. 25  HR 
BALLOON  ANALYSIS  AT  APPROXIMATELY  L-30  .  ©[081497-6263B]  @[111298-6693] 

A.  LAUNCH  WINDOW  OPEN  AND  CLOSE  TIMES  WILL  BE  COMPUTED  TO  THE 
NEAREST  SECOND.  ON  A  GIVEN  DAY,  A  RENDEZVOUS  LAUNCH  WINDOW 
MAY  BE  ONLY  ONE  PLANAR  PANE  OR  THE  COMBINATION  OF  TWO  PLANAR 
PANES.  ONLY  THE  PLANAR  PANE  WHERE  THE  PHASE  ANGLE  IS 
ACCEPTABLE  WILL  BE  CONSIDERED  PART  OF  THE  COMBINED  LAUNCH 
WINDOW.  THIS  MAY  RESULT  IN  CUTOUTS  IN  THE  LAUNCH  WINDOW. 
CALCULATION  OF  LAUNCH  WINDOW  OPEN,  CLOSE,  AND  PANE  SWITCH 
TIMES  WILL  PROTECT: 

1.  MPS  AND  OMS  PERFORMANCE  MARGIN  FOR  MISSION  SUCCESS  AS 

DEFINED  BY  THE  ANNEX  FLIGHT  RULE,  SHUTTLE  TRAJECTORY  AND 
GUIDANCE  PARAMETERS,  PARAGRAPHS  A  AND  B.  THIS  IS  ZERO 
PREDICTED  MPS  USABLE  RESIDUALS  ABOVE  THE  FLIGHT  PERFORMANCE 
RESERVE  AND  THE  REQUIRED  SIGMA  DISPERSION.  THE  SIGMA 
DISPERSION  IS  DEFINED  IN  THE  ANNEX  FLIGHT  RULE,  SHUTTLE 
TRAJECTORY  AND  GUIDANCE  PARAMETERS.  @[062801-4521] 
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A2-8  LAUNCH  TIME  SELECTION  FOR  GROUND-UP  RENDEZVOUS 

(CONTINUED) 

LAUNCH  WINDOW  OPEN  WILL  BE  BASED  ON  LOX  DRAINBACK 
START  TIME  4  MINUTES  55  SECONDS  BEFORE  WINDOW  OPENING. 
LAUNCH  WINDOW  CLOSE  WILL  BE  BASED  ON  A  HOLD  THAT 
DELAYS  LOX  DRAINBACK  START  TIME  TO  THE  MAXIMUM  EXTENT 
POSSIBLE,  4  MINUTES  55  SECONDS  BEFORE  THE  CLOSE  OF  THE 
WINDOW.  ®[081497-6263B] 

FOR  51.6  DEGREE  INCLINATION  MISSIONS,  IF  THE  PERFORMANCE 
MARGIN  IS  LESS  THAN  200  POUNDS  AT  THE  OPENING  OF  THE 
LAUNCH  WINDOW,  AN  ADDITIONAL  DELAY,  IF  AVAILABLE,  WILL  BE 
ADDED  TO  WINDOW  OPEN  TIME  TO  PROTECT  FOR  PERFORMANCE 
VARIATION  DUE  TO  WIND  PERSISTENCE.  ®[081 497-6263B]  @[111298-6693] 

2.  PROTECT  CONTINUOUS  SINGLE  SSME  OUT  INTACT  ABORT 
CAPABILITY  FOR  A  LAUNCH  AT  ANY  TIME  DURING  THE  WINDOW. 

3.  RANGE  SAFETY  ET  DISPOSAL  AS  SPECIFIED  BY  FLIGHT  RULE  {A2- 
62},  ET  FOOTPRINT  CRITERIA. 

4.  ET  YAW  STEERING  CERTIFICATION  LIMIT  AROUND  INPLANE  LAUNCH 
TIME  FOR  THE  PLANAR  WINDOW  (S).  @[062801-4521] 

5.  SHUTTLE  TO  TARGET  VEHICLE  OMS-2  PHASE  ANGLE  WINDOW, 
ASSUMING  NOMINAL  MECO  CONDITIONS,  AS  DEFINED  BY  THE 
RENDEZVOUS  PLAN  ASSUMPTIONS  DOCUMENTED  IN  THE  FLIGHT  RULE 
ANNEX . 
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A2-8  LAUNCH  TIME  SELECTION  FOR  GROUND-UP  RENDEZVOUS 

(CONTINUED) 

6.  ACCEPTABLE  PERFORMANCE  AROUND  PANE  SWITCH.  THE  UPLINKED 
PANE  SWITCH  TIME  WHICH  DEFINES  THE  END  OF  THE  FIRST  PANE 
FOR  PERFORMANCE  AND  AN  ASSOCIATED  OPENING  OF  THE  SECOND 
PANE  WILL  BE  COMPUTED  BASED  ON  LOX  DRAINBACK  STARTING  4 
MIN  55  SECONDS  PRIOR  TO  THE  PREFERRED  LAUNCH  TIME  AS 
DEFINED  IN  PARAGRAPH  D  BELOW.  NOTE  THAT  THERE  MAY  BE  A 
LAUNCH  WINDOW  CUTOUT  WHERE  THERE  IS  INSUFFICIENT 
PERFORMANCE  FOR  LAUNCH.  ©[081497-6263B] 

B.  UNPLANNED  HOLDS  ®[081 497-6263 B]  @[062801-4521] 

1.  PANE  1  CLOSE  AND  PANE  2  OPEN  WILL  BE  CALCULATED  ASSUMING 
LOX  DRAINBACK  (T-4  MINUTES  55  SECONDS)  STARTS  FOR  THE 
PREFERRED  LAUNCH  TIME  AS  DEFINED  IN  PARAGRAPH  D  BELOW. 
PANE  1  CLOSE  AND  PANE  2  OPEN  TIMES  WILL  BE  UPDATED  IF 
LAUNCH  IS  TO  BE  ATTEMPTED  AT  THE  WINDOW  OPEN  TIME. 

2.  LOX  DRAINBACK  HOLD  TIME  REPORTED  TO  THE  NTD  WILL  BE 
CALCULATED  ASSUMING  START  OF  LOX  DRAINBACK  4  MIN  55  SEC 
PRIOR  TO  THE  PREFERRED  LAUNCH  TIME  AS  DESCRIBED  IN 
PARAGRAPH  D  BELOW.  LOX  DRAINBACK  HOLD  TIME  WILL  BE 
UPDATED  IF  LAUNCH  IS  TO  BE  ATTEMPTED  AT  THE  WINDOW  OPEN 
TIME.  FOR  HOLDS  BEFORE  LOX  DRAINBACK  STARTS,  THIS  TIME 
IS  NO  LONGER  VALID  AND  IN  GENERAL  DECREASES.  FOLLOWING  A 
SERIES  OF  HOLDS  BEFORE  OR  DURING  LOX  DRAINBACK,  IF 
REQUIRED,  THE  FD  WILL  COORDINATE  A  HOLD  OR  CUTOFF  WITH 
THE  NTD  TO  PREVENT  A  LAUNCH  WITH  INSUFFICIENT 
PERFORMANCE . 

3.  SSME  START  BOX  TEMPERATURE  LIMITS  ARE  NOT  CONSIDERED  IN 
THESE  CALCULATIONS.  ONCE  THE  SSME  CONTROLLER  DETECTS  AN 
OUT  OF  LIMITS  THERMAL  CONDITION,  AN  AUTOMATIC  HOLD/CUTOFF 
WILL  OCCUR. 
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A2-8  LAUNCH  TIME  SELECTION  FOR  GROUND-UP  RENDEZVOUS 

(CONTINUED) 


C.  ON  TWO  PLANAR  WINDOW  PANE  DAYS: 

1.  FOR  28.5-DEGREE  INCLINATION  MISSIONS,  THERE  WILL  BE  A 
10-SECOND  LAUNCH  WINDOW  CUTOUT  AT  THE  UPLINKED  PANE 
SWITCH  TIME  TO  ENSURE  ONBOARD  GUIDANCE /GROUND  PROCESSOR 
SYNCHRONIZATION.  THIS  CUTOUT  WILL  START  5  SECONDS 
BEFORE  SWITCH  TIME  AND  CONTINUE  TO  5  SECONDS  PAST 
SWITCH  TIME.  FOR  SOME  PERFORMANCE  CASES,  THE  SECOND 
PANE  OPENING  MAY  BE  FURTHER  DELAYED.  A  COUNTDOWN  HOLD 
WILL  BE  CALLED  TO  AVOID  LAUNCHING  DURING  THESE  CUTOUTS. 
@[062801-4521]  @[022802-5220] 

2.  FOR  51.6-DEGREE  INCLINATION  MISSIONS,  THERE  WILL  BE  A 
MINIMUM  10-SECOND  LAUNCH  WINDOW  CUTOUT  AT  THE  UPLINKED 
PANE  SWITCH  TIME  TO  ENSURE  ONBOARD  GUIDANCE /GROUND 
PROCESSOR  SYNCHRONIZATION  AND  TO  MAXIMIZE  THE  ASCENT 
PERFORMANCE  MARGIN  AT  THE  OPENING  OF  THE  SECOND  PANE. 

THIS  CUTOUT  WILL  START  5  SECONDS  BEFORE  SWITCH  TIME. 

©[081497-6263B]  @[062801-4521]  @[022802-5220] 

a.  IN  THE  EVENT  OF  AN  UNPLANNED  HOLD  OUTSIDE  OF 
DRAINBACK,  THE  CUTOUT  WILL  END  AT  THE  LATER  OF  5 
SECONDS  AFTER  THE  SWITCH  TIME  OR  THE  PANE  2  INPLANE 
TIME  . 

b.  IN  THE  EVENT  OF  A  HOLD  INSIDE  DRAINBACK,  THE  CUTOUT 
WILL  END  AT  THE  LATER  OF  5  SECONDS  AFTER  THE  SWITCH 
TIME  OR  AT  THE  PANE  2  PERFORMANCE  OPEN. 

A  COUNTDOWN  HOLD  WILL  BE  CALLED  TO  AVOID  LAUNCHING  DURING 
THESE  CUTOUTS. 
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A2-8  LAUNCH  TIME  SELECTION  FOR  GROUND-UP  RENDEZVOUS 

(CONTINUED) 

3.  WHENEVER  POSSIBLE,  FLIGHT  DAY  3  RENDEZVOUS  CAPABILITY 
WILL  BE  MAXIMIZED.  FD3  CAPABILITY  IS  ONLY  AVAILABLE  IN 
THE  FIRST  PANE  AND  SOMETIMES  ONLY  A  PORTION  OF  THE  FIRST 
PANE.  FD3  CAPABILITY  WILL  BE  MAINTAINED  TO  THE  LAST 
POSSIBLE  TIME  IN  THE  COUNTDOWN.  ®[081 497-6263 B]  @[062801-4521] 

4.  FLIGHT  DAY  2  RENDEZVOUS  CAPABILITY  IS  HIGHLY  DESIRABLE  IF 
MDF  OCCURS.  REGIONS  OF  THE  LAUNCH  WINDOW  THAT  PRESERVE 
FD2  RENDEZVOUS  WILL  BE  UTILIZED  WHENEVER  CONVENIENT. 

D.  PREFERRED  LAUNCH  TIME 

1.  DURING  THE  T-9  MINUTE  HOLD,  THE  LD,  NTD ,  AND  FD  WILL  MAKE 
A  FINAL  DETERMINATION  ON  THE  USE  OF  PREFERRED  LAUNCH 
TIME.  IF  THERE  ARE  INDICATIONS  THAT  THERE  IS  A 
SIGNIFICANT  CHANCE  OF  TROUBLESHOOTING  REQUIRED  AFTER 
RESUMPTION  OF  THE  COUNTDOWN  AT  T-9  MINUTES,  THE  COUNTDOWN 
CLOCK  WILL  BE  SET  TO  WINDOW  OPENING  AS  DEFINED  BY 
PARAGRAPH  A  OF  THIS  RULE.  OTHERWISE,  THE  COUNTDOWN  CLOCK 
WILL  BE  SET  TO  THE  PREFERRED  (DELAYED)  LAUNCH  TIME.  IF 
THE  WINDOW  OPEN  LAUNCH  TIME  IS  SELECTED  RATHER  THAN  THE 
PREFERRED  LAUNCH  TIME,  A  NEW  LAUNCH  TARGET/OMS  TARGET 
UPLINK  MAY  BE  REQUIRED.  PANE  1  CLOSE,  PANE  2  OPEN,  AND 
LOX  DRAINBACK  HOLD  TIME  UPDATES  MAY  ALSO  BE  REQUIRED. 
@[062801-4521  ] 
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A2-8  LAUNCH  TIME  SELECTION  FOR  GROUND-UP  RENDEZVOUS 

(CONTINUED) 

2.  FOR  51.6-DEGREE  INCLINATION  MISSIONS,  PREFERRED  LAUNCH 
TIME  MAXIMIZES  THE  MPS  PERFORMANCE  MARGIN  AVAILABLE  IN 
CASE  UNFORESEEN  IN-FLIGHT  PERFORMANCE  PROBLEMS  OCCUR.  IF 
SHUTTLE  TO  TARGET  VEHICLE  OMS-2  PHASE  ANGLE  CONSTRAINTS 
ARE  SATISFIED,  PREFERRED  LAUNCH  TIME  WILL  BE  THE  INPLANE 
LAUNCH  TIME  FOR  THE  FIRST  PANE  OF  THE  LAUNCH  WINDOW. 
UNLESS  NOTED  AS  AN  EXCEPTION  IN  THE  FLIGHT  RULES  ANNEX, 
THE  PREFERRED  LAUNCH  TIME  WILL  BE  NO  EARLIER  THAN  THE 
INPLANE  TIME  OF  THE  FIRST  PANE  OF  THE  LAUNCH  WINDOW.  BY 
DEFINITION,  THIS  WILL  RESULT  IN  A  DECREASE  OF  TOTAL 
LAUNCH  WINDOW  TIME  AVAILABLE.  ©[081497-6263B]  @[062801-4521  ] 

3.  FOR  28.5  DEGREE  INCLINATION  MISSIONS,  PREFERRED  LAUNCH 
TIME  MAY  BE  EARLIER  THAN  INPLANE  TO  MAXIMIZE  A  TOTAL 
LAUNCH  WINDOW  CAPABILITY  FOR  A  HOLD  PRIOR  TO  THE  START  OF 
LOX  DRAINBACK.  @[081 497-6263 B]  @[062801-4521  ] 

E.  THE  OMS  ASSIST  DUMP  TIMER  MAY  BE  RECOMPUTED  AND  UPLINKED 

BASED  ON  THE  L  MINUS  8-DAY  TRAJECTORY  DESIGN  DATA  PACK  ( TDDP ) 
TO  MAXIMIZE  OMS  PROPELLANT  AVAILABLE  FOR  ORBIT  OPERATIONS. 

THE  OMS  ASSIST  DUMP  TIMER  UPDATE  IS  DESIGNED  SUCH  THAT  THE 
RESULTING  ASCENT  PERFORMANCE  MARGIN  ( APM)  IS  AT  LEAST  1100 
LBS  ABOVE  FLIGHT  PERFORMANCE  RESERVE  (FPR)  AND  FUEL  BIAS  TO 
PROTECT  FOR  DOL  UNCERTAINTIES.  THIS  MINIMUM  APM  MUST  BE 
ACHIEVED  FOR  AT  LEAST  A  5-MINUTE  PERIOD  CENTERED  NEAR  INPLANE 
TIME  . 
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A2-8  LAUNCH  TIME  SELECTION  FOR  GROUND-UP  RENDEZVOUS 

(CONTINUED) 


Launch  window  calculation  for  ground  up  rendezvous  is  a  complex  series  of  calculations  accommodating 
various  conflicting  requirements.  Paragraph  A  of  this  rule  states  the  mandatory  requiremen  ts  for 
defining  the  launch  window  and  is  self-explanatory.  On  launch  day,  the  latest  information  is  used  to 
ensure  the  maximum  precision  in  calculations.  The  FD  is  the  single  point  of  contact  with  KSC  to  ensu  re 
the  launch  time  is  set  properly.  ®[081497-6263B]  @[062801-4521  ] 

Normally,  the  fined  launch  window  times  are  calculated  based  on  the  L-4.5  hour  balloon  data.  These 
calculations  are  complete  about  L-2  hours.  An  update  using  the  L-2.25  hour  balloon  is  possible  at  about 
L-30  minutes.  Also,  if  a  revert  occurs,  new  PLOAD  calculations  may  require  window  time  recalculation. 
New  times  will  be  passed  and  new  launch  target  commands  sent  only  if  these  calculations  result  in 
sign  ifican  t  changes.  Since  a  10-second  launch  window  cu  toff  exists  around  the  pane  switch  time  to 
ensure  onboard  guidance/ground  processor  synchronization,  both  the  onboard  PASS/BFS  guidance  and 
the  Abort  Region  Determinator  ground  processor  will  always  be  on  the  first  pane  before  the  cutout,  and 
on  the  second  pane  after  the  cutout.  Thus,  if  the  new  switch  time  is  more  than  5  seconds  different  than 
that  which  is  already  onboard  ( i.  e. ,  it  falls  outside  the  original  cutout),  either  a  new  command  load 
uplink  with  a  revised  pane  switch  time  and  associated  launch  window  cutout  is  required,  or  the  cutout 
must  be  extended  to  the  new  desired  switch  time.  ©[081497-6263B]  @[022802-5220  ] 

Performance  varies  through  the  window  as  a  function  of  launch  time  because  of  the  orbital 
mechanics/rendezvous  effects  -  primarily  yaw  steering.  However,  performance  decreases  with  delays 
after  the  start  ofLOX  drainback  (T-4  min  55  sec).  For  simplicity,  all  times  transmitted  to  KSC  assume 
that  LOX  drainback  is  started  for  the  selected  launch  time:  in  general  for  the  preferred  time  and  in  off 
nominal  cases  for  the  window  open  time.  For  a  combination  of  problems  that  result  in  delays  to  the  start 
ofLOX  drainback  and  also  holds  after  the  start  ofLOX  drainback,  the  FDO  calculates  new  window 
open/close  times  based  on  all  factors  (ascen  t  performance  margin,  yaw  steering  costs,  and  LOX 
drainback  impact).  If  the  need  to  use  these  new  times  arises,  the  FD  is  responsible  to  ensure  that  launch 
will  occur  only  when  performance  is  available  to  support  mission  success.  It  is  possible  that  a 
combination  of  launch  holds  before  and  after  the  start  ofLOX  drainback  could  result  in  cm  unanticipated 
single  SSME  out  abort  gap  opening.  This  is  especially  true  if  cm  out-of  plane  TAL  site  is  used.  If  this  is 
known  prelaunch,  it  will  be  avoided.  If  it  is  unknown  until  after  launch,  then  Flight  Rule  {A4-56I}, 
PERFORMANCE  BOUNDARIES,  applies.  ®[i  1 1 298-6693] 
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Beginning  with  01-29,  a  flight  software  modification  was  made  to  prevent  the  PASS  and  BPS  from 
targeting  different  launch  panes  around  the  pane  switch  time.  At  the  Ascent/Entry  Flight  Techniques 
Panel  #  179  on  October  19,  2001,  a  recommendation  was  accepted  to  maintain  a  10-second  launch 
window  cutout  to  guarantee  launch  pane  agreement  between  the  onboard  PASS/BFS  guidance  and  the 
Abort  Region  Determinator  ground  processor.  Also,  by  maintaining  a  10-second  launch  window  cutout 
around  the  pane  switch  time,  there  is  a  reduced  likelihood  that  a  launch  target  re-uplink  is  required  at  L- 
30  minutes.  ®[081 497-6263 B]  @[022802-5220] 

For  high  inclination  missions,  at  the  direction  of  the  SSP,  the  launch  window  management  plan  was 
modified  to  delay  launch  until  the  Pane  2  inplane  time  whenever  the  Pane  2  inplane  time  is  after  the 
uplinked  switch  time  and  a  hold  outside  of  drainback  moves  the  T-0  time  into  the  second  pane.  This  is 
consisten  t  with  the  SSP  philosophy  to  select  the  inplane  time  as  the  preferred  launch  time.  The  Pane  2 
inplane  time  will  be  passed  from  JSC  to  the  NTD  at  L-l:30  with  the  launch  window  times.  There  is  no 
change  to  the  launch  window  managemen  t  plan  for  holds  inside  of  drainback.  @[062801-4521  ] 

Flight  Day  3  rendezvous  capability  (as  defined  by  an  acceptable  phase  angle  region  inside  the  orbited 
plane  window  pane )  is  extremely  important  for  most  flights.  However,  FD3  capability  does  not  exist  for 
all  launch  days.  FD4  rendezvous  capability  is  available  on  every  launch  day  since  the  longer  time 
allows  catch  up  from  greater  phase  angles.  Note  that  even  if  launch  occurs  in  a  FD3  portion  of  the 
window,  a  FD3  rendezvous  can  always  be  cheaply  turned  into  a  FD4  rendezvous  if  time  constrain  ts 
require  it.  For  an  MDF  mission,  a  FD2  rendezvous  is  desirable.  However,  FD2  phase  windows  are  even 
shorter  than  FD3  so  they  are  not  generally  available.  When  a  FD2  window  is  available,  it  should  be 
used  providing  there  are  no  adverse  impacts.  @[081 497-6263B] 

Since  historical  data  indicates  a  good  track  record  of  on-time  launches,  and  mission  success  margins  are 
greater  at  the  middle  of  the  window  rather  than  the  opening,  a  preferred  launch  time  is  defined  so  that 
when  there  are  no  overriding  considerations,  the  maximum  margin  for  mission  success  is  available  in 
flight.  In  addition  to  maximizing  mission  success  margin,  SSP  reviews  have  determined  that  the  inplane 
time  maximizes  programmatic  safety  margins.  Note  that  delaying  the  launch  time  also  improves  multiple 
SSME  out  contingency  abort  landing  site  coverage  which  is  desirable,  but  not  a  window  length  driver. 
©[081497-6263B] 
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For  performance  limited  51.6  deg  inclination  missions,  the  launch  window  open  may  actually  be  based 
on  ascen  t  performance.  For  these  cases,  200  pounds  of  ascent  performance  margin  is  desired  at  the 
window  open  to  protect  for  performance  variations  between  the  balloon  release  and  launch  time.  With 
FDO’s  launch  window/launch  performance  application,  the  window  open  time  will  be  biased,  if  there  is 
time  available  in  the  launch  window,  to  protect  this  minimum  desired  performance  margin.  @[111298- 
6693  ] 

QMS  assist  timer  reduction  may  be  used  to  trade  excess  ascen  t  performance  margin  for  increased  on- 
orbit  OMS.  The  minimum  change  to  the  dump  timer  is  1  second,  which  equates  to  about  40  pounds  less 
OMS  propellant  dumped.  To  maintain  the  earliest  possible  Press  to  ATO,  any  decrease  in  the  OMS 
assist  timer  requires  a  corresponding  increase  in  the  ATO  timer.  The  1100-lbs  bias  protects  for 
performance  losses  from  SRB  PMBT,  weight  changes,  DOT  winds,  and  DOT  atmosphere  changes 
between  L  minus  8  days  and  liftoff  (ref.  PRCB  SR# 1382,  October  19,  2000).  This  performance  bias  is 
required  to  ensure  the  OMS  assist  timer  will  not  need  to  be  increased  on  DOT.  If  the  OMS  assist  timer 
were  increased  on  DOT,  PROP  products  and  data  would  not  be  sufficiently  conservative.  Once  the  OMS 
assist  timer  is  determined,  it  cannot  be  recomputed  on  DOT.  PROP  and  FDO  are  responsible  to  report 
to  LDO  that  there  are  no  issues  with  the  new  OMS  assist/ATO  timers.  @[062801-4521  ] 
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A2-9  LOSS  OF  ET  LOX  LIQUID  LEVEL  CONTROL  SENSORS 

IN  THE  PRELAUNCH  TIMEFRAME:  ©[092602-5669A] 

A.  FOR  THE  LOSS  OF  THE  FIRST  100  PERCENT  ET  LOX  LIQUID  LEVEL 
CONTROL  SENSOR,  NO  MCC  ACTION  IS  REQUIRED,  REGARDLESS  OF  WHEN 
THE  FIRST  SENSOR  FAILS. 

B.  LOSS  OF  A  SECOND  100  PERCENT  ET  LOX  LIQUID  LEVEL  CONTROL 
SENSOR  WILL  RESULT  IN  THE  TRANSFER  OF  ET  LOX  LOADING  CONTROL 
TO  THE  100.15  PERCENT  SENSOR. 

1.  FOR  CONTROL  TRANSFER  TO  100.15  PERCENT  SENSOR  PRIOR  TO  L- 

25  MINUTES: 

a.  ARD  AND  LAUNCH  WINDOW  DATA  WILL  BE  BASED  ON  A  100.15 
PERCENT  LOX  LOADING  ESTIMATE  (WITH  ADJUSTMENT  FOR 
ADDITIONAL  DRAINBACK  TIME,  AS  APPLICABLE) . 

b.  IF  STABLE  REPLENISH  USING  THE  100.15  PERCENT  SENSOR 
IS  REACHED  PRIOR  TO  L-l:20  HOURS,  THE  LOX  LOADING 
ESTIMATE  WILL  BE  GENERATED  USING  PLOAD .  OTHERWISE, 
"NO  PLOAD"  LOADING  ESTIMATES  WILL  BE  USED  PER  RULE 
{A2-7C},  DAY-OF-LAUNCH  ET  LOAD  DATA,  DUE  TO  MCC 
OPERATIONAL  PROCESSING  TIMELINE  CONSTRAINTS. 

C.  IF  LAUNCH  WINDOW  UPDATES  ARE  AVAILABLE  PRIOR  TO  L-39 
MINUTES,  THE  FDO  WILL  COORDINATE  UPDATES  TO  THE  KSC 
LAUNCH  WINDOW  DATA.  OTHERWISE,  THERE  WILL  BE  NO 
UPDATE  TO  THE  KSC  LAUNCH  WINDOW  TIMES. 

d.  ADDITIONAL  DRAINBACK  TIME  SHALL  BE  INSERTED  INTO  THE 
TIMELINE  AFTER  THE  START  OF  DRAINBACK  AS  SPECIFIED  BY 
THE  DOLILU  OPERATIONS  SUPPORT  PLAN.  FD  WILL 
COORDINATE  THE  INSERTION  OF  THE  ADDITIONAL  DRAINBACK 
TIME,  IF  ANY,  WITH  NTD  .  ®[092602-5669A] 
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A2-9  LOSS  OF  ET  LOX  LIQUID  LEVEL  CONTROL  SENSORS 

(CONTINUED) 

2.  FOR  CONTROL  TRANSFER  TO  100.15  PERCENT  SENSOR  AFTER  L-25 

MINUTES:  ®[092602-5669A] 

a.  LAUNCH  WINDOW  DATA  AND  ARD  CALCULATIONS  WILL  NOT  BE 
UPDATED . 

b.  ADDITIONAL  DRAINBACK  TIME  WILL  NOT  BE  INSERTED  INTO 
THE  TIMELINE. 

c.  MCC  WILL  BE  NO-GO  FOR  LAUNCH  UNTIL  THE  PSIG 
REPRESENTATIVE  IN  THE  MER  VALIDATES  THAT  THE  MEASURED 
ULLAGE  PRESSURE  DOES  NOT  EXCEED  0.255  PSI  ABOVE  THE 
TDDP  NOMINAL  LOAD  ULLAGE  PRESSURE  OF  0.781  PSIG 

The  ET  project  has  determined  that  the  PLOAD  LOX  loading  estimate  based  on  liquid  level  control 
using  a  100  percent  sensor  which  subsequently  fails  will  remain  valid  after  a  switch  to  the  second  100 
percent  ET  LOX  liquid  level  control  sensor.  Therefore,  switching  liquid  level  control  from  one  100 
percent  sensor  to  the  second  100  percent  sensor  does  not  invalidate  the  original  PLOAD  loading 
estimate. 

The  ET  project  has  determined  that  the  PLOAD  LOX  loading  estimate  based  on  liquid  level  con  trol 
using  either  100  percent  sensor  is  not  accurate  in  the  event  of  a  later  failure  of  both  100  percent  LOX 
liquid  level  con  trol  sensors  and  subsequen  t  fill  to  the  100.15  percen  t  sensor  per  LCC  ET-10.  The  ET 
Project  has  requested  DOSS  to  rerun  PLOAD  or  revert  to  100.15  percen  t  MPS  inventory  loading 
estimates.  A  rerun  and  QA  of  PLOAD  loading  updates,  nominal  mission  performance  margin,  and 
launch  window  impacts  requires  approximately  40  minutes.  KSC  Ground  Operations  is  unable  to  accept 
launch  window  updates  after  L-39  minutes.  However,  FDO  and  ARD  Support  should  reflect  the  best 
possible  estimate  of  the  true  LOX  loading.  Therefore  these  elements  will  reconfigure  to  reflect  LOX 
loading  to  the  100.15  percent  MPS  inventory  values,  if  the  fail  over  occurs  after  the  latest  time  to  rerun 
PLOAD  (about  L-l:20  hour)  and  prior  to  L-25  minutes,  regardless  of  whether  or  not  the  KSC  launch 
window  is  updated. 

For  any  level  sensor  failure  after  L-25  minutes,  no  action  is  required  by  the  MCC.  A  late  sensor  failure 
(either  the  first  or  the  second)  may  result  in  an  underload  of  approximately  1,100  pounds  of  LOX,  which 
still  meets  LCC  ET-10  launch  requirements.  This  equates  to  approximately  15  fps  of  ascent  performance 
margin.  A  launch  with  an  underload  of  this  magnitude  will  result  in  TAL  and  ATO  abort  boundary  calls 
being  made  approximately  15  fps  early  and  slightly  increases  the  chances  of  a  low  level  cut-off  with  a 
small  underspeed.  The  program  accepts  this  risk  due  to  its  low  probability  of  occurrence.  ®[092602-5669A] 
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In  the  event  of  a  failure  of  both  100  percent  sensors  and  fail-over  to  a  fill  to  the  100.15  percent  sensor 
failure ,  no  additional  drawback  time  will  be  added  to  the  countdown.  Analysis  to  clear  the  ET  for  flight 
in  this  condition  is  valid  only  through  STS- 118.  ET  LOX  tank  changes  being  made  subsequent  to  STS- 
118  will  require  additional  analysis.  ®[092602-5669A] 

Late  fail-over  to  a  LOX  tank  fill  controlled  by  the  100.15  percent  (after  failure  of  both  100  percent  level 
sensors)  will  require  verification  that  the  LOX  loading  is  consistent  with  MPS  inventory  loading 
estimates.  The  MPS  inventory  is  protected  if  the  ullage  pressure  is  less  than  1.036  psi.  Ullage  pressure 
above  this  limit  indicates  an  under-load  of  a  magnitude  beyond  that  covered  in  the  FPR.  The  value  of 
1.036  psi  is  derived  by  adding  the  ullage  pressure  used  in  deriving  the  inventory  (0.781  psi)  to  a 
tolerance  that  is  protected  by  FPR  (0.255  psi).  ®[092602-5669A] 
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A2-51  STS  ABORT  CRITERIA 

NOMINAL  ASCENT  WILL  BE  CONTINUED  FOR  STS  PROBLEMS  EXCEPT  FOR: 

A.  ENGINE  PROBLEMS  WHERE  REQUIRED  PERFORMANCE  IS  NOT  AVAILABLE. 

B.  LOSS  OF  DEORBIT  MANEUVER  CAPABILITY. 

C.  LOSS  OF  ATTITUDE  CONTROL. 

D.  CONSUMABLES,  COOLING,  OR  SYSTEMS  LIFETIME  PROBLEMS  THAT  WILL 
NOT  SUPPORT  THE  FOLLOWING  FIRST  DAY  PLS  DURATIONS: 

1.  LOW  INCLINATION  -  DEORBIT  ORBIT  3,  LANDING  ORBIT  4. 

2.  HIGH  INCLINATION  -  DEORBIT  ORBIT  7,  LANDING  ORBIT  8. 

In  order  to  maximize  probability  of  mission  success,  nominal  ascent  will  be  continued  unless  a  specific 
problem  arises  which,  if  not  acted  upon,  jeopardizes  the  orbiter  and/or  crew.  In  these  cases,  either  a 
pre-MECO  abort  (RTLS,  TAL,  ATO)  or  a  post-MECO  abort  (AOA)  will  be  selected.  The  specifics  of 
which  abort  will  be  selected  and  the  priority  of  available  modes  are  contained  in  Rule  {A2-52J,  ASCENT 
MODE  PRIORITIES  FOR  PERFORMANCE  CASES,  for  performance-related  failures  (paragraph  A 
above)  and  in  Rule  (A2-54},  RTLS,  TAL,  AND  AOA  ABORTS  FOR  SYSTEMS  FAILURES  [CIL],  for 
systems  problems  (paragraphs  B  to  D).  If  the  capability  to  support  a  first  day  PLS  landing  opportunity 
is  lost,  or  the  particular  failure  is  such  that  conditions  could  deteriorate  so  rapidly  that  the  landing 
opportunity  could  be  lost,  then  an  AOA  will  be  performed  as  specified  in  Rule  {A2-54},  RTLS,  TAL,  AND 
AOA  ABORTS  FOR  SYSTEMS  FAILURES  [ CIL],  First  day  PLS  landing  opportunities  are  selected 
based  on  providing  sufficient  time  for  pre-deorbit  tracking  and  onboard  state  vector  update  while 
maintaining  capability  to  a  CONUS  landing  site. 

Orbit  3  deorbit  is  typically  the  last  CONUS  opportunity  for  low  inclination  flights.  For  high  inclination 
flights,  orbit  2  deorbit  provides  the  last  ascending  first  day  opportunity  to  Edwards,  while  orbit  7 
provides  the  first  descending  opportunity  to  Edwards.  Orbit  2  deorbit  to  Edwards  is  available  for  both 
low  and  high  inclinations,  but  it  does  not  provide  sufficient  tracking  to  assure  an  adequate  deorbit  state 
vector.  Hence,  orbits  3  (low  inclination )  and  7  (high  inclination)  are  chosen  for  the  PLS  opportunities 
(ref.  Ascent  Flight  Techniques  meeting  #43). 
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A2-52  ASCENT  MODE  PRIORITIES  FOR  PERFORMANCE  CASES 

A.  DURING  POWERED  FLIGHT,  THE  ABORT  PRIORITIES  FOR  PERFORMANCE 
CASES  ARE  AS  FOLLOWS: 


1 . 

PRESS-TO-ORBIT 

TRAJECTORIES) 

(INCLUDING 

PRESS-TO-MECO 

AND  PRESS-TO-ATO 

2  . 

TAL 

3. 

RTLS 

4  . 

TAL  TO  AN  ACLS 

(MAY  REQUIRE  MANUAL  SSME 

SHUTDOWN) 

5  . 

AOA  SHALLOW  USING  ARCS  TO 

THE  ARCS  PRESS 

QUANTITY  AND  CG 

LIMITED  BY  THE  CONTINGENCY  CG  ENVELOPE 


Powered  flight  abort  priorities  were  established  based  on  providing  the  highest  probability  of  safe  return 
of  the  orbiter  and  crew.  If  at  all  possible,  as  long  as  steep  deorbit  capability  can  be  maintained,  the 
desire  is  to  press  to  orbit  before  considering  a  pre-MECO  abort  since  achieving  orbit  provides  the 
maximum  time  to  assess  and  react  to  problems  without  incurring  additional  risks  associated  with 
powered  flight  aborts.  Following  the  option  of  pressing  uphill,  the  TAL  abort  (assumed  to  be  flown 
under  auto  guidance )  is  next  in  priority  since  it  provides  the  earliest  contingency  avoidance  capability 
for  multiple  engine  failures  and  is  considered  to  be  more  benign  than  RTFS  from  an  operational  point  of 
view.  The  RTLS  abort  is  next  in  priority  and  in  the  performance  case  would  be  used  only  if  TAL  were  not 
available  ( i.  e. ,  some  systems  problems  may  dictate  RTLS  over  TAL  when  both  modes  are  available). 

Pre-MECO,  if  TAL  capability  to  the  prime  site  is  not  available  and  steep  AO  A  cannot  be  protected,  TAL 
to  an  ACLS  is  selected  next  in  priority  since  the  next  lower  option  (AOA  shallow )  is  considered  to  be 
unacceptably  sensitive  to  navigation  dispersions.  Since  an  augmented  site  is  required,  the  abort  is  not 
expected  to  be  adversely  affected  by  navigation  capability.  The  tradeoff  in  this  case  is  that  only  limited 
OMS  clump  time  is  available  for  TAL’s  selected  late  in  powered  flight,  which  may  result  in  violation  of 
the  nominal  aft  CG  limit  (the  contingency  limit  is  still  protected )  and  downweight  restrictions.  On  the 
other  hand,  a  nominal  forward  CG  violation  can  result  from  commitment  to  AOA  shallow,  so  the  CG 
concern  by  itself  becomes  less  of  a  factor.  Note  that  the  TAL  to  an  ACLS  is  still  performed  under  auto 
guidance,  but,  in  some  cases,  a  manual  MECO  is  performed  to  achieve  the  TAL  site  R-V  line  with  TAL 
selection  occurring  post-MECO. 
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B.  PRESS-TO-ORBIT  PERFORMANCE  DECISIONS  WILL  BE  BASED  ON  THE 
ABILITY  TO  ACHIEVE  MECO  UNDERSPEED  CONDITIONS  WHICH  SATISFY 
ESTABLISHED  MINIMUM  CONSTRAINTS.  INCLUDED  IN  THESE  ARE 
LIMITATIONS  ON  ET  IMPACT  LOCATION,  POST-MECO  PERFORMANCE 
CAPABILITY,  TRAJECTORY  ALTITUDE  LIMITS,  SSME  MINIMUM  NPSP 
CONSTRAINTS,  AND  PROTECTION  OF  THE  CONTINGENCY  CG  ENVELOPE 
(REF.  RULE  { A4-55 } ,  DESIGN  AND  CRITICAL  MECO  UNDERSPEED 
DEFINITIONS) . 

Reference  Rule  (A4-55},  DESIGN  AND  CRITICAL  MECO  UNDERSPEED  DEFINITIONS ,  for  rationale. 

C.  MAXIMUM  THROTTLES  WILL  BE  USED  TO  REGAIN  INTACT  ABORT 

CAPABILITY  AND  TO  CONTINUE  THE  EXECUTED  TAL  TO  THE  SELECTED 
SITE  (REF.  RULES  {A4-53},  USE  OF  MAXIMUM  THROTTLES;  AND 
{A4-56F},  { A4 -5  6H }  . 2 ,  AND  {A4-56H}.3,  PERFORMANCE 

BOUNDARIES)  .  @[0921 95-1 770A] 


Maximum  throttle  capability  is  used  only  in  limited  cases  and  is  the  highest  power  level  available  on  a 
flight.  Use  of  the  maximum  setting  places  additional  stress  on  the  engine  and  seriously  reduces  engine 
lifetime  and  so  should  be  used  only  if  absolutely  necessary.  In  line  with  this  philosophy,  the  maximum 
throttle  setting  will  only  be  used  if  it  allows  the  orbiter  to  regain  intact  abort  capability  or  will  allow 
continuation  of  a  TAL  abort  to  the  originally-selected  site  when  two  SSME’s  have  failed  (continuing  to 
the  originally-selected  site  at  maximum  throttle  is  preferred  over  committing  to  a  sizable  attitude 
maneuver  on  a  single  engine). 

D.  POST-MECO  (OPS  1),  THE  ABORT  PRIORITIES  ARE  AS  FOLLOWS: 

®[1 20894-1 744B] 

1.  NOMINAL,  STEEP  DEORBIT  [1] 

2.  ATO/ATO  [2],  STEEP  DEORBIT  [3] 
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STEEP  DEORBIT 

a.  ATO/MINIMUM  HP  [4],  STEEP  DEORBIT  FD1  (IF  FD1  PLS  SITE 

IS  GO)  [3]  USING  AFT  RCS  TO  THE  FD1  AFT  RCS  STEEP 
PRESS  QUANTITY.  [5]  [6]  [7]  ®[01 2402-51 12B] 

OR 

b.  ATO/MINIMUM  HP  [4],  STEEP  DEORBIT  FD2  (IF  FD1  PLS  SITE 
IS  NOT  AVAILABLE)  [3]  USING  AFT  RCS  TO  THE  FD2  AFT  RCS 
STEEP  PRESS  QUANTITY  AND  FWD  RCS  IN  OPS  2  TO  THE  FD2 
FWD  RCS  PRESS  QUANTITY.  [5]  [6]  [7] 

OR 

C.  ATO/ATO  [2],  STEEP  DEORBIT  FD2  (IF  FD1  PLS  IS  NOT 

AVAILABLE)  [3]  USING  AFT  RCS  TO  THE  FD2  AFT  RCS  STEEP 
PRESS  QUANTITY.  [5]  [6]  [7] 
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VOLUME  A 
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(CONTINUED) 


SHALLOW  DEORBIT 

a.  ATO/MINIMUM  HP  [4],  SHALLOW  DEORBIT  FD1  (IF  FD1  PLS 
SITE  IS  GO)  [3]  USING  AFT  RCS  TO  THE  FD1  AFT  RCS 
SHALLOW  PRESS  QUANTITY.  [5]  [6]  [7] 

OR 

b.  ATO/MINIMUM  HP  [4],  SHALLOW  DEORBIT  FD2  (IF  FD1  PLS 
SITE  IS  NOT  AVAILABLE)  [3]  USING  AFT  RCS  TO  THE  FD2 
AFT  RCS  SHALLOW  PRESS  QUANTITY  AND  FWD  RCS  IN  OPS  2 
TO  THE  FD2  FWD  RCS  PRESS  QUANTITY.  [5]  [6]  [7] 

OR 

C.  ATO/ATO  [2],  SHALLOW  DEORBIT  FD2  (IF  FD1  PLS  IS  NOT 
AVAILABLE)  [3]  USING  AFT  RCS  TO  THE  FD2  AFT  RCS 
SHALLOW  PRESS  QUANTITY.  [5]  [6]  [7]  ®[01 2402-51 12B] 

AOA  STEEP  USING  ARCS  TO  THE  AOA  AFT  RCS  STEEP  PRESS 
QUANTITY  [5]  AND  CG  LIMITED  BY  THE  CONTINGENCY  CG  ENVELOPE 
(IF  AOA  SITE  IS  GO)  .  [6]  [7]  ®[01 2402-51 12B] 

ATO/MINIMUM  HP  [4],  SHALLOW  DEORBIT  FD1  TO  A  NO-GO  FD1  PLS 
SITE  [3]  USING  AFT  RCS  TO  THE  FD1  AFT  RCS  SHALLOW  PRESS 
QUANTITY.  [5]  [6]  [7] 

AOA  STEEP  USING  AFT  RCS  TO  THE  AOA  AFT  RCS  STEEP  PRESS 
QUANTITY  [5]  AND  CG  LIMITED  BY  THE  CONTINGENCY  CG  ENVELOPE 
TO  A  NO-GO  AOA  SITE.  [6]  [7] 
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8.  TAL  TO  A  TAL  SITE  OR  ACLS  USING  NOMINAL  GUIDANCE  (REFER 

TO  FIGURE  A2-52-I,  REGION  A)  .  ®[1 20894-1 744B] 

9.  AOA  SHALLOW  USING  AFT  RCS  TO  THE  AOA  AFT  RCS  SHALLOW 

PRESS  QUANTITY  [5],  AND  CG  LIMITED  BY  THE  CONTINGENCY  CG 

ENVELOPE  .  @[012402-51 12B] 

10.  TAL  TO  A  TAL  SITE 

a.  REQUIRING  LOW  ENERGY  GUIDANCE  (REFER  TO  FIGURE 
A2-52-I,  REGION  B) 

b.  REQUIRING  LOW  ENERGY  GUIDANCE  AND  HIGH  CROSSRANGE 
PROCEDURES  (REFER  TO  FIGURE  A2-52-I,  REGION  C) 

c.  REQUIRING  HIGH  ENERGY  PROCEDURES  (REFER  TO  FIGURE  A2- 
52-1,  REGION  D) 

11.  TAL  TO  AN  ACLS 

a.  REQUIRING  LOW  ENERGY  GUIDANCE  (REFER  TO  FIGURE 
A2-52-I,  REGION  B) 

b.  REQUIRING  LOW  ENERGY  GUIDANCE  AND  HIGH  CROSSRANGE 
PROCEDURES  (REFER  TO  FIGURE  22-52-1,  REGION  C) 

c.  REQUIRING  HIGH  ENERGY  PROCEDURES  (REFER  TO  FIGURE 
A2-52-I,  REGION  D)  ®[1 20894-1 744B] 
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TAL  TO  A  DOWNRANGE  ELS  WHICH  SATISFIES  CRITERIA  IN  RULE 
{ A2 -2  64  }  ,  EMERGENCY  LANDING  FACILITY  CRITERIA  ®[1 20894-1 744B] 

a.  WITHIN  NOMINAL  GUIDANCE  CAPABILITY  (REFER  TO  FIGURE 
A2-52-I,  REGION  A) 

b.  REQUIRING  LOW  ENERGY  GUIDANCE  (REFER  TO  FIGURE 
A2-52-I,  REGION  B) 

c.  REQUIRING  LOW  ENERGY  GUIDANCE  AND  HIGH  CROSSRANGE 
PROCEDURES  (REFER  TO  FIGURE  22-52-1,  REGION  C) 

TAL  TO  ANY  SITE  WHICH  SATISFIES  CRITERIA  IN  RULE 
{ A2 -2  64  }  ,  EMERGENCY  LANDING  FACILITY  CRITERIA,  BUT 
LIES  OUTSIDE  NOMINAL  AND  LOW  ENERGY  GUIDANCE 
CAPABILITY  (REFER  TO  FIGURE  22-52-1,  REGIONS  D,  E, 

AND  F) .  LANDING  ATTEMPTS  TO  THESE  SITES  MAY  REQUIRE 
HIGH  ENERGY  PROCEDURES  (REGION  D) ,  LOWER  ANGLES  OF 
ATTACK  DURING  THE  FIRST  PULLOUT  (REGION  E) ,  OR  HIGH 
CROSSRANGE  PROCEDURES  (REGION  F) .  THIS 
DETERMINATION  WILL  BE  MADE  IN  REAL-TIME  BASED  ON  THE 
NUMBER  OF  SITES  AND  THEIR  PROXIMITY  TO  THE  FOOTPRINT 
IN  EACH  AREA.  ®[1 20894-1 744B] 

THIS  RULE  CONTINUED  ON  NEXT  PAGE 


06/20/02  FINAL  FLIGHT  OPERATIONS  2-55 

Verify  that  this  is  the  correct  version  before  use. 


NASA  -  JOHNSON  SPACE  CENTER 


FLIGHT  RULES 
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Nominal  guidance  capability. 

Low  energy  guidance  capability. 

Low  energy  guidance  capability 
requiring  high  crossrange  procedures 
Outside  nominal  guidance  capability; 
requires  high  energy  procedures. 
Outside  AUTO  low  energy  guidance 
capability;  requires  ?  =40/31  or  37/31 
Outside  AUTO  low  energy  guidance 
capability;  requires  high  crossrange 
procedures. 


FOOTPRINT 


(FOR  ILLUSTRATION  ONLY) 


®[1 20894-1 744B] 

NOTES: 

[1]  DEORBIT  DELTA  V  MUST  BE  PROTECTED  FOR  FD  1  AND  2  PLS  OPPORTUNITIES. 

[2]  OMS-1  TARGET/OMS-2  TARGET. 

[3]  DEORBIT  DELTA  V  MUST  BE  PROTECTED  FOR  FD  1  OR  2  PLS  (AS  REQUIRED).  @[121593-1590  ] 

[4]  MINIMUM  HP  THAT  WILL  ENSURE  ORBITAL  LIFETIME  (ASSUMING  3  SIGMA  DRAG  AFFECTS)  AT  LEAST  TWO 
ORBITS  BEYOND  THE  FD  1  PLS  OPPORTUNITY  AND  WILL  PROVIDE  ADEQUATE  GROUND  TRACKING  ACCURACIES 
FOR  DEORBIT  TARGETING  AND  STATE  VECTOR  UPDATE. 

[5]  ARCS  PRESS  QUANTITY  CORRESPONDING  TO  THE  EXPECTED  X  AND  Y  CG. 

[6]  OMS-2  MAY  BE  EXECUTED  WITH  THE  FRCS  (REF.  RULE  {A2  -53}.  FORWARD  RCS  USAGE  GUIDELINES).  FOR  FD2 
DEORBIT  USING  THE  FWD  RCS  IN  OPS  2  IS  PREFERRED  OVER  OMS-2  SINCE  IT  REQUIRES  LESS  AFT  RCS  FOR 
ATTITUDE  CONTROL.  ®[1 20894-1 744B]  @[012402-51 12B] 

[7]  IF  FRCS  USAGE  IS  ALLOWED  BY  FLIGHT  RULE  {A2-53},  FORWARD  RCS  USAGE  GUIDELINES,  THEN  ARCS 
ATTITUDE  CONTROL  MUST  BE  PROTECTED  FOR  THE  FRCS  BURN.  ®[1 20894-1 744B] 
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Post-MECO  abort  priorities  were  established  to  provide  the  highest  probability  of  safe  return  of  the 
orbiter  and  crew.  Again,  the  priorities  are  set  up  to  allow  the  orbiter  to  achieve  the  most  desirable 
uphill/orbital  capability  available  based  on  propellant  available  and  the  known  MECO  conditions.  The 
first  priority  is  to  achieve  the  nominal  mission  orbital  parameters  while  maintaining  steep  deorbit 
capability  (1).  This  is  followed  by  reducing  the  orbital  altitude,  but  still  protecting  steep  deorbit  (2). 
Steep  capability  is  maintained  since  commitmen  t  to  shallow  deorbit  unnecessarily  trades  off  the 
deorbit/entry  propellant  and  trajectory  dispersion  protection  inheren  t  in  steep  targeting  for  achievemen  t 
of  mission  objectives  that  in  many  cases  can  be  adequately  accomplished  at  a  lower-than-nominal 
altitude.  The  next  option  (3)  accepts  further  reduction  in  orbit  perigee  (and  hence,  orbital  lifetime  and 
tracking/navigation  quality)  in  order  to  achieve  at  least  some  on-orbit  time.  Aft  RCS  is  committed  for 
deorbit  burn  completion  ( nominal  RCS  entry  redlines  are  maintained,  however).  Forward  RCS  may  be 
committed  for  OMS-2  and  in  OPS  2  at  this  priority  level  (ref.  Rule  {A2-53},  FORWARD  RCS  USAGE 
GUIDELINES).  Again,  these  trades  are  made  in  order  to  maintain  steep  deorbit  capability.  ATO/ATO 
(Hp  approximately  105  nm )  gives  orbital  lifetime  for  FD2  deorbit  without  committing  the  Fwd  RCS.  The 
minimum  perigee  guarantees  a  safe  deorbit  for  the  FD1  PLS  opportunity.  Tirne-to-EI  constraints  do  not 
apply  to  minimum  perigee  determinations.  At  the  next  priority  level  (4),  shallow  FD1  and  FD2  deorbits 
are  allowed.  The  only  remaining  method  of  preserving  propellant  in  addition  to  that  already  committed 
is  to  allow  use  of  ARCS  and  violation  of  the  CG  to  the  contingency  CG  box  (priorities  5,  7,  and  9).  This 
may  allow  achievement  of  minimum  orbital  conditions  or  may  require  a  steep  or  shallow  AO  A,  with  the 
poten  tial  in  any  case  of  requiring  use  of  a  no-go  site.  ®[01 2402-51 12B] 

If  cm  AO  A  cannot  be  achieved,  the  site  selection  priority  will  be  based  on  site  status  (TAL  vs  ACLS  vs 
ELS)  and  guidance  capability  when  more  than  one  site  satisfies  the  conditions  in  Rule  {A2-264}, 
EMERGENCY  LANDING  FACILITY  CRITERIA.  Guidance  capability  will  be  based  on  the  Descent 
Design  System  (DDS)  if  available  or  the  Downrange  Abort  Evaluator  (DAE).  Figure  A2-52-I  is  included 
for  clarity  to  illustrate  the  various  regions  of  dissimilar  gu  idance  capability.  Nominal  guidance  refers  to 
OPS  3  entry  guidance  requiring  no  manual  procedures.  Low  energy  guidance  refers  to  the  use  of 
automatic  low  energy  guidance,  enabled  via  Item  3  on  the  Entry  TRAJ  display.  High  crossrcmge 
procedures  consist  of  enabling  low  energy  guidance  and  manually  flying  a  37-degree  angle  of  attack 
during  the  second  pullout  to  minimize  wing  leading  edge  temperatures.  High  energy  procedures  consist 
of  manual  pitch  and  roll  inputs  during  entry  and  are  contained  in  section  2  of  the  Ascen  t  Checklist. 

®[1 20894-1 774B] 
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In  general,  the  regions  shown  in  figure  A2-52-I  are  preferred  in  the  following  priority:  Nominal  entry 
guidance  capability  (region  A),  low  energy  guidance  capability  (region  B),  low  energy  guidance  with 
high  crossrange  procedures  (region  C ),  and  finally  high  energy  procedures  (region  D).  Nominal  entry 
guidance  is  preferred  over  low  energy  guidance  since  low  energy  guidance  can  take  the  vehicle  to  its 
thermal  limits.  A  site  in  the  high  crossrange  region  (region  C)  is  third  in  priority  since  it  requires  the 
use  of  low  energy  guidance  to  solve  the  crossrange  problem  and  pitch  CSS  to  prevent  potential  thermal 
violations  (reference  Rule  { A2-55 },  USE  OF  LOW  ENERGY  GUIDANCE).  High  energy  procedures  are 
last  in  priority  since  they  are  more  complicated  and  may  take  the  vehicle  to  its  structural  and  thermal 
limits.  Usually  a  TAL  site  has  priority  over  an  ACLS,  which  has  priority  over  an  ELS.  However,  priority 
will  be  given  to  an  ACLS  within  nominal  guidance  capability  (region  A)  over  a  TAL  site  within  low 
energy  guidance  capability  (regions  B  or  C).  The  risk  associated  with  landing  at  cm  ACLS  is  considered 
less  than  the  risk  associated  with  the  use  of  low  energy  guidance.  If  no  TAL  site  or  ACLS  lies  within 
nominal  guidance  capability  (region  A),  priority  will  be  given  to  a  TAL  site  within  low  energy  guidance 
capability  (region  B),  followed  by  a  TAL  site  within  low  energy  guidance  capability  requiring  high 
crossrange  procedures  (region  C),  followed  by  a  TAL  site  requiring  high  energy  procedures  (region  D). 

If  no  TAL  site  is  available,  the  same  priorities  will  be  given  to  an  ACLS.  The  use  of  high  energy 
procedures  to  a  TAL  site  or  ACLS  was  given  priority  over  an  ELS  within  nominal  guidance  capability 
since  those  sites  will  have  landing  aids,  navaids,  and  ground  support.  If  no  TAL  site  or  ACLS  is 
available,  then  an  ELS  within  nominal  guidance  capability  (region  A)  will  be  selected.  If  no  ELS  lies 
within  nominal  guidance  capability,  then  the  site  within  low  energy  guidance  capability  (region  B)  will 
be  selected.  Otherwise,  cm  ELS  within  low  energy  guidance  capability  requiring  high  crossrange 
procedures  (region  C)  will  be  selected. 

If  there  is  no  site  within  nominal  or  low  energy  guidance  capability  (outside  regions  A,  B,  or  C),  the  site 
(TAL,  ACLS,  or  ELS)  with  the  best  chance  of  a  runway  landing  will  be  selected.  A  landing  attempt  to 
this  site  may  require  the  use  of  high  energy  procedures  (region  D)  or  a  lower  angle  of  attack  during  the 
first  pullout  (region  E)  or  high  crossrange  procedures  (region  F)  (reference  Rule  {A2-55},  USE  OF  LOW 
ENERGY  GUIDANCE).  Since  all  three  of  these  regions  require  manual  procedures  and  may  take  the 
vehicle  to  its  thermal  and  structural  limits,  they  are  given  the  same  priority.  Site  status,  difficulty  of 
manual  procedures,  and  proximity  to  guidance  capability  will  be  considered  when  choosing  between  sites 
in  regions  D,  E,  and  F. 
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Note  that  these  choices  can  be  heavily  influenced  by  landing  site  status.  Since  determination  of  the 
desired  site  must  be  made  rapidly,  in  real  time,  the  engineering  judgmen  t  of  the  flight  control  team  will 
be  considered  due  to  the  significan  t  tradeoffs  which  must  be  made.  For  example,  the  preference  for  ACLS 
in  region  A  over  a  TAL  site  in  region  B,  C,  or  D  could  be  modified  if  the  ACLS  has  very  bad  weather,  as 
opposed  to  the  ACLS  being  no-go  as  a  TAL  site  simply  due  to  loss  ofnavaids  redundancy.  ®[1 20894-1 774B] 

Rules  (A2-51J,  STS  ABORT  CRITERIA;  (A4-56CJ,  PERFORMANCE  BOUNDARIES;  {A4-62},  OMS- 
l/OMS-2  EXECUTION;  and  {A6-51},  OMS  FAILURE  MANAGEMENT  [CIL],  reference  this  rule. 

E.  POST-MECO  (OPS  6  CONTINGENCY  ABORT),  THE  DOWNRANGE  SITE  HAS 
PRIORITY  WHEN  CAPABILITY  EXISTS  TO  MULTIPLE  SITES  WHICH 
SATISFY  THE  CRITERIA  IN  RULE  {A2-264},  EMERGENCY  LANDING 
FACILITY  CRITERIA.  ®[1 20894-1 744B] 

For  OPS-6  contingency  abort  entries  (ECAL  and  Bermuda),  powered  flight  guidance  uses  an  open  loop 
scheme  and  is  therefore  not  targeted  to  any  particular  MECO  conditions.  In  these  cases,  energy 
evaluation  is  not  feasible  until  after  the  post-MECO  pullout  maneuver.  Even  though  active  guidance 
begins  at  transition  to  OPS  603  at  Mach  3.2  (TAEM  interface),  an  accurate  energy  assessment  cannot  be 
made  until  the  trajectory  stabilizes.  If  energy  capability  overlaps  between  two  sites  and  both  satisfy  the 
criteria  in  Rule  { A2-264 j,  EMERGENCY  LANDING  FACILITY  CRITERIA,  the  further  downrange  site 
shall  be  selected  to  minimize  steering  requirements  caused  by  large  heading  errors.  ®[i  20894-1 744B] 
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A2-53  FORWARD  RCS  USAGE  GUIDELINES 

A.  PRE-MECO:  FORWARD  RCS  DELTA  V  CAPABILITY  WILL  ONLY  BE 
CONSIDERED  FOR  OPS-2  BURNS  IN  SUPPORT  OF  A  FD2  PLS . 

®[01 2402-51 12B] 

B.  POST-MECO:  FORWARD  RCS  WILL  BE  USED  FOR  OMS-2  TO  OBTAIN  THE 
HIGHEST  POSSIBLE  ABORT  MODE  PROVIDED  THERE  IS  SUFFICIENT 
FORWARD  RCS  PROPELLANT  TO  SUPPORT  THE  TOTAL  DELTA  V  REQUIRED 
FOR  THE  BURN. 

Pre-MECO,  Forward  RCS  delta  V  capability  is  not  considered  as  being  available  to  support  or  provide 
an  abort  capability  for  AO  A  or  FD1  PLS  since  flight  design  and  techniques  do  not  assure  that  time 
and/or  trajectory  constraints  will  not  preclude  its  use.  However,  it  may  be  considered  pre-MECO  in 
support  of  a  FD2  PLS  capability,  since  a  FD2  deorbit  allows  sufficient  time  to  perform  OPS-2  Fwd  RCS 
burns  and  the  post-OMS-2  trajectory  conditions  are  better  defined  ( reference  A/E  Flight  Techniques 
#178).  Each  Forward  RCS  burn  will  be  constrained  to  a  maximum  burn  time  of  150  seconds  as  defined 
by  Flight  Rule  (A6-153A),  RCS  JET  MAXIMM  BURN  TIME. 

Post-MECO,  the  time  and  trajectory  constraints  are  mitigated  by  knowledge  of  the  actual  trajectory 
condition,  and  hence  the  Forward  RCS  may  then  be  committed  to  help  achieve  the  highest -priority  abort 
option.  The  basic  groundrule  in  Forward  RCS  commitment  for  OMS-2  is  that  Forward  RCS  critical- 
burn  redundancy  is  considered  sufficient  to  commit  its  use  at  OMS-2  if  such  usage  will  result  in  at  least 
some  on-orbit  capability  (i.e.,  avoidance  of  AO  A).  It  is  also  desirable  to  avoid  any  requirement  for  a 
flip-around  maneuver  to  complete  a  burn  begun  with  the  Forward  RCS,  particularly  when  the  burn  is 
considered  critical.  Therefore,  the  Forward  RCS  will  only  be  used  for  OMS-2  if  it  can  provide  all  the 
delta  V  necessary  to  establish  a  safe  perigee.  An  additional  advantage  of  using  the  Forward  RCS  in  this 
manner  is  that  usage  at  OMS-2  (rather  than  saving  it  for  deorbit  completion )  may  preclude  a  fast-flip 
requirement  to  complete  the  deorbit  burn  since  extra  OMS/ARCS  is  made  available  for  that  maneuver. 
(©[012402-51 12B] 

Rules  (A2-52DJ,  ASCENT  MODE  PRIORITIES  FOR  PERFORMANCE  CASES;  and  {A6-51},  OMS 
FAILURE  MANAGEMENT  [CIL],  reference  this  rule. 
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[CIL] 

FOR  SPECIFIC  SYSTEMS  FAILURES,  AN  RTLS,  TAL,  OR  AOA  ABORT  WILL  BE 
SELECTED  TO  PROVIDE  THE  EARLIEST  AVAILABLE  LANDING  TIME  OR  TO 
AVOID  REQUIRING  A  LOST  CAPABILITY. 

NOTE:  WHEN  THE  SAME  ITEM  APPEARS  IN  MORE  THAN  ONE  ABORT  OPTION, 

THE  EARLIEST  ABORT  OPTION  AVAILABLE  IS  SELECTED. 

A.  AN  RTLS  WILL  BE  PERFORMED  FOR  THE  FOLLOWING: 

1.  IMPENDING  LOSS  OF  ALL  APU/HYDRAULIC  SYSTEMS  CAPABILITY. 

®[1 1 1699-7070B] 

At  least  one  APU/HYD  system  is  required  to  attempt  to  land  the  vehicle.  If  failures  are  present  that  are 
leading  to  the  loss  of  all  systems,  the  abort  mode  which  affords  the  earliest  landing  time  is  selected  {ref 
Rule  {A10-21AJ.4,  LOSS  OF  APU/HYDRAULIC  SYSTEM(S)  ACTIONS). 

If  the  third  APU/HYD  system  is  nominal,  it  is  preferable  to  continue  to  orbit  rather  than  performing  an 
abort.  Con  tin  uing  to  orbit  allows  for  time  to  troubleshoot  the  two  failed  systems  and  possibly  regain  one 
or  both  systems  for  entry.  Additionally,  going  to  orbit  will  provide  the  time  to  take  the  necessary  steps  to 
ensure  the  best  possible  conditions  (i.e.,  trajectory,  landing  site,  crew  and  vehicle  health,  weather 
conditions,  etc.)  for  a  single  APU  entry.  ®[1 1 1 699-7070B] 

2.  FAILURE  OF  A  FORWARD  WINDSHIELD  OR  SIDE  HATCH  THERMAL 
WINDOWPANE  (OUTER  PANE)  [CIL]  .  @[021998-6493] 

An  RTLS  abort  is  selected  to  minimize  the  thermal  stresses  on  the  remaining  windowpanes  and 
surrounding  structure.  Entry  heat  loads  are  less  on  an  RTLS  than  on  other  abort  modes  or  during  a 
normal  landing.  This  provides  a  better  chance  of  the  remaining  panes  and  surrounding  structure 
surviving  entry. 

Reference  rule  (A10-381 },  THERMAL  WINDOWPANE  FAILURE  [CIL ].  @[021 998-6493  ] 
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[CIL]  (CONTINUED) 

3.  CABIN  LEAK  RESULTING  IN  A  DP/DT  >  -0.15  PSIA/MINUTE. 

If  a  cabin  leak  develops  with  a  leak  rate  greater  than  that  specified,  then  there  has  been  a  loss  of  cabin 
integrity  and  the  abort  mode  that  affords  the  earliest  landing  time  should  be  selected.  The  -0.15  psia/ 
minute  value  allows  the  capability  to  perform  an  orbit  3  deorbit  and  land  with  a  cabin  pressure  of  8  psi. 

It  is  also  the  value  that  should  cover  ascent  pressure  fluctuations  so  that  cm  erroneous  abort  is  not 
called.  If  the  leak  rate  is  less  than  that  specified,  continue  to  MECO  and  attempt  leak  isolation.  If  the 
leak  is  not  isolated,  then  an  AOA  will  be  performed  and  there  should  be  enough  pad  so  that  if  the  leak 
increases  the  abort  can  be  completed. 

4.  IMPENDING  LOSS  OF  ALL  O2  (H2)  CRYO . 

If  the  pressure  cannot  be  maintained  in  at  least  one  cryo  tank  and  manifold,  the  fuel  cells  will  even  tually 
stop  producing  electrical  power,  no  matter  what  the  quantity  is  in  the  cryo  tanks.  Since  the  amount  of 
time  available  before  “blowdown  ”  of  the  tanks  is  dependen  t  on  a  large  number  of  variables,  specific 
numbers  cannot  be  defined  for  the  purpose  of  selecting  the  most  preferred  abort.  Thus,  this  condition 
warrants  the  selection  of  the  abort  mode  that  affords  the  earliest  landing  time  (ref.  Rule  (A9-261 }, 
IMPENDING  LOSS  OF  ALL  CRYO). 

5.  LOSS  OF  TWO  FREON  LOOPS. 

With  the  loss  of  both  Freon  loops  the  vehicle  has  lost  all  cooling  capacity.  Fuel  cell  life  becomes  the 
critical  factor.  Assuming  a  purge  of  all  three  fuel  cells  and  a  12.54  kW  ( 4.18  kW/fuel  cell)  power  level, 
stack  temperature  limits  will  be  reached  in  about  50  minutes  and  the  electrolyte  concentration  will  reach 
the  operational  limit  of  25  percen  t  in  about  75  minutes.  At  this  point,  continued  operation  of  the  fuel  cell 
is  questionable.  Without  a  purge,  the  fuel  cells  will  flood  in  about  18  minutes  at  a  power  level  of  8.0  kW 
(2.67  kW/fuel  cell).  The  life  of  the  fuel  cell  would  therefore  be  somewhere  between  18  and  50  minutes, 
thus  requiring  an  abort  mode  that  affords  the  earliest  landing  time.  This  data  is  supported  by  Rockwell 
analysis  and  the  SODB. 
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A2-54  RTLS ,  TAL,  AND  AOA  ABORTS  FOR  SYSTEMS  FAILURES 

[CIL]  (CONTINUED) 

6.  LOSS  OF  ANY  TWO  MAIN  BUSES  (PRECLUDES  EXTERNAL  TANK  (ET) 
DOOR  CLOSE) . 

The  loss  of  two  main  electrical  buses  precludes  closing  the  ET  doors.  An  RTLS  will  be  performed  for 
this  failure  since  it  provides  a  more  benign  entry  heating  scenario  and  allows  a  better  chance  of 
accomplishing  a  successful  landing. 

B.  A  TAL  WILL  BE  PERFORMED  FOR  THE  FOLLOWING: 

NOTE:  FOR  THE  PURPOSES  OF  SYSTEMS  ABORTS,  A  TAL  WILL  ONLY 

BE  EXECUTED  TO  A  TAL  SITE  OR  AN  AUGMENTED  CONTINGENCY 
LANDING  SITE. 

1.  TWO  OMS  PROPELLANT  TANKS  LEAKING/FAILED,  DIFFERENT  SIDES. 

If  two  OMS  propellant  tanks  are  leaking  or  have  failed  ( different  sides),  a  TAL  abort  will  be  selected 
since  uphill  capability  is  not  available.  A  TAL  abort  is  preferred  over  an  RTLS  for  the  following 
reasons: 

a.  The  TAL  entry  environment  (with  the  exception  of  thermal)  is  less  severe  than  GRTLS.  RTLS  ET 
separation  is  more  demanding  because  of  higher  aerodynamic  loads;  trajectory  maneu  vers  post-  ET 
separation  are  more  time-critical  (to  maintain  reasonable  energy  level  and  loads  on  the  vehicle); 
and  50  degrees  angle  of  attack  must  be  established  and  main  tained. 

b.  NZ  is  greater  during  GRTLS  than  TAL  entry.  This  becomes  an  important  factor  if  the  OMS  tank 
landing  weight  and  maneuver  constraints  are  violated.  Structural  damage  to  the  OMS  tank  might 
occur  if  the  OMS  maneuver  constraint  is  violated  with  high  NZ. 

c.  The  TAL  post-MECO  dump  allows  the  single  engine  roll  control  propellant  to  be  dumped.  As  a 
result,  less  residual  propellant  remains  postdump;  therefore,  the  chance  of  pod  freezeup  and 
postlanding  fire  is  decreased. 
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[CIL]  (CONTINUED) 


If  these  failures  occur  pre-MECO  and  after  last  TAL  capability  to  the  prime  site,  a  TAL  to  an  ACLS  may 
be  performed.  If  the  decision  to  abort  TAL  occurs  late  enough,  a  manual  MECO  may  be  required  in 
order  to  reach  the  TAL  R/V  line.  This  would  be  followed  by  TAL  selection  post-MECO.  There  are  risks 
associated  with  the  manned  MECO  TAL  abort  not  incurred  with  a  pre-MECO  TAL  selection  prior  to  the 
last  pre-MECO  TAL  boundary.  (1)  Manual  MECO  incurs  the  risk  of  missing  the  targeted  MECO  VI  and 
creating  cm  under-  or  over-speed  condition.  (2)  A  complete  OMS  dump  is  not  possible  and  this  may 
result  in  violation  of  landing  weight  or  eg  constrain  ts.  The  risks  associated  with  manual  MECO  TAL 
aborts  are  judged  to  be  less  than  those  associated  with  continuing  toward  a  nominal  MECO  with  critical 
systems  failu  res. 

If  these  failures  occur  after  last  capability  to  cm  ACLS,  then  post-MECO,  if  AT O  capability  does  not 
exist,  an  AOA  or  bailout  must  be  performed. 

2.  LOSS  OF  TWO  OMS  HE  TANKS  THAT  WILL  NOT  SUPPORT  HIGHER 
PRIORITY  ABORTS  (ATO/ SHALLOW,  AOA  STEEP) . 

A  TAL  will  be  selected  for  two  OMS  He  tank  failures  if  uphill  capability  is  not  available.  A  TAL  abort  is 
preferred  over  an  RTLS  for  the  reasons  listed  in  a.  and  b.  of  paragraph  B.l  rationale. 

If  these  failures  occur  pre-MECO  and  after  last  TAL  capability  to  the  prime  site,  a  TAL  to  cm  ACLS  may 
be  performed.  If  the  decision  to  abort  TAL  occurs  late  enough,  a  manual  MECO  may  be  required  in 
order  to  reach  the  TAL  R/V  line.  This  would  be  followed  by  TAL  selection  post-MECO.  There  are  risks 
associated  with  the  manual  MECO  TAL  abort  not  incurred  with  a  pre-MECO  TAL  selection  prior  to  the 
last  pre-MECO  TAL  boundary.  (I)  Manual  MECO  incurs  the  risk  of  missing  the  targeted  MECO  VI  and 
creating  cm  underspeed  or  overspeed  condition.  (2)  A  complete  OMS  dump  is  not  possible  and  this  may 
result  in  violation  of  landing  weight  or  eg  constrain  ts.  The  risks  associated  with  man  ual  MECO  TAL 
aborts  are  considered  much  less  than  those  associated  with  continuing  toward  a  nominal  MECO  with 
cri tical  systems  fa  i I u  res. 

If  these  failures  occur  after  last  capability  to  an  ACLS,  then  post-MECO,  if  ATO  capability  does  not 
exist,  an  AOA  or  bailout  must  be  performed. 
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[CIL]  (CONTINUED) 

3.  TWO  ARCS  PROPELLANT  TANKS  LEAKING,  DIFFERENT  SIDES,  SAME 
PROPELLANT  THAT  WILL  SUPPORT  TAL  ET  SEPARATION  AND  ENTRY 
TO  A  Q-BAR  =  20. 

If  one  pod  contains  >  75  percent  propellan  t  ET  separation  can  be  performed  (ref.  Rule  { A6-57} ,  AFT 
RCS  PROPELLANT  TANK  FAIL/HELIUM  INGESTION).  The  leak  rate  after  ET  separation  must  still 
support  Q-bar  =  20  to  guarantee  control  until  NO  YAW  JET  can  be  engaged.  If  either  leak  rate  supports 
TAL,  the  proper  course  of  action  is  to  abort  TAL.  If  the  leak  rate  does  not  support  TAL,  this  case 
becomes  the  same  as  two  propellant  tanks  fcdled. 

Two  propellan  t  tanks  fcdled  same  propellant  does  not  cdlow  any  type  of  certified  con  trol  mode  from  El 
to  Q-bar  =  20.  By  pressing  uphill,  time  is  gained  to  allow  complex  procedure  and/or  software  changes 
to  take  place  to  help  provide  control  until  a  Q-bar  -  20  ( i.  e. ,  DAP  or  procedure  changes  that  will  allow 
forward  RCS  control  in  pitch  and  yaw).  With  the  OI-8  NO  YAW  JET  software,  a  certified  entry  from  a 
Q-bar  =  20  to  touchdown  is  now  available.  An  uphill  abort  cutting  off  at  minimum  Hp  which  requires 
the  least  total  delta-V for  the  insertion  and  deorbit  burns,  and  ensures  orbited  lifetime  at  least  two  orbits 
beyond  the  first  day  PLS  is  selected  to  maximize  the  amount  ofOMS  remaining  to  protect  for 
interconnect  operations  post-deorbit  burn. 

4.  IMPENDING  LOSS  OF  ALL  APU/HYDRAULIC  SYSTEMS  CAPABILITY. 

®[1 1 1699-7070B] 

See  rationale  for  paragraph  A.l. 

5.  CABIN  LEAK  RESULTING  IN  A  DP/DT  >  -0.15  PSIA/MINUTE. 

See  rationale  for  paragraph  A.  3. 
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[CIL]  (CONTINUED) 

6.  IMPENDING  LOSS  OF  ALL  O2  (H2)  CRYO. 

See  rationale  for  paragraph  A.  4. 

7.  LOSS  OF  TWO  FREON  LOOPS. 

See  rationale  for  paragraph  A.  5. 

8.  LOSS  OF  RTLS  ET  SEPARATION  CAPABILITY  (WHEN  AN  RTLS  WOULD 
HAVE  BEEN  CALLED  FOR)  BASED  ON  RCS  JET  FAILURES  WHICH 
STILL  ALLOW  ET  SEPARATION  ON  A  TAL. 

Combinations  of  failures  could  result  in  the  loss  of  RCS  jets  such  that  an  RTLS  ET  separation  could  not 
be  accomplished  for  an  RTLS  abort  case.  In  this  situation,  a  TAL  would  be  performed  and  the  additional 
11  minutes  of  flight  time  would  have  to  be  accepted. 

9.  THREE  ET  LOW  LEVEL  SENSORS  FAILED  DRY  IN  THE  SAME  TANK 
AND  ARMING  MASS  WILL  NOT  SUPPORT  AOA  STEEP. 

If  multiple  low  level  sensors  fail  indicating  the  “dry”  state  in  the  same  tank  such  that  at  the  time  the 
arming  mass  is  reached  MECO  would  occur  in  a  contingency  downrange  abort  region,  a  TAL  will  be 
performed  to  avoid  the  downrange  contingency  abort.  If  the  arming  mass  supports  an  AOA  capability, 
assuming  -2-sigma  ME  performance,  then  an  AOA  will  be  performed. 
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C.  AN  AOA  WILL  BE  PERFORMED  FOR  THE  FOLLOWING: 

1.  TWO  OMS  PROPELLANT  TANKS  LEAKING/FAILED,  DIFFERENT  SIDES, 
POST-MECO. 


See  rationale  for  paragraph  B.l. 

2.  LOSS  OF  TWO  OMS  HE  TANKS  IF  ATO  SHALLOW  CAPABILITY  DOES 
NOT  EXIST. 


See  rationale  for  paragraph  B.2. 

3.  TWO  ARCS  PROPELLANT  TANKS  LEAKING,  DIFFERENT  SIDES, 

SAME  PROPELLANT,  POST-MECO  THAT  WILL  SUPPORT  ENTRY  TO  A 
Q-BAR  =  20. 

See  rationale  for  paragraph  B.3. 

4.  IMPENDING  LOSS  OF  ALL  APU/HYDRAULIC  SYSTEMS  CAPABILITY. 

®[1 1 1 699-7070B] 

See  rationale  for  paragraph  A.l. 

5.  AN  AOA  WILL  BE  PERFORMED  FOR  A  CABIN  LEAK  RESULTING  IN  A 
DP/DT  >  -0.02  PS  I A /MINUTE  (GROUND  CALL)  OR  FOR  LOSS  OF 
COMMUNICATION  A  DP/DT  >  -0.08  PSIA/MINUTE  (CREW  CALL). 


A  value  of -0.08  psia/minute  will  be  used  for  crew  loss  of  communication  procedures  because  it  creates  a 
C&W  alarm,  and  therefore  cues  the  crew  to  a  possible  cabin  leak  and  to  crosscheck  with  a  cabin 
pressure  decrease.  The  C&W  dp/dt  limit  is  set  at  -0.08  psi/minute  to  prevent  nuisance  alarms  during  the 
period  from  lift  off  to  MECO  when  cabin  pressure  is  transient  due  to  LES  helmet  flow,  thermal  and 
external  drop  effects. 
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[CIL]  (CONTINUED) 


A  leak  rate  in  the  range  -0.02  <-EQdp/dt<-0. 1 5  psi/minute  will  allow  continuing  to  orbit  and  then 
performing  leak  isolation  procedures  to  determine  whether  the  leak  can  be  stopped.  A  leak  rate  of  -0.02 
would  allow  a  landing  at  the  next  PLS.  However ,  an  AOA  will  be  performed  to  provide  additional 
margin  should  the  leak  rate  increase.  This  leak  rate  is  small  enough  to  allow  conservatism,  but  also 
large  enough  to  not  be  masked  by  the  post-MECO  transient  (approximately  -0.02)  so  that  a  NO-GO  call 
for  APU  shutdown  can  be  made  for  a  real  leak.  For  leak  rates  <  -0.02,  stay  time  will  be  determined  by 
Rule  [A1 7-201  Bf,  CABIN  PRESSURE  INTEGRITY.  ®[081 497-1 873  ] 

6.  IMPENDING  LOSS  OF  ALL  O2  (H2)  CRYO . 

See  rationale  for  paragraph  A.  4. 

7.  LOSS  OF  TWO  FREON  LOOPS. 

See  rationale  for  paragraph  A.  5. 

8.  LOSS  OF  TWO  WATER  LOOPS. 

An  AOA  will  be  performed  for  the  loss  of  two  water  loops  since  the  avionics  temperatures  cannot  be 
managed  for  the  extended  period  of  time  required  for  first  day  PLS.  The  avionics  can  be  managed  to 
allow  cm  AOA  while  maintaining  the  required  temperature  levels. 

9.  THREE  ET  LOW  LEVEL  SENSORS  FAILED  DRY  IN  THE  SAME  TANK  IF 
THE  EXPECTED  -2-SIGMA  CUTOFF  VELOCITY  SUPPORTS. 

See  rationale  for  paragraph  B.9.  Rules  / A2-51 },  STS  ABORT  CRITERIA;  ( A2-205 },  EMERGENCY 
DEORBIT;  {A4-56C},  PERFORMANCE  BOUNDARIES;  {A9-261},  IMPENDING  LOSS  OF  ALL  CRYO; 
{A10-21AJ.2,  LOSS  OF  APU /HYDRAULIC  SYSTEM  (S)  ACTIONS;  and  {A16-12A},  EMERGENCY 
POWERDOWN,  reference  this  rule. 
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A2-55  USE  OF  LOW  ENERGY  GUIDANCE 

A.  IF  THE  OPS  3  ENTRY  PULLOUT  LOADS  ARE  PREDICTED  TO  EXCEED 
3.5  G'S,  OPS  6  AUTO  CONTINGENCY  GUIDANCE  WILL  BE  USED  FOR 
ENTRY  .  @[120894-1663  ] 

B.  AUTO  NOMINAL  GUIDANCE  WILL  BE  USED  WHENEVER  THE  LANDING  SITE 
IS  WITHIN  THE  NOMINAL  GUIDANCE  CAPABILITY.  (REFERENCE  FIGURE 
A2-55-I)  .  (ALPHA  PROFILE  43/40)  . 

C.  AUTO  LOW  ENERGY  GUIDANCE  MAY  BE  ENABLED  WHENEVER  THE  LANDING 
SITE  IS  OUTSIDE  THE  NOMINAL  GUIDANCE  CAPABILITY.  (ALPHA 
PROFILE  42/31)  . 

D.  AUTO  LOW  ENERGY  GUIDANCE  MAY  BE  ENABLED  AND  MANUAL  PITCH 
FLOWN  THROUGH  THE  FIRST  PULLOUT  IF  THE  DOWNRANGE  TO  THE 
LANDING  SITE  EXCEEDS  THE  AUTO  LOW  ENERGY  GUIDANCE  CAPABILITY. 
THE  MCC  WILL  RECOMMEND  AN  ALPHA  OF  40  OR  37  DEGREES  FOR  THE 
FIRST  PULLOUT  TO  MAXIMIZE  RANGING  AND  MEET  THERMAL 
CONSTRAINTS.  (ALPHA  PROFILE  40/31  OR  37/31).  IF  NO  COMM,  AN 
ALPHA  OF  40  DEGREES  IS  FLOWN  MANUALLY  THROUGH  THE  FIRST 
PULLOUT  FOR  MECO  INERTIAL  VELOCITIES  LESS  THAN  21.2  K  FPS 
(20.4  FOR  INCLINATIONS  >  39  DEGREES). 

E.  AUTO  LOW  ENERGY  GUIDANCE  MAY  BE  ENABLED  AND  A  MANUAL  PITCH  OF 
37  DEGREES  FLOWN  THROUGH  THE  SECOND  PULLOUT  FOR  THE  FOLLOWING 
SCENARIOS.  (ALPHA  PROFILE  42/37). 

1.  IF  THE  LANDING  SITE  IS  OUTSIDE  THE  CROSSRANGE  CAPABILITY 
OF  NOMINAL  GUIDANCE  IN  THE  REGION  OF  THERMAL  CONCERN. 

2.  IF  THE  LANDING  SITE  IS  BEYOND  THE  CAPABILITY  OF  NOMINAL 
GUIDANCE  AND  THE  MECO  VELOCITY  IS  GREATER  THAN  THE  AUTO 
LOW  ENERGY  GUIDANCE  HIGH  VELOCITY  LIMIT. 
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A2-55  USE  OF  LOW  ENERGY  GUIDANCE  (CONTINUED) 

THE  MCC  WILL  DO  A  REAL-TIME  THERMAL  ASSESSMENT  OF  ALPHA 
42/31  TO  DETERMINE  IF  THE  SECOND  PULLOUT  CAN  BE  COMPLETED 
IN  AUTO.  PITCH  CONTROL  CAN  BE  RETURNED  TO  AUTO  AT  THE 
COMPLETION  OF  THE  SECOND  PULLOUT  OR  ON  AN  MCC  CALL. 

NOTE:  REFERENCE  RULE  {A2-209},  LANDING  SITE  SELECTION  FOR 

AN  INFLIGHT  EMERGENCY  @[120894-1663] 


FIGURE  A2-55-I  -  GENERIC  DOWNRANGE  ABOR1 
EVALUATOR  (DAE)  DEPICTIOK 

@[120894-1663] 
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A2-55  USE  OF  LOW  ENERGY  GUIDANCE  (CONTINUED) 

OPS  3  VS  OPS  6  -  For  a  large  MECO  underspeed,  entry  pullout  loads  determine  whether  to  use  OPS  6 
Contingency  Guidance  or  OPS  3  Low  Energy  Guidance.  The  MCC  uses  the  Downrange  Abort  Evaluator 
(DAE)  or  a  real-time  plot  of  flight  path  angle  versus  velocity  to  assess  the  3.5  g  limit  and  make  a  reed 
time  call  to  inform  the  crew  of  the  best  type  of  entry.  For  loss  of  COMM,  the  crew  uses  the  TAL  velocity 
boundary  on  the  three  engine  out  portion  of  the  contingency  abort  cue  card  to  determine  whether  to  use 
cm  OPS  6  or  OPS  3  entry.  If  three  engines  fail  simultaneously  before  this  velocity  boundary,  an  OPS  6 
entry  will  be  used  since  an  OPS  3  entry  will  result  in  more  than  a  3.5  g  pullout.  This  simple  velocity 
boundary  is  not  accurate  for  performance  dispersions  or  sequential  engine  failures. 

Low  Energy  Guidance  -  OPS  3  Low  Energy  Guidance  uses  a  42/31  alpha  profile  and  modified  roll 
command  logic  to  extend  the  orbiter’s  downrange  and  crossrange  capability  during  entry  and  increase 
the  probability  of  making  a  landing  site  that  would  be  unobtainable  using  nominal  entry  guidance.  A  42- 
degree  alpha  is  maintained  during  the  initial  pullout  to  avoid  thermal  damage  and  minimize  the  second 
pullout  temperatures.  Alpha  is  lowered  to  31  degrees  during  the  second  pullout  to  extend  the  downrange 
capability  without  exceeding  the  thermal  limits.  The  wing  leading  edge  temperature  must  not  exceed 
3320  deg  F  at  any  time  or  3220  deg  F for  more  than  40  seconds.  STSOC  Transmittals  DFD-92-5 10-041 
and  DFD-92-5 10-107  document  the  high  inclination  and  generic  low  alpha  thermal  assessments.  The 
low  energy  stretch  footprint  computed  by  the  Downrange  Abort  Evaluator  (DAE)  defines  the  region 
where  auto  low  energy  guidance  will  make  the  site  without  violating  thermal  constraints. 

Single  Engine  Limits  and  gap  management  take  low  energy  guidance  capability  into  account  when 
determining  performance  boundaries.  Reference  Rules  {A4-56J,  PERFORMANCE  BOUNDARIES,  and 
{A5-103},  LIMIT  SHUTDOWN  CONTROL. 

Low  Energy  Guidance  and  Manned  Pitch  Control  in  the  First  Pullout  -  Manual  pitch  control  may  be  used 
in  conjunction  with  auto  low  energy  guidance  to  increase  downrange  capability  by  flying  a  lower  alpha 
in  the  first  pullout.  The  MCC  can  evaluate  the  thermal  acceptability  of  alpha  40  and  37  degrees  through 
the  first  pullout.  Reference  A/E  FTP  #49,  9/15/88;  #79,  6/21/91;  and  #87,  2/21/92. 
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A2-55  USE  OF  LOW  ENERGY  GUIDANCE  (CONTINUED) 

High  Crossrange  in  Region  of  Thermal  Concern  -  For  landing  sites  outside  the  nominal  guidance 
crossrange  capability,  using  the  automatic  low  energy  logic  will  improve  the  chance  of  making  a  site  by 
trading  downrange  for  crossrange  but  may  exceed  thermal  limits.  While  it  is  known  that  the  area  beside 
the  nominal  footprint  contains  small  regions  that  violate  thermal  limits,  the  exact  definition  of  the 
regions  is  not  available.  For  this  reason,  the  conservative  course  of  action  is  to  plan  to  fly  the  second 
pullout  at  an  alpha  of  37  degrees.  The  MCC  will  do  a  real-time  thermal  evaluation  at  alpha  42/31  to 
determine  if  the  second  pullout  can  be  completed  in  auto.  Pitch  control  can  be  returned  to  auto  when  the 
pullout  is  complete  or  on  an  MCC  call. 

High  MECO  Velocities  -  High  MECO  velocities  that  require  low  energy  guidance  to  make  a  landing 
site  could  exceed  thermal  limits  during  the  second  pullout.  Flying  the  second  pullout  at  an  alpha  of 
37  degrees  will  avoid  any  thermal  problem.  The  MCC  will  do  a  real-time  thermal  evaluation  at 
alpha  42/31  to  determine  if  the  second  pullout  can  be  completed  in  auto.  Pitch  control  can  be 
returned  to  auto  when  the  pullout  is  complete  or  on  an  MCC  call. 

Rule  { A4-56 },  PERFORMANCE  BOUNDARIES,  references  this  rule.  ®[i  20894-1 663  ] 

A2-56  ABORT  GAP 

ASCENTS  WILL  BE  CONTINUED  TO  ORBIT  WITH  INTACT  ABORT  GAPS 
PROVIDED  THREE-SSME  UPHILL  PERFORMANCE  REMAINS  ACCEPTABLE. 
REFERENCE  RULE  {A4-56I},  PERFORMANCE  BOUNDARIES,  FOR  GAP  CLOSURE 
OPTIONS  AND  UPHILL  PERFORMANCE  CRITERIA.  ®[ED  ] 

Powered  flight  can  continue  through  an  intact  abort  gap  provided  three-engine  performance  is  assured. 
Mission  design  and  flight  rules  preclude  launching  with  a  known  single-engine-out  abort  gap;  however, 
one  may  arise  during  powered  flight  due  to  performance  problems  such  as  an  SSME  throttle  stuck  in  the 
first-stage  throttle  bucket  or  Pc  sensor  shifts.  In  these  cases,  if  performance  with  the  existing  SSME 
configuration  is  still  able  to  achieve  acceptable  MECO  conditions,  then  the  risk  of  losing  an  SSME  in  the 
abort  gap  is  accepted  rather  than  commit  to  a  three-engine  pre-MECO  abort.  This  risk  is  reasonable 
because  the  actual  need  for  an  abort  has  not  yet  arisen;  the  abort  itself  (RTLS  or  TAL)  carries  risks  of  its 
own;  and  the  abort  in  most  cases  will  not  recover  single-engine-failure  protection.  Also,  the  gap  will 
normally  be  closed  to  the  extent  possible  (ref.  Rule  {A4-56IJ,  PERFORMANCE  BOUNDARIES);  hence, 
any  remaining  gap  will  probably  be  of  short  duration.  ®[ED  ] 
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A2-57  CONTINGENCY  ASCENTS /ABORTS 

CONTINGENCY  ASCENTS/ABORTS  RESULT  FROM  THOSE  SITUATIONS  WHERE 

STRUCTURAL  FAILURES  OR  MULTIPLE  SYSTEMS/SSME  FAILURES  HAVE 

OCCURRED.  IN  SUCH  INSTANCES,  ACTION  WILL  BE  TAKEN  TO  PROVIDE  THE 

HIGHEST  PROBABILITY  OF  A  SAFE  RETURN  OF  THE  CREW  AND  ORBITER. 

THESE  CASES  WILL  USUALLY  RESULT  IN  ONE  OR  MORE  OF  THE  FOLLOWING: 

A.  CREW  BAILOUT/ ORBITER  DITCH  DUE  TO  THE  LOSS  OF  MULTIPLE  SSME'S 
IN  A  REGION  WHERE  NO  ACCEPTABLE  LANDING  SITE  IS  AVAILABLE. 

B.  AN  ATTEMPT  TO  LAND  AT  AN  RTLS ,  TAL,  AO A,  OR  ACLS  DUE  TO 
STRUCTURAL  OR  MULTIPLE  ORBITER  SYSTEMS  PROBLEMS  WHICH 
NECESSITATE  LANDING  AT  THE  EARLIEST  POSSIBLE  TIME. 

C.  AN  ATTEMPT  TO  LAND  AT  AN  RTLS,  TAL,  AO A,  ELS,  OR  ACLS  DUE  TO 
MULTIPLE  SSME  FAILURES  OR  SINGLE  SSME  FAILURES  COUPLED  WITH 
OTHER  ORBITER  FAILURES  (SUCH  AS  THE  LOSS  OF  AN  OMS  ENGINE) 
WHICH  RESULT  IN  SEVERE  ASCENT  PERFORMANCE  LOSS.  CONTINGENCY 
OR  INTACT  ABORT  PROCEDURES  (DEPENDING  ON  THE  PARTICULAR 
FAILURES  AND  THE  TIME  OF  EXECUTION)  WILL  BE  PERFORMED  AS 
REQUIRED  PER  THE  ASCENT  CHECKLIST  AND  ASSOCIATED  CUE  CARDS 
FOR  THE  FAILURES  DESCRIBED  ABOVE,  BUT  IN  ANY  CASE,  THE 
OPERATIONS  WILL  BE  CONSIDERED  "CONTINGENCY"  IN  NATURE. 
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A2-57  CONTINGENCY  ASCENTS/ABORTS  (CONTINUED) 

NOTE:  CONTINGENCY  ABORTS  DUE  TO  TOTAL  SSME  THRUST  LOSS  IN  A 

"BLACK  ZONE"  OF  THE  FLIGHT  PROFILE,  SO  DESIGNATED  DUE 
TO  THE  CHANCES  OF  SURVIVABILITY,  WILL  RESULT  IN 
VIOLATION  OF  VEHICLE  Q-BAR,  G-LOADING,  AND/OR  THERMAL 
LIMITS.  LOSS  OF  TWO  SSME' S  PRIOR  TO  EARLIEST  SINGLE 
ENGINE  DITCH  AVOIDANCE  CAPABILITY  (REF.  RULE  {A4-56}, 
PERFORMANCE  BOUNDARIES)  MAY  RESULT  IN  VEHICLE  LOSS  OF 
CONTROL  OR  ET  RUPTURE  DUE  TO  LOW  ALTITUDE  TRAJECTORY 
AND  THERMAL  CONDITIONS.  MANUAL  FLIGHT  PROCEDURES 
WILL  BE  USED  IN  THESE  CASES  TO  ATTEMPT  TO  SEPARATE 
FROM  THE  ET  FOR  SUBSEQUENT  BAILOUT  PRIOR  TO  ANY  LOSS 
OF  CONTROL. 

This  rule  addresses  the  general  conditions  and  actions  that  result  in  contingency  ascent/cibort  cases. 

These  cases  in  volve  structural  type  failures  such  as  the  loss  of  cabin  pressu  re  in  tegrity,  propellan  t  tank 
leaks,  etc.;  or  multiple  orbiter  systems  failures  such  as  the  loss  of  both  Freon  loops,  the  loss  of  both 
water  loops,  etc.;  or  the  loss  of  multiple  SSME’s  or  single  SSME,  in  conjunction  with  other  orbiter 
failures  such  as  the  loss  of  an  OMS  engine.  The  execution  of  a  contingency  ascent/cibort  may  or  may  not 
result  in  the  use  of  intact  abort  procedures  or  a  landing  at  cm  RTLS,  TAL,  or  AO  A  site.  While  this  type 
of  abort  would  use  these  sites  when  possible,  landing  at  an  augmented  contingency  landing  site  (ACLS) 
or  cm  ELS  may  be  required.  If  none  of  these  are  available,  then  a  crew  bailout  may  be  necessary.  While 
some  scenarios  will  allow  cm  intact  abort  to  be  completed  after  a  second  SSME  failure,  these  are  still 
considered  a  contingency  abort  from  a  programmatic  standpoint. 

Crew  procedures  for  flying  contingency  aborts  are  contained  in  the  ascent  checklist  but  are  only  used  if 
in  tact  abort  procedures  will  not  suffice  for  a  given  situation.  In  general,  con  tingency  abort  procedures 
are  not  certified/verified  to  the  level  of  intact  abort  procedures.  Certain  regions  of  the  ascent  trajectory 
profile  (black  zones)  may  not  be  survivable  if  a  con  tingency  abort  has  to  be  executed  due  to  multiple 
SSME  failures  since  violations  of  orbiter  or  ET  constraints  on  Q-bar,  G-level,  and  heating  will  occur. 
Earliest  ditch  avoidance  capability  refers  to  the  first  time  that  loss  of  two  SSME’s  will  still  allow  flight  to 
con  tinue  under  converged  guidance  and,  at  the  same  time,  will  not  cause  the  subsequent  trajectory  to 
droop  below  265,000 feet.  This  is  the  altitude  below  which  loss  of  control  may  occur  or  the  ET  may 
rupture  due  to  overheating.  In  these  regions,  should  a  contingency  abort  be  required,  manual  special 
procedures  may  be  used  in  an  attempt  to  achieve  ET  separation  and  at  least  a  subsequent  bailout 
capability. 

Rule  (A2-301 },  CONTINGENCY  ACTION  SUMMARY,  references  this  rule.  @[081497-6307] 
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A2-58  ABORT  LIGHT 

A.  ABORT  REQUEST  COMMANDS  ARE  TRANSMITTED  FROM  MCC,  VIA 

PUSHBUTTONS  LOCATED  ON  THE  FD,  FDO,  AND  EASTERN  RANGE  A  5th 
SPACE  WING  FCO  CONSOLES,  WHICH  ILLUMINATE  THE  ABORT  REQUEST 
LIGHT  ON  THE  COMMANDER'S  PANEL.  THE  ABORT  COMMAND  WILL  BE 
TRANSMITTED  AT  THE  SAME  TIME  THAT  THE  ABORT  REQUEST  IS  VOICED 
TO  THE  CREW  OVER  A/G  TO  INDICATE  ONE  OF  THE  FOLLOWING  ABORT 
MODES  OR  ACTIONS  IS  REQUIRED:  @[081497-6307] 


1.  RTLS 
2  .  TAL 
3 .  ATO 
4  .  AOA 

5.  CONTINGENCY  ABORT 

6.  MANUAL  MECO  (SECOND  STAGE  ONLY)  @[081497-6307] 

AFTER  THE  ABORT  REQUEST  IS  RECEIVED  AND  EXECUTED  BY  THE  CREW, 
THE  ABORT  LIGHT  WILL  BE  TURNED  OFF  VIA  GROUND  COMMAND. 

B.  ABORT  REQUEST  CUES  -  THE  GROUND  WILL  BASE  ABORT  REQUEST 
TRANSMISSIONS  ON  AT  LEAST  TWO  INDEPENDENT  CUES  (E.G., 
TELEMETRY  DATA,  CREW  VOICE  REPORTS,  FDO  PERFORMANCE 
INDICATIONS,  ACTUAL  OR  IMMINENT  RANGE  SAFETY  LIMIT  LINE 
VIOLATIONS) .  LIKEWISE,  TWO  CUES  ARE  REQUIRED  FOR  THE  CREW  TO 
TAKE  THE  NECESSARY  ACTION  TO  ABORT  THE  FLIGHT  (E.G., 
PHYSIOLOGICAL  CUES,  ILLUMINATED  ABORT  LIGHT,  VOICE  REPORT 
OVER  A/G,  COCKPIT  INDICATIONS) .  THIS  RULE  ASSUMES  NO 
FAILURES  WHICH  MAY  MASK  SECONDARY  INDICATIONS  OF  ABORT 
REQUIREMENT.  @[081497-6307] 
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A2-58  ABORT  LIGHT  (CONTINUED) 

C.  CREW  ACTION: 

1.  FIRST  STAGE  -  EXECUTE  ANY  AVAILABLE  ABORT  MODE  (NOTE  -  AT 
PRESENT,  NO  FIRST  STAGE  ABORT  EXISTS) . 

2.  SECOND  STAGE  -  EXECUTE  RECOMMENDED  ABORT  MODE  (RTLS ,  TAL, 
ATO,  CONTINGENCY,  MANUAL  MECO) 

3.  POST-MECO  -  AOA,  TAL,  DOWNRANGE  ABORT/CONTINGENCY 

This  rule  documents  the  conditions  under  which  the  abort  light  command  will  be  issued,  the  cue 
requiremen  ts  for  requesting  or  initiating  an  abort,  and  the  actions  to  be  taken  during  each  ascent  phase. 
Assuming  no  other  known  failures  are  present  which  may  mask  malfunction  indications,  two  independen  t 
cues  are  required  before  cm  abort  will  be  requested  or  initiated  in  order  to  provide  at  least  one 
confirming  indication  that  an  abort  is  required. 

If  cm  abort  is  necessary,  the  abort  light  command  will  be  issued  for  all  ascent  abort  modes.  It  was 
agreed  that  the  abort  command  would  be  sent  at  the  time  that  the  abort  request  is  passed  to  the  crew  as 
opposed  to  the  time  at  which  the  abort  is  initiated.  In  most  cases,  these  events  are  concurrent;  however, 
in  the  RTLS/TAL  overlap  region  it  is  usually  desirable  to  delay  abort  initiation  until  close  to  the  last 
RTLS  boundary.  The  abort  light  will  be  reset  (turned  off)  via  ground  command  so  that  it  may  be  used 
again  if  necessary  to  request  a  subsequen  t  AOA  and  also  to  remove  the  bright  light  source  in  the  case  of 
night  launches.  As  part  of  the  1996  ET  Range  Safety  System  removal  effort,  the  Eastern  Rcmge/45th 
Space  Wing  Flight  Control  Officer  (FCO)  was  provided  with  two  redundant  abort  light  switches  in  the 
event  a  range  safety  limit  line  is  violated.  Note  that  in  most  cases,  however,  MCC/flight  crew  action  will 
already  have  taken  place  before  FCO  activation  of  the  light  is  required.  @[081497-6307  ] 

Paragraph  C  semes  to  delineate  the  abort  options  available  for  each  ascent  flight  phase.  @[081497-6307  ] 
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A2-59  BFS  ENGAGE  CRITERIA 

A.  LOSS  OF  REDUNDANT  SET  (REF.  RULE  {A7-1A},  PASS  DPS  FAILURE). 

Loss  of  the  redundant  set  will  result  in  a  loss  of  vehicle  control.  Control  may  be  regained  by  engaging 
the  BFS. 

B.  LOSS  OF  CONTROL: 

1.  LOSS  OF  PASS  CAPABILITY  TO  CONTROL  THE  VEHICLE  DUE  TO 
GPC/MDM/LRU  FAILURES  (BFS  MUST  RECOVER  CRITICAL 
CAPABILITY) . 

Combinations  of  GPC/MDM/LRU  failures  may  cause  the  flight  control  system  to  use  bad  system  inputs 
resulting  in  loss  of  vehicle  con  trol.  The  BFS  should  only  be  engaged  if  it  will  pick  up  at  least  one  IMU, 
control  over  two  FCS  channels,  and  satisfy  the  LRU  constraints  stated  in  Rule  {A8-56J,  BFS  LRU 
REQUIREMENTS. 

2.  LOSS  OF  CONTROL  DUE  TO  DIVERGENT  TRAJECTORY.  AFTER  MET  1 
MINUTE  30  SECONDS,  CONTROL  STICK  STEERING  (CSS)  MAY  BE 
ATTEMPTED  BEFORE  BFS  ENGAGE. 

During  first  stage,  loss  of  control  may  occur  very  quickly  due  to  the  control  authority  of  the  SRB's. 

Early  in  the  STS  program  it  was  determined  that  the  crew  could  not  manually  control  the  vehicle  during 
first  stage  load  relief,  which  occurs  during  the  high  Q-bar  region,  even  though  CSS  is  available  in  PASS. 
Therefore,  prior  to  high  Q-bar,  the  crew  should  engage  the  BFS  to  regain  lost  system  capability  which 
may  recover  vehicle  control.  After  MET  1  minute  30  seconds,  CSS  control  is  an  option  the  crew  has 
available  to  regain  vehicle  control.  If  CSS  does  not  recover  vehicle  control,  then  engaging  BFS  is  the 
last  option  available  since  it  will  place  the  vehicle  control  under  different  software  commands.  (Note: 
only  AUTO  flight  control  mode  is  available  in  the  BFS  during  powered  flight,  MM  102  and  103).  The 
FCS  downmoding  ( AUTO  to  CSS  or  even  BFS  engage)  is  an  onboard  call.  Rule  {A8-54},  FIRST  STAGE 
LOSS  OF  CONTROL  DEFINITION,  defines  the  vehicle  rates  arid  attitude  errors  for  loss  of  control. 
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A2-59  BFS  ENGAGE  CRITERIA  (CONTINUED) 

C.  ROLL  MANEUVER  NOT  INITIATED  AS  SCHEDULED. 

Since  the  onboard  displays  are  inadequate  for  the  crew  to  manually  execute  the  roll/pitch  profile  through 
the  critical  high  Q  phase  with  the  PASS,  the  BFS  must  be  engaged  if  the  roll  maneuver  is  not  initiated  at 
the  planned  I-loaded  value  of  relative  velocity  (ref  Rule  {A4-58A},  AUTO  GUIDANCE  NO-GO).  The 
BFS  has  an  auto  capability  during  powered  flight. 

D.  PRE-MECO,  FOR  SET  SPLITS  SUBJECT  TO  THE  CRITERIA  LISTED  IN 
RULE  {A7-9A},  REDUNDANT  SET  SPLIT. 

PASS  GPC  set  splits  are  considered  to  be  a  low  probability  failure  mode  and  are  also  complex  to  deal 
with  in  the  short  amount  of  time  available  or  in  the  presence  of  other  failures.  In  many  instances,  BFS 
engage  is  the  quickest  and  simplest  approach  to  avoiding  catastrophic  results  (e.g.,  when  they  result  in 
multiple  command  path  failures  to  SSME’s  near  MECO).  Circumstances  where  PASS  reconfiguration  is 
preferred  over  BFS  engage  are  detailed  in  Rule  { A7-9AJ ,  REDUNDANT  SET  SPLIT,  which  also  contains 
the  procedures  required  in  those  cases. 

Rule  {A7-9},  REDUNDANT  SET  SPLIT,  references  this  rule. 


A2-60  NAVIGATION  UPDATE  CRITERIA 

WHEN  AN  INDEPENDENT  NAVIGATION  SOURCE  IS  AVAILABLE,  NAVIGATION 
UPDATES  WILL  BE  INITIATED  TO  PROVIDE  ACCEPTABLE  MECO 
CONDITIONS  AND  MAINTAIN  THE  HIGHEST  ASCENT  PRIORITY  MODE 
AVAILABLE.  IF  NAVIGATION  UPDATES  CANNOT  BE  PERFORMED,  MECO 
WILL  BE  COMMANDED  MANUALLY  (REF.  RULE  {A4-60},  MANUAL  SHUTDOWN 
CRITERIA)  .  ®[1 21 296-41 77D] 

Orbiter  navigation  velocity  errors  not  corrected  until  post-MECO  cause  an  almost  one  for  one  OMS 
penalty  during  OMS-1.  This  penalty  may  cause  downmoding  to  a  lower  ascent  priority  mode  because 
of  OMS  propellant  budget  limitations.  To  avoid  sacrifice  of  mission  objectives,  error  limits  are 
established  for  execution  of  pre-MECO  navigation  updates  ( ref.  Rule  {A4-57AJ,  NAVIGATION 
UPDATES ).  If  a  navigation  update  cannot  be  performed  due  to  the  unavailability  of  an  independent 
navigation  source,  loss  of  command  capability,  or  insufficien  t  time  prior  to  MECO,  then  the  manual 
shutdown  criteria  (ref.  Rule  (A4-60J,  MANUAL  SHUTDOWN  CRITERIA )  will  be  used  to  ensure  an 
acceptable  cutoff.  ®[i  21 296-41 77D] 
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A2-61  Q-BAR/G-CONTROL 

A.  A  FAILURE  OF  ALL  THREE  ENGINES  TO  THROTTLE  DOWN  FOR  Q-BAR 

CONTROL  IN  FIRST  STAGE  OR  G-CONTROL  IN  SECOND  STAGE  IS  CAUSE 
FOR  MANUAL  THROTTLE  TO  OBSERVE  THE  RESPECTIVE  Q-BAR  AND  G 
LIMITS.  FAILURE  OF  A  SINGLE  ENGINE  TO  THROTTLE  IN  THE  SAME 
REGIONS  REQUIRES  NO  ACTION.  FAILURE  OF  TWO  ENGINES  TO 
THROTTLE  IN  SECOND  STAGE  IS  CAUSE  TO  MANUALLY  SHUT  DOWN  ONE 
OF  THE  NONTHROTTLING  ENGINES. 

The  ascent  profile  is  designed  to  constrain  the  maximum  Q-bar  and  g  ’s  to  their  respective  limits.  During 
the  thrust  bucket,  the  throttles  are  reduced  to  ensure  that  the  maximum  dispersed  Q-bar  will  not  exceed 
the  structural  specification  limit  ( approximately  820  psf).  Should  all  three  of  the  SSME’s  fail  to  throttle 
down,  manual  throttledown  is  required  to  avoid  structural  damage. 

The  g-control  region  of  second  stage  adjusts  the  throttles  to  ensure  that  no  more  than  approximately  3g 
will  be  experienced.  This  limit  was  selected  to  protect  vehicle  and  payload  structure.  Therefore,  should 
none  of  the  SSME’s  throttle  down  at  initiation  of  the  g-control  region,  the  crew  will  manually  throttle  to 
maintain  approximately  3g. 

For  failure  of  a  single  SSME  to  throttle  down  in  either  the  thrust  bucket  or  in  the  g-control  regions,  no 
action  will  be  required  by  the  crew  to  manually  throttle.  Analysis  conducted  in  1996  ( reference  Shuttle 
Loads  and  Structural  Dynamics  Panel  Minutes  for  August  31,  1998 )  showed  that  there  will  be  an 
approximately  4  percen  t  exceedance  of  the  wing  certified  limit  load  during  maximum  Q-bar  should  a 
throttle  be  stuck  high  before  the  thrust  bucket.  This  stuck  throttle  condition  is  not  a  design  requirement 
and  has  been  documented  with  a  FMEA/CIL  in  accordance  with  NSTS  07700,  Volume  X  requirements. 
The  risk  clue  to  the  increased  loads  is  acceptable  because  a  safety  factor  greater  than  one  is  maintained. 
During  the  g-control  region,  the  healthy  SSME’s  will  throttle  lower  than  normal  and  the  maximum  g’s 
will  be  approximately  3.5.  This  is  in  violation  of  NSTS  07700,  Volume  X.  To  cover  this  case,  a  waiver 
was  approved  to  accept  a  one-time  high-G  exceedance  of  up  to  3.6  g’s.  Should  this  occur,  post-flight 
analysis  and  inspection  of  the  orbiter  will  be  required.  ®[041 097-491 0A]  @[111298-6788  ] 

Failure  of  two  engines  to  throttle  down  when  the  g-control  region  is  reached  will  definitely  lead  to  a 
violation  of  the  3g  limit  (in  excess  of4g).  The  good  engine  will  only  throttle  down  to  the  minimum 
percent  (approximately  67  percent).  Therefore,  one  of  the  appropriate  nonthrottling  engines  will  be  shut 
down  to  allow  the  remaining  good  engine  to  control  g’s  with  the  other  stuck  engine. 

Refer  to  the  Ascent  Flight  Techniques  meeting  # 53  minutes,  RI/Downey  memo  92MA1056,  and  Shuttle 
Loads  and  Structural  Dynamics  Panel  Minutes  for  August  31,  1998,  for  further  background.  @[041097- 
491 0A]  @[111298-6788] 

Rule  {A2-64},  MANUAL  THROTTLE  CRITERIA,  references  this  rule. 
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A2-62  ET  FOOTPRINT  CRITERIA 

DESIGN  MECO  CONDITIONS  AND  ABORT  MODE  BOUNDARIES  MUST  PROVIDE  AN 
ET  IMPACT  POINT  (IP)  FOOTPRINT,  INCLUDING  3-SIGMA  DISPERSIONS, 
WHICH  SATISFIES  THE  FOLLOWING  CONSTRAINTS: 

A.  NOMINAL  MECO  TARGET:  THE  ET  IP  FOOTPRINT  IS  MAINTAINED  AT  A 
MINIMUM  OF  200  NM  FROM  ALL  FOREIGN  LAND  MASSES  (EXCEPT  THE 
FRENCH-HELD  POLYNESIAN  ISLANDS,  WHERE  THE  MINIMUM  CLEARANCE 
MAY  BE  REDUCED  TO  60  NM  WHEN  DICTATED  BY  MISSION  OBJECTIVES) 
AND  25  NM  FROM  THE  PERMANENT  ICE  SHELF.  ALSO,  THE  ET  IP 
FOOTPRINT  MUST  BE  MAINTAINED  AT  LEAST  25  NM  FROM  U.S. 

ISLANDS.  @[092195-1777 A]  @[111699-7066] 

B.  TAL  MECO  TARGETS:  THE  ET  IP  FOOTPRINT  IS  MAINTAINED  A  MINIMUM 
OF  25  NM  OFF  ALL  FOREIGN  LAND  MASSES. 

C.  RTLS  MECO  TARGETS:  THE  ET  IP  FOOTPRINT  IS  MAINTAINED  A 
MINIMUM  OF  25  NM  FROM  ANY  LAND  MASSES. 

D.  EARLIEST  SINGLE  SSME  OUT  "PRESS"  TRAJECTORIES  (PRESS-TO-MECO 
AND  PRESS-TO-ATO) :  THE  ET  IP  FOOTPRINT  WILL  BE  MAINTAINED  OFF 
CRITICAL  LAND  MASSES.  CRITICAL  LAND  MASSES  INCLUDE: 

1.  FOR  DIRECT  INSERTION  28.5-DEGREE  INCLINATIONS:  AFRICAN 
MAINLAND  AND  MADAGASCAR 

2.  FOR  DIRECT  INSERTION  39-DEGREE  INCLINATIONS:  AFRICAN 
MAINLAND 

3.  FOR  DIRECT  INSERTION  51.6-DEGREE  INCLINATIONS:  AFRICAN 
MAINLAND  AND  THE  MIDDLE  EAST  @[0921 95-1 777A] 

4.  FOR  DIRECT  INSERTION  57-DEGREE  INCLINATIONS:  EUROPEAN  AND 
ASIAN  MAINLANDS 

5.  ALL  OTHER  INCLINATIONS  AND  INSERTION  TYPES  WILL  BE 
ANALYZED  ON  A  MISSION-SPECIFIC  BASIS.  @[0921 95-1 777A ] 

THIS  RULE  CONTINUED  ON  NEXT  PAGE 
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A2-62  ET  FOOTPRINT  CRITERIA  (CONTINUED) 

E.  ET  FOOTPRINT  CONSTRAINTS  WILL  NOT  APPLY  TO  THE  FOLLOWING 

CASES : 

1.  MULTIPLE  SSME-OUT  CASES 

2.  SINGLE  SSME-OUT  CASES  COUPLED  WITH  ANY  OF  THE  FOLLOWING: 

a.  ANY  LOSS  OF  OMS  DUMP  CAPABILITY  (PROPELLANT  OR 
ENGINE) 

b.  ANY  AFT  RCS  PROPELLANT  LEAK/FAILURES 

C.  ANY  OTHER  SSME(S)  STUCK  IN  THE  THROTTLE  BUCKET 

The  premission-defined  MECO  targets  and  design  underspeed  MECO  conditions  are  selected  such  that 
they  will  not  violate  Eastern  Range  (ER)  guidelines  on  ET  IP  or  State  Department  requirements.  These 
guidelines  specify  that  a  3 -sigma  dispersion  footprint  be  used  for  application  of  the  ET  IP  limitation 
criteria. 

Nominal  MECO  target:  The  nominal  MECO  targets  must  meet  the  strictest  constrain  ts  on  the  ET  IP 
footprint.  The  200  nm  limit  from  any  foreign  land  mass  must  be  satisfied  through  the  ascent  flight  design 
process.  This  limit  will  preclude  infringement  of  the  territorial  boundaries  of  all  foreign  land  masses, 
ensuring  no  property  or  human  damage  occurs  from  ET  debris.  The  SSP  has  received  State  Departmen  t 
approval  to  reduce  the  limit  for  the  French-held  Polynesian  Islands  to  60  nm  (reference  NSTS  07700  Vol 
X  Section  3.2.1.1.17.2,  ET  Disposal).  This  ET  disposal  relief  allows  the  use  ofDI  to  122  nm  MECO 
targets  for  ISS  missions.  The  lower  MECO  target  increases  rendezvous  phasing  capability  and 
significan  tly  improves  the  possibility  of  cm  early  rendezvous.  Although  the  minimum  is  60  nm,  the  ET 
footprint  clearance  will  only  be  reduced  from  200  nm  as  required  to  meet  mission  objectives.  The  25  nm 
limit  applies  to  the  permanent  ice  shelf  which,  although  not  very  populated,  must  be  avoided  for 
environmental  protection.  A  lateral  clearance  of  25  nm  is  used  to  protect  U.S.  islands;  the  potential  for 
high  density  of  shipping  vessels  and  other  small  craft  in  these  waters  makes  this  margin  prudent  for  a 
planned  ET  disposed.  This  limit  was  previously  45  nm  prior  to  the  incorporation  of  01-21  flight 
software,  which  eliminated  worst-case  guided  MECO  lateral  dispersions  caused  by  a  side  engine  out  late 
in  the  nominal  trajectory.  The  45  nm  ensured  a  25  nm  clearance  for  these  cases;  however,  the  extra 
margin  is  no  longer  required.  ®[0921 95-1 777 A]  ®[1 1 1 699-7066  ] 
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A2-62  ET  FOOTPRINT  CRITERIA  (CONTINUED) 

TAL  and  RTLS  MECO  targets:  Once  an  abort  or  failure  has  occurred,  the  ET  IP  constraints  are  less 
strict.  The  TAL  and  RTLS  restrictions  on  the  ET  IP  footprint  ensure  that  no  land  mass  impact  damage 
occurs,  although  with  little  additional  margin. 

“PRESS”  trajectories:  The  earliest  PRESS,  single  SSME-out,  trajectories  (earliest  capability  to  continue 
the  ascent  to  an  orbital  condition:  AOA,  ATO,  or  nominal  mission  altitude)  must  protect  only  critical 
land  masses  from  ET  IP  debris.  For  these  cases,  no  margin  is  added  to  the  3-sigmci  footprint  beyond  the 
critical  land  mass  boundaries.  Critical  land  masses  are  determined  through  JSC,  ER,  and  State 
Departmen  t  agreements  considering  the  political  relations  with  the  U.S.  and  population  density.  The 
1990  ACTA  Incorporated  28.5-degree  inclination  hazards  analysis  shows  casualty  expectation  orders  of 
magnitude  for  Madagascar  of  10-2.  For  this  reason,  Madagascar  is  considered  a  critical  land  mass.  An 
abort  will  be  recommended  if  the  ET  IP  footprint  violates  the  PRESS  trajectory  limitations. 

Additionally,  if  the  ET  footprint  signifies  a  risk  to  the  eastern  U.S.  coastline,  real-time  action  will  be 
taken  to  correct  the  trajectory  (ref.  Rule  { A4-260 },  RANGE  SAFETY  LIMIT  AVOIDANCE  ACTIONS). 

When  multiple  performance-related  failures  occur,  as  noted  above  in  paragraph  E,  ET  IP  constraints 
will  no  longer  be  protected  due  to  substantial  risks  to  the  flightcrew  and  vehicle.  With  the  exception  of 
the  OMS  engine  failure,  SSME  stuck  in  the  throttle  bucket,  and  multiple  SSME-out  cases,  the  remaining 
cases  are  the  result  of  a  vehicle  structural  failure  (exten  t  unknown). 

It  is  more  hazardous  to  perform  a  TAL  abort  (in  order  to  protect  ET  IP)  without  some  knowledge  of  the 
con  trol  capability  losses  due  to  this  failure.  By  pressing  to  orbit,  there  is  a  greater  chance  of  assessing 
the  damage  and  determining  any  new  crew  procedures,  if  required.  Multiple  SSME-out  cases  are 
considered  to  be  contingency  cases,  and  for  that  reason  the  ET  constraints  are  no  longer  protected.  An 
OMS  engine  failure  is  typically  detected  after  an  OMS  dump  (ATO  abort)  because  ET  IP  protection  has 
already  been  initiated.  Here,  a  TAL  abort  is  considered  hazardous  as  a  TAL  abort  would  require  a 
second  abort  declaration  and  the  initiation  of  a  second  (con  tingency)  dump  which  would  necessitate 
manual  procedures.  These  cases  are  considered  in-flight  contingencies,  outside  the  program  recognized 
failure  cases. 

Rules  (A4-1J,  PERFORMANCE  ANALYSES;  {A4-55A},  DESIGN  AND  CRITICAL  MECO 
UNDERSPEED  DEFINITIONS;  and  {A4-56E},  PERFORMANCE  BOUNDARIES,  reference  this  rule. 
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A2-63  ASCENT  STRING  REASSIGNMENT 

A.  PRE-MECO,  RESTRINGING  WILL  BE  PERFORMED  TO  REGAIN  SSME 
THROTTLE  COMMAND  CAPABILITY  NECESSARY  TO  AVOID  AN 
RTLS/TAL/ CONTINGENCY  ABORT,  SUBJECT  TO  THE  FOLLOWING: 

1.  IF  THE  BFS  IS  NOT  AVAILABLE,  RESTRINGING  WILL  NOT  BE 
PERFORMED  TO  AVOID  AN  RTLS  OR  TAL  ABORT  PROVIDED  A 
RESTRING  IS  NOT  REQUIRED  TO  SUPPORT  THE  ABORT. 

2.  RESTRINGING  WILL  BE  PERFORMED  TO  AVOID  A  CONTINGENCY 
ABORT  INDEPENDENT  OF  THE  BFS  STATUS. 

NOTE:  THE  LAST  TIME  A  RESTRING  CAN  BE  COMPLETED  TO  REGAIN 

UPHILL  CAPABILITY  WILL  BE  DETERMINED  IN  REAL  TIME. 

The  SSME’s  are  throttled  down  for  maximum  dynamic  pressure  control  in  first  stage.  If  an  SSME 
experiences  a  command  path  failure  while  in  the  thrust  bucket,  the  ARD  will  be  used  to  evaluate  the 
effect  of  the  stuck  throttle  on  vehicle  performance.  On  performance  critical  missions,  an  RTLS  or  TAL 
may  be  required  even  though  the  remaining  two  SSME’s  have  nominal  performance;  a  contingency  abort 
may  be  required  when  a  separate  SSME  has  failed  or  is  operating  with  off-nominal  performance. 
Therefore,  restringing  will  be  performed  to  regain  SSME  throttle  command  capability  if  doing  so  will 
regain  uphill  capability  or  avoid  an  RTLS,  TAL,  or  contingency  abort.  The  BFS  is  normally  required  to 
protect  against  the  low  probability  occurrence  that  the  restring  action  may  result  in  loss  of  the  PASS  set. 
If  the  BFS  is  not  available  and  a  restring  is  required  to  support  the  abort  (pre-  or  post-ET  SEP),  no 
advantage  exists  with  aborting  RTLS/TAL  instead  of  restringing  to  regain  throttle  capability.  For  these 
cases,  restringing  is  acceptable  to  regain  throttle  command  capability  and  avoid  the  abort  independent 
of  the  BFS  status. 

The  last  time  a  restring  can  be  completed  to  regain  uphill  capability  will  be  determined  by  the  FDO. 

This  time  will  change  as  a  function  of  the  winds  of  the  day,  SRB  performance,  SSME  performance,  and 
SSME  throttle  setting  of  the  nonthrottling  engine.  Therefore,  this  time  will  be  determined  by  the  ARD  in 
real  time. 
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A2-63  ASCENT  STRING  REASSIGNMENT  (CONTINUED) 

B.  POST-MECO: 

1.  PRE-ET  SEPARATION:  RESTRING  WILL  ONLY  BE  PERFORMED  IF 
REQUIRED  TO  REGAIN  THE  APPROPRIATE  NUMBER  OF  RCS  JETS 
REQUIRED  FOR  RTLS  ET  SEPARATION  OR  NOM/TAL  ET  SEPARATION. 


ET  separation  cannot  be  performed  without  sufficient  RCS  jet  con  trol  authority.  RTLS  ET  separation 
is  especially  critical  because  of  the  increased  number  of  RCS  jets  required  for  mated  coast  and  ET 
separation.  Additionally,  for  either  RTLS  or  TAL,  delaying  ET  separation  is  not  an  option.  For 
nominal  conditions,  ET  separation  can  be  delayed  allowing  more  time  to  configure  for  the  restring. 

2.  POST-ET  SEPARATION: 

a.  RESTRING  WILL  NOT  BE  PERFORMED  PRIOR  TO  ACHIEVING  A 
SAFE  ORBIT  EXCEPT  FOR  THE  FOLLOWING: 

(1)  RESTRING  TO  MAINTAIN  SINGLE-FAULT  TOLERANCE. 

(2)  RESTRING  TO  REGAIN  INSIGHT  FOR  AN  UNRELATED 
CRITICAL  SYSTEM  FAILURE  WHERE  THE  FAILED  STRING 
MASKS  THE  SYSTEM  PROBLEM  ANALYSIS. 

(3)  IF  UNDERSPEED  CONDITIONS  EXIST  SUCH  THAT  AN  OMS-1 
BURN  IS  REQUIRED  AT  MECO  PLUS  2  MINUTES, 

RESTRING  WILL  NOT  BE  PERFORMED  PRIOR  TO  OMS-1 
UNLESS  REQUIRED  TO  MAINTAIN  BOTH  OMS  ENGINES. 

THIS  RULE  CONTINUED  ON  NEXT  PAGE 
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A2-63  ASCENT  STRING  REASSIGNMENT  (CONTINUED) 

The  desire  is  to  rely  upon  system  fault  tolerance  capability  (BFS  is  coun  ted  as  a  level  of  redundancy) 
during  the  uphill  phases  of  the  mission  when  a  safe  orbit  has  not  yet  been  established  and  thereby  reduce 
the  risks  that  may  be  associated  with  restringing  (possible  GPC  failure,  set  split,  etc.).  Additionally, 
because  the  timeline  is  leading  into  a  quiescent  orbit  phase  ( versus  a  more  dynamic  entry  phase),  greater 
emphasis  is  placed  on  the  existing  systems  capability,  as  long  as  fault  tolerance  exists,  rather  than 
restringing  to  regain  full  capability. 

For  off-nominal  MECO  conditions  where  the  OMS-1  TIG  is  required  at  MECO  plus  2  minutes,  restring 
will  not  be  attempted  in  order  to  focus  atten  tion  on  the  critical  OMS-1  burn  and  preclude  restring  error 
from  jeopardizing  OMS-1  execution.  The  exception  to  this  rule  is  when  less  than  two  OMS  engines  are 
available.  Because  of  the  large  underspeecl  both  OMS  engines  are  required  in  order  to  overcome  large 
drag  effects  and  achieve  the  desired  targets.  Downmoding  to  the  RCSfour  +X  jets  may  not  be  an  option 
because  of  the  magnitude  of  the  required  delta  V  and  the  low  thrust/long  burn  time  requirements 
associated  with  the  RCS. 

b.  RESTRING  WILL  BE  PERFORMED  AT  THE  NORMAL  OPS 
TRANSITION  TIME  FOR  AOA  OR  TAL . 

The  OPS  transition  software  is  designed  to  perform  restrings  and  is  a  certified  capability. 

C.  RESTRINGING  WILL  NOT  BE  PERFORMED  WITHOUT  PRIOR  MCC 
COORDINATION. 

The  MCC  is  prime  for  determining  when  restringing  is  required  as  a  result  of  mu  ltiple  failures  and  the 
resulting  GPC/string  assignments  required  to  satisfy  critical  capability  and  systems  fault  tolerance  as 
identified  in  the  preceding  rules.  The  MCC  is  prime  for  determining  the  acceptability  of  restringing 
based  upon  the  failure  signature  and  conditions  and  for  determining  an  acceptable  data  bus 
reassignment  configuration.  Av  a  minimum,  voice  description  of  the  failure  and  identification  of  the 
proposed  bus  reassignment  must  be  coordinated  with  the  MCC  prior  to  performing  any  restring. 
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A2-63  ASCENT  STRING  REASSIGNMENT  (CONTINUED) 

D.  RESTRING  GPC/STRING  COMBINATIONS  WILL  BE  SELECTED  WHICH  MOVE 
THE  LEAST  NUMBER  OF  STRINGS. 

The  greater  the  number  of  strings  moved  during  a  restring  attempt,  the  more  complicated  the  restring 
process.  With  this  in  mind,  “good”  strings  should  not  be  taken  from  “good”  GPC’s  unless  there  is  no 
other  method  of  regaining  critical  capability. 

E.  RESTRINGING  WILL  BE  PERFORMED  TO  REGAIN  CRITICAL  CAPABILITY 
INDEPENDENT  OF  THE  BFS  STATUS.  FOR  CASES  WHERE  RESTRINGING 
IS  ACCEPTABLE  TO  REGAIN  FAULT  TOLERANCE  (REF.  PARAGRAPH 

B . 2  .  a .  ( 1 )  )  ,  AN  ENGAGEABLE  BFS  MUST  BE  AVAILABLE. 

The  BFS  is  normally  required  when  restringing  is  performed  as  a  precaution  against  the  low  probability 
occurrence  that  the  restring  action  may  result  in  loss  of  the  PASS  set.  However,  when  the  vehicle  has 
sustained  failures  such  that  less  than  critical  capability  remains  (a  capability  which  must  be  maintained 
or  a  loss  of  crew/vehicle  will  result),  restringing  will  be  performed  to  regain  the  needed  capability 
independent  of  the  BFS  status  in  order  to  maintain  the  flying  status  of  the  orbiter. 

If  the  BFS  is  not  available  and  less  than  critical  capability  remains,  restring  is  allowed  to  recover  the 
PASS  capability  to  con  trol  the  orbiter.  If  the  BFS  is  available  and  conditions  are  such  that  either  a  BFS 
engage  or  a  dynamic  restring  will  recover  the  critical  capability,  restring  will  be  attempted  if  time 
permits  completion  of  the  restring  while  still  maintaining  the  BFS  engage  option. 

Rules  (A2-5J,  PORT MODING/RESTRINGING  GUIDELINES;  (A2-69J,  REGAIN  RCS  JETS  FOR  RTLS 
ET  SEPARATION;  {A7-9J,  REDUNDANT  SET  SPLIT;  {A7-102C}.4,  PASS  DATA  BUS  ASSIGNMENT 
CRITERIA;  {A7-52},  ASCENT/ENTRY  BFS  MANAGEMENT  GUIDELINES;  and  {A8-55},  ET 
SEPARATION  RCS  REQUIREMENTS  reference  this  rule. 
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A2-64  MANUAL  THROTTLE  CRITERIA 

MANUAL  THROTTLE  CONTROL  WILL  BE  PERFORMED  WHEN  REQUIRED  TO 
PROTECT  SYSTEMS  LIMITS,  GUIDANCE  SOFTWARE  PERFORMANCE,  OR  MISSION 
CAPABILITY.  REFERENCE  RULES  {A2-61},  Q-BAR/G-CONTROL ;  {A4-59}, 

MANUAL  THROTTLE  SELECTION;  {A5-112},  MANUAL  THROTTLEDOWN  FOR  L02 
NPSP  PROTECTION  AT  SHUTDOWN;  {A5-152DJ.1,  PRE-MECO  MPS  HELIUM 
SYSTEM  INTERCONNECTS  [OIL];  AND  {A5-155},  LIMIT  SHUTDOWN  CONTROL 
AND  MANUAL  THROTTLING  FOR  LOW  LH2  NPSP,  FOR  SPECIFIC  CASES 
INVOLVING  MANUAL  THROTTLE.  @[090894-1 676A]  @[041 097-491 0A]  ®[ED  ] 

Normally,  all  SSME  throttling  action  will  be  commanded  by  the  flight  software.  However,  manual 
throttling  can  relieve  certain  failure  conditions,  some  potentially  catastrophic,  which  are  not  protected 
by  software;  examples  include  low  SSME  NPSP,  an  unstable  guidance  solution,  or  any  generic  failure  of 
the  software  throttling  logic  itself.  In  addition,  manual  throttle  can  be  used  to  maximize  performance  in 
propellant-critical  TAL  cases  as  well  as  to  avoid  a  TAL  or  RTLS  abort  when  design  underspeed  is  limited 
by  NPSP.  In  these  scenarios,  the  use  of  manual  throttle  control  is  preferred  to  the  alternatives.  The 
referenced  rules  spell  out  the  background  and  criteria  for  manual  throttle  usage  in  each  case. 
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A2-65  QMS— 1  DELAYED  TARGET  CRITERIA 

THE  OMS-1  BURN  WILL  UTILIZE  DELAYED  TARGET  FOR: 

A.  MAIN  PROPULSION  SYSTEM  (MPS)  PROPELLANT  DISCONNECT  VALVE 
FAILED  OPEN. 

B.  ANY  OMS  PROPELLANT  FAIL/LEAK  OR  OMS  HE  TANK  FAIL. 

C.  TWO  OMS  ENGINES  FAILED. 

NOTE:  UNDERSPEED  MECO  CONDITIONS  MAY  REQUIRE  USE  OF  ON-TIME 

(MECO  +  2)  OMS-1  TARGETS. 

Delayed  targets  are  designed  for  nominal  or  small  underspeed  MECO  conditions  only.  Larger 
underspeeds  ( mission-dependent )  may  require  on-time  targets  to  remain  within  orbiter  delta  V  capability. 

For  OMS  propellant  or  helium  tank  leaks/failures,  significant  delta  V  capability  will  be  lost.  Also,  loss 
of  two  OMS  engines  implies  that  all  the  delta  V  maneuvers  will  be  accomplished  with  the  RCS  4  +X 
thrusters.  Performing  delta  V  maneuvers  with  the  RCS  requires  a  significant  amount  of  additional 
propellant  to  compensate  for  the  reduced  engine  efficiency  of  the  RCS  jets  as  compared  to  the  OMS 
engines.  For  these  cases ,  a  delayed  ATO  OMS-1  burn  is  performed  to  minimize  delta  V  requirements  for 
insertion  and  deorbit  and  allow  time  for  a  thorough  assessmen  t  of  the  delta  V  capability  remaining. 
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A2-66 


APU  SHUTDOWN  DELAY  CRITERIA 


IF  ORBIT  CAPABILITY  IS  QUESTIONABLE,  THE  APU' S  WILL  REMAIN  "ON" 
WITH  THE  HYDRAULIC  PUMPS  DEPRESSURIZED  UNTIL  THE  DECISION  IS  MADE 
TO  CONTINUE  TO  ORBIT.®[ED  ] 


A2-67 


ARD  UPDATE  CRITERIA 


FOR  SSME  FAILURE  CONDITIONS  CAUSING  PERFORMANCE  DISPERSIONS, 
ADJUSTMENTS  WILL  BE  MADE  TO  MIXTURE  RATIO,  POWER  LEVEL,  SPECIFIC 
IMPULSE,  AND/OR  FLIGHT  PERFORMANCE  RESERVE  VALUES  IN  THE  MCC 
ABORT  REGION  DETERMINATOR  (ARD)  PROGRAM. 

Rule  {A4-54},  ABORT  MODE  RESPONSIBILITY,  states  that  the  MCC  is  prime  for  abort  mode 
determination.  Pre-MECO,  the  primary  tool  used  to  fulfill  this  responsibility  is  the  ARD  processor, 
which  resides  in  the  SDPC  computer.  Its  predictions  of  abort  capability  are  contingent  upon  accurate 
modeling  of  SSME  performance  parameters  and  usable  ET  propellant  remaining.  Certain  SSME  failure 
conditions  such  as  Pc  sensor  shifts,  valve  drift  following  lockup,  etc.,  can  cause  the  actual  SSME 
performance  to  vary  considerably  from  that  assumed  by  the  ARD;  therefore,  capability  is  provided  to 
manually  update  the  applicable  performance  data  in  real  time.  SSME  parameters  are  updated  per 
recommendation  from  the  MCC  Booster  officer,  while  FPR  adjustments  are  made  by  the  Flight  Dynamics 
team  based  on  the  predicted  LOX  or  LH2  unusable  quantity  at  MECO.  Such  adjustments  are  necessary 
to  preserve  protection  at  the  2-sigma  level  when  propellants  are  being  consumed  at  a  lion-nominal 
mixture  ratio. 
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A2-68  ET  PHOTOGRAPHY 

THE  MANEUVERS  FOR  ET  PHOTOGRAPHY  WILL  BE  CANCELED  FOR  THE 
FOLLOWING  REASONS: 

A.  OMS  OR  RCS  PROPELLANT  OR  HELIUM  SYSTEMS  LEAKS  OR  TANK 
FAILURES . 

B.  KNOWN  LOSS  OF  AN  OMS  ENGINE. 

C.  LOSS  OF  MULTIPLE  PRIMARY  RCS  JETS. 

D.  KNOWN  LOSS  OF  VERNIER  RCS  ATTITUDE  CONTROL  WHICH  WOULD  RESULT 
IN  A  PROPELLANT-CRITICAL  MISSION. 

E.  MECO  UNDERSPEED  >26  FPS. 

F.  ATO  PRE-MECO  OMS  DUMP  HAS  BEEN  EXECUTED. 

G.  ET  IN  DARKNESS  AT  PHOTOGRAPHY  TIME  (EACH  METHOD  EVALUATED 
SEPARATELY) . 

There  are  two  methods  of  photographing  the  ET.  Method  1  utilizes  automatic  cameras  in  the  ET 
umbilical  wells  of  the  orbiter  and  requires  a  +X  translation  immediately  following  the  -Z  separation 
burn.  The  +X  maneuver  requires  about  120  pounds  of  RCS  propellant.  Method  2  utilizes  crew  handheld 
cameras  and  requires  an  orbiter  pitch  maneuver  following  the  MPS  dump.  Method  2  is  only  effective  on 
direct  insertion  flights  since  the  photographs  are  at  too  great  a  distance  for  any  detail  following  an 
OMS-1  burn.  Method  2  requires  about  70  pounds  of  aft  RCS  and  30  pounds  of  forward  RCS  propellant. 

Significant  failures  in  the  OMS  and  RCS  systems  (propellant  or  helium  leaks  or  tank  failures  or  OMS 
engine  failure  or  MECO  underspeeds  requiring  an  OMS-1  on  a  direct  insertion  flight  or  the  dumping  of 
propellant)  results  in  a  loss  of  delta-V  capability  and  the  ET  photography  propellant  may  be  needed  to 
accomplish  flight-critical  maneuvers  ( e.  g. ,  OMS-1,  deorbit )  or  for  entry  control. 

THIS  RULE  CONTINUED  ON  NEXT  PAGE 
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A2-68  ET  PHOTOGRAPHY  (CONTINUED) 

The  loss  of  multiple  primary  RCS  jets  requires  conservatism  in  the  use  of  the  remaining  jets  since  they 
are  required  for  on-orbit  and  entry  control. 

Loss  of  the  vern  ier  RCS  attitude  control  capability  due  to  MDM  or  electrical  bus  failure  can  result  in 
significant  mission  impact  depending  on  the  mission.  For  those  missions  where  loss  of  VRCS  results  in 
the  loss  of  high-priority  objectives,  the  ET  photograph  should  be  canceled  to  maximize  high-priority 
objectives. 

Consideration  of  lighting  at  ET  photography  time  is  not  a  constraint  for  launch.  ET  photography 
typically  is  scheduled  on  all  flights  where  at  least  part  of  the  launch  window  allows  sunlight  for  the 
photos.  Photos  of  the  ET  in  darkness  are  not  useful.  If  lighting  changes  during  the  launch  window,  ET 
photography  can  be  planned  and  trained  for  but  will  be  canceled  if  sunlight  will  not  be  present  at  the 
same  time  photos  are  to  be  taken.  Each  of  the  two  methods  will  be  evaluated  on  its  own  lighting 
conditions. 

If  the  ET  separation  will  be  in  darkness,  the  +X  translation  should  not  be  executed  because  this 
translation  increases  the  distance  between  the  orbiter  and  the  ET  for  photos  using  method.  @[072398- 
6530  ] 

Three-sigma  navigation  errors  can  result  in  MECO  underspeeds  of  up  to  26fps.  Greater  underspeeds 
indicate  significant  performance  anomalies  requiring  care  in  the  expenditure  of  propellant.  Therefore, 
any  maneuver  associated  with  ET  photography  (translations  or  rotations )  should  be  deleted  for 
underspeeds  greater  than  26fps.  @[072398-6530  ] 
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A2-69  REGAIN  RCS  JETS  FOR  RTLS  ET  SEPARATION 

DURING  RTLS,  FOR  THE  LOSS  OF  MORE  THAN  ONE  RCS  JET  USED  FOR  MATED 
COAST  RATE  DAMPING,  ET  SEPARATION,  OR  ATTITUDE  CONTROL  THROUGH 
THE  ALPHA  RECOVERY  PHASE,  RECOVERY  WILL  BE  ATTEMPTED  IF  THE 
FAILURE  IS  DUE  TO  DPS  FAILURES  OR  LOSS  OF  RCS  RM.  RESTRING  WILL 
BE  PERFORMED  POST-MECO/PRE-ET  SEP  PER  RULE  {A2-63},  ASCENT  STRING 
REASSIGNMENT.  ALL  OTHER  ACTIONS  WILL  BE  ACCOMPLISHED  ASAP 
(PREFERABLY  PRE-MECO) . 

Recent  aerodynamic  studies  show  that  early  RCS  jet  aerodynamic  models  were  incomplete  with  respect  to 
jet  failure  effects  for  RTLS  ET  separation.  With  worst  case  aero  assumptions  and  generic  mass 
properties,  a  successful  RTLS  ET  separation  can  be  accomplished  with  little  more  than  1-sigma  aero 
variations,  and  in  that  case  large  attitude  errors  will  be  incurred.  It  is  nearly  certain  that  the  crew 
would  engage  the  BFS  if  large  attitude  errors  occurred  in  a  dynamic  time  frame. 

While  either  dynamic  restringing  or  the  use  of  RCS  jets  without  redundancy  managemen  t  automatic 
deselection  is  subject  to  certain  risks,  the  probabilities  have  been  judged  to  be  much  less  likely  than  the 
1-sigma  aero  variations  that  are  described  above.  Additionally,  BFS  engage  at  ET  separation  with 
strings  down  in  the  PASS  has  been  documented  by  several  BFS  DR’s  that  lead  to  catastrophic  failure. 

Therefore,  the  lowest  risk  option  when  multiple  RCS  jets  are  lost  prior  to  ET  separation  on  an  RTLS  is  to 
perform  the  actions  required  to  regain  (or  prevent  loss  of)  the  jets  required  for  attitude  control  in  the 
dynamic  phases.  The  jets  involved  are  the  down,  part  of  the  up,  and  all  of  the  left  and  right  firing  jets 
(loss  of  +X,  -X,  and  +Z  forward  jets  is  no  impact).  Actions  would  include:  reselecting  jets  that  have 
been  erroneously  deselected  for  loss  of  instrumentation  (oxidizer  or  fuel  injector  temperature,  chamber 
pressure,  manifold  valved  discretes);  or  inhibiting  RMfrom  deselecting  them  in  the  future;  or  flight- 
critical  string  port  mode;  or  dynamic  restring.  All  actions  except  restring  would  be  performed  ASAP. 
Restring  would  be  performed  immediately  post-MECO/pre-ET  sep  as  described  in  Rule  {A2-63B}.!, 
ASCENT  STRING  REASSIGNMENT.  Rule  / A8-55  j,  ET  SEPARATION  RCS  REQUIREMENTS,  should 
be  understood  to  protect  only  I -sigma  aero  variations  for  RTLS  abort  ET  separation  conditions.  This 
rules  defines  what  action  will  be  taken  operationally  to  improve  protection  for  aero  variations. 

Only  appropriate  actions  will  be  taken,  e.g.,  restring  is  only  to  be  used  in  the  cases  where  it  will  restore 
the  jets  (GPC  failure,  GPC  port  failu  re). 

There  are  other  situations  ( i.  e. ,  MDM  total  failure,  RJD  half -box  failure,  manifold  leaks,  etc.)  that 
cannot  be  solved  by  any  of  these  options.  Reference  Rules  {A2-63},  ASCENT  STRING 
REASSIGNMENT,  and  {A8-55},  ET  SEPARATION  RCS  REQUIREMENTS. 
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A2-70  DELAYED  TRANSATLANTIC  LANDING  (TAL)  ABORT 

IN  THE  WINDOW  BETWEEN  TWO-ENGINE  TAL  PLUS  10  SECONDS  AND  PRESS- 
TO-ABORT  TO  ORBIT  (ATO)  FOR  51.6  DEGREE  INCLINATION  MISSIONS,  THE 
SELECTION  OF  THE  TAL  ABORT  MAY  BE  DELAYED.  THIS  DELAY  WILL 
MAXIMIZE  EAST  COAST  ABORT  LANDING  (ECAL)  ABORT  COVERAGE  WHILE 
PRESERVING  INTACT  TAL  ABORT  MARGIN.  THE  FOLLOWING  GROUND  RULES 
SHALL  APPLY  TO  THE  EXECUTION  OF  A  DELAYED  TAL  ABORT:  ®[092602-5667A] 

A.  PRIOR  TO  ABORTING  TAL,  A  MANUAL  OMS  DUMP  WILL  BE  INITIATED 
THROUGH  A  CREW  ITEM  ENTRY. 

B.  THE  TAL  ABORT  SHALL  BE  SELECTED  NO  LATER  THAN  THE  3-SIGMA 
MAIN  PROPULSION  SYSTEM  (MPS)  FLIGHT  PERFORMANCE  RESERVE  (FPR) 
PERFORMANCE  BOUNDARY  OR  THE  SINGLE-ENGINE  OPS  3  BOUNDARY 
(REF.  RULE  {A4-56G},  PERFORMANCE  BOUNDARIES),  WHICHEVER  COMES 
FIRST . 

C.  DELAYING  THE  SELECTION  OF  THE  TAL  ABORT  SHALL  NOT  APPLY  FOR 
THE  FOLLOWING  SCENARIOS: 

1.  LOSS  OF  COMMUNICATION 

2.  SIGNIFICANT  UNCERTAINTY  EXISTS  IN  THE  3-SIGMA  MPS  FPR 
PERFORMANCE  BOUNDARY. 

In  accordance  with  feasibility  studies  and  risk  trade  assessmen  ts  brought  to  the  Ascent/Entry  Flight 
Techniques  Panel  and  the  Space  Shuttle  Program  Office,  delayed  TAL  shall  be  implemented  on  all  ISS 
missions  starting  with  STS-110.  The  delayed  TAL  trajectory  results  in  a  groundtrack  that  is  closer  to  the 
Eastern  coast  of  the  Un  ited  States  than  if  the  TAL  abort  had  not  been  delayed.  The  benefits  of  a  delayed 
TAL  trajectory  include  increased  ECAL  landing  opportunities  and  improved  bailout  survival/recovery 
probabilities  while  maintaining  intact  TAL  performance  margins  to  no  less  than  a  3-sigmci  confidence 
level.  These  benefits  come  at  the  expense  of  delayed  single-engine  performance  boundaries  and  cm 
extended  Space  Shuttle  Main  Engine  (SSME)  run  time  that  vary  as  a  function  of  the  TAL  delay  time. 

An  ITEM  9  OMS  propellant  dump  will  be  initiated  prior  to  the  TAL  abort  to  improve  intact  TAL 
performance  margins  during  the  TAL  delay  period.  The  ECAL  trajectory  will  also  benefit  from  an  early 
ITEM  9  OMS  propellan  t  dump  because  of  cm  overall  reduction  in  orbiter  weight  that  should  improve 
safety  margins  with  respect  to  External  Tank  (ET)  separation  dynamics  and  overall  orbiter  load  factors. 
©[092602-5667 A  ] 

THIS  RULE  CONTINUED  ON  NEXT  PAGE 
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A2-70  DELAYED  TRANSATLANTIC  LANDING  (TAL)  ABORT 

(CONTINUED) 


The  TAL  abort  shall  be  initiated  at  the  earlier  of  the  3 -sigma  MPS  FPR  performance  boundary  for  the 
prime  TAL  site  or  the  single-engine  OPS  3  performance  boundary.  It  is  expected  for  early  engine-out 
cases  close  to  the  two-engine  TAL  performance  boundary  that  TAL  aborts  will  be  initiated  based  on  the 
3-sigma  MPS  FPR  performance  boundary.  Later  engine-out  cases  and  cases  that  implement  an  early 
ITEM  9  OMS  propellant  clump  are  likely  to  initiate  TAL  aborts  based  on  the  single-engine  OPS-3 
boundary.  ®[092602-5667A] 

Av  discussed  with  the  Flight  Director  Office  and  the  Space  Shuttle  Program  Office,  TAL  delay  will  not 
be  implemented  during  loss  of  communication  situations,  since  the  crew  may  not  be  aware  of  ground- 
determined  performance  boundaries  used  to  terminate  the  TAL  delay.  More  specifically,  if  there  is  no 
comm  at  the  time  of  the  SSME  failure,  the  crew  will  follow  the  normal  no-comm  mode  boundaries  and 
abort  as  required.  For  all  other  cases,  if  comm  is  subsequently  lost,  then  the  crew  will  abort  TAL  at 
the  no  comm  Vi  per  the  MCC  Delayed  TAL  abort  call.  Also,  TAL  delay  will  not  be  implemented  for 
any  scenario  that  results  in  a  significan  t  uncertainty  in  the  real-tune  determination  of  the  3 -sigma 
MPS  FPR  performance  boundary  in  the  ground  Abort  Region  Determination  (ARD)  processor.  In  this 
instance,  where  significant  uncertainty  exists,  it  is  conservative  to  abort  TAL  prior  to  the  3-sigma 
MPS  FPR  boundary  to  ensure  adequate  performance  margin  in  support  of  the  intact  TAL  trajectory. 
©[092602-5667A] 
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A2-101  VEHICLE  SYSTEMS  REDUNDANCY  DEFINITIONS 

A.  TWO-FAULT  TOLERANT  (FAIL  OPERATIONAL/FAIL  SAFE)  -  THE 
CONDITION  OF  AN  ORBITER  SYSTEM  WHERE  IT  IS  FULLY  CAPABLE  OF 
PERFORMING  ITS  CRITICAL  FUNCTIONS  WITH  THE  ABILITY  TO 
SUSTAIN  ANY  TWO  FAILURES  (WITHIN  THE  SYSTEM)  AND  STILL  HAVE 
THE  CAPABILITY  TO  SAFELY  DEORBIT  AND  LAND  THE  ORBITER. 

@[101796-4561  A] 

B.  ONE-FAULT  TOLERANT  (FAIL  SAFE)  -  THE  CONDITION  OF  AN  ORBITER 
SYSTEM  WHERE  IT  IS  FULLY  CAPABLE  OF  PERFORMING  ITS  CRITICAL 
FUNCTIONS  WITH  THE  ABILITY  TO  SUSTAIN  ANY  ONE  FAILURE  AND 
STILL  HAVE  THE  CAPABILITY  TO  SAFELY  DEORBIT  AND  LAND  THE 
ORBITER. 

C.  ZERO-FAULT  TOLERANT  (FAIL  CRITICAL)  -  THE  CONDITION  OF  AN 
ORBITER  SYSTEM  WHERE  THE  SYSTEM  IS  FULLY  CAPABLE  OF 
PERFORMING  ITS  CRITICAL  FUNCTIONS  BUT  IS  UNABLE  TO  SUSTAIN 
ONE  OR  MORE  ADDITIONAL  FAILURES  AND  STILL  HAVE  THE  CAPABILITY 
TO  SAFELY  DEORBIT  AND  LAND  THE  ORBITER. 

D.  UNFLYABLE  -  A  SYSTEM  CONDITION  WHERE  THE  ORBITER  IS  INCAPABLE 
OF  PERFORMING  A  SUCCESSFUL  ENTRY  AND  LANDING.  @[101 796-4561  A] 


VOLUME  A  06/20/02  FINAL  FLIGHT  OPERATIONS  2-93 

Verify  that  this  is  the  correct  version  before  use. 


NASA  -  JOHNSON  SPACE  CENTER 


FLIGHT  RULES 


A2-102  MISSION  DURATION  REQUIREMENTS 

THE  FOLLOWING  CRITERIA  WILL  APPLY  TO  PREMISSION  AND  REAL-TIME 
MISSION  DURATION  DECISIONS: 

A.  NOMINAL  EOM  LANDING  WILL  OCCUR  NO  EARLIER  THAN  THE 

BEGINNING  OF  THE  FIFTH  DAY  OF  FLIGHT  (APPROXIMATELY  96 
HOURS)  .  @[101796-4561  A] 

To  aid  in  postmission  orbiter  turnaround  planning  in  support  of  the  number  of  shuttle  flights  possible  in 
a  year,  it  was  necessary  to  define  the  constraints  for  a  nominal  mission.  For  a  nominal  mission,  the 
minimum  duration  is  designed  to  ensure  a  high  probability  of  having  a  healthy  crew  for  entry  and 
landing,  such  that  an  EOM  landing  would  not  be  attempted  or  planned  prior  to  FD5.  This  provides  a 
reasonable  amount  of  exposure  of  the  crew  to  zero-g  for  SAS  conditioning. 

B.  THE  FLIGHT  WILL  NORMALLY  CONTINUE  TO  NOMINAL  END  OF  MISSION 

(NEOM)  FOR  THE  FIRST  FAILURE  WHICH  IMPACTS  AN  ENTRY-CRITICAL 
SYSTEM.  IF  THE  SYSTEM  IS  NO  LONGER  FAIL-SAFE,  A  THOROUGH 
TECHNICAL  REVIEW  OF  THE  FAILURE  MODE  AND  REMAINING  SYSTEMS 
CAPABILITY  WILL  BE  CONDUCTED  TO  DETERMINE  WHETHER  NEOM  IS 
APPROPRIATE  .  @[101 796-4561  A] 

IF  THIS  ASSESSMENT  DETERMINES  THAT  A  GENERIC  FAILURE  OR 
GENERIC  GROUND  PROCESSING  PROBLEM  HAS  OCCURRED  AND  MAY  AFFECT 
THE  REMAINING  SYSTEMS,  TERMINATE  THE  FLIGHT  PLS . 

A  single  failure  in  any  system  which  leaves  that  system  with  single-fault  tolerance  is  an  acceptable 
configuration  to  continue  to  NEOM.  For  single  failures  that  result  in  less  than  fail-safe  redundancy,  a 
real-time  assessment  of  the  failure  mode,  remaining  systems’  capability,  health,  history,  and  redundancy 
will  be  completed  to  exonerate  generic  failures,  common  ground  processing  errors,  etc.  The 
APU /hydraulic  system  is  not  fail  safe  after  the  loss  of  one  system  since  the  orbiter  is  not  certified  for 
single  APU  operations.  After  the  first  failure,  the  IMU  and  FCS  are  fail  safe  with  the  exception  of 
certain  “smart  failures  ”  to  occur  during  a  certain  timeframe  during  entry.  For  the  IMU,  FCS  channel, 
or  associated  MDM,  the  risk  will  be  re-assessed  based  on  the  latest  run-time  and  failure  history. 
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A2-102  MISSION  DURATION  REQUIREMENTS  (CONTINUED) 


A  risk  assessment  of  the  IMU,  FCS,  APU /hydraulic  system,  and  MDM  was  completed  by  the  AEFTP  in 
1996  (reference  AEFTP  # 131  and  6/96  AEFTP  splin  ter  meeting).  This  assessment  was  quantitative  for 
those  items  which  have  a  sufficient  statistical  failure  database,  but  relied  on  engineering  judgment  for 
other  items.  This  assessmen  t  concluded  that  the  relative  risk  of  remaining  on-orbit  to  NEOM  rather  than 
returning  MDF  for  the  first  failure  in  these  systems  is  less  than  the  launch  risks  and  orbital  debris  risks. 
This  risk  is  acceptable  as  long  as  the  remaining  systems  are  good  and  generic  problems  are  exonerated. 

The  following  should  be  considered  when  making  a  flight  determination  decision:  crew  and  vehicle 
health,  vehicle  mass  properties,  weather,  trajectory,  and  landing  site. 

Reference  Rule  / A2-1001 },  ORBITER  SYSTEMS  GO/NO-GO,  for  the  number  of  failures  in  each  system 
which  result  in  early  mission  termination.  Reference  Rules  {A2-207J,  LANDING  SITE  SELECTION; 
{A10-21A},  LOSS  OF  APU /HYDRAULIC  SYSTEM(S)  ACTIONS;  and  {A10-23A},  APU  ENTRY  START 
TIME.  @[101796-4561  A]  ®[ED  ] 

C.  FOR  A  SECOND  FAILURE  AFFECTING  ANY  ENTRY-CRITICAL  SYSTEM 
@[101 796-4561  A] 

1.  TERMINATE  THE  FLIGHT  NEXT  PLS  IF  THE  AFFECTED  SYSTEM  HAS 
LOST  ALL  FAULT  TOLERANCE  OR  IF  THE  FAILURE  IS  CONSIDERED 
TO  BE  GENERIC. 

2.  CONTINUE  THE  FLIGHT  TO  MDF  IF  THE  ORBITER  IS  ONLY  SINGLE¬ 
FAULT  TOLERANT  IN  ORDER  TO  ACCOMPLISH  DEPLOYMENT  OF  A 
PRIMARY  PAYLOAD  AND  TO  ENSURE  CREW  ADAPTATION,  BOTH  OF 
WHICH  REDUCES  THE  OVERALL  RISK  TO  THE  CREW  AND  ORBITER. 

NOTE:  AN  MDF  WILL  LAST  APPROXIMATELY  72  HOURS  AND 

LANDING  WILL  OCCUR  AT  THE  PLS  PRIOR  TO  THE  END  OF 
THE  FLIGHT  DAY  4. 

Multiple  failures  in  an  entry  critical  system,  even  though  it  remains  single-fault  tolerant,  may  be 
indicative  of  a  generic  failure;  Exposure  to  additional  failures  should  be  minimized  by  early  termination 
of  the  mission. 
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A2-102  MISSION  DURATION  REQUIREMENTS  (CONTINUED) 

D.  MDF  GENERIC  PAYLOAD  RULES 

1.  THE  DEORBIT  OPPORTUNITY  WILL  NOT  BE  DELAYED  FOR  THE 
PURPOSE  OF  ACCOMPLISHING  PAYLOAD  OBJECTIVES. 

2.  FIRST  PRIORITY  WILL  BE  THE  ACCOMPLISHMENT  OF  THE  MINIMUM 
MISSION-SUCCESS  OBJECTIVES  OF  THE  PRIMARY  PAYLOAD (S). 

3.  LOWER  PRIORITY  MISSION  OBJECTIVES  WILL  BE  CONSIDERED  IN 
THE  PRIORITY  ORDER  AS  STATED  FOR  A  NOMINAL  MISSION. 
@[101796-4561  A] 

4.  SIGNIFICANT  CONTINGENCY  OPERATIONS,  E.G.,  AN  UNSCHEDULED 
EVA  OR  A  CONTINGENCY  RENDEZVOUS,  WILL  BE  UNDERTAKEN  ONLY 
IF  ALL  THE  FOLLOWING  ARE  MET  :  @[101796-4561  A] 

a.  IT  IS  NEEDED  TO  ACCOMPLISH  A  MINIMUM  MISSION-SUCCESS 
OBJECTIVE  FOR  A  PRIMARY  PAYLOAD. 

b.  THE  OPERATION  WOULD  NOT  RESULT  IN  AN  IMPACT  TO  THE 
MINIMUM  MISSION  SUCCESS  OF  ANOTHER  PRIMARY  PAYLOAD. 

C.  RULE  { A1 3-1 01},  SCHEDULED  AND  UNSCHEDULED  EVA 
CONSTRAINTS,  IS  SATISFIED. 
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A2-102  MISSION  DURATION  REQUIREMENTS  (CONTINUED) 

E.  A  NEXT  PLS  DEORBIT  WILL  BE  EXECUTED  AT  THE  EARLIEST  PRACTICAL 
TIME  TO  A  CONUS  LANDING  SITE  FOR  FAILURES  WHICH  PLACE  THE 
ORBITER  SYSTEM  AT  THE  ZERO-FAULT  TOLERANT  LEVEL  OR  RESULT  IN 
A  CONDITION  WHERE  ONE  MORE  FAILURE  CAUSES  A  SEVERE  ORBITER 
CONFIGURATION  MANAGEMENT  CONDITION.  CONUS  LANDING  SITE 
SELECTION  SHALL  PROVIDE  FOR: 

1.  LANDING  SITE  PRIORITY  (REF.  RULE  {A2-207},  LANDING  SITE 
SELECTION) 

a.  PLS 

b.  SLS 

c.  ANY  CONUS  SITE 

2.  EOM  LANDING  CONSTRAINTS  (CROSSRANGE,  LIGHTING,  WEATHER, 
AND  BACKUP  OPPORTUNITIES) 

3.  CREW  SCHEDULE  CONSTRAINTS 

4.  A  NOMINAL  DEORBIT  PREPARATION  TIMELINE  IF  POSSIBLE; 
OTHERWISE,  A  MINIMUM  OF  3.5  HOURS  DEORBIT  PREPARATION 

@[101796-4561  A] 
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A2-102  MISSION  DURATION  REQUIREMENTS  (CONTINUED) 

F.  IF  A  FAILURE  OCCURS  THAT  WOULD  NORMALLY  CAUSE  AN  MDF  BUT  THE 
TIME  OF  FAILURE  IS  PAST  72  HOURS  FLIGHT  DURATION,  A  LANDING 
WILL  BE  ACCOMPLISHED  AT  THE  NEXT  PLS  OPPORTUNITY  THAT 
PROVIDES  ADEQUATE  TIME  FOR  THE  NORMAL  EOM  TIMELINE  FOR 
VEHICLE  STOWAGE  AND  ENTRY  PREPARATION.  @[101796-4561  A] 


Since  a  failure  that  would  cause  declaration  of  an  MDF  is  a  reason  to  shorten  a  normal  flight,  further 
operations  of  a  payload/experiment  are  not  sufficien  t  reason  to  continue.  The  flight  would  be  terminated 
at  the  next  PLS  that  affords  time  to  accomplish  adequate  stowage  for  entry  and  also  allow  the  crew  to 
have  a  sufficient  sleep  period. 

G.  FOR  SOME  FAILURE  SITUATIONS  AND/OR  VIOLATION  OF  GO/NO-GO 

CRITERIA  FOR  FLIGHT  CONTINUATION,  IT  IS  SAFER  TO  REMAIN  IN 
ORBIT  INSTEAD  OF  ENTERING  AT  THE  NEXT  LANDING  OPPORTUNITY. 
THAT  IS,  IF  THE  ADDITIONAL  TIME  CAN  BE  USED  TO: 

1.  BETTER  UNDERSTAND  THE  FAILURE  AND  ITS  IMPLICATION  ON 
ENTRY 

2.  VERIFY  SYSTEMS  CONFIGURATION  PROCEDURES  AND  PERFORMANCE 
PRIOR  TO  ENTRY 

3.  PROVIDE  ADEQUATE  TIME  FOR  CREW  REST  THE  NIGHT  BEFORE 
ENTRY 

4.  PROVIDE  THE  OPPORTUNITY  TO  ACCOMPLISH  ACTIVITIES  THAT 
COULD  ENHANCE  ORBITER  ENTRY/LANDING  CONDITIONS  @[101 796-4561  A] 

Rules  { A2-202J ,  EXTENSION  DAY  GUIDELINES;  (A7-1001J,  DPS  GO/NO-GO  MATRIX;  and  { A8-4B }. 
FA  ULT  TOLERANT  PHILOSOPHY  reference  this  rule.  ®[ED  ] 
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A2-103  EXTENSION  DAY  REQUIREMENTS 

A.  ALL  STS  FLIGHTS  ARE  REQUIRED  TO  HAVE  2  EXTENSION  DAYS. 
EXTENSION  DAYS  WILL  BE  UTILIZED  AS  FOLLOWS: 

1.  ONE  OF  THE  2  EXTENSION  DAYS  IS  UTILIZED  PRIMARILY 

FOR  ACHIEVING  ACCEPTABLE  LANDING  WEATHER  CONDITIONS 
(REF.  RULES  {A2-6},  LANDING  SITE  WEATHER  CRITERIA 
[ HC ] ;  { A4-107A} . 3,  PLS/EOM  LANDING  OPPORTUNITY 

REQUIREMENTS;  AND  {A4-111},  RUNWAY  ACCEPTABILITY 
CONDITIONS)  .  ®[1 11 094-1 622B] 


An  extension  day  must  be  allocated  in  orbiter  resources  to  allow  for  improvement  in  weather  conditions 
forecast  at  the  PLS.  A  1-day  extension  on  orbit  is  preferred  to  preclude  loss  of  postflight  payload 
samples/data  and  to  maintain  full  postlanding  ground  processing  support  at  the  PLS. 

2.  THE  OTHER  EXTENSION  DAY  (DEORBIT  WAVE-OFF)  IS  UTILIZED 
FOR  AN  ORBITER  SYSTEMS  CONTINGENCY  WAVE-OFF. 


A  second  extension  day  must  be  allocated  to  allow  for  orbiter  system  problems  which  cause  an  unsafe  or 
compromised  configuration  for  entry.  The  1-day  wave-off  (which  includes  a  deorbit  preparation)  allows 
time  to  understand  a  problem  or  to  arrive  at  the  best  entry  configuration. 

B.  REAL-TIME  CONSIDERATIONS  TO  EXTEND  THE  FLIGHT  FOR  ADDITIONAL 
PAYLOAD  OPERATIONS  MUST  INCLUDE  2  EXTENSION  DAY  CAPABILITY. 

The  orbiter  should  not  be  exposed  to  unsafe/compromised  entry  conditions  to  further  payload  data  return 
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A2-103  EXTENSION  DAY  REQUIREMENTS  (CONTINUED) 

C.  IF  ORBITER  SYSTEMS  CONFIGURATION  MEETS  EOM  CRITERIA,  THEN  IN 
ORDER  TO  PROTECT  FOR  AN  UNSCHEDULED  EVA:  @[090894-1 670B] 

1.  PAYLOAD  OR  STS  ARTICLES  WHICH  HAVE  DEMONSTRATED  STOW 
REDUNDANCY  AND  MUST  BE  MECHANICALLY  SECURED  FOR  A  SAFE 
ENTRY/LANDING  WILL  BE  ALLOWED  TO  OPERATE  UNSECURED  UNTIL: 

a.  THE  BEGINNING  OF  THE  LAST  NON-ENTRY  CREW  WORKSHIFT 
PRIOR  TO  ENTRY  FOR  CREW  DUAL  WORKSHIFT  (24-HOUR 
CYCLE)  FLIGHTS. 

b.  THE  BEGINNING  OF  PRESLEEP  ON  THE  SLEEP  SHIFT  PRIOR  TO 
DEORBIT  DAY  FOR  CREW  SINGLE  WORKSHIFT  FLIGHTS 
(APPROXIMATELY  TIG  -  19  HOURS) . 

2.  ARTICLES  WHICH  HAVE  NOT  DEMONSTRATED  STOW  REDUNDANCY  WILL 
BE  STOWED  AT  LEAST  1  DAY  EARLIER  THAN  THE  TIMES  DEFINED 
IN  PARAGRAPH  C.l  IN  ORDER  TO  SUPPORT  A  LANDING  ON  THE 
NOMINAL  EOM  NO  LATER  THAN  THE  BEGINNING  OF  THE  CREW 
WORKDAY  PRIOR  TO  ENTRY. 

3.  (FLIGHT  SPECIFIC  EXCEPTION)  EXCEPTIONS  TO  THESE 

TIMELINES,  IN  ORDER  TO  ACHIEVE  MANDATORY  PAYLOAD  MISSION 
OBJECTIVES,  MUST  BE  JUSTIFIED  IN  THE  FLIGHT  SPECIFIC 
ANNEX  .  @[090894-1 670B] 

If  the  orbiter  systems  meet  EOM  criteria,  it  is  an  acceptable  risk  to  allow  a  payload  to  operate  late  in 
flight  which  may  require  an  unscheduled  EVA  to  occur  on  nominal  EOM  day  to  safe  that  payload  for 
entry.  For  this  case,  a  landing  would  occur  on  the  first  extension  day.  If,  however,  a  payload  or  STS 
article  has  had  a  failure  in  one  of  its  redundan  t  stow  or  jettison  systems,  then  it  must  be  mechan  ically 
secured  on  the  morning  ofEOM-1  to  allow  for  the  potential  of  an  unscheduled  EVA  on  the  end  of  that 
day  to  secure  the  article.  A  nominal  deploy  (release)  of  a  drive  mechanism  which  uses  a  different 
actuator/motors/motor  windings  to  deploy  and  stow  (or  release/latch)  does  not  verify  the  integrity  of  the 
drive  mechanism’s  stow  (latch)  capability.  Therefore,  allowing  operation  of  this  type  of  system  late  in 
flight  is  not  warranted. 
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A2-103  EXTENSION  DAY  REQUIREMENTS  (CONTINUED) 

For  dual-crew  workshift  flights,  allowing  a  payload  or  STS  article  to  operate  unsecured  until  the 
beginning  of  the  last  non-entry  team  work  shift  (approximately  deorbit  TIG- 12  hours).  This  usually 
allows  for  sufficient  time  to  begin  work  on  an  unscheduled  EOM  day  EVA,  with  entry  occurring  on  the 
first  extension  day.  The  specific  timeline  invoked,  however,  should  consider  the  n  umber  of  articles  to  be 
secured,  the  time  required  for  the  EVA  task(s),  crew  sleep  shifting,  and  assignment  of  EVA/IVA  crews.  A 
14. 7  psi  protocol  is  normally  used,  and  the  total  EVA  task  time  requires  about  12  hours  (for  a  2-hour 
EVA,  with  equipmen  t  checks  and  post-EVA  activities ).  ©[090894-1670B] 

On  single-crew  workshift  flights,  EVA  work  to  secure  an  unsafe  payload  or  STS  article  must  begin  prior 
to  the  last  sleep  period.  EVA  would  occur  on  nominal  EOM  with  entry  on  the  first  extension  day.  A  10.2 
psi  cabin  is  usually  established  for  12  hours  in  support  of  approximately  9  hours  of  EVA  related  tasks 
(from  equipment  checks  to  post-EVA,  including  a  2-hour  EVA).  Delaying  article  stowage  until  the 
morning  of  entry  and  performing  a  14.7  psi  EVA  may  also  be  possible  if  required;  but  this  timeline  is  not 
the  preferred. 

Reference  Rule  (A2-104A.9},  SYSTEMS  REDUNDANCY  REQUIREMENTS. 

Rules  {A10-301C},  ANTENNA  STOW  REQUIREMENT  [CIL],  and  (A12-4J,  RMS  ACTIVITY 
TERMINATION,  reference  this  rule.  ©[090894-1670B]  @[090999-6930] 

D.  IF,  AT  THE  BEGINNING  OF  THE  CREW  WORKDAY  PRIOR  TO  ENTRY,  THE 
FORECAST  FOR  THE  WEATHER  CRITERIA  ELEMENTS  IN  RULE  {A2-6}, 
LANDING  SITE  WEATHER  CRITERIA  [HC],  VIOLATES  THE  LIMITS  AT 
EOM  PLUS  1  DAY  FOR  THE  PRIME  AND  SECONDARY  LANDING  SITES, 
THEN  ALL  ARTICLES  WHICH  MUST  BE  MECHANICALLY  SECURED  FOR  A 
SAFE  ENTRY/LANDING,  WILL  BE  SECURED  FOR  THE  REMAINDER  OF  THE 
FLIGHT.  @[090894-1 670B]  ®[1 1 1094-1 622B] 

Any  forecast  for  weather  criteria  that  violates  the  limits  given  in  Rule  {A2-6},  LANDING  SITE 
WEATHER  CRITERIA  [HC],  for  the  landing  on  EOM  plus  1  day  at  the  primary  and  secondary  landing 
sites  makes  a  potential  EVA  on  EOM  unacceptable.  Since  the  EOM  plus  1  day  deorbit  opportunity  is  not 
expected  to  be  available,  this  rule  ensures  that  an  EVA  to  secure  mechanical  devices  does  not  preclude 
using  the  nominal  deorbit  opportunity,  leaving  the  orbiter  with  only  the  one  chance  to  deorbit  on  EOM 
plus  2  days.  Securing  mechanical  devices  early  allows  a  nominal  deorbit  with  a  short  contingency  EVA 
on  the  nominal  EOM  minus  1  day  to  secure  devices  that  cannot  be  made  safe  for  entry  using  nominal 
procedures. 
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A2-103  EXTENSION  DAY  REQUIREMENTS  (CONTINUED) 

E.  THE  KU-BAND  DEPLOYED  ASSEMBLY  WILL  BE  STOWED,  AND/OR  THE 
MPM'S  AND  MRL'S  WILL  BE  STOWED  AND  LATCHED,  AS  SOON  AS 
PRACTICAL  IF  SYSTEMS  FAILURES  HAVE  RESULTED  IN  LOSS  OF 
STOW/LATCH  REDUNDANCY.  @[090894-1 670B] 

1 .  STOW/LATCH  OPERATIONS  MAY  BE  DELAYED  IN  ORDER  TO 
COMPLETE  MANDATORY  MISSION  OBJECTIVES  (REF.  RULE 
{A10-301A},  ANTENNA  STOW  REQUIREMENT  [CIL],  AND  THE 
FLIGHT  SPECIFIC  ANNEX)  .  @[090999-6930] 

2.  ANY  STOW/LATCH  OPERATION  DELAYS  WILL  PROTECT  FOR  AN  EOM-1 
DAY  EVA. 

The  Ku-Bcind  deployed  assembly  ( antenna  dish,  gimbal  motors,  and  deployed  electronics),  and/or  the 
MPM’s  and  MRL's  (2  of  3),  must  be  stowed/latched  in  order  to  close  the  Payload  Bay  Doors  for  entry. 
Without  redundant  stow/latch  capability,  this  equipment  is  zero-fault  tolerant  to  a  jettison  scenario. 
Therefore,  if  stow/latch  redundancy  is  not  available,  these  mechanisms  should  be  secured  as  soon  as 
possible  in  order  to  minimize  the  time  of  exposure  to  the  next  failure  which  would  require  a  jettison. 

The  Ku-Band  is  essen  tial  in  achieving  high  priority  mission  objectives  during  flights,  such  as  for 
rendezvous  operations  or  when  payload  data  cannot  be  permanently  stored  on  on-board  media.  Stowing 
the  antenna  immediately  after  stow  redundancy  has  been  lost  would  preclude  downlinking  this  high 
priority  payload  data,  and  therefore,  compromise  mission  success.  Likewise,  stowing/latching  the 
MPM's/MRL  ’s  immediately  after  redundancy  has  been  lost  could  also  preclude  mission  success.  For 
these  flights,  exceptions  may  be  justified.  However,  because  of  the  cost  and  difficulty  in  replacing  these 
mechan  isms,  achieving  even  mandatory  payload  mission  objectives  does  not  warran  t  the  risk  of  losing  an 
antenna  or  RMS.  Therefore,  Ku-Band  and  MPM/MRL  operations  will  be  discontinued  in  time  to  protect 
for  an  EOM-1  day  EVA.  ®[090894-1670B]  @[090999-6930] 

Reference  Rules  {A10-301A},  ANTENNA  STOW  REQUIREMENT  [CIL];  {A12-72A},  MPM 
DEPLOY/STOW  CONSTRAINTS;  and  [ A12-73 j,  MRL  CONSTRAINTS. 

Rules  {A6-303A},  OMS  REDLINES  [CIL];  and  { A15-14C },  SCHEDULED  AND  UNSCHEDULED  EVA 
CONSTRAINTS,  reference  this  rule.  @[051 194-1 61 2A] 
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A2-104  SYSTEMS  REDUNDANCY  REQUIREMENTS 

A.  SYSTEMS  MANAGEMENT  FOR  MISSION  DURATION 

1.  EVA  WILL  BE  CONSIDERED  AS  A  LEVEL  OF  REDUNDANCY  FOR  THE 
FOLLOWING  ORBITER  SYSTEMS  FAILURES  IN  ORDER  TO 
ACCOMPLISH: 

a.  HIGH  PRIORITY  FLIGHT  OBJECTIVES  (AS  DEFINED  IN  THE 
FLIGHT  SPECIFIC  ANNEX) . 

PAYLOAD  DEPLOYMENT  RETRIEVAL  SYSTEM  (PDRS)  -  END 
EFFECTOR  (EE)  RELEASE,  MPM  STOW,  MRL  LATCHES, 
SHOULDER  BRACE  RELEASE,  AND  RMS  CRADLE  (REF.  RULE 
{ A2-112C } ,  PDRS) . 

b.  MDF 

PAYLOAD  BAY  DOOR  (PLBD )  -  CLOSE  DRIVE  CAPABILITY 

DUE  TO  ELECTRICAL  OR  MECHANICAL  FAILURE  (REF.  RULE 
{A10-209H},  PLBD  RULE  REFERENCE  MATRIX)  .  ®[1 21 296-31 94B] 

EVA  capability  is  considered  an  acceptable  backup  to  system  redundancy  for  completion  of  high  priority 
flight  objectives  in  the  following  areas: 

a.  Crews  are  trained  to  EVA-release  the  end  effector  from  a  payload.  This  means  that,  if  all  capability 
to  release  a  payload  is  lost  except  one,  the  activity  will  be  continued  relying  on  the  EVA  release, 
should  the  last  remaining  mode  fail. 

EVA  procedures  also  exist  to  overcome  total  electrical  failure  of  the  MPM’s  and  MRL’s  and  can 
back  up  system  redundancy. 

In  all  of  the  above  cases,  the  orbiter  is  still  fail  safe  as  payload/RMS  jettison  capability  is  available 
should  it  be  required  before  the  EVA  could  be  implemen  ted  to  fix  a  problem. 

b.  EVA  procedures  and  tools  are  available  to  protect  against  total  failure  of  PLBD  drive  and  can  be 
used  to  back  up  system  redundancy.  An  EVA  for  these  tasks  is  protected  against  in  all  the 
consumable  redlines.  Reference  Rule  { A10-209H j,  PLBD  RULE  REFERENCE  MATRIX. 

®[1 21 296-31 94B] 
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A2-104  SYSTEMS  REDUNDANCY  REQUIREMENTS  (CONTINUED) 

2.  GPC  REDUNDANCY  REQUIREMENTS: 

a.  CONTINUE  TO  END  OF  MISSION  IF  NO  MORE  THAN  ONE  GPC 
HAS  FAILED.  @[101096-4516] 

This  will  allow  a  DPS  configuration  of  at  least  one  G2,  one  SM,  a  BFS,  and  one  computer  left  to  be 
configured  as  a  redundant  G2  or  G3FD,  depending  on  the  flight  requiremen  ts. 

b.  MINIMUM  DURATION  FLIGHT  CAN  BE  SUPPORTED  IF  NO  MORE 
THAN  TWO  GPC'S  HAVE  FAILED.  @[101096-4516] 

The  minimum  GPC  requirements  to  sustain  orbit  activities  are  a  G2  GPC,  an  SM  GPC,  and  a  BFS  GPC, 
i.e.,  three  GPC’s  total.  A  subsequent  GPC  failure  leaves  only  two  GPC’s,  which  would  be  used  as  a 
single  PASS  GPC  and  a  BFS  GPC  for  reentry.  Because  a  BFS  GPC  is  designed  as  a  backup  for  a 
generic  PASS  software  failure,  a  BFS  GPC  is  always  maintained  as  long  as  two  good  GPC’s  exist.  The 
case  of  three  remaining  GPC’s  is  considered  a  fail-safe  case;  i.e.,  with  an  additional  failure,  a  PASS 
GPC  is  still  available  for  vehicle  con  trol.  Spare  GPC  usage  (if  manifested)  is  not  considered  for  meeting 
requirements  because  of  concerns  about  potential  generic  GPC  failures  that  arise  when  two  GPC’s  have 
failed.  ®  [0921 95-1 798  ]  ®[1 21 296-31 94B] 

3.  FOR  FLIGHT-CRITICAL  SYSTEM  GENERIC  FAILURES,  TERMINATE 
THE  FLIGHT  AT  THE  NEXT  PLS  OPPORTUNITY. 

If  it  is  determined  that  there  is  a  generic  fault  (i.e.,  two  units  fail  with  identical  failure  signatures)  with  a 
flight-critical  system,  then  it  is  prudent  to  land  at  the  next  PLS  opportunity  in  order  to  minimize  exposure 
to  subsequen  t  failures. 

4.  OMS  PROPELLANT  IS  NOT  REQUIRED  TO  PROTECT  ONE  OMS-TO-RCS 
DOWNMODING  IF  BOTH  OMS  ENGINES  ARE  AVAILABLE.  OMS 
PROPELLANT  IS  REQUIRED  TO  PROTECT  DEORBIT  TO  OMS  STEEP 
ENTRY  TARGETS. 

Protecting  one  OMS-to-RCS  downmoding  requires  saving  additional  OMS  propellant  to  compensate  for 
the  reduced  engine  efficiency  of  the  RCS  jets  as  compared  to  the  OMS  engines.  Programmatic  guidelines 
do  not  cdlow  loading  this  additional  propellant,  so  redlining  this  quantity  may  result  in  cancellation  of 
planned  on-orbit  activities.  With  two  good  OMS  engines,  fail-safe  redundancy  for  the  deorbit  burn  is 
maintained  without  requiring  RCS  deorbit  capability.  Propellant  required  to  deorbit  to  steep  targets 
using  the  OMS  engines  will  be  protected. 
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5.  ELECTRICAL  POWER  REDUNDANCY: 

a.  THE  FLIGHT  WILL  CONTINUE  FOR  A  SINGLE  FAILURE  WHICH 
RESULTS  IN  LOSS  OF  ELECTRICAL  POWER  REDUNDANCY  TO 
MULTIPLE  ENTRY-CRITICAL  LRU'S. 

b.  THE  FLIGHT  WILL  BE  TERMINATED  NEXT  PLS  IF  A  SINGLE 
ELECTRICAL  FAILURE  IN  CONJUNCTION  WITH  ANY  OTHER 
EXISTING  FAILURE  WOULD  RESULT  IN  AN  UNFLYABLE 
CONDITION. 

6.  A  NEXT  PLS  DEORBIT  WILL  BE  EXECUTED  FOR  INSTRUMENTATION 
LOSSES  WHICH  PREVENT  MONITORING  OF  CRITICALITY  1  FAILURES 
FOR  WHICH  THE  PROGRAM  RETENTION  RATIONALE  REQUIRES 
MONITORING. 


The  retention  rationale  for  some  criticality  1  failures  is  the  ability  to  monitor  that  system  and  take  action 
prior  to  a  poten  tially  catastrophic  event.  Therefore,  loss  of  monitoring  mandates  termination  of  the 
flight  at  the  next  PLS  because  rationale  for  retention  of  a  criticality  1  failure  no  longer  exists. 

7.  ENTRY  CONSUMABLES  MUST  BE  PROTECTED  AGAINST  WORST  CASE 
ENVIRONMENTAL  AND  AERODYNAMIC  VARIATIONS. 

8.  ORBITER  SYSTEMS  TROUBLESHOOTING/ IFM' S  HAVE  PRIORITY  OVER 
PDRS  AND  PAYLOAD  OPERATIONS  IF  CONFLICTS  CANNOT  BE 
AVOIDED  (I.E.,  ACTIVITY  SCHEDULING  OR  INTERRUPTION  OF 
REQUIRED  ORBITER  SERVICES) . 


The  prime  objective  on  every  flight  is  crew  safety. 
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9.  STOW  REDUNDANCY  DEMONSTRATION:  ®[090894-l 670B] 

a.  A  PAYLOAD  OR  STS  ARTICLE  THAT  HAS  DEPLOYED  NOMINALLY 
ON  DUAL  MOTORS,  AND  HAS  SUSTAINED  NO  MECHANICAL, 
COMMAND,  OR  ELECTRICAL  FAILURES  WHICH  WOULD  PRECLUDE 
DUAL  MOTOR  STOW,  WILL  BE  ASSUMED  TO  HAVE  DEMONSTRATED 
STOW  REDUNDANCY. 

b.  STOW  REDUNDANCY  WILL  STILL  BE  ASSUMED  TO  HAVE  BEEN 
DEMONSTRATED  WHERE  A  PROCEDURAL  WORKAROUND  IS 
AVAILABLE  FOR  ELECTRICAL/COMMAND  PATH  FAILURES  THAT 
WOULD  NORMALLY  PRECLUDE  DUAL  MOTOR  STOW  OPERATIONS. 

A  nominal  deploy  ( release )  of  a  drive  mechanism  which  uses  the  same  actuator/motors/motor  windings  to 
deploy  and  stow  (or  release/latch)  will  verify  the  integrity  of  that  drive  mechanism’ s  capability  to  stow 
(latch).  Although  drive  mechanisms  typically  use  different  switch  contacts,  motor  control  assembly 
(MCA)  relays,  and  electrical/ command  paths  for  deploy  and  stow  (release/latch)  operations,  these  unlike 
componen  ts  are  thoroughly  tested  during  ground  turnaround.  And  due  to  the  nature  of  mechanical 
equipment,  performing  a  nominal  stow  using  these  stow  path  components  does  not  necessarily  guarantee 
dual  motor  operation  during  the  following  stow  sequence.  Therefore,  stow  redundancy  can  be 
sufficiently  demonstrated  by  verifying  a  nominal  deploy,  without  the  requirement  to  actually  perform  a 
stow  operation.  Failed-on  microswitches,  or  other  failure  scenarios,  which  may  be  overcome  by  cm  SSR, 
malfunction,  or  IFM  procedure  (EVA  procedures  not  included),  do  not  actually  inhibit  dual  motor  stow 
capability.  Therefore,  these  type  failures  will  not  be  cause  for  early  stowage  of  the  affected  drive 
mechanism,  or  for  additional  demonstration  of  stow  redundancy. 

Rule  (A2-103C},  EXTENSION  DAY  REQUIREMENTS,  references  this  rule.  ®[090894-i670B] 
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B.  PAYLOAD  OPERATIONS 

ONCE  THE  DECISION  HAS  BEEN  MADE  FOR  EARLY  FLIGHT  TERMINATION, 
PAYLOAD  OPERATIONS  MAY  CONTINUE  UNTIL  DEORBIT  MINUS  6  HOURS 
PROVIDED  THAT  THE  OPERATIONS  WOULD  NOT  JEOPARDIZE  DEORBIT 
CAPABILITY.  PAYLOAD  OR  SPACE  SHUTTLE  ARTICLES  WHICH  MUST  BE 
MECHANICALLY  SECURED  FOR  SAFE  ENTRY/LANDING  WILL  BE  SECURED 
PRIOR  TO  PRESLEEP  ON  DEORBIT  MINUS  2  DAYS.  IF  STOW 
REDUNDANCY  CAN  BE  DEMONSTRATED,  OPERATIONS  WILL  BE  ALLOWED  TO 
CONTINUE  UNTIL  THE  MORNING  OF  DEORBIT  MINUS  1  DAY. 


If  a  payload  activity  has  no  failure  mode  that  could  delay  PLBD  closing,  there  is  no  risk  associated  with 
allowing  it  to  operate  until  deorbit  minus  6  hours.  If  however,  the  payload  or  space  shuttle  article  must 
be  mechanically  or  operationally  secured  prior  to  PLBD  closure,  then  this  operation  should  begin  early 
enough  to  conduct  an  EVA  (if  required)  without  extending  beyond  the  selected  deorbit  opportunity.  This 
correlates  to  securing  2  days  prior  to  deorbit  which  allows  for  an  EVA  on  deorbit  minus  1  day.  If  the 
poten  tial  of  having  to  do  an  EVA  has  been  significan  tly  reduced  (i.e.,  by  demonstrating  stow 
redundancy),  then  operation  may  con  tinue  until  the  morning  of  deorbit  minus  1  day.  Stowing  in  the 
morning  will  cdlow  time  for  troubleshooting  any  unforeseen  difficulties. 

Rule  { A9-4j ,  CAUTION  AND  WARNING  (C&W),  references  this  rule.  ®[ED  ] 
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A2-105  IN-FLIGHT  MAINTENANCE  ( IFM) 

A.  DEFINITIONS: 

1.  SCHEDULED  IN-FLIGHT  MAINTENANCE  (IFM)  IS  ACCOMPLISHED  ON 
A  PERIODIC  (NOT  NECESSARILY  TIMELINED)  BASIS  TO  KEEP 
EQUIPMENT  OPERATIONAL  AND  EXTEND  ITS  LIFE.  SCHEDULED  IFM 
TASKS  INCLUDE  INSPECTION,  CLEANING,  AND  REPLACING  FILTERS 
AND  CONSUMABLES.  SPECIFICALLY  EXCLUDED  FROM  THIS 
DEFINITION  ARE  REPAIR  TYPE  ACTIVITIES  TO  CORRECT  OR  WORK 
AROUND  MALFUNCTIONS. 


Examples  of  this  type  of  maintenance  are  filter  cleaning,  LiOH  canister  replacement,  and  calibration  of 
equipment. 

2.  UNSCHEDULED  IFM  IS  UNDERTAKEN  AS  A  RESULT  OF  ANOMALIES 

AND  SPECIFICALLY  INCLUDES  TEST,  MEASUREMENT,  INSPECTION, 
AND  REPAIR  TYPE  ACTIVITIES  TO  CORRECT  OR  WORK  AROUND 
MALFUNCTIONS . 


Definitions  of  categories  of  maintenance  provide  common  terms  for  activities  which  may  be  constrained 
by  flight  rules.  For  example,  scheduled  maintenance  is  planned  and  approved  preflight  and  usually 
accomplished  without  real-time  consultation  with  the  MCC-H.  Unscheduled  maintenance,  which  is 
conducted  as  a  result  of  a  hardware  malfunction,  is  usually  reviewed  real  time  by  the  MCC-H  whether 
or  not  it  was  preflight  approved.  This  real-time  review  is  conducted  to  determine  orbiter/crew  safety 
impacts. 
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A2-105  IN-FLIGHT  MAINTENANCE  ( IFM)  (CONTINUED) 

B.  IMPLEMENTATION  OF  IFM 
1.  SCHEDULED  IFM: 

a.  IN  GENERAL,  SCHEDULED  MAINTENANCE  IS  PERFORMED  AS 

REQUIRED  WITHOUT  CONSULTING  MCC .  EXCEPTIONS  TO  THIS 
RULE  MAY  BE  REQUIRED  FOR  EQUIPMENT  WHICH  CANNOT  BE 
ISOLATED  FROM  THE  ORBITER  ELECTRICAL  POWER  SYSTEM, 
AIR  REVITALIZATION  SYSTEM,  PRESSURE  CONTROL  SYSTEM, 
OR  THERMAL  SYSTEM.  THOSE  SCHEDULED  IFM  PROCEDURES 
WHICH  REQUIRE  MCC  NOTIFICATION  PRIOR  TO 
IMPLEMENTATION  WILL  BE  NOTED  IN  THE  FLIGHT  SPECIFIC 
FLIGHT  RULE  ANNEX. 


Scheduled  maintenance  is  usually  considered  a  routine  task.  These  procedures  are  reviewed  preflight  for 
impact  on  orbiter  systems.  In  the  interest  of  safety,  some  procedures  may  require  MCC  notification  prior 
to  implementation. 

b.  SCHEDULED  IFM  PROCEDURES  ON  ORBITER  HARDWARE  WILL  BE 
PERFORMED  BY  THE  CDR,  PLT,  OR  MISSION  SPECIALISTS. 
PAYLOAD  HARDWARE  MAY  BE  MAINTAINED  BY  PAYLOAD 
SPECIALISTS . 


CDR’s,  PLT’s,  and  MS’s  undergo  training  specific  to  orbiter  scheduled  maintenance. 

2.  UNSCHEDULED  IFM: 

a.  UNSCHEDULED  IFM  PROCEDURES  ON  ORBITER  HARDWARE  WILL 

BE  PERFORMED  BY  THE  CDR,  PLT,  OR  MISSION  SPECIALISTS. 
REPAIR  PROCEDURES  ON  PAYLOAD  HARDWARE  MAY  BE 
PERFORMED  BY  PAYLOAD  SPECIALISTS  IF  THE  CDR/PLT  OR  MS 
IS  COGNIZANT  OF  THIS  ACTIVITY. 


CDR's,  PLT’s ,  and  MS’s  have  an  experience  and  training  base  to  assess  the  overall  impact  of  a  repair 
procedure  on  hardware  in  general  and  the  orbiter  in  particular. 
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A2-105  IN-FLIGHT  MAINTENANCE  ( IFM)  (CONTINUED) 

b.  UNSCHEDULED  IFM  PROCEDURES  SHALL  BE  INITIATED  ONLY 

WITH  THE  APPROVAL  OF  MCC-H .  WHEN  COMMUNICATION  WITH 
THE  MCC-H  IS  NOT  POSSIBLE  AND  THE  CDR  DETERMINES  THE 
SITUATION  TO  BE  CRITICAL,  REPAIR  MAY  BE  PERFORMED  TO 
ENSURE  THE  INTEGRITY  OF  THE  ORBITER  OR  SAFETY  OF  THE 
CREW.  SPECIFIC  PAYLOAD  REPAIR  PROCEDURES  MAY  BE 
EXEMPTED  FROM  THIS  RULE  PREFLIGHT  FOR  EQUIPMENT 
ISOLATED  FROM  THE  ORBITER  ELECTRICAL  POWER  SYSTEM, 

AIR  REVITALIZATION  SYSTEM,  PRESSURE  CONTROL  SYSTEM, 

OR  THERMAL  SYSTEM.  THESE  EXEMPTIONS  WILL  BE  NOTED  IN 
THE  MISSION  SPECIFIC  FLIGHT  RULES  ANNEX. 


Repair  procedures  are  written  preflight  assuming  particular  hardware  configurations,  interrelationships, 
and  sequences  of  hardware  failures.  In  the  in  terest  of  safety,  the  procedu  re  is  reviewed  reed  time  by  the 
MCC-H  to  ensure  that  the  assumptions  under  which  it  was  written  actually  exist  during  on-orbit 
operations. 


C.  UNSCHEDULED  IFM  PROCEDURES  WILL  BE  PERFORMED  ONLY  IF 
ADEQUATE  TECHNICAL  DOCUMENTATION  AND  POSSIBLY 
REPRESENTATIVE  HARDWARE  ARE  AVAILABLE.  MCC-H  WILL 
DETERMINE  THE  ADEQUACY  OF  THIS  DOCUMENTATION/HARDWARE 
WHICH  MAY  INCLUDE,  BUT  IS  NOT  LIMITED  TO,  TECHNICAL 
DRAWINGS,  FLIGHT  LIKE  HARDWARE,  AND  CLOSEOUT  PHOTOS. 

IFM  procedures  are  always  verified  to  the  maximum  extent  possible.  Past  orbiter  flight  experience  has 
shown  that,  when  working  to  repair  hardware,  line  drawings  and  specifications  are  not  adequate  to 
ensure  that  the  fined  equipment  closeout  is  known.  On  numerous  occasions,  preflight  closeout  photo 
documen  tation  has  revealed  the  presence  of  safety  wire,  ground  straps,  and  other  articles  which  could 
pose  a  hazard  or  cause  permanen  t  damage  to  the  hardware.  Closeout  photos  in  the  con  text  of  this  rule 
include  interior  views  of  hardware  taken  during  equipment  fabrication/assembly  as  well  as  final 
module/pallet  installation. 
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A2-105  IN-FLIGHT  MAINTENANCE  ( IFM)  (CONTINUED) 

3 .  GENERAL : 

a.  WHEN  MULTIPLE  IFM'S  ARE  REQUIRED,  THE  FOLLOWING 
PRIORITY  WILL  BE  USED  IN  THEIR  IMPLEMENTATION. 

MISSION  SPECIFIC  EXCEPTIONS  WILL  BE  NOTED  IN  THE 
FLIGHT  RULE  ANNEX. 

(1)  ORBITER  SYSTEMS. 

(2)  SPACELAB  SYSTEMS  (WHEN  APPLICABLE) . 

(3)  EXPERIMENTS/PAYLOADS. 

Self-explanatory. 

b.  AN  IFM  WILL  BE  PERFORMED  ASAP  TO  REGAIN  THE 
REDUNDANCY  AND/OR  CAPABILITY  NECESSARY  TO  SATISFY  THE 
GO/NO-GO  REQUIREMENTS  TO  CONTINUE  PAST  THE  NEXT  PLS 
OPPORTUNITY.  AN  IFM  TO  ESTABLISH  ORBITER  FAIL-SAFE 
CAPABILITY  WILL  HAVE  PRIORITY  OVER  ALL  FLIGHT 
ACTIVITIES  AND  WILL  BE  PERFORMED  ASAP.  FOR  EXISTING 
VALIDATED  IFM  REPAIR  PROCEDURES,  IF  TIME  DOES  NOT 
PERMIT  COMPLETION  PRIOR  TO  THE  NEXT  PLS  OPPORTUNITY, 

A  "GO"  WILL  BE  GIVEN  ASSUMING  A  SUCCESSFUL  COMPLETION 
(FOR  REAL-TIME  DEVELOPED  IFM'S,  CONSIDERATION  WILL  BE 
GIVEN  TO  DECLARING  A  "GO"  PRIOR  TO  COMPLETION) . 
@[011801-3851  ] 

There  is  a  high  level  of  confidence  in  existing,  validated  IFM’s.  Therefore,  the  orbiter  will  remain  on 
orbit,  assuming  the  IFM  will  be  successful,  rather  than  terminate  the  mission  for  lack  of  time  to  complete 
the  IFM.  The  confidence  level  may  not  be  as  great  for  real-time  developed  IFM’s;  therefore,  the  GO  to 
stay  on  orbit  is  not  automatic,  but  instead,  depends  on  the  level  of  confidence  in  the  procedure. 
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A2-105  IN-FLIGHT  MAINTENANCE  ( IFM)  (CONTINUED) 

C.  ON  ENTRY  DAY,  PRIOR  TO  BEGINNING  DEORBIT  PREPARATION 
(DEORBIT  TIG  MINUS  4.0  HOURS),  AN  IFM  WILL  BE 
PERFORMED  ONLY  IF  REQUIRED  TO  REGAIN  THE  REDUNDANCY 
AND/OR  CAPABILITY  NECESSARY  TO  SATISFY  THE  MINIMUM 
ENTRY  REQUIREMENTS.  AN  IFM  WILL  NOT  BE  ATTEMPTED 
DURING  DEORBIT  PREPARATION  EXCEPT  FOR  THE  FOLLOWING 
SCENARIOS : 

(1)  AN  RHC  OR  DDU  WILL  BE  REPLACED  IF  FAILURES  IN 
THESE  SYSTEMS  RESULT  IN  THE  LOSS  OF  TWO  RHC 
CHANNELS  PRIOR  TO  ENTERING  OPS  3. 

(2)  ENTRY  WILL  BE  DELAYED  TO  DO  AVIONICS  BAY  FAN 
CHANGEOUT  IF  BOTH  FANS  HAVE  FAILED  IN  AVIONICS 
BAYS  1  OR  2  AND  A  FAN  CHANGEOUT  MAY  RECOVER 
COOLING  IN  THAT  AVIONICS  BAY.  @[101096-4516] 

IFM’s  require  use  of  equipment  and  tools  which  are  normally  stowed.  Their  use  affects  the  stowage 
timeline  and  other  activities  related  to  preparing  the  orbiterfor  entry.  Rationale  for  the  above 
exceptions  is  contained  under  the  appropriate  system  in  paragraph  C. 

d.  IFM  PROCEDURES  ON  EXPERIMENTS  WITH  TOXIC  HAZARDS  -  NO 
IFM  PROCEDURES  WILL  BE  INITIATED  ON  AN  EXPERIMENT 
KNOWN  TO  REPRESENT  A  TOXIC  HAZARD  WITHOUT  MCC-H 
CONCURRENCE.  PROTECTIVE  EQUIPMENT  MAY  BE  REQUIRED 
(REF.  RULE  {A13-155},  ORBITER  HAZARDOUS  SUBSTANCE 
SPILL  RESPONSE) .  PAYLOAD  EQUIPMENT  THAT  REPRESENTS  A 
TOXIC  HAZARD  WILL  BE  IDENTIFIED  IN  THE  FLIGHT  RULE 
ANNEX . 


A  real-time  assessmen  t  of  the  possibility  of  repairing  and  the  risk  of  exposing  the  crew  to  a  toxic 
substance  during  the  repair  will  be  required.  The  IFM  may  require  that  the  cleanup  equipment  specified 
in  Rule  [A1 3- 155},  ORBITER  HAZARDOUS  SUBSTANCE  SPILL  RESPONSE,  be  used  to  minimize  risk 
of  crew  exposu  re  to  toxic  substance. 
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C.  SYSTEMS  REPLACEMENT  CRITERIA: 

1.  ANY  FORWARD  CRT  WILL  BE  REPLACED  WITH  THE  AFT  CRT  (N/A 

FOR  MEDS  VEHICLES)  .  @[101096-4516]  @[021397-4763]  ©[040899-2459B] 

An  IFM  to  replace  any  forward  CRT  with  the  aft  CRT  is  required  for  entry  to  ensure  at  least  two  CRT’s 
are  available:  One  to  monitor/control  (item  entry  deselect/select)  entry  LRU’s  and  PASS  software,  and 
the  other  to  monitor/control  orbiter  systems  via  BFS  software.  CRT  3  satisfies  the  redundancy  issues 
since  it  can  be  used  by  either  the  CDR  or  PLT.  @[021397-4763  ] 

2.  ANY  MDU  CAN  BE  REPLACED  WITH  ANY  OTHER  MDU . 

Because  of  the  large  number  of  MDU’ s  ( 11 ),  an  IFM  to  replace  a  failed  aft  MDU  with  a  forward  MDU 
may  aid  the  crew  in  critical  aft  station  operations  (RNDZ,  dock/undock)  without  losing  any  capability  in 
the  forward  cockpit.  Because  of  the  simple  and  low  risk  MDU  IFM  (45  minutes),  the  MDU  can  be 
reinstalled  in  the  forward  cockpit  after  the  critical  aft  operations. 

3.  A  KEYBOARD  (1  OR  2 )  WILL  BE  REPLACED  WITH  THE  AFT 
KEYBOARD . 

The  same  rationale  is  used  for  the  keyboard  1  or  2  IFM  as  for  CRT’s  and  also  satisfies  the  requirement 
for  fail-safe  redundancy  in  entry-critical  LRU’s. 

4.  A  SPECIFIC  KEY  ON  (KEYBOARD  1  OR  2 )  WILL  BE  REPLACED  WITH 
THE  "ACK"  OR  "MSG  RST"  KEY  FROM  THE  AFT  KEYBOARD. 

If  a  specific  key  in  one  of  the  forward  keyboards  is  identified  as  failed,  replacing  that  key  with  the  ACK 
key  from  the  aft  keyboard  can  restore  the  keyboard  to  full  operational  status.  Since  the  ACK  key  is  only 
used  to  acknowledge  fault  messages  by  stopping  them  from  flashing  and  turning  off  cd  arm  tones,  the  aft 
keyboard  may  continue  to  be  used  even  if  the  ACK  key  has  been  removed.  Av  an  alternative  to  the  ACK 
key,  the  MSG  RST  key  may  be  used.  Forward  keyboards  are  required  for  entry  purposes,  while  no 
requirement  exists  for  the  aft  keyboard.  An  IFM  on  a  forward  keyboard  key  will  be  done  when  required, 
while  cm  IFM  on  an  aft  keyboard  may  be  done. 
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A2-105  IN-FLIGHT  MAINTENANCE  ( IFM)  (CONTINUED) 

5.  A  DEU  (1,  2,  OR  3)  WILL  BE  REPLACED  WITH  DEU  4. 

IFM  for  DEU  replacement  rationale  is  the  same  as  the  CRT’s  except  DEU  3,  due  to  its  location,  is 
capable  of  being  replaced  whereas  CRT  3  cannot.  ®[040899-2459B] 

6.  AN  ADI  (LEFT  OR  RIGHT)  WILL  BE  REPLACED  WITH  THE  AFT  ADI 

(N/A  FOR  MEDS  VEHICLES)  .  @[101096-4516]  ®[040899-2459B] 

An  IFM  to  replace  a  failed  ADI  with  the  aft  ADI  is  required  for  entry  for  the  minimum  required  fail-safe 
capability  and  to  allow  the  mission  to  continue  past  PLS.  At  least  one  ADI  is  required  to  ensure  manned 
takeover  capability  is  available  high  in  the  entry  profile  where  the  HUD  is  not  available.  In  addition,  the 
ADI  is  a  prime  pilot  tool  used  to  monitor  the  performance  of  the  auto  entry  guidance  to  ascertain  if  a 
takeover  is  required. 

7.  AN  RHC  (LEFT  OR  RIGHT)  WILL  BE  REPLACED  WITH  THE  AFT 

RHC  IF  MORE  THAN  ONE  CHANNEL  IS  FAILED  ON  THE  SAME 
CONTROLLER.  @[101096-4516] 

Although  the  loss  of  two  RHC  channels  does  not  violate  minimum  entry  requirements  (system  is  still  fail¬ 
safe),  an  RHC  will  be  changed  out  to  increase  redundancy  anytime  prior  to  OPS  3  transition  due  to  its 
criticality  in  the  CSS/tcikeover  role  for  en  try/landing. 

8.  THE  FORWARD  THC  WILL  BE  REPLACED  WITH  THE  AFT  THC . 

An  IFM  to  replace  the  forward  THC  with  the  aft  THC  is  required  to  ensu  re  at  least  fail-safe  redundancy 
is  available  for  manned  translational  control  for  the  deorbit  burn. 

9.  A  DDU  (LEFT  OR  RIGHT)  WILL  BE  REPLACED  WITH  AFT  DDU . 

An  IFM  to  replace  a  failed  DDU  is  required  for  entry  to  cdlow  use  of  the  ADI  in  non  MEDS  configured 
vehicles  ( ref.  paragraph  6  for  ADI  entry  criticality).  This  IFM  may  also  be  performed  if  necessary  to 
regain  RHC  redundancy  (ref.  paragraph  7). 
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10.  THE  LEFT  OR  RIGHT  HUD  WILL  BE  REPLACED  WITH  THE  SPARE 
HUD.  FOR  FLIGHTS  WHICH  DO  NOT  CARRY  A  SPARE  HUD, 
REPLACEMENT  OF  THE  LEFT  HUD  WITH  THE  RIGHT  HUD  WILL  BE 
PERFORMED,  TIME  PERMITTING,  IF  A  NIGHT  LANDING  IS 
PLANNED.  ©[040899-2459B] 

HUD  replacemen  t  is  considered  highly  desirable  for  entry  in  cases  where  visibility  is  restricted  on  the 
outer  glide  slope  or  for  night  landings.  If  a  night  landing  is  planned  and  no  spare  is  available,  the  right 
HUD  can  be  moved  to  the  left  side  to  provide  the  CDR  with  an  operable  HUD.  The  decision  to  perform 
the  IFM  will  be  based  on  consideration  of  the  severity  of  the  situation  ( e. g. ,  weather,  day  or  night,  etc.). 
Reference:  Memorandum  CB-89-265. 

11.  AN  OPS  RECORDER  (1  OR  2)  WILL  BE  REPLACED  WITH  THE 
PAYLOAD  RECORDER  IF  BOTH  OPS  RECORDERS  HAVE  FAILED. 

®[1 01 096-451 6  ]  ®[040899-2459B] 

OPS  recorder  replacemen  t  is  required  only  if  both  OPS  recorders  1  and  2  have  failed.  The  OPS 
recorder  is  required  up  to  the  deorbit  burn  to  ascertain  systems  problems  which  occur  during  LOS. 

12.  THOSE  CASES  WHEN  A  FAILED  PAYLOAD  RECORDER  WILL  REQUIRE  A 
PAYLOAD  RECORDER  REPLACEMENT  WILL  BE  DEFINED  IN  THE 
FLIGHT  SPECIFIC  FLIGHT  RULES  ANNEX.  @[101096-4516] 

OPS  recorder  or  PL  recorder  IFM  criticality  is  addressed  by  the  flight  specific  Annex  rules.  The  payload 
or  certain  flight  specific  orbiter  DTO’s  affect  the  criticality  of  entry  related  data  requirements. 

13.  AN  ACCU  (1  OR  2)  WILL  BE  REPLACED  WITH  BYPASS  CONNECTOR 
J4  . 

An  IFM  to  bypass  a  failed  ACCU  is  required  to  ensure  redundant  voice  links  for  entry  and  to  determine 
whether  next  PLS  must  be  declared.  A  failed  IFM  would  be  cause  for  next  PLS  with  one  ACCU  down. 
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14.  TRANSPONDER  (1  OR  2)  BYPASS  WILL  BE  CONSIDERED  IF  ONE 
FAILED.  THE  BYPASS  WILL  BE  PERFORMED  IF  BOTH  HAVE 
FAILED . 


An  IFM  to  recover  S-band  downlink  telemetry  is  required  if  both  transponders  have  failed.  If  one  is 
failed,  consider  expenditure  of  crew  time  to  perform  the  IFM  to  ensure  redundancy. 

15.  IF  BOTH  AVIONICS  FANS  IN  AV  BAY  1  OR  2  HAVE  FAILED,  ENTRY 

WILL  BE  DELAYED  TO  REPLACE  ONE  FAN  WITH  A  FAN  FROM 
ANOTHER  AV  BAY .  ®[040899-2459B] 

AV  bay  fan  replacement  is  done  to  recover  cooling  for  two  GPC’s  which  provide  redundancy  for  entry. 

16.  THE  PF1/PF2  MDM'S  WILL  BE  SWAPPED  ONLY  IF  REQUIRED  TO 
CLOSE  PLBD'S.  PLBD  MOTOR  OPERATION  UTILIZING  THE  IFM 
PIN  KIT  WILL  BE  USED  IN  LIEU  OF  SWAPPING  PL  MDM'S  IF, 
AFTER  THE  MDM'S  ARE  SWAPPED,  THE  PLBD  MOTOR  IFM  WOULD 
STILL  BE  REQUIRED  TO  CLOSE  AND/OR  LATCH  THE  DOORS. 

®[1 01 096-451 6  ]  ®[040899-2459B] 

Due  to  the  potential  for  connector  pin  damage  during  demate/mate  operations,  replacement  or  swapping 
of  PL  MDM’s  is  only  considered  for  PLBD  closure.  No  consideration  is  made  to  swap  PL  MDM’s  for 
mission  success  reasons.  The  PLBD  motor  operation  IFM  is  a  collection  of  pin  kit  procedures  to  recover 
PLBD  motor  functions  lost  as  a  result  of  a  failed  PL  MDM,  and  the  motor  driven  by  the  other  PL  MDM 
has  hard  fcdled.  If  swapping  PL  MDM’s  will  not  recover  all  the  necessary  functions  to  close  and  latch 
the  doors,  the  pin  kit  procedures  will  be  used  to  regain  the  lost  functions  in  lieu  of  swapping  the  MDM’s. 
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17.  FOR  FLIGHT  CRITICAL  MDM' S  -  FF4  WILL  BE  SWAPPED  WITH  FF1, 
FF2,  OR  FF3  AFTER  POWER  CYCLING  AND  PORT  MODING  FAILS  TO 
CLEAR  A  NON-GPC  CAUSED  "I/O  ERROR  FFX"  OR  TOTAL  OUTPUT 
CARD  FAILURE  AND  IT  RESULTS  IN  THE  LOSS  OF:  @[101096-4516] 
©[040899-2459B] 

a.  A  SECOND  IMU. 

b.  A  SECOND  ACCELEROMETER  ASSEMBLY  (AA)  ( AA4  MUST  BE 
FAILED) . 


Where  previous  LRU  failures  would  cause  a  loss  of  at  least  fail-safe  redundancy  in  an  entry  critical 
system,  it  is  considered  viable  to  replace  FF1,  FF2,  or  FF3  with  FF4.  The  operation  would  be 
accomplished  to  recover  cm  IMU  for  redundancy  in  onboard  navigation  for  entry.  The  same  is  true  for 
an  AA  to  regain  redundancy  for  entry  control. 

Rules  { A7-5C j,  PASS  GPC  BCE  FAILURE  MANAGEMENT;  {A7-109D},  IN-FLIGHT  MAINTENANCE 
(IFM);  and  {A8-7},  ENTRY  SYSTEMS  SINGLE-FAULT  TOLERANCE  VERIFICATION;  reference  this 
rule. 
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LAUNCH  DAY  LANDING  PLBD  OPS: 

A.  IF  A  LANDING  IS  REQUIRED  AND  SUPPLY/WASTE  WATER  WILL  SUPPORT 
FES  OPERATIONS  UNTIL  ENTRY,  NO  ATTEMPT  WILL  BE  MADE  TO  OPEN 
ONE  OR  BOTH  OF  THE  PLBD'S.  @[0201 96-1 804A] 

For  launch  day  landings  at  the  first  available  PLS,  the  supply  and  waste  water  tanks  are  loaded  such  that 
there  is  sufficient  water  for  FES  operations;  therefore,  there  is  no  requirement  to  incur  the  risks 
associated  with  opening  the  PLBD’s,  thus  eliminating  an  increase  in  the  crew  workload  during  this 
timeframe. 

B.  IF  A  LANDING  IS  REQUIRED  AFTER  PREDICTED  EXHAUSTION  OF  SUPPLY 
AND  WASTE  WATER  FOR  THE  FES,  THE  PLBD'S  MAY  BE  OPENED. 

For  launch  day  landings  after  the  first  PLS  opportunity,  insufficient  supply/waste  water  may  have  been 
loaded  to  support  FES  operations  to  entry.  If  the  first  PLS  opportunity  is  NO-GO  or  likely  to  be  NO-GO, 
then  PLBD  opening  will  be  required.  This  situation  may  result  in  having  to  open  the  PLBD  without  close 
redundancy. 

C.  FOR  PROBLEMS  PROHIBITING  NECESSARY  HEAT  REJECTION,  THE  PLBD'S 
MAY  BE  OPENED  (TIME  PERMITTING)  WITHOUT  REGARD  TO  CLOSE-MOTOR 
REDUNDANCY,  FES  WATER  SUPPLY  AVAILABILITY,  OR  MET  OF  LANDING. 
@[0201 96-1 804A] 

For  cases  where  there  are  cooling  problems  and  opening  the  PLBD’s  is  required  to  alleviate  heating  of 
entry-critical  equipment,  the  PLBD’s  should  be  opened  to  provide  the  increased  cooling  capability.  This 
may  be  necessary  even  though  redundant  door  closure  does  not  exist  and/or  the  timeline/crew  workload 
would  be  increased. 
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A.  EVA  WILL  NORMALLY  BE  PERFORMED  BY  TWO  EVA  CREWMEMBERS; 

HOWEVER,  ONE  MAN  EVA  MAY  BE  PERFORMED  IN  THESE  CIRCUMSTANCES: 

1.  CONTINGENCY  EVA. 

Two  crewmembers  are  always  required  for  EVA  to  ensure  that,  if  one  EVA  crewmember  should 
experience  trouble,  the  other  is  available  to  provide  assistance.  For  contingency  EVA,  this  rule  is 
waived  since  the  safety  of  the  orbiter  is  involved  and  the  risk  of  a  one  man  EVA  is  therefore  acceptable. 

2  .  SCHEDULED  EVA  -  A  SCHEDULED  EVA  MAY  BE  PERFORMED  BY  A 
SINGLE  CREWMEMBER  IF: 

a.  A  SINGLE  CREWMEMBER  CAN  EXECUTE  THE  TASK(S)  ASSIGNED. 

b.  THE  SECOND  CREWMEMBER  IS  ABLE  TO  GO  TO  VACUUM  AND 
REMAIN  ON  THE  SERVICE  AND  COOLING  UMBILICAL  (SCU)  FOR 
POSSIBLE  RESCUE. 

C.  THE  SCHEDULED  EVA  TASK(S)  MUST  BE  CAPABLE  OF  BEING 

TERMINATED  AT  ANY  POINT  AND  LEAVE  THE  PLB  IN  AN  ENTRY 
COMPATIBLE  CONFIGURATION. 

3.  UNSCHEDULED  EVA  -  AN  UNSCHEDULED  EVA  TO  MEET  HIGH 

PRIORITY  MISSION  OBJECTIVES  OR  TO  PREVENT  JETTISON  OF  A 
PAYLOAD  MAY  BE  ACCOMPLISHED  BY  A  SINGLE  CREWMEMBER  IF  THE 
FOLLOWING  CRITERIA  ARE  MET: 

a.  A  SINGLE  CREWMEMBER  CAN  EXECUTE  THE  TASK(S)  ASSIGNED. 
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b.  THE  SECOND  CREWMEMBER  MUST  BE  ABLE  TO  GO  TO  VACUUM 

AND  REMAIN  ON  SERVICE  AND  COOLING  UMBILICAL  (SCU)  FOR 
POSSIBLE  RESCUE. 

C.  THE  UNSCHEDULED  EVA  TASK(S)  MUST  BE  CAPABLE  OF  BEING 
TERMINATED  AT  ANY  POINT  AND  LEAVE  THE  PLB  IN  AN  ENTRY 
COMPATIBLE  CONFIGURATION. 

4.  AN  EVA  WILL  BE  DEFINED  IN  THE  FLIGHT  SPECIFIC  ANNEX  AS 
BEING  CAPABLE  OF  BEING  ACCOMPLISHED  BY  A  SINGLE 
CREWMEMBER. 

B.  IF  CONTINGENCY  EVA  SUCCESSFULLY  RESTORES  PLBD'S,  LATCHES, 

ETC.,  TO  NORMAL  OPERATION  (E.G.,  FOREIGN  OBJECT  REMOVED),  THE 
EVA  WILL  BE  TERMINATED  AND  THE  FLIGHT  COMPLETED  AS  PLANNED. 

If  a  contingency  EVA  is  successful  in  restoring  complete  orbiter  capability,  there  is  no  added  risk  to 
remaining  on  orbit  and  accomplishing  the  full  mission  duration. 

C.  FOR  EVA,  DENITROGENATION  WILL  BE  ACCOMPLISHED  IN  ACCORDANCE 
WITH  AEROMED  RULE  {A13-103},  EVA  PREBREATHE  PROTOCOL. 

Self-explanatory. 

D.  EVA/ORBITER  ATTITUDE,  AND  ATTITUDE  CONTROL  CONSTRAINTS: 

1.  DURING  SIDE-TO-SUN  ATTITUDE,  THE  SUN  SIDE  FORWARD 
RADIATOR  PANEL  WILL  BE  STOWED. 

2.  DURING  TOP  SUN  ATTITUDE,  CREWMEMBERS  WILL  AVOID  THE  AREA 
WITHIN  15  FEET  ABOVE  DEPLOYED  RADIATORS. 
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For  a  side-to-Sun  attitude  during  the  EVA,  the  forward  radiators  must  be  stowed  to  preclude  exposing  a 
crewmember  to  the  focusing  effect  of  the  Sun  shining  through  the  gap  between  the  door  and  radiator. 
Short  term  exposure  could  produce  thermal  gradients  which  could  overload  the  EMU  capability  to 
control  the  thermal  environment,  and  longer  term  exposure  could  cause  suit  degradation.  The  same  type 
of  focusing  effects  are  experienced  at  approximately  15  feet  above  the  radiator  when  the  vehicle  is  in  a 
top  Sun  attitude  and  are  potentially  more  severe. 

E.  MINIMUM  COMMUNICATIONS  REQUIREMENTS  FOR  SCHEDULED  EVA: 

IN  ORDER  TO  COMMIT  TO  OR  CONTINUE  A  SCHEDULED  EVA,  EACH  EVA 
CREWMEMBER  MUST  HAVE  TWO-WAY  COMMUNICATIONS  WITH  THE  ORBITER 
EITHER  DIRECTLY  OR  VIA  THE  OTHER  EVA  CREWMEMBER. 

It  is  difficult  to  be  totally  aware  of  the  condition  of  cm  EVA  crewmember  by  visual  inspection.  Minimum 
communication  is  required  to  ensure  crew  status  and  safety  throughout  the  EVA  period. 

F.  EVA  WILL  BE  TERMINATED  FOR  MALFUNCTIONS  WHICH  RESULT  IN 
SECONDARY  OXYGEN  PACK  (SOP)  C£  FLOW. 

Malfunctions  which  result  in  SOP  flow  indicate  no  other  source  of  oxygen  can  supply  total  requirements 
for  continued  operation  of  the  suit/EMU.  Regardless  of  whether  or  not  the  primary  life  support  system 
(PLSS)  is  functioning  properly,  SOP  flow  depletes  the  EVA  crewmember’ s  backup  source  of  oxygen  and 
is  therefore  cause  to  terminate  the  EVA.  ©[021199-6747B] 
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A2-108 


CONSUMABLES  MANAGEMENT 


A. 


REDLINES  WILL  BE  MANAGED  TO  ASSURE  THAT  THE  FOLLOWING 
RESERVES  ARE  PROTECTED: 


In  order  to  achieve  acceptable  consumables  margins  (cryo,  water,  or  OMS/RCS  propellant,  N2,  LiOH, 
etc.)  required  to  continue  on-orbit  flight  operations,  flight  activities  requiring  the  limited  consumable 
may  be  reduced/deleted.  The  capabilities  that  must  be  protected  along  with  the  potential  activities  that 
are  candidates  for  deletion  are  identified.  ®[092800-7247A] 

1.  DEORBIT  CAPABILITY  -  OMS/RCS  PROPELLANTS  WILL  NORMALLY  BE 
MANAGED  TO  PROVIDE  THE  CAPABILITY  TO  DEORBIT  TO  STEEP 
TARGETS.  HOWEVER,  SHALLOWING  TARGETS  IS  ALLOWED  TO 
PROTECT  ITEMS  2  THROUGH  8  BELOW. 

NOTE:  OMS  PROPELLANT  RESERVED  TO  PROTECT  FUTURE  EXTENSION 

DAYS  (PARAGRAPHS  9  AND  11  BELOW)  MAY  BE  COMMITTED  TO 
PROVIDE  STEEP  DEORBIT  TARGET  CAPABILITY  FOR  A  CURRENT 
OPPORTUNITY.  ®[051 194-1 61 2A] 

Deorbit  capability  is  protected  to  allow  safe  return  of  the  orbiter.  This  rule  addresses  consumables 
limitations  and  not  deorbit  methods.  Other  rules  identify  actions  required  for  the  loss  of  one  OMS,  etc. 

2.  EOM  DEORBIT  PREPARATION. 

Consumables  required  to  successfully  perform  the  nominal  EOM  deorbit  preparation  are  protected. 

3.  POST-DEORBIT  AND  ENTRY  USAGE  (EXCEPT  PTI'S). 

Consumables  required  to  support  orbiter  operations  from  deorbit  burn  cutoff  through  landing  are 
protected.  PTI’s  are  not  considered  as  mandatory  and,  if  scheduled,  appear  as  a  tradable  item  in  the 
Flight  Rules  Annex  propellant  priority  table.  ®[092800-7247A] 

THIS  RULE  CONTINUED  ON  NEXT  PAGE 


VOLUME  A  06/20/02  FINAL  FLIGHT  OPERATIONS  2-122 

Verify  that  this  is  the  correct  version  before  use. 


NASA  -  JOHNSON  SPACE  CENTER 


FLIGHT  RULES 


A2-108  CONSUMABLES  MANAGEMENT  (CONTINUED) 

4.  CONTINGENCY  RESERVES  (SYSTEM  MALFUNCTION  OR  FLIGHT 
CONTINGENCY) . 

Consumables  are  reserved  to  protect  against  certain  anomalies  in  order  to  guarantee  system 
capabilities.  For  example,  OMS/RCS  propellan  t  is  redlined  to  accoun  t  for  attitude  dispersions  during 
the  deorbit  burn  associated  with  an  OMS  engine  failure. 

5.  X/Y  CG  BALLAST  -  RESERVES  CONSUMABLES  TO  MAINTAIN  THE 
ORBITER  CG  WITHIN  ESTABLISHED  LIMITS. 

Self-explanatory. 

6.  DISPERSION  ALLOWANCE  (PERFORMANCE  VARIATION) . 
Self-explanatory. 

7 .  MEASUREMENT  ERROR. 

Self-explanatory. 

8.  TRAPPED  RESIDUALS. 


Self-explanatory. 

9.  DEORBIT  WAVE-OFF  EXTENSION  DAY  -  INCLUDES  CONSUMABLES 

RESERVED  TO  BACK  OUT  OF  THE  DEORBIT  BURN  CONFIGURATION, 
MAINTAIN  ATTITUDE  CONTROL  FOR  ANOTHER  DAY  ON  ORBIT 
UTILIZING  PRIMARY  JETS  (ONE  IMU  ALIGNMENT,  -ZLV  -XVV  OR 
THERMAL  PROTECT  ATTITUDE,  IF  REQUIRED) ,  PLUS  ALLOW 
STANDARD  DEORBIT  PREPARATION  ACTIVITIES.  @[0511 94-1 61 2A] 
®[092800-7247A] 

Deorbit  wave -off  extension  day:  Consumables  required  to  support  a  deorbit  backout,  one  day  of  orbit 
stay  time  on  primary  jets,  plus  an  additional  deorbit  preparation  are  protected.  This  wave-off  extension 
day  is  reserved  for  orbiter  contingencies  per  Rule  {A2-103J,  EXTENSION  DAY  REQUIREMENTS.  See 
also  Rule  {A2-110},  STRUCTURES  THERMAL  CONDITIONING,  for  thermal  conditioning  attitude 
profiles  if  required.  Note  that  primary  jets  are  protected  for  this  extension  day  since  many  of  the  failures 
which  require  a  deorbit  wave-off  extension  day  also  fail  the  vernier  jets.  ®[092800-7247A] 
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A2-108  CONSUMABLES  MANAGEMENT  (CONTINUED) 

10.  POSTLANDING  REQUIREMENTS. 

Self-explanatory. 

11.  WEATHER  WAVE-OFF  EXTENSION  DAY  -  RESERVES  CONSUMABLES  FOR 
ONE  DAY  OF  ORBITER  MAINTENANCE  ACTIVITIES  WITH  NORMAL 
SYSTEMS  CONFIGURATION.  THIS  INCLUDES  CONSUMABLES 
RESERVED  TO  DELAY  ONE  ORBIT  IN  THE  DEORBIT  BURN 
CONFIGURATION,  BACK  OUT  OF  THE  DEORBIT  BURN 
CONFIGURATION,  MAINTAIN  ATTITUDE  CONTROL  FOR  ANOTHER  DAY 
ON  ORBIT  UTILIZING  VERNIER  JETS  (ONE  IMU  ALIGNMENT,  -ZLV 
-XVV  OR  THERMAL  PROTECT  ATTITUDE,  IF  REQUIRED,  FOLLOWED 
BY  A  NOMINAL  (VERNIER)  DEORBIT  PREPARATION.  THE  WEATHER 
WAVE-OFF  EXTENSION  DAY  MAY  BE  GIVEN  UP  FOR  CRITICAL 
ACTIVITIES  (REF.  PARAGRAPH  C).  @[0511 94-1 61 2A]  ©[092800-7247A] 

Weather  wave-off  extension  day:  Consumables  required  to  support  a  one-orbit  delay  in  the  deorbit  burn 
configuration  followed  by  one  day  wave-off  for  adverse  weather  conditions  are  protected.  Vernier  jets 
are  assumed  to  be  available  since  the  weather  extension  day  presumes  a  normal  (non-contingency) 
systems  configuration  per  Rule  {A2-103},  EXTENSION  DAY  REQUIREMENTS.  See  also  Rule  {A2-110}, 
STRUCTURES  THERMAL  CONDITIONING,  for  thermal  conditioning  attitude  profiles,  if  required. 

B.  VIOLATION  OF  THE  RESERVES  IDENTIFIED  IN  PARAGRAPH  A  WILL  BE 
CAUSE  TO  SCHEDULE  ENTRY  AT  THE  NEXT  PLS  OPPORTUNITY  (EXCEPT 
FOR  LOSS  OF  THE  WEATHER  WAVE-OFF  EXTENSION  DAY  CAPABILITY) . 

C.  FOR  CONSUMABLES  CONTINGENCIES,  FLIGHT  ACTIVITIES  IN  ORDER  OF 
PRIORITY  (HIGHEST  FIRST)  ARE  AS  FOLLOWS: 
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A2-108  CONSUMABLES  MANAGEMENT  (CONTINUED) 


PRIORITY  FLIGHT  ACTIVITY 


1.  TARGET  45  DEGREES  TO  90  DEGREES  PREBANK. 

2.  TARGET  0  DEGREES  TO  45  DEGREES  PREBANK. 

3.  SHORTEN  MISSION  TO  LESS  THAN  MDF .  [1] 

4.  RAISE  ORBIT  TO  MINIMUM  ALTITUDE  REQUIRED  TO  ALLOW 

CRITICAL  ON-ORBIT/PAYLOAD  ACTIVITIES.  [2] 

5.  WEATHER  WAVE-OFF  EXTENSION  DAY.  [3] 

6.  FLIGHT  SPECIFIC  ACTIVITIES  (MDF  PLUS  TWO  EXTENSION 

DAYS  REMAIN  HIGHER  PRIORITY  THAN  FLIGHT  SPECIFIC 
ACTIVITIES) .  [4] 


NOTE:  EXCEPT  FOR  THE  WEATHER  WAVE-OFF  EXTENSION  DAY, 

CONSUMABLES  RESERVED  IN  PARAGRAPH  A  HAVE  HIGHER 
PRIORITY  THAN  THE  ABOVE  TABLE.  ©[092800-7247A] 

NOTES : 

[1]  SHORTEN  IN  INCREMENTS  OF  NEXT  DAILY  PLS  OPPORTUNITIES. 

[2]  REFERENCE  FLIGHT  RULES  ANNEX  FOR  MINIMUM  ALTITUDE  AND 
PAYLOAD/MISSION  PRIORITIES. 

[3]  ASSUMES  ONE  REV  IN  THE  DEORBIT  BURN  CONFIGURATION 
FOLLOWED  BY  A  VERNIER  EXTENSION  DAY  IN  -ZLV  -XVV  OR 
THERMAL  PROTECT  ATTITUDE,  IF  REQUIRED,  FOLLOWED  BY  A 
NOMINAL  (VERNIER)  DEORBIT  PREP. 

[4]  MISSION  SPECIFIC  CONSUMABLES  PRIORITIES  ARE  DOCUMENTED  IN 
THE  FLIGHT  RULES  ANNEX.  ©[092800-7247A] 
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A2-108  CONSUMABLES  MANAGEMENT  (CONTINUED) 

When  insufficient  consumables  are  available  to  complete  planned  mission  activities,  the  priority  table  is 

used  to  determine  the  remaining  capability  by  deleting  items  from  the  bottom  and  moving  upwards.  A 

discussion  of  each  priority  follows: 

Priority  1.  Target  45  to  90  degrees  prebcmk:  Committing  to  a  prebcmk  greater  than  45  degrees 
introduces  considerable  impact  to  the  orbiter  as  a  result  of  the  increased  thermal 
environment.  Consequently,  prebank  greater  than  45  degrees  will  only  be  utilized  to  protect 
the  minimum  requiremen  ts  established  as  a  higher  priority  than  the  priority  table. 

Priority  2.  Target  0  to  45  degrees  prebcmk:  Flight  Techniques  concluded  that  the  minimal  propellant 
gained  as  a  result  of  committing  to  a  prebcmk  for  the  deorbit  burn  did  not  warrant  the 
increased  procedural/crew  task  complexity  associated  with  the  prebcmk  (reference  Entry 
Techniques  minutes  DA8-86-59). 

Priority  3.  Shorten  mission  to  less  than  MDF:  All  activities  will  be  deleted  to  protect  MDF 
requirements. 

Priority  4.  Raise  orbit  to  minimum  altitude  required  to  cdlow  critical  on-orbit/payload  activities:  The 
weather  wave-off  extension  day  capability  may  be  deleted  in  order  to  accomplish  critical  on- 
orbit  and/or  payload  activities  which  provide  a  direct  orbiter  benefit  for  deorbit  and  entry, 
or  to  accomplish  a  vital  agency  goal.  One  specific  example  of  this  would  be  the  requiremen  t 
to  rendezvous  with  ISS  and  install/transfer  a  payload,  thereby  improving  orbiter  entry 
weight,  required  deorbit  consumables,  entry  c.g.,  and  flight  control  margins,  etc.  Similar 
rationale  applies  for  a  deployable  payload  with  a  minimum  deploymen  t  altitude.  However, 
the  weather  wave-off  extension  day  may  not  be  deleted  merely  to  provide  an  incremen  tal 
increase  in  payload  science  or  mission  duration.  ©[092800-7247A] 
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A2-108  CONSUMABLES  MANAGEMENT  (CONTINUED) 

Priority  5.  Weather  wave-off  extension  day:  The  weather  wave-off  extension  day  provides  the  capability 
to  delay  the  deorbit  burn  for  one  orbit  in  the  deorbit  burn  configuration  and  then  wave  off 
for  another  24  hours  if  weather,  etc.,  make  landing  on  the  planned  day  unacceptable. 
Consumables  budgeted  for  the  weather  wave-off  extension  assume  VRCS  control  and 
minimum  orbiter  maintenance  activities  (IMU  align,  etc.).  Combined  with  the  deorbit  wave- 
off  extension  capability  (the  latter  reserved  at  a  higher  level  than  this  table),  the  weather 
wave-off  extension  day  provides  a  toted  capability  of  four  deorbit  attempts  with  three  deorbit 
preparations.  It  is  the  inten  t  to  maintain  the  weather  wave-off  extension  capability  at  a  high 
priority  to  account  for  unforeseen  weather  problems  (due  to  the  unpredictability  of  the 
weather  and  forecasting  uncertainty). 

Priority  6.  Flight-specific  activities:  All  flight  specific  activities  are  prioritized  in  the  Flight  Rules 
Annex.  The  priority  of  each  activity  considering  specific  flight  objectives  is  established 
prelaunch.  Implementation  of  the  Flight  Rule  Annex  propellant  priority  table  must  be 
completed  before  deleting  high  priority  activities  identified  in  this  table. 

The  following  rules  reference  this  rule: 

{A2-121A},  RNDZ/PROX  OPS  PROPULSION  SYSTEMS  MANAGEMENT ; 

(A6-51M,  V},  OMS  FAILURE  MANAGEMENT  [CIL ]; 

(A6-351},  OMS  PROPELLANT  MANAGEMENT  MATRIX; 

{A6-354},  RCS  ENTRY  REDLINE  PROTECTION; 

(A6-355},  OMS  PROPELLANT  DEFICIENCY  FOR  DEORBIT; 

{. A6-303A },  OMS  REDUNES  [CIL]; 

{A6-304A},  FORWARD  RCS  REDLINES; 

{ A6-305A },  AFT  RCS  REDLINES;  ©[092800-7247A] 

{A6-358J,  VIOLATION  OF  MISSION  COMPLETION  REDLINES  MATRIX; 

{A9-257CJ,  POWER  REACTANT  STORAGE  AND  DISTRIBUTION  (PRSD)  H2  AND  02  REDLINE 
DETERMINATION.  [ED] 
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A2-109  PREFERRED  ATTITUDE  FOR  WATER  DUMPS 

A.  TO  MINIMIZE  RECONTACT  POTENTIAL  OF  HIGH  VELOCITY  WATER 
PARTICLES  WITH  THE  ORBITER  OR  PAYLOADS,  SPECIFIC  DUMP 
ATTITUDES  ARE  PREFERRED  DURING  SUPPLY/WASTE  WATER  DUMPS.  THE 
REQUIRED  ATTITUDE  DEPENDS  ON  THE  ORBITER  POSITION  RELATIVE  TO 
THE  PAYLOAD.  THAT  POSITION  IS  DEFINED  AS  BEING  IN  ONE  OF 
FOUR  REGIONS  IN  THE  PAYLOAD  CENTERED  LVLH  FRAME  DEPICTED  IN 
THE  FOLLOWING  DIAGRAM. 

FIGURE  A2-109-I  -  PREFERRED  ATTITUDE  FOR  WATER  DUMPS 
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REGION  DUMP  ATTITUDE 

A  +YVV  (RETROGRADE  DUMP) 

B  +YVV  (RETROGRADE  DUMP) 

C  +Y  40  DEG  OUT  OF  PLANE  FROM  VV 

(BIASED  RETROGRADE  DUMP) 

D  -Y  20  DEG  OUT  OF  PLANE  FROM  VV 

(BIASED  RETROGRADE  DUMP) 

ORBITER  ALONE  +YVV  (RETROGRADE  DUMP) 

THIS  RULE  CONTINUED 


RESTRICTIONS 


THE  ORBITER  RELATIVE  APOGEE  MUST  BE  BELOW  THE 
BOUNDARY  OF  REGION  A.  THE  ORBITER  MUST  REMAIN 
WITHIN  REGION  A  FOR  THE  DURATION  OF  THE  DUMP. 

THE  ORBITER  MUST  BE  IN  A  STATIONKEEPING  OR  SLOW 
SEPARATION  SITUATION  AND  REMAIN  WITHIN  REGION  B 
FOR  THE  DURATION  OF  THE  DUMP. 

THE  ORBITER  MUST  BE  IN  A  STATIONKEEPING  OR  SLOW 
SEPARATION  SITUATION  AND  REMAIN  WITHIN  REGION  C 
FOR  THE  DURATION  OF  THE  DUMP. 

THE  ORBITER  RELATIVE  PERIGEE  MUST  BE  ABOVE  THE 
BOUNDARY  OF  REGION  D.  THE  ORBITER  MUST  REMAIN 
WITHIN  REGION  D  FOR  THE  DURATION  OF  THE  DUMP. 

INCLUDES  PAYLOAD  ATTACHED  CASE. 
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A2-109  PREFERRED  ATTITUDE  FOR  WATER  DUMPS  (CONTINUED) 

B.  THE  FOLLOWING  GUIDELINES  ARE  TO  BE  USED  FOR  THE  CASE  OF 

INTERSECTING  ORBITS  WHICH  DO  NOT  SATISFY  REGIONS  A,  B,  C, 

OR  D  ABOVE. 

1.  IF  THE  ORBITS  INTERSECT  WITH  THE  ORBITER  BEHIND  THE 
PAYLOAD  AND  THE  ORBITER  IS  MOVING  AWAY  FROM  THE  PAYLOAD 
OR  CLOSING  AT  LESS  THAN  50  NM/REV,  THEN  THE  DUMP  ATTITUDE 
WILL  BE  -Y,  20  DEG  OUT  OF  PLANE  FROM  +VV  (BIASED 
POSIGRADE) . 

2.  IF  THE  ORBITS  INTERSECT  WITH  THE  ORBITER  AHEAD  OF  THE 
PAYLOAD  AND  THE  ORBITER  IS  MOVING  AWAY  FROM  THE  PAYLOAD 
OR  CLOSING  AT  LESS  THAN  50  NM/REV,  THEN  THE  DUMP  ATTITUDE 
WILL  BE  -Y,  20  DEG  OUT-OF-PLANE  FROM  -W  (BIASED 
RETROGRADE) . 

3.  DUMPS  FOR  CASES  1  AND  2  SHOULD  BE  COMPLETED  AT  LEAST  TWO 
ORBITS  BEFORE  THE  POINT  OF  CLOSEST  APPROACH. 
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A2-109  PREFERRED  ATTITUDE  FOR  WATER  DUMPS  (CONTINUED) 

C.  GENERIC  ATTITUDE  RECOMMENDATIONS  CANNOT  BE  MADE  FOR  ORBITAL 
GEOMETRIES  WHICH  DO  NOT  MEET  THE  CONDITIONS  LISTED  ABOVE. 

These  recommendations  were  approved  at  the  On-Orbit  Flight  Techniques  Panel  #120.  The  major 
ground  rules  and  assumptions  are  listed  below: 

a.  Particle  ejection  velocity  is  assumed  to  be  between  30  and  100  ft/sec.  Measuremen  ts  from  an  STS-29 
supply  dump  video  show  particle  velocities  of  30-75  ft/sec.  It  is  also  known  that  waste  dump  rates 
are  typically  3.3  Ib/min,  compared  to  2.5  Ib/minfor  supply  dumps.  Since  each  dump  uses  the  same 
nozzle,  the  maximum  velocity  for  a  waste  dump  is  assumed  to  increase  in  proportion  to  the  flowrate. 
Thus,  the  maximum  velocity  is  3.372.5  X  75  =  100 ft/sec. 

b.  The  distribution  of  particle  ejection  angles  is  such  that  95  percent  of  the  particles  are  ejected  within 
a  10  degree  hcdf-cone  angle  of  the  orbiter  -Y  axis.  An  additional  10  degree  hcdf-cone  angle  is 
protected  in  these  recommendations. 

c.  The  boundaries  protect  a  1  nm  radius  sphere  of  position  uncertainty  for  both  the  orbiter  and 
payload. 

d.  All  particles  are  assumed  to  experience  more  atmospheric  drag  than  either  the  orbiter  or  the 
payload. 

Retrograde  dumps  preclude  particle  recontact  because  differential  drag  aids  in  moving  particles 
downward  and  forward. 

Posi  grade  dumps  may  result  in  cm  eventual  return  of  particles  due  to  differential  drag.  Some  particles 
may  travel  to  the  vicinity  of  the  payload  on  the  first  orbit.  The  in  tensity  of  recon  tact  is  minimized  by  the 
following  effects  which  act  to  disperse  the  particle  cloud: 

a.  Differential  drag  among  particles  of  different  sizes. 

b.  Out-of-plcine  velocity  of  particles  minimizes  time  in  plane. 

c.  Particles  sublimate  over  time. 
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A2-110 

STRUCTURES  THERMAL  CONDITIONING 

A.  IF  ANALYSIS  SHOWS  THAT  ALL  THERMAL  CONSTRAINTS  ARE  SATISFIED 
(THROUGH  El,  INCLUDING  WAVEOFFS)  PRIOR  TO  EXECUTION  OF  THE 
DEORBIT  PREP  ATTITUDE  SEQUENCE  DEFINED  BELOW,  REAL-TIME 
THERMAL  ANALYSIS  OF  THE  NOMINAL  AND  WAVEOFF  DEORBIT  ATTEMPTS 
IS  NOT  REQUIRED.  @[050495-1 768A] 


NOTE  : 

THE  BENDING-EFFECT  TEMPERATURE  (BET)  PROFILE  WILL  BE 
PREDICTED  ON  A  FLIGHT-SPECIFIC  BASIS  TO  DETERMINE  THE 

MAXIMUM  TIME  TO  PLBD  CLOSURE. 

TIG  - 

-4:40  MNVR  TO  IMU  ALIGNMENT  AND  VERIFICATION 

ATTITUDES  (ANY  INERTIAL)  @[072398-6645] 

TIG  - 

4:00  MNVR  TO  TAIL  SUN/COLD  SOAK  ATTITUDE  COMPLETE 

BIASED  -XSI :  PITCH  +184,  YAW  0, 

OMICRON  270  FOR  +  BETA 

90  FOR  -  BETA 

TIG  - 

2:55  RAD  BYPASS,  FES  CHECKOUT  @[072398-6645] 

TIG  - 

2:40  PLBD  CLOSING 
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A2-110  STRUCTURES  THERMAL  CONDITIONING  (CONTINUED) 

TIG  -? 2 : 2 5 *  MNVR  TO  THERMAL/COMM  ATTITUDE  WITH  THE 

FOLLOWING  GENERIC  REQUIREMENTS:  @[072398-6645] 

1.  SUN  LOS  VECTOR  AT  -X  BODY  AXIS  ?  30  DEGREES  IN 
YAW  AND  ?  5  DEGREES  IN  PITCH  (SUN  TO  STARBOARD 
DESIRED) . 

2.  ROLL  ORIENTATION  ABOUT  THE  SUN  VECTOR  SELECTED  TO 
OPTIMIZE  S-BAND  COMM.  DESIRE  TO  BE  PLB  TO  SPACE 
AT  NOON.  @[050495-1 768A] 

TIG  -  :  2  0  *  *  MNVR  TO  DEORBIT  BURN  ATTITUDE  (ANY)  @[072398-6645] 

TIG  +  ?:05  MNVR  TO  El  ATTITUDE  (ANY) 

*  MNVR  TO  THE  THERMAL/COMM  ATTITUDE  AT  THE  EARLIEST 

OPPORTUNITY  FOLLOWING  PAYLOAD  BAY  CLOSURE  TO  IMPROVE 
ORBITER  THERMAL  CONDITIONING  FOR  ENTRY.  @[072398-6645] 

**  FOR  WAVEOFFS  WHICH  ARE  DECLARED  AFTER  THE  START  OF 

DEORBIT  PREP,  THE  ADDITIONAL  TIME  WILL  BE  SPENT  IN  THE 
COMM  ATTITUDE.  IF  WAVEOFF  IS  DECLARED  AFTER  THE  MNVR  TO 
THE  D/O  BURN  ATTITUDE,  MNVR  BACK  TO  THE  COMM  ATTITUDE 
UNTIL  THE  NEXT  D/O  TIG-20  MINUTES.  @[050495-1 768A]  @[072398-6645] 
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A2-110  STRUCTURES  THERMAL  CONDITIONING  (CONTINUED) 

B.  IF  THE  ABOVE  SEQUENCE  IS  NOT  FOLLOWED,  FLIGHT-SPECIFIC 

ANALYSIS  IS  REQUIRED.  FLIGHT-SPECIFIC  ANALYSIS  OF  NOMINAL 
DEORBIT  PREP  PLUS  WAVEOFF  ATTITUDES  WILL  EVALUATE  THE 
FOLLOWING  SEQUENCES: 

1.  NOMINAL: 

|-  IMU  -|-  XSI  -|-  COMM  -|-  DEORBIT  |~  El  -|  @[072398-6645] 

PLBD  EOM 

CLOSE  TIG 

2.  NOMINAL  +  1  REV: 

|-  IMU  -|-  XSI  -|-  COMM  |  COMM  •  |  DEORBIT  -|-  El  -| 

@[072398-6645  ] 

PLBD  EOM  EOM+1  REV 

CLOSE  TIG  TIG 

3 .  NOMINAL  +  2  REVS : 

|-  IMU  -|-  XSI  -|-  COMM  -|-  COMM  -|-  COMM  -|-  DEORBIT  -|-  El  -| 
@[072398-6645  ] 

PLBD  EOM  EOM+1  REV  EOM+2  REVS 

CLOSE  TIG  TIG  TIG 

WORST-CASE  El  BONDLINE  LIMITS  (FROM  ALL  POSSIBLE  DEORBIT 
OPPORTUNITIES)  WILL  BE  USED. 

DETAILS  REGARDING  THE  USE  OF  COMPUTER  ANALYSIS  TO  EVALUATE 
DEORBIT  ATTITUDE  SEQUENCES  ARE  PROVIDED  IN  FLIGHT  RULES 
{A18-401},  THERMAL  PROTECTION  SYSTEM  (TPS)  BONDLINE 
TEMPERATURES,  AND  {A18-451},  ORBITER  THERMAL  CONSTRAINTS  AND 
ATTITUDE  MANAGEMENT  [CIL] . 

THIS  RULE  CONTINUED  ON  NEXT  PAGE 


VOLUME  A  06/20/02  FINAL  FLIGHT  OPERATIONS  2-133 

Verify  that  this  is  the  correct  version  before  use. 


NASA  -  JOHNSON  SPACE  CENTER 


FLIGHT  RULES 


A2-110  STRUCTURES  THERMAL  CONDITIONING  (CONTINUED) 

C.  THE  FOLLOWING  GUIDELINES  FOR  PRE-ENTRY  THERMAL  CONDITIONING 
SHOULD  BE  USED  FOR  INITIAL  PREFLIGHT  PLANNING  PURPOSES: 


BETA  ANGLE  AT 

START  OF  THERMAL 
CONDITIONING 


0  TO  ?  60  DEGREES 


>  ?  60  DEGREES 


10  HOURS  OF: 


FOLLOWED  BY: 


— ZLV,  PTC 
OR 


NORMAL  DEORBIT  ATL 
SEQUENCE  AS  DEFINED 
IN  PARAGRAPH  A 


?XLV,  ±ZVV 

PTC  NORMAL  DEORBIT  ATL 

SEQUENCE  AS  DEFINED 
IN  PARAGRAPH  A 


@[050495-1 768A] 

FLIGHT-SPECIFIC  ANALYSIS  OF  THE  ON-ORBIT  TIMELINE  WILL 
DETERMINE  WHETHER  SPECIAL  THERMAL  CONDITIONING  IS  NEEDED 
PRIOR  TO  DEORBIT  PREP.  IF  FLIGHT-SPECIFIC  THERMAL 
CONDITIONING  IS  REQUIRED,  IT  WILL  BE  DOCUMENTED  IN  THE  FLIGHT 
RULES  ANNEX.  @[050495-1 768A] 

Depending  on  the  flight-specific  attitude  timeline,  it  is  possible  that  the  deorbit  prep  attitude  sequence 
described  in  paragraph  a  will  not  satisfy  all  orbiter  or  payload  thermal  constraints.  This  is  especially 
true  for  high  beta  or  attitude  intensive  missions.  Attitudes  during  the  last  sleep  and  postsleep  period  are 
typically  -ZLV,  unless  payload  desires  drive  otherwise.  If  analysis  of  cm  attitude  timeline  predicts 
violations,  then  attitudes  prior  to  deorbit  prep  may  need  to  be  modified  to  improve  the  predicted 
temperatures.  Typical  conditioning  attitudes  could  be  a  specific  LVLH  orientation,  solar  inertial 
attitude,  PTC,  etc.  The  durations  and  orientations  of  these  conditioning  attitudes  will  be  worked  on  a 
flight-specific  basis,  and  the  plan  will  be  documented  in  the  flight-specific  annex. 
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A2-110  STRUCTURES  THERMAL  CONDITIONING  (CONTINUED) 

D.  DEORBIT  BURN  WILL  NOT  BE  DELAYED  IF  A  TPS  BONDLINE 

TEMPERATURE  IS  ABOVE  ITS  FLIGHT-SPECIFIC  LIMIT,  PROVIDED  ALL 

OF  THE  FOLLOWING  ARE  MET: 

1.  NO  TPS  BONDLINE  VIOLATIONS  WERE  PREDICTED  FOR  THE  PLANNED 
DEORBIT  SEQUENCE. 

2.  RADIATOR  COLDSOAK  AND  COMM  ATTITUDES  IN  DEORBIT  PREP  HAVE 
BEEN  CHOSEN  TO  MINIMIZE  SOLAR  EXPOSURE  ON  THE  TPS 
BONDLINES.  (THE  COMM  ATTITUDE  MAY  BE  BIASED  FROM  TAIL- 
SUN  AS  SPECIFIED  IN  PARAGRAPH  A  TO  MAINTAIN  TDRS  COMM.) 
@[050495-1 768A] 

3.  IF,  IN  DEORBIT  PREP,  OFF-NOMINAL  ATTITUDES  AND/OR  TIMES 
ARE  REQUIRED  DUE  TO  FAILURES  OR  OTHER  UNEXPECTED 
SITUATIONS,  THE  PLANNED  ATTITUDE  TIMELINE  IS  RESUMED  AS 
SOON  AS  CONDITIONS  ALLOW.  @[050495-1 768A] 

4.  THE  FLIGHT  SPECIFIC  EXCEEDENCE  IS  NO  GREATER  THAN  5  DEG 
OR  HAS  BEEN  APPROVED  BY  THE  MER . 


Flight-specific  limits  on  bondline  temperatures  at  entry  in  terface  (El)  are  defined  in  each  flight-specific 
annex.  These  limits  must  be  met  when  the  attitude  timeline  is  analyzed  and  bondline  temperatures  are 
predicted  at  El.  However,  if  a  temperature  is  actually  above  its  limit  prior  to  the  deorbit  burn,  the  burn 
is  not  waved  off,  because  reasonable  actions  are  taken  ahead  of  time  to  attempt  to  preclude  violations. 
Any  surprise  violations  should  be  very  small,  possibly  even  due  to  instrumentation  error  (which  is  not 
protected). 

The  flight-specific  bondline  limits  protect  orbiter  thermal/structural  certification  envelopes  (with  1.4 
factor  of  safety  (FOS)  during  “design  entry  ”  mechanical  loading).  The  bondline  temperature  upper 
limits  are  in  place  to  protect  a  gradient  temperature.  Since  the  method  of  gradient  protection  is  generic, 
and  the  limits  protect  for  design  cases  plus  1.4  FOS,  it  is  considered  less  risk  to  proceed  with  a  small 
violation  than  to  wave  off  deorbit  burn.  On  STS-55,  a  3-degree  violation  ofV09T1012  occurred  at  entry 
interface.  More  detailed  assessment  by  Engineering  indicated  that  in  this  case  there  was  actually 
approximately  20  degrees  margin  at  TAEM  and  touchdown  (the  points  really  being  protected). 
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A2-110  STRUCTURES  THERMAL  CONDITIONING  (CONTINUED) 

A  cold  cittitude(s)  will  be  used  for  radiator  coldsocik  and  “comm  attitude,  ”  to  reduce  bondline 
temperatures  to  the  extent  possible  during  deorbit  prep.  It  is  typically  difficult,  however,  to  satisfy  the 
bondline  limits,  even  when  cold  attitudes  are  chosen  such  as  tail-sun  or  nose-sun.  If  bondline  solar 
exposure  is  already  minimized,  there  would  be  little  or  no  corrective  action  available  so  nothing  is 
gained  by  delaying  the  deorbit  burn.  STEP  will  be  the  primary  tool  used  by  the  MCC  to  analyze  the 
nominal  attitude  timeline.  Any  predicted  violations  ( which  include  STEP  accuracy  biases)  will  be 
resolved  either  (I)  by  changing  attitudes,  including  those  prior  to  deorbit  prep  if  necessary,  or  (2)  by 
comparing  STEP  predictions  to  previous  flight  data  in  similar  beta  angles  and  attitudes,  or  to  other 
thermal  models,  and  “outvoting”  the  STEP  prediction.  The  rationale  for  Rule  {A1 8-401},  THERMAL 
PROTECTION  SYSTEM  (TPS)  BONDLINE  TEMPERATURES,  provides  more  information  on  STEP 
analysis  and  biases. 

Instrumentation  error  is  not  protected  for  the  bondline  temperature  sensors.  Instrumentation  error  is  not 
considered  in  the  structural  analyses  which  are  used  to  generate  the  El  limit  models,  nor  are  any  other 
uncertainties.  When  analyzing  structural  stress,  it  is  generally  not  known  whether  a  positive  or  negative 
error  causes  worse  structural  gradients,  so  only  “actual”  temperatures  are  used.  Analysis  of  all 
possible  uncertainty  combinations  would  require  prohibitively  large  numbers  of  simulations.  Also, 
inclusion  of  instrumen  tation  error  would  cause  frequen  t  limit  exceedences. 

If  real-time  deviations  from  the  planned  attitude  timeline  are  required  (for  reasons  such  as  single  star 
tracker  IMU  aligns,  missed  stars,  time  taken  to  troubleshoot  a  failure,  etc.),  they  will  take  priority  and 
will  not  be  rushed  or  canceled  in  favor  of  bondline  thermal  limits.  However,  the  orbiter  will  return  to 
the  planned  cold  attitude  as  soon  as  the  situation  allows,  and  deorbit  burn  will  proceed  as  planned. 
®[050495-1768A] 

A  small  limit  exceedence  of  up  to  5  degrees  is  acceptable  to  the  technical  community  without  further 
discussion.  Exceedences  greater  than  5  degrees  should  be  understood  or  accepted  given  whether  it  could 
realistically  be  brought  back  into  tolerance  by  further  activity  prior  to  deorbit.  ©[050495-1768A] 

Documentation:  Ascent/Entry  Flight  Techniques  #111,  3/25/94;  Orbiter  CCB  6/14/94,  8/9/94; 
Engineering  Judgment.  ®[050495-l  768A] 
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A2-110  STRUCTURES  THERMAL  CONDITIONING  (CONTINUED) 

E.  ADEQUATE  THERMAL  CONDITIONING  IS  PROVIDED  FOR  EMERGENCY 

ABORTS  FROM  ORBIT  BY  MAINTAINING  NORMAL  THERMAL  LIMITS  AND  BY 
ENSURING  THAT  THE  PROJECTED  MISSION  PROFILE  OF  BENDING  EFFECT 
TEMPERATURE  (BET)  REMAINS  LESS  THAN  200  DEG  F.  THERE  ARE  NO 
BONDLINE  TEMPERATURE  CONSTRAINTS  FOR  EMERGENCY  DEORBIT. 

Maintaining  BET  <  200  deg  F  ensures  that  PLBD  dosing  can  be  accomplished  for  anytime  deorbit 
opportunities.  Typical  bondline  temperature  constraints  for  El  protect  for  a  1.4  factor  of  safety  above 
design  structural  loads.  Since  typical  entry  loads  are  well  below  design  loads,  it  is  not  necessary  to 
protect  the  1.4  factor  of  safety  over  design  entry  loads  in  the  event  of  an  emergency  deorbit. 

DOCUMENTATION:  SODB,  pg  3.4. 1.1 -5, and  NASA  JSC  Memo  ES2-93-096. 

Rule  l A1 8-451},  ORB1TER  THERMAL  CONSTRAINTS  AND  ATTITUDE  MANAGEMENT  [CIL], 
references  this  rule. 

Reference  Rule  {A10-206},  PLBD  CLOSE  GO/NO-GO,  for  BET  definition  and  constraints. 
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A2-111  DPS  COMMAND  CRITERIA 

A.  GPC  MEMORY  WRITE  PROCEDURES  CAN  BE  USED  IN  FLIGHT  TO  MODIFY 
DATA  AND  CODE  IN  BOTH  THE  PASS  AND  BFS . 

The  Orbiter  Avionics  Software  Board  (OASCB)  has  authorized  the  use  of  GPC  memory  write  procedures 
to  modify  data  or  code  in  PASS  or  BFS.  This  is  allowed  to  restore  orbiter  capabilities  lost  because  of 
real-tune  orbiter  hardware  problems  or  to  correct  software  problems  that  do  not  require  a  recompilation 
of  the  software. 

B.  THE  USE  OF  GPC  MEMORY  WRITE  PROCEDURES  ARE  SUBJECT  TO  THE 
GUIDELINES  DEFINED  BY  RULE  {A7-16},  GPC  MEMORY  WRITE  CRITERIA 
[CIL] . 

All  GPC  memory  procedures  must  adhere  to  rigorous  verification  prior  to  their  use  to  ensure  crew  and 
vehicle  safety.  Reference  Rule  { A7-16 j,  GPC  MEMORY  WRITE  CRITERIA  [ CIL],  for  such  guidelines, 
as  well  as  the  different  types  of  GPC  memory  write  procedures. 

C.  DEU  EQUIVALENT  COMMANDING  DURING  CREW  SLEEP  WILL  NOT  BE 
PERFORMED  UNTIL  ALL  OF  THE  FOLLOWING  REQUIREMENTS  HAVE  BEEN 

MET  :  @[072795-1 775A] 

1.  CONFIRMED  PERIOD  OF  AOS  AND  GOOD  COMM  BOTH  BEFORE  AND 
AFTER  SCHEDULED  COMPLETION  OF  THE  DEU  EQUIVALENT  COMMAND 
LOAD  . 

A  valid  downlist  is  required  for  the  MCC  to  be  able  to  verify  DEU  equivalent  command  execu  tion.  In 
addition,  an  active  downlist  is  required  from  the  destination  GPC  or  major  function  for  the  ground 
command  processing  software  to  verify  the  uplink  and  automatically  send  the  buffer  execute  command. 

A  period  of  good  conun  is  required  so  that  the  crew  can  be  contacted  in  the  event  of  an  off  nominal 
situation.  During  maneuvers,  there  may  be  brief  periods  of  LOS  or  bad  comm  while  the  vehicle 
changes  attitudes.  These  brief  periods  are  acceptable,  as  long  as  the  resultant  attitude  is  confirmed  to 
have  good  comm. 

2.  THE  MCC  MUST  BE  ABLE  TO  VERIFY  ALL  DEU  EQUIVALENT  LOADS 
VIA  METHODS  OTHER  THAN  SCRATCHPAD  LINE  RESPONSE. 
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A2-111  DPS  COMMAND  CRITERIA  (CONTINUED) 

Due  to  the  timing  differences  between  the  downlist  cycle  and  when  the  GPC  polls  the  DEU,  the 
possibility  exists  such  that  all  uplinked  commands  may  not  be  seen  on  the  downlisted  scratchpad  line. 
Since  there  is  a  requirement  for  ground  confirmation  of  all  DEU  loads,  there  must  be  an  alternate  way  to 
verify  the  uplink  through  end  item  telemetry  feedback’ s.  ©[072795-1775A] 

3.  DEU  EQUIVALENT  LOADS  SHOULD  AVOID  CONTAINING  ITEM  SERIES 
WHICH  MUST  BE  UPLINKED  AT  A  SPECIFIC  TIME  OR  WITHIN  A 
SPECIFIC  TIME  INTERVAL.  @[072795-1 775A] 

Due  to  the  dynamic  nature  of  commanding  and  the  requirement  for  good  comm  and  AOS  to  allow  the 
MCC  to  properly  verify  the  execution  of  each  DEU  equivalent  load,  there  may  be  times  when  the  ground 
cannot  uplink  a  required  load  at  a  specific  time.  Therefore,  the  MCC  should  not  be  constrained  by 
specific  time  requiremen  ts  for  DEU  equivalent  loads.  There  may  be  occasions  where  this  cannot  be 
avoided,  but  time  specific  loads  need  to  be  closely  analyzed  for  any  risks  associated  with  delaying  their 
uplink. 


4.  IF  A  SERIES  OF  DEU  EQUIVALENT  LOADS  ARE  PLANNED,  THE 
IMPACT  OF  NOT  COMPLETING  ALL  UPLINKS  MUST  BE  EVALUATED. 
FUTURE  MANEUVER  LOADS,  CREW  ALERT  SPC'S,  AND/OR  CREW 
BAILOUT  ATTITUDES  MUST  BE  USED  AS  REQUIRED  TO  PROVIDE  AN 
APPROPRIATE  LEVEL  OF  PROTECTION  FOR  UNEXPECTED  LOSS  OF 
COMMUNICATION. 

Due  to  the  dynamic  nature  of  commanding  and  the  requirement  for  good  comm  and  AOS  to  allow  the 
MCC  to  properly  verify  the  execution  of  each  DEU  equivalent  load,  there  may  be  times  when  the  ground 
cannot  uplink  a  required  load  at  a  specific  time.  Because  of  this,  there  exists  the  potential  to  be  in  a 
specific  orbiter  configuration  longer  than  originally  intended.  The  MCC  must  have  evaluated  all 
associated  risks  (e.g.,  comm,  thermal,  payload  constraints,  etc.)  with  these  situations  and  analyzed  the 
cost/benefit  tradeoff  before  proceeding  with  the  uplink  of  the  first  load. 

Based  on  the  complexity  of  the  desired  DEU  equivalent  load(s)  there  may  or  may  not  be  a  desire  to  use  a 
crew  alert  SPC  to  wake  the  crew  at  some  time  in  the  future  in  case  cm  off  nominal  situation  were  to 
occur.  The  SPC  would  be  set  to  time  out  far  enough  in  advance  to  cdlow  the  MCC  to  clear  it  once  they 
were  able  to  verify  the  correct  orbiter  configuration  after  the  DEU  equivalent  execution  was  complete. 

The  crew  should  be  notified  prior  to  sleep  of  any  poten  tial  bailout  attitudes  in  the  event  they  are 
awakened  by  an  SPC  and  cannot  establish  communications  with  the  MCC. 

5.  DPS  DEU  EQUIVALENT  COMMANDING  ARE  SATISFIED  PER  RULE  {A7- 
108},  DEU  EQUIVALENT  CRITERIA.  @[072795-1 775A] 
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A2-112  PDRS 

A.  NORMAL  PDRS  OPERATIONS  WILL  CEASE  AND  THE  RMS  WILL  BE  CRADLED 
IF  BACKUP  PLUS  ONE  OTHER  SINGLE  JOINT  MODE  IS  NOT  AVAILABLE 
TO  DRIVE  EACH  JOINT. 


Reference  Rule  {A12-1  j,  EVA  FOR  RMS  OPERATION,  for  rationale. 

B.  ANY  ORBITER  FAILURE  THAT  REQUIRES  A  NEXT  PLS  DEORBIT 

OPPORTUNITY  IS  CAUSE  TO  TERMINATE  RMS  ACTIVITIES  IMMEDIATELY. 


In  the  event  of  a  next  PLS  situation,  the  orbiter  must  be  configured  for  entry  as  soon  as  possible,  which 
requires  that  the  RMS  be  cradled,  latched,  and  stowed  prior  to  PLBD  closing.  If  critical  operations  are 
being  performed,  such  as  berthing  a  payload,  the  situation  may  allow  for  those  operations  to  be 
completed  depending  on  the  time  available  prior  to  deorbit. 

C.  EVA  IS  CONSIDERED  A  BACKUP  CAPABILITY  FOR  THE  FOLLOWING  RMS 
FUNCTIONS  FOR  THE  ACCOMPLISHMENT  OF  HIGH  PRIORITY  OBJECTIVES 
AS  DEFINED  IN  THE  FLIGHT  SPECIFIC  ANNEX: 

1.  END  EFFECTOR  RELEASE. 

2.  MPM  STOW/DEPLOY. 

3 .  MRL  LATCHES . 

4 .  SHOULDER  BRACE  RELEASE . 

5 .  RMS  CRADLE . 

EVA  techniques  exist  to  accomplish  the  above  activities.  For  high  priority  objectives,  it  may  be 
acceptable  to  continue  with  the  redundant  method  of  accomplishing  these  operations  requiring  an  EVA. 
Operating  under  these  conditions  is  still  safe  since  the  arm  can  be  jettisoned  if  an  EVA  cannot  be 
performed. 
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A2-112  PDRS  (CONTINUED) 

D.  NORMALLY  DURING  CREW  SLEEP  PERIODS  OF  NON-RMS  OPERATIONS,  THE 
RMS  WILL  BE  CRADLED  AND  LATCHED  AND  THE  SYSTEM  LEFT  IN  THE 
TEMPERATURE  MONITOR  MODE. 

This  is  the  safest  configuration  should  an  emergency  entry  be  required  and  protects  against  RMS  or 
MRL  failures.  There  is  no  system  constraint  against  leaving  the  arm  out  other  than  as  noted  in 
paragraph  E. 

E.  CONSIDERATION  WILL  BE  GIVEN  TO  PARKING  THE  RMS  DURING  CREW 
SLEEP  PERIODS  IF  A  PAYLOAD  CANNOT  BE  BERTHED  AND  DEORBIT  IS 
NOT  PLANNED  WITHIN  24  HOURS. 

In  the  event  of  a  PRLA  failure  or  some  other  failure  which  prevents  berthing  the  payload,  the 
RMS/payload  may  be  positioned  and  left  with  the  brakes  on  during  crew  sleep.  Various  factors  must  be 
considered  in  order  to  accept  this  including  payload  inertias  which  have  cm  important  effect  on  DAP 
stability.  In  addition,  when  large  payloads  are  attached  to  the  arm  with  the  brakes  on,  PRCS  control  jet 
firings  can  result  in  large  arm  movemen  ts  which  are  not  annunciated  as  failures.  MCC  must  be  able  to 
mon  itor  joint  movemen  t  during  the  sleep  period. 

F.  PRIOR  TO  RMS  AND/OR  PAYLOAD  JETTISON,  AN  EVA  MAY  BE  PERFORMED 
TO  AID  PAYLOAD  BERTHING,  ARM  CRADLE,  AND/OR  STOWAGE  OF  THE 
RMS  WHEN  ALL  OTHER  ATTEMPTS  HAVE  FAILED. 

EVA  techniques  are  available  for  RMS  cradle  and  latch  as  well  as  the  MPM.  In  addition,  EVA 
techniques  may  be  possible  for  releasing,  berthing,  and  latching  of  the  payload  in  the  event  of  a  failed 
RMS.  In  essence,  this  rule  gives  authority  to  attempt  any  method  to  berth  the  payload  and/or  cradle  the 
arm  prior  to  payload  and/or  arm  jettison. 

G.  ONCE  THE  MPM' S  ARE  DEPLOYED,  PROVIDING  THERE  IS  DUAL-MOTOR 
STOW  CAPABILITY,  THE  MPM' S  MAY  BE  LEFT  DEPLOYED  UNTIL  THE  RMS 
MISSION  OPERATIONS  ARE  COMPLETED. 

Reference  Rule  {A12-142},  EE  CAPTURE/RIGIDIZE,  for  rationale. 

Rule  (A2-104J,  SYSTEMS  REDUNDANCY  REQUIREMENTS,  references  this  rule. 
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A2-113  OMS/RCS  DOWNMODING  CRITERIA 

A.  OMS/RCS  DOWNMODING  IS  DEFINED  AS  THE  CHANGING  OF  THE  OMS/RCS 
ENGINE  CONFIGURATION (S)  SO  AS  TO  ALLOW  CONTINUATION  OF  A 
DELTA  V  MANEUVER: 

1.  DUAL  REDUNDANCY  DOWNMODE  (TRIPLE  DOWNMODE)  PROTECTION 
IS  DEFINED  AS  THE  CAPABILITY  TO  CHANGE  THE  BURN 
CONFIGURATION  FROM  THE  OMS  ENGINES  TO  ONE  OMS  ENGINE 
AND  FURTHER  DOWNMODE  TO  RCS  WHILE  STILL  RETAINING  THE 
ABILITY  TO  COMPLETE  THE  PLANNED  MANEUVER. 

2.  SINGLE  REDUNDANCY  DOWNMODE  IS  DEFINED  AS  TWO  OMS, 

ENGINES  DOWNMODE  TO  ONE  OMS  ENGINE,  ONE  OMS  ENGINE 
DOWNMODE  TO  RCS,  OR  RCS  RM  DOWNMODE  TO  MAINTAIN  TWO 
±X  JETS. 

B.  DOWNMODING  FROM  TWO  OMS  ENGINES  TO  ONE  OMS  ENGINE  IN  RESPONSE 
TO  AN  ENGINE  FAILURE  IS  ALLOWED  UTILIZING  OMS  CROSSFEED  AS 
REQUIRED . 

C.  FOR  ONE  OMS  ENGINE  MANEUVER  DOWNMODING  TO  RCS,  THE  BURN  CAN 
BE  CONTINUED  USING  OMS  PROPELLANT  (ON-ORBIT  ONLY  IF  RCS  WAS 
INTERCONNECTED  DURING  THE  OMS  BURN)  OR  RCS  PROPELLANT  TO  RCS 
JETS  AS  LONG  AS  DEORBIT  PROPELLANT  REQUIREMENTS  ARE 
PROTECTED . 


Due  to  lifetime  concerns,  single  OMS  engine  bums  will  be  planned  when  possible  in  order  to  increase 
OMS  engine  lifetime.  Additionally,  because  a  sufficiently  large  TIG  slip  capability  exists  during  the 
orbit-critical  burns,  utilizing  the  RCS  to  provide  a  downmode  capability  is  reasonable  as  long  as 
sufficient  RCS  margin  is  available  to  perform  the  minimum  required  separation  delta  V.  Declaring  the 
RCS  as  a  viable  downmode  option  decreases  the  number  of  times  two  OMS  engines  will  be  scheduled  for 
on-orbit-critical  burns  ( i.  e. ,  increases  lifetime ). 

Only  the  minimum  separation  delta  V  is  obtained  by  the  RCS  to  complete  the  burn  (subsequent  to  an 
OMS  engine  failure).  Minimum  propellant  resources  are  expended  to  satisfy  safety  criteria  while 
optimizing  remaining  propellant  (OMS  and  RCS)  available  to  protect  RCS  steep  deorbit  requirements. 

On-orbit,  downmo  ding  from  two  ±X  jets  to  a  different  set  of  two  ±X  jets  by  RCS  RM  is  allowable  for  crew 
safety-critical  burns  since  the  downmode  provides  the  same  single  failure  protection  as  the  OMS/OMS 
and  OMS/RCS  downmodes. 
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A2-114  OMS/RCS  MANEUVER  CRITICALITY 

A.  DELTA  V  MANEUVERS  CRITICAL  FOR  CREW  SAFETY  WILL  BE  TARGETED 
SUBJECT  TO  THE  FOLLOWING  GUIDELINES: 

1.  OMS-1,  OMS-2,  AND  DEORBIT  BURNS  WILL  BE  PERFORMED  USING 
TWO  OMS  ENGINES  UTILIZING  DUAL  OR  SINGLE-DOWNMODE 
CAPABILITY  (AS  AVAILABLE)  IF  REQUIRED  TO  MEET  DELTA  V 
REQUIREMENTS . 

2.  SPACECRAFT  SEPARATION  BURNS  WILL  BE  PLANNED  SUCH  THAT  A 
SINGLE-DOWNMODE  CAPABILITY  (OMS  OR  RCS)  EXISTS  TO  MEET 
MINIMUM  DELTA  V  REQUIREMENTS. 

B.  FLIGHT  SUCCESS  DELTA  V  MANEUVERS  ARE  DEFINED  AS  THOSE 
MANEUVERS  ESSENTIAL  TO  FLIGHT  SUCCESS  WHICH  CANNOT  BE 
POSTPONED  BEYOND  THE  SPECIFIED  TIG  SLIP.  A  SINGLE  DOWNMODE 
ACTION  WILL  BE  ACCOMPLISHED  IF  REQUIRED  TO  COMPLETE  A  FLIGHT 
SUCCESS  DELTA  V  MANEUVER  IF  A  PROPELLANT  SYSTEM  FAILURE  DOES 
NOT  EXIST,  AND  PROPELLANT  IS  AVAILABLE  TO  COVER  RCS  STEEP 
DEORBIT  DELTA  V  REQUIREMENTS.  @[121296-4213] 

C.  NONCRITICAL  DELTA  V  MANEUVERS  ARE  DEFINED  AS  ALL  THOSE 
MANEUVERS  WHICH  DO  NOT  FALL  IN  THE  CATEGORIES  DEFINED  IN 
PARAGRAPHS  A  AND  B.  DOWNMODING  TO  COMPLETE  A  NONCRITICAL 
BURN  IS  NOT  ALLOWED. 


For  all  maneuvers  critical  for  crew  safety,  engine  downmode  capability  is  required  to  maintain  fail-safe 
engine  redundancy  during  the  burn.  Single  OMS  engine  burns  with  downmode  capability  to  the  RCS 
+X  jets  are  preferable  to  dual  OMS  engine  burns,  minimizing  OMS  engine  starts,  and  increasing  OMS 
engine  lifetime.  Sufficiently  large  delta  V  maneuvers  such  as  OMS-1,  OMS-2,  and  the  deorbit  burn  will 
be  performed  using  two  OMS  engines  in  order  to  avoid  any  OMS  valve  reconfiguration  during  a 
nominal  burn  ( i. e. ,  crossfeeding  halfway  through  the  burn  so  that  OMS  propellant  remains  balanced) 
and  to  reduce  the  amount  of  OMS  propellant  required  for  the  burn  if  the  downmode  option  is  utilized. 

®[  ED  ] 
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A2-114  OMS/RCS  MANEUVER  CRITICALITY  (CONTINUED) 

For  spacecraft  separation  burns,  downmoding  will  be  performed  only  to  satisfy  the  minimum  delta  V 
requirement  necessary  to  avoid  any  orbiter  damage  from  the  spacecraft  PKM  firing.  Following  cm  OMS 
engine  failu  re,  propellan  t  redlines  must  be  redefined  to  protect  RCS  steep  deorbit  capability  and 
propellant  may  not  be  available  to  complete  the  separation  maneuver  to  the  nominal  delta  V 
requirement. 

Downmoding  will  be  performed  on  flight  success  delta  V  maneuvers  only  for  OMS  engine  failures 
providing  preburn  analysis  shows  that  sufficient  propellant  is  available  to  protect  RCS  steep  deorbit 
delta  V  requirements.  For  a  propellant  system  failure  or  an  engine  failure  and  insufficient  propellant 
remaining  to  protect  RCS  steep  deorbit  capability,  the  burn  must  be  terminated  and  deorbit  will  be 
attempted  at  the  next  PLS  opportunity.  The  Flight  Rules  Annex  may  redefine  the  deorbit  propellant 
requirement  to  allow  RCS  deorbit  to  45-degree  prebank  targets. 

Downmoding  will  not  be  performed  on  noncritical  burns  so  that  propellant  redlines  can  be  redefined 
prior  to  committing  propellant  to  a  delta  V  maneuver  unnecessarily. 
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A2-115  ENGINE  SELECTION  CRITERIA 

ENGINE  SELECTION  WILL  BE  BASED  UPON  OMS/RCS  DOWNMODING  CRITERIA, 
MANEUVER  CRITICALITY,  AND  THE  SPECIFIC  DELTA  V  REQUIREMENTS  FOR 
THE  MANEUVER: 

A.  DELTA  V  <  6  FPS  -  PERFORM  MANEUVER  WITH  RCS .  DOWNMODING 
PROTECTION  IS  PROVIDED  BY  JET  REDUNDANCY. 

B.  DELTA  V  >6  FPS  -  PREFERENCE  WILL  BE  GIVEN  TO  SELECTING  A 
SINGLE  OMS  ENGINE  CONFIGURATION  VERSUS  TWO  OMS  ENGINES, 
SUBJECT  TO  MANEUVER  CRITICALITY  AND  PROCEDURAL  COMPLEXITY 
CONCERNS,  IN  ORDER  TO  ACCOMMODATE  ENGINE  LIFETIME 
CONSIDERATIONS.  RCS  MAY  BE  USED  IF  APPLICABLE. 

For  large  delta  V  maneuvers  (>  6fps)  OMS  engines  are  selected  over  RCS  jets  in  order  to  reduce 
propellant  consumption  and  minimize  burn  residuals.  RCS  jets  are  used  for  smaller  delta  V  maneuvers 
( <  6  fps)  to  avoid  unnecessary  OMS  engine  starts  when  propellant  savings  will  be  negligible.  Also,  for 
small  OMS  burns  ( <  6  seconds)  guidance  runs  open-loop  so  postburn  residuals  may  be  large.  If 
following  these  guidelines  creates  unnecessary  procedural  complexity  ( e. g. ,  burns  planned  originally 
using  the  RCS  system  must  be  switched  real  time  to  OMS  burns),  it  is  acceptable  to  use  RCS  jets  for  delta 
V  maneuvers  of  greater  than  6  fps  provided  the  additional  propellant  necessary  is  available. 

Rule  {A2-121EJ.3,  RNDZ/PROX  OPS  PROPULSION  SYSTEMS  MANAGEMENT,  references  this  rule. 
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A2-116  RENDEZVOUS  (RNDZ ) /PROXIMITY  OPERATIONS  (PROX  OPS) 

DEFINITIONS 

A.  RNDZ  OPS  ARE  DEFINED  TO  INCLUDE  ALL  ORBITER  RNDZ  MANEUVERS 
AND  ASSOCIATED  RNDZ  ACTIVITIES  TERMINATING  WITH  THE 
INITIATION  OF  PROX  OPS. 

B.  PROX  OPS  BEGIN  AT  THE  COMPLETION  OF  RNDZ  OPS  WHEN  THE  ORBITER 
RANGE  TO  THE  TARGET  IS  <1000  FEET  AND  THE  LVLH  RELATIVE 
VELOCITY  IS  <1  FPS  IN  EACH  AXIS. 


RNDZ  OPS  utilize  closed  loop  guidance,  navigation,  and  control  to  achieve  a  desired  relative  state. 
PROX  OPS  is  a  post-RNDZ  activity  where  different  techniques  used  to  “control”  the  orbiter  trajectory 
than  those  used  during  RNDZ  OPS.  These  techniques  rely  on  crew  visual  observations  and  piloting 
techniques  to  achieve  a  desired  relative  state.  These  definitions  are  provided  for  reference. 
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A2-117 

RNDZ/PROX  OPS  GNC  SYSTEMS  MANAGEMENT 

FAILURE 

TO  MAINTAIN  THE  FOLLOWING  CAPABILITIES  WILL  PRECLUDE 

APPROACH  CLOSER  THAN  250  FEET  FROM  A  TARGET.  IF  THE  FOLLOWING 
CAPABILITY  IS  NOT  MAINTAINED  WHILE  OPERATING  WITHIN  250  FEET  OF  A 
TARGET,  A  MANEUVER  TO  250  FEET  WILL  BE  PERFORMED  UNTIL  THE  LOST 
CAPABILITY  CAN  BE  REGAINED:  ®[021 1 99-6798A] 

A.  ROTATION  AND  TRANSLATION  CAPABILITY  IN  EACH  AXIS.  MINIMUM 
JET  REQUIREMENTS  FOR  TRANSLATION  ARE  AS  FOLLOWS: 


1  . 

+X  -  ONE  AFT-FIRING  JET  IN  EACH  AFT  POD  [1]  ®[081497-6283A] 

2  . 

-X  -  ONE  FORWARD-FIRING  JET 

3. 

±Y  -  ONE  FORWARD  YAW  JET  PER  SIDE,  ONE  FORWARD  DOWN  JET 
PER  SIDE,  AND  ONE  AFT  YAW  JET  PER  SIDE  [3] [4] 

4  . 

-Z  -  ONE  DOWN-FIRING  JET  IN  THE  FORWARD  MODULE  AND  EACH 
AFT  POD  [3] [4] 

5  . 

NORMAL  +  Z  -  ONE  UP-FIRING  JET  IN  THE  FORWARD  MODULE  AND 

EACH  AFT  POD 

6. 

LOW  +Z  -  TWO  FORWARD-FIRING  JETS  AND  ONE  AFT-FIRING  JET 
PER  POD  [2] 
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A2-117  RNDZ/PROX  OPS  GNC  SYSTEMS  MANAGEMENT  (CONTINUED) 

NOTES : 

[1]  IF  THE  ORBITER  IS  UNDER  ACTIVE  ATTITUDE  CONTROL,  ONLY  ONE 
JET  TOTAL  IS  REQUIRED,  BUT  PROPELLANT  CONSUMPTION  WILL  BE 
GREATER  DUE  TO  RESULTANT  CROSS-COUPLING. 

[2]  LOW  +Z  IS  DESIRABLE  BUT  NOT  NORMALLY  REQUIRED  LOW  Z  ATTITUDE 
CONTROL  IS  UNAFFECTED  BY  LOSS  OF  THESE  JETS. 

[3]  DAP  LOGIC  WILL  INHIBIT  Y  TRANSLATIONS  IF  BOTH  FORWARD  SIDE¬ 
FIRING  OR  DOWN-FIRING  JETS  ON  EITHER  SIDE  ARE  NOT  AVAILABLE. 

®[081 497-6283A] 

[4]  FOR  DOCKING  MISSIONS,  POST  CONTACT  THRUST  (PCT)  REQUIRES  ONE 
FORWARD  DOWN-FIRING  JET  PER  SIDE  AND  ONE  DOWN-FIRING  JET  IN 
EACH  AFT  POD  (FOUR  JETS  TOTAL) .  THESE  JET  REQUIREMENTS  ARE 
SATISFIED  AS  LONG  AS  ±Y  AND  -Z  TRANSLATION  CAPABILITIES 
EXIST.  ®[021 199-6798A]  ®[ED  ] 

If  the  above  capabilities  are  not  maintained  outside  of  250 feet  while  approaching  a  target ,  proximity 
operations  inside  250 feet  will  be  postponed  until  reconfiguration  regains  the  lost  capability.  A 
minimum  range  of  250 feet  is  used  because  the  ISS  approach  corridor  begins  at  250 feet,  and  it  would 
not  be  prudent  to  approach  within  the  corridor  without  full  control  capability.  For  other  rendezvous 
targets,  this  minimum  range  is  somewhat  arbitrary,  and  250 feet  is  used  for  consistency  across  all 
rendezvous  flights.  ®[021 1 99-6798A] 

Proximity  operations  within  250 feet  of  a  target  vehicle  requires  complete  rotation  and  translation 
capability.  Rotation  is  required  for  attitude  control  while  maneuvering  the  orbiter  to  the  target  vehicle 
and  can  be  achieved  with  either  VRCS  or  PRCS.  Translation  (PRCS  only)  is  required  to  properly 
achieve  a  relative  position  to  the  target  vehicle.  Satisfying  the  minimum  jet  requiremen  ts  for  translation 
listed  above  also  ensures  that  full  PRCS  attitude  control  is  available  for  both  Low  Z  and  Norm  Z  modes 
(rotational  control  requires  a  subset  of  the  jets  used  for  translation).  Failure  to  maintain  full  capability 
could  jeopardize  crew  safety,  loads  margins,  and  mission  success.  The  number  of  jets  required  for  each 
group  is  specified. 
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A2-117  RNDZ/PROX  OPS  GNC  SYSTEMS  MANAGEMENT  (CONTINUED) 

Low  Z  capability  is  desirable  for  some  target  vehicles  in  order  to  minimize  plume  impingemen  t  on  the 
target  vehicle  from  the  up-firing  PRCS  jets  during  attitude  hold  or  +Z  translations.  ®[081 497-6283A] 

Low  Z  is  defined  in  terms  of  two  capabilities: 

a.  Translation:  Simultaneous  plus  and  minus  X  jets  will  fire  in  response  to  a  +Z  THC 

command. 

b.  Attitude  control:  The  DAP  will  not  command  any  up-firing  jets  (TAIL-ONLY  option  for  pitch 

control  selected  on  SPEC  20  is  overridden  by  Low  Z,  resulting  in  forward 
down-firing  jets  being  commanded  for  pitch-up  control).  Therefore,  one 
forward  down-firing  jet  on  each  side  and  one  down-firing  jet  in  each  aft 
pod  is  required  to  maintain  pitch  and  roll  control  (yaw  requiremen  ts  are 
unchanged).  The  Low  Z  mode  will  be  deselected  and  the  DAP  will  mode  to 
FREE  if  the  IMU  ATT  DG  flag  is  set  BAD. 

Docking  missions  require  Post  Contact  Thrusting  (PCT)  for  successful  capture.  PCT  capability  is 
ensured  as  long  as  the  minimum  jet  requiremen  ts  for  translation  listed  above  are  satisfied.  @[021199- 
6798A] 

B.  AFT  CONTROLLERS  REQUIRE  AS  A  MINIMUM  ONE  CONTACT/CHANNEL  PER 
AXIS  (EXCEPT  FOR  -Z  THC  WHICH  REQUIRES  TWO  CONTACTS) . 

The  aft  RHC  is  required  to  have  one  channel  per  axis  in  order  to  retain  complete  rotation  capability. 

The  loss  of  the  forward  RHC  is  not  a  constrain  t  due  to  the  difficulty  in  performing  proximity  operations 
from  the  forward  station.  The  aft  THC  is  required  to  have  at  least  one  contact  per  axis  per  direction 
( i. e. ,  +X,  -X,  +Y,  -Y,  +Z,  -Z)  in  order  to  retain  complete  translation  capability  using  normal 
procedures.  It  is  possible  in  some  cases  to  perform  THC  operations  from  the  forward  station,  but 
exclusive  use  of  the  forward  station  should  not  be  planned. 

Reference  rationale  for  paragraph  C.2for  the  -Z  THC. 
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A2-117  RNDZ/PROX  OPS  GNC  SYSTEMS  MANAGEMENT  (CONTINUED) 

C.  Z  TRANSLATION  MUST  BE  ONE-FAULT  TOLERANT.  THIS  REQUIRES  AS  A 
MINIMUM: 

1.  PLUS  Z  TRANSLATION 

a.  SUFFICIENT  JETS  TO  MAINTAIN  +Z  TRANSLATION  FOR  THE 
LOSS  OF  ANY  SINGLE  JET  OR  MANIFOLD.  EITHER  NORMAL  +Z 
OR  LOW  +Z  ARE  ACCEPTABLE  FOR  BRAKING  AND  SEPARATION 
MANEUVERS . 

b.  TWO  +Z  TRANSLATION  CONTACTS.  ONE  CONTACT  IN  EACH  THC 
IS  REQUIRED  IF  ONLY  TWO  CONTACTS  REMAINING. 

2.  MINUS  Z  TRANSLATION 

TWO  -Z  TRANSLATION  CONTACTS  FOR  ANY  THC  WHICH  IS  POWERED 
ON.  ONLY  ONE  CONTACT  IS  REQUIRED  IF  THE  OTHER  AVAILABLE 
CONTACT  IS  FAILED  OFF. 

+Z  translation  capability  must  be  retained  at  ail  times  in  order  to  be  able  to  back  away  from  the  target 
vehicle  should  failures  cause  the  loss  of  critical  system  redundancy.  Backing  away  to  200 feet  gives  the 
crew  time  to  reconfigure  their  systems,  if  possible,  to  allow  for  safe  continuation  ofPROX  OPS. 
Continuing  PROX  OPS  without  one-fault  tolerance  in  the  +Z  translation  direction  is  a  risk  to  the  safety 
of  the  crew/vehicle  should  subsequen  t  failures  cause  the  loss  of  vehicle  con  trol  in  close  proximity.  One 
+Z  contact  is  required  in  each  THC  to  maintain  one-fault  tolerance,  since  neither  a  single  contact  in 
one  THC  nor  two  con  tacts  on  a  single  THC  provide  any  fault  tolerance.  If  two  contacts  were  on  one 
THC  and  none  on  the  other,  the  crew  would  have  insufficient  time  to  resolve  and  correct  a  dilemma 
(should  one  of  the  two  fail  low)  thereby  providing  no-fault  tolerance.  It  is  understood  in  the  two-contact 
case  that  a  fail  high  of  the  remaining  contact  on  either  THC  would  result  in  jets  firing  to  achieve  a  +Z 
translation  which  would  cause  plume  impingement  on  the  payload. 
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A2-117  RNDZ/PROX  OPS  GNC  SYSTEMS  MANAGEMENT  (CONTINUED) 

A  fail  “on  ”  of  the  last  remaining  -Z  translation  contact  in  a  powered  THC  will  drive  the  orbiter  toward 
the  target  with  six  PRCS  jets.  Commanding  either  THC  in  the  +Z  direction  would  cancel  the  +Z  THC 
output  but  would  not  provide  the  intended  backaway  since  a  plus  and  minus  command  in  the  same  axis 
would  be  algebraically  summed  to  zero  resulting  in  no  selected  output.  Should  afailed-on  contact  occur 
while  prime  selected,  the  flight  controller  power  for  the  affected  THC  must  be  powered  off  to  eliminate 
the  erroneous  THC  command  and  cdlow  the  crew  the  capability  to  command  a  backaway  maneuver  along 
the  +Z  axis  using  the  other  THC.  Since  there  may  not  be  time  to  accomplish  this  while  in  proximity  to  a 
target,  two  con  tacts  for  a  powered  THC  are  required  to  be  fail-safe  (i.e.,  failure  of  one  con  tact  at  the 
two-level  results  in  a  dilemma  and  therefore  no  erroneous  commanding  of  jets). 

For  a  fail-off  of  one  of  the  two  remaining  contacts  there  is  no  single  failure  which  would  result  in 
translation  toward  the  target.  For  this  case  operating  with  only  one  good  contact  is  allowed  and  the 
flight  controller  power  can  remain  on  and  the  sense  switch  in  the  preferred  position.  If  one  of  the  last 
two  remaining  contacts  fails  high,  however,  the  next  failure  (fail-on  or  comm  fault  of  good  contact)  will 
result  in  translation  toward  the  target.  For  this  case  either  the  flight  controller  must  be  powered  off  or 
the  sense  switch  placed  in  a  different  position  to  avoid  the  next  failure  in  the  orbiter  -Z  direction. 

It  should  be  noted  that  for  the  aft  THC  different  contacts  would  be  involved  depending  upon  which  sense 
is  selected  and  taking  into  accoun  t  the  fact  that,  due  to  a  fit  problem,  the  aft  THC  is  installed  90  degrees 
clockwise.  For  example,  if  the  -Z  sense  is  selected,  the  +X  THC  axis  (-Z  orbiter  translation  axis,  +X  on 
crew  display)  must  have  at  least  two  contacts  to  be  fail  safe.  If  the  -X  sense  is  selected,  the  -Y  THC  axis 
(-Z  orbiter  translation  axis,  -Y  on  crew  display)  must  have  at  least  two  contacts.  For  the  forward  THC, 
the  -Z  THC  axis  must  be  redundant.  If  the  DAP  is  in  translation  NORM,  failu  re  of  the  last  -Z  contact 
will  command  six  PRCS  jets  ON  until  either  the  flight  con  troller  power  is  turned  off  or  until  either  THC 
is  deflected  (and  held  out  of  deten  t)  in  the  +Z  direction.  If  the  DAP  is  in  translation  PULSE,  six  PRCS 
jets  will  fire  to  achieve  the  translation  rate  increment  loaded  on  the  DAP  CONFIG  display.  Deflection 
and  release  of  either  THC  in  the  +Z  direction  will  result  in  another  pulse  in  the  -Z  direction  (toward  the 
target).  Subsequen  t  cycling  of  either  THC  in  the  +Z  direction  will  result  in  more  pulses  toward  the 
target. 
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A2-117  RNDZ/PROX  OPS  GNC  SYSTEMS  MANAGEMENT  (CONTINUED) 

D.  TWO  IMU'S.  (CONSIDERATION  WILL  BE  GIVEN  TO  CONTINUING 
NOMINAL  V-BAR  OPERATIONS  WITH  ONE  IMU.) 

Two  IMU’s  are  required  to  commit  to  TI.  Since  Tl  is  the  first  burn  which  targets  for  an  intercept 
trajectory,  the  orbiter  systems  should  be  healthy  enough  to  support  the  requiremen  ts  of  the  rendezvous. 

Post  TI  to  V-bcir  arrival  (PROX  OPS),  two  IMU’s  are  required  to  ensure  a  safe  post-breakout  trajectory. 
The  RNDZ  breakout  sequence  was  not  designed  to  cover  trajectory  dispersions  due  to  failed  IMU 
accelerometers.  The  velocity  output  at  the  two-level  is  the  average  of  the  two  remaining  IMU’s.  If  one  of 
the  two  IMU’s  has  bad  velocity  output,  the  state  vector  will  be  corrupted.  It  would  be  very  difficult  to 
quickly  determine  the  damage  done  to  the  state  vector  should  one  IMU  fail.  RNDZ  sensors  may  not 
correct  the  vector  quickly  enough  to  ensure  cm  adequate  breakout  trajectory. 

The  RNDZ  breakou  t  also  uses  IMU  attitude  to  correctly  perform  the  breakout.  If  the  IMU  attitudes  are 
incorrect,  the  breakout  may  not  be  executed  in  the  proper  direction. 

Plus  or  minus  R-bctr  approaches  will  not  be  considered  on  less  than  two  IMU’s  because  of  the  separation 
dynamics.  For  cm  R-bctr  approach,  the  separation  sequence  requires  two  burns,  the  first  to  ensure  no 
immediate  recontact  and  a  second  posigrcrde  burn  to  ensure  no  long-term  recontact  concern.  The  second 
separation  burn  requires  an  IMU  to  provide  the  posigrade  reference. 

PROX  OPS  imposes  similar  requiremen  ts  as  the  TI  to  V-bcir  phase,  in  that  a  correct  reference  is  required 
to  correctly  perform  the  breakout.  Thus,  two  IMU’s  are  required  to  ensure  a  safe  breakout. 

One  exception  to  the  two-IMU  requirement  is  nominal  PROX  OPS  on  the  V-bcir.  The  breakout  for  this 
situation  is  ci  posigrade  burn  executed  manually,  and  not  relying  on  the  IMU’s  to  provide  a  thrust 
direction.  It  is  assumed  that  IMU  drift  would  not  take  the  orbiter  far  enough  out  of  attitude  to  degrade 
the  breakout  maneuver  and  the  crew  can  use  the  Earth  horizon  as  a  reference  check  that  the  IMU’s  are 
good. 

Loss  of  two  IMU’s  is  cause  to  in  voke  next  PLS.  This  should  be  the  reason  for  terminating  PROX  OPS, 
not  that  the  loss  of  the  last  IMU  will  result  in  loss  of  vehicle  control.  Manual  control  will  still  exist  with 
the  loss  of  all  IMU’s.  Loss  of  IMU  reference  will  mode  the  DAP  to  MAN;  PULSE  in  rotation  and 
translation.  Low  Z  will  also  be  automatically  deselected. 
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A2-117  RNDZ/PROX  OPS  GNC  SYSTEMS  MANAGEMENT  (CONTINUED) 

E.  STRINGING  SUCH  THAT  FOR  THE  LOSS  OF  ONE  GPC  THE  FOLLOWING 
FUNCTIONS  ARE  MAINTAINED: 

1.  EITHER  LOW  +Z  OR  NORMAL  +Z  TRANSLATION  CAPABILITY 

2.  IMU  REFERENCE  (IF  TWO  IMU' S  AVAILABLE) 

It  is  important  to  remember  to  string  such  that  a  GPC  failure  can  be  sustained  without  loss  of  +Z 
translation  capability  (Low  +Z  or  Normal  +Z)  for  backaway  operations  or  IMU  reference. 

Two  GNC  GPC’s  are  required  for  operations  within  200 feet.  This  requirement  is  stated  in  DPS  Rule 
{A2-120},  RNDZ/PROX  OPS  DPS  SYSTEMS  MANAGEMENT.  While  this  DPS  rule  is  standalone,  the 
GNC  reasons  to  maintain  two  GNC  GPC’s  are  to  retain  fail-safe  redundancy  in  the  hand  controllers 
and  jets. 


A2-118  RNDZ/PROX  OPS  COMMUNICATION  SYSTEMS  MANAGEMENT 

A.  THE  KU-BAND  SYSTEM  WILL  BE  USED  IN  RADAR  MODE  DURING 
RNDZ/PROX  OPS,  BUT  MAY  BE  USED  IN  COMMUNICATIONS  MODE  DURING 
PERIODS  WHEN  RADAR  DATA  IS  NOT  REQUIRED.  @[061396-1961] 

The  Ku-band  system  can  be  switched  between  radar  and  communications  mode  as  necessary. 

B.  WHILE  IN  RADAR  MODE,  IF  THE  AZIMUTH  ANGLE  EXCEEDS  30  DEGREES 
FROM  THE  ORBITER  -Z  AXIS,  THE  KU  WILL  BE  PLACED  IN  AUTO 
TRACK.  WHILE  IN  THIS  NO-SEARCH  ZONE,  A  MANUAL  SEARCH  SHOULD 
ONLY  BE  INITIATED  UPON  MCC  GO.  @[061396-1961] 

Radar  scans  should  not  be  initiated  for  beta  gimbal  angles  greater  than  +38  degrees  (reference  SODB, 
Communications  and  Tracking  Subsystems  -  Constraints  and  Limitations  page  3. 4. 5.2-6).  An  azimuth 
angle  of  30  degrees  satisfies  this  beta  gimbal  limit,  and  is  independent  of  the  elevation  angle.  While  in 
this  “No  Search  Zone,  ”  a  manual  search  can  be  initiated  upon  evaluation  by  the  MCC  of  the  actual  beta 
gimbal  angles. 

Reference  {All-16},  KU-BAND  MANAGEMENT.  @[061396-1961  ] 
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A2-119  RNDZ/PROX  OPS  SENSOR  REQUIREMENTS  ®[091 098-6707B] 

A.  DATA  FROM  THE  KU  RADAR,  -Z/-Y  STAR  TRACKER,  OR  COAS  (IN  ORDER 
OF  PRIORITY  FROM  HIGHEST  TO  LOWEST)  MUST  BE  INCORPORATED  INTO 
THE  ONBOARD  NAVIGATION  FILTER  DURING  DAY  OF  RENDEZVOUS 
OPERATIONS  BETWEEN  NC  AND  MANUAL  TAKEOVER. 

The  intent  of  this  rule  is  twofold.  First ,  it  identifies  that  Ku,  Star  Tracker,  and  COAS  systems  are 
required  for  rendezvous  operations  at  a  higher  priority  than  other  users  (Comm,  IMU  align,  etc.). 

Second,  it  identifies  that  rendezvous  may  not  be  possible  within  the  pre-mission  defined  limits  of  the 
propellant  budget  without  the  incorporation  of  data  from  one  of  these  systems  into  the  onboard 
navigation  system.  Continuation  of  the  rendezvous  without  having  incorporated  this  data  will  likely  lead 
to  reaching  the  breakout  criteria  specified  in  Rule  { A2-126J ,  RNDZ/PROX  OPS  BREAKOUT. 

Rendezvous  may  be  possible  without  these  sensors  given  a  wide  margin  of  error  in  the  propellant  budget. 

Rendezvous  maneuvers  prior  to  the  actual  day  of  rendezvous  do  not  require  onboard  navigation  sensors 
and  are  targeted  strictly  off  ground-based  solutions. 

PRIOR  TO  TI,  THE  RNDZ  MAY  BE  DELAYED  IF  REGAINING  A  HIGHER 
PRIORITY  SENSOR  IS  POSSIBLE. 

Regaining  a  higher  priority  sensor  will  result  in  a  more  accurate  onboard  navigation  filter  state  which 
will,  in  turn,  result  in  a  higher  probability  of  a  successful  rendezvous  and  a  more  propellant-efficien  t 
manual  phase.  Rendezvous  delays  up  through  and  including  Ti  can  be  achieved  with  aft  propellant 
usage  only  and  hence  may  be  worthwhile  if  doing  so  allows  for  the  recovery  of  a  more  accurate 
rendezvous  sensor,  resulting  in  the  savings  of  forward  propellant  during  the  manual  phase.  Rendezvous 
Delay  is  described  in  Rule  { A2-125 ),  RNDZ  OPS  DELAY. 
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A2-119  RNDZ/PROX  OPS  SENSOR  REQUIREMENTS  (CONTINUED) 

B.  THE  KU  SYSTEM,  IF  AVAILABLE,  WILL  BE  CONFIGURED  FOR  RADAR 
OPERATIONS  DURING  MANUAL  PHASE  UNTIL  THE  CDR  DEEMS  THAT  IT  IS 
NOT  REQUIRED  TO  SUPPORT  PILOTING  OPERATIONS  GIVEN  THE 
AVAILABILITY  OF  OTHER  RANGING  SENSORS  (HHL  OR  TCS) .  AT  THIS 
TIME,  THE  KU  SYSTEM  MAY  BE  CONFIGURED  FOR  COMM. 

The  Ku  radar  system  is  the  prime  range/range  rate  sensor  during  the  manual  phase  until  reliable  HHL 
or  TCS  data  becomes  available.  ®[091098-6707B] 

C.  COAS  NAVIGATION  CONSTRAINTS  ®[031 500-71 78A] 

1.  THE  -Z  COAS  MUST  BE  CALIBRATED  PRIOR  TO  EXECUTING  COAS 
NAV. 

COAS  mounting  errors  are  significant  enough  (typically  0.5  deg)  to  result  in  unacceptable  navigation 
performance  if  COAS  marks  are  taken  with  cm  uncalibrated  COAS.  The  calibration  is  no  longer  valid  if 
the  cabin  pressure  changes  significan  tly,  such  as  a  depress  from  14.7  to  10.2  psi. 

2.  VERNIER  ATTITUDE  CONTROL  IS  REQUIRED  TO  PERFORM  COAS  NAV. 

PRI  jets  provide  coarser  control  than  VERN’s.  The  coarse  control  degrades  the  performance  of  COAS 
nav  due  to  one  or  more  of  the  following  factors:  1)  fewer  marks  can  be  taken  in  the  limited  time 
available,  2)  less  accurate  marks  can  be  taken,  and  3)  larger  trajectory  perturbations  due  to  increased 
cross  coupling  of  rotation  into  translation.  In  addition,  PRI  control  can  use  significantly  more 
propellant.  Given  the  degraded  performance  and  the  potential  use,  more  propellant  analysis  has  shown 
that  it  is  better  to  continue  the  rendezvous  without  performing  COAS  nav. 
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A2-119  RNDZ/PROX  OPS  SENSOR  REQUIREMENTS  (CONTINUED) 

3.  UNLESS  THE  CREW  IS  TOLD  TO  PROCEED  WITH  COAS  NAV  ALMOST 
IMMEDIATELY  AFTER  COMPLETING  THE  TI  BURN,  IT  IS  NOT 
AVAILABLE  AS  A  SENSOR  DOWNMODE  OPTION. 

The  act  of  taking  COAS  NAV  marks  perturbs  the  trajectory.  To  overcome  this  effect,  the  COAS  NAV 
pass  must  be  long  enough  to  ensure  that  an  adequate  number  of  marks  are  taken  to  converge  the 
onboard  nav  state.  Rather  than  attempting  to  determine  through  analysis  the  latest  time  that  COAS  NAV 
could  be  started,  cm  operationally  acceptable  limit  was  defined  and  all  analysis  was  performed  using  this 
limit.  To  be  consistent  with  the  analysis,  the  first  COAS  NAV  mark  must  be  taken  no  later  than  Ti  +10 
minutes.  Because  there  are  several  events  that  must  happen  between  Ti  and  taking  the  first  COAS  mark, 
such  as  completing  the  Ti  burn,  OMS  gimbal  check,  maneuver  to  -Z  axis  target  track,  ground  uplink  of 
COAS  NAV  covariance  matrix,  and  step  1  of  the  COAS  NAV  procedure,  the  crew  must  be  instructed  to 
perform  COAS  NAV  almost  immediately  after  Ti.  ®[031 500-71 78A] 

4.  IF  COAS  NAVIGATION  IS  EXECUTED,  DO  NOT  EXECUTE  MCI  OR  THE 
OUT-OF-PLANE  NULL.  ®[031 500-71 78A] 

There  is  not  enough  time  between  Ti  and  MCI  to  take  enough  COAS  marks  to  generate  a  converged  nav 
state  in  support  of  MCI.  Analysis  indicates  it  is  better  to  forego  MCI  and  take  COAS  nav  through  that 
time  to  get  a  good,  converged  nav  state  to  support  the  MC2  burn. 

COAS  nav  is  not  accurate  enough  to  support  execution  of  an  out-of-plane  null  burn.  The  Y  and  Ydot  on 
SPEC  33  will  be  quite  dynamic  from  one  COAS  mark  to  the  next  and  it  is  best  to  delay  any  out-of-plcine 
control  until  the  manual  phase  where  more  accurate  sensors  and  visual  observation  can  be  used  to  null 
the  out-of-plane  motion. 

Constraints  1,  2,  3,  and  4  were  presented  to  and  approved  by  Orbit  Flight  Techniques  Panel  # 175  on 
July  9,  1999.  ®[031 500-71 78A] 
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A2-120  RNDZ/PROX  OPS  DPS  SYSTEMS  MANAGEMENT 

A.  THREE  GNC  GPC'S  ARE  PREFERRED  FOR  RNDZ/PROX  OPS.  TWO  GNC 
GPC'S  ARE  REQUIRED  AT  TI  AND  WITHIN  250  FEET  OF  THE  TARGET 
VEHICLE:  ®[021 1 99-6798A] 

Three  GNC  GPC’s  are  preferred  for  rendezvous/prox  ops  to  simplify  recovery  procedures  if  a  GNC  GPC 
fails  during  the  period  when  rendezvous  nav  is  enabled.  If  a  GNC  GPC  fails,  a  restring  to  the  remaining 
two  GPC’s  recovers  all  LRU  redundancy ,  still  meets  rendezvous  GPC  requirements,  and  does  not  affect 
rendezvous  nav  functions  as  long  as  the  target  set  is  not  changed. 

TI  is  the  starting  point  for  requiring  redundant  GNC  GPC’s  because  this  is  the  first  burn  which  puts  the 
orbiter  on  an  in  tercept  cou  rse  with  the  target.  This  means  that  continuous  control  of  the  orbiter  is 
required  to  preclude  a  collision  with  the  target.  Single  fault-tolerance  for  control  of  braking  and 
separation  maneuvers  is  required,  and  redundant  GNC  GPC’s  meet  this  requirement.  Prior  to  TI,  the 
orbiter  is  not  on  an  in  tercept  course  and  momen  tary  loss  of  control  is  not  critical;  therefore,  single 
fault-tolerance  is  not  required. 

1 .  FOR  LOSS  OF  ONE  GNC  GPC  OUT  OF  A  TWO  GNC  GPC  REDUNDANT 
SET  WHEN  FURTHER  THAN  250  FEET  FROM  TARGET, 
RECONFIGURATION  TO  A  TWO-GNC  REDUNDANT  SET  WILL  BE 
DELAYED  TO  THE  NEXT  OPERATIONALLY  CONVENIENT  POINT. 

The  crew  is  very  busy  flying  the  manual  phase  of  rendezvous  operations.  Reconfiguration  would 
interfere  (and  may  promote  errors )  with  the  manual  task  and,  therefore,  will  be  delayed  to  the  next 
convenient  point  as  long  as  the  orbiter-to-target  distance  is  greater  than  250 feet. 

2 .  LOSS  OF  ONE  GNC  GPC  OUT  OF  A  TWO  GNC  GPC  REDUNDANT  SET 
DURING  PROX  OPS  WITHIN  250  FEET  WILL  RESULT  IN  A  BACKOUT 
MANEUVER  AWAY  FROM  THE  TARGET  OUT  TO  A  DISTANCE  OF  250 
FEET  UNTIL  RECONFIGURATION  TO  A  TWO-GNC  REDUNDANT  SET  IS 
COMPLETED . 

The  fail-safe  status  afforded  by  two  GNC  GPC’s  is  required  for  close  proximity  of  the  orbiter  to  other 
objects.  Loss  of  one  of  the  two  GNC  GPC  ’S  within  250 feet  is  reason  to  terminate  PROX  OPS  and  back 
away  from  the  target  due  to  the  possibility  of  vehicle  contact  with  the  target  on  the  next  failure  (no  longer 
fail-safe).  A  distance  of  at  least  250 feet  provides  a  safety  margin  before  attempting  to  reconfigure. 

®[021 1 99-6798A] 
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A2-120  RNDZ/PROX  OPS  DPS  SYSTEMS  MANAGEMENT  (CONTINUED) 

3.  FOR  LOSS  OF  ONE  GNC  GPC  OUT  OF  A  THREE  GNC  GPC  REDUNDANT 
SET  DURING  PROX  OPS,  RESTRING  TO  REMAINING  TWO  GNC  GPC'S 
WHEN  POSSIBLE. 

When  starting  with  a  three  GNC  GPC  set ,  loss  of  a  single  GPC  is  not  critical.  A  simple  restring  can  be 
performed  to  regain  the  lost  string(s)  without  disruption  of  rendezvous  nciv  operations.  With  the 
standard  stringing  configuration  for  three  GPC’s  (ref.  Rule  (A7-102C}.2.b,  PASS  DATA  BUS 
ASSIGNMENT  CRITERIA )  loss  of  a  single  GPC  does  not  require  immediate  action. 

B.  IN  A  TWO  GNC  GPC  SET  CONFIGURATION  FOR  GNC  OR  SM  GPC 
FAILURES,  THE  FREEZE-DRY  GPC  (G2FD)  MAY  BE  RECONFIGURED  AS 
GNC  OR  SM.  IF  G3  ARCHIVE  HAS  BEEN  LOST  AND  A  G3FD  GPC  HAS 
BEEN  CONFIGURED,  THE  G3FD  MAY  BE  GIVEN  UP  IF  TWO  G3  SOURCES 
(MMU  1,  MMU  2)  ARE  AVAILABLE. 

Recovery  of  a  redundan  t  GNC  GPC  is  done  to  provide  fail-safe  vehicle  con  trol  during  rendezvous  or 
PROX  OPS.  Recovery  of  cm  SM  function  is  done  to  provide  rendezvous  radar  antenna  initialization, 
insight  into  or  control  of  payloads,  and  GPC  control  for  PDRS  usage.  The  G2FD  GPC  may  be  given  up 
without  regard  to  the  number  of  available  sources  of  entry  software  because  of  G3  archive  capability  as 
long  as  there  are  two  other  sources  of  PASS  G3  software.  Two  sources  are  considered  to  be  an  adequate 
level  of  redundancy  for  obtain  ing  G3  software. 

Reference  Rule  {A7-201C},  DPS  REDUNDANCY  REQUIREMENTS. 

C.  IN  A  THREE  GNC  GPC  SET  CONFIGURATION  FOR  AN  SM  GPC  FAILURE, 
ONE  OF  THE  GNC  GPC'S  MAY  BE  RECONFIGURED  AS  AN  SM  GPC. 

Since  only  two  GNC  GPC’s  are  required  for  providing  a  fail-safe  capability  during  the  critical 
maneuvers  of  RNDZ/Prox  Ops,  it  is  allowable  to  give  up  one  of  the  three  GNC  GPC’s  to  recover  the  SM 
function. 
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A2-121  RNDZ/PROX  OPS  PROPULSION  SYSTEMS  MANAGEMENT 

A.  RNDZ/PROX  OPS  ACTIVITIES  WILL  BE  TERMINATED  AND  A  BREAKOUT 
MANEUVER  WILL  BE  PERFORMED  WHEN  PROPELLANT  AVAILABLE 
DECREASES  TO  THE  TOTAL  OF: 

1.  DEORBIT  REDLINES: 

a.  OMS  DEORBIT  REDLINE  (REF.  RULE  {A6-303A},  OMS 
REDLINES  [CIL]). 

b.  FRCS  DEORBIT  REDLINE  (REF.  RULE  {A6-304A},  FORWARD 
RCS  REDLINES) . 

C.  ARCS  ENTRY  REDLINE  (REF.  RULE  {A6-305},  AFT  RCS 
REDLINES) . 

OMS  and  RCS  deorbit  redlines  must  be  protected  in  order  to  continue  any  on-orbit  operations. 

Violation  of  these  redlines  is  cause  to  enter  at  the  next  PLS  opportunity.  Note  that  per  Rule 
{A2-108},  CONSUMABLES  MANAGEMENT,  the  weather  wave-off  extension  day  may  be 
deleted  in  favor  of  critical  on-orbit/payload  activities.  ®[092800-7247A] 

2.  PROPELLANT  REQUIRED  FOR  ORBITER  MAINTENANCE  (ATTITUDE 
CONTROL  -ZLV  -XVV  OR  THERMAL  PROTECT  ATTITUDE  IF 
REQUIRED,  1  DEGREE  VRCS,  ONE  IMU  ALIGN/DAY)  FOR  1  DAY. 
@[0511 94-1 61 2A] 

Following  either  a  successful  or  aborted  rendezvous,  propellant  must  be  available  for  attitude  control 
until  the  next  PLS  deorbit  opportunity  (which  could  be  up  to  24  hours  away). 

3.  RNDZ/PROX  OPS  BREAKOUT /SEPARATION  MANEUVER. 

If  it  is  necessary  to  abort  a  rendezvous  attempt  when  in  close  proximity  to  the  target,  a  breakou  t 
maneuver  is  required  in  order  to  establish  a  safe  separation  rate  from  the  target.  The  exact  nature  of  the 
breakout  maneuver  is  dependent  upon  the  relative  position  to  the  target,  but  the  maneuver  usually  entails 
several  RCS  translations.  Also,  for  a  successful  rendezvous,  a  separation  maneuver  (e.g.,  ISS  Joint 
Expedited  Undock  and  Sep)  may  be  required  to  safely  separate  from  the  target  prior  to  deorbit.  Thus, 
the  worst  case  breakout  propellant  requirements  will  be  covered  in  the  terminate  quantities. 
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A2-121  RNDZ/PROX  OPS  PROPULSION  SYSTEMS  MANAGEMENT 

(CONTINUED) 

4.  HIGHER  PRIORITY  ACTIVITIES  (REF.  RULE  {A2-108}, 
CONSUMABLES  MANAGEMENT) . 

Propellant  must  be  available  to  complete  all  post-rendezvous  activities  of  higher  priority  than  the 
rendezvous  in  order  to  continue  with  the  rendezvous.  Activities  are  listed  in  order  of  priority  in  Rule 
{A2-108},  CONSUMABLES  MANAGEMENT.  ©[092800-7247A] 

5.  PROPELLANT  REQUIRED  TO  COVER  RETURN  OF  THE  PAYLOAD 
INCLUDING:  ®[092800-7247A] 

a.  X  OR  Y  CG  BALLAST  (IF  REQUIRED) . 

For  payloads  planned  on  being  berthed  in  the  payload  bay,  either  for  repair  and  redeploy  or  for  return 
to  Earth,  OMS  or  RCS  propellant  may  be  required  as  ballast  in  order  to  maintain  the  orbiter  CG  within 
the  acceptable  envelope  as  outlined  in  Flight  Rule  {A4-153},  CG  PLANNING. 

b.  THERMAL  PROTECT  ATTITUDE  AS  REQUIRED. 

Certain  payloads  may  have  thermal  constraints  which  would  necessitate  maintaining  the  orbiter  in 
attitudes  and/or  deadbands  that  require  more  than  the  nominal  -ZLV 1  degree  deadband  propellant 
allocation.  This  item  also  applies  to  any  payload  planned  on  being  berthed  in  the  payload  bay  either 
temporarily  or  for  return.  ®[051 1 94-1 61 2A] 

C.  INCREASED  DEORBIT  VEHICLE  WEIGHT  (INCLUDES  WEIGHT  OF 
PAYLOAD) . 

OMS  propellant  required  for  deorbit  will  be  calculated  using  the  vehicle  weight  with  the  payload  on 
board  unless  the  payload  is  incapable  of  being  returned  to  earth  (in  which  case  the  separation  maneuver 
must  be  protected  in  paragraph  3  above).  This  guarantees  enough  propellant  to  deorbit  safely  with  the 
payload  onboard.  This  propellant  requirement,  if  applicable,  may  be  mutually  exclusive  with  the 
rndz/prox  ops  breakout  maneuver,  so  only  the  greater  of  the  two  must  be  protected.  ®[092800-7247A] 
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B.  IF  EITHER  FORWARD  OR  AFT  QUANTITIES  DECREASE  TO  THE  RNDZ/PROX 
OPS  TERMINATION  QUANTITIES,  THEN  IT  IS  ACCEPTABLE  TO  ADJUST 
REDLINES  BY  THE  USE  OF  NOSE-ONLY  OR  TAIL-ONLY  PRCS  CONTROL 
FOR  ACTIVITIES  (INCLUDING  NON-RENDEZVOUS  ACTIVITIES) 

NOMINALLY  PLANNED  FOR  NOSE/TAIL  CONTROL. 

Certain  activities  budgeted  using  nose/tail  control  may  be  switched  to  tail-only  con  trol  if  the  aft 
propellant  is  available.  These  activities  include  the  deorbit  wave-off  extension  day  included  in  the 
OMS/RCS  deorbit  redlines,  deorbit  preparation,  and  one  day  of  attitude  con  trol.  Nose-only  pitch/yaw 
control  may  also  be  utilized  when  aft  propellant  is  critical.  The  breakout  maneuver  may  not  be  adjusted. 
®[051 194-1 61 2A] 

C.  TO  CONTINUE  RNDZ  OPS,  PROPELLANT  MUST  BE  AVAILABLE  TO  COVER 
THE  "GO  FOR  TI"  AS  DEFINED  IN  PARAGRAPH  I  AND  THE  MCC 
PREDICTED  REQUIREMENTS  FOR  THE  REMAINING  MANEUVERS  UP  TO  TI. 

In  order  to  continue  a  rendezvous,  propellant  must  be  available  to  ensure  a  reasonable  chance  of 
completion.  When  it  is  clear  that  adequate  propellant  is  not  available  to  complete  a  “best  day” 
rendezvous,  RNDZ  OPS  should  be  terminated  and  propellan  t  can  be  made  available  for  lower  priority 
activities  which  would  have  been  canceled  in  order  to  complete  the  rendezvous.  The  “GO  for  TI” 
requirements  represent  the  minimum  amount  of  propellant  required  to  complete  a  rendezvous  from  TI 
through  target  retrieval.  Propellant  required  to  complete  all  of  the  required  phasing  maneuvers  up  to  TI 
is  also  covered  here,  based  upon  maneuver  delta  V’s  as  calculated  by  the  Flight  Dynamics  Officer. 
Because  the  “Continue  RNDZ  Ops”  quantities  are  based  on  minimum  propellant  requirements  from  TI 
through  grapple,  rendezvous  maneuvers  may  con  tinue  to  be  performed  with  only  a  minimal  chance  of  a 
successful  rendezvous. 

D.  RENDEZVOUS  WILL  NOT  BE  ATTEMPTED  IF  THE  FRCS  IS  NOT 
AVAILABLE.  ©[092800-7247A] 

FRCS  propellant  is  necessary  in  order  to  maintain  attitude  in  close  proximity  to  the  target  (stationkeep). 
The  FRCS  is  also  required  to  perform  a  safe  breakout  maneuver.  Without  the  FRCS  it  is  not  safe  to 
remain  in  close  proximity  to  the  target.  Additionally,  terminal  phase  requires  frequen  t  small  multi-axis 
translations  which  are  not  practical  without  the  FRCS. 
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E.  THE  FOLLOWING  GUIDELINES  WILL  BE  USED  WHEN  EXECUTING 

RENDEZVOUS  BURNS  UP  TO  AND  INCLUDING  TI : 

1.  IF  TOTAL  DELTA  V  IS  LESS  THAN  4  FPS,  BURN  WILL  BE 
PERFORMED  MULTI-AXIS. 

2.  IF  TOTAL  DELTA  V  IS  BETWEEN  4  AND  6  FPS,  A  MANEUVER  TO 
BURN  ATTITUDE  MAY  BE  PERFORMED  AND  THE  BURN  ACCOMPLISHED 
USING  AFT  RCS  +X  JETS. 

3.  IF  TOTAL  DELTA  V  IS  GREATER  THAN  6  FPS,  THE  BURN  MAY  BE 
ACCOMPLISHED  USING  OMS  ENGINE  (S).  OMS  ENGINE  GUIDELINES 
ARE  ESTABLISHED  PER  FLIGHT  RULE  {A2-115B},  ENGINE 
SELECTION  CRITERIA.  (AFT  RCS  +X  MAY  BE  USED  IF  MARGINS 
EXIST  .  ) 

The  above  guidelines  for  rendezvous  burn  execution  have  been  established  to  ensure  optimum  use  of 
OMS  and  RCS  propellant.  These  guidelines  are  incorporated  in  the  Rendezvous  Flight  Data  File  to 
assist  the  crew  in  burn  execution  and  can  be  overridden  by  the  MCC  depending  upon  OMS/RCS 
propellant  margins/system  problems. 

a.  Because  the  crew  has  no  way  to  determining  the  forward  RCS  contribution  to  the  rendezvous  burn, 
the  4  fps  criteria  (equates  to  2  fps  forward  RCS  usage)  was  established  to  determine  if  a  maneuver 
to  burn  attitude  is  required. 

b.  With  rendezvous  burns  between  4  and  6  fps  the  attitude  maneuver  will  be  performed  and  the  burn 
accomplished  using  aft  RCS  +Y  jets.  This  is  performed  to  increase  fwd  RCS  propellant  availability. 
The  OMS  engines  are  not  used  because  guidance  is  locked  out  if  the  OMS  burns  are  6  seconds  or 
less  (6-second  countdown  is  used). 

c.  OMS  engine(s)  will  be  used  if  delta  V  requirements  are  greater  than  6  fps  (per  Flight  Rule 
{ A2-115B j,  ENGINE  SELECTION  CRITERIA,  guidelines).  Aft  RCS  +X  jets  may  be  used 
straight  feed  or  interconnected  if  propellant  margins  exist. 
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F.  IF  RENDEZVOUS  MANEUVERS,  UP  TO  AND  INCLUDING  TI,  ARE  TARGETED 
TO  USE  MORE  THAN  2  FPS  (50  LB)  FROM  THE  FORWARD  RCS,  A 
MANEUVER  TO  BURN  ATTITUDE  MAY  BE  PERFORMED  SO  THAT  THE  BURN 
WILL  BE  ACCOMPLISHED  USING  OMS  OR  AFT  RCS  PROPELLANT. 

During  rendezvous/PROX  OPS  mission  profiles,  the  forward  RCS  system  is  usually  propellant-critical 
with  the  aft  RCS  and  OMS  systems  having  sufficient  margins.  It  is  usually  desirable  to  save  as  much 
forward  RCS  propellan  t  as  possible  to  maximize  the  chances  for  mission  success  (rendezvous 
completion)  without  altering  the  planned  mission  profile  ( deletion  of  mission  events).  Rendezvous  burns 
that  require  more  than  2  fps  (50  lb)  from  the  forward  RCS  will  normally  incorporate  a  maneuver  to  burn 
attitude.  Burn  targets  will  be  computed  by  onboard  software,  and  the  burn  performed  using  aft  RCS  or 
OMS  propellants  to  minimize  forward  RCS  use.  (Maneuvering  to  and  from  the  burn  attitude  takes 
approximately  6  lb  (VRCS)  and  17  lb  ( PRCS ).)  Since  attitude  maneuvers  can  disturb  the  orbiter  state 
vector,  which  is  critical  during  rendezvous  profiles,  the  decision  to  maneuver  will  be  a  tradeoff  between 
disturbing  the  orbiter  state  and  saving  forward  RCS.  If  forward  RCS  mission  completion  redline 
margins  cdlow  a  multi-axis  burn,  a  maneuver  to  burn  attitude  may  not  be  required.  The  2  fps  (50  lb) 
constrain  t  was  selected  to  provide  a  compromise  between  increasing  forward  RCS  propellant  availability 
and  avoiding  excess  maneuvering.  ®[092800-7247A] 

G.  NOSE/TAIL  PRIMARY  JET  CONTROL  WILL  BE  SELECTED  POST-NCC  BURN 
FOR  THE  LOSS  OF  VERNIER  JET  CONTROL  CAPABILITY. 

Nose/tail  control  is  required  post-NCC  in  order  to  maintain  coupled  jet  firings  for  rotational  attitude 
control.  With  nose-only  or  tail-only  rotational  attitude  control,  translation  is  induced  which  may 
significantly  impact  predicted  TI  and  midcourse  corrections. 
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H.  TO  BE  GO  FOR  TI  DELAY,  PROPELLANT  MUST  BE  AVAILABLE  TO  COVER 
THE  TOTAL  OF: 

1.  TERMINATION  QUANTITIES  AS  DEFINED  IN  PARAGRAPH  A. 

2.  ORBITER  MAINTENANCE  FOR  THE  DELAY  PERIOD  (USUALLY  ONE  OR 
TWO  ORBITS) . 

3.  MCC  PREDICTED  T I -DELAY  PLUS  NEW  TI  USAGE. 

4.  MEAN  USAGE  FROM  POST-TI  TO  R-BAR,  OR  AS  SPECIFIED  IN  THE 
FLIGHT  RULE  ANNEX.  ®[021 1 99-6706B]  ©[092800-7247A] 

5.  MEAN  USAGE  FROM  R-BAR  TO  GRAPPLE/DOCK,  IF  SCHEDULED,  OR 
AS  SPECIFIED  IN  THE  FLIGHT  RULE  ANNEX. 

Delaying  TI  may  be  desired  when  time  is  required  to  better  understand  an  orbiter  problem.  From  a 
propellant  standpoint ,  delaying  TI  is  only  acceptable  when  the  delay  does  not  significantly  impact  the 
chance  of  a  successful  rendezvous.  For  this  reason,  mean  propellant  usages  are  covered  in  this  rule 
from  post-TI  through  grapple  as  opposed  to  the  minimum  usages  covered  in  the  “  GO  for  TI”  call. 
Additional  propellant  is  also  required  to  perform  a  maneuver  (usually  at  the  nominal  TI  opportunity )  to 
maintain  a  safe  distance  from  the  target  for  the  period  of  the  delay  and  to  perform  a  subsequent  TI  burn. 
If  in  sufficien  t  propellan  t  exists  to  be  GO  for  TI  delay,  then  either  a  breakou  t  maneuver  must  be 
performed  or  the  reason  to  delay  TI  must  be  waived.  It  is  not  acceptable  to  reduce  the  TI  delay 
requiremen  t  by  going  to  minimum  usages  for  terminal  phase  and  PROX  OPS.  The  Flight  Rules  Annex  is 
referenced  in  order  to  identify  the  details  of  the  manual  phase  profile. 
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I.  TO  BE  GO  FOR  TI,  PROPELLANT  MUST  BE  AVAILABLE  TO  COVER  THE 
TOTAL  OF 

1.  TERMINATION  QUANTITIES  AS  DEFINED  IN  PARAGRAPH  A. 

2.  USAGE  FOR  MCC  PREDICTED  TI . 

3.  MEAN  MINUS  3  SIGMA  USAGE  POST-TI  TO  R-BAR  ARRIVAL. 

®[021 1 99-6706B]  ®[092800-7247A] 

4.  MEAN  MINUS  3  SIGMA  USAGE  FROM  R-BAR  ARRIVAL  THROUGH 
GRAPPLE/DOCK.  ®[021 1 99-6706B]  ©[092800-7247A] 

The  “GO  for  TI ”  propellant  requirements  are  based  upon  the  minimum  amount  of  propellant  required  to 
complete  a  rendezvous  prior  to  the  TI  burn.  Mean  minus  3  sigma  protection  based  on  Monte  Carlo 
analysis  provides  a  slim  chance  at  being  able  to  complete  the  rendezvous.  If  any  chance  exists  that  the 
rendezvous  can  be  successfully  completed,  TI  will  be  performed  and  the  rendezvous  will  be  continued 
until  the  terminate  quantities  are  violated  or  violation  of  the  terminate  quantities  becomes  imminent  in 
accordance  with  this  rule  and  paragraph  A.  ®[092800-7247A] 

J.  POST-TI,  IF  THE  NEXT  PLANNED  MANEUVER  VIOLATES  THE 
TERMINATION  QUANTITIES  AS  DEFINED  IN  PARAGRAPH  A,  THE 
RENDEZVOUS  WILL  BE  TERMINATED. 

When  it  is  obvious  that  termination  quantities  will  be  violated  before  completion  of  the  rendezvous,  there 
is  no  reason  to  continue  the  rendezvous. 
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K.  FOR  DEPLOY/RELEASE  MISSIONS  TO  BE  GO  FOR  FREE  FLYER 

RELEASE/RETRIEVE,  PROPELLANT  MUST  BE  AVAILABLE  TO  COVER  THE 
TOTAL  OF : 

1.  TERMINATION  QUANTITIES  AS  DEFINED  IN  PARAGRAPH  A. 

2.  ORBITER  MAINTENANCE  FOR  THE  PLANNED  DURATION  OF  FREE 
FLIGHT . 

3.  MCC  PREDICTED  DELTA  V  FOR  PAYLOAD  SEPARATION  AND 
REQUIREMENTS  FOR  THE  REMAINING  MANEUVERS  THROUGH  TI . 

4.  AT  LEAST  MEAN  USAGE  POST-TI  TO  R-BAR  (UP  TO  MEAN  +  3 
SIGMA  USAGE  PER  FLIGHT  RULES  ANNEX) . 

5.  AT  LEAST  MEAN  USAGE  FROM  THE  R-BAR  THROUGH  GRAPPLE  (UP  TO 
MEAN  +  3  SIGMA  USAGE  PER  FLIGHT  RULES  ANNEX) . 


Before  releasing  a  retrievable  free  flyer  (e.g.,  SPARTAN),  propellant  must  be  available  to  ensure  a 
reasonable  likelihood  of  the  return  of  the  free  flyer.  As  such,  at  least  mean  usage  will  be  covered  for  all 
rendezvous  maneuvers  and  PROX  OPS  activities.  The  Flight  Rules  Annex  may  redefine  this  requirement 
to  require  enough  propellant  to  complete  a  rendezvous  with  up  to  3-sigma  usage.  ®[021 1 99-6706B] 

L.  DURING  A  FAILED  GRAPPLE /DOCKING  ATTEMPT,  TO  PROTECT  A  RE¬ 
RENDEZVOUS  CAPABILITY  ON  A  SUBSEQUENT  FLIGHT  DAY,  PROPELLANT 
MUST  BE  AVAILABLE  TO  COVER  THE  TOTAL  OF:  ®[021 1 99-6706B] 

The  quantities  indicated  below  are  intended  to  provide  guidelines  for  use  after  a  failure  to  grcipple/dock 
or  during  a  grapple/docking  attempt  that  is  not  proceeding  smoothly.  These  quantities  are  required  to 
en  tertain  the  option  of  a  re-rendezvous  on  a  subsequen  t  day.  These  numbers  can  be  used  to  generate  a 
“re-rendezvous  bingo”  quantity  at  which  grcipple/dock  activities  should  be  terminated  for  that  day  and  a 
separation  burn  performed.  Once  the  separation  burn  is  performed  and  the  re-rendezvous  sequence  is 
underway,  propellant  minimums  to  complete  the  re-rendezvous  are  outlined  in  Paragraph  I  of  this  rule. 
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If  propellant  quantities  are  below  the  re-rendezvous  bingos,  then  re-rendezvous  is  most  likely  not 
possible  and  the  ongoing  attempts  to  grapple/dock  should  continue  until  a  successful  grapple/docking  is 
achieved  or  the  terminate  quan  tities  as  indicated  in  Paragraph  A  of  this  rule  are  reached. 

1.  TERMINATION  QUANTITIES  AS  DEFINED  IN  PARAGRAPH  A. 

Propellant  must  be  protected  to  break  out  from  the  subsequent  rendezvous,  to  provide  a  safe  deorbit,  and 
allow  for  the  completion  of  higher  priority  mission  activities. 

2.  MCC  PREDICTED  USAGE  TO  TERMINATE  CURRENT  GRAPPLE/DOCK 
ACTIVITIES  AND  SEPARATE. 

Predicted  usage  to  terminate  the  ongoing  grapple/dock  activities  is  based  on  a  real-time  assessment  of 
these  activities.  For  example,  if  a  fly  around  alignment  is  underway  in  an  attempt  to  grapple  a 
rotating  free-flyer,  propellant  to  arrest  the  orbiter’s  rotation  rate,  maneuver  to  the  separation  burn 
attitude,  and  separate  must  be  protected.  The  separation  burn  will  consist  of  the  appropriate 
breakout  per  Rule  { A2-126C j,  RNDZ/PROX  OPS  BREAKOUT. 

3.  MCC  PREDICTED  DELTA  V  FOR  THE  RE-RENDEZVOUS  MANEUVERS 
THROUGH  TI. 

Mean  re-rendezvous  propellant  costs  are  included  in  the  flight  specific  rendezvous  propellant  budget 
(Rndz-03  Flight  Design  product).  ®[02i  1 99-6706B]  ®[092800-7247A] 
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4.  AT  LEAST  MEAN  USAGE  POST-TI  THROUGH  GRAPPLE /DOCK .  BASED 
ON  A  REAL-TIME  ASSESSMENT  OF  GRAPPLE /DOCKING  ACTIVITIES, 
UP  TO  MEAN  +  3  SIGMA  USAGE  MAY  BE  PROTECTED.  ®[021 1 99-6706B] 

At  least  mean  usage  is  protected  for  all  rendezvous  maneuvers  and  prox  ops  activities  to  ensure  a 
reasonable  chance  of  being  able  to  re-rendezvous.  Protecting  only  minimum  usage  post-Ti  through 
grapple/docking  is  not  recommended  as  it  would  significantly  reduce  the  probability  of  being  able  to  re- 
rendezvous  before  reaching  the  propellant  terminate  quantities  while  only  reducing  the  propellant 
requirements  by  approximately  200  lb  (1/3  fwd  and  2/3  aft).  In  fact,  depending  on  propellant  availability 
and  a  real-time  assessment  of  the  ongoing  grapple/dock  activities,  it  may  be  prudent  to  protect  more  than 
mean  propellant  (up  to  3  sigma)  for  all  re-rendezvous  maneuvers  and  prox  ops  activities.  For  example, 
if  the  ongoing  grapple/docking  activities  have  little  chance  for  success  due  to  the  nature  of  the  problem, 
then  separating  with  3  sigma  protection  will  maximize  prop  availability  for  the  subsequent 
grapple/docking  attempt  after  troubleshooting  steps  have  been  performed.  However,  if  a  successful 
grapple/docking  is  imminent,  then  continuing  below  3  sigma  protection  may  allow  the  grapple/docking  to 
be  completed  without  assuming  the  risk  of  a  re-rendezvous  attempt.  Protecting  3  sigma  usage  post-Ti 
through  grapple/clock  increases  the  propellant  minimums  by  approximately  200  lb  over  mean  usage  (1/3 
fwd  and  2/3  aft).  Post-Ti  through  grapple/dock  prop  costs  (mean  and  sigmas)  are  included  in  the  flight 
specific  rendezvous  propellant  budget  (Rndz-03  Flight  Design  product).  ©[092800-7247A] 

5.  CONTINGENCY  PROX  OPS  PROPELLANT  AS  APPROPRIATE  GIVEN  THE 
NATURE  OF  THE  FAILURE. 

Depending  on  the  nature  of  the  difficulty  that  led  to  the  failure  to  grapple/dock,  additional  propellan  t 
should  be  protected  for  prox  ops  contingencies  during  the  subsequent  grapple/docking  attempt  (i.e. 
orbiter/target  flyaround  alignment,  extended  stationkeeping,  etc.).  Propellant  requirements  for 
con  tingency  prox  ops  activities  are  included  in  the  flight  specific  rendezvous  propellan  t  budget  (Rndz-03 
Flight  Design  product). 

6.  ORBITER  ATTITUDE  MAINTENANCE  FOR  THE  PLANNED  DURATION  OF 
FREE  FLIGHT  THROUGH  GRAPPLE/DOCK. 

Propellant  for  orbiter  attitude  maintenance  during  the  re-rendezvous  sequence  must  be  protected. 

®[021 1 99-6706B] 
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A2-122  RENDEZVOUS  MANEUVERS 

A.  THE  GROUND  WILL  COMPUTE  TARGETS  FOR  ALL  MANEUVERS  UP  TO  AND 
INCLUDING  TI.  ADDITIONALLY,  THE  GROUND  WILL  PROVIDE  THE 
INITIAL  ORBIT  TARGETING  BASETIME  (TI  TIG)  USED  FOR  NCC,  TI, 
AND  MCI  MANEUVERS. 

B.  THE  ORBITER  WILL  COMPUTE  TARGETS  FOR  NCC  AND  SUBSEQUENT 
MANEUVERS.  THE  ORBITER  WILL  REDEFINE  THE  ORBIT  TARGETING 
BASETIME  (MC2  TIG)  FOR  THE  MC2 ,  MC3 ,  AND  MC4  MANEUVERS. 

NOTE:  FLIGHT  SPECIFIC  MANEUVER  DEFINITIONS  AND  TARGETING 

CRITERIA  ARE  SPECIFIED  IN  THE  FLIGHT  RULE  ANNEX  (THE 
ANNEX  FLIGHT  RULE,  ORBITAL  MANEUVER  CRITICALITY)  .  ®[ED  ] 

Because  of  its  relative  navigation  capability  (ST,  COAS,  and  RR),  the  orbiter  is  considered  prime  for  all 
maneuvers  from  NCC  to  intercept.  Typical  criteria  for  TIG  selection  and  maneuver  targeting  are  given 
in  the  table.  It  should  be  emphasized  that  these  data  are  flight-specific  I-Ioads  to  orbit  targeting  (SPEC 
34). 

For  pre-NCC  maneuvers,  the  ground  is  the  only  system  capable  of  targeting  rendezvous  maneuvers;  clue 
to  software,  orbit  targeting  (SPEC  34)  can  only  target  two-impulse  maneuvers.  The  rendezvous 
maneuver  sequence  is  designed  to  allow  orbit  targeting  to  compute  NCC  and  subsequent  maneuvers 
because  the  orbiter  relative  navigation  systems  can  provide  the  most  accurate  states  for  the  orbiter  and 
target.  For  NCC  and  TI,  the  ground  will  provide  an  independently  targeted  solution  for  comparison  with 
the  orbiter  solution.  The  solution  will  be  selected  per  Rule  { A2-123 },  RENDEZVOUS  MANEUVER 
SOLUTION  SELECTION  CRITERIA. 

The  NCC,  TI,  and  MCI  maneuvers  are  scheduled  relative  to  the  initial  basetime  (TI  TIG),  which  is 
usually  a  few  minutes  prior  to  orbital  noon.  This  time  is  provided  by  the  ground  because  the  orbiter  does 
not  have  the  capability  to  compute  it.  For  MC2,  MC3,  and  MC4,  the  orbiter  will  redefine  the  basetime 
(MC2  TIG)  automatically  with  orbit  targeting.  MC2  must  be  targeted  at  least  once  for  this  to  occur. 
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A2-123  RENDEZVOUS  MANEUVER  SOLUTION  SELECTION  CRITERIA 

A.  GROUND  SOLUTIONS  WILL  BE  EXECUTED  FOR  ALL  MANEUVERS  UP  TO 
NCC  . 

Reference  Rule  (A2-122J,  RENDEZVOUS  MANEUVERS,  for  rationale. 

B.  THE  SOLUTIONS  FOR  THE  NCC  AND  TI  MANEUVERS  WILL  BE  SELECTED 
ACCORDING  TO  THE  FOLLOWING  PRIORITIES: 

1.  ONBOARD  FILTER  SOLUTION  IF,  FOR  THE  PRESENT  SENSOR  IN 
ACQUISITION  (RR,  ST),  40  NAVIGATION  MARKS  HAVE  BEEN 
ACCEPTED  WITH  A  STATE  VECTOR  POSITION  UPDATE  LESS  THAN 
0.5K  FEET  FOR  THE  LAST  FOUR  MARKS.  IF  COAS ,  THIS 
CRITERION  DOES  NOT  APPLY  (REF.  PARAGRAPH  B.2). 

The  onboard  filtered  solution,  with  sufficient  relative  navigation  data  incorporated,  consists  of  the  most 
accurate  and  current  relative  state  information  and,  therefore,  should  be  considered  the  best  solution. 
Sufficient  navigation  data  is  indicated  by  premission  analysis  to  be  greater  than  40  marks  in  the  current 
sensor  pass  and  position  updates  of  less  than  0.5k  feet  for  the  last  four  measurement  cycles.  This  is  not 
the  definition  of  the  absolute  best  solution,  but  it  ensures  that  the  onboard  solution  will  be  more  accurate 
than  ground  solution.  Four  consecutive  marks  with  state  vector  position  errors  less  than  0.5k  feet  was 
added  to  this  criterion  to  eliminate  transien  t  effects  and  to  ensure  stability  in  the  filtered  state. 

Obtaining  and  incorporating  40  COAS  navigation  marks  are  unrealistic,  time-consuming,  manual  tasks. 
Statistical  studies  show  that,  after  the  first  few  COAS  marks,  updates  to  the  filtered  state  are  random  and 
do  not  significantly  contribute  to  the  knowledge  of  the  relative  state.  Therefore,  since  the  COAS  can 
never  meet  these  criteria  for  sufficient  navigation  data,  proceeding  to  paragraph  B.2  forces  a 
comparison  with  the  ground  solution. 

2.  ONBOARD  FILTERED  SOLUTION  IF  IT  AGREES  WITH  THE  GROUND 
SOLUTION. 

NOTE:  MANEUVER  SOLUTIONS  ARE  DEFINED  TO  BE  IN  AGREEMENT  IF, 

FOR  EACH  AXIS,  THE  DELTA  V  DIFFERS  BY  NO  MORE  THAN 
THE  PREMISSION  ONBOARD  MINUS  GROUND  3  SIGMA 
COMPARISONS  LIMITS. 

THIS  RULE  CONTINUED  ON  NEXT  PAGE 
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A2-123  RENDEZVOUS  MANEUVER  SOLUTION  SELECTION  CRITERIA 

(CONTINUED) 

3.  ONBOARD  PROPAGATED  SOLUTION  IF  IT  AGREES  WITH  THE  GROUND 
SOLUTION. 

NOTE:  MANEUVER  SOLUTIONS  ARE  DEFINED  TO  BE  IN  AGREEMENT  IF, 

FOR  EACH  AXIS,  THE  DELTA  V  DIFFERS  BY  NO  MORE  THAN 
THE  PREMISSION  ONBOARD  MINUS  GROUND  3  SIGMA 
COMPARISONS  LIMITS. 

The  onboard  filtered  and  propagated  solutions  will  be  better  than  the  ground  solution  because  they  will 
have  been  computed  on  at  least  the  ground  initialization  state  vector  plus  any  IMU -sensed  delta 
velocities.  These  solutions  may  contain  additional  improvements: 

a.  The  filtered  solution,  even  without  sufficien  t  relative  navigation  data  as  defined  in  paragraph  B.l, 
will  be  as  good  or  better  than  the  propagated  or  ground  solutions  because  it  may  have  some  relative 
navigation  data  incorporated  in  it. 

b.  The  propagated  solution  will  be  as  good  as  or  better  than  the  ground  solution  because  it  may  have 
been  computed  on  a  filtered  state  vector  containing  relative  navigation  data  from  a  previous  sensor 
pass  that  has  been  saved  via  a  filter  to  propagator  transfer. 

4.  GROUND  SOLUTION. 

Agreement  with  the  ground  solution  serves  as  a  gross  quality  check  for  the  onboard  solution  and, 
therefore,  only  needs  to  fall  within  the  3 -sigma  comparison  limits. 

The  ground  solution  would  be  performed  as  a  last  resort. 

C.  ONBOARD  SOLUTIONS  WILL  BE  EXECUTED  FOR  POST-TI  MIDCOURSE 
MANEUVERS . 

The  ground  has  no  capability  to  improve  the  relative  state  information  between  the  orbiter  and  target  for 
the  midcourse  correction  maneuver  computations.  This  is  due  to  ground  tracking  uncertainties  and  the 
relatively  close  proximity  of  the  two  vehicles.  Hence,  the  orbiter  solution  for  these  maneuvers  will 
always  be  selected. 

Rule  (A2-122J,  RENDEZVOUS  MANEUVERS,  references  this  rule. 
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A2-124  RENDEZVOUS  MANEUVER  EXECUTION 

A.  ALL  MANEUVERS  COMPONENTS  WILL  BE  TRIMMED  TO  VGO  <  0.2  FPS  IN 
ALL  AXES . 

Based  on  flight  experience,  the  required  trim,  <  0.2  fps,  is  the  best  trim  accuracy  achievable  by  the  crew 
on  a  consisten  t  basis.  This  accuracy  is  required  during  rendezvous  to  keep  deviations  from  premission 
and  real-time  planned  profiles  to  a  minimum. 

B.  MIDCOURSE  MANEUVERS,  MCI,  MC2 ,  AND  MC3 ,  AS  WELL  AS  THE  OUT- 
OF-PLANE  NULL  WILL  ALWAYS  BE  EXECUTED.  @[021199-6732] 

Midcourse  maneuvers  are  designed  to  correct  the  orbiter  intercept  trajectory  based  on  the  most  current 
relative  state  information.  Even  with  no  additional  relative  state  sensor  data,  these  maneuvers  correct 
for  trim  errors  from  previous  burns  and  attitude  maneuver  effects  that  are  sensed  via  the  accelerometers. 
Additionally,  executing  MCI  reduces  the  probability  of  experiencing  targeting  alarms  and/or  significant 
TIG  slips  at  MC2  as  a  result  of  these  dispersion  effects.  Executing  MC2  with  its  elevation  angle 
constraint  reduces  dispersions  at  the  manual  phase  take-over  point.  The  radar  fail  correction  burn  “rule 
of  thumb’’  used  in  the  radar  fail  procedures  at  MC3  +  2  min  is  most  valid  when  the  MC3  burn  is 
executed,  resulting  in  a  more  benign  manual  phase  and  slightly  lower  prop  usage  (ref.  Orbit  Flight 
Techniques  # 166  on  June  26,  1998).  The  out-of-plane  null  is  performed  when  the  orbiter  is  at  the  out-of- 
plane  node  which  is  the  optimum  point  to  null  out-of-plane  motion. 

This  rule  is  a  result  of  the  implementation  of  the  ORBT  Rendezvous  Profile  baselined  during  Orbit  FTP 
#161,  February  14,  1997. 

C.  MC4  WILL  NOT  BE  PERFORMED  IN  RADAR  FAILED  CASES. 

The  radar  fail  procedures  have  the  CDR  begin  manual  piloting  immediately  after  MC3,  so  MC4  should 
not  be  performed  in  this  case.  The  onboard  navigation  state  is  not  accurate  enough  to  support  a 
targeted  in  tercept  of  the  R-bar  when  the  radar  is  failed. 

THIS  RULE  CONTINUED  ON  NEXT  PAGE 
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A2-124  RENDEZVOUS  MANEUVER  EXECUTION 

IN  THE  EVENT  THAT  RADAR  DATA  BECOMES  AVAILABLE  P0ST-MC2 ,  THE 
DATA  MAY  BE  INCORPORATED  INTO  THE  NAV  FILTER  BUT  WILL  NOT  BE 
USED  FOR  ORBITER  POINTING  OR  TARGETING.  RADAR  FAILED 
PROCEDURES  WILL  CONTINUE  TO  BE  PERFORMED  UNLESS  MCC  DEEMS 
THAT  THE  ONBOARD  RELATIVE  STATE  IS  SUFFICIENTLY  CONVERGED  AND 
THAT  THE  TRAJECTORY  WOULD  BENEFIT  FROM  A  TARGETED  MC4  BURN. 
@[021199-6732] 

In  the  event  that  a  previously  failed  (or  unavailable)  radar  system  becomes  available  after  MC2,  then 
radar  failed  procedures  will  continue  to  be  executed  including  the  MC3  +  2  minute  radar  failed 
correction  burn  based  on  target  position  in  the  -Z  COAS.  Since  the  radar  failed  correction  burn  is 
dependen  t  on  orbiter  poin  ting  ( i.  e. ,  position  of  target  in  -Z  COAS),  the  radar  data  may  be  incorporated 
into  the  FLTR  vector  only  if  the  PROP  vector  has  been  selected  as  the  UPP  source  on  RelNav  ( SPEC  33) 
so  as  not  to  impact  the  target  track  attitude.  At  this  point,  the  radar  failed  procedures  are  at  least  as 
good  as  executing  MC3  and  MC4  off  an  onboard  relative  state  that  may  not  be  completely  converged. 

The  ground  has  the  authority  to  return  the  crew  to  nominal  MC3  and  MC4  targeting  making  use  of  the 
new  radar  sensor  data  if  it  can  be  shown  in  real  time  that  the  onboard  relative  state  is  sufficiently 
converged  and  the  trajectory  would  benefit  from  targeted  burns.  In  general,  targeted  burns  will  benefit 
trajectories  that  are  short  of  the  targeted  MC4  point  while  radar  failed  procedures  are  better  suited  for 
long  trajectories.  @[021 1 99-6732  ] 

This  rule  is  a  result  of  the  implementation  of  the  ORBT  Rendezvous  Profile  baselined  during  Orbit 
FTP  #161,  February  14,  1997. 

D.  LAMBERT  GUIDANCE  BURNS  MUST  BE  COMPLETED  BY  T1  TIG  +  90 
SECONDS.  @[121 296-41 12A]  @[021199-6732] 

1.  IF  THE  START  OF  A  BURN  IS  DELAYED  SUCH  THAT  IT  CANNOT  BE 
COMPLETED  BY  T1  TIG  +  90  SECONDS,  THE  BURN  WILL  BE 
RETARGETED  PRIOR  TO  STARTING  THE  BURN. 

THIS  RULE  CONTINUED  ON  NEXT  PAGE 
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A2-124  RENDEZVOUS  MANEUVER  EXECUTION 

2.  IF  A  BURN  IN  PROGRESS  IS  NOT  COMPLETE  (I.E.,  VGO' S  STILL 
>0.2  FPS)  BY  T 1  TIG  +  90  SECONDS,  THC  INPUTS  WILL  BE 
STOPPED  AND  THE  BURN  WILL  BE  RETARGETED  PRIOR  TO 
COMPLETION. 

Due  to  limitations  in  the  onboard  guidance  software,  Lambert  guided  burns  should  be  completed 
within  90  seconds  of  the  Tl  TIG.  This  constrain  t  is  necessary  because  errors  in  the  Lambert  guidance 
solution  increase  as  the  time  between  Tl  TIG  and  burn  completion  increases.  At  Tl  TIG  +  90  seconds, 
the  worst  case  errors  can  be  slightly  larger  than  trim  errors  (0.2  fps)  and  can  grow  rapidly  after  that. 

®[1 21 296-41 12A] 

Flight  history  shows  that  rendezvous  burns  are  usually  complete  30  to  40  seconds  after  burn  start.  With 
rare  exceptions,  a  burn  started  soon  after  TIG  should  be  easily  completed  by  Tl  TIG  +  90  seconds.  If 
the  start  is  delayed  to  the  point  its  completion  by  Tl  TIG  +  90  seconds  is  in  doubt,  the  burn  should  be 
retargeted  prior  to  execution.  When  retargeted,  the  onboard  software  automatically  computes  a  new  Tl 
TIG  equal  to  “current  time  +  1  minute.  ”  The  bum  must  now  be  completed  by  the  new  Tl  TIG  +  90 
seconds.  In  the  unlikely  event  that  a  burn  was  started  on  time  but  not  completed  at  Tl  TIG  +  90  seconds, 
THC  inputs  should  be  terminated  and  the  burn  retargeted  prior  to  completion. 

Because  Tl  TIG  can  be  easily  reset  to  a  futu  re  time  by  simply  retargeting  the  burn,  this  rule  places  no 
constraint  on  the  total  time  a  burn  can  slip  past  the  planned  TIG.  The  total  slip  capability  is  determined 
by  the  MCC  on  a  burn  by  burn  basis  and  is  usually  constrained  by:  1 )  excess  propellant  usage;  2 ) 
Lambert  targeting/guidance  constraints  that  are  not  addressed  in  this  rule,  such  as  180  degree  transfers; 
or  3)  links  to  ground  targeted  maneuvers  such  as  the  link  between  Ti  and  Ti  delay.  Other  unique 
constraints  are  also  possible. 

Error  in  the  burn  solution  arises  from  the  fact  that  Lambert  Cyclic  Guidance  (LCG)  models  the  effects  of 
gravitational  oblateness  (J2)  in  a  fashion  inconsistent  with  Lambert  Targeting.  This  inconsistency  and 
its  effects  on  guidance  performance  are  thoroughly  documented  in  the  references  listed  below.  Reference 
Rockwell  Transmitted  Form  #  660-NAV-7 10-96-037,  “ Lambert  Cyclic  Guidance  Error  Analysis,  ” 

J.L.  Goodman,  13  May  1996;  and  Rockwell  Transmittal  Form  #  D250-300-24,  “STS-69  SPARTAN  NCC 
Burn  Guidance  Performance,  ”  J.L. Goodman,  27  Sept  1995.  ®[1 21 296-41 12A] 
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A2-125  RNDZ  OPS  DELAY 

A.  FOR  DELAYS  PRIOR  TO  TI,  IF  CONVENIENT,  THE  NOMINAL  MANEUVERS 
WILL  BE  ADJUSTED  TO  SLOW  PHASING  SO  THAT  THE  ORBITER  ARRIVES 
AT  THE  TI  POINT  AT  THE  DESIRED  DELAY  TIME.  OTHERWISE,  THE 
NOMINAL  RENDEZVOUS  PLAN  WILL  BE  EXECUTED  UNTIL  TI  WHERE  A 
DELAY  WILL  BE  DONE. 

The  most  efficient  way,  from  a  propellant  standpoint,  to  delay  a  rendezvous  is  to  slow  the  catch-up  rate 
such  that  the  orbiter  will  rendezvous  with  the  target  at  the  desired  time,  in  an  integral  number  of  orbits. 
Desirable  lighting  conditions  will  be  maintained  since  there  is  an  integral  number  of  orbits.  This  can  be 
done  at  any  preplanned  phasing  maneuver  (NC),  typically  with  no  propellant  penalty,  or  an  additional 
maneuver  can  be  inserted  into  the  rendezvous  profile.  Mission  activities  and  propellant  budgets  will 
determine  which  option  to  use. 

In  order  to  efficiently  perform  a  phasing  adjustment,  an  apogee  point  must  be  available  prior  to  TI  where 
the  perigee  can  be  raised  and  the  catchup  rates  slowed.  Any  point  other  than  apogee  will  necessitate  a 
larger  burn  and  fuel  consumption.  Communication  availability  and  time  to  adjust  the  maneuver  must 
also  be  considered.  If  any  problems  in  these  areas  arise,  it  is  no  longer  convenient  to  adjust  phasing, 
and  a  TI  delay  should  therefore  be  executed. 

B.  FOR  SHORT  TI  DELAYS  (ONE  OR  TWO  ORBITS),  MANEUVERS  WILL  BE 
EXECUTED  TO  RETURN  TO  THE  TI  POINT  WITH  THE  DESIRED  LIGHTING 
CONDITIONS.  FOR  LONG  TI  DELAYS  (GREATER  THAN  TWO  ORBITS), 
MANEUVERS  WILL  BE  EXECUTED  TO  GUARANTEE  A  SAFE  OPENING  RATE 
OF  AT  LEAST  1  NM  PER  ORBIT. 

TI  is  the  last  convenient  point  to  delay  the  rendezvous.  This  delay  may  be  desirable  to  recover  lost 
capability  prior  to  committing  to  intercept.  For  short  delays,  the  ground  will  compute  a  phasing 
maneuver  to  return  to  the  TI  position  based  on  the  most  current  onboard  relative  state.  Desirable 
lighting  conditions  will  be  maintained  since  there  is  an  integral  number  of  orbits  between  the  original 
and  new  TI  maneuvers. 

A  long  delay  requires  an  opening  rate  to  eliminate  the  need  for  the  crew  to  continuously  monitor  the 
target.  Long  delays  usually  involve  at  least  one  crew  sleep  cycle.  In  this  case,  if  propellant  is  available, 
the  delay  maneuver  is  targeted  to  a  point  in  the  following  morning  equivalen  t  to  where  the  original  final 
phasing  maneuver  was  executed.  This  range  minimizes  the  possibility  of  awakening  the  crew  to  execute  a 
trajectory  con  trol  maneuver;  shorter  ranges  may  require  in  terruption  of  crew  sleep.  In  this  manner,  the 
second  rendezvous  trajectory  will  be  similar  to  the  original  trajectory. 

There  is  a  propellan  t  penalty  for  executing  a  TI  delay.  The  magn  itude  of  this  penalty  is  dependen  t  on  the 
specific  mission  profile  and  delay  scenario. 

Rule  { A2-119 j,  RNDZ/PROX  OPS  SENSOR  REQUIREMENTS,  references  this  rule.  ©[091098-6707B] 
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A2-126  RNDZ/PROX  OPS  BREAKOUT 

A.  PRIOR  TO  TI,  A  GROUND-COMPUTED  BREAKOUT  MANEUVER  WILL  BE 
EXECUTED,  IF  NECESSARY,  TO  GUARANTEE  A  SAFE  MISS  DISTANCE 
BETWEEN  THE  ORBITER  AND  TARGET. 

Prior  to  Ti,  dispersions  and  the  lack  of  a  standard  rendezvous  profile  prevent  designing  a  “canned” 
breakout  maneuver.  The  ground  will  compute  a  maneuver,  if  required,  to  ensu  re  the  orbiter  avoids  the 
target  by  a  safe  distance.  Possibly  not  executing  a  preplanned  rendezvous  maneuver  will  provide  an 
acceptable  miss  distance. 

B.  BETWEEN  TI  AND  STABLE  AT  500  FEET  ON  THE  +RBAR,  THE  BREAKOUT 
MANEUVER  WILL  BE  A  3-FPS  RETROGRADE  MULTI-AXIS  MANEUVER. 
INITIATION  OF  THIS  MANEUVER  WILL  BE  AS  FOLLOWS:  ®[091 098-6705A] 
®[040899-6799C] 

A  single  3-fps  retrograde  breakout  maneuver  is  required  between  Ti  and  the  point  of  stability  at  500 feet 
on  the  +Rbar  to  ensure  safe  relative  motion.  Prior  to  visual  acquisition  of  the  target  and  commencemen  t 
of  the  manual  phase,  this  maneuver  provides  an  orbiter  CG  to  target  CG  miss  distance  of  at  least  500 
feet  (to  allow  for  vehicle  dimensions)  based  on  Monte  Carlo  analysis.  The  3 -sigma  dispersion  ellipse 
will  maintain  at  least  a  500-foot  miss  distance  if  the  breakout  is  initiated  due  to  failure  to  acquire  the 
target  per  the  sub-parts  below. 

After  visual  acquisition  of  the  target,  the  pilot  is  allowed  to  continue  the  rendezvous  to  the  manual 
takeover  point  and  begin  to  affect  the  relative  motion  of  the  orbiter  with  respect  to  the  target  via  manual 
piloting  techniques.  This  breakout  should  still  provide  safe  relative  motion  all  the  way  to  Rbar  arrival 
assuming  the  manual  phase  has  been  flown  in  a  nominal  manner  ( i.  e. ,  the  braking  gates  have  been 
followed  and  the  target  has  been  maintained  within  the  CO  AS).  However,  after  the  manual  phase  has 
commenced,  it  is  the  responsibility  of  the  CDR  to  ensure  that  the  breakout  is  adequate  and  positive 
clearance  with  the  target  exists.  Assuming  a  nominally  flown  manual  phase,  this  maneuver  provides  an 
orbiter  CG  to  target  CG  miss  distance  of  approximately  370ft  if  executed  at  the  minimum  500ft  range. 
This  satisfies  the  “rule  of  halves  ”  groundrule  and  constraint  for  separations  which,  for  this  case,  would 
require  at  least  a  250ft  miss  distance.  ®[040899-6799C] 
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A  maneuver  to  burn  attitude  is  prohibited  because  of  the  delay  in  initiating  the  maneuver  and  the  loss  of 
target  acquisition  while  still  on  an  intercept  trajectory.  Since  this  retrograde  breakout  maneuver  can 
occur  anytime  from  Ti  through  Rbar  arrival  and  the  orbiter  is  in  a  -Z  target  track  attitude,  propellant  to 
cover  the  breakout  maneuver  for  the  range  of  orbiter  attitudes  during  the  terminal  phase  must  be 
protected.  Worst  case  prop  usage  for  this  breakout  maneuver  is  80  lb  fwd  (at  Rbar  arrival)  and  40  lb 
aft  (45  deg  below  Vbcir).  Prop  requiremen  ts  for  the  maneuver  are  independent  of  the  Low  Z  transition 
range  since  the  breakout  maneuver  will  be  a  pure  -X  burn  when  the  orbiter  is  in  the  Low  Z  regime. 

®[091 098-6705A] 

1.  FOR  INSUFFICIENT  PROPELLANT  OR  ORBITER  CONTINGENCIES 
REQUIRING  BREAKOUT,  THE  BREAKOUT  CAN  BE  INITIATED  ANYTIME 
POST-TI.  IF  POSSIBLE,  THE  BREAKOUT  SHOULD  BE  INITIATED 
BETWEEN  MCI  AND  MC2 . 

Since  relative  perigee  occurs  between  MCI  and  MC2,  the  effects  of  the  retrograde  maneuver  will  be 
maximized.  ®[091 098-6705A] 

2.  IF  NO  TARGET  SENSOR  DATA  (RR,  ST,  COAS )  HAS  BEEN 
INCORPORATED  INTO  NAV  AND  UTILIZED  FOR  BURN  EXECUTION 
DURING  THE  RENDEZVOUS,  THE  BREAKOUT  MANEUVER  MUST  BE 
EXECUTED  WITH  TIG  NO  LATER  THAN  MC2+20  MINUTES  UNLESS 
THE  TARGET  IS  ACQUIRED  VISUALLY  OR  WITH  THE  RADAR. 
®[091098-6705A] 

With  no  target  sensor  data,  the  actual  relative  position  between  the  orbiter  and  the  target  is  not  known 
with  sufficient  accuracy  to  warrant  completion  of  the  rendezvous.  The  breakout  maneuver  may  be 
delayed  to  a  point  no  later  than  MC2+20  min  u  tes  to  cdlow  the  maximum  time  for  crew  visual  acquisition 
of  the  target  while  main  taining  the  3  sigma  miss  distance  of 500 ft. 

Note  that  this  breakout  point  will  be  operationally  implemented  2  minutes  earlier  than  defined  in  this 
rule  to  provide  enough  time  for  the  crew  to  execute  the  Rendezvous  Breakout  procedure  such  that  TIG 
occurs  at  MC2+20  min  per  this  rule. 
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3.  IF  GOOD  TARGET  SENSOR  DATA  (RR,  ST,  COAS )  HAS  BEEN 
INCORPORATED  INTO  NAV  AND  UTILIZED  FOR  BURN  EXECUTION 
DURING  THE  RENDEZVOUS,  THE  BREAKOUT  MANEUVER  MUST  BE 
EXECUTED  WITH  TIG  NO  LATER  THAN  MC2+24  MINUTES  UNLESS  THE 
TARGET  IS  ACQUIRED  VISUALLY  OR  WITH  THE  RADAR. 

With  good  target  sensor  data ,  trajectory  dispersions  are  reduced,  and  as  a  result,  the  breakout  maneuver 
may  be  delayed  beyond  MC2+20  min  (per  paragraph  2)  to  a  point  no  later  than  MC2+24  minutes  while 
still  providing  an  acceptable  miss  distance.  “  Good”  sensor  data  means  that  at  least  one  full  star  tracker- 
pass  has  occurred  prior  to  MC2  resulting  in  small  state  vector  updates.  The  quality  of  the  sensor  pass 
will  be  evaluated  in  real  time  by  the  MCC,  and  the  go  to  delay  the  breakout  point  from  MC2+20  min  to 
MC2+24  min  will  be  per  ground  call.  Note  that  the  MC2+20  min  point  will  always  occur  in  orbited 
daylight,  so  this  extra  4  minutes  is  not  particularly  valuable  (it  is  very  unlikely  that  the  target  would  be 
visually  acquired  at  MC2+24  min  but  not  visually  acquired  at  MC2+20  min).  Time  from  MC2  is  used  as 
a  reference  since  the  MC2  TIG  is  variable. 

Note  that  this  breakout  point  will  be  operationally  implemented  2  minutes  earlier  than  defined  in  this 
rule  to  provide  enough  time  for  the  crew  to  execute  the  Rendezvous  Breakout  procedure  such  that  TIG 
occurs  at  MC2  +24  min  per  this  rule.  ®[09i  098-6705A] 

4.  IF  THE  TARGET  IS  ACQUIRED  VISUALLY  OR  WITH  THE  RADAR  PER 
PARAGRAPHS  2  OR  3  ABOVE  AND  IT  IS  MORE  THAN  30  DEG  FROM 
THE  ORBITER  -Z  AXIS,  THE  BREAKOUT  MANEUVER  SHOULD  BE 
EXECUTED.  IF  MISSION  DURATION  DOES  NOT  ALLOW  FOR  THE 
POSSIBILITY  OF  RERENDEZVOUS,  THEN  THE  MANUAL  APPROACH  MAY 
CONTINUE  ON  A  BEST  EFFORT  BASIS. 
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Even  if  the  crew  visually  acquires  the  target,  certain  off-nominal  cases,  particularly  no  sensor  cases,  can 
lead  to  trajectory  dispersions  that  are  unrecoverable  via  manual  piloting  techniques,  or  the  manual 
recovery  will  expend  more  prop  them  a  breakout  and  rerendezvous.  Target  displacement  from  the  orbiter 
-Z  axis  is  a  key  indicator  to  the  dispersed  nature  of  the  trajectory  and  hence  the  fly  ability  of  the 
approach.  Target  displacement  of  30  deg  or  more  is  significantly  greater  than  that  seen  in  the  3 -sigma 
radar  fail  trajectories  used  in  the  generation  of  the  rendezvous  propellant  budget,  and  it  would  not  be 
pruden  t  to  con  tin  ue  with  the  rendezvous  in  this  case  if  a  rerendezvous  capability  exists.  Rendezvous  on 
another  day  provides  the  opportunity  to  troubleshoot  the  sensor/systems  problems  that  led  to  the  failure 
of  the  first  rendezvous  or  to  adjust  rendezvous  timing  and  procedures  to  maximize  ground  navigation 
effectiveness  in  cm  effort  to  increase  the  probability  of  a  successful  rerendezvous.  If  mission  duration 
cannot  accommodate  a  rerendezvous,  the  approach  may  continue  on  a  best  effort  basis  with  a  high 
probability  that  the  rendezvous  cannot  be  completed  due  to  exceedance  of  propellant  bingo  constraints. 

This  rule  is  a  result  of  the  implemen  tation  of  the  ORBT  Rendezvous  Profile  baselined  during  Orbit  FTP 
#161,  February  14,  1997.  ®[091098-6705A] 

C.  THE  SHUTTLE  NOSE  IN-PLANE  BREAKOUT  MAY  BE  EXECUTED  WHEN  THE 
SHUTTLE  STATE  SATISFIES  THE  FOLLOWING  CONDITIONS  :  ©[040899-6799C] 

SHUTTLE  IS  WITHIN  500  FT  (CG  TO  CG)  OF  THE  TARGET 
VEHICLE . 

SHUTTLE  X  AND  Z  BODY  AXES  ARE  IN  THE  ORBITAL  PLANE  OF  THE 
TARGET  VEHICLE. 

THE  TARGET  VEHICLE  IS  IN  A  STABLE  POSITION  ON  THE  SHUTTLE 
-Z  AXIS.  ®[040899-6799C] 

THE  IN-PLANE  BREAKOUT  MANEUVER  SEQUENCE  WILL  BE  AS  FOLLOWS: 
®[040899-6799C] 
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1.  IF  WITHIN  75  FT  INTERFACE  TO  INTERFACE,  THE  SHUTTLE  CREW 
WILL  NULL  THE  CLOSING  RATE,  THEN  BACK  OUT  BY  INITIATING 
AND  MAINTAINING  AT  LEAST  0.1  FT/SEC  OPENING  RATE  WHILE 
MAINTAINING  THE  TARGET  VEHICLE  POSITIONED  NEAR  THE 
SHUTTLE  -Z  BODY  AXIS. 

For  ranges  inside  75  ft,  a  backout  must  be  initiated  to  provide  adequate  clearance  to  complete  the 
breakout  sequence.  For  ISS  flights,  this  would  involve  performing  a  Corridor  Backout. 

2.  WHEN  RANGE  IS  GREATER  THAN  75  FT  INTERFACE  TO  INTERFACE, 
PERFORM  AT  LEAST  A  1.5  FPS  BURN  IN  THE  "CLOCKWISE" 
DIRECTION  (+X  ORBITER  BODY  BURN  IF  OMICRON  IS  0,  -X 
ORBITER  BODY  BURN  IF  OMICRON  IS  180  DEGREES) .  FOLLOWING 
THE  BURN,  MODE  TO  INERTIAL  HOLD. 

This  X  burn  results  in  the  orbiter  opening  from  the  target  vehicle.  Moding  the  DAP  to  INRTL  results  in 
cm  orbiter  attitude  profile  that,  when  coupled  with  the  relative  motion ,  maintains  the  target  vehicle  near 
the  orbiter  -Z  body  axis.  This  relative  orientation  minimizes  plume  loads  on  the  target  when  the  DAP  is 
in  Low  Z  mode.  The  1.5  fps  burn  was  sized  to  ensure  that  the  orbiter  is  at  least  1000 ft  from  the  target 
after  22  min  at  which  time  Low  Z  is  deselected  and  the  maneuver  to  attitude  for  the  next  burn 
commences.  Since  this  breakou  t  exposes  the  target  vehicle  to  possible  direct  PRCS  firings  just  ou  tside  of 
1000ft,  it  is  not  adequate  for  target  vehicles  that  require  Low  Z  protection  outside  1000ft. 

3.  AT  30  MINUTES  AFTER  THE  ±X  BURN,  PERFORM  A  3  FPS  OUT-OF- 
PLANE  AND  3.5  FPS  POSIGRADE/RETROGRADE  BURN  USING  THE  +X 
RCS  JETS.  AT  22  MINUTES  AFTER  THE  ±X  BURN,  DESELECT  LOW 
Z  AND  INITIATE  THE  MANEUVER  TO  BURN  ATTITUDE. 

This  final  burn  needs  to  be  performed  30  minutes  after  the  ±X  burn  to  provide  a  safe  trajectory.  The  size 
of  this  burn  (4.6  ft/sec  RSS)  was  designed  to  provide  a  safe  trajectory  for  all  initial  conditions  that  satisfy 
the  con  ditions  of  applicability  for  this  breakou  t.  The  breakout  also  allows  for  the  selection  of  either  a 
posigrcide  or  retrograde  component  to  provide  flexibility  for  subsequent  mission  objectives.  The  burn 
combines  the  out-of-plane  and  posigrcide/ retro  grade  components  and  is  performed  as  a  +X  bum  with  a 
maneuver  to  attitude  in  order  to  save  propellant.  Time  is  allotted  to  allow  a  worst  case  180  deg 
maneuver  to  attitude  at  0.5  deg/sec.  ®[040899-6799C] 
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D.  THE  RBAR  BREAKOUT  MAY  BE  EXECUTED  WHEN  THE  SHUTTLE  STATE 
SATISFIES  THE  FOLLOWING  COND I T I ONS  :  ©[040899-6799C] 

SHUTTLE  IS  WITHIN  500  FT  (CG  TO  CG)  OF  THE  TARGET 
VEHICLE . 

SHUTTLE  X  AND  Z  BODY  AXES  ARE  IN  THE  ORBITAL  PLANE  OF  THE 
TARGET  VEHICLE. 

THE  SHUTTLE  IS  POSITIONED  ON  THE  +RBAR  WITH  THE  TARGET 
VEHICLE  IN  A  STABLE  POSITION  ON  THE  SHUTTLE  -Z  BODY  AXIS. 

THE  RBAR  BREAKOUT  MANEUVER  SEQUENCE  WILL  BE  AS  FOLLOWS: 

1.  IF  WITHIN  75  FT  INTERFACE  TO  INTERFACE,  THE  SHUTTLE  CREW 
WILL  NULL  THE  CLOSING  RATE,  THEN  BACK  OUT  BY  INITIATING 
AND  MAINTAINING  AT  LEAST  0.1  FT/SEC  OPENING  RATE  WHILE 
MAINTAINING  THE  TARGET  VEHICLE  POSITIONED  NEAR  THE 
SHUTTLE  -Z  BODY  AXIS. 


For  ranges  inside  75  ft,  a  backout  must  be  initiated  to  provide  adequate  clearance  to  complete  the 
breakout  sequence.  For  ISS  flights,  this  would  involve  performing  a  Corridor  Backout. 

2.  WHEN  RANGE  GREATER  THAN  75  FT  INTERFACE  TO  INTERFACE, 
PERFORM  A  3  FPS  +X  OR  -X  TRANSLATION. 


This  +X  or  -X  burn  results  in  either  retrograde  or  posigrcide  motion  relative  to  the  target  vehicle.  The 
direction  of  the  burn  should  be  selected  based  on  subsequen  t  mission  objectives.  The  burn  will  result  in 
the  orbiter  phasing  away  from  the  target  vehicle  at  approximately  8  nm/rev.  ©[040899-6799C] 
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E.  THE  VBAR  BREAKOUT  MAY  BE  EXECUTED  WHEN  THE  SHUTTLE  STATE 
SATISFIES  THE  FOLLOWING  CONDITIONS:  ©[040899-6799C] 

SHUTTLE  IS  WITHIN  500  FT  (CG  TO  CG)  OF  THE  TARGET 
VEHICLE . 

SHUTTLE  X  AND  Z  BODY  AXES  ARE  IN  THE  ORBITAL  PLANE  OF  THE 
TARGET  VEHICLE. 

THE  SHUTTLE  IS  LOCATED  ON  THE  +VBAR  WITH  THE  TARGET 
VEHICLE  IN  A  STABLE  POSITION  ON  THE  SHUTTLE  -Z  BODY  AXIS. 

THE  VBAR  BREAKOUT  MANEUVER  SEQUENCE  WILL  BE  AS  FOLLOWS: 

1.  IF  WITHIN  75  FT  INTERFACE  TO  INTERFACE,  THE  SHUTTLE  CREW 
WILL  NULL  THE  CLOSING  RATE,  THEN  BACK  OUT  BY  INITIATING 
AND  MAINTAINING  AT  LEAST  0.1  FT/SEC  OPENING  RATE  WHILE 
MAINTAINING  THE  TARGET  VEHICLE  POSITIONED  NEAR  THE 
SHUTTLE  -Z  BODY  AXIS. 


For  ranges  inside  75  ft,  a  backout  must  be  initiated  to  provide  adequate  clearance  to  complete  the 
breakout  sequence.  For  ISS  flights,  this  would  involve  performing  a  Corridor  Backout. 

2.  WHEN  RANGE  GREATER  THAN  75  FT  INTERFACE  TO  INTERFACE, 
MODE  TO  INERTIAL  HOLD  AND  PERFORM  A  1  FPS  RADIAL  BURN 
WITH  THE  +X  OR  -X  JETS.  IF  THE  SHUTTLE  IS  ON  THE 
+VBAR,  PERFORM  THE  BURN  RADIAL  UP.  IF  THE  SHUTTLE  IS 
ON  THE  -VBAR,  PERFORM  THE  BURN  RADIAL  DOWN. 

This  +X  or  -X  burn  results  in  a  trajectory  that  lofts  the  orbiter  above  (for  +Vbar)  or  below  ( for  - Vbar ) 
the  target.  Moding  the  DAP  to  INRTL  results  in  cm  orbiter  attitude  profile  that,  when  coupled  with  the 
relative  motion,  maintains  the  target  vehicle  near  the  orbiter  -Z  body  axis  in  order  to  protect  the  target 
vehicle  from  jet  plume  loads  during  the  subsequen  t  burn. 
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3.  AT  22  MINUTES  AFTER  THE  RADIAL  BURN,  PERFORM  A  3  FPS  +X 
OR  -X  TRANSLATION. 


This  +X  or  -X  burn  results  in  either  retrograde  or  posigrade  motion  relative  to  the  target  vehicle.  The 
direction  of  the  burn  should  be  selected  based  on  subsequen  t  mission  objectives.  The  burn  will  result  in 
the  orbiter  phasing  away  from  the  target  vehicle  at  approximately  8  nm/rev.  ®[040899-6799C] 

F.  THE  FLYAROUND  BREAKOUT  MAY  BE  EXECUTED  WHEN  THE  SHUTTLE  STATE 
SATISFIES  THE  FOLLOWING  CONDITIONS: 

SHUTTLE  IS  WITHIN  500  FT  (CG  TO  CG)  OF  THE  TARGET 
VEHICLE . 

SHUTTLE  X  AND  Z  BODY  AXES  ARE  IN  THE  ORBITAL  PLANE  OF  THE 
TARGET  VEHICLE. 

THE  SHUTTLE  IS  PITCHING  AT  A  CONSTANT  RATE  LESS  THAN  0.2 
DEG/SEC  WITH  THE  TARGET  VEHICLE  IN  A  STABLE  POSITION  ON 
THE  SHUTTLE  -Z  AXIS. 

THE  FLYAROUND  BREAKOUT  MANEUVER  SEQUENCE  WILL  BE  AS  FOLLOWS: 

1.  CONTINUE  FLYAROUND  PROCEDURE  TO  NEXT  RBAR  CROSSING. 

2.  PERFORM  A  3  FPS  +X  OR  -X  PRCS  TRANSLATION. 

The  simplest  and  most  expedient  way  to  break  out  from  aflyaround  is  to  continue  the  flyaround  to  the 
next  Rbar  crossing  and  perform  a  single  +X  or  -X  burn,  resulting  in  either  retrograde  or  posigrade 
) notion  relative  to  the  target  vehicle.  The  direction  of  the  burn  should  be  selected  based  on  subsequent 
mission  objectives.  If  it  is  desirable  to  minimize  the  use  of  forward  propellant  when  performing  the 
breakout,  then  performing  the  Shuttle  Nose  In-Plane  Breakout  (paragraph  C)  may  be  better  depending 
on  the  orientation  of  the  orbiter  during  the  flyaround  and  the  desired  breakout  direction. 
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G.  IF  A  BREAKOUT  IS  DESIRED  ASAP  AND  THE  SHUTTLE  STATE  DOES  NOT 
SATISFY  THE  CONSTRAINTS  OF  PARAGRAPHS  C  THROUGH  F,  THEN 
PERFORM  THE  FOLLOWING  1-2-3  BREAKOUT  (AKA  SEP  MANEUVER,  ORB 
OPS  CHECKLIST) : 

1.  MANUALLY  ROTATE  THE  ORBITER  SUCH  THAT  THE  TARGET  IS 
VISIBLE  THROUGH  THE  OVERHEAD  WINDOW. 

The  target  must  be  positioned  near  the  orbiter  -Z  axis  so  that  the  crew  can  acquire  it  with  either  the  KU 
radar  or  the  HHL  and  null  any  closing  rate  with  orbiter  +Z  translations.  ®[040899-6799C] 

2.  NULL  ANY  CLOSING  RATE  AND  ESTABLISH  A  1  FPS  OPENING  RATE 
IN  NORM  Z.  THIS  BURN  MAY  BE  PERFORMED  IN  LOW  Z  (ON  MCC 
CALL,  IF  PROP  AVAILABLE)  IN  ORDER  TO  PROVIDE  PLUME 
PROTECTION  TO  THE  TARGET  VEHICLE.  ©[040899-6799C] 

This  1  fps  opening  rate  ensures  short  term  relative  motion  will  not  result  in  a  collision  with  the  target 
vehicle.  Although  use  of  Low  Z  for  this  burn  provides  plume  protection  to  the  target  vehicle,  the  prop 
requirements  are  so  high  that  it  should  only  be  performed  in  Low  Z  if  MCC  deems  that  prop  is  available 
to  support  it. 

3.  22  MIN  AFTER  THE  1  FPS  OPENING  BURN,  PERFORM  A  2  FPS 
MULTI-AXIS  OUT-OF-PLANE  BURN  IN  NORM  Z.  IN  TIME  CRITICAL 
SITUATIONS,  THIS  BURN  CAN  BE  PERFORMED  2  MIN  AFTER  THE 
OPENING  BURN. 

Since  this  2  fps  out-of-plane  burn  is  performed  multi-axis,  it  is  possible  that  a  significant  component  of 
the  burn  will  be  directed  at  the  target  vehicle.  Waiting  22  minutes  to  perform  this  burn  maximizes  the 
out-of-plane  separation  of  the  orbiter  from  the  target  as  a  result  of  the  initial  opening  burn,  thus 
minimizing  plume  impingement  on  the  target  vehicle.  In  time  critical  situations,  however,  this  out-of- 
plane  burn  can  be  performed  almost  immediately  after  the  initial  opening  burn  with  the  possibility  of 
significantly  pluming  the  target  vehicle.  Use  of  Norm  Z  is  required  to  avoid  the  excessive  cross-coupling 
resulting  from  performing  a  multi-axis  burn  in  Low  Z. 
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4.  15  MIN  AFTER  THE  OUT-OF-PLANE  BURN,  PERFORM  A  3  FPS 

POSIGRADE  BURN  IN  NORM  Z. 

Coasting  15  min  after  execution  of  the  2fps  out-of-plane  burn  results  in  the  orbiter  moving 
approximately  1500ft  out-of-plane,  well  outside  the  Low  Z  range  for  most  target  vehicles.  Burning 
posi grade  will  then  allow  the  orbiter  to  phase  behind  the  target  to  set  up  for  a  subsequent  rendezvous,  if 
desired.  Three  fps  ensures  that  the  resultant  posigrcide  component  after  the  completion  of  the  1-2-3  burn 
sequence  is  at  least  2  fps,  which  provides  a  safe  separation  rate  of  approximately  5  nm/rev.  @[040899- 
6799C] 

THIS  BREAKOUT  IS  NOT  PROTECTED  IN  THE  RNDZ/PROX  OPS  TERMINATE 
QUANT  I  TY  .  ©[040899-6799C] 

Plume  impingement  analysis  does  not  protect  for  breakout  scenarios.  However,  all  the  above  prox  ops 
breakout  sequences  have  been  designed  to  use  “common  sense”  piloting  techniques  to  minimize  plume 
impingement  on  the  target  vehicle  and  provide  safe  relative  motion.  The  breakouts  outlined  in 
paragraphs  C  through  F  are  optimized  to  cover  the  nominal  operating  regimes  of  the  orbiter  while  in 
proximity  operations.  If  outside  these  normal  regimes,  then  the  breakout  procedure  described  in 
paragraph  G  (ref.  SEP  MANEUVER,  Orbit  Ops  Checklist)  will  provide  safe  relative  motion  for  any 
in  itial  condition  at  the  cost  of  more  propellan  t  and  possible  plume  impingemen  t  of  the  target  vehicle. 
Propellant  for  this  breakout  will  not  be  protected  given  the  extremely  low  probability  of  requiring  such  a 
breakout  (ref.  Flight  Rule  { A2-121 j,  RNDZ/PROX  OPS  PROPULSION  SYSTEMS  MANAGEMENT ). 
Furthermore,  it  is  typically  more  propellant  efficient  to  fly  the  orbiter  to  a  state  that  satisfies  the 
constrain  ts  of  one  of  the  paragraphs  C  through  F,  then  execute  the  applicable  breakout.  The  above 
breakouts  were  approved  at  a  Splinter  Generic  Orbit  Flight  Techniques  meeting  held  on  March  26,  1999. 
@[040899-67990] 
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A2-127  RENDEZVOUS  GUIDANCE 

A.  THE  ONBOARD  ORBITER  AND  TARGET  NAVIGATION  STATES  WILL  BE 
INITIALIZED  BY  GROUND  UPLINK  PRIOR  TO  INITIATION  OF  RNDZ 
NAVIGATION. 


An  onboard  software  restriction  prohibits  enabling  rendezvous  navigation  if  the  timetag  of  the  target 
state  vector  is  older  than  15  hours.  The  target  state  vector  timetag  I-load  is  zero;  therefore,  without  a 
ground  uplink  of  the  target  state  vector ,  rendezvous  navigation  cannot  be  enabled. 


It  is  also  desirable  for  both  the  ground  and  the  onboard  to  have  the  most  accurate  orbiter  and  target 
state  vectors  available,  hence  the  most  accurate  relative  state  vector  to  initialize  rendezvous  navigation 
for  the  first  navigation  sensor  tracking  interval.  This  allows  the  filter  to  rapidly  determine  the  “true” 
state  and  prevents  undesirable  transients  caused  by  large  updates. 


B.  THE  PROPAGATED  STATE  VECTOR  WILL  BE  SELECTED  FOR  USER 

PARAMETER  PROCESSING  (UPP)  STATE  VECTOR  UNTIL  THE  BEGINNING 
OF  THE  FIRST  RELATIVE  TRACKING  INTERVAL.  THE  FILTER  STATE 
VECTOR  WILL  BE  SELECTED: 


1.  IF  10  ST  MEASUREMENTS  HAVE  BEEN  ACCEPTED  WITH  THE  LAST 
STATE  VECTOR  POSITION  UPDATE  <1 . OK  FEET,  OR, 

2.  IF  10  RR  MEASUREMENTS  HAVE  BEEN  ACCEPTED  WITH  THE  LAST 
STATE  VECTOR  POSITION  UPDATE  <0.3K  FEET,  OR, 


3.  IF  3  COAS  MEASUREMENTS  HAVE  BEEN  ACCEPTED. 


Accepting  10  ST  or  RR  measurements  prior  to  selecting  the  filtered  state  vector  for  the  UPP  prevents 
filtered  vector  transients  from  reaching  the  UPP.  This  delay  also  allows  the  crew  time  to  take 
appropriate  action  to  prevent  the  use  of  a  filtered  state  which  may  have  incorporated  bad  measurements. 
Since  COAS  processing  takes  longer,  only  three  marks  are  taken  prior  to  selecting  the  filtered  state 
vector. 
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A2-127  RENDEZVOUS  GUIDANCE  (CONTINUED) 

C.  FOR  ALL  TRACKING  INTERVALS,  MEASUREMENT  INCORPORATION  WILL  BE 
INHIBITED  PRIOR  TO  SENSOR  ACQUISITION. 


Inhibiting  data  prior  to  sensor  acquisition  prevents  marks  from  being  immediately  incorporated.  This 
allows  the  crew  time  to  assess  the  quality  of  the  sensor  data  prior  to  its  incorporation  into  the  filtered 
state  vector. 


D.  ST  MEASUREMENTS  WILL  NOT  BE  INCORPORATED  INTO  THE  FILTERED 
STATE  UNTIL  PROPER  TARGET  LOCK  IS  VERIFIED.  IF  AFTER  FOUR 
CONSECUTIVE  MEASUREMENT  CYCLES  (31  SECONDS) ,  THE  RESIDUAL 
VALUES  CHANGE  <0.05  DEGREE  PER  CYCLE  AND  THE  RATIO  VALUES  ARE 
<1.0,  THEN  THE  AUTO/ INH IBI T/FORCE  OPTION  FOR  ANGLES  WILL  BE 
SELECTED  TO  AUTO. 


In  target  track  attitude  hold,  the  target  should  remain  essentially  stationary  in  the  ST  field  of  view;  a  star- 
will  have  cm  angular  rate  of  0.5  degree  per  cycle.  If  the  residuals  are  continuously  changing  by  more 
than  0.05  degree  per  cycle,  the  object  being  tracked  is  most  likely  a  star.  Monitoring  four  consecutive 
measurement  cycles  (31  seconds)  allows  the  data  quality  to  be  assessed  and  ensures  that  the  ST  has  not 
locked  onto  a  false  target. 

E.  RR  MEASUREMENTS  WILL  BE  INCORPORATED  INTO  THE  FILTERED  STATE 
AS  FOLLOWS.  IF  AFTER  FOUR  CONSECUTIVE  MEASUREMENT  CYCLES  (31 
SECONDS)  THE  RESIDUAL  VALUES  ARE  STABLE  AND  THE  RATIO  VALUES 
ARE  <1.0  THEN  THE  AUTO/ INHIBIT/FORCE  OPTION  WILL  BE  SELECTED 
TO  AUTO.  RADAR  DATA  WILL  NOT  BE  INCORPORATED  INTO  NAVIGATION 
AT  RANGES  GREATER  THAN  135K  FEET. 


Four  consecutive  measurement  cycles  (31  seconds)  allow  transients  to  settle  and  the  crew  to  assess  the 
quality  of  the  data.  Stable  measurements  are  an  indirect  indication  that  the  radar  sensor  is  locked  onto 
the  target  with  the  main  lobe  instead  of  a  side  lobe.  Ratios  <1.0  indicate  that  the  measuremen  ts,  if 
accepted  by  selecting  AUTO,  will  not  be  rejected  by  the  navigation  filter.  At  ranges  greater  than  135k 
feet,  the  radar  range  becomes  biased  due  to  eclipsing  of  the  return  signed. 
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A2-127  RENDEZVOUS  GUIDANCE  (CONTINUED) 

F.  WHENEVER  EITHER  RR  ANGLE  EXCEEDS  30  DEGREES  FROM  THE  -Z  AXIS, 
RADAR  ANGLE  MEASUREMENTS  WILL  BE  INHIBITED. 

Angle  data  is  considered  valid  only  within  a  30-degree  half -cone  of  the  -Z  axis. 

G.  THE  FOLLOWING  PRIORITIZED  ACTIONS  WILL  BE  TAKEN  IF  SUCCESSIVE 
SENSOR  MEASUREMENTS  ARE  REJECTED  BY  RESIDUAL  EDITING  (RATIO 
VALUES  >1.0)  AT  THE  START  OF  A  TRACKING  INTERVAL: 

1.  BREAK  LOCK  AND  REACQUIRE  TARGET  (ST  ONLY). 

If  residual  editing  continuously  occurs,  most  likely  the  ST  has  either  locked  onto  a  star,  has  a 
malfunction,  or  very  large  relative  state  errors  are  presen  t.  To  preven  t  bad  measuremen  ts  from  being 
incorporated  into  the  filtered  state  vector,  breaking  lock  and  reacquiring  the  target  is  the  desirable  first 
step  since  it  does  not  update  anything  in  the  relative  navigation  state. 

2.  REINITIALIZE  COVARIANCE. 

If  the  covariance  matrix  has  been  reduced  (e.g.,  measurement  incorporation,  wrong  covariance 
uplinked),  reinitializing  the  covariance  will  expand  it  and  cdlow  larger  updates  to  be  incorporated  into 
the  filtered  state.  Incorporating  these  larger  updates  should  correct  the  relative  state  vector  which  will 
stop  the  residual  editing. 

3.  FORCE  UP  TO  THREE  MEASUREMENTS. 

If  covariance  reinitialization  is  not  sufficient  to  prevent  residual  editing,  data  can  be  forced  into  the 
filtered  state.  Three  consecutive  measurements  should  correct  the  relative  state  vector  sufficiently  to  stop 
the  residual  editing.  If  measurements  continue  to  be  edited,  a  generic  problem  may  exist;  and  forcing 
more  measurements,  most  likely,  will  not  improve  the  situation. 

4.  FILTER  RESTART  (PROPAGATOR  TO  FILTER  TRANSFER). 

A  filter  restart  eliminates  all  data  incorporated  into  the  filtered  state  vector  since  the  last  filtered  to 
propagated  state  vector  transfer.  This  is  a  last  resort  procedure  to  correct  the  rendezvous  navigation 
relative  state. 
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A2-127  RENDEZVOUS  GUIDANCE  (CONTINUED) 

H.  FOR  ALL  BUT  THE  INITIAL  TRACKING  INTERVAL,  A  FILTERED  TO 
PROPAGATED  STATE  VECTOR  TRANSFER  WILL  BE  PERFORMED  AFTER 
SUCCESSFUL  SENSOR  LOCK-ON  TO  THE  TARGET  BUT  PRIOR  TO  DATA 
INCORPORATION. 


A  filtered  to  propagated  state  vector  transfer  is  done  to  maintain  a  good  backup  state  vector 
(propagated)  for  restart  purposes  in  the  event  that  the  filtered  state  vector  subsequently  incorporates  bad 
sensor  data.  Sensor  lock-on  is  an  independent  means  of  evaluating  the  filtered  state  vector  prior  to 
executing  the  transfer.  A  transfer  is  not  required  prior  to  the  first  sensor  pass  because  the  filtered  state 
vector  and  the  propagated  state  vector  are  identical  at  that  time. 

I.  IF  FILTER  MINUS  PROPAGATOR  CHANGES  BY  MORE  THAN  40K  FEET 

WITHIN  AN  ST  PASS,  THEN  ALL  OF  THE  FOLLOWING  WILL  BE  DONE: 

1.  SELECT  PROPAGATED  STATE  VECTOR  FOR  UPP . 

2.  INHIBIT  ANGLES. 

3.  FILTER  RESTART  (PROPAGATED  TO  FILTERED  STATE  VECTOR). 

4.  BREAK  TRACK  AND  USE  NOMINAL  PROCEDURES  TO  REACQUIRE. 

If  filtered  minus  propagated  state  changes  by  more  than  40k  feet  during  a  single  ST  pass,  the  ST  data  is 
considered  bad  and  has  corrupted  the  filtered  state.  These  actions  will  recover  rendezvous  navigation  to 
a  point  equivalent  to  the  beginning  of  the  ST  tracking  interval. 
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A2-128  EMCC/TMCC  ACTIVATION 

IN  THE  EVENT  THAT  THE  EMERGENCY  MISSION  CONTROL  CENTER  (EMCC)  OR 
TEMPORARY  MISSION  CONTROL  CENTER  (TMCC)  MUST  BE  ACTIVATED,  THE 
FLIGHTCREW  WILL  BEGIN  ORDERLY  TERMINATION  OF  ANY  PAYLOAD-RELATED 
OR  HAZARDOUS  ACTIVITY.  WHEN  THE  ACTIVITY  HAS  BEEN  TERMINATED, 
THE  ORBITER  WILL  BE  MANEUVERED  TO  +XW,  -ZLV  AND  REMAIN  IN  THIS 
ATTITUDE  UNTIL  FURTHER  INSTRUCTIONS  FROM  THE  EMCC/TMCC.  FLIGHT 
SPECIFIC  EXCEPTIONS  AND  CRITERIA  FOR  ORDERLY  TERMINATION  MAY  BE 
IDENTIFIED  IN  THE  FLIGHT  SPECIFIC  ANNEX. 


When  the  EMCC  or  TMCC  is  required  to  be  utilized,  a  major  portion  of  the  real-time  telemetry 
monitoring,  flight  planning,  and  data  analysis  capability  provided  by  the  MCC  is  not  available.  In 
addition,  the  capability  to  provide  payload  data  to  the  POCC/payload  customer  may  be  lost.  With  the 
loss  of  these  MCC  capabilities,  the  ground  cannot  provide  adequate  support  to  safely  execute  a  nominal 
flight  plan  and  must  use  the  reduced  facilities  provided  by  the  EMCC/TMCC  to  monitor  orbiter  systems. 
The  selected  attitude  is  thermally  benign  and  restrictions  on  attitude  maneuvers  significantly  reduces  the 
support  required  for  ground  monitoring. 


VOLUME  A  06/20/02  FINAL  FLIGHT  OPERATIONS  2-190 

Verify  that  this  is  the  correct  version  before  use. 


NASA  -  JOHNSON  SPACE  CENTER 


FLIGHT  RULES 


A2-129  ORB ITER  ON-ORBIT  HIGH  DATA  RATE  REQUIREMENTS 

THE  ORBITER  ON-ORBIT  HIGH  DATA  RATE  REQUIREMENTS  ARE  SUMMARIZED 
BELOW.  PAYLOAD  DATA  SHALL  BE  GIVEN  UP  IF  REQUIRED  TO  SATISFY  THE 
ORBITER  HIGH  DATA  RATE  REQUIREMENT.  IF  HIGH  DATA  RATE  CANNOT  BE 
ACHIEVED  DUE  TO  SYSTEMS  PROBLEMS,  THE  LISTED  ACTIVITIES  MAY  STILL 
BE  ACCOMPLISHED. 


ORBITER  OPERATION 


MMACS 

FCS  CHECKOUT 
EECOM 

BONDLINE  TEMP  MONITORING 
PROP 

OMS  BURNS  (TIG  MINUS  5  TO  TIG 
PLUS  5)  (SEE  RULE  {A6-103}, 

OMS  BURN  DOWNLIST  REQUIREMENT) 

RMS 

RMS  C/O 

RMS  TROUBLESHOOTING 

RMS  OPS  (PORT  ARM  SELECTED) 

FDO/RNDZ 
PROX  OPS 

RNDZ  OPS  (SENSORS,  TARGETING) 
EVA 

DURING  EVA 
@[061297-6200] 


HIGH  DATA  RATE  REQUIREMENT  [1] 


OI 

GNC 

SM 

M 

NR 

NR 

[2] 

NR 

NR 

NR 

M 

NR 

NR 

NR 

M 

NR 

NR 

M 

NR 

NR 

HD 

NR 

HD 

NR 

NR 

HD 

NR 

HD 

NR 

NR 

(M  =  MANDATORY,  NR  =  NOT  REQUIRED,  HD  =  HIGHLY  DESIRABLE) 
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A2-129  ORBITER  ON-ORBIT  HIGH  DATA  RATE  REQUIREMENTS 

(CONTINUED) 

NOTES : 

[1]  HIGH  DATA  RATE  MAY  BE  REQUIRED  ANYTIME  FOR  FAILURE 
ANALYSIS  OR  TROUBLESHOOTING. 

[2]  MUST  HAVE  HIGH  DATA  RATE  PERIODICALLY  TO  CHECK 
TEMPERATURES.  ONCE  PER  ORBIT  IS  TYPICALLY  THE  MAXIMUM 
REQUIREMENT.  ACTUAL  FREQUENCY  DEPENDS  ON  THE  ATTITUDES 
BEING  FLOWN  AND  THE  BETA  ANGLE. 

EECOM  -  All  orbiter  TPS  measurements  lost  except  V09T1524A  cabin  upper  skin  center  line.  Data  is 
used  to  determine  flight  rule  impacts  for: 

Payload  bay  door  closing  vehicle  gradients  (Rule  {A10-206AJ,  PLED  CLOSE  GO/NO-GO). 

Entry  prep  maximum  temperatures  (Rule  {A18-401A}.b,  THERMAL  PROTECTION  SYSTEM  (TPS) 
BONDLINE  TEMPERATURE).  ®[ED  ] 

Anytime  minimum  temperatures  for  glassy  transition  ofRTV  (Rule  {A18-451A},  ORBITER 
THERMAL  CONSTRAINTS  AND  ATTITUDE  MANAGEMENT  [CIL ] ). 

FDO/RNDZ  -  Rendezvous  loses  data  required  to  verify  proper  configuration.  Prime  NAV  and  sensor 
evaluation  job  can  still  be  performed.  This  applies  to  PROX  OPS  only  if  a  universal  pointing  fly-around 
is  being  performed.  Rendezvous  data  lost: 

Universal  pointing  -  body  vector,  target  ID,  MNVR  attitude,  attitude  error. 

DAP  configuration  -  attitude  and  rate  deadbands,  translational  pulse  size,  discrete  MNVR  rate. 

Guidance  mode  -  Lambert  or  external  delta  V,  TV  roll. 

Star  tracker  status  -  Shuttle  position,  track  indications,  star  present. 

Navigation  -  Uplink  timetags  associated  with  onboard  vectors. 

RMS  -  Virtually  all  RMS  data  lost  in  SM  low  data  rate.  This  includes  all  data  required  to  analyze 
failures. 

EVA  -  Data  is  highly  desirable  for  biomed. 

All  requirements  were  reviewed  at  Orbit  Flight  Techniques  #106. 
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A2-130  PAYLOAD  OBJECTIVES  VS.  PAYLOAD  DAMAGE  POLICY 

A.  THE  HARDWARE  FOR  ANY  PAYLOAD  WILL  NOT  BE  JETTISONED  SOLELY  TO 
ACCOMPLISH  MISSION  SUCCESS  OBJECTIVES  FOR  ANOTHER  PAYLOAD. 

B.  CONSIDERATION  WILL  BE  GIVEN  TO  ALLOWING  HARDWARE  DAMAGE  TO 
A  PAYLOAD  TO  OCCUR  IF  THIS  ALLOWS  ACCOMPLISHING  MANDATORY 
MISSION  SUCCESS  OBJECTIVES  OF  ANOTHER  PAYLOAD  AS  LONG  AS 
SUCH  DAMAGE  DOES  NOT  PRESENT  AN  ORBITER  OR  CREW  SAFETY 
CONCERN. 


A  payload  can  be  reflown  if  its  mission  success  objectives  cannot  be  met,  but  this  is  a  significant  expense 
to  the  program.  It  may  be  worth  the  impact  of  repairing  damage  to  one  payload  as  opposed  to  reflying  a 
payload  which  will  not  meet  its  objectives.  Such  an  option  should  be  considered.  Each  case  must  be 
looked  at  individually  to  determine  if  hardware  damage  is  an  appropriate  tradeoff.  The  jettisoning  of 
hardware  has  such  severe  implications  to  the  agency  as  a  whole  that  it  is  judged  not  appropriate  for  any 
mission-success  objective  gain. 
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A2-131  ATTITUDE  RESTRICTIONS  FOR  ORBITAL  DEBRIS 

A.  TIME  IN  THE  FOLLOWING  ATTITUDES  WILL  BE  MINIMIZED  IN 
PREFLIGHT  PLANNING  AND  IN  REAL  TIME: 

1.  -ZVV  (PAYLOAD  BAY  FORWARD). 

2.  +XVV,  +ZLV  OR  ±YLV  (NOSE  FORWARD,  PAYLOAD  BAY  UP  OR  OUT 
OF  PLANE) . 

B.  - ZLV  WILL  BE  THE  NORMAL  ORBITER  ATTITUDE  UNLESS  PAYLOAD  OR 
ORBITER  REQUIREMENTS  DICTATE  OTHERWISE.  TIME  IN  +XW  WILL  BE 
MINIMIZED . 

FOR  THE  PURPOSE  OF  THIS  RULE,  THE  ORBITER  WILL  BE  CONSIDERED  TO 
BE  IN  ONE  OF  THE  ABOVE  ATTITUDES  IF  THE  -Z (X)  AXIS  IS  CLOSER  TO 
ONE  OF  THE  REFERENCED  LVLH  AXES  (+V,  +R,  ±H)  THAN  TO  ANY  OTHER. 

IF  MORE  THAN  48  HOURS  CUMULATIVE  TIME  IN  THESE  ATTITUDES  IS 
PLANNED,  FLIGHT-SPECIFIC  EXCEPTIONS  WILL  BE  DOCUMENTED  IN  THE 
FLIGHT-SPECIFIC  ANNEX. 


Both  the  Rockwell  orbital  debris  study  and  the  JSC  Space  and  Life  Sciences  studies  looked  at  various 
shuttle  attitudes  and  assessed  the  risk  of  catastrophic  damage  due  to  orbital  debris  and 
micrometeroids.  The  JSC  study  also  assessed  the  probable  window  replacements  and  radiator  repairs 
required  from  various  attitudes.  Data  was  presented  to  Orbit  Flight  Techniques  Panel  meeting 
n  umber  131  on  August  14,  1992.  Numbers  are  for  a  160  nm  orbit.  This  rule  addresses  relative  risk 
of  different  attitudes  and  not  absolute  risk. 
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A2-131  ATTITUDE  RESTRICTIONS  FOR  ORBITAL  DEBRIS 

(CONTINUED) 


There  are  two  fundamental  reasons  to  restrict  attitudes.  One  is  the  risk  of  catastrophic  damage  from 
debris;  the  other  is  not  a  catastrophic  risk,  but  will  much  more  likely  cause  damage  that  will  result  in 
turnaround  impacts  and  increased  costs.  The  major  turnaround  drivers  are  the  windows  and  the 
radiators. 

The  -ZW  attitude,  regardless  of  the  yaw  about  the  Z  axis,  is  the  worst  attitude  from  a  catastrophic 
damage  perspective.  The  risk  was  between  three  and  five  times  greater  in  -ZW  than  the  best  attitude 
which  is  -ZLV,  -XW  (bay  down,  teal  forward).  The  -ZW  attitudes  were  noticeably  more  risky  than  other 
attitudes  in  both  studies.  Other  attitudes  fall  in  between  the  two,  but  the  uncertainty  in  the  studies  was 
judged  great  enough  to  not  put  any  restrictions  on  other  attitudes  than  -ZW  with  regard  to  critical 
damage  from  orbital  debris. 

The  radiator  damage  is  16  times  worse  in  -ZW  than  in  -ZLV.  Window  damage  is  also  worse  in  -ZW 
(20  times  worse)  with  +XW  (nose  forward)  being  a  close  second.  The  +XW  attitude  is  relatively  safe 
from  catastrophic  damage. 

Time  in  attitude  is  an  important  factor.  The  longer  the  time  in  the  attitude,  the  greater  the  risk.  Forty-eight 
hours  was  chosen  somewhat  arbitrarily.  Forty-eight  hours  results  in  an  expectation  of  less  than  0.5  window 
replacements  and  15  radiator  dings.  Some  flights  will  have  objectives  that  justify  the  increased  risk  of  these 
attitudes.  These  must  be  documen  ted  as  exceptions  in  the  flight-specific  annex. 

Time  in  the  listed  attitudes  will  be  minimized  in  reed  time,  but  it  is  impractical  to  compute  and  police  the 
48-hour  number  or  any  other  number  in  real  time. 

Many  attitudes  will  not  be  purely  in  one  of  the  directions  spelled  out  above.  Thus  the  orbiter  -Z  (and  X 
for  part  B)  axis  will  be  considered  to  be  pointed  in  the  direction  of  the  LVLH  axis  that  it  is  closest  to. 
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A2-132  THERMAL  CONDITIONING  FOR  FLIGHT  DAY  1  LANDING 

IN  THE  EVENT  THAT  A  FD1  LANDING  IS  REQUIRED,  PRE-ENTRY  THERMAL 
CONDITIONING  WILL  BE  ON  A  "BE ST -EFFORT"  BASIS,  CONSISTENT  WITH 
OTHER  ATTITUDE  REQUIREMENTS.  FLIGHT-SPECIFIC  END-OF-MI SS ION 
BONDLINE  LIMITS  SHOULD  BE  MET  IF  POSSIBLE.  THE  FOLLOWING  GENERIC 
GUIDELINES  SHOULD  BE  USED  FOR  THE  PERIOD  BETWEEN  OMS-2  AND  D/O 
BURN  (BRIEF  EXCURSIONS  FOR  IMU  ALIGN,  ETC.  ARE  ACCEPTABLE) : 


ATTITUDE  GUIDELINES  * 

0  <  |B|  <60 

60  <  |6|  <  90 

REV  3 

ORBIT:  -ZLV  -YVV  (+BETA)  (1HR28M) 

ORBIT:  -ZLV -YVV  (+BETA)  (1HR28M) 

D/O 

ZLV  +YVV  (-BETA) 

-ZLV  +YVV  (-BETA) 

BURN 

D/O  COMM:  TAIL  SI,  SUN  45?  STBD  (1HR05M) 

D/O  COMM:  NOSE  SI,  (1  HR  05M) 

BAY-EARTH  AT  NOON 

BAY-EARTH  AT  NOON 

REV  4 

ORBIT:  -ZLV  -YVV  (+BETA)  (1HR23M) 

ORBIT:  -ZLV  -YVV  (+BETA)  (1HR23M) 

D/O 

-ZLV  +YVV  (-BETA) 

-ZLV  +YVV  (-BETA) 

BURN 

D/O  COMM:  TAIL  SI,  SUN  30?  STBD  (2HR  10M) 

D/O  COMM:  TAIL  SI,  SUN  40?  STBD  (2HR  10M) 

BAY-EARTH  AT  NOON 

BAY-EARTH  AT  NOON 

REV  5 

ORBIT:  -ZLV -YVV  (+BETA)  (1HR18M) 

ORBIT:  -ZLV -YVV  (+BETA)  (2HR  48M) 

D/O 

-ZLV  +YVV  (-BETA) 

-ZLV  +YVV  (-BETA) 

BURN 

THEN:  ORB  RATE,  SUN  45?  STBD  OF  TAIL  (1  HR  30M) 

D/O  COMM:  TAIL  SI,  SUN  30?  STBD  (2HR  10M) 

D/O  COMM:  TAIL  SI,  SUN  40?  STBD  (2HR10M) 

BAY-EARTH  AT  NOON 

BAY-EARTH  AT  NOON 

REV  6 

ORBIT:  -ZLV -YVV  (+BETA)  (1HR18M) 

ORBIT:  -ZLV -YVV  (+BETA)  (2HR  48M) 

D/O 

-ZLV  +YVV  (-BETA) 

-ZLV  +YVV  (-BETA) 

BURN 

THEN:  ORB  RATE,  SUN  45?  STBD  OF  TAIL  (3HR  00M) 

THEN:  ORB  RATE,  SUN  40?  STBD  OF  TAIL  (1  HR  30M) 

D/O  COMM:  TAIL  SI,  SUN  30?  STBD  (2HR  10M) 

D/O  COMM:  TAIL  SI,  SUN  40?  STBD  (2HR  10M) 

BAY-EARTH  AT  NOON 

BAY-EARTH  AT  NOON 

REV  7 

ORBIT:  -ZLV -YVV  (+BETA)  (1HR48M) 

ORBIT:  -ZLV -YVV  (+BETA)  (3HR  28M) 

D/O 

-ZLV  +YVV  (-BETA) 

-ZLV  +YVV  (-BETA) 

BURN 

THEN:  ORB  RATE,  SUN  45?  STBD  OF  TAIL  (4HR  00M) 

THEN:  ORB  RATE,  SUN  40?  STBD  OF  TAIL  (2HR  20M) 

D/O  COMM:  TAIL  SI,  SUN  30?  STBD  (2HR  10M) 

D/O  COMM:  TAIL  SI,  SUN  40?  STBD  (2HR  10M) 

BAY-EARTH  AT  NOON 

BAY-EARTH  AT  NOON 
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A2-132  THERMAL  CONDITIONING  FOR  FLIGHT  DAY  1  LANDING 

(CONTINUED) 


For  a  launch  day  deorbit,  time  may  not  be  available  to  meet  all  thermal  constraints,  due  to  other 
constraints  such  as  landing  opportunity,  burn  attitudes,  IMU  alignment  and  verification,  and 
communications.  Within  these  other  constraints,  attitudes  will  be  chosen  to  meet  thermal  constraints, 
such  as  tail-sun  for  bondlines  or  biased  starboard-sun  for  OMS  Ox  Hi  Point  Bleedline  QD  and  aft-firing 
RCS  thrusters.  ®[0921 95-1 787B] 


*  TABLE  NOTES: 

ORBIT  AND  THEN”  REFERS  TO  THE  TIME  FROM  NOMINAL  PLBD  OPENING  ATTITUDE  (1 :12)  UNTIL  MANEUVER  TO 
DEORBIT  IMU  ATTITUDE  (OR  DEORBIT  COMM  ATTITUDE  FOR  REV  3). 

TIMES  IN  PARENTHESES  SHOW  THE  ATTITUDE  DURATIONS  WHICH  WERE  ASSUMED  AND  ANALYZED.  THESE 
TIMES  ALSO  REFLECT  THE  DESIRED  DURATIONS.  IF  MORE  (LESS)  ATTITUDE  TIME  IS  AVAILABLE  BETWEEN  THE 
ACTUAL  OMS-2  AND  DEORBIT  COMM  ATTITUDES,  THE  ‘ORBIT’  ATTITUDE  MAY  BE  LENGTHENED  (SHORTENED). 

IF  TWO  ATTITUDES  ARE  SHOWN,  I.E.,  ORBIT’  AND  ‘THEN’,  THE  DURATIONS  MAY  BE  ADJUSTED 
PROPORTIONALLY. 

ORB  RATE  DEFINITION:  ORBITER  WILL  ROTATE  ABOUT  A  SUN  POINTING  VECTOR  OF  P=1 80,  Y=40  OR  45  AT 
ORBIT  RATE,  KEEPING  THE  ORBITER  BOTTOM  TOWARD  SPACE  DURING  ROTATION  (I.E.,  EQUIVALENT  TO 
OMICRON  90  FOR  POSITIVE  BETA  AND  OMICRON  270  FOR  NEGATIVE  BETA  AT  NOON). 

-ZLV  AND  ORB  RATE  ATTITUDES  REQUIRE  GNC  OPS  2  SOFTWARE.  IF  GNC  OPS  2  IS  NOT  AVAILABLE, 
“THERMALLY  SIMILAR”  SOLAR  INERTIAL  ATTITUDES  WILL  BE  SELECTED. 


DOCUMENTATION:  CCB  February  28,  1995,  May  16,  1995,  SODB  Volume  V.  ®[092i  95-1 787B] 
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A2-133  POCC  THROUGHPUT  COMMAND  RATES 

THE  GENERIC  COMMAND  SERVER  (GCS)  WILL  BE  CONFIGURED  TO  ALLOW  ONLY 
ONE  POCC  THROUGHPUT  COMMAND  PER  SECOND  TO  BE  OUTPUT  INTO  THE 
ORBITER  UPLINK  DATA  STREAM.  @[121197-6398]  @[062702-5513] 

The  Network  Signal  Processor  (NSP)  interface  with  the  Flight  Software  (FSW)  Systems  Management 
(SM)  command  application  may  require  as  much  as  960  msec  to  completely  process  a  single  uplinked 
payload  throughput  command  (PTC)  without  error.  The  POCC  INPUT  RATE  CONTROL  adjusts  the 
rate  at  which  commands  will  be  accepted  into  the  GCS.  By  setting  this  control  to  one  command  per 
second,  first  word/last  word  (FW/LW)  rejects  of  commands  by  the  SM  GPC  caused  by  too  rapid  payload 
commanding  can  be  eliminated.  Any  setting  of  this  control  above  one  command  per  second,  even  if  the 
commands  are  routed  to  the  same  vehicle  address,  will  allow  the  potential  for  onboard  rejects  of 
commands  to  exist.  See  Section  6. 2. 2. 5  of  the  Space  Shuttle  Computer  Program  Development 
Specifications  (CPDS)  -  SS  Downlist/Uplink  Software  Requirements  (SS-P-0002-140).  @[062702-5513  ] 

Rejection  of  commands,  for  whatever  reason,  requires  analysis  of  the  command  system  to  ensure  that  it 
remains  intact  with  no  failures.  By  eliminating  this  source  of  command  rejects,  resources  can  be  more 
efficiently  used.  Limitation  of  payloads  to  one  PTC  per  second  should  not  present  a  significant  impact  if 
command  timelines  are  planned  appropriately.  @[121197-6398  ] 
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A2-134  ON-ORBIT  CRYO  MARGIN  BUYBACKS 

THE  FOLLOWING  CRYO  MARGIN  BUYBACKS  CAN  BE  USED  AS  SPECIFIED  BELOW 
TO  EXTEND  MISSION  DURATION  IF  REQUIRED,  INCREASE  THE  NUMBER  OF 
DEORBIT  OPPORTUNITIES,  INCREASE  THE  AVAILABLE  POWER  FOR  HIGH 
PRIORITY  MISSION  OBJECTIVES,  OR  IN  OTHER  SITUATIONS  WHICH 
INCREASE  THE  OVERALL  SAFETY  AND  SUCCESS  OF  THE  MISSION.  @[052401 -4386A] 

This  rule  uses  the  Group  C  Powerdown  as  a  starting  point  for  the  listed  items  and  assumes  that  the 
shuttle  is  already  at  a  Group  B  Powerdown  level.  Some  items  in  the  Group  C  Powerdown  have  already 
been  unpowered  per  the  Group  B  Powerdown.  Those  items  were  not  listed  in  this  rule.  The  estimated 
savings  is  listed  next  to  each  item.  Paragraphs  A  through  D  are  not  necessarily  listed  in  priority  order 
although  paragraphs  A  and  B  are  considered  minimal  impact  and  will  be  considered  first.  Specific 
priorities  will  depend  on  flight  specific  trades. 

A.  THE  CIRC  PUMP  THERMAL  CONTROL  LIMITS  MAY  BE  LOWERED  TO  REDUCE 
DUTY  CYCLES  AND  RUN  TIME  AS  LONG  AS  THE  SODB  AND  FLIGHT  RULE 
LIMITS  ARE  PROTECTED.  CRYO  SAVINGS  MAY  BE  BUDGETED 
PREFLIGHT . 


SODB  and  flight  limits  for  the  Hydraulic  system  will  be  maintained.  Circ  pumps  can  be  cycled  manually 
to  protect  CIRC  PUMP  INLET  TEMP  and  BODY  TEMP  >  20  deg  ( SODB  and  Flight  Rule  limit  to 
preclude  potential  Circ  pump  cold  start).  Reference  SODB  paragraph  3.4.2.4-lc  and  Rule  {A10-74AJ.6, 
HYDRAULIC  CIRCULATION  PUMP  OPERATION  [CIL]. 

B.  THE  FOLLOWING  ITEMS  MAY  BE  UNPOWERED  REAL  TIME  AND  INCLUDED 
IN  THE  PREFLIGHT  BUDGET: 

The  following  items  are  not  necessarily  in  priority  order  since  the  priority  will  depend  on  mission 
activities  but  are  all  minimal  impact. 

THIS  RULE  CONTINUED  ON  NEXT  PAGE 
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A2-134  ON-ORBIT  CRYO  MARGIN  BUYBACKS  (CONTINUED) 

1.  KU-BAND  SYSTEM  TO  STANDBY  WHEN  NOT  IN  USE  160  WATTS 

Ku-band  system  will  be  commanded  to  Standby  when  antenna  is  in  blockage  or  during  a  ZOE.  While  in 
Standby,  the  transponder  is  still  transmitting  but  the  power  amplifier  is  not  amplifying  the  signed.  The 
Ku-band  draws  370  watts  when  on  but  not  radiating,  and  only  210  watts  while  in  Standby,  resulting  in  a 
160-wcitt  reduction. 

2.  MIDDECK  LIGHTS  (3)  16  WATTS  EACH 


The  Group  B  Powerdown  includes  all  but  three  middeck  lights.  These  lights  may  be  powered  off  at  the 
crew’s  discretion,  but  this  results  in  small  savings.  @[052401 -4386 A] 


3.  MDU'S 

3  @  66  WATTS  EACH 

IDP 

55  WATTS 

MDU’s  will  be  cycled  on  only  when  required;  at  all  other  times,  they  will 
can  also  be  turned  off  if  all  MDU’s  are  off.  @[052401 -4386A] 

remain  off.  Remaining  IDP 

4.  S-BAND  PL  (PSP  &  PI) 

130  WATTS 

PDI 

25  WATTS 

The  PSP.  PI,  and  PD1  may  be  required  for  orbiter,  ISS,  or  payload  telemetry  and  command  interface. 
The  PI  is  typically  unpowered  for  ISS  and  non-deployable  payloads.  The  PDI  will  remain  off  when  there 
are  no  payload  data  telemetry  processing  requirements.  With  the  PDI  off,  PCMMU  element  bypass 
checks  will  be  masked  on  severed  SM  GPC  tables  because  these  tables  will  be  bypassed. 
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A2-134  ON-ORBIT  CRYO  MARGIN  BUYBACKS  (CONTINUED) 

5.  S-BAND  FM  81  WATTS 

The  S-bcind  FM  system  is  typically  only  powered  on  for  about  10  minutes  each  orbit  and  only  ifKu-band 
is  unavailable  (for  ops  recorder  dumps). 

6.  STAR  TRACKERS  18  WATTS  EACH 

Star  trackers  can  be  powered  off  with  no  impact  if  the  tracker  is  blocked  or  pointed  at  Earth.  For 
example,  the  -Z  star  tracker  is  predicted  to  be  blocked  when  docked  to  ISS.  Star  trackers  that  have  a 
clearfield  of  view  can  be  powered  off  with  minimal  impact  but  would  need  to  be  powered  on  as  required 
for  IMU  alignments  (approximately  10  minutes  every  48  hours  depending  on  alignment  and  star 
availability).  There  is  a  poten  tial  tradeoff  between  orbiter  propellan  t  and  cryo  if  stars  of  opportunity  are 
missed  while  the  star  trackers  are  powered  off,  requiring  a  maneuver  to  attitude  for  IMU  align. 

However,  this  can  be  mitigated  since  the  Pointing  Officer  can  predict  when  stars  of  opportunity  are 
expected  such  that  the  tracker(s)  can  be  powered  on  at  the  appropriate  time. 

C.  THE  FOLLOWING  ITEMS  MAY  BE  UNPOWERED  REAL  TIME  BUT  WILL 
GENERALLY  NOT  BE  INCLUDED  IN  THE  PREFLIGHT  BUDGET: 

The  following  items  have  more  substantial  impacts  to  operations,  are  not  necessarily  listed  in  priority 
order,  and  will  not  generally  be  included  in  the  preflight  budget. 

1.  FES  CONTROLLER  PRI,  SEC  120  WATTS  MAX  (ACTIVE) 

4  WATTS  (STANDBY) 

FES  operations  will  be  based  on  projected  Evcip  Out  temperatures.  Thermal  analysis  would  be  required 
to  assess  the  FES  requiremen  ts  and  impacts.  FES  will  only  be  turned  off  after  thermal  analysis  verifies 
that  the  FES  is  not  required.  @[052401 -4386A] 
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A2-134  ON-ORBIT  CRYO  MARGIN  BUYBACKS  (CONTINUED) 

2.  TOPPING  EVAP  NOZ,  DUCT  HTRS  700  W  MAX  (100%  DUTY  CYCLE) 

255  W  (FES  IN  STANDBY) 

If  the  FES  is  not  required,  the  nozzle  and  duct  heaters  may  be  powered  off.  Thermal  analysis  would  be 
required  to  assess  the  FES  requirements  and  impacts.  The  FES  heaters  would  need  to  be  powered  on 
approximately  1  hour  prior  to  requiring  the  FES  for  duct  warm-up.  @[052401 -4386A] 

3.  RADIATOR  DEPLOY 

Radiator  deploy  can  be  considered  to  minimize  FES  usage,  resulting  in  the  savings  in  paragraphs  1  and 
2  for  the  periods  where  rad  deploy  eliminates  the  need  for  the  FES.  Thermal  analysis  would  be  required 
to  assess  the  FES  requirements  and  radiator  deploy  impacts. 

4.  OPS  RECORDER  56  WATTS  (RECORD  MODE) 

17  WATTS  (STANDBY  MODE) 

One  Ops  Recorder  can  be  powered  off  if  the  other  Ops  Recorder  is  in  RECORD  con  tin  uously.  Since  the 
second  Ops  Recorder  is  generally  in  Standby,  this  would  result  in  approximately  1 7  watts  savings. 
However,  with  only  one  recorder  operating,  onboard  recording  would  not  be  available  during  Ops 
Recorder  dumps. 

5.  RMS  D&C  92  WATTS 

RMS  HEATERS  627  WATTS  MAX  (-125  W  AVG) 

The  Port  RMS  D&C  panel  and  heaters  may  be  powered  off  as  long  as  the  Port  RMS  heaters  are  cycled 
on  for  approximately  30  minutes  when  a  low  temperature  message  (PDRS  PORT  TEMP)  is  annunciated. 
Heaters  will  be  managed  for  crew  sleep  periods  to  ensure  the  crew  is  not  awakened  by  alarms/heater 
action.  All  panel  A7  D&C  lights  will  be  unpowered  when  the  D&C  circuit  breaker  is  open.  The  125-watt 
average  power  for  the  heaters  is  based  on  a  20-percent  duty  cycle. 
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A2-134  ON-ORBIT  CRYO  MARGIN  BUYBACKS  (CONTINUED) 

6.  OCAC  50  WATTS 

The  OCAC  is  a  crew  preference  item,  which  provides  white  noise  for  crew  sleep,  reduces  dust  and  debris 
particles  in  the  air,  and  reduces  avionics  filter  cleaning.  The  OCAC  may  also  be  used  for  air  mixing 
within  the  orbiter  or  between  the  orbiter  and  ISS.  @[052401 -4386A] 

7.  PF  MDM  50  WATTS 

A  PF  MDM  can  be  powered  off  but  will  result  in  some  loss  of  commanding  and  data.  PF2  will  result  in- 
loss  of  commanding  to  CCTV,  Ops  Recorder  2,  PSP  2,  and  commanding  through  antenna  electronics  #2. 
PF  I  will  result  in  loss  ofKu  commanding,  Ops  Recorder  1,  PSP  1,  and  commanding  through  antenna 
electronics  # 1 .  IfMDMPFl  or  2  is  powered  off  for  cryo  savings,  it  will  be  cycled  on  to  regain 
commanding  and  data  as  required.  @[052401 -4386A] 

8.  STOW  KU-BAND  EARLY  OR  DEPLOY  LATE  460  WATTS 

Although  the  hardware  community  is  uncomfortable  with  an  additional  in-flight  power  cycle  of  the  Ku- 

bcmd  system,  it  is  acceptable  from  a  hardware  perspective  to  stow  the  Ku-band  early  or  deploy  it  late  for 
cryo  savings.  Prior  to  Ku-band  activation  and  after  deactivation,  downlink  video  and  the  primary 
method  of  OCA  capability  (KFX)  are  lost.  Furthermore,  two-way  voice,  command,  and  telemetry 
redundancies  are  lost  as  well  as  high  rate  payload  telemetry.  Reducing  Ku-band  system  use  may  also 
require  additional  recorder  dumps  and  the  scheduling  of  S -band  FM  ground  sites.  Stowing  the  Ku-band 
early  is  generally  preferred  over  deploying  late  since  the  SSME  data  is  downlinked  using  the  Ku-band 
system  and  any  problems  with  the  Ku-band  system  will  be  identified  earlier.  However,  flight  specific 
requirements  could  reverse  this  priority.  Depending  on  mission  requirements,  changing  the  nominal  Ku- 
band  deploy  and  stow  times  may  have  minimal  or  significant  impacts  and  may  or  may  not  be  an 
acceptable  option. 
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A2-134  ON-ORBIT  CRYO  MARGIN  BUYBACKS  (CONTINUED) 

9.  S-BAND  PM  TO  STANDBY  (KU-BAND  ON)  310  WATTS  (S-BAND  PM) 

Although  this  is  an  option  that  can  be  considered  by  the  flight  control  team,  it  is  an  undesirable  option 
since  it  results  in  the  loss  of  S-band  downlink  voice  and  data  (uplink  still  available).  If  S-band  is  in 
Standby  and  the  Ku-band  is  unavailable,  data  will  be  recorded  onboard  but  not  available  real  time.  This 
will  result  in  requiremen  t  for  additional  recorder  dumps,  the  scheduling  of  FM  ground  sites,  and 
additional  INCO  backroom  personnel.  Furthermore,  the  S-band  PM  system  is  used  to  obtain  TDRS 
tracking  data  on  the  orbiterfor  state  vector  maintenance.  TRDS  tracking  may  be  required  for  certain 
mission  activities  (Post  Insertion,  Rndz/Docking,  etc.).  Without  TDRS  tracking,  C-bcmd  sites  will  have  to 
be  scheduled  if  required  for  onboard  state  vector  update. 

10.  COMBINATION  OF  KU-BAND  AND  S-BAND  TO  STANDBY  -250  WATTS 

This  is  also  an  option  that  can  be  considered  by  the  flight  control  team  but  is  undesirable  since  it  places 
a  high  workload  on  the  INCO  position.  INCO  would  manage  the  comm  system  manually  such  that  while 
one  system  is  being  used,  the  other  system  would  be  in  Standby  mode.  Although  this  config  would 
main  tain  the  curren  t  level  of  communications  coverage  and  provide  some  cryo  savings,  there  would  be  a 
significant  operational  effort  required  to  effectively  operate  in  this  configuration.  Additional  manning 
(INCO)  would  be  required  for  this  operation.  This  type  of  operation  may  increase  the  likelihood  of  loss 
of  communication  due  to  human  error.  @[052401 -4386A] 

D.  THE  FOLLOWING  ITEMS  MAY  ONLY  BE  UNPOWERED  REAL  TIME  OR 
INCLUDED  IN  THE  PREFLIGHT  BUDGET  WITH  PROGRAMMAT IC/MMT 
CONCURRENCE:  @[052401 -4386A] 

The  following  items  are  additional  orbiter  powerdowns  included  in  the  Priority  Powerdown  Group  C  that 
have  more  substantial  impacts  to  hardware  or  ops.  These  items  will  be  unpowered  only  with  concurrence 
from  the  Program: 
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A2-134  ON-ORBIT  CRYO  MARGIN  BUYBACKS  (CONTINUED) 

1.  KU-BAND  SYSTEM  OFF  460  WATTS 

Powering  off  the  Ku-bcmd  has  operational  impacts  and  potential  hardware  issues.  When  the  Ku-band 
system  is  powered  off,  downlink  video  and  the  primary  method  of  OCA  capability  (KFX)  are  lost. 
Furthermore,  two-way  voice,  command,  and  telemetry  redundancies  are  lost  as  well  as  high  rate  payload 
telemetry.  Powering  off  the  Ku-band  system  may  also  require  additional  recorder  dumps  and  the 
scheduling  of  S -band  FM  ground  sites.  The  engineering  community  is  concerned  that  powering  off  the 
Ku-band  system  will  increase  the  likelihood  of  a  girnbcd  failure,  preventing  the  Ku-band  deployed 
assembly  from  being  stowed.  To  address  these  concerns,  if  the  Ku-band  is  considered  as  a  ctyo  saving 
measure,  the  priority  will  be  to  first  simply  stow  the  Ku-band  radar  early  or  deploy  it  late,  eliminating  cm 
additional  in-flight  power  cycle.  However,  if  additional  cryo  savings  are  still  required,  and  the  Program 
concurs  with  an  additional  power  cycle  of  the  Ku-band,  the  gimbals  will  be  locked  prior  to  powering  the 
Ku  system  off.  If  cm  EVA  is  available  to  lock  the  gimbals,  this  may  also  be  acceptable  risk  mitigation  to 
protect  against  a  Ku  jettison  scenario. 

2.  MDM'S  FF2,  FF4 ,  FA 4  50  WATTS  EACH 

When  the  MDM’s  are  powered  off,  the  corresponding  jets  are  unavailable  for  use,  but  more  importantly, 
there  is  no  direct  insight  into  jet  leaks  using  orbiter  instrumentation.  Although  it  is  expected  that  there 
will  be  other  means  of  detecting  a  jet  leak  (crew  visual  obsen’cition  or  indirect  insight  via  chamber 
pressure  data),  the  Program  deems  this  an  undesirable  option.  If  this  option  is  utilized,  the  MDM’s 
would  be  cycled  on  as  required  to  periodically  snapshot  PROP  RCS  data.  These  MDM’s  would  also  be 
powered  on  for  rendezvous  operations,  FCS  checkout,  RCS  Hot  Fire,  and  other  periods  where  RCS 
insight  is  desirable.  When  the  MDM’s  are  required,  they  will  be  powered  on  at  least  15  minutes  prior  to 
the  desired  activity.  Note  that  MDM  FF2  is  required  for  single-string  MAGR  (GPS)  data  interface  and 
would  also  be  powered  on  when  data  is  required.  @[052401 -4386A] 
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A2-135  COMMANDER  (CDR)  AND  PILOT  (PLT)  PARTICIPATING  AS 

TEST  SUBJECTS 

THE  CDR  AND  PLT  MAY  PARTICIPATE  AS  TEST  SUBJECTS  ON  A  VOLUNTEER 
BASIS  AND  AS  NEGOTIATED  PREFLIGHT.  THE  CDR  MAY  NOT  PARTICIPATE 
AS  A  TEST  SUBJECT  IN  ANY  EXPERIMENT  OF  A  PROVOCATIVE  OR 
DISORIENTING  NATURE.  THE  CDR  AND  PLT  MAY  NOT  SIMULTANEOUSLY 
PARTICIPATE  IN  ANY  EXPERIMENT  THAT  IS  PHYSICALLY  RESTRAINING. 

®[1 1 1501-4962A] 

The  CDR  may  not  participate  in  any  experiment  which  might  compromise  the  CDR’s  ability  to  command 
and  fly  the  orbiter.  Either  the  CDR  or  PLT  must  always  be  available  to  handle  emergencies  or  other 
actions.  ®[1 1 1 501 -4962A] 
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DEORBIT 


A2-201  DEORBIT  GUIDELINES 

A.  LOSS  OF  ALL  REDUNDANCY  IN  DEORBIT  METHODS  WILL  BE  CAUSE  TO 
DEORBIT  AT  THE  NEXT  PLS  OPPORTUNITY 


1 . 

LOSS 

OF 

ONE 

OMS 

ENGINE  AND 

ONE  RCS 

+X 

JET 

2  . 

LOSS 

OF 

TWO 

OMS 

ENGINES 

3. 

INSUFFICIENT 

PROPELLANT  TO 

SUPPORT 

TWO 

METHODS  OF  STEEP 

DEORBIT 


When  all  redundancy  in  deorbit  methods  has  been  lost,  the  orbiter  is  fail-critical  with  respect  to  deorbit 
capability.  Deorbit  must  be  performed  at  the  next  opportunity  to  avoid  prolonged  exposure  to  the  failu  re 
of  the  remaining  deorbit  method. 

Three  deorbit  methods  are  considered  in  assessing  the  ability  to  remain  on  orbit:  the  left  OMS  engine, 
the  right  OMS  engine,  and  the  four  +X  RCS  jets.  The  availability  of  a  deorbit  method  is  based  upon  tw>o 
criteria:  the  health  of  the  hardware  and  the  availability  of  sufficient  propellant  to  satisfy  the  deorbit 
delta  V  requirements  through  the  respective  engine(s). 

While  a  three  +X  RCS  deorbit  is  possible,  the  increased  burn  arc  and  the  imbalance  in  thrust  (creating  a 
yawing  moment  which  must  be  countered  by  the  RCS  yaw  jets)  make  the  deorbit  propellant  requirement 
prohibitively  large. 

B.  IF  INSUFFICIENT  PROPELLANT  EXISTS  TO  PROVIDE  TWO  METHODS  OF 
STEEP  DEORBIT  CAPABILITY,  MISSION  DURATION  MAY  BE  EXTENDED 
BEYOND  THE  NEXT  PLS  IF  THE  DEORBIT  DELTA  V  CAPABILITY  CAN  BE 
IMPROVED  AS  A  RESULT  OF  THE  FOLLOWING  (WHILE  PROVIDING  AT 
LEAST  TWO  METHODS  OF  DEORBIT) : 

1.  PAYLOAD  DEPLOY. 

2.  DECREASE  IN  DEORBIT  DELTA  V  REQUIREMENTS. 
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A2-201  DEORBIT  GUIDELINES  (CONTINUED) 

NOTE:  IF  PAYLOAD  DEPLOY  IS  CONSIDERED  AS  AN  OPTION  TO 

IMPROVE  THE  OVERALL  DELTA  V  CAPABILITY,  SUFFICIENT 
PROPELLANT  MUST  BE  AVAILABLE  TO  PROTECT  TWO  METHODS 
OF  DEORBIT  ASSUMING  THE  PAYLOAD  IS  NOT  DEPLOYED  IN 
ORDER  TO  PASS  THE  NEXT  PLS  OPPORTUNITY. 

Consideration  should  be  given  to  remaining  on  orbit  if  two  methods  (steep  or  shallow )  of  deorbit 
capability  will  be  available  cmd  improved  deorbit  capability  guaranteed  at  the  next  day  PLS  and 
activities  beneficial  to  orbiter  safety  can  be  achieved. 

The  gain  in  delta  V  more  than  makes  up  the  additional  propellant  cost  for  an  additional  24  hours  on 
orbit  plus  deploy  operations  and  the  minimum  separation  required  for  each  payload.  The  net  gain  in 
delta  V  for  all  deploys  is  positive  thereby  adding  additional  capability  for  deorbit.  The  heavier  the 
payload,  the  greater  the  increase  in  delta  V. 

For  an  ATO  or  elliptical  orbit,  the  deorbit  delta  V  may  decrease  with  on-orbit  stay  time.  For  some 
ATO’s,  the  shallow  deorbit  delta  V  on  day  1  is  greater  than  the  steep  deorbit  delta  V on  day  2.  For  this 
case,  staying  on  orbit  24  hours  may  gain  steep  deorbit  delta  V  capability  eliminating  any  risk  due  to  a 
shallow  entry. 

C.  IF  OMS  PROPELLANT  IS  NOT  AVAILABLE  TO  ACCOMPLISH  OMS  DEORBIT 
TO  STEEP  TARGETS,  TWO  STAGE  DEORBIT  BURNS  ARE  ACCEPTABLE  TO 
MAINTAIN  DEORBIT  STEEP  CAPABILITY  WHEN  SUFFICIENT  PROPELLANT 
IS  AVAILABLE  (IN  ACCORDANCE  WITH  RCS  JET  REDUNDANCY 
REQUIREMENTS  AS  SPECIFIED  IN  RULE  {A6-355},  OMS  PROPELLANT 
DEFICIENCY  FOR  DEORBIT) . 

If  propellant  is  not  available  in  the  OMS  to  complete  a  steep  deorbit  burn,  a  perigee  adjust  burn  may  be 
planned  using  the  forward  or  aft  RCS,  reducing  the  OMS  propellant  requirement  for  deorbit.  Reserving 
propellant  for  a  two-stage  deorbit  is  only  acceptable  when  sufficient  RCS  jet  redundancy  exists  as  stated 
in  Rule  {A6-355},  OMS  PROPELLANT  DEFICIENCY  FOR  DEORBIT. 

Rules  {A6-51},  OMS  FAILURE  MANAGEMENT  [CIL];  and  { A6-107J ,  OMS  ENGINE  FAILURE 
MANAGEMENT,  reference  this  rule. 
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A2-202  EXTENSION  DAY  GUIDELINES 

A.  IF  MANDATORY  LANDING  AIDS,  GROUND  TRACKING,  COMMAND,  VOICE, 

OR  TELEMETRY  EQUIPMENT  AT  THE  PLS  (REF.  SEC.  3,  GROUND 
INSTRUMENTATION  REQUIREMENTS)  ARE  NOT  AVAILABLE  OR  IF  WEATHER 
CONDITIONS  AT  THE  PLS  ARE  OBSERVED  AND/OR  FORECAST  TO  BE 
UNACCEPTABLE  FOR  LANDING,  A  WAVE-OFF  OF  2 4  HOURS  OR  MORE  MAY 
BE  PERFORMED  TO  ACHIEVE  A  LANDING  AT  THE  PRIMARY  LANDING  SITE 
IF  ALL  OF  THE  FOLLOWING  CONDITIONS  ARE  MET: 

1.  THE  ORBITER  EXCEEDS  MDF  SYSTEMS  CONFIGURATION  STATUS. 

2.  CONSUMABLES  PROVIDE  FOR  AT  LEAST  A  48-HOUR  MISSION 
EXTENSION  (WAVE-OFF  24  HOURS  TO  THE  NEXT  PLS  OPPORTUNITY 
WITH  AN  ADDITIONAL  24  HOURS  MORE  FLIGHT  DURATION  TO  ALLOW 
RECOVERY  FROM  ANY  ORBITER  SYSTEM  FAILURES) . 

3.  THE  WEATHER  FORECASTS  INDICATE  THERE  IS  A  HIGH 
PROBABILITY  THAT  THE  WEATHER  AT  THE  PRIMARY  LANDING  SITE 
(WHILE  MAINTAINING  REASONABLE  OPTIONS  AT  THE  SECONDARY 
LANDING  SITE)  WILL  BE  ACCEPTABLE  ON  A  LANDING  OPPORTUNITY 
PRIOR  TO  24  HOURS  BEFORE  THE  EXPIRATION  OF  CONSUMABLES. 

4.  ORBITAL  ALTITUDE  ALLOWS  AT  LEAST  A  48-HOUR  MISSION 
EXTENSION. 

5.  ANY  MANDATORY  EQUIPMENT  OUTAGE  HAS  AN  ETRO  THAT  WILL 
SUPPORT  A  PLS  LANDING  PRIOR  TO  24  HOURS  BEFORE  EXPIRATION 
OF  CONSUMABLES. 
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A2-202  EXTENSION  DAY  GUIDELINES  (CONTINUED) 

B.  IF  THE  EXTENSION  DAY  GUIDELINES  ABOVE  CANNOT  BE  MET  AND  THE 
PLS  IS  NOT  AVAILABLE,  THEN  AN  SLS  LANDING  WILL  BE 
IMPLEMENTED . 

It  is  desirable  to  land  at  the  primary  landing  site  if  possible.  Mission  extension  is  acceptable  to 
accomplish  this  goal.  If  the  PLS  weather  is  unacceptable,  either  observed  at  the  decision  time  or 
forecast  for  landing  time  (ref.  Rule  { A2-6 },  LANDING  SITE  WEATHER  CRITERIA  [HC],  and  Rule  (A4- 
156}.  HAC  SELECTION  CRITERIA),  then  consideration  will  be  given  to  a  mission  extension  to  achieve 
a  PLS  landing.  Similarly,  for  an  outage  of  mandatory  equipmen  t  supporting  a  landing  at  the  PLS  (ref. 
rules  in  Section  3,  GROUND  INSTRUMENTATION  REQUIREMENTS). 

It  is  programmatically  desirable  to  land  at  the  primary  landing  site.  Diversion  to  alternate  sites  results 
in  significant  additional  postflight  work  and  may  involve  some  risk  to  orbiter  or  payload  hardware 
reusability.  If  the  orbiter  system  status  and  consumables  will  support  continued  flight,  then  continuing  to 
attempt  landings  at  the  PLS  is  preferable  to  early  diversion  to  an  SLS.  However,  when  orbiter  systems 
status  is  such  that  an  MDF  or  PLS  is  required  (systems  redundancy  is  compromised)  or  if  consumables 
cannot  support  an  additional  48-hour  flight  extension,  then  the  risk  incurred  by  continuing  the  flight 
outweighs  the  programmatic  advan  tages  of  a  landing  at  the  primary  site.  The  consumables  and  orbital 
altitude  must  support  the  24-hour  extension  to  the  next  PLS  opportunity  and  cm  additional  24-hour 
mission  lifetime  if  an  orbiter  systems  problem  occurs  late  in  the  preparations  for  deorbit  that  requires  a 
day  to  fix. 

Reference  Rule  {A2-102},  MISSION  DURATION  REQUIREMENTS. 

Rules  {A4-156},  HAC  SELECTION  CRITERIA,  and,  {A2-207}  LANDING  SITE  SELECTION,  reference 
this  rule. 
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A2-203  DEORBIT  DELAY  GUIDELINES 

A.  DELAY  A  MAXIMUM  OF  ONE  ORBIT  TO  UNDERSTAND,  VERIFY, 
RECONFIGURE,  OR  (WHERE  A  REASONABLE  PROBABILITY  EXISTS) 

TO  FIX  A  PROBLEM  ASSOCIATED  WITH  A  BASIC  GROUND  OR 
VEHICLE  CAPABILITY,  INCLUDING  ADDITIONAL  FAULT  TOLERANCE. 

B.  CONSIDERATION  WILL  BE  GIVEN  TO  EXTENDING  1  DAY  TO  REGAIN 
REDUNDANCY  IN  AN  ENTRY-CRITICAL  SYSTEM  PROVIDED  FAIL-SAFE 
REDUNDANCY  EXISTS  IN  ALL  OTHER  SYSTEMS  CRITICAL  TO 
ENTRY/LANDING. 

C.  ON  ENTRY  DAY,  DELAY  A  MAXIMUM  OF  1  DAY  TO  PROVIDE  A  SINGLE¬ 
FAULT  TOLERANT  PASS  SYSTEM,  A  BFS ,  ACCEPTABLE  NAVIGATION, 
PLBD  CLOSURE,  OR  MANDATORY  GROUND  CAPABILITY. 

D.  AN  INTERNAL  OMS ,  RCS,  OR  APU  LEAK  RESULTING  IN  THE  VIOLATION 
OF  MINIMUM  THERMAL  OPERATING  CONSTRAINTS  RESULTING  FROM  THE 
LOSS  OF  THE  POD  OR  APU  IS  CAUSE  FOR  A  DEORBIT  DELAY. 
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A2-203  DEORBIT  DELAY  GUIDELINES  (CONTINUED) 

E.  FOR  A  SINGLE  GPC  FAILURE  PRIOR  TO  DEORBIT  PREPARATION  OR  FOR 
MULTIPLE  GPC  FAILURES  PRIOR  TO  TIG,  UNLESS  OTHER  FACTORS 
DICTATE  DEORBIT  ON  THE  SCHEDULED  DAY,  ENTRY  WILL  BE  DELAYED 
UP  TO  24  HOURS  TO  ALLOW  FOR  RECOVERY,  ANALYSIS,  AND  POSSIBLE 
IFM  TO  INSTALL  THE  CARRY-ON  SPARE  GPC  (IF  MANIFESTED) .  FOR  A 
SINGLE  GPC  FAILURE  DURING  DEORBIT  PREPARATION,  ENTRY  MAY  BE 
DELAYED  ONE  ORBIT  TO  ALLOW  FOR  GPC  RECOVERY.  @[092195-1798] 

It  is  desired  to  have  all  GPC’ s  for  use  during  entry.  Some  GPC  failures  may  be  recovered  by  an  IPL,  but 
such  a  transient  GPC  may  fail  again  and  therefore  use  of  a  transient  GPC  shall  be  avoided  if  possible. 

It  is  also  undesirable  to  assign  two  flight-critical  strings  to  a  single  GPC  which  would  be  required  if 
en  tering  with  only  three  PASS  GPC’s.  During  the  deorbit  preparations,  however,  backing  out  of  the 
deorbit  preparation  requires  systems  reconfiguration  which  entails  inherent  risks  of  its  own.  At  that 
point,  it  is  better  to  use  a  transient  GPC  or  con  tin  ue  without  it  if  it  can  not  be  recovered.  The  failure  of 
two  or  more  GPC’s  is  a  more  serious  case  that  implies  a  significant  loss  of  redundancy;  therefore,  entry 
will  be  delayed  a  day  to  allow  for  the  best  attempt  at  GPC  recovery  which  could  include  a  changeout  of 
one  of  the  failed  GPC’s  if  a  spare  is  manifested.  @[092195-1798  ] 

Rule  {A7-17Bj,  GPC  MEMORY  DUMP  CRITERIA,  references  this  rule.  @[0921 95-1 798  ] 

F.  A  CONFIRMED  OMS  LEAK  MAY  DELAY  DEORBIT. 

G.  THE  FLIGHT  WILL  NOT  BE  EXTENDED  PAST  THE  NEXT  PLS 
OPPORTUNITY  UNLESS  ORBITAL  LIFETIME  CAN  BE  GUARANTEED 
THROUGH  THE  LAST  PLS  OPPORTUNITY  OF  THE  FOLLOWING  DAY. 

A  REAL-TIME  DETERMINATION  OF  THE  MINIMUM  24-HOUR  PERIGEE 
WILL  BE  MADE  FOR  OFF-NOMINAL  ORBITS. 

The  24-hour  minimum  orbital  lifetime  is  required  to  ensure  crew  and  vehicle  safety  if  extending  past  the 
next  PLS  opportunity.  As  perigee  approaches  the  entry  interface  altitude,  the  drag  buildup  significantly 
increases  orbital  decay  curd  is  thermally  more  severe  on  the  vehicle.  At  these  low  altitudes,  the  MCC 
modeling  of  the  orbit  is  also  greatly  deteriorated.  Exposure  to  very  low  altitudes  would  eventually  result 
in  an  uncontrolled  reentry,  which  would  likely  result  in  loss  of  crew  and  vehicle. 
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A2-203  DEORBIT  DELAY  GUIDELINES  (CONTINUED) 

H.  FOR  PROPELLANT  LEAKS  THAT  OCCUR  AFTER  LOS  AND  PRIOR  TO  THE 
DEORBIT  BURN,  THE  FOLLOWING  ACTIONS  WILL  APPLY: 

1.  OMS  LEAK  -  A  PERIGEE  ADJUST  MANEUVER  WILL  BE  PERFORMED  AT 
THE  NOMINAL  DEORBIT  TIG. 

2.  RCS  LEAK  -  THE  DEORBIT  BURN  WILL  BE  DELAYED  TO  ASSESS  THE 
THERMAL  ENVIRONMENT. 


A  perigee  adjust  is  performed  on  an  OMS  leak  in  order  to  minimize  the  deorbit  delta  V.  Since  the 
thermal  effects  of  an  OMS  or  RCS  leak  cannot  be  predicted,  the  deorbit  burn  will  be  delayed  to  evaluate 
whether  the  pod  thermal  environment  can  support  deorbit.  A  leak  can  result  in  OMS  and  RCS  feedlines 
freezing,  rendering  both  systems  unusable  for  deorbit  and  entry. 

I.  DEORBIT  MAY  BE  DELAYED  TO  ACHIEVE  A  PLS  LANDING  IF  THE 
WEATHER  CONDITIONS  ARE  UNACCEPTABLE  OR  MANDATORY  GROUND 
EQUIPMENT  IS  NOT  AVAILABLE. 

It  is  desirable  to  land  a  the  primary  landing  site  if  possible.  Mission  extension  is  acceptable  to 
accomplish  this  goal. 

Rule  {A7-17D},  GPC  MEMORY  DUMP  CRITERIA,  references  this  rule. 


A2-204  MDF  DEORBIT  GUIDELINES 

AN  ENTRY  PREPARATION  TIMELINE  WILL  PROVIDE  FOR  ENTRY  STOWAGE  AND 
PREPARATION  ON  THE  AFTERNOON  OF  ENTRY  MINUS  1  DAY  FOR  THE 
FOLLOWING: 

A.  MDF. 

B.  A  NEXT  PLS  IF  REQUIRED  DUE  TO  A  CONDITION  WHICH  REQUIRES  MDF, 
BUT  AFTER  MDF  OBJECTIVES  HAVE  BEEN  SATISFIED. 
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A2-205  EMERGENCY  DEORBIT 

A.  EMERGENCY  DEORBIT  IS  REQUIRED  FOR: 

1.  LOSS  OF  TWO  FREON  LOOPS. 

If  both  loops  are  lost,  an  abort  from  orbit  is  required  because  there  is  absolutely  no  cooling  of  the 
vehicle.  The  fuel  cell  stack  temperature  will  reach  the  specification  limit  of 250  deg  F  within 
approximately  50  minutes.  In  addition,  the  electrolyte  concentration  will  reach  the  25  percent 
operational  limit  in  approximately  75  minutes.  At  this  point,  continued  operation  of  the  fuel  cells  is 
questionable.  This  assumes  a  simultaneous  purge  of  all  three  fuel  cells  and  a  12.54  kWh  (4.18  kWh/fuel 
cell)  power  level.  Without  the  purge,  the  fuel  cells  will  flood  in  approximately  18  minutes  based  on  an 
8.0  kWh  ( 2.67  kWh/fuel  cell)  power  level  (ref.  Rule  {A2-54},  RTLS,  TAL,  AND  AOA  ABORTS  FOR 
SYSTEMS  FAILURES  [CIL]). 

DOCUMENTATION:  DUAL  FREON  LOOP  FAILURE  ENTRY  ANALYSIS,  Rockwell  International  IL  # 
388-301-79-018,  July  21,  1981,  and  SODB  table  3. 4. 4. 1-1. 

2.  ANY  OF  THE  FOLLOWING  THAT  WILL  NOT  SUPPORT  A  NEXT  PLS : 

a.  CABIN  LEAK. 

Cabin  pressure  integrity  is  lost  when  O2  and  N2  consumables  are  not  enough  to  maintain  the  cabin 
pressure  at  14. 7  psia  to  the  next  PLS  opportunity  while  protecting  the  165-minute  hole-in-the-cabin 
con  tingency  requiremen  t.  If  a  cabin  leak  is  such  that  the  consumables  will  not  main  tain  the  minimum 
metabolic  pressure  (8.0  psia)  until  the  next  PLS,  the  only  option  left  is  an  emergency  deorbit. 

DOCUMENTATION :  Engineering  judgment. 

b.  IMPENDING  LOSS  OF  ALL  O2  (H2)  CRYO . 

If  the  pressure  cannot  be  main  tained  in  at  least  one  cryo  tank  and  manifold,  the  fuel  cells  will  eventually 
stop  producing  electrical  power,  no  matter  what  the  quantity  is  in  the  cryo  tanks.  Therefore,  this 
condition  warrants  the  selection  of  the  earliest  abort  opportunity  (ref.  Rule  [A9-261  j,  IMPENDING 
LOSS  OF  ALL  CRYO). 

DOCUMENTATION :  Engineering  judgment. 
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C.  LEAKING  PROPELLANT  FROM  THE  REMAINING  DEORBIT  BURN 
SYSTEM. 

Capability  will  be  lost  to  successfully  complete  the  deorbit  burn. 

d.  TWO  ARCS  PROPELLANT  TANKS  LEAKING,  SAME  PROPELLANT 
AND  EITHER  LEAK  RATE  SUPPORTS  ENTRY  TO  A  Q-BAR  =  20 
FOR  A  DAYLIGHT  LANDING  AT  AN  ELS  (IF  A  NIGHT  LANDING 
AND  NO  LANDING  AIDS  DELAY  DEORBIT) . 

If  the  leak  rate  supports  entry  to  a  Q-bar  =  20  for  any  ELS,  perform  cm  emergency  deorbit  to  that  site. 
This  action  would  provide  entry  control  until  NO  YAW  JET  selection.  The  risk  of  an  ELS  landing 
without  landing  aids  at  night  is  considered  to  be  higher  than  proposed  options  of  procedure/software 
changes  to  provide  control  from  El  to  Q-bar  =  20.  Therefore,  for  a  night  landing  without  landing  aids, 
the  deorbit  will  be  delayed. 

e.  IMPENDING  LOSS  OF  ALL  APU/HYDRAULIC  SYSTEMS 
CAPABILITY.  ®[1 1 1699-7070B] 

Loss  ofcdl  APV /hydraulic  systems  capability  will  result  in  loss  of  aero  surface  control  required  for  entry 
(ref.  Rule  { A10-21A}.4 ,  LOSS  OF  APU/HYDRAULIC  SYSTEM  (S)  ACTIONS).  ®[i  1 1 699-7070B] 

f.  LOSS  OF  TWO  WATER  LOOPS. 

Thermal  analysis  indicates  that,  if  two  water  loops  are  lost,  cabin  conditions  will  become  intolerable 
within  2  hours  of  the  failure.  Cabin  temperatures  approach  90  deg  F  and  relative  humidity  reaches 
100  percen  t.  Avionics  temperatures  exceed  their  loss  of  cooling  operate  periods  and  must  be  powered 
down.  The  cabin  conditions  can  be  relieved  by  performing  cabin  depress/repress  (DEP/REP)  cycles. 

The  4-hour  time  to  landing  is  based  on  a  crew  of  seven  with  an  N2  quan  tity  of 262  lb.  Crew  exposure 
to  the  extreme  cabin  conditions  is  the  primary  driver  for  terminating  the  flight.  The  DEP/REP  cycles 
provide  relief  from  the  high  heat  and  humidity  by  dumping  the  excessive  heat  and  humidity  overboard 
and  replacing  the  air  with  cool,  dry  N2  and  02- 

DOCUMENTATION:  Lockheed  Technical  memorandum,  G189A  ECLSS  ANALYSIS  OF  THE  LOSS  OF 
TWO  WATER  LOOPS  AFO  (TIG  >2.5),  to  be  published.  Document  no.  LESC-24843. 
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B.  IN  THE  EVENT  AN  EMERGENCY  DEORBIT  IS  REQUIRED,  ORBITER 

CONSUMABLES  LIFETIME  IS  THE  PRIMARY  CONSIDERATION.  WHEN 
CHOOSING  BETWEEN  VARIOUS  ELS  OPPORTUNITIES,  BOTH  OF  THE 
FOLLOWING  CRITERIA  MUST  BE  SATISFIED,  AS  A  MINIMUM: 

®[1 20894-1 744B] 

1.  ENTRY  CROSSRANGE  <  UNDISPERSED  CROSSRANGE  LIMIT. 

2.  LANDING  FACILITY  REQUIREMENTS  AS  SPECIFIED  IN  RULE 
{ A2 -2  64 } ,  EMERGENCY  LANDING  FACILITY  CRITERIA. 


Consumables  lifetime  will  limit  the  emergency  landing  site  choices  available.  If  no  landing  site  is 
available  within  time  limits,  then  a  bailout  is  required. 

The  undispersed  entry  crossrange  limit  represents  the  toted  vehicle  crossrange  capability,  assuming 
perfect  onboard  navigation,  design  winds  and  atmosphere,  and  nominal  vehicle  energy,  control,  and 
response.  Landing  sites  outside  this  limit  are  not  achievable  on  an  average  (zero  sigma )  day  and; 
therefore,  deorbiting  to  such  a  site  is  not  much  better  than  a  bailout. 

Minimum  ground  equipment,  including  night  landing  equipment,  is  specified  in  rule  {A2-264}, 
EMERGENCY  LANDING  FACILITY  CRITERIA. 

C.  WHEN  ALL  THE  CRITERIA  IN  PARAGRAPH  B  ARE  MET  AND  A  CHOICE 
BETWEEN  SITES  CAN  STILL  BE  MADE,  THEN  THE  FOLLOWING 
PRIORITIES  APPLY  (NOTE:  IF  TIME  PERMITS,  CONSIDERATION 
WILL  BE  GIVEN  TO  ADDITIONAL  CRITERIA  AS  SPECIFIED  IN  RULE 
{ A4-1 07 } ,  PLS/EOM  LANDING  OPPORTUNITY  REQUIREMENTS): 

1 .  NASA  CONUS : 

a.  EDW 

b.  KSC 

c.  NOR 
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NOTE:  A  NIGHT  LANDING  AT  A  NASA  CONUS  SITE  EQUIPPED  WITH 

NAV-LANDING  AIDS  AND  XENON  LIGHTS  IS  PREFERRED  OVER  A 
DAYLIGHT  LANDING  TO  ANY  OTHER  SITE  BELOW. 

2.  TAL  SITES  PRIOR  TO  RELEASE  FROM  LAUNCH  SUPPORT  ®[1 20894-1 744B] 

3  .  DOD  :  ®[1 20894-1 744B] 

a.  HICKAM  AFB,  HAWAII 

b.  ANDERSEN  AFB,  GUAM 

c.  MORON,  SPAIN  (POST-RELEASE  FROM  TAL  SUPPORT) 

d.  DIEGO  GARCIA,  CHAGOS  ISLANDS 

e.  OTHER  DOD,  LISTED  IN  NSTS-07700,  VOLUME  X,  BOOK  3 

4.  NON-DOD  WITH  UHF  COMM  AVAILABLE: 

a.  KING  KHALID,  SAUDI  ARABIA 

b.  ZARAGOZA,  SPAIN  (POST-RELEASE  FROM  TAL  SUPPORT) 

c.  OTHER  NON-DOD  WITH  UHF,  LISTED  IN  NSTS-07700, 

VOLUME  X,  BOOK  3 

5.  ALL  OTHER  NON-DOD  (NO  UHF): 

a.  BEN  GUERIR,  MOROCCO  (POST-RELEASE  FROM  TAL  SUPPORT) 

b.  BANJUL,  THE  GAMBIA  (POST-RELEASE  FROM  TAL  SUPPORT) 

c.  OTHER  NON-DOD  WITHOUT  UHF,  LISTED  IN  NSTS-07700, 
VOLUME  X,  BOOK  3 
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6.  OTHER  SITES  NOT  LISTED  IN  NSTS-07700,  VOLUME  X,  BOOK  3 

First  priority  for  emergency  deorbit  landings  are  the  NASA  CONUS  sites.  The  only  time  a  night  landing 
is  preferred  over  daylight  for  emergency  deorbit  is  when  it  can  be  made  at  a  CONUS  site  equipped  with 
operational  navaids,  landing  aids,  and  xenon  lights.  TAL  sites  are  not  staffed  after  release  of  launch 
support;  however,  for  failures  very  early  in  the  mission  which  require  cm  emergency  deorbit,  any  TAL 
site  which  is  still  available  and  staffed  would  be  preferred  over  an  ELS.  Sites  with  permanen  t  DOD 
presence  are  next  since  ELS  augmentation  for  emergency  deorbit  use  has  been  eliminated.  Further 
priorities  are  based  upon  available  landing  site  security,  control,  and  communications.  Ben  Guerir  and 
Banjul  are  ranked  very  low  as  they  have  no  UHF  support  and  minimal  (at  best)  security  and  control  after 
TAL  launch  support  is  gone.  ®[1 20894-1 744B] 

D.  EMERGENCY  DEORBIT  PROTECTION  REQUIREMENTS:  ®[1 20894-1 744B] 

1.  SYSTEMS  AND  PAYLOADS  MUST  BE  CONFIGURED  TO  PROTECT 
EMERGENCY  DEORBIT  WITHIN  1  HR  55  MINUTES  FOR  ISS  DOCKED 
AND  ASSEMBLY  OPERATIONS  AND  WITHIN  30  MINUTES  FOR  NON-ISS 
OPERATIONS.  ®[1 1 0900-3758B] 

2.  IF  A  CONFIGURATION  OR  ACTIVITY  WILL  RESULT  IN  EXCEEDING 
THE  ALLOTTED  TIME  ABOVE,  THE  CONFIGURATION  OR  ACTIVITY 
WILL  BE  TERMINATED  OR  THE  SAFING  TIMELINE  UPDATED  BASED 
ON  MMT  CONCURRENCE  OR  FLIGHT  SPECIFIC  EXCEPTIONS 
DOCUMENTED  IN  THE  FLIGHT  RULES  ANNEX. 

3.  IF  EXTERNAL  HARDWARE  SAFING  TIME  EXCEEDS  THE  ACTUAL  TIME 
AVAILABLE,  HARDWARE  MAY  BE  JETTISONED  AS  REQUIRED  FOR 
CREW  SAFETY. 
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4.  EXCEPTIONS  TO  THIS  RULE  WILL  BE  DOCUMENTED  IN  THE  FLIGHT 
SPECIFIC  ANNEX. 

It  is  the  policy  of  the  SSP  to  protect  the  capability  to  perform  an  emergency  deorbit.  For  unmated  shuttle 
operations,  the  quickest  time  the  crew  can  respond  to  an  emergency  situation  and  perform  a  deorbit  burn 
is  30  minutes.  To  support  this  requirement,  cabin  payloads  must  be  stowed  and  external  payloads  must 
be  “safed”  to  cdlow  payload  bay  door  closure  in  less  than  20  minutes.  If  the  RMS  is  in  use  by  the 
payload,  only  approximately  10  minutes  will  be  available  to  safe  the  payload  since  approximately  10 
minutes  is  required  to  configure  the  RMS  in  preparation  for  deorbit. 

While  docked  to  the  ISS,  the  capability  to  perform  an  emergency  deorbit  within  30  minutes  no  longer 
exists.  Therefore,  the  emergency  deorbit  protection  timeline  is  extended  for  joint  shuttle/ISS  operations. 
The  SSP  has  accepted  the  slight  additional  risk  of  extending  the  rapid  scifing  duration  to  1  hr  45  minutes 
for  ISS  to  allow  payload  bay  door  closure  approximately  10  minutes  after  separation,  and  deorbit  10 
min  utes  later  ( minimum  time  between  separation  and  deorbit  burn  is  approximately  20  minutes).  If  the 
RMS  is  in  use  by  an  elemen  t  or  payload,  only  1  hr  35  min  utes  will  be  available  for  the  elemen  t  on  the 
RMS  to  perform  safing  functions  required  to  clear  the  PLED  envelope  since  approximately  10  minutes  is 
required  to  configure  the  RMS  in  preparation  for  deorbit.  ®[1 1 0900-3758B] 

THIS  RULE  CONTINUED  ON  NEXT  PAGE 


VOLUME  A  06/20/02  FINAL  FLIGHT  OPERATIONS  2-219 

Verify  that  this  is  the  correct  version  before  use. 


NASA  -  JOHNSON  SPACE  CENTER 


FLIGHT  RULES 


A2-205  EMERGENCY  DEORBIT  (CONTINUED) 

Non-ISS  Timeline:  ®[110900-3758B] 


PLBD 

Close 

◄ — ► 


0:00  0:10  0:20  0:30 

RMS  fnnfic 


Emergency  D/O  Burn 

D/O  Decision  Ignition 


ISS  Timeline: 


PLBD 

Close 


0:00  0:10  0:20  0:30  0:40  0:50  1:00  1:10 


1:20  1:30 


1:40 


<  -  ►  | 

1:50  2:00 


L.  i 

k,  RMS  Config  i 

◄ - *\ 

Egress  and  prep  for  undock 

Sep  Sequence 

◄ - ► 

◄ - ► 

Emergency  Undock  D/O  Burn 

D/O  Decision  Ignition 


The  single  failure  that  drives  the  requirement  to  maintain  an  emergency  deorbit  capability  is  an  orbital 
debris  impact  that  results  in  the  loss  of  cabin  pressure  integrity.  The  risk  of  a  debris  strike  requiring  a 
deorbit  within  1  hr  55  minutes  for  a  typical  10-day  mission  is  approximately  1  in  10,000.  @[022201-4123  ] 
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This  risk  is  mitigated  by  maintaining  sufficient  nitrogen  reserves  to  protect  the  contingency  165-minute 
return  capability,  plus  the  nitrogen  budgeted  for  the  typical  2  days  between  undocking  and  nominal  end 
of  mission  landing.  For  a  typical  station  trajectory,  the  165-minute  nitrogen  reserve  would  cover  1  hour 
40  minutes  prior  to  the  burn,  plus  1  hour  5  minutes  from  burn  to  landing.  To  stretch  this  by  15  minutes, 
and  maintain  nitrogen  flowing  through  the  8  psi  regulator  until  landing,  requires  cm  additional  12.5  Ibm 
of  nitrogen  in  reserve.  This  is  approximately  the  amount  that  is  budgeted  for  the  2  days  of  standard 
mission  usage  between  nominal  undocking  and  landing.  Reference  Rule  {A1 7-202 },  8  PSIA  CABIN 
CONTINGENCY  165 -MINUTE  RETURN  CAPABILITY.  @[022201  -4123] 

In  addition  to  payload  safing,  systems  must  also  be  configured  to  support  deorbit  within  the  specified 
time  in  Paragraph  D.l.  (e.g.,  DAP,  Ku-band  antenna,  radiators,  APU/HYD.  FES,  IMU’s,  payload  bay 
doors).  The  safing  timeline  for  each  flight  phase  is  defined  in  the  flight  specific  Flight  Rules  Annex, 
which  defines  the  actions  required  during  a  rapid  safing  scenario  and  may  include  hardware  jettison  if 
required  to  meet  the  time  requiremen  t  or  a  flight  specific  exception  to  this  rule.  If  during  real-time 
operations,  a  failu  re  or  unplanned  configuration  or  activity  occurs  requiring  more  safing  time  than 
allowed,  the  activity  or  configuration  will  be  terminated  or  the  additional  risk  incurred  accepted  by  the 
MMT.  ®[1 1 0900-3758B] 

If  an  event  occurs  which  requires  deorbit  in  less  time  than  allocated  per  this  flight  rule  or  the  flight 
specific  Flight  Rules  Annex,  every  effort  will  be  made,  including  hardware  jettison  if  required,  to 
maximize  crew  safety.  ®[i  1 0900-3758B] 

DOCUMENTATION :  SSP  50021  Safety  Requirements  Document  International  Space  Station  Program; 
DA8-96-039,  “  Orbit  Flight  Techniques  Panel  Meetings  # 157  and  158  Minutes,  ”  MA2-96-157,  “Payload 
Rapid  Safing  Requirements,  ”  MA2-96-190,  “Contingency  Return  and  Rapid  Safing.  ” 
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E.  EMERGENCY  LANDING  SITE  NOTIFICATION:  ®[1 20894-1 744B] 

SHOULD  AN  EMERGENCY  LANDING  BE  REQUIRED,  NOTIFICATION  WILL  BE 
PROVIDED  AS  SOON  AS  POSSIBLE  TO  THE  INTENDED  LANDING  SITE  BY 
MCC/GROUND  PERSONNEL  THROUGH  STATE  DEPARTMENT-APPROVED 
CHANNELS.  HOWEVER  IN  SOME  CASES,  IT  MAY  NOT  BE  POSSIBLE  TO 
PROVIDE  ADVANCED  NOTIFICATION  PRIOR  TO  THE  DEORBIT/ATTEMPTED 
LANDING.  WHEN  SELECTING  THE  LANDING  SITE,  CONSIDERATION  WILL 
BE  GIVEN  TO  THOSE  SITES  THAT  HAVE  AN  ORBITER  COMPATIBLE  UHF 
SYSTEM  IN  ORDER  TO  PROVIDE  LANDING  NOTIFICATION  BY  THE  CREW 
DURING  DESCENT  IF  POSSIBLE. 

SHOULD  NOTIFICATION  OF  THE  SELECTED  LANDING  SITE  NOT  BE 
POSSIBLE,  THE  DECISION  ON  WHETHER  TO  ATTEMPT  THE  LANDING  OR 
BAILOUT  WILL  BE  THE  RESPONSIBILITY  OF  THE  CDR  BASED  ON 
LANDING  SITE  CONDITIONS  AT  THE  TIME  OF  ARRIVAL  WITH  RESPECT 
TO  WEATHER,  AIRCRAFT  TRAFFIC,  RUNWAY  CONDITIONS,  ETC. 

®[1 20894-1 744B] 

In  order  to  reduce  the  risk  to  the  orbiter  crew  and  the  general  public/civilian  population  should  an 
emergency  landing  be  required ,  it  is  necessary  that  an  in  tended  landing  site  be  notified  of  an  attempted 
landing  as  soon  as  possible.  This  will  cdlow  the  airspace  and  runways  to  be  cleared  as  well  as 
emergency  equipment  to  be  prepared.  Notification  may  be  via  state  department  prearranged  channels, 
NASA  agreed  to  communication  channels,  or  possibly  via  communication  directly  with  the  orbiter.  As  a 
last  resort,  a  landing  may  be  attempted  at  a  site  that  has  not  been  notified,  with  the  fined  decision  on 
whether  to  attempt  the  landing  or  bailout  resting  with  the  CDR  based  on  conditions  at  the  time  of 
arrival. 

Rules  { A6-52J ,  RCS  FAILURE  MANAGEMENT;  (A8-1001D}.9,  GNC  GO/NO-GO  CRITERIA,  and 
{ A16-12A },  EMERGENCY  POWERDOWN,  reference  this  rule.  ®[i  1 0900-3758B] 
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A.  NOMINAL  DEROTATION  WILL  BE  TARGETED  FOR  185  KEAS  USING  BEEP 
TRIM. 

B.  IN  THE  EVENT  OF  A  BEEP  TRIM  FAILURE,  THE  CDR  WILL  INITIATE 
MANUAL  DEROTATION  BY  APPROXIMATELY  175  KEAS  AND  TARGET  FOR  A 
1-2  DEG/SEC  RATE. 

C.  FOR  A  LEAKING/FLAT  MAIN  GEAR  TIRE,  BEEP  TRIM  DEROTATION  MAY 
BE  DELAYED  TO  NO  SLOWER  THAN  165  KEAS  TO  ACHIEVE  A  1 0  KT 
DELTA  FROM  THE  ACTUAL  DRAG  CHUTE  DEPLOY  VELOCITY.  ®[041097-4009E] 

Nominal  derotation  is  initiated  by  the  crew  using  beep  trim  at  185  KEAS  on  both  concrete  and  lakebed 
runways  and  for  all  vehicles.  Based  on  a  nominal  195  KEAS  lightweight  MEG  touchdown,  the  drag 
chute  is  deployed  immediately  after  touchdown.  Flight  data  and  testing  at  Ames  (1/96  and  7/96)  show 
that,  to  ensure  disreef  prior  to  NGTD,  the  chute  should  be  deployed  10  knots  prior  to  derotation.  If  the 
drag  chute  is  deployed  at  195  knots  (post  MGTD),  the  chute  will  be  in  the  full-open  configuration  just 
prior  to  nose  gear  touchdown,  thus  reducing  the  slapdown  loads.  Faster  touchdowns  result  in  more  time 
spent  in  the  2-pt  attitude  hold  stance  waiting  for  the  velocity  to  decelerate  to  the  nominal  chute 
deploy/vehicle  derotation  cues.  Although  a  nominal  drag  chute  deploy  and  derotation  sequence  will 
usually  result  in  a  chute  disreef  prior  to  NGTD,  dispersions  in  touchdown  speed,  chute  deploy,  and 
derotation  velocities  may  result  in  chute  disreef  after  NGTD.  Derotation  may  therefore  be  delayed  until 
10  knots  below  the  actual  chute  deploy  velocity  to  ensure  maximum  load  relief  for  a  leaking/flat  tire.  The 
165  KEAS  minimum  derotation  velocity  protects  nose  gear  slap  down  loads,  assinning  no  beep  trim 
failures.  (Reference  AEFTP  Splinter,  October  8,  1996.)  ®[041097-4009E] 

Reference  Rules  {A4-108A},  TIRE  SPEED,  BRAKING,  AND  ROLLOUT  REQUIREMENTS,  and 
{A10-142},  TIRE  PRESSURE  [CIL ].  ®[050495-i774A] 
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NORMAL  LANDING  SITE  SELECTION  WILL  BE  BASED  ON  THE  FOLLOWING 
PRIORITIES.  ALL  REQUIREMENTS  FOR  ACCEPTABLE  WEATHER,  LIGHTING 
CONDITIONS,  RUNWAY  CONDITIONS,  AND  ENTRY  CONSTRAINTS  MUST  BE 
SATISFIED  FOR  A  SITE/RUNWAY  TO  BE  USED.  ®[1 02402-5804C] 

NOTE:  REFERENCE  THE  FLIGHT-SPECIFIC  FLIGHT  RULE  ANNEX  FOR  ANY 

EXCEPTIONS  TO  THE  FOLLOWING  LANDING  SITE  PRIORITIES  DUE 
TO  SPECIAL  CIRCUMSTANCES/REQUIREMENTS. 

A.  RTLS/TAL  PRIORITIES: 


RTLS  [1] 

INCLINATION  <39° 

INCLINATION  >39° 

KSC  15 

KSC  33 

KSC  33 

KSC  15 

NOTE: 

[1]  FOR  INCLINATIONS  OF  EXACTLY  39  DEGREES,  THERE  IS  NO  DIFFERENCE  IN  DOWNMODE  RANGING 
BETWEEN  KSC  1 5/33.  RUNWAY  WILL  BE  CHOSEN  BASED  ON  WEATHER,  SURFACE  WINDS, 
TOUCHDOWN/ROLLOUT  MARGINS,  ETC.  @[0201 96-1 802A] 


TAL 

28.5 

39 

51.6 

57 

BEN  GUERIR  (BEN) 

BEN  GUERIR  (BEN) 

ZARAGOZA  (ZZA) 

ZARAGOZA  (ZZA) 

MORON  (MRN) 

MORON  (MRN) 

MORON  (MRN) 

MORON  (MRN) 

ZARAGOZA  (ZZA) 

BEN  GUERIR  (BEN) 

BEN  GUERIR  (BEN) 

@[0201 96-1 802A]  ®[1 02402-5804C] 


RUNWAY  SELECTION  FOR  RTLS  OR  TAL  SHOULD  BE  IN  PRIORITY  ORDER  OF  GO  RUNWAYS.  HOWEVER,  IF  A 
RUNWAY  APPROACHES  FLIGHT  RULE  LIMITS  OR  OTHER  CONDITIONS  MAKE  A  RUNWAY  LESS  DESIRABLE  (I.E., 
SUN  GLARE,  STA  EVALUATION,  ETC.),  THEN  CONSIDERATION  MAY  BE  GIVEN  TO  SELECTING  A  LOWER  PRIORITY 
RUNWAY.  @[0201 96-1 802A]  ®[1 02402-5804C] 


Run  way  priorities  for  RTLS  are  based  solely  on  energy  downmode  capability.  For  inclinations  less  than 
39  degrees,  GRTLS  range-to-go  analysis  has  shown  that  a  larger  range  recovery  capability  exists  for  an 
OVHD  KSC  15  downmode  to  STIN  KSC  33  than  OVHD  KSC  33  downmode  to  STIN  KSC  15. 


TAL  runway  priorities  were  determined  based  on  the  site  that  provides  the  best  single-engine  coverage 
once  a  TAL  abort  has  been  selected. 
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A2-207  LANDING  SITE  SELECTION  (CONTINUED) 

B.  AOA  PRIORITIES  ®[1 02402-5804C] 

NOTE:  AOA  PRIORITIES  ARE  MODIFIED  BY  INCLINATION.  AT 

28.5  AND  39  DEGREE  INCLINATIONS,  ALL  AOA  SITES 
ARE  AVAILABLE  FOR  SELECTION.  AT  57  DEGREES, 
ONLY  NOR  IS  AVAILABLE,  AND  AT  51.6  DEGREES,  NOR 
AND  KSC  ARE  AVAILABLE.  @[0201 96-1 802A] 

1.  EDWARDS  22/04 

2  .  KSC 

3 .  NORTHRUP 


Since  AOA  landings  are  typically  heavyweight,  the  Edwards  complex  provides  more  margin  in  the  event 
of  landing/rollout  or  vehicle  energy  problems.  For  high  inclination  missions,  Northrup  may  be  the  only 
AOA  landing  site  available  due  to  the  large  crossrange  required  to  land  at  Edwards  or  KSC.  ( ref.  Rule 
I A4-107 j,  PLS/EOM  LANDING  OPPORTUNITY  REQ  UIREMENTS).  ®[i  1 1 094-1 622B] 

C.  EOM  PRIORITIES 

1  .  KSC 

2.  EDWARDS  22/04 

3 .  NORTHRUP 

Due  to  the  advantages  in  vehicle  turnaround,  the  Space  Shuttle  Program  has  directed  that  nominal  end 
of  mission  (EOM)  landings  utilize  KSC  as  the  first  priority  landing  site. 

After  KSC,  next  in  the  EOM  runway  selection  priority  is  Edwards,  because  of  the  availability  of  the 
concrete  runway  and  because  of  the  significant  vehicle  post  landing  and  turnaround  operations 
capabilities.  NOR  is  generally  last  priority,  because  although  it  provides  an  excellen  t  orbiter 
landing  site  ( laser-leveled  runways,  crossing  runways,  significant  runway  lateral  and  longitudinal 
margin,  all  required  landing  aids  and  NAVAIDS  for  day  and  night,  etc.),  the  ability  to  support  the 
orbiter  systems  postlanding  and  for  turnaround/ferry  operations  is  much  reduced  as  compared  to 
KSC  or  Edwards,  resulting  in  the  potential  for  significant  (several  weeks)  shuttle  schedule/manifest 
impacts.  ®[1 02402-5804C] 

Reference  Rule  { A4-109J ,  DEORBIT  PRIORITY  FOR  EOM  WEATHER. 

Reference  Rule  (A2-202J,  EXTENSION  DAY  GUIDELINES,  for  cases  where  the  PLS  is  NO-GO. 
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D.  SYSTEMS  FAILURE  PRIORITIES  [1  ]  [3  [5]  [6]  ®[1 02402-5804C] 

FOR  SYSTEMS  FAILURES  THE  LANDING  SITE  PRIORITY  SHALL  FOLLOW 
THE  EOM  PRIORITIES.  CONSIDERATION  WILL  BE  GIVEN  TO  THE 
FOLLOWING  EXCEPTIONS: 


SYSTEM  FAILURES  [1] 

PRIORITY 

1  OR  2  APU/HYD  SYSTEMS 

LANDING  SITES  WITHIN  SINGLE  APU  WX  PLACARDS 

[2] 

2  IMU'S 

EDW  22/04 

2  NORM/LAT  AA'S 

NORTHRUP 

KSC 

2  RGA'S 

2  ADTA’S 

LANDING  SITE  WITH  MOST  FAVORABLE  ATMOSPHERIC  CONDITIONS 

[4] 

2  FCS  CHANNELS 
(SAME  SURFACE) 

NORTHRUP 

EDW  22/04 

KSC 

®[1 02402-5804C] 


NOTES: 

[1]  ALL  FAILURES  OCCUR  PRIOR  TO  DEORBIT  BURN. 

[2]  WX  PLACARDS  ARE  AS  FOLLOWS: 

A.  CEILING  -  GREATER  THAN  OR  EQUAL  TO  1 0K  FEET 

B.  VISIBILITY  -  GREATER  THAN  OR  EQUAL  TO  7  STATUTE  MILES 

C.  CROSSWIND  -  LESS  THAN  OR  EQUAL  TO  1 0  KNOTS  (PEAK) 

D.  NO  GREATER  THAN  LIGHT  TURBULENCE 

E.  ACCEPTABLE  ROLLOUT  MARGIN/BRAKE  ENERGY  ON  HALF  BRAKES  WITHOUT  NOSEWHEEL  STEERING 
(DIFFERENTIAL  BRAKING) 

(REF.  RULE  {A10-23A},  APU  ENTRY  START  TIME.)  LANDING  SITE  PRIORITY  SHALL  MINIMIZE  CROSSWINDS  AND 
TURBULENCE. 

[3]  IF  THE  PRIMARY  LANDING  SITE  IS  NO-GO  AND  IF  THE  FORECAST  CONDITIONS  ARE  PREDICTED  TO  IMPROVE, 
DEORBIT  WILL  BE  DELAYED,  IF  PRACTICAL. 

[4]  UNFAVORABLE  ATMOSPHERIC  CONDITIONS  ARE  DEFINED  AS  UPPER  LEVEL  HAC  WINDS  IN  EXCESS  OF  80 
KNOTS,  HAC  DYNAMICS  THAT  COULD  AFFECT  THE  VEHICLES  ENERGY  STATE  (I.E.,  ENERGY  DUMP  MANEUVERS), 
OR  DENSITY  ALTITUDE  AFFECTS  THAT  BIAS  THE  INDICATED  AIRSPEED.  PRESENCE  OF  ANY  OF  THESE 
CONDITIONS  INCREASES  THE  WORKLOAD  ASSOCIATED  WITH  MANUALLY  FLYING  THETA  LIMITS,  COULD  RESULT 
IN  ADDITIONAL  ENERGY  LOSS,  AND  INCREASES  THE  POSSIBLITY  OF  LANDING  FASTER  OR  SLOWER  THAN  THE 
TARGETED  AIRSPEED.  (REF.  RULE  {A8-1 11},  AIR  DATA  SYSTEM  MANAGEMENT). 

[5]  LIGHTED  RUNWAY  REQUIRED  AT  NIGHT. 

[6]  REFERENCE  RULE  {A2-202},  EXTENSION  DAY  GUIDELINES,  FOR  WAVE-OFF  CRITERIA.  ®[1 02402-5804C] 
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The  NEOM  landing  site  priority  of  KSC,  EDW  22/04,  NOR  is  driven  by  Space  Shuttle  Program  directive, 
based  on  the  cost  in  time  and  money  for  vehicle  turn-around.  Exceptions  to  this  standard  priority  order 
will  be  reviewed  on  a  case-by-case  basis  for  orbiter  systems  failures.  Factors  in  selecting  the  best 
landing  site  include,  but  are  not  limited  to,  weather  conditions,  runway  lateral  and  rollout  margins,  and 
touch-down  margins  for  flight  control  or  navigation  issues.  KSC  15/33  is  a  300ft  wide  grooved  concrete 
runway  with  50  ft  loadbearing  paved  shoulders  and  has  a  total  length  of  17,000 ft  including  the  1,000ft 
underrun  and  1,000ft  overrun.  The  KSC  runway  is  surrounded  by  a  non-loadbearing  grassy  area  and  a 
moat.  EDW  22/04  is  a  300 ft  wide  non-grooved  concrete  runway  with  25  ft  Icikebed  material  shoulders 
that  are  not  generally  considered  loadbearing.  EDW  22/04  has  a  toted  length  of  16,975 ft.  The  EDW  04 
end  has  a  1,000 ft  underrun  and  an  1,800ft  overrun  with  the  possibility  of  rollout  onto  another  9,588ft 
of  prepared  Icikebed  surface.  The  EDW  22  end  has  a  1,800ft  underrun  and  no  overrun.  NOR  17/35  and 
05/23  are  300ft  wide  leveled  Icikebed  runways  with  300ft  shoulders  of  the  same  hard  mantle  material. 
Each  runway  has  a  total  length  of 39,000 ft  including  ci  12,000ft  underrun  and  12,000ft  overrun.  For 
all  runways,  the  existence  and  location  of  obstructions  in  the  shoulders  should  be  discussed  in  situations 
where  lateral  margins  are  a  factor  in  landing  site  selection.  ®[1 02402-5804C] 

The  following  cases  have  been  addressed  in  the  developmen  t  of  this  rule  (ref  AEFTP  #187): 

1  or  2  APU  HYP  SYSTEMS:  For  loss  of  ci  single  APU /hydraulic  system,  vehicle  hydraulic  capability  is 
unimpaired.  However,  loss  of  a  second  APU,  results  in  potential  system  losses  (nosewheel  steering, 
braking  capability,  control  effectiveness  at  denotation,  etc.)  requiring  more  stringent  weather  placards  to 
assure  a  safe  landing.  If  two  APU /hydraulic  systems  are  lost,  it  is  desirable  to  provide  significant  lettered 
and  longitudinal  margins  while  providing  a  surface  that  is  hard  enough  to  allow  better  control  of 
denotation  rate  in  order  to  limit  nose  gear  touchdown  loads.  Concrete  runways  provide  a  lower- 
coefficient  of  friction  than  Ictkebeds,  including  Northrup.  A  lower  coefficient  of  friction  reduces  the  pitch 
down  moment  and,  thus,  reduces  hydraulic  load.  With  only  one  APU  remaining  for  flight  control,  an 
evaluation  of  appropriate  weather  conditions,  including  upper  level  and  surface  winds,  is  critical  in  the 
planned  landing  site  selection  criteria.  Since  the  control  degradation  and  systems  losses  would  only  be 
apparent  with  a  single  operating  APU  during  approach  and  landing,  denotation,  and  rollout,  it  is 
prudent  to  pick  the  best  runway  within  the  stated  weather  placards.  The  stability  of  the  weather,  and 
minimizing  cross-winds  and  turbulence,  are  the  key  consideration  if  more  than  one  landing  site  is  within 
placards.  ®[i  02402-5804C] 
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2  IMU's,  2  NORM/LAT  AA's.  2  RGA’s:  The  IMU’s,  AA  ’s,  and  RGA  ’s  provide  feedback  to  the  orbiter 
flight  control  loops.  Specifically,  the  IMU’s  are  used  to  propagate  the  vehicle  navigation  state  vector 
and  provide  attitude  and  attitude  rate  information  to  the  flight  control  system.  Lettered  AA's  provide 
feedback  to  the  flight  control  system  to  improve  stability  during  turn  coordination  and  roll  reversals,  and 
are  used  to  provide  feedback  during  use  of  nose  wheel  steering  (NWS)  on  the  runway.  Normal  AA’s  are 
used  to  sense  normal  acceleration  (Nz)  during  TAEM  to  prevent  from  overstressing  the  vehicle’s 
structure  by  maintaining  the  pitch  angle  such  that  the  vehicle  stays  below  the  Nz  limits.  The  RGA’s  are 
used  to  stabilize  the  flight  control  sy  stem  by  providing  high  frequency  rate  information  between  IMU  rate 
samples.  The  IMU’s,  AA ’s,  and  RGA ’s  are  used  by  the  Aerojet  DAP  during  the  EI-5  through  landing 
and  rollout  timeframe  (MM304  and  MM305).  A  critical  failure  in  one  of  these  systems  could  result  in 
degraded  vehicle  control  and/or  significan  t  energy  loss  during  the  entry  profile.  The  inten  t  of  selecting 
Edwards  22/04  as  the  primary  landing  site  is  to  provide  the  maximum  n  umber  of  con  tingency  energy 
downmode  options  in  the  event  the  next  LRU  fails  early  in  the  entry  profile  and  results  in  significant 
energy  loss.  Down  mode  options  in  the  vicin  ity  of  Edwards  22/04  include  Palmdale,  China  Lake,  the 
Edwards  Icrkebed,  etc.  If  Edwards  is  not  available,  then  Northrup  provides  the  next  best  energy 
downmode  capability  because  the  Northrup  landing  site  complex  has  multiple  runways  available,  and  it 
is  collocated  with  several  other  contingency  landing  sites  ( i.  e. ,  Holloman,  etc).  If  Edwards  and  Northrup 
are  unavailable,  then  a  KSC  landing  should  be  targeted  since  the  probability  of  the  next  worst  failure  is 
low  and  it  is  the  prime  landing  site  with  significant  ground  forces  available.  ®[1 02402-5804C] 

2  APT  A 's:  The  ADTA  ’s  are  only  used  during  TAEM,  provide  altitude  data  to  navigation,  and  determine 
the  Mach  number  and  angle  of  attack  (Alpha)  for  use  by  flight  control.  This  limits  the  window  of 
exposure  for  another  ADTA  problem  to  only  the  last  portion  of  entry.  Next  worst  failures  could  include  a 
loss  of  all  air  data  measuremen  ts  (due  to  dilemma  or  a  probe  problem).  Landing  site  selection  with  two 
ADTA ’s  failed  protects  for  landing  withou  t  air  data.  Flying  without  air  data  requires  use  of  manual 
flying  techniques  ( i.  e. ,  theta  limits).  The  level  of  difficulty  associated  with  main  taining  theta  limits  and 
survivability  is  significantly  affected  by  the  atmospheric  conditions.  Av  such,  only  the  landing  site  with 
the  most  benign  atmospheric  conditions  should  be  targeted.  Unfavorable  atmospheric  conditions  that 
could  result  in  a  loss  of  control,  significant  energy  loss  due  to  flying  outside  the  HAC,  or  difficulty  in 
maintaining  theta  limits  include  high  upper  level  winds  on  the  HAC  ( i. e. ,  winds  in  excess  of  80  knots)  or 
other  HAC  dynamics  such  as  cm  energy  dump  pull-up  maneuver.  Density  altitude  effects  should  also  be 
considered  when  targeting  a  landing  site,  because  the  density  altitude  could  bias  the  indicated  airspeed 
and  result  in  a  landing  that  is  considerably  faster  or  slower  than  the  targeted  touchdown  airspeed.  This 
is  due  to  the  fact  that  the  flight  control  system  assumes  a  standard  atmosphere  as  the  default  with  no  air 
data  and  that  default  may  differ  significantly  from  the  actual  atmospheric  conditions  of  the  day  at  the 
selected  landing  site.  (Ref.  rule  (A8-1 1 1 },  AIR  DATA  SYSTEM  MANAGEMENT.)  ®[i  02402-5804C] 
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2  FCS  CHANNELS:  The  FCS  channels  control  the  orbiter  cierosurfaces  during  the  later  portion  of  entry 
once  sufficient  atmospheric  density  has  built  up  to  give  those  aerosurfaces  effective  control  authority. 

This  limits  the  window  of  exposure  of  a  next  worse  failure  (i.e.,  a  1 -on- 1  force  fight,  bad  feedback  going 
into  flight  control,  etc.)  to  the  later  portion  of  entry.  Such  a  failure  could  result  in  a  control  transient  or 
persistent  vehicle  control  problems  that  impact  the  vehicle’s  energy  state.  Most  flights  require  a 
concrete  runway  landing  (or  equivalent  runway  hardness )  due  to  the  large  mass  moment  at  nose  gear 
touchdown.  Northrup  provides  the  most  flexibility  of  the  available  primary  landing  sites  due  to  the 
availability  of  several  runways  of  sufficient  hardness.  If  Northrup  is  unavailable,  then  Edwards  should 
be  targeted  because  it  provides  the  option  to  downmode  to  the  large  lakebed  landing  complex  in  the  event 
that  it  is  not  possible  to  reach  the  concrete  runway.  The  Edwards  lakebed  would  only  be  used  in  a 
con  tingency.  If  Edwards  and  Northrup  are  unavailable,  then  a  KSC  landing  should  be  targeted  since  the 
probability  of  the  next  worst  failure  occurring  is  low  and  KSC  is  the  prime  landing  site  with  significant 
ground  forces  available.  The  landing  site  selection  philosophy  for  FCS  channels  assumes  that  sufficient 
aft  RCS  margin  is  available  to  perform  the  entry  with  Wrap-DAP  active.  Use  ofWrap-DAP  provides 
yaw  jet  control  authority  to  fight  any  drag  that  may  be  caused  by  degraded  aerosurface  movement  above 
Mach  1  (i.e.,  performing  an  entry  with  no-yaw-jet  selected  does  not  limit  window  of  exposure  to  TAEM 
because  sufficient  RCS  jet  control  authority  does  not  exist  to  fight  a  bad  aerosurface).  ®[i  02402-5804C] 

MEG  TIRE  PREDICTED  TO  BE  BELOW  THE  MINIMUM  ACCEPTABLE  PRESSURE  AT 
TOU  CHD  O  WN:  If  a  tire  pressure  is  low,  due  to  temperature  or  leakage,  such  that  sufficient  load- 
carrying  capability  of  that  tire  may  not  exist  (ref.  rule  {A10-142},  TIRE  PRESSURE  [ CIL]),  total  loss  of 
that  tire  may  occur  at  derotation,  when  the  highest  tire  loading  is  reached.  Based  on  Northrup  hardness 
data,  Northrup  is  acceptable  for  blown  tire  cases.  However,  the  coefficient  of  friction  on  the  strut  if  both 
tires  on  a  MLGfciil  is  greater  than  at  a  concrete  runway,  indicating  that  the  vehicle  would  be  harder  to 
control  on  the  Northrup  lakebed  than  at  KSC  or  EDW  22/04.  Runway  prioritization,  consequently,  gives 
preference  to  concrete  runways.  Consideration  should  be  given  to  minimizing  crosswind  during  landing 
site  selection  to  reduce  loads  on  the  remaining  tires.  Landing  with  the  crosswind  on  the  side  of  the 
vehicle  with  the  flat  tire  will  help  reduce  loads  on  the  affected  landing  gear,  reducing  the  risk  of  blowing 
the  remaining  tire.  Loads  on  the  NLG  tires  are  low  enough  that  if  one  tire  is  failed,  the  remaining  tire  is 
not  likely  to  blow.  Loss  of  one  or  both  NLG  tires  is  not  considered  a  directional  con  trol  problem,  since 
the  vehicle  should  be  controllable  with  differential  braking. 

NWS  FAILED  (ALL):  With  the  loss  of  NWS,  differential  braking  remains  as  the  only  method  of 
directional  control.  Sufficient  braking  system  redundancy  exists  to  accept  the  risk  of  landing  at  KSC  or 
EDW  vs.  NOR.  Consideration  should  be  given  to  minimizing  crosswind  during  landing  site  selection. 

®[1 02402-5804C] 
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E.  PREDEORBIT  LANDING  SITE  EVALUATION  ®[1 02402-5804C] 

1.  AFTER  DEORBIT  MINUS  2.5  HOURS,  IF  UNACCEPTABLE  WEATHER 
CONDITIONS  EXIST  (OBSERVED  OR  FORECAST)  OR  ENTRY 
REQUIREMENTS  CANNOT  BE  SATISFIED  (TAEM,  A/L,  TOUCHDOWN, 
ROLLOUT,  ETC.),  THE  AFFECTED  LANDING  SITE  MAY  BE 
ELIMINATED  AS  A  PRIMARY  OPTION. 

2.  AFTER  DEORBIT  MINUS  1.5  HOURS,  ONLY  A  SINGLE  LANDING  SITE 
WILL  CONTINUE  TO  BE  EVALUATED.  OTHER  LANDING  SITE 
OPTIONS  MAY  BE  REEVALUATED  IN  THE  EVENT  OF  A  DEORBIT 
WAVE-OFF . 

The  above  guidelines  will  allow  the  evaluation  of  multiple  run  ways  at  multiple  landing  sites  for  multiple 
deorbit  opportunities  without  significantly  compromising  the  required  evaluation  of  the  actual  runway 
where  landing  will  occur.  It  is  always  prudent  to  eliminate  landing  site/runway  options  as  they  become 
unlikely  to  remain  within  limits  .  This  is  especially  true  after  deorbit  minus  2.5  hours,  the  standard  time 
at  which  deorbit  pads  will  be  voiced  to  the  crew.  Up  until  deorbit  minus  1.5  hours,  sufficient  time  is 
available  to  evaluate  multiple  landing  sites  for  the  nominal  deorbit  as  well  as  preliminary  evaluation  of 
landing  sites  on  the  next  deorbit.  Due  to  multiple  wind  sets,  landing  sites,  runways,  aimpoints,  etc.  being 
evaluated,  a  toted  team  focus  on  the  primary  runway  on  the  last  orbit  prior  to  deorbit  is  necessary. 

Rules  (A2-102J,  MISSION  DURATION  REQUIREMENTS,  and  (A2-6J,  LANDING  SITE  WEATHER 
CRITERIA  [ HC ],  reference  this  rule. 
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A2-208 

ACES  PRESSURE  INTEGRITY  CHECK  @[012402-5089] 

DEORBIT  WILL  NOT  BE  DELAYED  FOR  FAILURE  OF  ANY  ADVANCED  CREW 
ESCAPE  SUIT  (ACES)  PRESSURE  INTEGRITY  CHECK. 

ACES  pressure  integrity  is  not  required  for  the  present  bailout  scenario.  In  addition,  beyond  verifying 
the  proper  connections,  there  is  little  that  the  crew  could  do  during  flight  to  locate  the  source  of  a  leak  in 
an  ACES  or  to  repair  it.  @[012402-5089  ] 
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A2-209  LANDING  SITE  SELECTION  FOR  AN  INFLIGHT  EMERGENCY 

A.  AN  INFLIGHT  EMERGENCY  WILL  BE  DECLARED  AND  AN  ATTEMPT  WILL  BE 
MADE  TO  PERFORM  AN  EMERGENCY  LANDING  IF  A  LANDING  AT  THE 
TARGETED  SITE  IS  IMPOSSIBLE.  ®[1 20894-1 744B] 

NOTE:  THE  DETERIORATION  OF  WEATHER  (WINDS,  TURBULENCE, 

CEILING,  PRECIPITATION,  ETC.)  AND/OR  LANDING  AND 
ROLLOUT  MARGINS,  WHICH  RESULT  IN  FLIGHT  RULE 
EXCEEDANCES  POST-DEORBIT  BURN,  ARE  NOT  CAUSE  TO 
REDESIGNATE  FROM  THE  TARGETED  SITE. 

B.  LANDING  WILL  BE  ATTEMPTED  AT  AN  EMERGENCY  LOCATION  THAT  MEETS 
THE  FOLLOWING  CRITERIA: 

1.  THE  LANDING  FIELD  IS  WITHIN  THE  ENERGY  CAPABILITY  OF  THE 
ORBITER  AS  DEFINED  IN  RULE  {A2-251},  BAILOUT. 

2.  THE  LANDING  FIELD  FACILITIES  SATISFY  THE  REQUIREMENTS 
DOCUMENTED  IN  RULE  {A2-264},  EMERGENCY  LANDING  FACILITY 
CRITERIA. 

C.  TIME  PERMITTING,  WITH  MULTIPLE  SITES  OF  SIMILAR  ENERGY 
CAPABILITY,  SELECTION  OF  THE  EMERGENCY  LANDING  FIELD  WILL  BE 
BASED  ON  THE  FOLLOWING  PRIORITY: 

1.  ANOTHER  NASA  AUGMENTED  LANDING  SITE 

2.  A  DOD  AIRFIELD  WITH  COMPATIBLE  SHUTTLE  UHF  COMMUNICATIONS 

3.  A  DOD  AIRFIELD  WITHOUT  COMPATIBLE  SHUTTLE  UHF 
COMMUNICATIONS 

THIS  RULE  CONTINUED  ON  NEXT  PAGE 


VOLUME  A  11/21/02  FINAL,  PCN-1  FLIGHT  OPERATIONS  2-232 

Verify  that  this  is  the  correct  version  before  use. 


NASA  -  JOHNSON  SPACE  CENTER 


FLIGHT  RULES 


A2-209  LANDING  SITE  SELECTION  FOR  AN  INFLIGHT  EMERGENCY 

(CONTINUED) 

4.  A  COMMERCIAL  AIRFIELD  WITH  COMPATIBLE  SHUTTLE  UHF 
COMMUNICATIONS 

5.  A  COMMERCIAL  AIRFIELD  WITHOUT  COMPATIBLE  SHUTTLE  UHF 
COMMUNICATIONS 

Should  orbiter  or  facility  problems  be  encountered  which  make  landing  at  the  designated  NASA  landing 
field  impossible,  the  actions  to  be  taken  are  identified  in  order  of  priority  in  an  attempt  to  save  the  crew 
and  orbiter  (national  resource),  while  at  the  same  time  minimizing  public  exposure  to  additional  risk. 
During  entry  should  the  need  arise,  an  “inflight  emergency”  (as  declared  by  all  aircraft  if  in  trouble ) 
will  be  declared,  and  a  landing  at  an  ELS  will  be  attempted  if  energy  is  sufficient  to  reach  the  landing 
site  (reference  Rule  {A2-251  j,  BAILOUT )  and  the  facility  meets  the  minimum  requirements  (reference 
Rule  (A2-264),  EMERGENCY  LANDING  FACILITY  CRITERIA).  ®[i  20894-1 744B] 

Weather  forecasts  for  shuttle  landings  are  made  by  well-trained,  experienced  meteorologists  with  the 
best  tools  available  and  within  90  minutes  of  landing.  At  the  A/E  FTP  #73,  the  results  of  a  multimonth 
study  of  forecasting  accuracy  showed  that  these  forecasts  were  extremely  accurate  and  in  the  very  small 
percentage  of  cases  where  a  GO  prediction  turned  into  a  NO-GO  situation,  the  violations  were  minor 
and  survivable.  It  is  inconceivable  that  these  forecasts  would  be  in  error  by  a  degree  that  would  entail 
greater  risk  by  continuing  to  the  landing  site  than  would  be  incurred  by  diverting  to  an  emergency  field 
with  its  lack  of  facilities,  navigation  aids,  trained  personnel,  and  flightcrew  familiarity. 

Diverting  from  the  targeted  site  will  not  be  done  just  for  deteriorating  weather  conditions  which  will 
violate  weather  flight  rules  or  landing  and  rollout  margin  reductions.  We  will  accept  the  nonoptimum 
conditions  rather  than  divert  to  another  site  since  it  is  believed  that  this  option  provides  less  risk  to  the 
orbiter  and  crew  as  well  as  the  general  public.  ®[1 20894-1 744B] 

Should  it  be  necessary  to  divert  from  the  primary  landing  field,  another  NASA  augmented  landing  field 
will  be  selected  if  available.  Otherwise,  site  selection  will  be  based  on  facility  type  (DOD  uv  commercial ) 
and  the  availability  of  compatible  shuttle  UHF  communications.  The  facility  priority  has  been  selected 
to  minimize  risk  to  the  general  public.  ®[1 20894-1 744B] 
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A2-251  BAILOUT 

A.  THE  CDR  IS  RESPONSIBLE  FOR  BAILOUT  ACTION. 

B.  THE  MCC  WILL  EVALUATE  ALL  POSSIBLE  ENERGY  MANAGEMENT  ACTIONS 
PRIOR  TO  RECOMMENDING  BAILOUT.  ®[1 20894-1 744B] 

C.  THE  FOLLOWING  DEFINITIONS  APPLY  TO  THE  BAILOUT  REGIONS 
DEFINED  BELOW: 

1.  MCC  MAX  RANGE  LINE:  THIS  LINE  IS  GENERATED  ON  LANDING 
DAY  AND  BASED  ON  A  STRAIGHT-IN  APPROACH  TO  THE  MINIMUM 
ENTRY  POINT  HAC,  WITH  MAXIMUM  L/D  STRETCH  TECHNIQUES  AND 
ACTUAL  WINDS  AND  ATMOSPHERIC  CONDITIONS. 

2.  MCC  RTLS  MINIMUM  ENERGY  LINE:  THIS  LINE  IS  GENERIC  FOR 
ALL  FLIGHTS  AND  ASSUMES  A  FORWARD  CG,  MID-WEIGHT, 
HEAVYWEIGHT  I-LOADS,  COLD  ATMOSPHERE,  AND  NO  WINDS. 

3.  MCC  BAILOUT  LINE:  THIS  LINE  IS  GENERIC  FOR  ALL  FLIGHTS 
AND  REPRESENTS  A  BEST-ON-BEST  MAXIMUM  CAPABILITY,  BASED 
ON  3  SIGMA  FAVORABLE  WINDS,  MAXIMUM  HAC  SHRINK,  AND 
MAXIMUM  ORBITER  L/D. 

D.  AN  MCC  BAILOUT  RECOMMENDATION  WILL  BE  MADE  BASED  ON  THE 
FOLLOWING  CRITERIA,  USING  THE  BEST  AVAILABLE  SITE,  RUNWAY, 
AND  STATE  VECTOR  SOURCE,  AND  WITHOUT  REGARD  TO  TOUCHDOWN, 
BRAKE  ENERGY  AND  ROLLOUT  MARGIN  PLACARDS: 

THIS  RULE  CONTINUED  ON  NEXT  PAGE 
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A2-251  BAILOUT  (CONTINUED) 

1.  GREEN:  BAILOUT  NOT  REQUIRED  (CALL  ONLY  REQUIRED  IF 
TRANSITIONING  FROM  THE  "YELLOW"  REGION) . 

a.  EOM  LANDINGS:  ORBITER  ENERGY/WEIGHT  ABOVE  THE  MAX 
RANGE  LINE. 

b.  ALL  OTHER  LANDINGS:  ORBITER  ENERGY/WEIGHT  ABOVE  THE 
MCC  RTLS  MINIMUM  ENERGY  LINE.  ®[1 20894-1 744B] 

2.  YELLOW:  BAILOUT  IF  DEEMED  NECESSARY  BY  THE  CDR;  MCC 
CONTINUES  TO  MONITOR.  ®[1 20894-1 744B] 

a.  EOM  LANDINGS:  ORBITER  ENERGY/WEIGHT  BELOW  THE  MAX 
RANGE  LINE  AND  ABOVE  THE  MCC  BAILOUT  LINE. 

b.  ALL  OTHER  LANDINGS:  ORBITER  ENERGY/WEIGHT  BELOW  THE 
MCC  RTLS  MINIMUM  ENERGY  LINE  AND  ABOVE  THE  MCC 
BAILOUT  LINE. 

3.  RED:  MCC  RECOMMENDS  BAILOUT. 

ORBITER  ENERGY/WEIGHT  BELOW  THE  MCC  BAILOUT  LINE. 

E.  IF  POSSIBLE,  BAILOUT  WILL  BE  DECLARED  NO  LOWER  THAN  50K  FT 
ALTITUDE  ( 7  OK  FT  FOR  ECAL)  . 

THIS  RULE  CONTINUED  ON  NEXT  PAGE 
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A2-251  BAILOUT  (CONTINUED) 

F.  NORMALLY,  ZERO  DEGREES  OF  BANK  WILL  BE  USED  FOR  BAILOUT 
GUIDANCE  "FREEZE"  CONDITIONS.  HOWEVER,  THE  MCC  MAY  PROVIDE  A 
DESIRED  BANK  ANGLE  (UP  TO  10  DEG)  IF  REQUIRED  TO  AVOID 
ORBITER  IMPACT  IN  POPULATED  AREAS. 

G.  IF  BAILOUT  IS  DECLARED  FOR  ECAL,  A  TURN  SHALL  BE  EXECUTED  TO 
A  HEADING  OF  120  DEG,  UNLESS  FDO  DETERMINES  IN  REAL  TIME  A 
HEADING  MORE  FAVORABLE  FOR  SAR  OPERATIONS  (E.G.,  PARALLEL  THE 
COAST,  ETC.) 

Reference  Rule  (A1-6J,  SHUTTLE  COMMANDER  AUTHORITY,  for  CDR  responsibilities. 

The  MCC  has  more  accurate  evaluation  tools  with  which  to  determine  energy  capability  and  uses  radar 
tracking  data  ( when  available)  as  the  prime  state  vector  source.  All  energy  management  and  recovery 
procedures  will  be  evaluated  prior  to  any  bailout  recommendation  being  issued  by  the  MCC.  Three 
bailout  zones,  green,  yellow,  and  red,  have  been  identified  for  MCC  bailout  recommendation,  based  on 
areas  delineated  on  FDO  Energy fW eight  versus  Rcmge-to-go  displays. 

The  bailout  green  zone  is  defined  as  that  area  above  the  MCC  maximum  ranging  capability  line  which  is 
generated  for  EOM  on  landing  day,  based  on  a  straight-in  approach  to  the  minimum  entry  point  HAC, 
with  maximum  L/D  stretch  techniques  and  actual  winds  and  atmospheric  conditions.  For  all  other  cases, 
this  flight  and  landing  day-specific  actual  capability  line  does  not  exist,  and  the  MCC  RTLS  minimum 
energy  line  will  be  used.  This  line  is  generic  for  all  flights  and  assumes  a  forward  CG,  mid-weight, 
heavyweight  I-loads,  cold  atmosphere,  and  no  winds.  These  two  lines  generally  lie  very  close  together. 

In  the  green  region,  bailout  is  not  required.  A  green  zone  call  is  not  made  unless  the  vehicle  has 
recovered  from  the  yellow  zone  below.  ®[1 20894-1 744B] 

THIS  RULE  CONTINUED  ON  NEXT  PAGE 
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A2-251  BAILOUT  (CONTINUED) 

The  bailout  yellow  zone  is  defined  as  that  area  below  the  MCC  maximum  ranging  capability  line, 
described  above  (again,  when  a  max  range  line  is  not  available,  the  generic  MCC  RTLS  minimum 
energy  line  will  be  used),  but  above  the  MCC  bailout  line.  The  bailout  line  is  generic  for  all  flights  and 
represents  a  best-on-best  maximum  capability,  based  on  3  sigma  favorable  winds,  maximum  HAC  shrink, 
and  maximum  orbiter  L/D.  In  this  region,  the  a  “bailout  yellow  zone”  call  will  be  made.  Requests  are 
likely  to  be  made  for  runway/HAC  redesignation,  stretch  techniques,  arid  relaxation  ofNZ,  surface  wind, 
touchdown  point,  and  rollout  margin  constraints  to  increase  available  runways.  Below  the  maximum 
ranging  capability  line,  there  is  less  than  a  50  percent  chance  of  reaching  the  field.  In  this  region,  the 
MCC  will  only  advise  the  crew  of  the  energy  situation  and  continue  to  monitor  their  progress  in  making 
up  the  energy  shortfall.  A  final  bailout  decision  is  the  CDR’s  call.  ®[1 20894-1 744B] 

The  bailout  red  zone  is  defined  as  that  area  below  the  MCC  bailout  line  described  above.  In  this  region, 
there  is  no  chance  of  reaching  the  runway  threshold  and  the  MCC  will  recommend  bailout.  To  provide 
adequate  time  for  bailout  operations,  bailout  will  be  declared  at  an  altitude  no  lower  than  50Kft,  if 
possible.  For  ECAL  trajectories,  70Kft  is  used  to  allow  adequate  time  to  execute  a  maximum  turn  of 
180  deg  prior  to  initiating  bailout,  thus  ensuring  bailout  over  water. 

The  MCC  will  recommend  a  bank  angle  in  order  to  improve  recovery  effectiveness  or  to  steer  away  from 
populated  areas.  Analysis  has  shown  that  a  bank  angle  of  greater  than  10  deg  can  cause  the  vehicle  to 
turn  a  full  360  deg  of  heading  with  impact  occurring  in  the  crew  bailout  landing  area.  If  bailout  is 
required  during  an  ECAL,  a  turn  to  a  standard  heading  of  120  deg  will  be  made  to  avoid  orbiter  land 
impact  and  to  provide  search  and  rescue  (SAR)  forces  with  a  consistent  heading  with  which  to  begin 
rescue  operations,  un  less  the  FDO  can  determine  a  more  favorable  heading  based  on  knowledge  of  the 
positions  and  poten  tial  ranging  capability  of  the  SAR  forces.  ®[1 20894-1 744B] 


A2-252  GCA  CRITERIA 

IF  THE  TRAJECTORY  DIVERGES  AND  APPROACHES  ENERGY  LIMITS  POST¬ 
TRACKING,  CSS  WILL  BE  SELECTED  AND  GCA  PERFORMED.  AUTO  GUIDANCE 
WILL  BE  RESELECTED  WHEN  ENERGY  AND  NAVIGATION  ARE  WITHIN  LIMITS, 
THE  GCA  WILL  ALSO  BE  TERMINATED  WHEN  THE  CREW  TAKES  OVER  AFTER 
VISUAL  ACQUISITION  OF  THE  RUNWAY.  @[120894-1663] 


Generally,  the  entry  trajectory  can  get  into  an  off-nominal  emergency  situation  by  (1)  incorporating 
erroneous  navigation  data  into  guidance  and  flight  control,  and  (2)  selecting  an  incorrect  or  invalid 
landing  site.  Performing  GCA  provides  a  possibility  of  making  the  runway. 
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A2-253  ENERGY  MANAGEMENT 

IF  INSUFFICIENT  OR  EXCESS  ENERGY  EXISTS  TO  ACHIEVE  THE  TARGETED 
APPROACH  TO  THE  SELECTED  RUNWAY,  THE  FOLLOWING  OPTIONS  WILL  BE 
EVALUATED  FOR  CORRECTION  OF  THE  ENERGY  ERROR. 

A.  OVERHEAD/STRAIGHT-IN  HAC  RESELECTION 

B.  NOMINAL/MINIMUM  ENTRY  POINT  SELECTION 

C.  RUNWAY  REDESIGNATION  -  MAY  RESULT  IN  VIOLATION  OF  TOUCHDOWN, 
BRAKING,  AND/OR  ROLLOUT  MARGIN  CONSTRAINTS 

D.  GROUND  CONTROLLED  APPROACH  (GCA) 

Several  options  are  available  to  correct  a  bad  energy  situation.  These  options  include  HAC  reselection 
(overhead/straight-in),  runway  redesignation,  final  approach  entry  point  downmoding  (NEP/  MEP),  or 
GCA.  No  action  will  be  recommended  until  data  shows  that  the  energy  error  is  large  enough  that  the 
prime  selected  runway/HAC  cannot  be  achieved  or  will  cause  the  vehicle  to  exceed  H-dot  or  g-Iimits 
while  following  auto  guidance. 

Runway  redesignation  or  HAC  reselection  are  both  very  powerful  methods  of  changing  the  required 
range-to-go  (energy  requirements).  These  two  methods  are  preferred  since  valid  guidance  commands 
are  available.  Runway  redesignation  may  be  recommended  over  HAC  reselection,  based  on  the  amount 
of  energy  correction  required.  The  approach  direction  relative  to  the  run  way  layout  will  define  which  is 
the  most  effective  option  for  correcting  the  energy  error  (range  error).  Redesignation  may  result  in 
selection  of  a  runway  which  violates  some  of  the  touchdown,  rollout,  or  brake  energy  constraints. 
Reaching  the  runway  final  approach  within  an  acceptable  energy  corridor  has  priority  over  satisfying 
the  touchdown  and  rollout  constraints.  All  efforts  will  be  made  to  redesignate  to  runways  which  satisfy 
the  touchdown  and  rollout  criteria. 

Downmoding  the  final  approach  entry  point  (NEP  to  MEP)  does  provide  valid  guidance  commands; 
however,  the  MEP  selection  greatly  reduces  the  amount  of  time  available  for  trajectory  corrections  on 
final  approach.  (NEP  intercepts  final  approach  at  approximately  12Kfeet;  MEP  is  at  approximately  6K 
feet.)  Once  each  of  the  above  options  has  been  evaluated  and  excessive  energy  error  persists,  a  GCA 
will  be  required.  The  GCA  may  include  HAC  or  runway  reselection  and  will  require  action  outside  of 
the  current  guidance  capability  in  order  to  correct  the  range  error. 
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A2-254  ENTRY  STRING  REASSIGNMENT 

A.  PRIOR  TO  MM  304,  RESTRINGING  WILL  BE  PERFORMED  TO  REGAIN  FULL 
CAPABILITY  FOLLOWING  A  GPC  FAILURE. 

The  timeframe  between  post-deorbit  burn  and  the  transition  to  MM  304  is  generally  quiet  from  a 
computer  point  of  view  and  crew  workload.  As  such,  the  risk  of  restringing  is  considered  to  be  low. 
Consequently,  restringing  will  be  performed  to  regain  full  capability  for  the  dynamic  phases  of  entry 
(MM  304/305). 

B.  RESTRING  GPC/STRING  COMBINATIONS  WILL  BE  SELECTED  WHICH 
MOVE  THE  LEAST  NUMBER  OF  STRINGS  WHILE  SATISFYING  CRITICAL 
CAPABILITY  OR  ONE-FAULT  TOLERANT  REQUIREMENTS  AS  IDENTIFIED 
IN  PARAGRAPH  C. 

The  greater  the  number  of  strings  moved  during  a  restring  attempt,  the  more  complicated  the  restring 
process.  With  this  in  mind,  “good”  strings  should  not  be  taken  from  “good”  GPC’s  unless  there  is  no 
other  method  of  satisfying  the  identified  requirements  in  orbiter  systems. 

C.  DURING  ENTRY/GRTLS  (MM  304,  305,  602,  AND  603),  RESTRINGING 

WILL  BE  PERFORMED  AS  FOLLOWS  (TIME  PERMITTING)  TO  REGAIN  THE 
FOLLOWING  CRITICAL  SYSTEMS  CAPABILITY: 

Certain  systems  capabilities  are  required  to  be  maintained  for  safety  considerations  where  the  BFS 
cannot  provide  additional  systems  capability. 

1.  NOSE  WHEEL  STEERING  (FOR  RTLS/TAL/AOA  (KSC)  OR  ANY  SITE 
WITH  KNOWN  DIRECTION  CONTROL  PROBLEMS) . 

NWS  is  required  to  maintain  lateral  control  during  rollout  at  landing  sites  where  the  lateral  runway 
environment  is  limited.  BFS  engage  at  touchdown  to  recover  NWS  is  an  option.  However,  it  was 
determined  to  attempt  restring  during  entry  to  regain  NWS  and  accept  risk  of  BFS  engage  as  a  result 
of  the  restring  instead  of  n  ominally  engaging  the  BFS  for  this  case  at  NGTD.  Reference  Rule  (A10- 
141A},  NOSE  WHEEL  STEERING  (NWS),  for  NWS  directional  control  requirements. 

THIS  RULE  CONTINUED  ON  NEXT  PAGE 
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A2-254  ENTRY  STRING  REASSIGNMENT  (CONTINUED) 

2.  ASA  COMMAND  (MAINTAIN  TWO  ELEVON,  RUDDER,  AND  SPEEDBRAKE; 

MAINTAIN  ONE  BODY  FLAP) . 

Two  elevon,  rudder,  and  speedbrake  FCS  command  channels  (each  of  which  have  four  command 
channels)  are  required  since  flying  with  only  one  FCS  channel  on  an  actuator  is  an  uncertified  flight 
control  mode.  Only  one  of  three  body  flap  command  channels  is  required  to  maintain  acceptable  drive 
capability.  Control  may  be  available  long  enough  to  allow  restring  procedures  to  be  completed  to 
regain  the  required  FCS  channels  rather  than  defaulting  over  to  the  BFS. 

3 .  VENT  DOORS : 

a.  FORWARD/AFT  VENT  DOORS  IF  REQUIRED  TO  REGAIN  THE 
CAPABILITY  TO  OPEN  AT  LEAST  ONE  SIDE  OF  THE  FWD  AND 
AFT  COMPARTMENTS  FOR  SUFFICIENT  VENTING. 

Data  presented  at  the  Ascent/Entry  Flight  Techniques  Panel  (A/E  FTP)  #43  (August  1988)  showed  that 
adequate  venting  margins  could  be  main  tained  if  at  least  one  side  of  the  forward  and  aft  compartmen  ts  is 
opened  by  70,000 feet  altitude.  Failures  resulting  in  loss  of  open  capability  on  both  sides  of  the  forward 
or  aft  compartmen  ts  would  result  in  structured  failure  and  loss  of  crew/vehicle.  Therefore,  a  critical  bus 
reassignment  prior  to  or  at  TAEM  to  regain  the  open  capability  on  at  least  one  side  should  be 
performed,  when  applicable. 

b.  MIDBODY  VENT  DOORS:  ®[051 1 94-1 586A] 

(1)  FOR  LOSS  OF  MORE  THAN  TWO  MIDBODY  VENT  DOORS 
OR 

(2)  FOR  LOSS  OF  OPPOSING  MIDBODY  VENT  DOORS 

JSC  Engineering  presented  a  venting  analysis  of  the  modified  vent  door  configuration  (vents  4  and  7 
deleted)  at  the  A/E  FTP  #87  (February  1992).  The  data  showed  that  positive  structured  margins  exist  for 
a  nominal  entry  trajectory,  even  after  two  midbody  vent  doors  have  failed  closed.  This  analysis  was 
performed  only  for  scenarios  that  could  result  from  two  electrical/avionics  failures.  Because  opposite 
vent  door  failures  (i.e.,  left/right  5)  require  more  than  two  failures,  they  were  not  specifically  analyzed, 
but  to  assure  adequate  venting,  a  restring  should  be  performed.  JSC  Engineering  also  presented  data 
which  suggested  that  opposite  forward  and  aft  compartment  vent  doors  are  redundant  to  each  other  in 
providing  adequate  ven  ting  for  a  nominal  entry.  ®[051 1 94-1 586A] 

THIS  RULE  CONTINUED  ON  NEXT  PAGE 
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A2-254  ENTRY  STRING  REASSIGNMENT  (CONTINUED) 

The  A/E  FTP  # 87  members  concluded  that  a  critical  bus  reassignment  should  only  be  performed  after 
loss  of  more  than  two  midbody  vents  has  occurred  for  either  vehicle  configuration.  Restringing  for  these 
cases  provides  the  most  pruden  t  ven  ting  management  plan,  trading  the  effects  of  a  poten  tially  dispersed 
entry  trajectory  with  the  potential  risks  of  a  dynamic  restring  of  flight-critical  buses. 

4.  MPS  LH2  MANIFOLD  ENTRY  PRESSURIZATION  (FOR  RTLS/TAL) . 

@[022802-5221  ] 

There  is  insufficien  t  time  on  RTLS  and  TAL  entries  to  dump  all  hydrogen  from  the  Main  Propulsion 
System  (MPS)  LH2  manifold.  The  pressurization  of  the  LH2  manifold  with  helium  prevents  air  from 
being  ingested  into  the  manifold  during  entry.  The  loss  of  this  helium  pressurization  will  result  in  the 
creation  of  cm  explosive  mixture  in  the  LH2  manifold  as  air  is  ingested  and  mixes  with  the  hydrogen 
residuals.  Although  difficult  to  quantify,  the  hazard  to  the  flight  crew  from  an  explosive  mixture  in  the 
MPS  LH2  manifold  represents  cm  unnecessary  risk.  At  the  A/E  FTP  # 168  ( October  27,  2000),  it  was 
decided  that  the  recovery  technique  for  the  loss  ofLH2  manifold  pressurization  could  be  a  switch  throw, 
temporary  port  mode  (to  latch  the  LH2  manifold  pressurization  commands),  or  restring.  In  general,  a 
switch  throw  will  be  attempted  before  a  port  mode,  which  will  be  attempted  before  a  restring;  however, 
the  recovery  technique  used  will  depend  upon  the  specific  flight  phase  and  failure  scenario  present  in  the 
orbiter.  @[022802-5221  ] 

D.  RESTRINGING  WILL  NOT  BE  PERFORMED  WITHOUT  PRIOR  MCC 
COORDINATION. 

The  MCC  is  prime  for  determin  ing  when  restringing  is  required  as  a  result  of  mu  ltiple  failures  and  the 
resulting  GPC/string  assignments  required  to  satisfy  critical  capability  and  systems  fault  tolerance  as 
iden  tified  in  the  preceding  rules.  The  MCC  is  prime  for  determin  ing  the  acceptability  of  restringing 
based  upon  the  failure  signature  and  conditions  and  for  determining  cm  acceptable  data  bus 
reassignmen  t  configuration.  As  a  min  imum,  voice  description  of  the  failu  re  and  identification  of  the 
proposed  bus  reassignment  must  be  coordinated  with  the  MCC  prior  to  performing  any  restring. 

E.  FOR  A  SINGLE  GPC  FAILURE,  RESTRINGING  WILL  NOT  BE  PERFORMED 
AFTER  El  MINUS  5  MINUTES. 

El  minus  5  minu  tes  was  selected  as  the  last  time  for  which  restringing  would  be  performed  as  a  result  of 
a  single  GPC  failure  in  order  to  allow  recovery  time  prior  to  El  to  regain  PASS  capability  should  the 
restring  be  unsuccessful. 
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A2-254  ENTRY  STRING  REASSIGNMENT  (CONTINUED) 

F.  RESTRINGING  WILL  NOT  BE  PERFORMED  AFTER  HAC  INTERCEPT. 

Crew  workload  increases  after  HAC  acquisition  as  concentration  is  directed  towards  the  immediate 
landing  tasks.  Restringing  will  not  be  performed  during  this  timeframe  so  as  not  to  divert  crew  attention 
away  from  the  critical  landing  phase  tasks.  Although  no  fault  tolerance  exists,  the  exposure  to  the  next 
failure  is  minimized  since  the  time  between  HAC  intercept  and  touchdown  is  relatively  short. 

G.  RESTRINGING  WILL  BE  PERFORMED  TO  REGAIN  CRITICAL  CAPABILITY 
INDEPENDENT  OF  THE  BFS  STATUS.  FOR  CASES  WHERE  RESTRINGING 
IS  ACCEPTABLE  TO  REGAIN  FAULT  TOLERANCE  (REF.  PARAGRAPH  A), 
AN  ENGAGEABLE  BFS  MUST  BE  AVAILABLE. 

The  BFS  is  normally  required  when  restringing  is  performed  as  a  precaution  against  the  low  probability 
occurrence  that  the  restring  action  may  result  in  loss  of  the  PASS  set.  However,  when  the  vehicle  has 
sustained  failures  such  that  less  than  critical  capability  remains  (a  capability  which  must  be  maintained 
or  a  loss  of  crew/vehicle  will  result),  restringing  will  be  performed  to  regain  the  needed  capability 
independent  of  the  BFS  status  in  order  to  main  tain  the  flying  status  of  the  orbiter. 

If  the  BFS  is  not  available  and  less  than  critical  capability  remains,  restring  is  allowed  to  recover  the 
PASS  capability  to  con  trol  the  orbiter.  If  the  BFS  is  available  and  conditions  are  such  that  either  a  BFS 
engage  or  a  dynamic  restring  will  recover  the  critical  capability,  restring  will  be  attempted  if  time 
permits  completion  of  the  restring  while  still  maintaining  the  BFS  engage  option. 

Rules  {A2-5j,  PORT MODING/RESTRINGING  GUIDELINE;  {A5-209},  ENTRY MPS  HELIUM 
PURGING  FOR  CRITICAL  VEHICLE  POWER/COOLING;  {A7-6},  DATA  PATH  FAILURE;  {A7-102J, 
PASS  DATA  BUS  ASSIGNMENT  CRITERIA;  {A7-105},  MDM  PORT  MODING;  {A7-52J, 
ASCENT/ENTRY  BFS  MANAGEMENT  GUIDELINES;  and  {A10-25},  APU  HIGH  SPEED 
SELECTION/SHIFT  reference  this  rule.  @[022802-5221  ]  ®[ED  ] 
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A2-255  CREW  TAKEOVER 

CREW  TAKEOVER  (DOWNMODING  FROM  AUTO  TO  CSS)  PRIOR  TO  NOMINAL 
TAKEOVER  ALTITUDE  WILL  BE  PERFORMED  FOR  THE  FOLLOWING  REASONS 
ONLY  (REF.  RULE  {A4-208},  ENTRY  TAKEOVER  RULES): 

A.  TO  AVOID  LOSS  OF  CONTROL  OF  THE  VEHICLE. 

B.  TO  PRESERVE  THE  TRAJECTORY  WITHIN  THE  TARGETED  RUNWAY  LANDING 
CAPABILITY. 

Whenever  the  crew  must  override  the  guidance  limitations  to  maintain  adequate  energy  capability  for 
reaching  the  prime  selected  runway,  the  CSS  mode  must  be  selected.  Whether  under  GCA  control  or 
manually  flying  with  visual  assistance,  the  crew  must  select  CSS  and  bypass  the  onboard  guidance 
commands. 

C.  DELTA  STATE  UPDATES: 

1.  ANY  POSITION  AND  VELOCITY  DELTA  STATE. 

2.  A  POSITION-ONLY  DELTA  STATE  BETWEEN  M5  AND  TAEM  (M2 . 5  FOR 
EOM/AOA,  M3. 2  FOR  RTLS) . 

CSS  mode  is  required  for  all  position/velocity  delta  states  to  avoid  severe  attitude  transients  once  the 
onboard  NAV  is  updated.  For  OPS  3  position-only  delta  states  between  M5  and  TAEM,  CSS  must  be 
selected  to  avoid  strong  attitude  transients.  MM  304  entry  guidance  will  very  aggressively  attempt  to 
remove  energy  errors  by  TAEM  interface  (M2. 5).  Above  M5,  the  guidance  has  more  time  to  correct 
energy  errors.  Therefore,  position  delta  states  above  M5  should  not  cause  severe  transients.  After  the 
energy  has  converged  close  to  nominal,  the  crew  can  reselect  auto.  GRTLS  guidance  is  not  as 
aggressive  as  OPS  3  guidance  in  removal  of  energy  errors  by  TAEM  in  terface  (M3. 2).  @[052401 -4524A] 

D.  GPS  NAVIGATION  UPDATES  WHEN  PERFORMED  AS  AN  ALTERNATIVE  TO 
DELTA  STATE  UPDATES. 

Once  GPS  state  vector  accuracy  has  been  confirmed  with  ground  filter  solutions,  a  GPS  update  is 
preferred  over  the  delta  state  update  process  to  correct  onboard  navigation  errors  that  exceed  flight  rule 
limits.  Metering  logic,  which  limits  the  updates  to  the  user  parameter  reset  state,  may  be  overridden 
prior  to  the  GPS  force  procedure  to  expedite  the  time  required  to  update  the  user  parameter  reset  state. 

If  metering  is  overridden,  CSS  mode  is  required  for  all  GPS  to  NAV  force  operations  to  avoid  severe 
attitude  transients  once  the  user  parameter  reset  state  is  updated.  @[052401 -4524A] 
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A2-256  EARLY  POWERDOWN 

EARLY  POWERDOWNS  ARE  DEFINED  AS  REMOVAL  OF  POWER  FROM  THE  ORBITER 
ELECTRICAL  BUSES  PRIOR  TO  EOM  POWERDOWN.  EARLY  POWERDOWN  WILL 
BE  ACCOMPLISHED  FOR  ELS  LANDINGS,  FAILURE  OF  THE  COOLING  CART, 

ANY  ORBITER  MALFUNCTIONS  THAT  CONSTITUTE  A  SAFETY  HAZARD  (E.G., 
FUEL  LEAK) ,  OR  THE  THREAT  OF  SIGNIFICANT  ORBITER  EQUIPMENT 
DAMAGE.  IN  ALL  CASES,  THIS  WILL  BE  WITHOUT  REGARD  TO  THE 
INTEGRITY  OF  ANY  RETURNED  PAYLOAD. 

A2-257  DEORBIT  BURN  TERMINATION 

THE  DEORBIT  BURN  WILL  BE  TERMINATED  (PRIOR  TO  EXCEEDING  A  SAFE 
PERIGEE  AS  PROVIDED  ON  THE  DEORBIT/ENTRY/LANDING  (DEL)  PAD  FOR 
THE  FOLLOWING  FAILURES: 

A.  OMS  PROPELLANT  TANK  (ABOVE  SINGLE  TANK  COMPLETION  HP  ON  DEL 
PAD)  . 

B.  PASS  REDUNDANT  SET  FAIL  OR  RS  SPLIT  FOR  WHICH  RECOVERY  HAS 
NOT  BEEN  ATTEMPTED. 

C.  IMU  DILEMMA. 

D.  TWO  MAIN  BUSES. 

E.  TWO  OMS  ENGINES  (IF  RCS  DOWNMODE  CAPABILITY  DOES  NOT  EXIST). 


The  deorbit  burn  will  be  terminated  for  systems  failures  which  preclude  controllability  or  the  ability  to 
perform  a  safe  entry.  Loss  of  fault-tolerance  will  not  be  cause  for  terminating  the  deorbit  burn. 

For  failure  of  both  OMS  engines,  propellant  may  not  be  available  to  complete  the  deorbit  burn  with  the 
RCS  +X  jets  to  the  original  targets.  The  deorbit  burn  must  be  terminated  and  retargeted  to  shallower 
targets.  This  retargeting  will  require  a  24-hour  deorbit  delay. 


A2-258  BFS  ENGAGE 

BFS  WILL  BE  ENGAGED  IN  ENTRY  FOR  THE  FOLLOWING: 

A.  LOSS  OF  REDUNDANT  SET. 

B.  LOSS  OF  CONTROL. 

Reference  Rule  (A7-1 },  PASS  DPS  FAILURE.  ®[07i 494-1 636  ] 
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A2-259  CHASE  AIRCRAFT  OPERATIONS 

A.  T-38  CHASE  AIRCRAFT  WILL  BE  UTILIZED  ON  AN  "AS  REQUIRED" 
BASIS . 


T-38  chase  aircraft  can  be  used  to  provide  photo  documentation  of  orbiter  condition  and  damage  prior 
to  touchdown  and  rollout,  visual  inspection  for  fluids,  flames,  gear  door  damage,  etc.,  backup  for 
altitude  and  airspeed,  visual  call  to  orbiter  crew  in  case  of  wind  screen  obscurations,  and  downlink  TV  to 
NASA/PAO. 

B.  T-38  CHASE  RENDEZVOUS  WILL  BE  DISCONTINUED  IF: 

1.  VISUAL/RADAR  CONTACT  NOT  ESTABLISHED  WITHIN  1  MINUTE  OF 
ORBITER  RENDEZVOUS  POINT  AT  40K  FEET  MSL 

2.  VISUAL  CONTACT  NOT  ESTABLISHED  WHEN  WITHIN  4  NM  AS 
REPORTED  BY  RADAR  CONTROLLER  DIRECTING  THE  INTERCEPT 

3.  CHASE  RENDEZVOUS  NOT  COMPLETE  BY  PREFLARE 

4.  VISUAL  CONTACT  LOST  AFTER  RENDEZVOUS 

The  T-38  chase  aircraft  will  break  off  from  the  rendezvous  attempt  when  it  is  considered  unsafe  to 
con  tinue.  Attempting  a  join-up  without  visual  contact  could  result  in  vehicle  collision  or  create  a 
situation  that  would  cause  the  orbiter  to  maneuver  to  avoid  impact.  Chase  aircraft  procedures  are  found 
in  Aircraft  Operating  Procedures,  Volume  1,  T-38A  Aircraft. 

C.  CHASE  AIRCRAFT  WILL  MAINTAIN  A  MINIMUM  LATERAL  SEPARATION  OF 
200  FEET  FROM  THE  ORBITER  DURING  THE  AUTOLAND  PORTION  OF  THE 
LANDING  APPROACH. 

The  orbiter  autoland  flight  path  characteristics  are  unpredictable  and  may  be  abrupt.  A  200-foot  T-38 
chase  aircraft  separation  will  allow  the  chase  pilot  adequate  time  to  safely  avoid  unexpected  orbiter 
maneuvers. 
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A2-260  ENTRY  LOAD  MINIMIZATION 

IF  IT  IS  REQUIRED  TO  MINIMIZE  ENTRY  LOADS,  THE  FOLLOWING  STEPS 
WILL  BE  CONSIDERED: 

A.  DELETE  ENTRY  TEST  MANEUVERS  . 

B.  SELECT  RUNWAY  AND  HAC  TO  MINIMIZE  TAILWIND  COMPONENT  AT  HAC 
INTERCEPT . 

C.  SELECT  AN  SLS  IF  SIGNIFICANT  WINDS  AND/OR  TURBULENCE  CANNOT 
BE  AVOIDED  AT  THE  PLS . 

Reference  Rule  {A10-203B},  PLBD  CRITICAL  LATCHES. 
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A2-261  ENTRY  DTO/AUTO  MODE /CROSSWIND  DTP  GO/NO-GO 


FAILURE  OF 

AERO  PTI  DTO 

AUTO  MODE 

XWIND  DTO 

NO-GO 

NO-GO  [11 

NO-GO 

[10[ 

APU/HYD 

1  APU 

[3] 

X 

2  APU 

f31 

X 

X 

DISPLAYS 

2  ADI'S 

X 

CDR  HUD 

X 

(IF  NO  PAPI’S  AND  BALL  BAR) 

CONTROLLERS 

RHC:  1  LCH 

X 

L  RHC 

X 

2LAND2R 

[3] 

X 

X 

RPTA:  2LOR2R 

X 

[91 

GNC 

2  AA’S  (LAT) 

[3] 

X 

X 

2  AA’S  (NORM) 

[12] 

X  (<M  2.5) 

X  (<M  2.5) 

2  RGA'S 

[3] 

X 

X 

2  IMU  (OR  1  IMU  +  BITE) 

[3] 

X 

X 

2  ADTA’S 

[5] 

X 

ADTA  NOT  INCORP 

X  (<M  2)  [7] 

FCSCH:  2ELEV 

[3] 

X 

X 

2  S/B 

[3] 

X 

X 

2  RUD 

[3] 

X 

X 

2  BF 

[3] 

X 

X 

RDDU:  2  POWER  SUPPLY  (A,  B,  OR  C) 

X 

LOSS  OF  WOW/WONG  NO  SSME  REPOSITIONING 

X 

DPS 

GPC  1  (NOT  RSTNG) 

X 

GPC  2  (NOT  RSTNG) 

X 

GPC  3  (NOT  RSTNG) 

X 

2 GPC  (RSTNG) 

X 

2  GPC  (NOT  RSTNG) 

X 

X  (<M  2.5)  [12] 

X 

FF1 

X 

FF2 

X 

FF3 

X 

2  FF 

X 

X  (<M  2.5)  [12] 

X 

2  FA 

X 

X 

AFT  RCS 

LEAK 

X 

2  YAW  JETS  ON  SAME  SIDE 

X 

1  YAW  JET  AND  CG  OUTSIDE  NOM  LIMITS 

X 

2  P  JETS,  SAME  SIDE,  SAME  DIR 

X  (q<40) 

MIN  RCS  QTY 

X 

FWD  RCS  (FWD  RCS  DTO  ONLY) 

2  YAW  JETS  SAME  SIDE 

X 

MIN  FWD  RCS  QTY 

[2] 

X 

LEAK 

X 

LOSE  LK  DETECT 

[8] 

LOSE  FAIL  OFF  DETECT 

[8] 

LOSS  OF  FRCS  GAUGING 

X 

PROP  BULK  TK  TEMP  <70°  F 

X 

@[090894-1562]  ®[1 1 1094-1 690B]  @[0411 96-1 782A]  @[041 097-4890A] 


THIS  RULE  CONTINUED  ON  NEXT  PAGE 


VOLUME  A  11/21/02  FINAL,  PCN-1  FLIGHT  OPERATIONS  2-247 

Verify  that  this  is  the  correct  version  before  use. 


NASA  -  JOHNSON  SPACE  CENTER 


FLIGHT  RULES 


A2-261 


ENTRY  DTO/AUTO  MODE/CROSSWIND  DTP  GO/NO-GO 
(CONTINUED) 


FAILURE  OF 


LANDING/DECEL 


TIRE  (LEAK) 
ISOL  VLV 
<100%  BRAKES 
NWS 


XRANGE  >  DTO  XRANGE  LIMIT 


?  PRIOR  TO  FIRST  ROLL  REVERSAL 
?  AFTER  FIRST  ROLL  REVERSAL 


TRIM/RATES 

AIL  >±1.5° 

ELEV  >  3°  (FROM  EXPECTED) 
RATES  (PTI) 

PITCH  >  3  DEG/SEC 
YAW  >  3  DEG/SEC 
ROLL  >  7  DEG/SEC 


DOWNMODE 

FCS  PROBLEM  [3 

AOA 


ENERGY  OFF  NOMINAL 

ROLL  REF.  ALERT 
ABOVE  UPPER  TRAJ  LINE 
NAV  PROBLEM  REQ  MCC  GCA  OR  VEL 
AND  POS  UPDATE 
NO  A/L  BY  6K 


PLB 

PLBD LATCHES 


DATA 

OPS  RECORDERS 


GROUND  SYSTEMS 


NO  RUNWAY  AIMPOINT 


XWIND 

<10  KNOTS  PEAK 
>15  KNOTS  PEAK 
>10  KNOTS  GUST 


VENT  DOORS  (FWD  RCS  DTO  ONLY 


ANY  OPEN  VENT  DOOR  (FWD,  MID, 
AFT) 


®[1 11 094-1 690B]  @[0411 96-1 782A]  @[041 097-4890A] 


AERO  PTI  DTO 
NO-GO 
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(CONTINUED) 

NOTES: 

[1]  GROUND  OR  CREW  CALL. 

[2]  PROVIDED  BY  FLIGHT-SPECIFIC  ANNEX. 

[3]  RETARGET  TO  REQUIRED  RUNWAY  IF  AVAILABLE  (REF.  RULE  {A2-207},  LANDING  SITE  SELECTION). 

®[ED  ] 

[4]  CRITICAL  LATCH  RULE  {A1 0-203B},  PLBD  CRITICAL  LATCHES,  APPLIES. 

[5]  PTI's  AUTOMATICALLY  INHIBITED  BELOW  M  =  2.5  WITHOUT  AIR  DATA. 

[6]  GROUND  CALL  REQUIRED  FOR  INITIATION  OF  PTI’s  (REF.  RULE  {A4-209},  AERO  TEST  MANEUVERS).  VALID 
TELEMETRY  REQUIRED  FOR  EVALUATION  OF  ORBITER  ENERGY  STATE  AND  DRAG  PROFILE.  ®[ED  ] 

[7]  RESERVED  ®[041 196-1 782A] 

[8]  DESELECT  AFFECTED  JET. 

[9]  RESERVED  ®[041 196-1 782A] 

[10]  CONSIDER  RUNWAY  REDESIGNATION  (>M  6)  TO  AVOID  CROSSWIND  LANDING. 

[11]  RESERVED 

[1 2]  PITCH  AUTO  MODE  NO-GO  FOR  M  <  2.5. 

[13]  PTI's  AUTOMATICALLY  TERMINATED  WHEN  RATE  LIMITS  EXCEEDED. 

[14]  RESERVED 

[15]  RESERVED 

[16]  RESERVED 

[17]  RESERVED  ®[041097-4890A] 

[18]  RESERVED  ®[1 1 1094-1 690B] 

[19]  RESERVED  ®[041097-4890A] 

[20]  FWD  RCS  DTO  IS  GO.  H2  CONCENTRATIONS  PREDICTED  TO  BE  WELL  BELOW  FLAMMABILITY  HAZARD. 
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(CONTINUED) 

a.  AERO  PTI DTO  NO-GO: 

The  AERO  PTI  and  Xwind  DTO’s  will  not  be  performed  when  navigation  or  flight  control  systems 
are  fail  critical.  Maintaining  single-fault  tolerance  for  AUTO  flight  control,  and  allowing  an 
acceptable  crew  workload  are  required  for  performing  the  DTO’s.  In  addition  to  be  GO  for  the 
Xwind  DTO,  single-fault  tolerance  is  required  for  the  CDR's  displays  and  controls. 

(1)  APU/HYD 

2  APU  -  If  two  APU/HYD  systems  are  lost,  the  remaining  system  must  supply  all  necessary 
loading  to  perform  entry.  PRL  will  limit  the  available  hydraulic  power  in  an  optimum 
management  scheme  in  order  to  prevent  overloading  the  single  remaining  system.  Data  has 
shown  that  entry  PTI’s  place  a  short  duration  high  load  on  a  hydraulic  system.  For  this 
reason,  aero  PTI'S  should  not  be  performed  in  order  to  minimize  stress  on  the  single 
APU/HYD  system. 

(2)  DISPLAYS 

(a)  ADI 

AERO  PTI  DTO: 

The  ADI  is  required  to  monitor  vehicle  attitude  and  rates  for  crew  takeover. 

(b)  CDRHUD 
XWIND  DTO: 

The  CDR  relies  on  the  HUD  for  critical  landing  data  and  cues.  Flying  is  more  difficu  lt 
withou  t  this  instrumen  t,  and  landing  in  high  crosswinds  increases  the  level  of  difficulty. 
The  CDR’s  HUD  is  not  required  if  PAPE  s  and  ball  bar  are  available,  since  these 
landing  aids  provide  guidance  for  the  approach  and  glide  slope. 
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(CONTINUED) 

(3)  CONTROLLERS 

(a)  RHC 

L  RHC- ONE  CHNL  FAILED  L  RHC  FAILED 
XWIND  DTO: 

The  left  RHC  is  either  zero-fault  tolerant  or  failed.  It  is  very  desirable  for  the  CDR  to 
manually  control  the  vehicle  during  approach  and  landing.  For  this  reason,  the  PLT  will 
not  execute  the  DTO.  If  the  PLT  must  fly  ( left  RHC  failed),  then  it  is  prudent  to 
redesignate,  if  possible,  to  a  runway  with  more  nominal  conditions. 

TWO  RHC  CHNL ’S  FAILED  EACH  SIDE 

AERO  PTI  DTO,  XWIND  DTO: 

The  next  failure  could  cause  vehicle  control  problems  since  the  output  from  the 
remaining  two  channels  is  summed.  The  additional  maneuvers  associated  with  the 
DTO’s  increase  the  possibility  of  having  vehicle  control  problems  with  the  next  failure. 
For  these  failures,  at  least  one  of  the  flight  controller  power  switches  should  be  turned 
OFF,  and  both  when  not  being  used  (ref.  Rule  {A8-105J,  CONTROLLERS). 

(b)  RPTA 

TWO  RPTA  CHNL 's  FAILED  ONE  SIDE 
XWIND  DTO: 

The  RPTA  channels  are  zero-fault  tolerant  and  the  DTO  is  NO-GO  since  NWS  must  be 
powered  off  (ref.  Rule  {A10-141E},  NOSE  WHEEL  STEERING  (NWS)). 
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(CONTINUED) 

(4)  GNC 

(a)  AA’s 

TWO  LATERAL  AA  's  FAILED 
AERO  PTI  DTO: 

The  AA  lateral  feedback  is  used  for  turn  coordination  to  reduce  the  effects  ofIMU 
errors.  It  is  also  used  in  the  roll/yciw  channel  to  help  form  the  lateral  (Ny)  command. 
The  next  failure  could  cause  bad  vehicle  control. 

XWIND  DTO: 

The  lateral  AA  feedback  is  zero-fault  toleran  t  and  the  DTO  is  NO-GO  since  NWS  must 
be  powered  off  (ref.  Rule  {. A10-141E },  NOSE  WHEEL  STEERING  (NWS)). 

(b )  TWO  NORMAL  AA ’s  FAILED 
AERO  PTI  DTO ,  AUTO  MODE: 

The  NORM  AA  feedback  is  used  by  guidance  to  form  the  Nz  command  for  flight  control 
in  MM  305.  After  two  failures  the  system  is  zero-fault  tolerant  in  AUTO.  The  crew  is 
required  to  fly  CSS  in  pitch  in  MM  305  (ref.  Rule  (A8-5f  ACCELEROMETER 
ASSEMBLIES  (AA)  FAULT  TOLERANCE),  and  aero  PTI's  are  automatically  inhibited 
while  in  CSS. 

(c)  RGA’s 

AERO  PTI  DTO,  XWIND  DTO: 

The  system  is  zero-fault  tolerant  for  feeding  bad  vehicle  rate  data  to  the  flight  control 
system.  It  is  not  pruden  t  to  perform  the  DTO’s  since  the  added  maneuvers  increase  the 
risk  for  control  problems  with  the  next  failure. 
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ENTRY  DTO/AUTO  MODE/CROSSWIND  DTP  GO/NO-GO 
(CONTINUED) 


IMU’s 

AERO  PTI DTO ,  XWIND  DTO: 

After  the  second  IMU  failure  or  when  one  of  the  remaining  two  IMU’s  has  a  BITE,  the 
system  is  fail  critical.  In  either  case,  the  next  failure  can  cause  navigation  and  flight 
control  to  use  bad  IMU  data.  The  additional  maneuvers  associated  with  the  DTO’s 
increase  the  probability  of  vehicle  con  trol  problems  with  the  next  failure. 

ADTA’s 

TWO  ADT A’ s  FAILED 
XWIND  DTO: 

The  system  is  zero-fault  tolerant  because  the  next  failure  requires  the  crew  to  fly  theta 
limits.  Manual  flying  is  more  difficult  with  no  air  data,  and  the  higher  crosswinds 
increase  the  piloting  task. 

ADTA  NOT  INCORPORATED 

AERO  PTI  DTO,  AUTO  MODE: 

If  AD  is  not  incorporated  into  G&C  below  M=2.5,  aero  PTI’s  are  automatically 
inhibited.  If  below  M=2.0  and  AD  is  not  incorporated  into  G&C,  the  crew  is  required  to 
fly  CSS  in  the  pitch  axis  to  control  theta  limits.  Manual  speedbrake  is  required  below  5k 
feet  (ref.  Rule  / A8-111 },  GNC  AIR  DATA  SYSTEMS  MANAGEMENT  [CIL]).  Note  that 
the  XWIND  DTO  is  NO-GO  if  it  is  known  that  AD  will  not  be  incorporated  and  it  is  still 
possible  to  redesignate. 

FCSCHNL’s 

AERO  PTI  DTO,  XWIND  DTO: 

The  system  is  zero-fault  tolerant  for  being  in  an  uncertified  flight  control  mode.  The 
additional  maneuvers  associated  with  the  DTO’s  incur  more  risk  with  the  next  failure. 
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(CONTINUED) 

(g)  RIGHT  DDU 
XWIND  DTO: 

The  right  DDU  provides  power  for  NWS.  With  two  power  supplies  failed  the  DTO  is 
NO-GO  since  NWS  must  be  powered  off  (ref.  Rule  {A10-141EJ,  NOSE  WHEEL 
STEERING  (NWS). 

(h)  LOSS  OF  WOW/WONG 
XWIND  DTO: 

The  crosswinds  further  complicate  the  piloting  task  for  loss  of  WOW  or  WONG.  Both 
WOW  and  WONG  are  required  in  order  to  enable  NWS,  activate  AUTO  load  relief  and 
enter  the  rollout  DAP  mode  at  nose  gear  TD.  A  known  loss  of  WOW  or  WONG  requires 
the  crew  to  manually  set  the  WOW  and  WONG  discretes  by  pushing  the  SRB  or  ET  Sep 
pushbutton  after  nose  gear  TD.  Potential  delays  in  enabling  NWS  and  increased  piloting 
task  cause  the  DTO  to  be  NO-GO. 

Av  a  result  of  01-21  WOW  modifications,  the  only  two-failure  scenarios  of  concern 
in  volve  the  loss  of  both  WONG  discretes  (MDM,  BUS,  or  the  discretes  themselves). 

(5)  AFTRCS 

(a)  Once  a  leak  is  detected,  the  PTI’s  will  be  inhibited.  This  action  prevents  the  PTI’s  from 
occurring  while  performing  leak  troubleshooting.  The  leak  procedures  isolate  a  leg  of 
RCS  jets  at  a  time  thus  minimizing  the  amount  of  jets  available  for  attitude  control. 
Inhibiting  the  PTEs  ensures  that  any  off-nominal  perturbations  that  could  possibly  occur 
during  PTI  execu  tion  will  be  preven  ted.  If  a  nonisolatable  leak  is  presen  t  or  the  NO-GO 
criteria  is  violated  due  to  isolation  of  the  leak  (minimum  RCS  quantity,  loss  of  jets),  no 
further  PTEs  will  be  performed. 

(b)  Due  to  the  loss  of  fail-safe  redundancy  for  orbiter  control,  the  PTEs  will  not  be 
performed. 

(c)  RCS  quantity  checks  are  performed  at  different  points  during  entry.  The  minimum 
quantity  includes  3-sigma  entry  usage  at  the  check  and  PTI  usage  to  the  next  check. 

PTEs  will  be  inhibited  to  protect  3-sigma  entry  redlines.  ®[041 1 96-1 782A] 
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(CONTINUED) 

(6)  FWD  RCS 

(a)  Loss  of  two  FWD  RCS  yaw  jets  on  the  same  side  would  result  in  unbalanced  jet  firings 
during  PTFs.  The  entry  command  SOP  software  will  prevent  the  PTFs  from  occurring 
as  long  as  RCS  RM  has  deselected  the  jets.  If  the  FRCS  yaw  jets  have  become 
unavailable  prior  to  entry,  the  PTFs  will  not  be  enabled  @[090894-1562  ] . 

(b)  FWD  RCS  quantity  checks  are  performed  at  different  points  during  entry.  The  minimum 
quantity  includes  PTI  usage  to  the  next  check  and  ensures  positive  propellant  flow  from 
the  FWD  RCS. 


Tank  residual  required  to  preven  t  screen  breakdown 


6771b 

( FWD  RCS  tanks  not  designed  for  entry  use) 

+  84  lb 

Gauge  error 

761  lb 

Total  tank 

-307  lb 

Hardware  trapped 

4541b 

Minimum  usable  FWD  RCS 

+PT1  lb 

PTI  usage 

XXX  lb 

Total  quantity  check 

(c)  Once  a  leak  is  detected,  the  PTFs  will  be  inhibited.  This  action  ensures  that  the  PTFs 
will  not  occur  during  leak  isolation.  Leak  troubleshooting  consists  of  securing  the  entire 
system.  If  the  leak  is  nonisolatable  or  the  minimum  FWD  RCS  quantity  is  violated  or 
minimum  jets  violated,  the  PTFs  will  remain  inhibited. 

(d)  For  the  loss  of  RCS  RM.  the  jets  will  be  deselected  and  not  utilized  for  the  PTFs.  Per 
Rule  {A6-156},  RCS  RM  LOSS  MANAGEMENT,  jets  with  loss  ofRM  will  only  be 
selected  if  required  for  attitude  hold  or  to  maintain  fail-safe  redundancy.  Because  of  the 
risk  of  firing  jets  without  RM  and  the  low  priority  of  FWD  RCS  PTFs,  the  jets  will  not  be 
reselected  to  perform  PTFs. 

(e)  FWD  RCS  gaging  is  required  to  monitor  the  propellant  quantity  to  ensure  that  minimum 
FWD  RCS  quantity  will  not  be  violated. 

(f)  The  FWD  RCS  bulk  propellant  temperature  must  be  70  deg  F  or  greater  at  deorbit  TIG. 
This  is  required  to  prevent  ZOT’s  from  occurring  during  PTFs.  This  is  an  MCC  call 
since  the  crew  has  no  insight  into  the  parameter  during  OPS-3.  @[090894-1562  ] 

THIS  RULE  CONTINUED  ON  NEXT  PAGE 


VOLUME  A  11/21/02  FINAL,  PCN-1  FLIGHT  OPERATIONS  2-255 

Verify  that  this  is  the  correct  version  before  use. 


NASA  -  JOHNSON  SPACE  CENTER 


FLIGHT  RULES 


A2-261  ENTRY  DTO/AUTO  MODE/CROSSWIND  DTP  GO/NO-GO 
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(7)  TRIM/RATES/CG  ®[04ii 96-1 782A] 

TRIM 

( a )  AILERON  TRIM  >  ±2.0  DEGREES  ®[04i  1 96-1 782A] 

AERO  PTIDTO: 

The  aileron  trim  saturation  limit  is  3.0  degrees.  When  the  trim  reaches  2.0  degrees ,  the 
PTI’s  should  be  inhibited  to  avoid  possible  control  problems  or  high  RCS  usage.  Based 
on  SES  analysis  and  previous  flight  data,  2.0  degrees  is  a  comfortable  margin  for 
control,  while  not  being  too  restrictive.  ®[041 1 96-1 872A] 

(b )  ELEVON  TRIM  >3.0  DEGREES  (FROM  EXPECTED ) 

AERO  PTIDTO: 

The  elevator  schedule  has  a  1-degree  deadband.  Performing  PTI's  with  large  elevator 
trim  could  increase  the  level  of  difficulty  in  trimming  the  vehicle.  Three  degrees  off 
schedule  is  a  sufficiently  large  elevator  trim  limit  to  permit  aero  maneu  vers  in  any 
reasonable  flight  condition,  yet  provides  adequate  safety  margins  for  con  trol. 

XWIND  DTO: 

This  elevon  trim  condition  indicates  that  the  vehicle  is  in  an  off-nominal  configuration 
which  may  lead  to  additional  problems.  It  is  prudent  then  to  NO-GO  the  XWIND  DTO 
and  avoid  complicating  the  situation  during  A/L  and  rollout. 

(c)  VEHICLE  RATES  (PTI) 

AERO  PTIDTO: 

These  limits  are  in  the  software  and  will  automatically  inhibit  (terminate)  any  PTI  in 
progress.  The  additional  maneuvers  associated  with  the  PTEs  could  make  it  more 
difficult  for  the  FCS  to  damp  the  rates  and  regain  good  control. 
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(CONTINUED) 


(d)  CG 

AERO  PTI  DTO: 

With  the  X  or  Y  CG  out  of  the  nominal  CG  box,  continuous  firing  of  ARCS  jets  may  be 
required  to  maintain  attitude  control.  To  ensure  maximum  control  authority  in  cm 
uncertified  configuration,  as  well  as  to  save  propellant,  PTI’s  will  not  be  performed. 

®[041 196-1 782A] 

(8)  DOWNMODE 
FCS  PROBLEM 

AERO  PTI DTO,  AUTO  MODE,  XWIND  DTO: 

If  the  vehicle  is  experiencing  problems  with  the  FCS,  due  to  mu  ltiple  systems  failures  and/or 
unpredicted  effects  of  the  environment,  then  all  flight  control  DTO’s  are  NO-GO,  and  the 
crew  should  fly  CSS,  if  required.  The  risks  associated  with  performing  the  DTO’s  are  too 
great  while  vehicle  control  is  off-nominal. 

(9)  PLB 

PLBD  LATCHES  -  It  is  acceptable  to  perform  an  entry  with  any  one  latch  gang  (bulkhead  or 
centerline)  failed  open.  Entry  loads  should  be  minimized  (per  Rule  {A10-203B},  PLBD 
CRITICAL  LATCHES,  and  SODB  3. 4. 2. 3).  Aero  PTI's  will  not  be  performed  in  order  to 
ensure  a  nominal  entry. 

(10)  DATA 

According  to  the  sponsor  of  the  aero  PTI  DTO,  the  crew  cannot  evaluate  the  results  from 
onboard  indications.  Either  real-time  or  recorded  telemetry  is  required.  This  is  in  agreement 
with  the  DTO  requirements  as  documented  in  NSTS  16725,  Flight  Test  and  Supplementary 
Objectives  Document. 
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(CONTINUED) 

b.  XWIND  DTO  NO-GO 

(1)  APU/HYD 

1  APU  and  2  APU 

Loss  of  one  APU/HYD  system  places  the  orbiter  a  single  failure  away  from  performing 
entry/rollout  on  a  single  system.  Orbiter  handling  qualities  have  been  demonstrated  to  be 
degraded  when  only  a  single  APU/HYD  system  is  operating.  If  only  one  APU/HYD  system 
remains,  conditions  that  could  adversely  affect  the  already  degraded  handling  qualities 
should  be  avoided  if  possible.  Therefore,  if  one  or  two  APU/HYD  systems  are  lost,  the 
crosswind  DTO  should  be  NO-GO. 

(2)  LANDING/DECEL 

(a)  TIRE  {LEAK) 

For  a  confirmed  mean  gear  tire  leak,  a  landing  with  a  crosswind  from  the  side  of  the 
affected  tire  is  desirable.  If  a  leak  is  confirmed  in  a  main  or  nose  gear  tire,  the  load- 
carrying  capability  of  that  tire  is  reduced. 

(b)  BRAKE  ISOLVLV 

Loss  of  the  ability  to  open  one  brake  isolation  valve  puts  the  orbiter  one  failure  away 
from  having  only  50  percent  braking  capability.  Full  braking  capability  is  required  for 
the  crosswind  DTO  in  order  to  ensure  good  con  trol  of  the  vehicle  in  high  crosswind 
conditions. 

THIS  RULE  CONTINUED  ON  NEXT  PAGE 


VOLUME  A  11/21/02  FINAL,  PCN-1  FLIGHT  OPERATIONS  2-258 

Verify  that  this  is  the  correct  version  before  use. 


NASA  -  JOHNSON  SPACE  CENTER 


FLIGHT  RULES 


A2-261  ENTRY  DTO/AUTO  MODE/CROSSWIND  DTP  GO/NO-GO 

(CONTINUED) 


(c)  <100  PERCENT  BRAKES 


Full  braking  capability  is  required  for  the  crosswind  DTO  in  order  to  ensure  good 
con  trol  of  the  vehicle  in  high  crosswind  conditions. 

(d)  NWS 


NWS  is  the  primary  means  of  steering  the  vehicle  during  rollout.  In  a  strong  crosswind, 
differential  braking  may  not  be  sufficient  to  maintain  directional  control. 


(3)  XWIND 


(a)  <10  KNOTS  PEAK  ®[041 097-4890A] 

Winds  less  than  10  knots  are  not  within  the  DTO  limits  and  would  not  produce 
conditions  appropriate  for  collecting  the  required  DTO  data. 

(b)  >15  KNOTS  PEAK 

Crosswinds  greater  than  15  knots  peak  violate  nominal  crosswind  limits. 

(c)  >10  KNOTS  GUST  ®[041 097-4890A] 

Crosswinds  with  gusts  greater  than  10  knots  above  the  steady-state  wind  violate  nominal 
limits. 
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A2-261  ENTRY  DTO/AUTO  MODE/CROSSWIND  DTP  GO/NO-GO 

(CONTINUED) 

c.  DPS 

In  general,  DPS  failures  that  cause  aero  PTI DTO,  auto  mode,  and  crosswind  DTO  to  be  NO-GO 
are  driven  by  various  failures  in  the  GNC,  MMACS,  and/or  PROP  systems. 

GPC  1  (NOT  RSTNG),  GPC  2  (NOT  RSTNG),  FF1,  FF2  -  Crosswind  DTO  is  NO-GO  due  to  loss  of 
a  left  RHC  channel,  and  for  vehicles  without  improved  NWS,  loss  of  GPC  NWS. 

GPC  3  (NOT  RSTNG),  FF3  -  Crosswind  DTO  is  NO-GO  due  to  loss  of  a  left  RHC  channel. 

2  GPC  (RSTNG)  -  Aero  PTI  DTO  is  NO-GO  due  to  the  inherent  risk  of  another  GPC  failure  which 
would  cause  GNC  systems  violations  for  the  DTO. 

2  GPC  (NOT  RSTNG),  2  FF  -  Aero  PTI  DTO,  auto  mode  ( <M2.5),  and  crosswind  DTO  are  all  NO- 
GO  due  to  multiple  GNC  LRU  failures. 

2  FA  -  Aero  PTI  DTO  and  crosswind  DTO  are  NO-GO  due  to  multiple  GNC  LRU  failures.  The 
aero  PTI  DTO  is  also  NO-GO  due  to  two  aft  jets  being  down. 

For  additional  technical  information  concerning  the  rationale  for  aero  PTI  DTO,  auto  mode,  and 
crosswind  DTO  NO-GO  requiremen  ts,  refer  to  the  rationale  for  the  GNC,  MMACS,  and  PROP 
systems.  ®[041 097-4890A] 
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A2-262  LANDING  DTP'S 

A.  BRAKING  OR  NOSE  WHEEL  STEERING  DTO  TASKS  MAY  BE  PERFORMED  ON 
DAYLIGHT  LANDINGS  REGARDLESS  OF  THE  WEIGHT / CG  OR  FLIGHT 
DURATION.  ®[1 1 1 894-1 690B] 

B.  BRAKING  DTO  TASKS  MAY  BE  PERFORMED  ON  NIGHT  LANDINGS  SO  LONG 
AS  THEY  INVOLVE  ONLY  VARIATIONS  IN  BRAKING  PROFILE  OR 
DECELERATION  LEVEL.  NO  DTO  STEERING  TASKS  USING  DIFFERENTIAL 
BRAKING  WILL  BE  PERFORMED  ON  NIGHT  LANDINGS  .  ®[1 11 894-1 690B] 

C.  NO  DTO  STEERING  TASKS  USING  DIFFERENTIAL  BRAKING  OR  NWS  WILL 
BE  PERFORMED  ON  NIGHT  LANDINGS.  ®[1 1 1894-1 690B] 

D.  CROSSWIND  LANDING  DTO' S  ABOVE  12  KNOTS  PEAK  WILL  NOT  BE 
PERFORMED  ON  NIGHT  LANDINGS  OR  EXTENDED  DURATION  ORBITER 
(EDO)  FLIGHTS.  ®[111 894-1 690B] 

Braking  or  nose  wheel  steering  testing  is  acceptable  during  daylight  landings  since  vehicle  weight  and  CG 
have  minimal  effects  on  the  rollout  piloting  task,  and  visual  cues  are  available  to  the  crew  to  assess  test 
inputs/results.  Braking  tests  at  night  are  acceptable  if  they  only  involve  basic  braking  functions  such  as 
varying  the  deceleration  levels  or  specific  braking  profile.  Steering  task  DTO’s  involving  either 
differen  tial  braking  or  nosewheel  steering  are  not  acceptable  at  night  due  to  the  loss  of  visual  cues  and 
runway  shadowing  effects  which  put  the  crew  and  orbiter  at  unnecessary  additional  risk.  The  crosswind 
limit  for  EDO  or  night  flights  has  been  set  at  12  knots  regardless  of  where  you  land.  You  may  land  with  a 
crosswind  between  8  and  12  knots  and  still  meet  the  crosswind  DTO  requirements,  but  the  peak  wind  will 
not  be  allowed  to  exceed  12  knots  and  approach  the  15-knot  normal  crosswind  DTO  limit.  ®[ED  ] 

E.  THE  CROSSWIND  DTO  MAY  RESULT  IN  EXCEPTIONS  TO  RULE  {A10-143}, 
DRAG  CHUTE  DEPLOY  TECHNIQUES. 

If  the  crosswincl  DTO  is  GO  per  Rule  (A2-261J,  ENTRY  DTO/AUTO  MODE/CROSSWIND  DTO 
GO/NO-GO,  the  drag  chute  will  be  deployed  after  NGTD,  as  stated  in  the  applicable  Flight  Rule  Annex. 
®[041097-4890A] 

F.  LANDING  AND  ROLLOUT  DTO' S  WILL  NOT  BE  PERFORMED  ON  ABORTS 
(RTLS ,  TAL,  AOA,  FD1  PLS)  UNLESS  THEY  ARE  DATA  GATHERING 
ONLY,  INVOLVE  NO  CREW  ACTIONS,  AND  POSE  NO  ADDITIONAL  RISK  TO 
THE  CREW  OR  VEHICLE.  HOWEVER,  DATA  FROM  ANY  ABORT  LANDING 
MAY  BE  USED  TO  SATISFY  PROGRAM  DTO  OBJECTIVES.  ®[1 00997-6294A] 

Programmatic  risk  is  high  during  an  abort.  Additional  risk  or  crew  distraction  should  not  be  incurred 
for  the  sake  of  engineering  data  that  can  more  safely  be  obtained  on  another  flight.  However,  some 
DTO’s  are  data  gathering  only  and  are  transparent  to  the  crew;  these  are  allowed.  Some  DTO’s  cannot 
be  avoided  ( e.  g. ,  crosswincl  landings )  during  aborts  and  thus  will  be  accomplished  anyway.  This  rule 
means  that  off-nominal  crew  actions  (such  as  delayed  drag  chute  deploy  for  the  crosswind  DTO)  will  not 
be  performed.  ®[1 00997-6294A] 
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A2-263 


STA/WEATHER  AIRCRAFT  RUNWAY  APPROACH  OPERATIONS 
FOR  SITES  WITH  ONLY  ONE  RUNWAY 


A.  PRELAUNCH  (RTLS/TAL) /PREDEORBIT  ( AOA/EOM) 

STA  AND/OR  WEATHER  AIRCRAFT  APPROACHES  TO  PLANNED  LANDING 
SITES  WITH  ONLY  ONE  RUNWAY  (OPPOSITE  END  MAY  OR  MAY  NOT  BE 
AVAILABLE)  MAY  BE  PERFORMED  AS  REQUIRED  TO  ASSESS 
NAVAID /VIS IBI LITY  STATUS.  ONCE  THE  FINAL  GO  FOR  LAUNCH  OR 
THE  DEORBIT  BURN  HAS  BEEN  GIVEN,  THESE  OPERATIONS  WILL  BE 
TERMINATED  UNLESS  REQUIRED  PER  PARAGRAPH  B. 


B  . 


POSTLAUNCH 


(RTLS/TAL) /POSTDEORBIT  BURN  (AOA/EOM) 


POSTLAUNCH  OR  POSTDEORBIT  BURN,  STA  OR  WEATHER  AIRCRAFT 
APPROACHES  TO  THE  SELECTED  RUNWAY  AT  LANDING  SITES  WITH  ONLY 
ONE  RUNWAY  (OPPOSITE  END  MAY  OR  MAY  NOT  BE  AVAILABLE) ,  WILL 
ONLY  BE  DONE  IF  CONDITIONS  MAKE  SUCH  AN  APPROACH  NECESSARY. 
APPROACHES  WILL  BE  MINIMIZED  AND  WILL  BE  PERFORMED  TO  REDUCE 
THE  RISK  OF  RUNWAY  LOSS  DUE  TO  AIRCRAFT  PROBLEMS  ON  APPROACH. 
TO  REQUIRE  AN  APPROACH  POSTLAUNCH  OR  POSTDEORBIT,  A  CHANGE  OR 
CONCERN  IN  ONE  OR  MORE  OF  THE  FOLLOWING  AREAS  MUST  EXIST: 


1.  VISIBILITY. 

2.  NAVAID  STATUS /CAPABILITY. 


For  the  case  where  a  landing  facility  has  only  one  runway  ( availability  of  its  alternate  end  does  not 
matter),  approaches  to  landing  runways  are  still  performed  prelaunch  or  predeorbit  burn  to  aid  in 
assuring  that  landing  flight  rules  are  met  with  respect  to  navaid  and  visibility  status.  Such  approaches 
are  not  considered  a  threat  to  landing  prior  to  launch  or  the  deorbit  burn. 


Once  committed  to  a  runway,  approaches  to  that  runway  or  its  alternate  end,  should  not  be  done  unless 
necessary  to  confirm  the  ability  to  land  on  that  runway.  There  is  no  reason  to  continue  to  shoot 
approaches  to  the  selected  runway  if  conditions  have  not  changed  since  the  commitment  to  use  the 
runway.  If  changes  are  suspected,  however,  addition  al  approaches  may  be  performed.  If  required,  they 
will  be  done  such  that  risk  of  losing  the  runway  due  to  approach  aircraft  problems  will  be  minimized  in 
order  to  preserve  shuttle  landing  capability.  Techniques  to  accomplish  this  include  breaking  off  an 
approach  early  or  runway  flybys  vice  approaches. 
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A2-264  EMERGENCY  LANDING  FACILITY  CRITERIA 

THIS  RULE  DOCUMENTS  THE  MINIMUM  ACCEPTABLE  LANDING  FACILITY 
REQUIREMENTS  FOR  COMMITMENT  TO  AN  EMERGENCY  LANDING  VERSUS 
BAILOUT.  IT  APPLIES  FOR  ALL  LANDINGS.  ®[1 20894-1 744B] 

A.  RUNWAY  AT  LEAST  7500  FT  LONG  AND  130  FT  WIDE.  ®[1 1 0900-3733C] 

B.  RUNWAY  COORDINATES  RESIDENT  IN  THE  ONBOARD  SOFTWARE  OR 
AVAILABLE  FOR  UPLINK. 

C.  OPERATIONAL  TACAN  OR  DME  WITHIN  50  NM  OF  THE  SITE,  AVAILABLE 
FOR  INCORPORATION  INTO  THE  NAV  (MAY  REQUIRE  UPLINK) . 

D.  AIRSPACE  AND  RUNWAY  CLEAR. 

E.  CONFIRMATION  OF  FACILITY  READINESS  FOR  ORBITER  LANDING  VIA 
MCC  OR  CREW  VOICE  CONTACT  WITH  THE  AIRFIELD. 

F.  ACCEPTABLE  WEATHER  FOR  ORBITER  EMERGENCY  LANDING  OPERATIONS 
(REFERENCE  RULE  {A2-6},  LANDING  SITE  WEATHER  CRITERIA  [HC] ) - 

G.  ACCEPTABLE  LIGHTING  FOR  ORBITER  EMERGENCY  LANDING  OPERATIONS. 
IF  LANDING  AT  NIGHT  WITHOUT  XENONS,  THE  FOLLOWING  MINIMUM 
REQUIREMENTS  APPLY: 

1.  OPERATIONAL  RUNWAY  EDGE  LIGHTS 

2.  ONE  HUD  OPERATIONAL 

THIS  RULE  CONTINUED  ON  NEXT  PAGE 
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A2-264  EMERGENCY  LANDING  FACILITY  CRITERIA  (CONTINUED) 

Due  to  the  inherent  hazards  of  an  orbiter  landing,  especially  at  a  non-augmented  facility,  adequate  site 
readiness  must  be  ensured  before  a  landing  will  be  attempted.  The  runway  to  be  used  must  be  of 
sufficient  length  and  width  to  accommodate  a  safe  orbiter  landing.  The  130  ft  value  corresponds  to  the 
narrowest  approved  ELS  runways  in  NSTS-07700,  Volume  X,  Book  3.  Although  the  effects  of  landing  on 
130  ft  wide  run  ways  have  not  been  evaluated  directly,  examination  of  data  from  the  2/00  Ames  VMS 
study  on  minimum  acceptable  runway  length  indicates  adequate  performance  should  be  expected.  This 
study  included  crosswinds  up  to  15  kt  on  runways  between  148ft  to  200ft  wide.  The  maximum  lateral 
excursions  seen  in  this  study  were  less  than  that  required  to  stay  on  a  130  ft  wide  runway.  Rio  Gallegos, 
Argentina,  the  only  Program-approved  Emergency  Site  <  148ft  wide,  is  considered  acceptable  given  the 
significant  gain  in  emergency  deorbit  capability  it  provides.  However,  until  a  minimum  runway  width 
study  is  performed,  any  new  runways  less  than  148  ft  being  considered  for  SSP  use  should  be  evaluated 
on  a  case-by-case  basis.  The  7500ft  length  is  based  on  studies  performed  in  the  2/00  NASA  Ames  VMS 
session  that  showed  acceptable  performance  can  be  obtained  if  additional  TD  energy  is  removed  from 
the  system.  ®[i  1 09-3733C  ] 

Prior  to  01-30,  a  manual  speedbrake  technique  can  be  used  to  stop  the  orbiter  on  a  7500ft  runway  and 
assumes  the  following:  short  field  speedbrake  logic  is  selected;  Auto  speedbrake  is  used  down  to  3000 
ft;  the  speedbrake  is  manually  set  to  the  Auto  speedbrake  retract  command  plus  20  percent  at  3000ft; 
limiting  the  maximum  speedbrake  setting  to  75  percent;  no  speedbrake  adjustment  made  at  500 ft; 
touchdown  at  195  KEAS;  at  maingear  touchdown  deploy  the  chute,  derotate,  and  set  the  speedbrake  to 
100  percent;  use  maximum  braking  at  nose  gear  touchdown.  01-30  software  changes  will  eliminate  the 
need  for  the  maimed  speedbrake  procedure.  Rule  {A4-110},  A1MP01NT,  EVALUATION  VELOCITY, 
AND  SHORT  FIELD  SELECTION,  will  define  when  the  manual  technique  is  to  be  employed.  Minimum 
runway  length  for  Space  Shuttle  purposes,  as  defined  in  Vol  X,  Book  3,  considers  usable  underruns  and 
overruns  for  runway  length.  Usable  runway  length  is  measured  from  the  threshold  (actual  or  displaced ) 
to  the  end  of  the  usable  overrun.  If  no  overrun  is  available,  usable  runway  length  is  measured  to  the 
end  of  the  usable  runway.  Refer  to  AEFTP  # 165  minutes  for  further  details.  The  runway  must  be 
residen  t  in  the  onboard  software  or  available  for  uplink  to  allow  guidance  and  navigation  aids  to  be 
used.  ®[1 1 0900-3733C] 
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A2-264  EMERGENCY  LANDING  FACILITY  CRITERIA  (CONTINUED) 

An  operational  TACAN  or  DME  is  required  to  provide  sufficient  onboard  navigation  accuracy.  The 
coordinates  must  be  resident  in  the  onboard  software  or  available  for  uplink  to  cdlow  incorporation  into 
the  navigation  state.  Fifty  miles  distance  from  the  TACAN  to  the  field  is  based  on  Monte  Carlo  analysis 
of  various  TAL  scenarios.  Redundancy  in  the  TACAN  or  its  power  supply  is  desirable  but  not  required. 
®[1 20894-1 744B] 

The  airspace  and  the  chosen  runway  must  be  clear.  MCC  or  crew  voice  contact  with  the  airfield  is 
required  to  ensure  that  the  facility  is  prepared  for  the  landing.  In  order  to  reduce  the  risk  to  the  orbiter, 
crew,  and  the  general  public/civilian  population,  it  is  necessary  that  an  intended  landing  site  be  notified 
of  an  attempted  landing  as  soon  as  possible.  This  will  allow  the  airspace  and  runways  to  be  cleared  as 
well  as  emergency  equipment  prepared.  Notification  may  be  via  state  department  prearranged  channels, 
NASA  agreed  to  communication  channels,  or  via  communication  directly  with  the  orbiter  crew. 

®[1 20894-1 744B] 

Acceptable  weather  for  orbiter  landing  operations  is  required.  These  criteria  are  documented  in  rule 
I A2-6 },  LANDING  SITE  WEATHER  CRITERIA  [HC]. 

Restrictions  are  placed  on  night  landings  due  to  a  significant  loss  of  visual  cues.  Av  a  min  imum,  runway 
edge  lights  and  a  HUD  must  be  operational  to  assist  in  visually  acquiring  the  runway  and  the  outer  glide 
slope  (if  MLS  is  not  available)  and  to  provide  a  visual  reference  during  braking  and  rollout  (regardless 
of  MLS  status). 

Rules  (A2-205J,  EMERGENCY  DEORBIT,  and  {A2 -209},  LANDING  SITE  SELECTION  FOR  AN 
INFLIGHT  EMERGENCY,  reference  this  rule.  ®[i  20894-1 744B]  ®[ED  ] 
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A2-265  SINGLE  STRING  GPS  OPERATIONS  ®[072398-6586A]  @[040899-6847  ] 

A.  THE  GPS  A/I/F  FLAGS  WILL  REMAIN  IN  INHIBIT  FOR  ANY  CERTIFIED 
FLIGHT  MODE  (NOMINAL  ASCENT,  ATO,  AO A,  TAL,  RTLS ,  ORBIT,  AND 
NOMINAL  ENTRY) .  GPS  USE  IN  THE  PASS  AND/OR  BFS  IN  OTHER  THAN 
THE  INHIBIT  MODE  MAY  BE  CONSIDERED  FOR  CONTINGENCY  CASES 
WHERE  ITS  USE  COULD  PREVENT  A  CREW  BAILOUT  AND  LOSS  OF  THE 

0  RB I T  E  R  .  ®[072398-6586A]  @[040899-6847  ] 

The  PASS  and  BFS  have  been  certified  for  flight  only  if  the  GPS  to  NAV  and  GPS  to  G&C 
auto/inhibit/force  flags  remain  in  the  inhibit  position.  Testing  has  been  performed  to  confirm  the  PASS 
and  BFS  continue  to  function  with  incorporation  of  GPS;  however,  full  certification  testing  has  not  been 
completed.  Performance  testing  of  GPS  data  incorporated  into  the  onboard  navigation  has  not  been 
completed.  Potential  contingency  scenarios  in  which  GPS  may  be  used  could  include,  but  are  not  limited 
to,  a  contingency  landing  to  a  site  with  no  ground  TACAN  or  DME  and  no  radar  tracking  support;  a 
con  tingency  landing  to  a  site  with  no  ground  MLS  and  a  low  cloud  ceiling  and  visibility;  multiple 
onboard  problems  resulting  in  an  unacceptable  navigation  state  requiring  a  command  or  manual  delta 
state  update;  multiple  IMJJ  problems  resulting  in  a  runaway  navigation  state  which  is  not  manageable 
with  delta  state  updates.  In  OPS  1  and  Major  Mode  (MM)  601,  GPS  is  only  available  for  incorporation 
in  the  BFS.  Contingency  use  of  GPS  in  OPS  1  and  MM  601  in  the  BFS  would  require  CSS  in  the  PASS  to 
fly  out  the  BFS  ADI  digital  errors,  unless  the  commander  deemed  it  necessary  to  engage  in  order  to  fly 
the  vehicle.  If  possible,  contingency  use  of  GPS  should  be  delayed  until  OPS  3  or  MM  602/603.  GPS 
state  vector  accuracies  can  be  degraded  during  powered  flight  due  to  external  tank  blockage  of  GPS 
satellite  signals.  BFS  navigation  updates  with  GPS  during  powered  flight  would  only  be  required  to 
correct  extreme  errors  which  could  result  in  unsafe  MECO  conditions.  Caution  should  be  taken  when 
using  GPS  state  vectors  with  FOM’s  >5  (650 feet  position  error  one  sigma),  since  the  estimated  position 
error  increases  rapidly  with  higher  FOM  values.  The  GPS  DTO  objectives  expected  to  be  performed  on 
single  string  GPS  missions  may  call  for  the  GPS  A/I/F  function  to  be  in  a  position  other  than  inhibit.  If 
so,  the  flight  specific  flight  rules  annex  will  document  the  exception  to  this  rule  and  specify  the  conditions 
under  which  the  DTO  objectives  will  be  performed.  @[040899-6847  ]  @[052401-4525  ] 

B.  EXCEPTIONS  TO  THIS  RULE  WILL  BE  DOCUMENTED  IN  THE  FLIGHT 
SPECIFIC  FLIGHT  RULES  ANNEX.  ®[072398-6586A] 
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A2-266  SUBSONIC  PILOT  FLIGHT  CONTROL 

AT  THE  DISCRETION  OF  THE  COMMANDER  ( CDR) ,  THE  PILOT  (PLT )  MAY  FLY 
CONTROL  STICK  STEERING  (CSS)  FOR  A  SINGLE  PERIOD  (APPROXIMATELY 
20  SECONDS)  BELOW  MACH  1.00  WITH  THE  FOLLOWING  CONSTRAINTS: 
@[082202-5636  ]  ®[ED  ] 

A.  THE  CDR  WILL  FLY  THE  ORBITER  FROM  15  SECONDS  PRIOR  TO  HAC 
INTERCEPT  THROUGH  THE  INITIAL  ROLL  ONTO  THE  HAC. 

B.  THE  CDR  WILL  FLY  FRCM  AN  ALTITUDE  AGL  OF  20,000  FT  THROUGH 
LANDING  AND  ROLLOUT. 

C.  WHEN  CSS  IS  ENGAGED,  ONBOARD  GUIDANCE  COMMANDS  WILL  BE 
FOLLOWED . 

D.  THE  CDR  WILL  FLY  (NO  TRANSFER  OF  CONTROL)  FOR  THE  FOLLOWING 
CASES : 

1.  IF  THE  MCC  RECOMMENDS  "DELAYED  CSS  PREFERRED"  PER  RULE 
{ A4- 1 56},  HAC  SELECTION  CRITERIA. 

2.  SYSTEMS  OR  NAVIGATION  PROBLEMS  THAT  REQUIRE  CSS,  PER 
RULES  { A2-2  61 } ,  ENTRY  DTO/AUTO  MODE/CROSSWIND  DTO  NO-GO, 
AND  { A4-208 } ,  ENTRY  TAKEOVER  RULES. 

3.  VEHICLE  ENERGY  PROBLEMS  REQUIRING  A  GROUND  CONTROLLED 
APPROACH  (GCA) . 

4.  ANY  ABORT  LANDING. 

5.  BFS  ENGAGED.  @[082202-5636] 
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A2-266  SUBSONIC  PILOT  FLIGHT  CONTROL  (CONTINUED) 

6.  ANY  GUIDANCE,  NAVIGATION,  OR  FLIGHT  CONTROL  SYSTEM (S) 
FAILURE  (E.G.,  CDR  HUD)  THAT  INCREASES  THE  PROBABILITY  OF 
A  TRAJECTORY  TRANSIENT  RESULTING  FROM  THE  TRANSFER  OF 
CONTROL  (MCC  CALL) .  LOSS  OF  A  SINGLE  STRING  OF 
REDUNDANCY  IN  ANY  SYSTEM  (E.G.,  ONE  AA,  ONE  FCS  CHANNEL, 
ONE  RHC  CHANNEL,  ETC.)  WITH  NO  OTHER  FAILURES  IS  NOT 
CAUSE  FOR  PRECLUDING  TRANSFER  OF  CONTROL.  @[082202-5636] 

7.  IF  THE  MCC  RECOMMENDS  NO-GO  FOR  PLT  FLYING  BASED  ON  HAC 
DYNAMICS  (E.G.,  HIGH  TAIL  WINDS  AT  HAC  INTERCEPT). 

E.  THE  PLT  IS  THE  BACKUP  TO  THE  CDR  FOR  ANY  FLIGHT  PHASES 

REQUIRING  CSS  CONTROL.  IF  REQUIRED  FOR  VEHICLE  SAFETY,  THE 
CDR  MAY  TRANSFER  CONTROL  TO  THE  PLT  AT  ANY  TIME. 

Allowing  the  PLT  to  fly  for  a  short  period  of  time  during  entry  enhances  training  and  better  prepares  the 
pilot  for  future  orbiter  flying  tasks.  Regular  in-flight  exercise  of  transfer  of  vehicle  control  between  the 
CDR  and  PLT  during  nominal  approaches  will  better  prepare  crews  for  poten  tial  off  nominal  situations 
where  an  efficien  t  transfer  of  con  trol  would  be  required  to  ensure  vehicle  and  crew  safety.  The  in  ten  t  of 
this  rule  is  to  allow  the  PLT  to  fly  for  approximately  20  seconds  during  a  single  period ,  either  prior  to 
HAC  intercept  or  once  established  on  the  HAC.  During  a  normal  entry,  there  is  sufficient  time  below 
Mach  1.00  to  allow  the  PLT  to  control  the  orbiter  and  still  cdlow  the  CDR  sufficient  time  to  complete  the 
more  critical  maneu  vers,  such  as  the  initial  roll  onto  the  HAC  and  lining  up  on  fined.  For  periods  prior 
to  HAC  intercept,  control  must  be  transferred  back  to  the  CDR  no  later  than  15  seconds  prior  to  HAC 
intercept  to  allow  the  CDR  sufficient  time  to  prepare  for  the  time-critical  maneuver  to  roll  onto  the  HAC. 
The  15-second  limit  was  chosen  based  on  flight  experience  (STS-102,  100,  108,  109,  and  110)  and  to 
make  the  best  use  of  the  onboard  cues,  primarily  the  HAC  predictor  (the  HAC  predictor  begins  flashing 
20  seconds  prior  to  HAC  intercept  and  begins  moving  10  seconds  prior  to  HAC  intercept).  For  periods 
after  HAC  intercept,  or  for  straight-in  approaches,  control  must  be  transferred  back  to  the  CDR  prior  to 
20,000 feet  altitude  above  ground  level  (AGL).  For  an  overhead  HAC  approach  this  equates  to 
approximately  the  90-degrees  to  go  point  on  the  HAC.  When  CSS  is  engaged,  onboard  guidance  will  be 
followed,  and  no  inputs  will  be  made  other  than  those  required  to  fly  to  the  glideslope  and  course 
centerline,  or  otherwise  ensure  a  safe  landing.  @[082202-5636  ]  ®[ED  ] 
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A2-266  SUBSONIC  PILOT  FLIGHT  CONTROL  (CONTINUED) 


There  are  some  cases  in  which  it  is  not  prudent  to  allow  the  PLT  to  have  this  training  time,  however.  If 
the  6  degrees  of  freedom  entry  simulation  as  explained  in  Rule  {A4-156j,  HAC  SELECTION  CRITERIA, 
indicates  that  delaying  CSS  until  a  HAC  turn  angle  of  180  degrees  is  preferred,  the  CDR  should  fly  from 
CSS  initiation  through  rollout.  For  these  HAC  cases,  energy  stops  diverging  at  the  180-degree  point  and 
begins  to  slowly  recover.  Handing  control  of  the  vehicle  between  the  CDR  and  PLT  in  this  timeframe  is 
not  prudent,  since  the  vehicle  energy  is  already  lower  than  typical  and  the  time  to  correct  any  energy 
problems  is  diminished.  Likewise  a  vehicle  problem  as  outlined  in  Rules  {A2-261},  ENTRY DTO/AUTO 
MODE/CROSSWIND  DTO  NO-GO  or  {A4-208}, ENTRY  TAKEOVER  RULES,  requires  significant 
concentration  on  the  flying  task,  and  a  handover  of  control  is  inappropriate.  Systems  failures  that  would 
invoke  this  rule  are  two  AA  failures,  no  or  single  air  data,  no  yaw  jet  flight  control  mode,  or  a  navigation 
system  anomaly  that  affects  the  vehicle  energy  state  (GCA).  In  the  event  of  an  abort,  flight  control 
handovers  between  CDR  and  PLT  should  be  avoided  due  to  the  increased  risk  inherently  associated  with 
the  abort,  and  to  eliminate  the  possibility  of  introducing  any  handover  dispersions  to  an  already 
challenging  abort  landing.  The  transfer  of  control  is  assumed  to  have  an  insignificant  impact  on  the 
vehicle  trajectory  and  energy  state,  although  arguably  that  impact  is  non-zero.  That  is,  in  most  cases  it 
is  nearly  impossible  to  transfer  vehicle  control  without  introducing  some  very  small  transient,  which  for 
the  nominal  case  is  acceptable.  However,  the  transfer  of  control  is  not  warran  ted  for  any  guidance, 
navigation,  or  flight  control  system(s)  problem)  s)  that  could  cause  a  transfer  of  control  to  result  in  more 
than  an  insignificant  impact  on  the  trajectory.  Additionally,  for  certain  HAC  dynamics  ( e. g. ,  high  tail 
winds  at  HAC  intercept),  the  flying  task  requires  more  setup  time  prior  to  HAC  intercept,  and  more  time- 
critical  inputs  before,  during,  and  after  HAC  intercept.  In  these  cases,  vehicle  energy  state  can  be  less 
forgiving  for  delayed  piloting  response  (at  HAC  intercept,  and  for  the  first  180  deg  of  HAC)  and  transfer 
of  vehicle  control  is  not  warranted.  @[082202-5636  ] 


Flight  crews  are  trained  preflight  to  transfer  control  positively  and  verbally  in  a  CRM  environment.  Any 
time  that  a  situation  occurs  that  detracts  from  the  CDR’s  ability  to  fly  the  vehicle,  it  is  acceptable  for  the 
CDR  to  hand  control  of  the  vehicle  over  to  the  PLT,  regardless  of  the  constraints  imposed  by  this  rule,  if 
required  to  ensure  a  safe  landing.  Ref.  A/E  FTP  #174,  March  30,  2001,  A/E  FTP  #184,  May  17,  2002 
and  A/E  FTP  #185,  June  28,  2002.  @[082202-5636  ] 

A2-267  THROUGH  A2-300  RULES  ARE  RESERVED  @[082202-5636] 
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A2-301  CONTINGENCY  ACTION  SUMMARY 


FAILURE 


R 

T 

L 
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O 

A 


A 

T 

O 


ENTER 

FIRST 

DAY 

PLS 

ENTER 

ASAP 

(PLS, 

SLS 

ELS) 

ENTER 

IMMED. 

MAX 

DEORBIT 

DELAY 

[84] 

[1] 

[1] 

1 

ORB 

24 

HR 

X 

X 

X 

X 

X 

X 

X 

X 

X 

X 

X 

X 

X 

X 

X 

X 

X 

X 

X 

X 

X 

X 

X 

X 

A.  GROUND  INSTRUMENTATION 

1.  REMOTE  STATIONS 

a.  EDW  LANDING 

(1)  LOSS  OF  DFRF,  GDS,  AND  TDR 
(HDR  AND  LDR) 

(2)  LOSS  OF  ALL  DFRF,  GDS,  AND 
TDRS  VOICE  (S-BAND  AND  UHF) 

(3)  LOSS  OF  DFRF,  GDS,  AND  TDRS 
CMD 


[2] 

[2] 


b.  KSC  LANDING 

(1)  LOSS  OF  MIL,  PDL,  AND  TDRS  TLM 

(HDR  AND  LDR)  [2] 

(2)  LOSS  OF  MIL,  PDL,  AND  TDRS 

VOICE  (S-BAND  AND  UHF)  [2] 

(3)  LOSS  OF  MIL,  PDL,  AND  TDRS  CMD 

c.  NOR  LANDING 

(1)  LOSS  OF  ALL  UHF  AND  TDRS  S 

BAND  VOICE  [2] 

(2)  LOSS  OF  TDRS  TLM  [2] 

(3)  LOSS  OF  TDRS  CMD 

2.  TRACK 

a.  LOSS  OF  DUAL  TRACK  SOURCES  TO 
100KFT  ALT 

b.  LOSS  OF  ALL  LANDING  AREA 

3.  MCC 

a.  LOSS  OF  MOC  AND  DSC  [3] 

b.  LOSS  OF  ALL  TPC’S 

c.  LOSS  OF  ALL  A/G  CAPABILITY 


@[121593-1590] 
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FAILURE 


B.  TRAJECTORY/GUIDANCE 

1.  TRAJECTORY 

a.  PERFORMANCE  VIOLATIONS  [5] 

b.  PROTECT  ATO  CAPABILITY 

c.  PROTECT  3  ENGINE  RTLS  GUIDANCE 
MECO 

d.  ONBOARD  PREDICTED  MECO  2  SEC 
DIFFERENT  THAN  GND  (CONFIRMED 
BY  NAV  VEL  ERRORS)  (MAN  C/O  ON 
GND  COMP  VALUE) 

e.  CG  OUTSIDE  OF  NOMINAL 
BOUNDARY 

f.  CG  OUTSIDE  CONTINGENCY 
BOUNDARY 

g.  MNVR  COMP  DOES  NOT  INCLUDE  AT 
LEAST  1  REPEAT  STDN  SITE  PASS 
FOLLOWING  A  PERIGEE  ADJUST  MNVR 

h.  PREDICTED  DOWNTRACK  ERROR  AT 
El  >20  NM 

i.  EOM  WEATHER  FORECAST 

VIOLATIONS  [38] 

2.  RANGE  SAFETY 

a.  RSO  ARM  CMD  RECEIVED  [7] 

b.  DEVIATION  TOWARDS  LIMIT  LINE  [7] 


X 

X 


X 


X 

X  X 


X 


XXX 


[9]  [9]  [9] 


X 
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FAILURE 

M 
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X 
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X 
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A 

X 

[31] 

A 

T 

O 

X 

ENTER 

FIRST 

DAY 

PLS 

[84] 

ENTER 

ASAP 

(PLS, 

SLS 

ELS) 

[1] 

ENTER 

IMMED. 

[1] 

MAX 

DEORBIT 

DELAY 

1 

ORB 

24 

HR 

C.  MPS 

1 .  MANUAL  THROTTLE  REQUIRED  FOR 

lh2  npsp 

2.  He  TK  LOST  (<750  PSI)  W/LMT  S/D  INH 

3.  CMD  PATH  FAIL 

4.  DATA  PATH  FAIL  WITH  UNVERIFIED 

CMD  PATH 

5.  CMD  AND  DATA  PATH  FAIL 

6.  2  STUCK  THROTTLE  W/3  SSME’S  ON  [8] 

7.  1  STUCK  THROTTLE  W/3  SSME’S  ON  [6] 

8.  3  ET  LOW  LVL  SENS  FAIL  DRY  SAME  TNK 

D.  OMS/RCS 

1.  QMS 

a.  LOSS  OF  1  OMS  He  TK  PRIOR  TO  OMS  1 

EB1 

b.  2  OMS  He  TK  FAIL 

(1)  PRIOR  TO  OMS  1 

D 

D 

KB1 

(2)  BETWEEN  OMS  1  AND  OMS  2  [1 2][1 5] 

[62] 

c.  1  OMS  PROP  TK  LK/FAIL  OR  2  TKS 

SAME  SIDE  LK/FAIL 

(1)  BEFORE  OMS  2  [25] 

ESI 

ran 

X 

(2)  BEFORE  DEORBIT  TIG  [1 5][1 6] 

[56] 

(3)  AFTER  DEORBIT  TIG  BUT  BEFORE 

HP  <  PROP  FAIL  HP  [1 4][1 5] 

X 

d.  2  OMS  PROP  TK  LK/FAIL,  DIFF  SIDE 

continued... 

■ 

■ 

■ 

X 

m 

■ 

■ 

X 

[13] 
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FAILURE 


D.  OMS/RCS  (continued) 

e.  2  OMS  ENG  FAIL 

(1)  BEFORE  OMS  1 

(2)  AFTER  OMS  1  [12] 

(3)  AFTER  DEORBIT  TIG  BUT  BEFORE 
HP  <  SAFE  HP 

f.  1  OMS  FAIL  AND  1  +  X  RCS  JET  FAIL 

g.  1  OMS  INLET  LINE  OR  2  SAME  SIDE 


(1)  BEFORE  OMS-2  [25] 

(2)  BEFORE  DEORBIT  TIG  [15][63] 

h.  2  OMS  INLET  LINES,  DIFF  SIDES,  SAME 
PROPELLANT 

i.  2  OMS  INLET  LINES,  DIFF  SIDES,  DIFF 

PROPELLANT  [25] 

2.  RCS 

a.  2  AFT  RCS  He/PROP  TK  LK/FAIL-DIFF 
SIDE 

(1)  DIFF  PROP  [19] 

(2)  SAME  PROP 

b.  2  AFT  JETS  SAME  AXIS/POD  FL'D  OFF 

BY  RM  [10] 


c.  1  AFT  RCS  He/PROP  TK  LK/FAIL  OR  2 
TKS  SAME  SIDE  LK/FAIL 
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FAILURE 


T  A 

A  O 

L  A 


B  ENTER  ENTER  ENTER  MAX 

A  FIRST  ASAP  IMMED.  DEORBIT 

I  DAY  (PLS,  DELAY 

L  PLS  SLS 

O  ELS) 


[1]  1  24 

ORB  HR 


1.  LOSS  OF  1  GPC 

2.  REDUNDANT  SET  FAILURE  OR  GPC 

SPLITS  [20]  [53] 

3.  LOSS  OF  BFS  WITH  A  2  OR  MORE  GPC 
PASS  SET 

4.  LOSS  OF  2  GPC'S  (SPARE  AVAILABLE) 

5.  LOSS  OF  2  PL  MDM’S 

6.  LOSS  OF  2  FA  MDM’S 

7.  LOSS  OF  2  FF  MDM’S 

8.  GPC  BITE  (MULTIPLE  GPC’S) 

9.  LOSS  OF  2  MMU’S  [83] 

F.  EECOM 

1 .  FIRE  (AV  BAY  OR  CABIN)  [58] 

2.  ARS/PCS 


[60][39] 


a.  LOSS  OF  2  CABIN  FANS  [i 

b.  LOSS  OF  AV  BAY  COOLING  IN  BAY  1 
OR  2 


c.  LOSS  OF  AV  BAY  COOLING  IN  BAY  3  [30] 

d.  LOSS  OF  3  OF  6  AV  BAY  FANS  [74] 

e.  LOSS  OF  3  IMU  FANS 

f.  LOSS  OF  CABIN  PRESS  INTEGRITY  [37] 

g.  LOSS  OF  PP02  CONTROL  [78] 

h.  LOSS  OF  1  H20  LOOP 

i.  LOSS  OF  2  H90  LOOPS  [28] 


@[090894-1 675  ]  ®[1 02402-5804C] 
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FAILURE 


F.  EECOM  (CONCLUDED) 

2.  ATCS 

a.  LOSS  OF  1  FREON  LOOP 

b.  LOSS  OF  2  FREON  LOOPS 

c.  LOSS  OF  FES  (TOPPING  AND  HI  LOAD 

EVAPS)  [24]  [26] 

d.  LOSS  OF  HI  LOAD  EVAP 

e.  RESERVED 

f.  FREON  TO  CABIN  H20  LOOP  LEAK 

g.  LOSS  OF  2  RFCA'S 

G. EGIL 

1.  CRYO 

a.  LOSS  OF  ALL  CRYO  02  TANKS  OR  ALL 


CRYO  H2  TANKS  IMPENDING  [51] 

b.  H2  MANIFOLD  OR  TANK  LEAK  [43] 

2.  FUEL  CELL 

a.  LOSS  OF  2  FUEL  CELLS  [32] 

b.  FC  PRIMARY  H20  FLOW  TO  ECLSS  (3)  [72] 

3.  EPDC 

a.  MNAANDB  [46] 

b.  MN  B  AND  C  [46] 

c.  MNAANDC  [46] 

d.  ANY  MN,  AC,  OR  CNTL  BUS 

e.  MULTI-F  ON  AN  AC  BUS  (NOT  SHORTED) 

f.  CNTLCA1  [71] 
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H.  MMACS 

1.  APU/HYD/WSB 

a.  LOSS  OF  2  WSB 

b.  LOSS  OF  1  APU/HYD 

c.  LOSS  OF  2  APU/HYD 

d.  DELETED 

e.  IMPENDING  LOSS  OF  ALL  APU/HYD 
CAPABILITY 

f.  LOSS  OF  2  LND  GEAR  DEPLOY 
METHODS 

2.  MECHANICAL 

a.  PBD  CENTERLINE  NOT  WITHIN  LIMITS 

b.  ANY  PBD  LATCH  GANG  FAILED 
CLOSED 

c.  LOSS  OF  ONE  MOTOR  ON  TWO 
DIFFERENT  PBD  C/L  OR  BULKHEAD 
LATCH  GANGS 

d.  PBD  C/L  OR  BULKHEAD  LATCH  GANG 
FAILS  IN  TRANSIT  (NOT  CLEAR  OF 
ROLLERS) 

e.  STARBOARD  PBD  FAILS  IN  TRANSIT 
(READY-TO-LATCH  INDICATORS 
PRESENT 

f.  CONFIRMED  TIRE  LEAK 

g.  LOSS  OF  NWS 

3.  STRUCTURAL 

a.  THERMAL  WINDOWPANE  FAILURE 

b.  PRESSURE  OR  REDUNDANT 
WINDOWPANE  FAILURE 
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FAILURE 


I.  COMM 

1.  LOSS  OF  ALL  A/G  VOICE 

2.  LOSS  OF  BOTH  A/G  VOICE  AND  CMD 

3.  LOSS  OF  TLM  (HDR  AND  LDR) 

4.  RESERVED 

5.  LOSS  OF  CMD 

J.  GNC/AERO 

1.  TVC  PROBLEM  RESULTING  IN 
HARDOVER  ACTUATOR 

2.  LOSS  OF  CONTROL 

a.  IN  1ST  STG  AND  NOT  REGAINED  BY 
BFS 

b.  IN  2ND  STG  AND  NOT  REGAINED  BY 
MAN  TVC  OR  BFS  ENGAGE 

3.  LOSS  OF  4  OF  6  RHC  CH 


4.  LOSS  OF  2  AA’s  (LAT),  2  RGA’s,  OR  2 
ADTA’s  (CONCRETE  RUNWAY) 

5.  LOSS  OF  3  AA’s  (LAT)  3  RGA’s,  OR  3 
ELEV/BF  FDBK's  (SAME  SURFACE) 

6.  LOSS  OF  2  FCS  CHANNELS  (SAME 
SURFACE)  (CONCRETE  RUNWAY) 

7.  LOSS  OF  3  ADTA’s 

8.  LOSS  OF  2  IMU’s 

9.  IMU  DILEMMA 

10.  LOSS  OF  1  IMU,  2  TACAN/GPS,  OR  1  MLS 


@[041196-1914]  @[092602-5640] 
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LEGEND 

X  =  PERFORM  CONTINGENCY  ACTION 

[ ]  =  NOTE 

( )  =  QUANTITY _ 


NOTES: 

[1]  CERTAIN  RAPID  ENTRY  CONDITIONS  COULD  REQUIRE  ENTRY  PRIOR  TO  MCC  AND  LANDING  SITE  NOTIFICATION. 

[2]  COMM/DATA  LINES  TO  SUPPORT  LISTED  REQUIREMENTS  ALSO  MANDATORY. 

[3]  24  OF  64  DTE  CHANNELS  MANDATORY. 

[4]  ASSUMES  THREE  UNRECOVERABLE  GPC’S. 

[5]  ACCEPT  HIGHEST  ABORT  MODE  AVAILABLE. 

[6]  REFERENCE  RULE  {A5-108},  MANUAL  SHUTDOWN  FOR  HYDRAULIC  OR  ELECTRICAL  LOCKUP.  ®[ED  ] 

[7]  SECOND  STAGE  ONLY  (REF.  RULES  {A4-260},  RANGE  SAFETY  LIMIT  AVOIDANCE  ACTIONS. 

[8]  REFERENCE  RULE  {A5-109},  MANUAL  SHUTDOWN  FOR  TWO  STUCK  THROTTLES  (NOT  DUAL  APU  FAILURES). 
®[ED  ] 

[9]  TAL/AOA  IS  ACCEPTED  TO  PROTECT  THE  CONTINGENCY  CG  BOX.  IF  TAL/AOA  DUMP  MGMT  WILL  NOT  RECOVER 
CG,  CONTINUE  UPHILL. 

[1 0]  TO  ALLOW  TESTING  JETS  PRIOR  TO  ENTRY. 

[11]  IF  PRIOR  TO  OMS-1 ,  PERFORM  DELAYED  ATO.  FOR  DIRECT  INSERTION  CUTOFF  OMS-2  AT  MINIMUM  HP.  FOR 
DELAYED  ATO,  THE  RAISE  ORBIT  MANEUVER  WILL  NOMINALLY  BE  PLANNED  FOR  TTA  =  2  (TIME  TO  APOGEE). 

[12]  AFTER  OMS-1.  CUTOFF  OMS-2  AT  MINIMUM  HP. 

[13]  WHERE  LEAK  IN  BOTH  SIDES  SAME  PROPELLANT.  IF  LEAK  RATE  SUPPORTS  (PROPELLANT  ONLY) 

(IF  RCS  MUST  SUPPORT  TO  A  Q-BAR  =  20). 

[14]  AFTER  DEORBIT  TIG,  TERMINATING  BURN  FOR  THIS  FAILURE  REQUIRES  DEORBIT  24  HOURS  LATER. 

[15]  SHALLOW  ENTRY  IF  REQUIRED. 

[16]  IF  LEAK,  PERFORM  PERIGEE  ADJUSTMENT  AT  PLANNED  DEORBIT  TIG  IF  LEAK  RESULTS  IN  PROJECTED 
VIOLATION  OF  POD  THERMAL  CONSTRAINTS. 

[17]  THIS  HP  ALLOWS  DEORBIT  OPPORTUNITY  24  HOURS  LATER  WITH  WORST  CASE  ATT  PROFILE  (PTC). 

[18]  DEORBIT  DELAY  ONLY  REQUIRED  IF  RCS  DOWNMODE  CAPABILITY  DOES  NOT  EXIST. 

[19]  IF  BOTH  LEAKS  IN  SAME  SIDE  OR  BOTH  SIDES  LEAKING  BUT  DIFFERENT  PROPELLANT,  PERFORM  NOM. 

[20]  IF  UNABLE  TO  OBTAIN  VIABLE  GNC  3  OPERATION,  ENTER  ON  BFS. 

[21]  FAILURE  PRECLUDES  SINGLE  FAULT  TOLERANCE.  DELAY  TO  VERIFY  RM  DECLARED  FAILURES  OR  TO  RESOLVE 
A  DILEMMA  CASE  (REF.  RULE  {A8-7},  ENTRY  SYSTEMS  SINGLE-FAULT  TOLERANCE  VERIFICATION;  AND  RULE  {A8- 
8},  ENTRY  SYSTEMS  RM  DILEMMA). 

[22]  A  ONE-ORBIT  WAVE-OFF  MAY  OR  MAY  NOT  ALLOW  SUFFICIENT  TIME  TO  REGAIN  SINGLE-FAULT  TOLERANCE. 

IN  MANY  CASES,  DELAYING  UP  TO  ONE  DAY  WILL  BE  NECESSARY  IN  ORDER  TO  ALLOW  SYSTEM 
COMPENSATION/RECONFIGURATION  (REF.  RULE  {A8-7},  ENTRY  SYSTEMS  SINGLE-FAULT  TOLERANCE 
VERIFICATION). 

[23]  POST-MECO  OMS-1/OMS-2,  SHALLOW  ENTRY  IF  REQUIRED. 

[24]  IF  NECESSARY  TO  RECONFIGURE  TO  REDUCED  POWER  LEVEL. 

[25]  AFTER  OMS-1 ,  CHECKOUT  OMS-2  WHEN  MINIMUM  HP.  NEXT  PLS  DEORBIT  WITH  MIXED  CROSSFEED  IF 
REQUIRED. 
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[26]  GO  TO  ORBIT  AND  OPEN  PLBD’S  ASAP. 

[27]  ATTITUDE  ERROR  (>3  DEGREES  IN  PITCH  OR  YAW  OR  >10  DEGREES  IN  ROLL)  WITHOUT  CONVERGING  RATES 
OR  RATES  GREATER  THAN  3  DEG/SEC  WITHOUT  CORRESPONDING  ATTITUDE  ERRORS  (REF.  RULE  {A8-1},  FCS 
DOWNMODE). 

[28]  IMMEDIATE  POWERDOWN  REQUIRED. 

[29]  POWER  DOWN  TO  SURVIVAL  POWER  LEVEL. 

[30]  DELAY  IF  REQUIRED  TO  RECONFIGURE  DPS  TO  TWO  PASS  AND  ONE  BFS  OR  ALLOW  3.5  HOURS  OF  GPC 
COOLDOWN  TO  REGAIN  ALL  GPC’S. 

[31]  IF  A  2-SIGMA  CONFIDENCE  LEVEL  OF  ACHIEVING  AOA  CAPABILITY  EXISTS.  (REF.  RULE  {A5-157},  ET  LOW  LEVEL 
CUTOFF  SENSOR  FAILED  DRY). 

[32]  POWER  DOWN  FOR  SINGLE  FC  ENTRY. 

[33]  RESERVED. 

[34]  IF  INSUFFICIENT  DELTA  V  AVAILABLE  TO  ACHIEVE  ATO,  PERFORM  AOA  SHALLOW  OMS-1  ,-2. 

[35]  REFERENCE  RULE  {A8-2},  SSME  THRUST  VECTOR  CONTROL  (TVC)  HARDOVER. 

[36]  REFERENCE  RULES  [A1 1 -52A  AND  B},  LOSS  OF  BOTH  VOICE  AND  COMMAND. 

[37]  WITH  CABIN  AT  14.7  PSIA  AND  BOTH  14.7  PSI  REGULATORS  CLOSED,  DP/DT  DECAY  RATE  >  0.1 5  PSI/MIN,  RTLS 
ORTAL.  IF  ?  0.15  AND  >0.02  PSI/MIN  PLS  OR  AOA  (REF.  RULE  {A17-201},  CABIN  PRESSURE  INTEGRITY).  ®[ED  ] 

[38]  OTHER  OPTIONS  AND  PRIORITIES  PER  RULE  {A4-1 09},  DEORBIT  PRIORITY  FOR  EOM  WEATHER. 

[39]  LOSS  OF  BOTH  CABIN  FANS  WILL  REQUIRE  IMMEDIATE  POWERDOWN  AND  EXTENSIVE  HARDWARE  CYCLING  TO 
OBTAIN  ORBIT  AND  ENTRY. 

[40]  LIMITING  TIME  OF  ~18  MINUTES  (BASED  ON  2.76  KWH/FC  FOR  FC  FLOOD  WITHOUT  PURGING). 

[41]  ASSUMES  PLBD  NOT  OPEN. 

[42]  REF.  RULE  [A1 0-23A},  APU  ENTRY  START  TIME. 

[43]  DELAY  DEORBIT  TO  DEPLETE  A  LEAKING  H2  TANK  OF  ANY  SIZE.  IF  TANK  CANNOT  BE  DEPLETED  OR  IF  LEAK  IS 
IN  MANIFOLD,  DELAY  DEORBIT  TO  ALLOW  PRESSURE  BLOWDOWN  TO  REDUCE  LEAK  RATE  TO  <1  LB/HR. 
REFERENCE  RULE  [A9-260C}.1 ,  CRYO  SYSTEM  LEAKS  [CIL], 

[44]  DELAYED  ATO  IF  SUFFICIENT  PROPELLANT  AVAILABLE  IN  BLOWDOWN.  FOR  DELAYED  ATO,  THE  RAISE  ORBIT 
MANEUVER  WILL  NOMINALLY  BE  PLANNED  FOR  TTA  =  2  (TIME  TO  APOGEE). 

[45]  RESERVED 

[46]  RTLS  UNTIL  NEGATIVE  RETURN  BECAUSE  OF  INABILITY  TO  CLOSE  ET  DOORS. 

[47]  RESERVED 

[48]  IF  DEPLOYABLE  PAYLOADS  ARE  ONBOARD,  PERFORM  NEXT  PLS  ENTRY  AFTER  ATTEMPTS  HAVE  BEEN  MADE  TO 
DEPLOY  THE  PAYLOADS.  OTHERWISE  ENTER  FIRST  DAY  PLS  (REF.  RULES  [A1 0-21  A}. 2,  LOSS  OF 
APU/HYDRAULIC  SYSTEM(S)  ACTIONS,  AND  {A10-122},  LOSS  OF  WSB(S)  ACTIONS. 

[49]  IF  FREEZEUP  SUSPECTED,  REMAIN  ON  ORBIT  TO  ATTEMPT  TO  THAW  OUT  THE  HI-LOAD  EVAPORATOR. 

[50]  THE  SIMULTANEOUS  CLOSE  PROCEDURE  IS  AN  OPTION  FOR  THE  EXCESSIVE  OVERLAP  CASE  (REF.  RULE  [A1 0- 
207},  PLBD  OVERLAP). 

[51]  SELECT  ABORT  MODE  WITH  SHORTEST  RETURN  TIME. 
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[52]  IF  BOTH  LOOPS  FAILED  IN  BYPASS  OR  MEDIUM  FLOW. 

[53]  AFTER  DEORBIT  TIG,  TERMINATE  BURN  FOR  FAILURE  IF  HP  >  SAFE  HP.  REQUIRES  DEORBIT  24  HOURS  LATER. 

[54]  RATES  >  5  DEG/SEC  IN  PITCH  OR  YAW.  REFERENCE  RULE  {A8-54},  FIRST  STAGE  LOSS  OF  CONTROL 
DEFINITION.  ®[ED  ] 

[55]  AT  LEAST  ONE  CHANNEL  REQUIRED  EACH  SIDE.  REFERENCE  RULE  {A8-1001},  GNC  GO/NO-GO  CRITERIA. 

[56]  IF  ONE  ORBIT  DELAY  NOT  AVAILABLE,  DELAY  1  DAY.  FOR  PROPELLANT  LEAKS,  IT  MAY  BE  NECESSARY  TO 
DELAY  LONGER  THAN  ONE  ORBIT  IN  ORDER  TO  ALLOW  POD  THERMAL  ENVIRONMENT  TO  SUPPORT  ENTRY. 

[57]  IF  TIG  BETWEEN  45  AND  1 5  MINUTES  AND  ONE  REV  LATE  DEORBIT  IS  AVAILABLE,  REOPEN  PLB  DOORS  AND 
WAVE  OFF  ONE  REV.  IF  RADS  ARE  COLDSOAKED  AND  ONE  REV  LATE  DEORBIT  NOT  AVAILABLE,  UTILIZE  THE 
COLDSOAK  TO  CONTINUE  WITH  PLANNED  TIG.  IF  RADS  ARE  NOT  COLDSOAKED  AND  ONE  REV  LATE  IS  NOT 
AVAILABLE,  REOPEN  PLB  DOORS  AND  WAVE  OFF  1  DAY.  ®[0201 96-1 81 OA ] 

[58]  IF  TOXIC  COMBUSTION  PRODUCTS  CANNOT  BE  SATISFACTORILY  REMOVED  FROM  THE  CABIN  ATMOSPHERE, 
THE  CREW  WILL  REMAIN  ON  QDM/LES  UNTIL  ORBITER  EGRESS.  EOM  IS  BASED  UPON  AVAILABLE  1^ 
CONSUMABLES  FOR  MAINTAINING  THE  02  CONCENTRATION  WITHIN  ACCEPTABLE  LIMITS.  REF.  RULE  [A13- 

1 52C},  CABIN  ATMOSPHERE  CONTAMINATION  AND  [A1 7-254},  CABIN  02  CONCENTRATION.  @[070201 -4726A] 

ON  ASCENT,  FIRST  DAY  PLS  WILL  ONLY  BE  NECESSARY  IF  THE  CABIN  ATMOSPHERE  CANNOT  BE  CLEANED  UP. 
IF  THE  EXTENT  OF  THE  DAMAGE  TO  EQUIPMENT  AND  WIRE  BUNDLES  IS  UNKNOWN,  EVEN  IF  THE  ATMOSPHERE 
HAS  BEEN  CLEANED  UP,  A  NEXT  DAY  PLS  WILL  BE  PERFORMED  TO  MINIMIZE  THE  RISK  OF  THE  OCCURRENCE 
OF  AN  ADDITIONAL  FIRE  OR  ARC  TRACKING.  @[072795-1779]  @[070201 -4726A] 

[59]  PROPELLANT  LEAK  ONLY. 

[60]  ELS  WILL  PROBABLY  BE  REQUIRED  IF  THE  NEXT  PLS  OR  SLS  IS  GREATER  THAN  8  HOURS.  AS  LONG  AS  CABIN 
ENVIRONMENT  IS  ACCEPTABLE,  A  PLS  WILL  BE  TARGETED.  @[0201 96-1 81 0A] 

[61]  CAUSES  LOSS  OF  ONE  MOTOR  IN  EACH  OF  TWO  SEPARATE  PLBD  LATCH  GANGS  (REF.  RULE  [A10-209B],  PLBD 
RULE  REFERENCE  MATRIX).  DC  AND  AC  SUB-BUSES  THAT  CAUSE  THIS  FAILURE  ARE: 

MNA  MPC1,  MMC1 ,  MMC3 
MNB  MPC2,  MMC2,  MMC4 
MNC  MPC3,  MMC2,  MMC4 
AC1  MMC1 ,  MMC3 
AC2  MMC2,  MMC4 
AC3  MMC2,  MMC4 

[62]  ENTER  FIRST  DAY  PLS  UNLESS  DELTA  V  IMPROVEMENT  POSSIBLE. 

[63]  PERFORM  PERIGEE  ADJUST  BURN  SEPARATION. 

[64]  ORBIT  2  DEORBIT  REQUIRED.  (REF.  RULE  [A1 1  -52],  LOSS  OF  BOTH  VOICE  AND  COMMAND.) 

[65]  RESULTS  IN  LOSS  OF  TWO  FCS  CHANNELS. 

[66]  EXCEPT  COMBINATION  OF  MDM'S  FF4  AND  ANY  OTHER  FF  MDM.  OTHERWISE,  THE  FAILURE  OF  ANY 
COMBINATION  OF  MDM'S  FF1 ,  FF2,  OR  FF3  WILL  RESULT  IN  THE  LOSS  OF  TWO  IMU’S.  MDM  IFM  MAY  BE 
PERMITTED  TO  MEET  IMU  REQUIREMENT.  REFERENCE  RULE  {A7-109},  IN-FLIGHT  MAINTENANCE  (IFM). 
@[090894-1684] 

[67]  RESERVED 

[68]  REFERENCE  RULE  [A9-1 58B],  AC  POWER  TRANSFER  CABLE. 

[69]  IF  REQUIRED  TO  MAINTAIN  TWO-FC  ENTRY  CAPABILITY. 
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[70]  FIRST  DAY  PLS  FOR  CONFIRMED,  UNRECOVERABLE  LOSS  OF  TWO  AFT  RCS  PITCH  JETS,  SAME  AXIS,  SAME  POD 
(N/A  YAW  JETS). 

[71]  LOSS  OF  CNTL  CA1  LOSES  BFS  ENGAGE  CAPABILITY  FOR  GPC  3  AND  5.  A  DELAY  WILL  BE  INVOKED  TO  SWITCH 
BFS  MACHINES.  REFERENCE  RULE  {A7-53B},  ON-ORBIT  BFS  MANAGEMENT  GUIDELINES. 

[72]  LOSS  OF  COMPLETE  PRIMARY  SYSTEM  MAY  HAVE  RESULTED  FROM  FREEZING  OF  THE  FC  H20  RELIEF  PANEL. 
THIS  COULD  ALSO  CAUSE  LOSS  OF  OVERBOARD  RELIEF  AND  LEAVE  ONLY  THE  ALTERNATE  SYSTEM  FOR  FC 
H20  REMOVAL.  REFERENCE  RULE  {A9-1001},  ELECTRICAL  GO/NO-GO  CRITERIA. 

[73]  RESERVED 

[74]  ENTER  NEXT  PLS  IF  A  SINGLE  ELECTRICAL  FAILURE  (AC  BUS)  COULD  CAUSE  THE  LOSS  OF  AIR  COOLING  TO 
TWO  AVIONICS  BAYS. 

[75]  DELAY  TO  VERIFY  POWER,  MDM,  AND  BITE  RELATED  FAILURES,  AND  TO  ASSESS  THE  RISKS  OF  FLYING  THETA 
LIMITS  VS.  INCORPORATING  THE  LAST  ADTA  (REF.  RULE  {A8-7},  ENTRY  SYSTEMS  SINGLE-FAULT  TOLERANCE 
VERIFICATION,  AND  RULE  [A8-1 1 1 B},  GNC  AIR  DATA  SYSTEM  MANAGEMENT  [CIL]). 

[76]  DELAY  TO  TARGET  FOR  REQUIRED  RUNWAY  (REF.  RULE  {A2-207},  LANDING  SITE  SELECTION). 

[77]  A  LANDING  WILL  BE  REQUIRED  WITHIN  4  HOURS  OF  THE  FAILURE. 

[78]  PLS  REQUIRED  IF  AUTO/MANUAL  PP02  CONTROL  CANNOT  MAINTAIN  AEROMED  MINIMUM  (REF.  RULE  [A13- 
53A}.1 ,  MINIMUM  PP02  CONSTRAINTS)  AND  LESS  THAN  30  PERCENT  C^  AT  TOUCHDOWN.  ELS  REQUIRED 
IF  40  PERCENT  02  IS  EXPECTED  TO  BE  EXCEEDED  PRIOR  TO  NEXT  PLS  TOUCHDOWN. 

[79]  ENTER  NEXT  PLS  IF  TIRE  PRESSURE  WILL  BE  £  275  PSI  MAIN,  260  PSI  NOSE  AT  NEXT  PLS  LANDING 
OPPORTUNITY  PLUS  2  DAYS. 

[80]  RESERVED 

[81]  RESERVED  ®[1 02402-5804C] 

[82]  REFERENCE  RULE  {A8-61},  SSME  SHUTDOWN  DUE  TO  HYDRAULIC  SYSTEM  FAILURES. 

[83]  FOR  LOSS  OF  TWO  MMU’S  DURING  ASCENT,  CONSIDERATION  WILL  BE  GIVEN  TO  PERFORMING  THOSE  MISSION 
OBJECTIVES  THAT  DO  NOT  REQUIRE  MASS  MEMORY  RESIDENT  FUNCTIONS  (I.E.,  GNC  2,  SM,  SM  ROLL-IN 
DISPLAYS,  OR  TELEMETRY/DECOM  FORMAT  LOADS). 

[84]  REFERENCE  RULE  {A2-2},  ABORT  LANDING  SITE  REQUIREMENTS.  IF  FD  1  LANDING  SITE  IS  GO,  LAND  FD  1 .  IF  FD 
1  LANDING  SITE  IS  NO-GO,  IF  POSSIBLE,  DELAY  DEORBIT  TO  FD  2.  @[121593-1590] 

[85]  IF  HIGH-SPEED  C-BAND  RADAR  NOT  SCHEDULED  FOR  ENTRY,  DELAY  AS  REQUIRED  TO  SCHEDULE  (REF.  RULE 
{A3-1 },  GROUND  AND  NETWORK  DEFINITIONS),  UNLESS  GPS  IS  AVAILABLE  AND  FUNCTIONING  PROPERLY  (REF. 
RULE  {A8-1 1 5},  GPS  SYSTEM  MANAGEMENT).  IF  MLS  FAILURE,  DELAY  ONLY  IF  MLS  REQUIRED  PER  RULE  {A3- 
202},  MLS.  @[041196-1914]  ®[ED  ]  @[092602-5640] 

[86]  A  TOTAL  COMBINATION  OF  2  TACAN/GPS  LRU’S  MUST  BE  LOST  FOR  THIS  RULE  TO  APPLY  GIVEN  THAT  THE 
REMAINING  2  LRU’S  PROVIDE  AT  LEAST  FAIL-SAFE  CAPABILITY  WITHOUT  REGARD  FOR  TRACKING  AVAILABILITY. 
@[092602-5640  ] 
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SPACEHAB  OPERATIONS  MANAGEMENT 


A2-311  SPACEHAB  SAFETY  DEFINITION  AND  MANAGEMENT 

A.  DEFINITIONS:  @[102793-1552] 

1 .  RAPID  SAFING  -  SECURING  OF  ANY  PAYLOAD  ELEMENT  IN  A 
TIME-CRITICAL  MANNER  AS  DEFINED  BY  THE  SPACE  SHUTTLE 
PROGRAM  FOR  ABORTS  AND  CONTINGENCY  RETURN  OF  THE 
ORBITER.  ®[1 11501-4981 E] 

2.  UNSAFE  -  ONLY  TWO  INHIBITS  CAN  BE  VERIFIED  TO  A 
CATASTROPHIC  HAZARD. 

3.  HAZARDOUS  -  ONLY  ONE  INHIBIT  CAN  BE  VERIFIED  TO  A 
CATASTROPHIC  HAZARD. 

4.  SAFE  -  SHALL  BE  DEFINED  AS  ANY  ONE  OF  THE  FOLLOWING: 

a.  AT  LEAST  THREE  INHIBITS  REMAIN  TO  A  CATASTROPHIC 
HAZARD,  TWO  OF  WHICH  MUST  BE  MONITORABLE. 

b.  RESTRAINT/SECURING  OF  ANY  PAYLOAD  ELEMENT  CAPABLE  OF 
PENETRATING  A  MODULE  AS  A  RESULT  OF  ORBITER  INDUCED 
ENTRY/LANDING  LOADS. 

Reference:  NSTS  18798A,  MA2-96- 190,  “CONTINGENCY  RETURN  AND  RAPID  SAFING,”  memo 
dated  January  9,  1997.  ®[1 11501 -4981 E] 
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(CONTINUED) 


B.  GENERALIZED  RESPONSES  TO  UNSAFE/HAZARDOUS  CONDITIONS: 

1.  RAPID  SAFING  -  FOR  SPACEHAB,  CONTINGENCY 
DEACTIVATION/EGRESS  PROCEDURES  ARE  USED  FOR  OFF 
NOMINAL/EMERGENCY  SITUATIONS  REQUIRING  AN  EXPEDITED 
RESPONSE  TO  SECURE  THE  MODULE  FOR  A  SAFE  ENTRY  AS  DEFINED 
IN  RULE  {A2-329},  SPACEHAB  DEACTIVATION/ENTRY  PREP. 
@[102793-1552]  ®[1 1 1501-4981 E]  ®[ED  ] 

2.  UNSAFE  -  NO  IMMEDIATE  ACTION  IS  REQUIRED.  IF  POSSIBLE, 
RESTORATION  OF  THE  SAFE  CONDITION  WILL  NORMALLY  BE 
ATTEMPTED,  BUT  SUCH  ACTION  WILL  NOT  BE  ALLOWED  TO 
JEOPARDIZE  MISSION  SUCCESS. 

3.  HAZARDOUS  -  QUICK  RESPONSE  IS  MANDATORY:  TAKE  POSITIVE 
ACTION  TO  RESTORE  THE  SYSTEM  TO  NO  WORSE  THAN  AN  UNSAFE 
CONDITION.  IF  UNSUCCESSFUL,  TERMINATE  THE  EXPERIMENT  AS 
SOON  AS  POSSIBLE  (ASAP)  .  ®[1 11501  -4981 E] 
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A2-312  REAL-TIME  SAFETY  COORDINATION 

A.  ANY  SPACEHAB  PAYLOAD  FAILURE  WHICH  POSES  AN  IMMEDIATE  THREAT 
TO  ORBITER  SYSTEMS  OR  CREW  HEALTH  (FOR  EXAMPLE:  BROKEN 
GLASS,  TOXIC  SPILLS,  SMOKE/FIRE,  ANIMAL  WASTE,  AND  FREE 
WATER)  WILL  BE  COORDINATED  BY  THE  CREW  DIRECTLY  WITH  HOUSTON 
FLIGHT  THROUGH  EECOM  AND  SURGEON,  WITH  ASSISTANCE  FROM 
HOUSTON  PAYLOADS/ACO.  HOUSTON  PAYLOADS/ACO  WILL  IMMEDIATELY 
NOTIFY  THE  PAYLOAD  OPERATIONS  CONTROL  CENTER  (POCC)  AND  WILL 
PROVIDE  ANY  ADDITIONAL  COORDINATION  WITH  OTHER  MCC  FCT 
DISCIPLINES,  IF  NECESSARY.  @[060800-7124]  ®[11 1501 -4981 E] 

This  approach  allows  the  MCC  FCT  to  prioritize,  coordinate,  and  address  the  immediate  health  threat  to 
the  crew.  All  payload-specific  questions  will  be  relayed  to  the  POCC.  It  is  understood  that  the  crew  will 
work  the  appropriate  onboard  contingency  procedures  to  reduce  the  immediate  threat  without  talking  to 
the  ground  first.  Crew  indication  of  an  electrical  short  is  fire/smoke  ( covered  in  paragraph  A),  popped 
circuit  breaker  ( covered  in  paragraph  B),  or  maintained  increase  in  current  (covered  in  paragraph  B). 

For  coordination  of  electrical  problems/ shorts,  reference  Rule  {A9-355J,  FUSE/CIRCUIT  BREAKER 
MANAGEMENT.  ®[i  1 1501-4981 E]  ®[ED  ] 

B.  ANY  PAYLOAD  FAILURES,  WHICH  ORIGINATE  FROM  PAYLOAD  HARDWARE 
AND  DO  NOT  POSE  AN  IMMEDIATE  THREAT  TO  ORBITER  SYSTEMS  OR 
CREW  HEALTH  AS  DEFINED  IN  PARAGRAPH  A,  WILL  BE  COORDINATED  BY 
THE  CREW  DIRECTLY  WITH  THE  POCC.  THE  POCC  WILL  IMMEDIATELY 
NOTIFY  HOUSTON  PAYLOADS/ACO  OF  ANY  SITUATION  AFFECTING  SAFETY 
(I.E.,  LOSS  OF  CONTAINMENT  LEVEL,  LOSS  OF  REDUNDANCY, 
POTENTIAL  SHORT  WITHIN  PAYLOAD  HARDWARE,  ETC.).  IF  THE 
SITUATION  IS  NOT  WITHIN  THE  SCOPE  OF  THE  PREMISSION-DEFINED 
FLIGHT  RULES  AND  PROCEDURES,  NO  ACTION  (OTHER  THAN  REMOVAL  OF 
THE  HAZARD  POTENTIAL)  WILL  BE  TAKEN  WITHOUT  FULL  AND  PRIOR 
COORDINATION  WITH  THE  MCC  FCT.  ®[1 1 1 501 -4981 E] 

Safety  related  payload  failures  which  can  be  addressed  directly  between  the  crew  and  POCC  are  those 
which  originate  in  payload  equipment  and  which  do  not  affect  the  atmosphere  leading  to  an  immediate 
threat  to  orbiter  systems  or  crew  health.  These  payload-originated  failures  must  be  specifically 
addressed  in  premission-defined  flight  rules  and  procedures.  Although  the  MCC  Flight  Director  is 
ultimately  responsible  for  the  safety  of  the  orbiter/Spacehab  and  crew,  it  is  recognized  that  the  POCC 
has  the  expertise  on  and  sufficient  data/insight  into  the  payload  hardware.  As  soon  as  the  POCC  is 
cognizant  of  a  payload  safety  situation;  however,  the  MCC  must  be  notified  for  further  assessment  of 
orbiter/Spacehab  and  crew  impacts.  The  only  action(s)  which  may  be  taken  that  is  (are)  not  in  the  scope 
of  the  premission  defined  flight  rules  or  procedures  and  without  prior  coordination  with  the  MCC  is 
(are)  to  eliminate  the  hazard  cause(s)  ( i.  e. ,  remove  power,  etc.).  For  coordination  of  electrical 
problems/ shorts,  reference  Rule  { A9-355 j,  FUSE/CIRCUIT  BREAKER  MANAGEMENT.  @[060800-7124] 

®[1 11501-4981 E]  ®[ED  ] 
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A2-313  GROUND  COMMANDING 

A.  ALL  PAYLOAD  COMMANDING  WILL  BE  COORDINATED  WITH  HOUSTON 
FLIGHT  THROUGH  HOUSTON  PAYLOADS /ACO .  NOMINALLY,  POCC 
COMMANDING  WILL  BE  THROUGHPUT  COMMANDS.  TWO-STAGE 
COMMANDING,  CONTINGENCY  COMMANDING,  AND  KU-BAND  128  COMMAND 
LINK  (RDM  ONLY)  WILL  REQUIRE  COORDINATION  WITH  INCO.  @[060800- 
7125]  ®[1 11501-4981 E] 

HOUSTON  FLIGHT  is  responsible  for  all  commanding  to  the  shuttle  vehicle,  and  all  commanding  must 
be  done  with  the  cognizance  of  HOUSTON  FLIGHT.  The  specific  coordination  tasks  and  configuration 
authority  is  usually  delegated  on  Spacehab  missions  to  the  Instrumentation  And  Communications 
Officer,  call  sign  HOUSTON  INCO,  HOUSTON  PAYLOADS/ ACO,  and  their  support  personnel. 

Payload  commanding  will  be  identified  premission  with  POCC  command  windows  reflected  in  the 
command  timeline.  Nominally,  the  Payload  Operations  Control  Center  (POCC)  will  only  be  enabled 
during  these  premission-defined  windows.  If  off-nominal  conditions  arise  real  time  which  necessitate 
sending  commands  outside  the  premission-defined  windows,  coordination  between  the  POCC  and 
HOUSTON  PAYLOADS/ ACO  will  be  required  to  discuss  these  changes  to  the  Command  Timeline  during 
the  Tracking  and  Data  Relay  Satellite  (TDRS)  pre-pass  briefing  and/or  just  prior  to  the  command 
sequence.  As  a  minimum,  the  need  to  use  a  premission  scheduled  command  window  will  be  identified  to 
HOUSTON  PAYLOADS/ ACO  during  the  TDRS  pre-pass  briefing. 

The  Ku-band  128-command  link,  in  addition  to  PSP  commanding,  is  used  for  Spacehab  RDM  experiment 
and  experiment  data  system  commanding.  ®[1 11501  -4981 E] 

B.  IF  COMMAND  VOLUMES  ARE  SUCH  THAT  COMMAND  COORDINATION  IS  A 
SIGNIFICANT  DETRIMENT  TO  MISSION  SUCCESS,  CONSIDERATION  WILL 
BE  GIVEN  TO  SIMULTANEOUS  (SIMO)  POCC  COMMANDING  THROUGHOUT 
EACH  TDRS  PASS  UNDER  THE  FOLLOWING  CONDITIONS.  SIMO 
COMMANDING  MUST  BE  APPROVED  BY  HOUSTON  FLIGHT. 

1.  THE  COMMANDING  PARTY  IS  RESPONSIBLE  FOR  DETECTING  AND 
RETRANSMITTING  ANY  LOST  COMMANDS. 

2.  ALL  POCC  HAZARDOUS  COMMANDING  WILL  BE  COORDINATED  WITH 
HOUSTON  PAYLOADS/ACO  PRIOR  TO  COMMAND  INITIATION. 

THIS  RULE  CONTINUED  ON  NEXT  PAGE 
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A2-313  GROUND  COMMANDING  (CONTINUED) 

3.  LARGE  COMMAND  BLOCKS  WILL  BE  COORDINATED. 

SIMO  commanding  includes  two  or  more  POCC’s  enabled  for  commanding.  The  addition  of  the  payload 
throughput  buffer  in  the  systems  managemen  t  ( SM )  GPC  allows  for  con  tinuous  commanding  by  both  the 
MCC  and  the  POCC’s;  therefore,  MCC  and  POCC  commanding  is  not  considered  SIMO  commanding. 
@[060800-7125] 

SIMO  commanding  is  possible,  with  the  risk  of  the  ground  system  rejecting  commands  that  have 
insufficient  spacing.  The  ground  system  is  set  to  cdlow  a  maximum  of  one  command  per  second.  If  this 
rate  is  exceeded,  then  the  ground  system  will  reject  the  additional  commands.  This  method  of 
commanding  is  less  desirable  than  a  more  structured  method  where  ground  system  rejects  are 
procedurally  avoided.  If  the  overhead  of  the  coordination  is  judged  to  be  a  significant  impact  to  payload 
operations  and  the  overhead  of  retransmitting  the  commands  is  judged  to  be  less,  consideration  will  be 
given  to  SIMO  commanding.  Due  to  safety  considerations,  hazardous  commands  must  always  be 
coordinated.  Since  large  blocks  of  commands  require  more  command  system  time,  more  care  must  be 
used  to  avoid  ground  system  rejects  and  loss  of  these  types  of  commands;  therefore,  large  command 
blocks  will  still  require  coordination.  @[060800-7125  ] 

C.  IF  TWO-STAGE  POCC  COMMANDING  IS  REQUIRED,  POCC  COMMANDING 
AND  MCC  COMMANDING  TO  THE  SAME  GENERAL  PURPOSE  COMPUTER 
(GPC)  TWO-STAGE  BUFFER  WILL  BE  MANAGED  SO  THAT  ONLY  ONE 
IS  COMMANDING  AT  A  TIME.  ®[1 1 1 501 -4981 E] 

A  POCC  may  require  two-stage  commanding  for  critical  commanding  or  troubleshooting  command 
problems.  To  avoid  two-stage  buffer  contention,  POCC  and  MCC  commanding  will  be  coordinated. 
@[060800-7125] 

D.  FOR  FAILURE  OF  THE  SPACEHAB  FAN  IN  USE  OR  FAILURE  OF  A  WATER 
COOLING  LOOP  PUMP  DURING  ASCENT/ENTRY,  CONTINGENCY  COMMANDS 
WILL  BE  SENT  TO  SWAP  FANS  OR  PUMPS  ASAP  POST  MAIN  ENGINE  CUT 
OFF  (MECO)  OR  DURING  ENTRY  PER  RULES  {A17-706},  SPACEHAB  FAN 
CONFIGURATIONS  OR  {A18-553},  SPACEHAB  SUBSYSTEM  PUMP 
OPERATIONS . 

Air  circulation  is  required  to  maintain  module  airflow  over  the  Spacehcib  fire/ smoke  detectors.  Without 
switching  fans  following  the  loss  of  the  fan  in  use,  all  fire/smoke  detection  capability  is  lost.  The 
Spacehcib  water-cooling  loop  is  required  for  achieving  thermal  control  of  the  module  environment. 

Withou  t  switching  pumps  following  a  pump  failure,  all  module  cooling  is  lost.  Withou  t  smoke  detection 
or  adequate  cooling,  the  module  would  need  to  be  powered  down.  Powering  the  module  down  has  the 
potential  for  a  significant  mission  success  impact.  No  on-board  command  capability  exists  in  OPS  1  or 
OPS  3  (SM  GPC  not  available),  so  reconfiguration  during  ascent/entry  must  be  performed  via  ground 
commands.  The  water  line  heaters  must  be  turned  ON,  to  prevent  freezing  of  the  PLHX,  if  the  PLBD’s 
are  open.  ®[i  1 1 501  -4981 E] 
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A2-314  SPACEHAB  MINIMUM  DURATION  FLIGHT  CRITERIA 

FOR  AN  ORBITER  FREON  LOOP  TO  SPACEHAB  WATER  LOOP  LEAK,  THE 
SPACEHAB  MODULE  WILL  BE  PREPARED  FOR  ENTRY,  EGRESSED,  ISOLATED, 
AND  A  MINIMUM  DURATION  FLIGHT  (MDF )  WILL  BE  INSTITUTED.  @[111501- 
4981 E] 

Entry  prep  and  egress  of  the  Spacehab  module  are  performed  to  configure  the  module  for  entry  and  to 
avoid  the  possibility  of  the  crew  being  exposed  to  toxic  Freon.  Although  the  water  loop  is  compatible 
with  Freon  21,  a  relatively  high  pressure  in  the  water  loop  (caused  by  Freon  leaking  into  the  water  loop ) 
increases  the  chances  of  the  water  loop  developing  a  leak  into  the  module  and  exposing  the  crew  to 
Freon. 

An  MDF  is  called  for  a  heat  exchanger  leak  between  dissimilar  fluids  because  the  possibility  exists  that  a 
generic  problem,  such  as  corrosion,  exists  in  the  heat  exchanger.  This  problem  could  eventually  result  in 
a  total  loss  of  the  heat  exchanger  and  orbiter  due  to  the  subsequent  loss  of  two  Freon  loops.  The  risk  of 
losing  the  heat  exchanger  does  not  warrant  a  next  primary  landing  site  (PLS)  but  does  warrant  an  MDF. 
®[1 1 1501-4981 E] 

A2-315  POWERING  OFF  AND  REPOWERING  SPACEHAB  EQUIPMENT 

A.  SPACEHAB  EQUIPMENT/COMPONENTS  WILL  BE  POWERED  OFF  IF  THEY 
HAVE  FAILED  AND  HAVE  ON/OFF  CAPABILITY.  REFERENCE  FAILURE 
DEFINITIONS  IN  SECTION  9,  SPACEHAB  SUPPORT  AND  SPACEHAB 
ELECTRICAL  POWER  SUBSYSTEM  (EPS)  MANAGEMENT.  ®[1 1 1 501 -4981 E] 

Failed  equipment  will  be  powered  off  to  prevent  possible  intermittent  operation  and/or  shorting. 

Powering  off  failed  equipment  also  saves  power.  Equipment  powered  by  the  Emergency  Bus  cannot 
be  powered  off  unless  both  the  PL  AUX  and  PL  AFT  B  busses  are  powered  off. 

B.  SPACEHAB  EQUIPMENT  NOT  CONCERNED  WITH  SAFETY  MAY  BE  OPERATED 
OUTSIDE  THE  QUALIFICATION  LIMITS  BASED  ON  CUSTOMER  CALL. 

Operation  to  the  qualification  limits  may  result  in  unpredictable  operation  and/or  violation  of  lifetime 
limits.  The  Spacehab  customer  has  chosen  to  allow  for  equipment  operations  (ops)  outside  of 
qualification  limits  based  on  preflight  test  experience. 

C.  REPOWERING  SPACEHAB  EQUIPMENT  AFTER  FAILURE  OR  AFTER 
EXCEEDING  QUALIFICATION  TEST  LIMITS  WILL  BE  ON  MCC  CALL  ONLY. 

The  MCC  has  the  ability  to  evaluate  data  on  the  equipment.  Consideration  must  be  given  to  possible 
damage  to  orbiter  systems  or  further  damage  to  the  affected  equiptnent  if  repowered.  MCC  may  give 
consideration  to  an  inflight  maintenance  ( IFM )  procedure,  trend  data,  etc.,  after  careful  review. 
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A2-316  ORBITER-TO-SPACEHAB  HATCH  CONFIGURATION 

A.  FOR  THOSE  OPERATIONS  REQUIRING  THE  ORBITER  INNER  HATCH  OR  THE 
SPACEHAB  HATCH  TO  BE  CLOSED  AND  LATCHED,  ALL  CREWMEMBERS  ARE 
REQUIRED  TO  REMAIN  ON  THE  ORBITER  SIDE  OF  THE  CLOSED  AND 
LATCHED  HATCH.  ®[1 1 1 501 -4981 E] 


There  is  no  air  exchange  between  the  orbiter  and  the  Spacehab  module  with  the  hatch(es)  closed.  In 
addition,  conditions  could  occur,  such  as  an  airlock  leak  or  hatch  malfunction,  which  could  trap  a 
crewmember  in  the  Spacehab  module. 

B.  THE  SPACEHAB  HATCH  WILL  REMAIN  OPEN  FOR  NOMINAL  OPERATIONS, 
UNLESS  REQUIRED  TO  BE  CLOSED  FOR  EXTRAVEHICULAR  ACTIVITY 
(EVA)  OPERATIONS  OR  DOCKING  OPERATIONS. 


Reference:  Rule  / A2-317J ,  EVA  CONSTRAINTS. 

C.  THE  MODULE  WILL  BE  CONFIGURED  FOR  A  SAFE  ENTRY  AS  REQUIRED  BY 
PAYLOAD  SAFETY  PRIOR  TO  CLOSING  THE  HATCH. 


The  module  is  configured  for  safe  entry  ( i.  e. ,  all  penetration  hazards  restrained/stowed)  in  the  event  the 
module  cannot  be  re-entered.  ®[1 11501  -4981 E] 
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A2-317  EVA  CONSTRAINTS 

A.  PREBREATHING  AT  10.2  PS  I  CAN  BE  DONE  WITH  THE  SPACEHAB  MODULE 
AT  14.7  PSI  AND  THE  SPACEHAB  HATCH  CLOSED  OR  WITH  THE 
SPACEHAB  AT  10.2  PSI.  THE  STRATEGY  WILL  BE  DETERMINED  ON  A 
MISSION  SPECIFIC  BASIS  AND  DOCUMENTED  IN  THE  FLIGHT  SPECIFIC 
ANNEX.  ®[1 11501-4981 E] 


The  minimum  design  operating  pressure  for  Spacehab  components  is  10  psia.  Freon  flow  to  the  payload 
heat  exchanger  will  be  reduced  in  order  to  keep  the  orbiter  cabin  within  temperature  limits.  This  is 
accomplished  by  moving  one  of  the  orbiter' s  Freon  flow  proportioning  valves  (FPV’s)  from  the  nominal 
on-orbit  payload  heat  exchanger  position  to  the  interchanger  position.  This  will  reduce  the  cooling 
capability  in  the  Spacehab  water  loop. 

Spacehab  may  be  able  to  operate  at  the  reduced  pressure  (and  cooling  level)  of  10.2  psi  if  these 
conditions  are  compatible  with  experiment  science  and  hardware  requirements  and  if  overall  module 
thermal  loads  allow.  The  benefit  of  open  hatch  operations  at  10.2  psi  is  increased  crew  access  time  to 
the  module  during  prebreathe. 

Assessment  of  10.2  psi  prebreathe  strategy  will  be  conducted  on  a  flight  specific  basis.  ®[1 11501  -4981 E] 

B.  SPACEHAB  LEAK  DURING  EVA  ®[1 1 1 501 -4981 E] 

SCHEDULED/UNSCHEDULED  EVA 

1.  IF  A  SPACEHAB  CABIN  LEAK  OCCURS  DURING  AIRLOCK/TUNNEL 
ADAPTER  DEPRESS  WHICH  IS  NOT  UNDERSTOOD  OR  WHICH  IS 
PREDICTED  TO  REDUCE  CABIN  PRESSURE  BELOW  10.2  POUNDS  PER 
SQUARE  INCH  ABSOLUTE  (PSIA)  BEFORE  NOMINAL  EVA  COMPLETION 
TIME,  THE  EVA/AIRLOCK  DEPRESS  WILL  BE  TERMINATED. 

2.  IF  A  SPACEHAB  CABIN  LEAK  OCCURS  DURING  EVA,  THE  EVA  WILL 
BE  TERMINATED  AND  THE  AIRLOCK/TUNNEL  ADAPTER 
REPRESSURIZED  BEFORE  THE  SPACEHAB  IS  PREDICTED  TO  REACH 
10.2  PSIA. 

THIS  RULE  CONTINUED  ON  NEXT  PAGE 
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A2-317  EVA  CONSTRAINTS  (CONTINUED) 

CONTINGENCY  EVA 

3.  IF  THE  EVA  IS  AN  ORBITER  CONTINGENCY  EVA,  IT  WILL 

CONTINUE  AND  THE  SPACEHAB  WILL  BE  UNPOWERED  EXCEPT  FOR 
EMERGENCY  POWER  (AUX  A  AND  AFT  B)  PRIOR  TO  REACHING  10 
PSIA. 


The  Spacehab  systems  are  certified  to  operate  above  a  cabin  pressure  greater  than  or  equal  to  10  psia. 

For  example,  a  leak  rate  of  7.3  lb/hrfor  4  hours  based  on  14. 7  equivalent  will  bring  the  cabin  to  10  psia. 
PL  AUX  A  and  AFT  MN  B  provide  redundan  t  power  to  Spacehab  sensors.  AFT  MN  B  is  the  only  source 
of  power  to  the  Spacehab  water  line  heaters  that  protect  the  Spacehab  water  line  from  freezing. 
Additionally,  smoke/fire  detection  sensors  are  powered  by  the  emergency  circuits. 

C.  EXPERIMENT  IMPACTS  TO  A  10.2  PSI  PREBREATHE  ARE  DOCUMENTED  IN 
THE  FLIGHT  SPECIFIC  ANNEX.  ®[1 1 1 501 -4981 E] 

A2-318  ORBITAL  MANEUVERING  SYSTEM/REACTION  CONTROL  SYSTEM 

(OMS/RCS)  CONSTRAINTS 

ORBITAL  MANEUVERING  SYSTEM/REACTION  CONTROL  SYSTEM  (OMS/RCS) 
CONSTRAINTS  ARE  EXPERIMENT  COMPLEMENT  DEPENDENT  AND  ARE 
DOCUMENTED  IN  THE  FLIGHT  SPECIFIC  ANNEX.  ®[1 1 1 501 -4981 E] 

A2-319  CONTAMINATION  AND  MICROGRAVITY  CONSTRAINTS 

ANY  CONSTRAINTS  SPACEHAB  HAS  ON  WATER  DUMPS,  FES  OPS,  OMS/RCS 
LEAKS,  ORBITER  LEAKS,  OR  FUEL  CELL  PURGES  WILL  BE  DOCUMENTED  IN 
THE  FLIGHT  SPECIFIC  ANNEX.  ®[1 1 1 501 -4981 E] 


VOLUME  A  11/21/02  FINAL,  PCN-1  FLIGHT  OPERATIONS  2-291 

Verify  that  this  is  the  correct  version  before  use. 


NASA  -  JOHNSON  SPACE  CENTER 


FLIGHT  RULES 


A2-320  COMMAND  AND  DATA  SYSTEM  CONSTRAINTS 

A.  FOR  A  NONRECOVERABLE  LOSS  OF  THE  DATA  MANAGEMENT  UNIT  (DMU) , 
SPACEHAB  ACTIVITIES  WILL  CONTINUE.  HOWEVER,  THE  WATER  LINE 
HEATERS  WILL  BE  TURNED  ON  TO  PREVENT  FREEZING.  ®[1 1 1 501 -4981 E] 

Loss  of  the  DMU  results  in  loss  of  all  Payload  Data  Interleaver  (PDI )  data  to  the  Orbiter  Display 
System,  Payload  General  Support  Computer  (PGSC)  downlink,  and  all  subsystem  control  capabilities 
(except  that  which  is  routed  through  the  orbiter  multiplexer/demultiplexer  (MDM)).  All  experiment  data 
to  the  DMU  would  also  be  lost.  However,  safety  critical  monitoring  and  control  is  all  routed  through  the 
PL  MDM  and  Caution  and  Warning  Electronics  Assembly  ( CWEA).  Water  line  heaters  are  turned  on 
because  a  DMU  failure  results  in  loss  of  water  pump  monitoring  capability. 

B.  FOR  LOSS  OF  THE  NODULE  SYSTEMS  PGSC  CAPABILITY,  SPACEHAB 
OPERATIONS  WILL  CONTINUE. 

The  PGSC  is  used  for  backup  monitoring  only.  Primary  monitoring  still  exists  at  the  Orbiter  Display 
System,  as  well  as  through  the  Fault  Detection  and  Annunciation  (FDA)  and  CWEA  systems.  Ground 
monitoring  via  the  PDI  downlink  is  also  still  available. 

C.  PDI  DECOM  LOSS  IMPACTS  WILL  BE  DOCUMENTED  IN  THE  FLIGHT 
SPECIFIC  ANNEX.  ®[1 11501 -4981 E] 
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A2-321  SPACEHAB  AIR-TO-GROUND  (A/G)  USAGE 

A.  THE  STANDARD  ORBITER  A/G  CHANNEL  (A/G  1)  WILL  BE  USED  FOR  ANY 
DISCUSSIONS  RELATED  TO  SPACEHAB  SUBSYSTEMS.  THE  SSP  CAPCOM 
WILL  BE  THE  GROUND  COMMUNICATOR.  ®[1 1 1 501 -4981 E] 

Since  the  module  is  integrated  to  the  orbiter,  it  is  necessary  that  any  systems  issues  be  discussed  on  A/G 
1,  which  all  Space  Shuttle  Program  (SSP)  flight  control  team  members  monitor.  In  addition,  this 
strategy  guarantees  that  emergency/time  critical  issues  are  discussed  on  the  prime  A/G  loop. 

B.  EITHER  A/G  1  OR  A/G  2  WILL  BE  USED  FOR  ANY  DISCUSSIONS 
RELATED  TO  SPACEHAB  EXPERIMENTS  DEPENDING  ON  THE  AMOUNT  OF 
A/G  USAGE.  A  SPACEHAB  CREW  INTERFACE  COORDINATOR  (CIC)  WILL 
BE  THE  GROUND  COMMUNICATOR. 


Spacehab  is  responsible  for  all  experiment  procedures  and  the  experiment  flight  datafile.  Therefore,  the 
most  efficient  communication  path  is  directly  between  the  crew  and  the  CIC.  The  CIC  will  be  in  the  JSC 
POCC.  The  Flight  Director  will  decide  which  A/G  loop  is  the  most  appropriate  to  use.  ®[1 11501  -4981 E] 

C.  ANY  SAFETY-RELATED  ISSUES,  INCLUDING  THOSE  RELATED  TO 

EXPERIMENTS,  WILL  BE  CONDUCTED  ON  THE  PRIME  A/G  LOOP  (A/G 
1)  .  ®[1 1 1501-4981 E] 


Self-explanatory. 

D.  ROUTINE  CONVERSATIONS  DURING  SPACEHAB  EXPERIMENTS  OPERATIONS 
BETWEEN  THE  CIC  AND  THE  CREW  ON  A/G  1  OR  A/G  2  WILL  NORMALLY 
BE  INITIATED  BY  CREW  REQUEST.  THE  FOLLOWING  RESTRAINTS  SHALL 
APPLY  TO  CIC  PROTOCOL  AND  A/G  1  OR  A/G  2  USAGE. 
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A2-321  SPACEHAB  AIR-TO-GROUND  (A/G)  USAGE  (CONTINUED) 

1.  THE  VOICE  PROTOCOL  SHALL  BE  THE  SAME  AS  THAT  USED  BY  THE 
JSC  CAPCOM . 

2.  THE  SPACEHAB  OPERATIONS  DIRECTOR  (SHOD)  IS  RESPONSIBLE 
FOR  APPROVING  ALL  CALLS  INITIATED  FROM  THE  GROUND  TO  THE 


CREW. 

3. 

DIRECT  EXPERIMENTER  CALLS  TO  THE  CREW  ON  A/G 
SHALL  BE  UPON  CREW  REQUEST  ONLY. 

1  OR  A/G  2 

4  . 

THE  CALL  SIGN  FOR  THE  SPACEHAB  POCC  SHALL  BE 

POCC. " 

"SPACEHAB 

5  . 

OCA  S-BAND  (MFX)  OPERATIONS  WILL  TAKE  PRECEDENCE  OVER 
ROUTINE  SPACEHAB  A/G  2  USAGE. 

6. 

EXCEPTIONS  TO  THIS  RULE  ARE  DOCUMENTED  IN  THE 

SPECIFIC  ANNEX. 

FLIGHT 

Past  flight  crew  comments  on  overuse  of  A/G  by  payloads  point  out  the  need  for  more  rigid  control  of 
the  traffic  and  voice  protocol.  In  addition,  use  of  the  OCA  S-Bcind  ( OCA  Ku-Band  is  nominal)  adds 
complexity  to  the  scheduled  use  of  one  of  the  A/G  links.  With  the  many  users  as  well  as  the  many 
experimenters  on  a  Spacehab  flight,  careful  definition  of  the  A/G  1  or  A/G  2  usage  is  required.  This 
rule  represents  an  agreed  to  baseline  with  the  customer  for  Spacehab  flights.  ®[1 11501  -4981 E]  ®[1 11501- 
4981 E]  ®[1 11501 -4976A]  @[092701  -4872  ] 


A2-322  SPACEHAB  CAUTION  AND  WARNING  ANNUNCIATION  IN  MODULE 

LOSS  OF  ALL  CAUTION  AND  WARNING  ANNUNCIATION  CAPABILITY  IN  THE 
SPACEHAB  MODULE  IS  NOT  CAUSE  TO  TERMINATE  SPACEHAB  ACTIVITIES 
PROVIDED:  ®[1 11501  -4981 E] 

A.  ANNUNCIATION  CAPABILITY  EXISTS  IN  THE  ORBITER  AND, 

B.  VOICE  COMMUNICATION  BETWEEN  THE  ORBITER  AND  SPACEHAB  IS 
AVAILABLE . 


All  emergency  safety  parameters  are  redundantly  monitored  by  the  orbiter  GPC  and  CWEA.  In  addition, 
both  of  these  monitoring  systems  cause  annunciating  in  both  Spacehab  and  the  orbiter.  Loss  of  the 
Spacehab  C&W  annunciating  capability  is  therefore  only  loss  of  redundancy.  The  orbiter  crew  would 
alert  the  Spacehab  crew  of  any  emergencies.  ®[1 11501  -4981 E] 
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A2-323  COMMUNICATIONS  CONSTRAINTS 

LOSS  OF  VOICE  COMMUNICATION  BETWEEN  THE  ORBITER  AND  SPACEHAB 
CREWMEMBERS  IS  NOT  CAUSE  TO  TERMINATE  SPACEHAB  OPERATIONS 
PROVIDED  CAUTION  AND  WARNING  ANNUNCIATION  CAPABILITY  STILL  EXISTS 
IN  SPACEHAB.  ®[1 1 1501-4981 E] 

Loss  of  voice  communication  does  not  present  a  hazard  to  the  crew  if  caution  and  warning  alarms  are 
still  available  from  the  audio  control  system  (ACS).  Spacehab  operations  would  be  impacted,  but  may  be 
continued  in  the  best  possible  manner.  Coordination  can  be  carried  out  by  voice  calls  down  the  tunnel 
or  possibly  by  using  the  BPSMU  or  a  wireless  crew  comm  unit  (WCCU)  connected  in  the  airlock. 

®[1 11501-4981 E] 


A2-324  SPACEHAB  IN-FLIGHT  MAINTENANCE  (IFM)  PROCEDURES 

A.  IN  SUPPORT  OF  ALL  FLIGHTS  RULE  {A2-105},  IN-FLIGHT 

MAINTENANCE  (IFM),  ALL  SPACEHAB  UNSCHEDULED  IFM  PROCEDURES 
CONTAINED  IN  THE  SPACEHAB  OPERATIONS  CHECKLIST  (JSC-48089) 

AND  SPACEHAB  RDM  MALFUNCTION  PROCEDURES  (JSC-48099)  HAVE  BEEN 
PREMISSION  COORDINATED  AND  REQUIRE  REAL-TIME  MCC  APPROVAL 
ONLY  PRIOR  TO  IMPLEMENTATION,  EXCEPT  THOSE  LISTED  IN 
PARAGRAPH  B.  EXPERIMENT  IFM' S  ARE  DOCUMENTED  IN  THE  FLIGHT 
SPECIFIC  ANNEX.  ®[1 1 1 501 -4981 E] 


These  IFM’s  have  been  reviewed  preflight  and  identified  as  acceptable;  however,  because  of  their  nature, 
implementation  must  be  coordinated  with  the  MCC. 

B.  THE  FOLLOWING  ARE  LISTS  OF  SPACEHAB  SCHEDULED  IFM  PROCEDURES 
IN  THE  SPACEHAB  OPERATIONS  CHECKLIST  (JSC-48089)  WHICH  DO  NOT 
REQUIRE  REAL-TIME  APPROVAL  OR  COORDINATION  PRIOR  TO 
IMPLEMENTATION. 

1.  FAN  CLAMP  REMOVAL  (IFM- 1.3) 

2.  FAN  CLAMP  REPLACEMENT  (IFM- 1.4) 

C.  ALL  REAL-TIME  DEVELOPED  SPACEHAB /EXPERIMENT  IFM  PROCEDURES 
WILL  BE  COORDINATED  AND  APPROVED  BY  THE  MCC. 


Implementation  of  unplanned  IFM’s  may  require  activities  which,  if  not  properly  reviewed  and 
coordinated,  could  result  in  an  array  of  unsafe  conditions.  Therefore,  unplanned  IFM  activity  must  be 
coordinated  with  MCC  to  ensure  the  safety  of  the  orbiter,  payloads,  and  crew.  If  no  previous  IFM  work 
has  been  done,  a  minimum  of  24  hours  may  be  expected  before  an  experiment  IFM  may  be  approved  and 
uplinked.  ®[i  1 1 501  -4981 E] 
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A2-325  IFM  PROCEDURES  ON  EXPERIMENTS  WITH  TOXIC  HAZARDS 

NO  IFM  PROCEDURES  WILL  BE  INITIATED  BY  THE  CREW  ON  AN  EXPERIMENT 
KNOWN  TO  REPRESENT  A  TOXIC  HAZARD  UNTIL  CONCURRENCE  FOR  THE 
REPAIR  PROCEDURE  IS  OBTAINED  FROM  THE  MCC  FLIGHT  DIRECTOR. 
SPACEHAB  EVACUATION  AND/OR  PROTECTIVE  EQUIPMENT  MAY  BE  REQUIRED 
(SEE  RULE  { A1 3-1 5 6 } ,  SPACEHAB  HAZARDOUS  SUBSTANCE  SPILL 
RESPONSE) .  ALL  PAYLOAD  EXPERIMENTS / SAMPLES  CONTAINING  HAZARDOUS 
MATERIALS  ARE  DEFINED  IN  THE  FLIGHT  SPECIFIC  ANNEX.  ®[1 1 1 501 -4981 E] 


A  real-time  assessment  of  the  possibility  of  repairing  an  experiment  and  the  risk  of  exposing  the  crew  to 
a  toxic  substance  during  the  repair  will  need  to  be  made.  The  IFM  may  require  that  the  cleanup 
equipment  specified  in  Rule  {A13-156},  SPACEHAB  HAZARDOUS  SUBSTANCE  SPILL  RESPONSE,  be 
used  to  minimize  risk  of  crew  exposu  re  to  toxic  substances.  ®[111501-4981E] 
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A2-326  EQUIPMENT  EXCHANGE  BETWEEN  ORBITER  CABIN  AND 

SPACEHAB  MODULE 

A.  ELECTRICAL  EQUIPMENT  OR  EXPERIMENTS,  SELF-POWERED  OR 

FACILITY-POWERED,  SHALL  NOT  BE  TRANSFERRED  BETWEEN  THE 
ORBITER  AND  SPACEHAB  UNLESS  CERTIFIED  FOR  USE  IN  BOTH 
LOCATIONS.  APPROVED  EQUIPMENT  WILL  BE  IDENTIFIED  IN 
PARAGRAPH  B.  ®[1 1 1501-4981 E] 


Equipment  may  only  be  used  in  areas  where  it  has  been  approved  from  an  electromagnetic  compatibility 
standpoint.  In  addition,  power  budgeting/planning  can  only  be  accomplished  effectively  if  equipment 
movement  strategy  is  coordinated  preflight  via  this  rule. 

B.  SPACEHAB  SUBSYSTEM  GENERIC  EQUIPMENT 

1.  WIRELESS  CREW  COMMUNICATION  SYSTEM  (WCCS) 

2.  ORBITER  COMM  EQUIPMENT 

3.  VACUUM  CLEANER  AND  ACCESSORIES  (CABLE  AND  ATTACHMENT) 

4.  ORBITER  CAMCORDER  AND  ACCESSORIES 

5.  PAYLOAD  AND  GENERAL  SUPPORT  COMPUTER  (PGSC)  AND 
ACCESSORIES 

6.  ORBITER  CAMERA  AND  ACCESSORIES 

7.  ELECTRONIC  STILL  CAMERA  (ESC) 

EXCEPTIONS  TO  THIS  RULE  ARE  DOCUMENTED  IN  THE  FLIGHT  SPECIFIC 
ANNEX.  ®[1 11501-4981 E] 
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A2-327  SPACEHAB  MODULE/TUNNEL  SLEEP  CONSTRAINTS 

A.  NO  CREWMEMBERS  SHALL  SLEEP  IN  THE  SPACEHAB-TO-ORBI TER  TUNNEL. 
®[1 11501-4981 E] 

In  the  event  it  was  necessary  to  rapidly  evacuate  the  module,  a  sleeping  crewmember  either  tethered  or  in 
a  sleeping  bag  would  pose  a  hazard.  In  addition,  the  tunnel  does  not  offer  the  same  amount  of  protection 
for  radiation  that  is  provided  by  the  module  or  orbiter  cabin. 

B.  CREWMEMBERS  MAY  SLEEP  IN  THE  SPACEHAB  MODULE  IF: 

1.  SPACEHAB  SYSTEM  DATA  IS  BEING  NOMINALLY  TRANSMITTED  TO 
THE  ORBITER' S  SM  GPC  AND  TELEMETERED  TO  THE  GROUND. 

2.  THE  CAUTION  AND  WARNING  LINK  BETWEEN  THE  ORBITER  AND 
SPACEHAB  IS  OPERATIONAL. 

3.  AT  LEAST  ONE  SPACEHAB  SMOKE  SENSOR  IS  OPERATIONAL. 

4.  THE  AUDIO  LINK  BETWEEN  THE  ORBITER  AND  SPACEHAB  IS 
OPERATIONAL. 

5.  THE  ARS  FAN  AND  AT  LEAST  ONE  ARS  FAN  DELTA  PRESSURE 
SENSOR  ARE  OPERATIONAL  IN  ADDITION  TO  THE  FOLLOWING: 

a.  (LDM  ONLY)  THE  AFT  MODULE  FAN  AND  ITS  ASSOCIATED 
DELTA  PRESSURE  SENSOR  ARE  OPERATIONAL. 

b.  (RDM  ONLY)  AT  LEAST  ONE  HAB  FAN  ASSEMBLY  ( HFA)  FAN 
AND  ONE  HFA  FAN  DELTA  PRESSURE  SENSOR  ARE 
OPERATIONAL . 


Nominal  safety  monitoring  is  via  the  SM  GPC  and  the  Caution  and  Warning  Electronics  Assembly 
( CWEA).  Ground  monitoring  of  safety  parameters  provides  a  further  safety  monitoring  capability.  The 
audio  link  to  the  Spacehab  is  desirable  for  communication  in  the  case  of  a  contingency  commencing 
during  sleep.  The  ARS  fan  and  the  ARS  fan  delta  pressure  sensor  are  required  to  verify  that  the  ARS  fan 
is  operating,  thus  ensuring  air  exchange  with  the  orbiter.  In  addition  to  the  ARS  fan  and  ARS  fan  delta 
pressure  sensor,  one  HFA  fan  and  one  HFA  fan  delta  pressure  sensor  in  the  RDM  configuration  are 
required  for  cooling,  or  the  aft  module  fan  and  its  associated  delta  pressure  sensor  in  the  LDM 
configuration  are  required  to  ensure  adequate  airflow  through  the  aft  module.  Any  one  AC  fan  ( Cabin 
or  ARS)  in  the  SM/LDM  or  one  HFA  fan  in  the  RDM  is  adequate  for  smoke  detection. 

Reference:  Rule  {A17-706},  SPACEHAB  FAN  CONFIGURATIONS,  Boeing  memo,  2 C-SPA CEHAB- 
01044,  A90-SPACEHAB-97088,  A90-SPACEHAB-2000192,  MDC92W5610,  and  MDC95W5829. 

®[1 1 1501-4981 E] 
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A2-328  CREW  LIMITATIONS  IN  THE  SPACEHAB  MODULE 

A.  THE  MAXIMUM  NUMBER  OF  CREWMEMBERS  PERMITTED  IN  THE  MODULE  MAY 
BE  LIMITED  BASED  ON  REAL-TIME  EVALUATION  OF  (£  AND  CO2 
LEVELS,  RELATIVE  HUMIDITY,  AND  CABIN  TEMPERATURE  .  ®[11 1501 -4981 E] 

Spacehab  SM/LDM  is  designed  to  reject  1400/1000  watts  (respectively)  of  waste  heat  from  surface  air¬ 
cooled  experiments  with  two  crewmembers  in  the  module.  Spacehab  RDM  is  designed  to  reject  2000 
watts  of  waste  heat  from  surface  air-cooled  experiments  with  three  crewmembers  in  the  module. 
Boeing/Spacehab  analysis  shows  that  each  additional  crewmember  over  the  design  value  of  two  will 
decrease  the  available  experiment  air  heat  rejection  accommodations  by  115  watts  minimum  and  265 
watts  maximum  ( SM/LDM  only).  Each  additional  crewmember  is  expected  to  increase  module  dew  point 
by  about  1  deg  F.  Moisture  is  not  a  limiting  factor  for  the  Spacehab  RDM  since  it  has  moisture  removal 
capability.  The  RDM  with  the  53  cfin  air  exchange  rate  with  the  orbiter  is  designed  to  accommodate 
three  crewmembers  continuously.  In  the  RDM,  CO  2  generation  may  be  the  limiting  factor  for  crew 
occupancy  above  its  design  limit.  Increases  in  oxygen  (O2)  consumption  show  no  immediate  concern  for 
nominal  operations  in  all  module  configurations. 

B.  ORBITER  CREWMEMBERS  MAY  ASSIST  IN  OPERATIONS  IN  THE  SPACEHAB 
MODULE  OR  SERVE  AS  TEST  SUBJECTS  (SUBJECT  TO  ALL  FLIGHTS  RULE 
{ A2-135 } ,  COMMANDER  ( CDR)  AND  PILOT  (PLT )  PARTICIPATING  AS 
TEST  SUBJECTS)  AS  NEGOTIATED  PREFLIGHT. 

Preflight  coordination  will  guarantee  that  the  workloads  of  the  orbiter  crewmembers  are  acceptable  and 
that  All  Flights  Rule  {A2-135}  COMMANDER  (CDR)  AND  PILOT  (PLT)  PARTICIPATING  AS  TEST 
SUBJECTS,  is  not  violated.  ®[i  1 1 501-4981 E] 
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A2-32  9  SPACEHAB  DEACTIVATION/ENTRY  PREP  ®[1 11501  -4981 E] 

SPACEHAB  DEACTIVATION  WILL  PROCEED  BY  ONE  OF  THE  FOLLOWING 
METHODS  DEPENDING  ON  CIRCUMSTANCES:  ®[1 1 1 501 -4982A] 

A.  NOMINAL  ENTRY  PREP  -  SECURING  OF  THE  SPACEHAB  BY  NOMINAL 

CHECKLIST  PROCEDURES.  THE  NOMINAL  ENTRY  PREP  WILL  BE  DONE 
FOR: 

1.  NOMINAL  END -OF -MISS ION 

2.  ANY  FAILURE  THAT  RESULTS  IN  A  PRIMARY  LANDING  SITE  (PLS) 
WITH  DEORBIT  TIME  OF  IGNITION  (TIG)  OCCURRING  BEYOND  12 
HOURS . 


Nominal  entry  prep  requires  approximately  1-2  hours  and  is  scheduled  in  the  Flight  Plan.  A  PLS  TIG 
greater  than  12  hours  away  will  allow  the  crew  to  perform  the  desirable,  nominal  module  entry  prep. 

The  procedure  will  include  equipment  stowage,  nominal  deactivation  of  experiments,  and  an  orderly 
reconfiguration  to  the  Spacehab  entry  configuration. 

B.  SPACEHAB  30-MINUTE  CONTINGENCY  DEACTIVATION  -  SECURING  OF 
SPACEHAB  AND  EXPERIMENT  HARDWARE  IN  MINIMUM  TIME  WITHOUT 
INCURRING  DAMAGE  TO  SPACEHAB,  AND  WHEN  POSSIBLE,  EXPERIMENT 
EQUIPMENT.  SPACEHAB  30-MINUTE  CONTINGENCY  DEACTIVATION 
PROCEDURES  WILL  BE  DONE  FOR: 

1.  ANY  FAILURE  THAT  RESULTS  IN  A  PLS  WITH  DEORBIT  TIG 
OCCURRING  BETWEEN  3.5  TO  12  HOURS. 

2.  UNRECOVERABLE  LOSS  OF  ALL  SPACEHAB  AIR  CIRCULATION  FANS. 

Spacehab  30-minute  contingency  deactivation  is  intended  to  perform  as  much  of  the  normal  deactivation 
of  the  module  as  possible.  It  also  provides  a  balance  between  deactivating  the  module  in  a  shorter-than- 
nominal  time  and  preserving  equipment  (and  science,  if  possible).  The  procedure  will  include  critical 
entry  stowage,  an  abbreviated  but  orderly  Spacehab  shutdown,  and  safing  of  experiments,  if  time 
permits.  ®[1 1 1 501 -4982A] 
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A2-329  SPACEHAB  DEACTIVATION/ENTRY  PREP  (CONTINUED) 

C.  SPACEHAB  EMERGENCY  DEACTIVATION  -  IMMEDIATE  STOW  OF  ANY 

PENETRATORS,  EGRESS,  AND  CLOSURE  OF  THE  HATCH  WITHOUT  ANY 
OTHER  ACTIVITIES  WITHIN  THE  3-MINUTE  CONSTRAINT.  IF 
CIRCUMSTANCES  WARRANT,  ALL  POWER,  EXCEPT  PL  AFT  MN  B,  WILL  BE 
REMOVED.  SPACEHAB  EMERGENCY  DEACTIVATION  PROCEDURES  WILL  BE 
DONE  FOR:  ®[1 1 1501-4982A] 

1.  ORBITER  PROBLEMS  REQUIRING  EMERGENCY  DEORBIT 

2.  AN  ORBITER/MODULE  LEAK  (DEACTIVATION  STEPS  ONLY  NEEDED  IF 
LEAK  CANNOT  BE  ISOLATED) .  IF  THE  LEAK  IS  ISOLATED  TO  THE 
SPACEHAB  MODULE  AFTER  EGRESS,  THE  CREW  MAY  REOPEN  THE 
SPACEHAB  TO  PERFORM  ADDITIONAL  DEACTIVATION/ENTRY  PREP, 

IF  CONSUMABLES  PERMIT  PER  RULE  {A17-751},  MODULE  PRESSURE 
INTEGRITY. 

3.  FOR  SPACEHAB  MODULE  FIRE  (DEACTIVATION  STEPS  ONLY  NEEDED 
IF  FIRE  SUPPRESSION  NOT  SUCCESSFUL.) 

4.  DISCHARGE  OF  ALL  HALON  SYSTEM  BOTTLES  (EGRESS  STEPS  ONLY) 

5.  SPACEHAB  MODULE  LEVEL-4  TOXIC  SPILL  (EGRESS  STEPS  ONLY) 

In  emergency  situations  (i.e.,fire,  depress,  or  toxic  spill),  the  crew  must  be  able  to  safe  and  isolate  the 
module  within  3  minutes.  Safe  return  of  the  crew  is  paramount  in  these  cases.  Only  payload  procedures 
required  for  safe  entry  (restraint  of  penetrators,  crew  module  egress,  and  hatch  closure)  are  allowed  in 
these  time  critical  situations.  No  attempt  is  made  to  prevent  damage  to  the  module  or  experiments, 
except  stowing  any  penetrators.  Reference  NSTS  18798A,  MA2-96-190,  “CONTINGENCY  RETURN 
AND  RAPID  SAFING,  ”  memo  dated  January  9,  1997.  The  Spacehcib  Emergency  Deactivation 
procedure  includes  steps  for  egress  and  power  removal.  All  mean  AC  and  DC  power,  except  PL  AFT  MN 
B,  which  is  required  to  power  the  Spacehcib  water  line  heaters,  is  removed  for  an  emergency 
deactivation.  In  some  cases,  Spacehab  emergency  egress  steps  are  integrated  into  the  applicable  orbiter 
procedures  (i.e.,  cabin  leak)  and  Payload  powerdowns,  when  it  is  appropriate.  ®[1 1 1 501 -4982A] 
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A2-330  EXTENSION  DAY  GROUND  RULES 

A.  POWER  LEVELS  ®[1 1 1501-4981 E] 

THE  SPACEHAB  AND  ITS  EXPERIMENTS  WILL  BE  POWERED  DOWN  TO  THE 
GREATEST  EXTENT  POSSIBLE  (SURVIVAL  POWER  CONFIGURATION)  AS 
DEFINED  IN  RULE  {A9-357},  SPACEHAB  SURVIVAL  POWER 
CONFIGURATION.  ®[ED  ] 

The  amount  of  consumables  remaining  at  the  nominal  end  of  flight  does  not  allow  for  operations  of 
experiments  without  degrading  the  capability  of  the  orbiter  to  remain  in  orbit.  For  those  cases  which 
require  that  additional  power  be  provided  to  allow  for  presentation  of  experiment  samples/data,  the 
consumable  must  be  allocated  preflight  and  thus  affect  the  mission  duration. 

B.  CONSUMABLES 

NO  SPACEHAB  EXPERIMENT  ACTIVITIES  WHICH  REQUIRE  ORBITER 
CONSUMABLES  WILL  NORMALLY  BE  PLANNED.  FLIGHT-SPECIFIC 
OPTIONS  ARE  DEFINED  IN  THE  FLIGHT  SPECIFIC  ANNEX. 

Extension  days  would  generally  be  required  only  for  weather ,  orbiter,  and/or  landing  site  problems  that 
would  benefit  from  extra  time  before  landing.  To  preven  t  further  complications,  the 
Spacehab/ experiments  should  be  maintained  in  a  safe,  deactivated  state.  This  should  not  impact  the 
Spacehab/experiments  since  all  payload  activities  should  have  already  been  completed  by  the  nominal 
end  of  mission.  In  addition,  the  crew  must  be  available  to  perform  necessary  orbiter  activities  to  ensure 
a  safe  return. 

C.  SPACEHAB  CONSTRAINTS  ON  EXTENSION  DAY  ATTITUDE  WILL  BE 
DOCUMENTED  IN  THE  FLIGHT  SPECIFIC  ANNEX. 

-ZLV  attitude  will  normally  provide  a  stable  thermal  environment  for  the  orbiter  and  Spacehab  module 
during  an  extension  day  and  is  accomplished  with  a  minimum  amount  of  propellant  for  attitude 
maintenance.  With  radiators  deployed,  the  -ZLV  attitude  will  provide  sufficient  orbiter  heat  rejection 
when  flying  with  any  beta  angle.  With  radiators  stowed,  the  -ZLV  attitude  may  be  acceptable,  or  a  flight- 
specific  attitude  can  be  determined.  If  a  cooler  attitude  is  required,  the  orbiter  can  execute  passive 
thermal  control  (PTC)  which  gives  the  advantage  of  providing  a  consistent  thermal  environment  for  the 
entire  vehicle.  ®[1 11501  -4981 E] 
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A2-331  CONSTRAINTS  ON  CABLES  THROUGH  THE  SPACEHAB  HATCH 

AND  TUNNEL 

THE  SPACEHAB  HATCHWAY  AND  TUNNEL  SHALL  BE  FREE  AND  CLEAR  OF 
OBSTRUCTION  TO  ENSURE  THAT  THE  CREW  IS  CAPABLE  OF  SAFING  AND 
ISOLATING  THE  MODULE  WITHIN  3  MINUTES  FOR  AN  EMERGENCY. 

@[111501-4984] 

Every  effort  shall  be  made  to  preclude  routing  cables  through  the  Spacehab  hatch  and  tunnel.  In 
emergency  situations  ( i.  e. ,  fire,  depress,  or  toxic  spill),  the  crew  must  be  able  to  secure  penetrators  and 
isolate  the  module  within  3  minutes.  The  hatch  closure  itself  takes  approximately  1  minute,  which  leaves 
approximately  2  minutes  to  safe  the  module  and  clear  the  hatchway.  Cables,  in  addition  to  anything  that 
may  pose  interference  with  hatch  closure,  are  considered  “drag-throughs.  ” 

IN  THE  EVENT  DRAG-THROUGH  ROUTING  CANNOT  BE  PRECLUDED,  THE 
FOLLOWING  CRITERIA  SHALL  APPLY: 

A.  THE  ABILITY  TO  SAFE  AND  ISOLATE  THE  MODULE  WITHIN  3  MINUTES 
SHALL  BE  RETAINED. 


The  3-minute  constraint  is  paramount  for  the  crew  to  have  the  ability  to  respond  to  any  emergency 
situation  ( i.e.,  fire,  depress,  or  toxic  spill )  and  allow  the  hatch  to  be  closed  regardless  of  whether  or  not 
drag-throughs  are  present  across  the  hatchway.  Tests  show  it  takes  approximately  10  seconds  to  break 
each  quick  disconnect  ( QD )  by  a  single  crewmember. 

B.  IF  THE  DRAG-THROUGH  IS  NOT  UNDER  THE  CONTROL  OF  A  CREWMEMBER, 
IT  SHALL  BE  RESTRAINED  TO  AVOID  CREW  ENTANGLEMENT  WHILE 
TRANSLATING  THROUGH  THE  HATCH  AND  TUNNEL.  IF  A  QUICK 
DISCONNECT  RELATED  TO  THE  DRAG-THROUGH  HAS  BEEN  POSITIONED  IN 
PROXIMITY  TO  THE  HATCH,  THE  RESTRAINT  SHALL  NOT  BE  LOCATED 
BETWEEN  THE  DISCONNECT  AND  THE  HATCH. 


A  drag-through  that  is  under  the  control  of  a  crewmember  implies  short-term  use  and  will  be  taken  back 
through  the  hatch  as  a  crewmember  exits  when  circumstances  dictate  hatch  closure.  A  restraint  between 
the  hatch  and  the  quick  disconnect  complicates  the  effort  to  clear  the  hatchway  and  close  the  hatch. 

THIS  RULE  CONTINUED  ON  NEXT  PAGE 
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A2-331 


CONSTRAINTS  ON  CABLES  THROUGH  THE  SPACEHAB  HATCH 
AND  TUNNEL  (CONTINUED) 


C.  DRAG-THROUGHS  SHALL  NOT  IMPEDE  CREW  NAVIGATION  THROUGH  THE 
HATCHWAY.  A  TRANSLATION  CORRIDOR,  SUFFICIENT  TO  ALLOW  A 
CREWMEMBER  TO  PASS  THROUGH  THE  HATCH,  SHALL  BE  MAINTAINED. 


A  32-inch  minimum  diameter  must  be  maintained  through  the  Spacehab  hatch.  ®[1 11501-4984  ] 


D.  WHERE  PRACTICAL,  AND  WITHIN  DESIGN  LIMITATIONS  AND  TIME 
CONSTRAINTS  IMPOSED  BY  THE  HARDWARE  AND  OPERATIONAL 
REQUIREMENTS,  THE  FOLLOWING  CONSTRAINTS  WILL  BE  IMPLEMENTED: 

@[111501-4984] 

1.  ALL  DRAG-THROUGHS  ROUTED  THROUGH  THE  SPACEHAB  HATCH  SHALL 
BE  CONFIGURED  WITHIN  A  SINGLE  90-DEGREE  SECTION  OF  THE 
HATCH  AS  SHOWN  BY  THE  FIGURE  BELOW: 


DRAG-THROUGHS 


Drag-throughs  should  be  routed  within  the  90-degree  section  of  the  Spacehab  hatch  to  aid  in  the  ability 
of  the  crew  to  quickly  locate  and  remove  hatch  obstructions. 
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A2-331  CONSTRAINTS  ON  CABLES  THROUGH  THE  SPACEHAB  HATCH 

AND  TUNNEL  (CONTINUED) 

2.  DRAG-THROUGHS  SHOULD  BE  ROUTED  SUCH  THAT  A  QUICK  RELEASE 
CONNNECTOR  IS  LOCATED  WITHIN  2  FEET  ON  EITHER  SIDE  OF  THE 
SPACEHAB  HATCH.  DISCONNECT  FEATURES  FOR  ALL  DRAG- 
THROUGHS  ROUTED  THROUGH  THE  HATCH  SHOULD  BE  ON  THE  SAME 
SIDE  OF  THE  HATCH. 


The  quick  release  connector  features,  and  constraints  on  having  all  such  connectors  lie  within  2  feet  of 
the  Spacehcib  hatch  and  on  the  same  side  of  the  hatch  for  all  drag-throughs,  allows  quick  location  and 
removal  (tests  show  at  10  seconds  per  quick  release  connector )  of  drag-through  obstructions(s)  to  hatch 
closure.  ®[i  1 1 501  -4984  ] 

3.  DRAG-THROUGHS  SHOULD  BE  LIMITED  TO  NO  GREATER  THAN  FOUR 
DURING  CREW  AWAKE  TIME  AND,  IF  LEFT  IN  PLACE  DURING  THE 
CREW  SLEEP  PERIOD,  THE  NUMBER  OF  DRAG-THROUGHS  ROUTED 
THROUGH  THE  SPACEHAB  HATCH  AND  TUNNEL  SHOULD  BE  REDUCED 
TO  TWO.  @[111501-4984] 


An  operational  limit  of  two  drag-throughs  across  the  Spacehcib  hatch  during  the  crew  sleep  period  has  a 
better  chance  of  accommodating  the  3 -minute  constraint  on  scifing  and  isolating  the  module.  Limiting 
the  number  of  drag-throughs  to  a  maximum  of  four  drag-throughs,  whether  temporary  or  permanent,  will 
minimize  the  risk  in  not  being  able  to  meet  the  3-minute  rapid  scifing  constraint. 

4.  IF  TIME  ALLOWS,  PRIOR  TO  DEMATING  AN  ELECTRICAL 

CONNECTION  EXCEEDING  32  VOLTS  UPSTREAM,  POWER  WILL  BE 
REMOVED . 

E.  THE  BPSMU  IS  THE  ONLY  DRAG-THROUGH  APPROVED  GENERICALLY  FOR 

USE  IN  SPACEHAB.  ADDITIONAL  DRAG-THROUGHS  MAY  BE  APPROVED  ON 
A  MISSION  SPECIFIC  BASIS  AND  LISTED  IN  THE  FLIGHT  SPECIFIC 
ANNEX . 


The  BPSMU  meets  the  requiremen  ts  for  drag-throughs  in  this  rule  and  was  the  only  drag-through 
iden  tified  at  the  time  this  rule  was  written.  It  can  be  used  nominally  for  communication  between  the 
Spacehcib  and  orbiter  or  Spacehcib  and  ISS  when  the  Spacehab  ACS  is  not  available  or  operational. 
®[1 1 1501 -4984]  @[111 501 -4981 E]  ®[1 1 1501-4962A]  ®[1 1 1 501 -4982A  ] 
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A2-332  LOSS  OF  SM  GPC  DURING  SPACEHAB  ACTIVATION/ENTRY 

PREP  ®[1 11501-4981 E] 

A.  LOSS  OF  THE  SYSTEMS  MANAGEMENT  (SM)  GPC  PRIOR  TO  ARS  FAN 
ACTIVATION  WILL  REQUIRE  SUSPENSION  OF  SPACEHAB  ACTIVITIES 
UNTIL  THE  SM  GPC  IS  RECOVERED  OR  THE  ARS  FAN  IS  POWERED. 
CONSIDERATION  WILL  BE  GIVEN  TO  WHICH  EXPERIMENTS  COULD  BE 
OPERATED  IN  THE  SPACEHAB  ASCENT  CONFIGURATION.  @[060800-71 1 6A] 

Nominal  Spacehab  ARS  fan  activation  and  subsystem  reconfiguration  are  achieved  via  the  SM  GPC. 

The  ARS  fan  provides  the  only  means  for  conditioned  air  exchange  with  the  orbiter.  Therefore, 

Spacehab  operations  must  be  postponed  until  the  ARS  fan  can  be  activated.  When  the  Spacehab  is 
powered  for  ascen  t,  the  water  pump  and  several  experimen  t  utility  outlets  are  powered  in  addition  to  the 
ARS  fan  or  Cabin/HFA  fan.  In  the  SM  and  LDM  configurations,  the  ARS  fan  is  the  preferred  fan  to 
operate  during  ascen  t.  In  the  RDM  configuration,  one  HFAfan  is  preferred  over  the  ARS  fan.  Spacehab 
RDM  is  always  powered  for  ascent.  Reference  Rule  / A17-706 },  SPACEHAB  FAN  CONFIGURATIONS. 

B.  LOSS  OF  THE  SYSTEMS  MANAGEMENT  (SM)  GPC  AFTER  SPACEHAB 
ACTIVATION  AND  BEFORE  ENTRY  PREP  IS  NOT  CAUSE  TO  TERMINATE 
SPACEHAB  ACTIVITIES.  @[111094-1733] 

Spacehab  activities  may  continue  because  the  module  remains  in  a  good  configuration  for  operation. 
Nominal  reconfiguration  of  Spacehab  subsystems  during  entry  prep  cannot  be  achieved  without  the  SM 
GPC.  Consideration  will  be  given  to  leaving  Spacehab  equipment  configured  on  orbiter  power  for  entry 
provided  orbiter  resources  are  available.  ®[1 1 1 501-4981 E] 
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A2-333  LOSS  OF  PAYLOAD  MDM  DURING  SPACEHAB  ACT/ENTRY  PREP 

®[1 11501-4981 E] 

A.  PAYLOAD  MDM  FAILURE 

LOSS  OF  PAYLOAD  (PL)  MDM  PL1,  PRIOR  TO  ARS  FAN  ACTIVATION, 
WILL  REQUIRE  SUSPENSION  OF  SPACEHAB  ACTIVITIES  UNTIL  THE  MDM 
IS  RECOVERED  OR  THE  ARS  FAN  IS  POWERED.  CONSIDERATION  WILL 
BE  GIVEN  TO  WHICH  EXPERIMENTS  COULD  BE  OPERATED  IN  THE 
SPACEHAB  ASCENT  CONFIGURATION.  @[060800-71 1 7A] 

Spacehab  Activation  and  subsystem  reconfiguration  are  achieved  via  the  Payload  MDM  1  (PL1 )  and 
otherwise  cannot  be  nominally  performed.  The  ARS  fan  is  important  because  it  provides  the  only  means 
for  conditioned  air  exchange  with  the  orbiter.  Spacehab  operations  must  be  postponed  until  the  ARS  fan 
can  be  activated.  Hard  failure  ofPLl  will  result  in  the  inability  to  activate  Spacehab.  All  Flights  Rule 
{. A7-109F },  IN-FLIGHT  MAINTENANCE  (IFM),  specifies  that  a  PL  MDM  will  only  be  swapped  to 
regain  PLBD  close  capability.  When  the  Spacehab  is  powered  for  ascent,  the  water  pump  and  several 
experiment  utility  outlets  are  powered  in  addition  to  the  ARS  fan  or  Cabin/HF A  fan.  In  the  SM  and  LDM 
configurations,  the  ARS  fan  is  the  preferred  fan  to  operate  during  ascent.  In  the  RDM  configuration,  one 
HFAfan  is  preferred  over  the  ARS  fan.  Spacehab  RDM  is  always  powered  for  ascent.  Reference  Rule 
(A1 7-706},  SPACEHAB  FAN  CONFIGURATIONS. 

B.  LOSS  OF  PAYLOAD  MDM  PL2  DURING  SPACEHAB  ACTIVATION  WILL  NOT 
REQUIRE  SUSPENSION  OF  SPACEHAB  ACTIVITIES.  @[111094-1734] 

Spacehab  activation  does  not  require  Payload  MDM  PL2.  @[060800-71 17A] 

C.  LOSS  OF  EITHER  PAYLOAD  MDM,  PL1  OR  PL2 ,  AFTER  ACTIVATION  AND 
BEFORE  ENTRY  PREP  IS  NOT  CAUSE  TO  TERMINATE  SPACEHAB 
ACTIVITIES . 

Caution  and  warning  parameters,  which  are  nominally  redundantly  monitored  by  the  CWEA  directly  and 
via  the  PL1-GPC-PL2  string,  are  still  monitored  by  the  CWEA  if  either  PL  MDM  fails.  Significant 
command  capability,  including  that  used  during  the  nominal  deactivation  process  (ARS  fan,  cabin/HF A 
fan,  and  water  pump  reconfiguration  for  powered  entry),  is  lost  ifPLl  is  lost.  However,  some  operations 
may  still  be  conducted.  Safety-related  redundant  command  capability  for  fire  suppression  still  exists 
(Standard  Switch  Panel  and  C3A5 ). 

D.  IF  A  CHOICE  EXISTS  BETWEEN  PL1  AND  PL2 ,  SPACEHAB  PREFERS  PL1 . 

The  majority  of  MDM  discretes  are  through  PL1.  The  impact  of  losing  PL1  is  greater  than  the  impact  of 
losing  PL2.  ®[1 1 1 501-4981 E] 
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A2-334  LOSS  OF  SM  MAJOR  FUNCTION 

TEMPORARY  LOSS  OF  SM  MAJOR  FUNCTION  AFTER  SPACEHAB  ACTIVATION  AND 
BEFORE  SPACEHAB  ENTRY  PREP  IS  NOT  A  CONSTRAINT  TO  CONTINUING 
SPACEHAB  OPERATIONS  IF:  ®[1 11501  -4981 E] 

A.  THE  SPACEHAB-TO-CWEA  INTERFACE  IS  OPERATING  NOMINALLY. 

B.  THE  FOLLOWING  SAFETY  SENSORS  ROUTED  TO  THE  CWEA  ARE 
OPERATIONAL : 

1.  FIRE/SMOKE  DETECTOR  A  OR  B 

2 .  ARS  FAN  DELTA  P  -  SENSOR  2 

3.  (RDM  ONLY)  HFA  FAN  DELTA  P  -  SENSOR  2 

If  the  SM  interface  is  down,  one  of  two  redundant  methods  of  monitoring  safety-critical  parameters  is 
lost.  Module  operations  may  continue  if  the  CWEA  is  still  monitoring  safety  parameters  and  the  sensors 
feeding  the  CWEA  (at  least  one  fire/smoke  and  the  ARS  fan)  are  nominal.  Note  that  monitoring  of 
Spacehab  parameters  is  still  available  on  the  ground  and  via  the  PGSC  in  the  module.  Redundancy  for 
partial  pressure  of  oxygen  ( PPO2 )  and  total  cabin  pressure  is  provided  by  the  orbiter  sensors  via 
hardware  caution  and  warning. 

Loss  of  SM  also  eliminates  a  significant  amoun  t  of  command  capability;  however ,  redundant  methods 
are  still  available  for  fire  suppression.  ®[1 11501 -4981 E] 
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A2-335  LOSS  OF  ORBITER  MASTER  TIMING  UNIT  (MTU) /PAYLOAD 

TIMING  BUFFER 

A.  LOSS  OF  THE  MTU  DURING  SPACEHAB  ACTIVATION  OR  DEACTIVATION  IS 
NOT  A  CONSTRAINT  TO  CONTINUING  SPACEHAB  ACTIVITIES;  HOWEVER, 
NOMINAL  ACTIVATION/DEACTIVATION  CANNOT  BE  PERFORMED. 
CONSIDERATION  WILL  BE  GIVEN  TO  WHICH  EXPERIMENTS  CAN  OPERATE 
IN  THE  SPACEHAB  ASCENT/ENTRY  CONFIGURATION.  ®[1 1 1 501 -4981 E] 


Loss  of  the  MTU  results  in  loss  of  a  clock  signal  to  the  Payload  Signal  Processor  (PSP),  which  causes 
loss  of  commanding  to  Spacehab.  PSP  commanding  is  required  to  perform  a  nominal  Spacehab 
activation  and  deactivation.  Operations  may  still  be  conducted  in  the  ascent/entry  configuration.  If 
Spacehab  is  unpowered  during  ascent,  operations  may  still  be  conducted  using  SSP  and  MDM 
commanding.  ®[1 11501  -4981 E] 

B.  LOSS  OF  THE  MTU  AFTER  SPACEHAB  ACTIVATION  AND  BEFORE  SPACEHAB 
DEACTIVATION  IS  NOT  A  CONSTRAINT  TO  CONTINUING  SPACEHAB 
ACTIVITIES;  HOWEVER,  THE  FOLLOWING  IMPACTS  OCCUR:  ®[1 11501 -4981 E] 

1.  LOSS  OF  PSP  UPLINK  COMMANDING  IS  DOCUMENTED  IN  THE  FLIGHT 
SPECIFIC  ANNEX. 


PSP  commanding  is  lost  when  the  MTU  fails.  All  nominal  uplink  commanding  to  Spacehab  subsystem 
equipment  and  to  some  experiments  is  through  the  PSP. 

2.  LOSS  OF  GREENWICH  MEAN  TIME  (GMT)  TIMETAG  INFORMATION 
INSERTED  BY  THE  DMU  INTO  THE  PDI  DATA  STREAM. 


The  GMT  timetag  is  inserted  into  the  PDI  data  stream  by  the  DMU  for  subsystem  information.  It  is  not 
used  onboard  Spacehab. 

3.  LOSS  OF  GMT  AND  MISSION  ELAPSED  TIME  (MET)  TO  SPACEHAB 
EXPERIMENTS  IS  DOCUMENTED  IN  THE  FLIGHT  SPECIFIC  ANNEX. 


The  MTU  is  the  only  source  of  synchronized  GMT  and  MET  to  Spacehab  and  experimen  ts.  This  could 
cause  degraded  experiment  results.  ®[1 11501  -4981 E] 
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ORBITER  SYSTEMS  GO/NO-GO 


A2-1001  ORBITER  SYSTEMS  GO/NO-GO 


FOR  LOSS  OF  THE  FOLLOWING:  MDF  NXT  PLS 


PROP 


OMS  ENG 

- 

2? 

OMS  PROP  TNK  LK 

- 

X? 

OMS  ENG  and  1  +X  PROS  JET 

- 

X? 

OMS  ENG  and  <  RCS  STEEP  DEORB  CAP 

- 

X? 

OMS/RCS  FLOW  PATH  (XFD) 

1? 

2? 

AFT  RCS  He  OR  PROP  TNK  LK 

- 

X? 

AFT  PRCS  MANIFOLDS 

- 

2?  SAME  SIDE 

OMS  INLET  LNE  LEAK 

- 

1? 

DPS 

GPC’s 

2? 

3? 

MDM's  SAME  TYPE:  (FF,  FA,  or  PL) 

- 

2? 

MMU 

2? 

- 

FWD  KEYBOARD  (1) 

- 

1? 

DEU/CRT  (4) 

2? 

2 FWD  ?  (1) 

IDP  (4)  DPS  FUNCTION 

2? 

[15] 

2 FWD  ?  (1) 

[14]  [15] 

IDP  (4)  FLIGHT  INSTRUMENT  FUNCTION 

MDU  (11) 

ADC  (4) 

2 FWD  ?  (1) 

[14]  [15] 

GNC 

RHC  CHAN  (LFT  OR  RT)  (1) 

2? 

SAME  SIDE 

5? 

THC  (LFT)  and  OMS  ENG  (1) 

- 

X?  +X  ONLY 

SBTC  (LFT  OR  RT)  (CHAN) 

3? 

ONE  SIDE 

5?  AD  NOT  AVAILABLE  TO  G&C 

1? 

OTHER  SIDE 

FCS  MODE  AUTO  SW 

" 

2?  ONE  SIDE  and 

1?  OTHER  SIDE 

FCS  MODE  B/F 

2? 

2?  ONE  SIDE  and 

1?  OTHER  SIDE 

SBTC  (LFT  OR  RT)  T/O  SW 

3? 

ONE  SIDE  and 

5?  AD  NOT  AVAILABLE  TO  G&C 

1? 

OTHER  SIDE 

STAR  TRACKER 

2? 

1? 

AND 

COAS  OR  ATT  REF  OR  DAP  PULSE  PB  (2) 

1? 

ADTA 

2? 

3? 

ADI  (LFT  AND  RT)  (2) 

1? 

[13] 

- 

AFT  ADI  (1) 

- 

[13] 

- 

HUD/AMI  (4) 

2? 

[13] 

3? 

[13] 

HUD/AVVI  (4) 

2? 

[13] 

3? 

[13] 

HUD/FWD  ADI  (4) 

2? 

[13] 

3? 

[13] 

HUD  (2) 

- 

- 

HIS  (2) 

- 

[13] 

- 

SPI  (1) 

- 

[13] 

- 

G-METER  (1) 

- 

[13] 

- 

AFT  RCS 

- 

2?  SAME  AXIS  SAME  SIDE 

ELEV,  RUD,  S/B  OR  BF  ACT  CHAN 

- 

2?  SAME  ACT 

ELEVOR  BF  POSN  FDBK 

2? 

3?  SAME  ACT 

ELEV  PRI  DELTA  P 

2? 

3?  SAME  ELEV 

AA  (LAT) 

2? 

3? 

IMU 

- 

2? 

CG  ANOMALY  AND  1  YAW  JET 

- 

X? 

RGA 

2? 

3? 

TACAN 

2? 

3? 

@[101796-4561  A]  ©[040899-2459B]  @[031 500-71 72D] 
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FOR  LOSS  OF  THE  FOLLOWING: 

MDF 

NXT  PLS 

COMM 

VOICE  (3)  (A/G  1 ,2,UHF) 

- 

2? 

COMMAND  (2) 

2? 

VOICE  +  COMMAND 

- 

ALL? 

PCMMU  (2) 

1? 

2? 

NSP  (2) 

1  D/L? 

2?  (U/LORD/L) 

XPONDER  (2)  1 

2  D/L?? 

2  U/L?  OR  2  D/L+  (1)?? 

ACCU  (2)  (1) 

2? 

1?(l)? 

TELEMETRY 

- 

ALL? 

EECOM 

FES  (TOPPER) 

1? 

- 

FES  (HI-LOAD) 

- 

1? 

FES  PRIMARY  CNTLR 

2? 

3? 

FES  FEED  LINE 

- 

2? 

FREON  LOOP 

- 

1? 

FREON  LOOP  LEAK 

[12] 

FREON  PUMPS 

- 

2?  (IF  FCL  1  PMP  B  AND  FCL  2  PMP  A) 

RFCA  (FAIL  IN  BYPASS/MIN  FLOW) 

1? 

[16] 

RAD  ISOL  VALVE  (FAILED  IN  ISOLATE  OR  LEAK 

1? 

[16] 

ISOLATED  TO  THE  RADIATOR) 

h2o  LOOP 

- 

1? 

h2o  LOOP  LEAK 

1? 

- 

HX  LEAK  (FREON  TO  CABIN  H20) 

- 

1? 

HX  LEAK  (EXCEPT  FREON  TO  CABIN  H20) 

1? 

- 

CABIN  FANS 

1? 

2?  (LANDING  REQUIRED  WITHIN  8  HRS) 

AV  BAY  COOLING 

[1] 

[3]  [4] 

IMU  FANS 

- 

2? 

H20  TANKS  (SUPPLY) 

- 

2? 

H20  TANK  (WASTE) 

- 

(ULLAGE  WILL  DETERMINE  EOM) 

CAB  PRESS  INTEGRITY 

- 

X? 

165  MIN,  8  PSI  RTN 

- 

X? 

PP02  CNTL 

- 

X? 

C02  CNTL 

- 

X? 

CAB T CNTL 

- 

X? 

CAB  HUM  CNTL 

- 

X? 

RCRS 

[7] 

[7] 

SPLY  H20  DMP 

- 

X?  (ULLAGE  WILL  DETERMINE  EOM) 

WST  H20  DMP 

- 

X?  (ULLAGE  WILL  DETERMINE  EOM) 

WCS  (ALL  FECAL  OR  ALL  URINE  COLLECTION 

[6] 

[6] 

CAPABILITY) 

SMOKE  DETECTION  (AV  BAY  3A) 

2? 

[2] 

SMOKE  DETECTION  (CABIN) 

3? 

[9] 

FIRE  DETECTED  /SUPPRESSED 

[10]  [11] 

HALON  DISCHARGE  (W/O  FIRE  CONFIRMATION) 

[11] 

HALON  DISCHARGE  (W/O  FIRE  CONFIRMATION) 

[11] 

®[020196-1810A]  ®[061 396-31 04A]  @[050400-7192]  ®[ED  ] 
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A2-1001  ORBITER  SYSTEMS  GO/NO-GO  (CONTINUED) 


FOR  LOSS  OF  THE  FOLLOWING: 

MDF 

NXT  PLS 

1  EGIL 

h2oro2  tanks 

- 

2? 

[8] 

02,  h2  manifolds 

1? 

2? 

FUEL  CELL 

r 

2? 

FC  COMMOM  VENT  LINE  BLOCKAGE 

- 

X? 

FUEL  CELL  02  PURGE 

- 

-  (PERFORMANCE  WILL  DETERMINE  EOM) 

FUEL  CELL  PRIMARY  H20  FLOW  TO  ECLSS 

2? 

3? 

PRI  &  B/U  C&W 

- 

2? 

MAIN  DC  BUSES 

DAI,  DA2,  OR  DA3 

- 

1? 

FPC1  OR  FPC2  OR  FCP3 

1? 

- 

FLC2  OR  FLC3 

1? 

- 

MPC1 ,  MPC2,  OR  MPC3 

- 

1? 

MNAMMC1  OR  3 

- 

1? 

MNBMMC2  0R4 

- 

1? 

MNCMMC2  0R4 

- 

1? 

MNC  016 

1? 

- 

CONTROL  BUSES 

AB1 ,  AB2,  AB3,  BC1 ,  BC2,  BC3, 

- 

1?  (1) 

[17]  [18] 

CA1 ,  CA2,  OR  CA3 

- 

1?  (1) 

[17] 

ESSENTIAL  BUSES 

1 BC  DAI ,  1 BC  MPC1 ,  OR  1 BC  FD 

1?  (FC1  LOST) 

- 

2CA  DAI ,  2CA  MPC1 ,  OR  2CA  FD 

1?  (FC2  LOST) 

- 

3AB  DAI ,  3AB  MPC1 ,  OR  3AB  FD 

1?  (FC  3  LOST) 

- 

AC  INVERTERS  OR  NONSHORTED  BUS 

X(l) 

- 

(2  OF  3  PHASES) 

AC  BUSES 

ANY  AC  PHASE  (SHORT) 

- 

1? 

AC1  MMC  1  OR  3 

- 

1? 

AC2  MMC  2 

- 

X? 

AC2  MMC  4 

- 

X? 

AC3  MMC  2  OR  4 

- 

1? 

AC2  OR  AC3  (ANY  PHASE) 

- 

1?  +  CAB  FAN 

1  ill  MACS 

APU  OR  HYD 

- 

2? 

WSB 

- 

2? 

LDG  GEAR  DPLY  METHODS 

- 

2? 

PBD  DRIVE  MTRS 

1  CLS  ? 

2  OPEN  ? 

PBD  NOT  OPEN 

1  C/L? 

X? 

PRESS/REDUN  WNDW  FL 

- 

X? 

CONFIRMED  TIRE  LEAK 

- 

[51 

@[101796-4561  A]  ®[ED  ]  @[011801-3851] 

1  LEGEND 

- 

= 

NO  REQUIREMENT 

? 

= 

(DOWN  ARROW)  SYSTEM/CAPABILITY  LOSS 

1? 

= 

ONE  SYSTEM  INOPERATIVE 

X? 

= 

ANY  NUMBER  OF  SYSTEM/CAPABILITIES  LOST 

i!) _ 

= 

IFM  CAPABILITY  EXISTS 
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A2-1001  ORBITER  SYSTEMS  GO/NO-GO  (CONTINUED) 


NOTES: 

[1]  MDF  FOR  LOSS  OF  COOLING  TO  TWO  GPC’s  (DUE  TO  UNACCEPTABLE  TEMPERATURE). 

[2]  PLS  FOR  POWERDOWN  OF  C&W.  C&W  MAY  REMAIN  POWERED  IF  IT  WAS  NOT  THE  SOURCE  OF  A  POTENTIAL 
FIRE  INDICATION  AND  IF  THE  AVIONICS  BAY  IS  EXPOSED  TO  THE  CABIN  FOR  USE  OF  THE  CABIN  SMOKE 
DETECTORS.  REF  RULES  {A1 7-51  A}.3,  MANAGEMENT  FOLLOWING  LOSS  OF  SMOKE  DETECTION,  AND  [A17- 
1001  A},  LIFE  SUPPORT  GO/NO-GO  CRITERIA.  @[090894-1675]  ®[ED  ] 

[3]  PLS  FOR  LOSS  OF  COOLING  TO  THE  C&W. 

[4]  ENTER  NEXT  PLS  IF  A  SINGLE  ELECTRICAL  FAILURE  (AC  BUS)  COULD  CAUSE  THE  LOSS  OF  AIR  COOLING  TO 
AVIONICS  BAYS. 

[5]  ENTER  NEXT  PLS  IF  TIRE  PRESSURE  WILL  BE  <l275  PSIG  (290  PSIA)  MAINS,  260  PSIG  (275  PSIA)  NOSE  AT  NEXT  PLS 
LANDING  OPPORTUNITY  PLUS  2  DAYS.  @[090894-1675  ] 

[6]  THE  NUMBER  OF  ALTERNATE  WASTE  COLLECTION  BAGS,  NUMBER  OF  CREW  AND  THEIR  DEFECATION/ 
URINATION  RATE  WILL  DETERMINE  EOM. 

[7]  QUANTITY  OF  LIOH  CANISTERS  AND  CREW  SIZE  WILL  DETERMINE  EOM.  A  MINIMUM  OF  2  DAYS  OF  UNUSED 
LIOH  MUST  BE  HELD  IN  RESERVE  TO  PASS  A  PLS  OPPORTUNITY.  REF.  RULE  {A17-157},  LIOH  REDLINE 
DETERMINATION.  @[092293-15316] 

[8]  EDO  PALLET  TANKS  ARE  EXEMPT  FROM  THIS  RULE  UNLESS  THE  FAILURES  ARE  DETERMINED  TO  BE  GENERIC. 

[9]  PLS,  UNLESS  AT  LEAST  ONE  CREWMEMBER  REMAINS  AWAKE  IN  ORBITER  CABIN  TO  MONITOR  SMOKE 
CONDITIONS  AT  ALL  TIMES.  REF  RULE  [A1 7-51 B},  MANAGEMENT  FOLLOWING  LOSS  OF  SMOKE  DETECTION. 

[10]  ELS  OR  PLS  IS  REQUIRED  BASED  UPON  AVAILABLE  1^  FOR  02  CONTROL  SINCE  CREW  MUST  REMAIN  ON 
QDM/LES  IF  TOXIC  COMBUSTION  PRODUCTS  CANNOT  BE  SATISFACTORILY  REMOVED  FROM  THE  CABIN 
ATMOSPHERE.  REF  RULE  {A13-152C},  CABIN  ATMOSPHERE  CONTAMINATION.  FOR  AV  BAY  FIRES,  THE 
EXTENT  OF  THE  DAMAGE  TO  EQUIPMENT  AND  WIRE  BUNDLES  IS  UNKNOWN;  THEREFORE,  EVEN  IF  THE 
ATMOSPHERE  HAS  BEEN  CLEANED  UP,  A  PLS  WILL  BE  PERFORMED  TO  MINIMIZE  THE  RISK  OF  THE 
OCCURRENCE  OF  AN  ADDITIONAL  FIRE  OR  ARC  TRACKING. 

[11]  EOM  IS  BASED  UPON  HALON  EXPOSURE  CRITERIA.  REF  RULE  [A13-152],  CABIN  ATMOSPHERE  CONTAMINATION. 
@[090894-1675] 

[12]  FOR  A  LEAKING  FREON  LOOP  THAT  WILL  SUPPORT  NEXT  PLS  BUT  NOT  THE  FOLLOWING  PLS,  A  PLS  WILL  BE 
DECLARED  IN  ORDER  TO  ACHIEVE  A  NOMINAL  D/O  PREP  AND  ENTRY.  A  LOSS  OF  ONE  FREON  LOOP  ENTRY 
REQUIRES  A  POWERDOWN  TO  14  KW.  @[061 396-31 04A] 

[13]  N/A  FOR  MEDS  CONFIGURED  VEHICLES.  ©[040899-2459B] 

[14]  IDP'S  ARE  REQUIRED  FOR  PASS  AND  BFS  INTERFACE  AND  TO  DISPLAY  THE  ADI,  AMI,  AND  AVVI  AND  HSI. 
©[040899-2459B]  @[031 500-71 72D] 

[15]  LOSS  OF  EITHER  FUNCTION,  DPS  OR  FLIGHT  INSTRUMENT,  IN  ANY  THREE  SEPARATE  IDP'S  IS  PLS. 

[16]  NEXT  PLS  IS  REQUIRED  (NOT  INCLUDING  FIRST  DAY  PLS),  FOR  LOSS  OF  RADIATOR  COOLING  IN  ONE  LOOP,  IF 
SUPPLY  H20  QUANTITIES  AND  MANAGEMENT  PLAN  WILL  NOT  SUPPORT  THE  FOLLOWING  PLS  WITH  THE  NEXT 
WORST  FAILURE  (LOSS  OF  THE  GOOD  FREON  LOOP).  ASSUMING  WATER  QUANTITIES  WILL  SUPPORT  THE  NEXT 
WORST  FAILURE,  THE  MISSION  MAY  BE  EXTENDED  TO  THE  SUBSEQUENT  PLS  OPPORTUNITIES.  @[050400-71 92] 
@[092701 -4865D] 

ELS  WILL  BE  REQUIRED  IF  THE  NEXT  WORSE  FAILURE  OCCURS  BEFORE  SUPPLY  WATER  QUANTITIES  CAN 
SUPPORT  NEXT  PLS.  @[050400-7192]  @[092701 -4865D] 

[17]  FOR  FAILURES  OF  CONTROL  BUSSES  AB1 ,  AB2,  BC1 ,  BC2,  CA1,  ORCA2  SUCH  THAT  A  PUBLISHED  IFM  WOULD 
RECOVER  PLBD  FUNCTIONS  LOST  WITH  THE  FAILED  BUS,  THE  IFM  MAY  BE  CONSIDERED  A  LEVEL  OF 
REDUNDANCY  FOR  MISSION  PLANNING  PURPOSES.  (REF  RULE  [A9-57],  REUSABLE  FC.)  @[011801-3851  ] 

[18]  FAILURE  OF  CNTLAB1  RESULTS  IN  LOSS  OF  OMS  X-FEED  AND  REPRESS  CAPABILITY.  A  G-MEM  MAY  BE  SENT  TO 
REGAIN  THE  LOST  FUNCTION.  @[011801-3851  ] 
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SECTION  3  -  GROUND  INSTRUMENTATION  REQUIREMENTS 


GENERAL 


A3-1  GROUND  AND  NETWORK  DEFINITIONS 

A.  MCC  IS  DEFINED  AS  THE  EQUIPMENT  AND  FUNCTIONALITY  PROVIDED  BY 

THE  JSC  BUILDING  30  COMPLEX  AND  ASSOCIATED  INFRASTRUCTURE  AT 
JSC  WHICH  PROVIDES  POWER,  COOLING,  AND  COMMUNICATIONS  TO 
BUILDING  30.  ©[062702-5502C] 

B.  INTEGRATED  NETWORK  INCLUDES  THE  FOLLOWING : 

1.  THE  NASA  GROUND  TRACKING  AND  DATA  STATIONS  AT  MILA,  DFRC, 
WLP ,  PDL ,  AND  INCLUDING  JDI . 


Even  though  JDI  is  part  of  the  Eastern  Range  operated  by  the  USAF  45th  Space  Wing  at  the  Jonathan 
Dickinson  Missile  Test  Annex  (JDMTA),  for  the  purposes  of  this  rule  it  is  considered  part  of  the  NASA 
network. 

2.  THE  SPACE  NETWORK  INCLUDING  THE  WHITE  SANDS  COMPLEX  (WSC) 
FACILITY  AND  FUNCTIONALITY  AS  WELL  AS  THE  TDRS 
SATELLITES . 

3.  GSFC  FACILITIES  THAT  PROVIDE  COMMUNICATIONS  RELAY  AND 

SCHEDULING:  THE  MISSION  OPS  SUPPORT  AREA  (MOSA)  ,  FLIGHT 

DYNAMICS  FACILITY  (EDF )  AND  THE  NETWORK  CONTROL  CENTER 
(NCC)  AND  ASSOCIATED  INFRASTRUCTURE  AT  GSFC  WHICH 
PROVIDES  POWER,  COOLING,  AND  COMMUNICATIONS  TO  THOSE 
FACILITIES . 

4.  NASA  AND  USAF  RADAR  TRACKING  SITES  AS  SHOWN  IN  THE  MATRIX 
IN  RULE  { A3-102 } ,  INTEGRATED  NETWORK  FAILURE  DECISION 
MATRIX.  ®[ED  ] 

5.  COMMERCIAL  LINKS  CONNECTING  JSC,  GSFC,  WSC,  KSC,  DFRC, 

ETC  . 

6.  INTERCONNECTIVITY  TO  USAF  RTS  SITES  ©[062702-5502C] 

THIS  RULE  CONTINUED  ON  NEXT  PAGE 


VOLUME  A  11/21/02  FINAL,  PCN-1  GROUND  INSTRUMENTATION  3-1 

REQUIREMENTS 

Verify  that  this  is  the  correct  version  before  use. 


NASA  -  JOHNSON  SPACE  CENTER 


FLIGHT  RULES 


A3-1  GROUND  AND  NETWORK  DEFINITIONS  (CONTINUED) 

C.  CRITICAL  SHUTTLE  FLIGHT  PHASES  ARE  DEFINED  AS  LAUNCH  THROUGH 

GO  FOR  ORBIT  OPS  OR  INTACT  ABORT  LANDING  AND  GO  FOR  DEORBIT 
BURN  THROUGH  WHEELSTOP  .  ®[062702-5502C] 

D.  TRAJECTORY  PROCESSING  IS  DEFINED  AS  THE  CAPABILITY  OF  THE  MCC 
TO  TAKE  TRAJECTORY  DATA  FROM  VARIOUS  SOURCES  (RADAR  TRACKING, 
S-BAND  DOPPLER,  ONBOARD  INERTIAL  NAVIGATION,  ONBOARD  GPS)  AND 
IN  REAL  TIME  COMPUTE  CURRENT  STATE  AND  PERFORMANCE  CAPABILITY 
THAT  ARE  USED  TO  DETERMINE  ABORT  MODE  CAPABILITY,  MANEUVER 
TARGETS,  AND  TO  MAKE  OTHER  MISSION  CRITICAL  DECISIONS. 
REFERENCE  RULE  {A3-51},  TRAJECTORY  PROCESSING  REQUIREMENTS. 
®[062702-5502C] 

A3-2  GROUND  AND  NETWORK  OVERALL  PHILOSOPHY 

A.  MANDATORY  REQUIREMENTS:  AIR  TO  GROUND  VOICE,  COMMAND,  HDR 
TELEMETRY,  AND  TRAJECTORY  PROCESSING  DURING  CRITICAL  PHASES 
OF  FLIGHT  IS  MANDATORY.  THE  MCC  AND  INTEGRATED  NETWORK 
EQUIPMENT  AND  ASSOCIATED  SOFTWARE  TO  PROVIDE  THESE  MANDATORY 
FUNCTIONS  MUST  BE  AVAILABLE  AND  SCHEDULED  TO  INITIATE  A 
CRITICAL  ACTIVITY.  ®[062702-5502C] 


The  MCC  and  network  provide  the  ability  to  collect,  process,  and  display  the  information  needed  to 
invoke  mission  rule  decision,  analyze  subsystem  performance  to  prevent  failures,  and  to  relieve  the  flight 
crew  of  the  need  to  monitor  subsystems  in  detail.  Command  provides  the  means  to  configure  onboard 
systems  for  nominal  operations  as  well  as  for  anomaly  resolu  tion.  Command  is  required  to  provide 
uplink  remedies  to  systems  problems  which  require  off-nominal  systems  configurations  that  can  be  most 
effectively  accomplished  or  in  some  cases  only  accomplished  from  the  ground.  A/G  voice  provides  the 
means  to  communicate  between  the  flight  crew  and  the  flight  control  team  for  mission  activities,  abort 
region  definition,  anomaly  resolutions,  and  many  other  activities. 

This  rule  states  a  general  principle  which  must  be  understood  in  the  light  of  what  is  technically  feasible. 
For  example,  the  mandatory  requirement  is  not  meant  to  imply  that  there  can  be  no  short  gaps  since  site 
handovers,  etc.,  will  lead  to  momentary  outages.  Additionally,  the  next  rule  gives  greater  detail  to  parts 
of  critical  periods  when  longer  outages  can  be  allowed.  ®[062702-5502C] 

THIS  RULE  CONTINUED  ON  NEXT  PAGE 
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A3— 2  GROUND  AND  NETWORK  OVERALL  PHILOSOPHY  (CONTINUED) 

B.  REDUNDANCY:  ©[062702-5502C] 

1.  SCHEDULING:  REDUNDANCY  IN  MANDATORY  MCC  AND  INTEGRATED 
NETWORK  FUNCTIONS  SHALL  BE  SCHEDULED  AND  PLANNED  TO  BE 
AVAILABLE  AT  THE  INITIATION  OF  A  CRITICAL  ACTIVITY. 

NOTE:  REDUNDANCY  IS  NOT  REQUIRED  WHEN  SCHEDULING  FOR  THE 

TDRSS  NETWORK. 

TDRSS  network  redundancy  is  well  demonstrated  and  tying  up  resources  by  scheduling  redundant 
services  is  not  required.  Loss  of  TDRSS  service  has  been  demonstrated  in  practice  to  be  very  remote  and 
emergency  rescheduling  using  alternate  equipment  is  very  rapid.  TDRSS  network  redundancy  is  based 
on  having  multiple  satellites  in  both  eastern  and  western  locations,  two  independent  ground  stations, 
multiple  communication  paths  between  WSC  and  MCC,  and  full  redundancy  in  scheduling  and  other 
supporting  equipment.  The  TDRSS  network  has  more  users  than  can  be  scheduled  so  it  is  pruden  t  to  not 
explicitly  schedule  redundant  TDRSS  coverage. 

2.  LOSS  OF  REDUNDANCY:  REDUNDANCY  IS  NOT  REQUIRED  TO 
INITIATE  A  CRITICAL  ACTIVITY.  FOLLOWING  A  FAILURE  THAT 
CAUSES  LOSS  OF  REDUNDANCY,  IF  FEASIBLE,  THE  REMAINING 
SINGLE  STRING  SHOULD  BE  DEMONSTRATED  TO  BE  FUNCTIONAL 
PRIOR  TO  THE  INITIATION  OF  A  CRITICAL  ACTIVITY. 

It  is  prudent  to  support  mission  critical  operations  with  redundancy.  MCC  and  Network  functions  are  by 
design  very  reliable.  Operational  history  has  demonstrated  that  MCC  and  Network  functioned  reliability 
is  very  high.  When  operating  on  a  single  string  of  equipment  that  is  demonstrated  to  be  functioning, 
which  is  not  annunciating  an  alarm  or  operating  in  an  anomalous  manner,  there  is  a  very  low 
probability  of  failure  in  the  short  time  duration  of  a  shuttle  critical  phase.  Unless  there  is  direct 
evidence  to  conclude  a  failure  is  imminen  t  on  operating  equipmen  t,  there  is  no  reason  to  delay  a  critical 
scheduled  event  for  failure  of  a  redundant  string.  Conversely,  if  analysis  of  a  failed  system  clearly 
indicates  a  threat  to  the  remaining  equipment,  it  is  prudent  not  to  initiate  a  critical  activity  if  possible. 

3.  RECOVERY  OF  LOST  REDUNDANCY:  RECOVERY  OF  REDUNDANT 
EQUIPMENT  SHOULD  NOT  BE  ATTEMPTED  IF  THERE  IS  RISK  TO  THE 
PLANNED  T=0  OR  DEORBIT  TIG. 

Recovery  of  redundant  equipment  or  function  generally  has  a  non-zero  risk  of  operator  error  or  other 
reason  causing  loss  of  the  functioning,  mandatory  equipmen  t  string.  At  pre-defmed  times  for  launch  or 
deorbit,  this  risk  should  not  be  incurred.  ©[062702-5502C] 
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A.  ASCENT 

1.  NOMINAL  ASCENT:  AIR  TO  GROUND  VOICE,  COMMAND,  TELEMETRY, 
AND  TRAJECTORY  PROCESSING  ARE  MANDATORY  FROM  LIFTOFF 
THROUGH  MET  15  MINUTES.  FROM  MET  15  MINUTES  THROUGH  GO 
FOR  ORBIT  OPS,  IT  IS  HIGHLY  DESIRABLE  TO  HAVE  THE  MAXIMUM 
DURATION  OF  COVERAGE  POSSIBLE  FOR  AIR  TO  GROUND  VOICE, 
COMMAND,  TELEMETRY,  AND  TRAJECTORY  PROCESSING.  ®[062702-5502C] 

IN  ADDITION  TO  MANDATORY  S-BAND  TWO-WAY  VOICE,  UHF  TWO 
WAY  VOICE  IS  REQUIRED  AS  A  BACKUP  DURING  LAUNCH  FROM 
LIFTOFF  THROUGH  NOMINAL  HANDUP  TO  TDRS  AND  IS  HIGHLY 
DESIRABLE  THROUGH  MILA  LOS  OR  UNTIL  RTLS  LANDING. 

Redundant  A/G  voice  is  necessary  for  abort  request  and  abort  region  calls  and  to  rapidly  convey  verbal 
responses  to  observed  subsystem  anomalies  and  rule  violations.  The  availability  of  both  S-band  and 
UHF  ensures  that  SRB  plume,  station  handovers,  and  most  onboard  and  ground  subsystem  failures  will 
not  result  in  disruption  of  A/G  voice  capability  causing  critical  calls  to  be  missed.  Early  in  ascent, 

TDRS  is  not  thought  to  be  acceptable  due  to  antenna  look  angles,  structural  blockage,  etc.  Therefore, 
MILA,  PDL,  and  JDI  provide  communications  link  capability. 

The  latter  stages  of  ascent,  after  TDRS  handup  between  7  and  8  minutes  MET,  are  supported  by  TDRS. 
The  TDRS  network  has  more  user  requirements  than  can  be  accommodated  thus  requiring  priority 
scheduling.  TDRS  schedule  should  include  uninterrupted  communications  through  the  latest  underspeed 
MECO  that  occurs  no  later  than  MET  13  minutes.  An  additional  2  minutes  to  assess  the  situation  and 
provide  maneuver  direction  to  the  crew  can  be  accomplished  by  a  well-practiced  MCC  team.  This  means 
that  TDRS  scheduling  should  support  through  MET  15  minutes  at  a  minimum. 

To  ensure  mission  success  for  rendezvous  missions  and  to  resolve  any  anomalies  that  may  have  occurred 
during  ascent,  it  is  prudent  and  highly  desirable  to  have  the  maximum  available  communications 
capability  through  OMS-2  cutoff.  Following  that,  to  ensure  timely  anomaly  resolution  and  to  provide  the 
maximum  efficiency  and  mission  success  through  the  complex  tasks  of  early  post  insertion  ( OPS  2 
transition,  opening  payload  bay  doors,  initiating  radiator  cooling,  etc.),  communications  is  vital.  Go  for 
Orbit  Ops  normally  occurs  at  about  1  hr  30  min  MET. 

From  the  TDRS  perspective,  command,  telemetry,  and  voice  are  either  both  available  simultaneously  or 
not;  they  are  not  independent.  ©[062702-5502C] 
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2.  RTLS ,  TAL:  CONTINUOUS  AIR  TO  GROUND  VOICE,  COMMAND, 
TELEMETRY,  AND  TRAJECTORY  PROCESSING  ARE  MANDATORY  FOR 
RTLS  OR  TAL  FOLLOWING  ABORT  DECLARATION  THOUGH  INTACT 
ABORT  LANDING  INCLUDING  POST-LANDING.  ©[062702-5502C] 

This  requirement  for  TAL  may  be  met  by  the  use  of  an  emergency  SHO  for  the  TDRS  network  since 
landing  occurs  at  approximately  MET  37  minutes.  RTLS  requirements  may  be  covered  by  scheduling 
MILA  alone.  The  declaration  of  cm  RTLS  or  TAL  abort  results  in  procedures  that  involve  additional 
risk.  MCC  support  is  required  and  will  normally  be  available  throughout  the  RTLS  or  TAL.  This 
increased  insight  into  systems  performance  and  additional  expertise  significantly  increases  the 
probability  of  a  successful  landing  with  a  vehicle  that  has  already  had  a  major  systems  failure.  A/G 
voice  is  required  to  coordinate  any  recommendations  to  the  crew  and  to  relay  to  the  crew  fined  weather , 
runway,  landing  aid,  and  major  systems  status. 

3.  ATO,  AOA :  FOR  THE  PERIOD  FROM  MET  15  MINUTES  THROUGH 
LANDING  FOR  AOA  OR  LANDING  FOR  FIRST  DAY  PLS  OR  THROUGH 
GO  FOR  ORBIT  OPS  FOR  ATO,  IT  IS  HIGHLY  DESIRABLE  TO  HAVE 
THE  MAXIMUM  DURATION  OF  COVERAGE  POSSIBLE  FOR  AIR  TO 
GROUND  VOICE,  COMMAND,  TELEMETRY,  AND  TRAJECTORY 
PROCESSING. 

4.  ASCENT  TRAJECTORY  PROCESSING  SUPPORT: 

a.  ASCENT  RADAR  TRACKING:  DUAL  TRACKING  IS  HIGHLY 

DESIRABLE  FROM  EITHER  ONE  S-BAND  AND  ONE  C-BAND,  OR 
TWO  C-BANDS  FROM  LIFT-OFF  THROUGH  MECO  PLUS  1  MINUTE. 

Dual  source  tracking  is  desired  to  allow  monitoring  of  the  health  of  onboard  navigation  during  powered 
flight,  to  provide  delta  state  uplink  capability  to  correct  extreme  onboard  navigation  errors  which  could 
result  in  unsafe  or  mission  -limiting  MECO  conditions  for  an  ascent  to  orbit  or  an  RTLS,  and  to  provide 
cm  independent  ground  navigation  source  for  ascent  performance  boundary  calls.  To  obtain  an  accurate 
post-MECO  ground  filter  vector,  a  minimum  of  1  minute  of  tracking  post-MECO  is  required  for 
processor  convergence.  An  accurate  post-MECO  ground  filter  vector  may  be  used  to  update  onboard 
navigation  before  OMS-2  if  required  to  significantly  decrease  deltcr-V  cost  due  to  planar  error  for 
ground-up  rendezvous  flights,  or  before  OMS-1  or  OMS-2  if  the  gain  in  deltci-V  capability  would  prevent 
ascent  capability  downmoding.  ®[062702-5502C] 
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Ground  tracking  through  MECO+1  is  highly  desirable  rather  than  mandatory  because  flight  history  and 
Mean  Time  Between  Failure  (MTBF)  data  show  that  the  probability  of  either  software  or  hardware 
failures  corrupting  onboard  navigation  during  ascent  are  extremely  small.  MTBF  studies  for  the  HAINS 
IMU’s,  GPC’s,  and  MDM's  indicate  a  probability  of  loss  of  two  IMU’s  to  be  on  the  order  of  10'^. 
Although  recovery  of  corrupted  onboard  navigation  by  means  of  a  powered  flight  delta  state  is 
theoretically  possible,  and  would  be  attempted  if  required,  success  at  all  times  during  the  ascent  is  not  a 
certainty.  With  regard  to  onboard  navigation  errors  which  are  not  large  enough  to  pose  a  safety 
concern,  but  which  could  affect  the  mission,  the  history  of  post-MECO  state  vector  updates  shows  that 
although  there  are  worthwhile  paybacks  in  propellant  margin,  their  absence  would  not  adversely  impact 
propellant  budgets.  For  these  reasons,  ground  tracking  requirements  through  MECO  for  due  east 
launches  were  abandoned  by  the  shuttle  program  as  a  cost  savings  measure.  Ground  tracking  through 
MECO  +1  is  only  available  for  high  inclination  launches.  ©[062702-5502C] 

Upon  removed  of  the  Range  Safety  destruct  package  from  the  external  tank,  the  flight  crew/MCC  assumes 
responsibility  for  public  safety  during  second  stage.  The  tracking  navigation  state  precludes  limit  line 
violation  due  to  severe  onboard  navigation  problems  ( state  vector  update  or  manual  MECO)  and 
preven  ts  loss  of  External  Tank  Impact  Point  prediction  due  to  telemetry  loss/data  dropouts.  At  the 
existing  limits  of  ground  tracking,  ET  IP  no  longer  endangers  North  American  landmasses  or  islands. 

Ground  radar  tracking  is  only  highly  desirable  for  NASA  pu  rposes  during  the  early  phases  of  ascen  t  as 
shown  by  the  table  in  Rule  {A3-102J,  INTEGRATED  NETWORK  FAILURE  DECISION  MATRIX.  Note 
that  the  Eastern  Range  has  a  more  constraining  requirement.  If  all  east  coast  radars  are  functioning,  for 
high  inclination  launches  radar  tracking  can  be  extended  to  nominal  MECO  +1  minute.  For  low 
inclination  launches,  radar  tracking  is  lost  prior  to  8  minutes  MET.  It  is  desirable  to  have  ground  radar 
verification  of  the  MECO  state.  ®[ED  ] 

b.  RTLS  ENTRY  RADAR  TRACKING:  TRACKING  IS  HIGHLY 

DESIRABLE  FROM  EITHER  ONE  S-BAND  AND  ONE  C-BAND,  OR 
TWO  C-BANDS  FROM  RTLS  MECO  TO  100K  FEET. 

The  TSU  trajectory  processor  Kalman  filter  cannot  meet  ground  accuracy  requiremen  ts  with  only  one 
source  of  tracking  data;  the  filter  requires  at  least  two  sources.  The  100k  feet  altitude  constrain  t  was 
chosen  to  allow  sufficient  time  to  assess  the  vehicle  energy  conditions  and  to  update  onboard  navigation 
state  (after  nominal  TACAN  acquisition)  in  order  to  correct  a  violation  of  delta  state  limits.  Dual 
tracking  capability  also  cdlows  time  to  GCA  to  within  guidance  limits  prior  to  TAEM.  ©[062702-5502C] 
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c.  AOA/PLS :  DUAL  TRACKING  CAPABILITY  ABOVE  100K  FEET  IS 

HIGHLY  DESIRABLE  BUT  IS  NOT  SCHEDULED  FOR  AOA  AND  PLS 
D  E  0  RB I  T  .  ®[062702-5502C] 

In  the  event  that  a  delta  state  is  uplinked,  it  allows  proper  onboard  verification  to  be  performed  through 
100k  feet  (tracking  not  required  below  100k  feet). 

d.  FD1  PLS  ONLY:  AT  LEAST  ONE  TDRS  OR  TWO  C-BAND  RADAR 
PASSES  ARE  REQUIRED  TO  SUPPORT  PRE-DEORBIT  STATE 
VECTOR  ACCURACY. 

For  AOA  and  PLS  deorbits,  best  effort  call  up  of  high  speed  tracking  resources  is  accepted  (ref  Rule 
{A3- 102},  INTEGRATED  NETWORK  FAILURE  DECISION  MATRIX).  The  time  between  launch  and 
landing  for  an  AOA  deorbit  is  short  enough  to  consider  onboard  navigation  autonomous,  and  although 
best  effort  tracking  call  up  will  be  requested,  it  is  not  mandatory.  There  is  a  high  probability  of 
obtaining  PLS  tracking  support  from  KSC  or  EDW  area  radars  on  a  best  effort  basis  if  the  ranges  are 
given  more  than  3  hours  advance  notice.  There  is  little  chance  of  obtaining  such  support  for  a  NOR  PLS 
deorbit  unless  the  request  is  made  during  duty  hours.  Tracking  support  is  virtually  assured  at  all  three 
CONUS  sites,  given  24  hours  notice  (ref.  AEFTP  #82  minutes).  ®[ED  ] 

Post  MECO  tracking  is  required  for  flight  day  1  deorbit  cases  in  order  to  ensure  the  onboard  state 
vector  meets  deorbit  burn  accuracy  requirements.  For  high  inclination  launches  (57  deg  and  51.6  deg), 
at  least  one  TDRS  is  required  for  orbit  3  cases,  because  the  ground  tracks  for  orbits  1  through  3  do  not 
permit  adequate  C-Band  coverage  (ref.  Rules  { A4-101 },  ONBOARD  NAVIGATION  MAINTENANCE, 
and  (A3- 102},  INTEGRATED  NETWORK  FAILURE  DECISION  MATRIX  -  Note  [2]).  ®[ED  ] 

e.  FOR  COMMIT  TO  LAUNCH  AND  SCHEDULING  PURPOSES,  EOM 
DUAL  TRACKING  CAPABILITY  (TWO  C-BANDS  OR  ONE  S-BAND 
AND  ONE  C-BAND)  FROM  ABOVE  10  OK  FEET  TO  THE  GROUND  IS 
NOT  MANDATORY.  IF  ANY  OF  THE  CAPABILITIES  LISTED  IN 
PARAGRAPH  B3  BELOW  ARE  NOT  EXPECTED  TO  BE  AVAILABLE 
PRIOR  TO  DEORBIT  TIG,  SCHEDULING  EOM  DUAL  TRACKING 
BECOMES  MANDATORY.  ®[062702-5502C] 
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5.  REDUNDANCY  FOR  ASCENT  INCLUDING  INTACT  ABORTS: 

©[062702-5502C] 

a.  REDUNDANCY  IN  EQUIPMENT  AND  NETWORK  SCHEDULING  FOR 
AIR  TO  GROUND  VOICE,  COMMAND,  TELEMETRY,  AND 
TRAJECTORY  PROCESSING  SHALL  BE  PLANNED  AND  SCHEDULED 
FOR  LAUNCH  THROUGH  GO  FOR  ORBIT  OPS  OR  INTACT  ABORT 
LANDING.  NOTE:  FOR  TDRS  SCHEDULING  REDUNDANCY  IS 
NOT  REQUIRED. 

b.  CONSIDERATION  WILL  BE  GIVEN  TO  ATTEMPTING  TO  REGAIN 
FAILED  REDUNDANT  EQUIPMENT  IF  THE  RECOVERY  WILL  NOT 
AFFECT  THE  REMAINING  MANDATORY  EQUIPMENT  AND  RECOVERY 
PROCEDURES  ETRO  IS  PRIOR  TO  THE  NOMINAL  PLANNED  TIME 
FOR  COMING  OUT  OF  THE  T-9  MINUTE  HOLD. 

C.  RECOVERY  EFFORTS  FOR  FAILED  REDUNDANT  EQUIPMENT  IN 

THE  MCC  AND  INTEGRATED  NETWORK  WILL  NOT  BE  PERFORMED 
BETWEEN  T-9  MINUTES  AND  COUNTING  AND  MET  15  MINUTES 
OR  LANDING  FOR  RTLS  OR  TAL . 

B.  DEORBIT/ENTRY 

1.  PRE-DEORBIT:  IT  IS  HIGHLY  DESIRABLE  TO  HAVE  THE  MAXIMUM 

DURATION  OF  COVERAGE  POSSIBLE  FOR  AIR  TO  GROUND  VOICE, 
COMMAND,  TELEMETRY,  AND  TRAJECTORY  PROCESSING  FROM  TIG-4 
HR  TO  DEORBIT  DECISION.  REDUNDANCY  IS  DESIRABLE  BUT  NOT 
REQUIRED . 


Preparing  the  orbiterfor  entry  includes  a  number  of  complex  and  critical  steps  such  as  moding  flight 
software  to  OPS  3,  closing  the  payload  bay  doors,  activating  FES  cooling.  Having  MCC  connectivity 
troubleshoot  any  anomalies  that  may  occur  is  very  useful.  Additionally,  MCC  is  prime  to  provide  deorbit 
maneuver  targets  and  to  assess  landing  site  readiness  including  weather.  Deorbit  decision  time  is 
normally  TIG  -  23  minutes.  ®[062702-5502C] 
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2.  DEORBIT  DECISION:  GROUND  AND  INTEGRATED  NETWORK 

EQUIPMENT  FUNCTIONALITY  AND  SCHEDULING  MUST  PROVIDE  AIR 
TO  GROUND  VOICE,  COMMAND,  TELEMETRY,  AND  TRAJECTORY 
PROCESSING  FROM  THE  MCC  GO  FOR  DEORBIT  TO  POST  LANDING. 
REDUNDANCY  FOR  MANDATORY  FUNCTIONS  IS  HIGHLY  DESIRABLE 
BUT  NOT  REQUIRED.  ©[062702-5502C] 

UHF  TWO-WAY  VOICE  IS  HIGHLY  DESIRABLE  DURING  ENTRY  TO  KSC 
OR  DFRC  WHEN  IN  RANGE  OF  THE  GROUND  STATION  AS  A  BACKUP 
TO  S-BAND  VOICE.  S-BAND  VOICE  IS  MANDATORY  AS  DESCRIBED 
ABOVE . 


Monitoring  vehicle  systems,  energy  management,  anomaly  resolution,  and  landing  site  evaluation  from 
touchdown  parameters  to  weather  conditions  is  the  primary  job  of  the  MCC  du  ring  shuttle  entry. 

3.  TRAJECTORY  PROCESSING  SUPPORT  FOR  ENTRY: 

IF  ALL  OF  THE  CAPABILITIES  LISTED  BELOW  ARE  EXPECTED  TO 
BE  AVAILABLE  PRIOR  TO  DEORBIT  TIG,  C-BAND  TRACKING  IS  NOT 
MANDATORY.  S-BAND  TRACKING  IS  HIGHLY  DESIRABLE  IN  THE 
ABSENCE  OF  C-BAND  TRACKING.  IF  DURING  THE  MISSION  ANY  OF 
THE  FOLLOWING  CAPABILITIES  ARE  LOST,  EOM  DUAL  TRACKING 
CAPABILITY  BECOMES  MANDATORY  FOR  COMMIT  TO  DEORBIT: 

a.  IMU'S:  FULL  REDUNDANCY  (THREE  LRU'S  AND  ASSOCIATED 
DPS  AND  EPS  FUNCTIONALITY) . 

b.  ONBOARD  TACAN:  AT  LEAST  TWO-FAULT  TOLERANCE  IN  THE 
TACAN/GPS  SYSTEM  AND  ASSOCIATED  DPS  AND  EPS 
FUNCTIONALITY)  (REF.  RULE  {A8-115},  GPS  SYSTEM 
MANAGEMENT).  @[092602-5641] 

C.  ONBOARD  MLS:  FULL  REDUNDANCY  (THREE  LRU'S  AND 

ASSOCIATED  DPS  AND  EPS  FUNCTIONALITY)  REQUIRED  IF 
MLS  IS  REQUIRED  FOR  LANDING  (REF.  RULE  {A3-202}, 

MLS).  ®[062702-5502C]  @[092602-5641] 

THIS  RULE  CONTINUED  ON  NEXT  PAGE 


VOLUME  A  11/21/02  FINAL,  PCN-1  GROUND  INSTRUMENTATION  3-9 

REQUIREMENTS 

Verify  that  this  is  the  correct  version  before  use. 


NASA  -  JOHNSON  SPACE  CENTER 


FLIGHT  RULES 


A3-3  GROUND  AND  NETWORK  DETAILED  REQUIREMENTS 

(CONTINUED) 


d.  GROUND  TACAN  STATIONS:  TWO  STATIONS  AVAILABLE  AND 
CONFIRMED  OPERATIONAL  WITHIN  SPECIFICATIONS  (REF. 
RULE  { A8-52B }  .  2 ,  SENSOR  FAILURES),  OR  ONE  STATION 
AVAILABLE  AND  CONFIRMED  OPERATIONAL  WITHIN 


SPECIFICATIONS 
FAILURES)  WITH 
RULE  { A8-115 } , 
SPECIFICATIONS 
VOL  X,  BOOK  3, 

@[092602-5641  ] 


(REF.  RULE  { A8-52B} . 2 , 
A  GPS  LRU  FUNCTIONING 
GPS  SYSTEM  MANAGEMENT) 
ARE  NOT  ADEQUATE  (REF. 
PARAGRAPH  1 . 3 . 1 . 1  .  1 )  . 


SENSOR 

PROPERLY  (REF 
FAA/USAF 
NSTS  07700, 

©[062702-5502C] 


In  order  to  maximize  launch  probability  by  alleviating  C-Band  tracking  data  scheduling  conflicts  with 
the  Eastern  Range  Operations  Control  Center  (ROCC),  the  mandatory  requirement  for  scheduling  dual 
source  high  speed  tracking  for  EOM  is  eliminated,  provided  that  sufficien  t  redundancy  is  available 
(TACAN/GPS  and  IMU)  to  correct  the  navigation  state  prior  to  violation  of  entry  guidance  limits.  If 
sufficient  redundancy  is  lost  during  the  mission,  dual  source  high-speed  tracking  becomes  mandatory 
for  commit  to  deorbit.  The  TSU  trajectory  processor  Kalman  filter  cannot  meet  ground  accuracy 
requiremen  ts  with  only  one  source  of  tracking  data.  The  filter  requires  at  least  two  sources.  The  100k 
feet  altitude  constraint  was  chosen  to  allow  sufficien  t  time  to  assess  the  vehicle  energy  conditions  and  to 
update  onboard  navigation  state  (after  nominal  TACAN  acquisition )  in  order  to  correct  a  violation  of 
delta  state  limits.  This  requirement  also  allows  time  to  GCA  to  within  guidance  limits  prior  to  TAEM. 
©[062702-5502C] 

With  three  functioning  IMU’s  and  the  associated  DPS/EPS  equipment,  the  first  failure  is  fully  protected 
by  redundancy  managemen  t.  When  two  IMU’s  are  available,  95  percen  t  of  the  cases  in  volving  the 
second  failure  are  properly  resolved  by  the  IMU  RM  which  uses  the  IMU  BITE  logic. 


With  three  functioning  onboard  TACAN  transceivers  and  their  associated  DPS  equipment,  the  first 
failure  is  fully  protected  by  redundancy  management.  When  two  TACAN’s  are  available,  90  percent  of 
the  cases  involving  the  second  failure  are  covered  with  TACAN  self -test.  GPS  provides  additional 
redundancy  to  the  onboard  TACAN  transceivers  (particularly  at  the  TACAN  1-LRU  level)  assuming  that 
the  conditions  in  Rule  {A8-115},  GPS  SYSTEM  MANAGEMENT,  are  satisfied.  @[092602-5641  ] 

With  three  functioning  onboard  MLS  transceivers  and  their  associated  DPS  equipment,  the  first  failure 
is  fully  protected  by  redundancy  management.  When  two  MLS’s  are  available,  a  dilemma  between  the 
LRU’s  will  remain  unresolved  unless  a  BITE  had  been  previously  set  against  one  of  the  LRU’s.  If  the 
dilemma  is  unresolved,  MLS  may  not  process  at  all  for  range/azimuth  dilemmas)  or  only  partially 
process  (for  elevation  dilemmas).  For  days  when  MLS  is  required,  as  defined  in  Rule  {A3 -202},  MLS, 
ground  tracking  is  required  to  resolve  dilemmas  in  order  to  make  the  MLS  useable.  Reference  Rule 
I A8-18A },  LANDING  SYSTEMS  REQUIREMENTS.  ©[062702-5502C]  @[092602-5641  ] 

THIS  RULE  CONTINUED  ON  NEXT  PAGE 
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A3-3  GROUND  AND  NETWORK  DETAILED  REQUIREMENTS 

(CONTINUED) 


To  ensure  that  valid  TACAN  data  are  available,  both  primary  and  secondary  ground  stations  must  be 
confirmed  to  be  within  programmatically  required  limits  (NASA  operational  requirements  of  1  deg  and 
0.3  mile  per  Rule  j A8-52B J.2,  SENSOR  FAILURES,  rather  than  FAA/DOD  certification  (2.5  deg  and  0.5 
mile  per  NSTS  07700,  Vol  X  specification) ).  With  the  pre-deorbit  ground  station  checks,  full  single  fault 
tolerance  exists.  If  both  the  primary  and  the  secondary  ground  station  were  to  fail  after  deorbit,  the 
MCC  can  uplink  another  TACAN  station.  ®[062702-5502C]  @[092602-5641  ] 

If  GPS  is  functioning  properly  (ref.  Rule  { A8-115 j,  GPS  SYSTEM  MANAGEMENT),  then  the  following 
failures  will  result  in  requiring  high  speed  tracking  for  EOM 

a.  Any  failure  in  either  the  onboard  IMU’s  or  MLS  LRU’s. 

b.  Loss  of  two-fault  tolerance  in  the  GPS/TACAN  system. 

c.  No  TACAN  ground  stations  available. 

If  GPS  is  NOT  functioning  properly  (ref.  Rule  (A8-115J,  GPS  SYSTEM  MANAGEMENT),  then  the 
following  failures  will  result  in  requiring  high  speed  tracking  for  EOM: 

a.  Any  failure  in  either  the  onboard  IMU’s,  TACAN’ s,  or  MLS  LRU’s. 

b.  Only  1  TACAN  ground  station  available.  @[092602-5641  ] 

S-band  data  is  highly  desired  because  it  may  provide  insight  in  the  case  of  a  TACAN  bias,  although  it 
cannot  by  itself  be  used  as  a  source  of  “ground  truth.  ” 

In  relaxing  the  tracking  data  requirement  from  mandatory  to  highly  desirable,  it  is  understood  and 
acknowledged  to  be  an  acceptable  risk  to  rely  totally  on  TACAN  and  GPS  as  required  to  achieve  a  safe 
landing.  If  the  normal  ceiling  limit  exists,  and  TACAN  data  is  not  processed  by  navigation,  and  no 
independent  valid  tracking  data  are  present,  the  vehicle  is  unlikely  to  achieve  the  runway  unless  GPS  is 
incorporated.  @[092602-5641  ] 

4.  POST  LANDING:  GROUND  EQUIPMENT  WILL  PROVIDE  FOR  AIR  TO 
GROUND  VOICE,  COMMAND,  AND  TELEMETRY  FROM  LANDING  UNTIL 
VEHICLE  HANDOVER  TO  GOM .  REDUNDANCY  IS  NOT  REQUIRED. 
©[062702-5502C] 
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MCC  INSTRUMENTATION  PRELAUNCH  REQUIREMENTS 

A3- 51  TRAJECTORY  PROCESSING  REQUIREMENTS  ®[061 396-4005A]  ©[022802- 

Si  98] 

A.  HIGH-SPEED  TRAJECTORY  DETERMINATION: 

1.  HIGH  SPEED  S-BAND  -  HIGHLY  DESIRABLE  FOR  LAUNCH  AND 
LANDING  @[061297-6004] 

2.  HIGH  SPEED  C-BAND  -  HIGHLY  DESIRABLE  FOR  LAUNCH  AND 
LANDING 

3.  KALMAN  FILTER  PROCESSING  -  HIGHLY  DESIRABLE  FOR  LAUNCH 
AND  LANDING  @[061297-6004] 

B.  ARD/AME  PROCESSING  -  MANDATORY  FOR  LAUNCH  @[022802-5198] 

C.  EPHEMERI S  MAINTENANCE  PROCESSING  -  MANDATORY 

D.  ORBIT  DETERMINATION  PROCESSING: 

1 .  LOW  SPEED  TRACKING  DATA  -  MANDATORY 

2.  BATCH  RADAR  PROCESSING  -  MANDATORY 

THIS  RULE  CONTINUED  ON  NEXT  PAGE 


VOLUME  A  11/21/02  FINAL,  PCN-1  GROUND  INSTRUMENTATION  3-12 

REQUIREMENTS 

Verify  that  this  is  the  correct  version  before  use. 


NASA  -  JOHNSON  SPACE  CENTER 


FLIGHT  RULES 


A3— 51  TRAJECTORY  PROCESSING  REQUIREMENTS  (CONTINUED) 

E.  DEORBIT  PLANNING  PROCESSING  -  MANDATORY 

F.  ENTRY  PROFILE  PROCESSING  -  MANDATORY 

G.  COMMAND /TRAJECTORY  INTERFACE  PROCESSING  -  MANDATORY 

H.  TRAJECTORY/TELEMETRY  AND  TELEMETRY/ TRAJECTORY  INTERFACE 
PROCESSING  -  MANDATORY 

I.  HIGH  SPEED  ENTRY  RGO  AND  TAEM  PROCESSING  -  MANDATORY  FOR 
LAUNCH  AND  LANDING  @[022802-5198] 

J.  RENDEZVOUS  TARGETING  PROCESSING  -  MANDATORY  FOR  RENDEZVOUS 
FLIGHT  ©[061396-4005A] 

K.  LAUNCH  WINDOW/LAUNCH  TARGETING  PROCESSING  -  MANDATORY  UNTIL 
THE  LAUNCH  TARGET  COMMANDS  HAVE  BEEN  GENERATED.  THIS  ONLY 
APPLIES  TO  GROUND-UP  RENDEZVOUS  AND  INERTIALLY  TARGETED 

FLIGHTS.  @[061 396-4005A] 

All  mandatory  trajectory  processing  is  required  to  be  operational  prior  to  launch,  including  support 
processors  as  well.  Any  loss  of  trajectory  processing  will  be  assessed  in  reed  time  in  order  to  determine 
applicability  of  the  lost  capability  to  the  flight  at  hand. 

L.  DOLILU  STRUCTURAL  LOADS  AND  TRAJECTORY  ANALYSIS  TOOLS  - 
MANDATORY  UNTIL  THE  DOLILU  I-LOAD  HAS  BEEN  TRANSFERRED  INTO 
THE  MCC  COMMAND  SYSTEM;  THEREAFTER,  HIGHLY  DESIRABLE  (REF. 
RULE  {  A4  -4  }  ,  DOLILU  OPERATIONS).  @[091 098-6622C] 


DOLILU  and  Loads  assessments  are  nominally  run  concurrently  by  JSC  and  USA/Systems  Integration. 
In  the  event  that  JSC  fails  to  complete  analysis  after  the  MCC  I-locid  transfer,  USA/Systems  Integration 
becomes  prime  for  providing  the  remaining  prelaunch  assessments.  This  contingency  condition  is 
considered  acceptable  to  proceed  based  on  the  joint  system  checkouts  that  have  occurred  (L-3  week,  L-2 
day,  and  completed  launch  day  verifications).  @[091 098-6622C] 

M.  DESCENT  DESIGN  SYSTEM  (DDS )  -  MANDATORY  @[061 396-4005A]  @[022802-5198] 
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A3-52  MCC  INTERNAL  VOICE 

LOSS  OF  INTERNAL  VOICE  LOOPS  FD,  A/G  1,  OIS  232  AND  FLIGHT 
CONTROL  OFFICER  (FCO) ,  WOULD  NOT  CAUSE  A  LAUNCH  HOLD  BECAUSE  OF 
SUFFICIENT  AVAILABLE  WORKAROUNDS: 

A.  MCC  FLIGHT  CONTROL  TEAM  COORDINATION  CAPABILITY  -  ONE  OF 
THREE  MANDATORY: 


1 . 

FD 

2  . 

AFD 

CONF 

3. 

LOOP 

CONFERENCING 

One  common  voice  loop  between  all  MCC  flight  control  team  members  is  required  for  expedient 
communication  of  system  conditions/anomalies. 

B.  A/G  TALK  CAPABILITY  -  TWO  OF  FOUR  MANDATORY: 


1  . 

A/G 

1 

2  . 

A/G 

2 

3. 

A/G 

UHF 

4  . 

OTHER  LOOP  WITH  KEYING  CAPABILITY 

Two  MCC  voice  loops  with  keying  capability  are  required  to  provide  continuous  S-band  A/G  and  UHF 
A/G  (ref  Rule  {A3-lA}.l.d,  GROUND  AND  NETWORK  DEFINITIONS).  ®[ED  ] 

C.  COMMUNICATIONS  INTERFACE  WITH  LAUNCH  TEST  DIRECTORS  -  ONE  OF 
FOUR  MANDATORY: 


1  . 

OIS  131 

2  . 

OIS  232 

3. 

FD  (EXTENDED  TO  LAUNCH 

SITE) 

4  . 

OTHER  LOOP  PATCHING  TO 

LAUNCH  SITE 

One  MCC  voice  loop  (extended  to  launch  site  long  lines )  is  required  to  call  an  MCC-initiated  countdown 
hold. 


THIS  RULE  CONTINUED  ON  NEXT  PAGE 
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A3-52  MCC  INTERNAL  VOICE  (CONTINUED) 

D.  COMMUNICATIONS  INTERFACE  WITH  FCO  -  TWO  OF  FOUR  MANDATORY: 
@[101096-4550] 

1.  FCO  PVT  LINE 

2.  FD  (EXTENDED  TO  FCO) 

3.  FCO  PRIME 

4.  OTHER  LOOP  PATCHING  TO  FCO  LONG  LINE 

A  minimum  of  two  MCC  voice  loops,  extended  to  the  Eastern  Range  45th  Space  Wing,  are  required 
for  FD  and  FDO  voice  communication  with  the  FCO.  Removed  of  the  FT  Range  Safety  Flight 
Termination  System  resulted  in  additional  flightcrew  responsibility  as  agents  of  the  45th  Space 
Wing  Commander  for  public  safety  during  second  stage  flight,  with  crew-initiated  manual  MECO 
replacing  range  safety  command  destruct  capability.  Redundant  FCO/MCC  communications  is 
therefore  mandatory  to  provide  the  interaction  and  situational  awareness  necessary  to  implement 
this  requirement.  @[101096-4550] 

Rules  {A3 -15 1C}  and  D,  MCC/KSC/45  SPW  INTERFACE,  reference  this  rule. 

E.  COMMUNICATIONS  CAPABILITY  WITH  REQUIRED  ASCENT  ABORT  SITES  - 

1  OF  3  MANDATORY:  ®[1 11094-1 71 6A]  ®[ED  ] 

1.  LONGLINE  ( LFP 1 ) 

2  .  INMARSAT 

3.  COMMERCIAL  TELEPHONE 

Prelaunch,  the  MCC  must  be  able  to  communicate  with  the  required  ascent  abort  landing  sites  (ref. 

Rule  { A2-2},  ABORT  LANDING  SITE  REQUIREMENTS ).  This  insures  that  there  has  not  been  a 
change  in  weather  or  nav/lcmding  aid  status.  It  also  insures  that  anomalies  can  be  passed  to  the 
ground  support  team  and  that  the  runway  and  airspace  are  clear  for  a  safe  landing.  This  can  be 
accomplished  by  insuring  that  at  least  one  of  the  communications  capabilities  listed  above  are 
available.  ®[111094-1716A] 

@[051 697-6008A] 
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A3-53  MCC  POWER 

A.  BUILDING  3  0M  POWER  BUSES  @[061396  4006A] 

BUS  Al,  A2,  Bl,  B2  -  THREE  OF  FOUR  MANDATORY. 

All  mandatory  MCC  equipment  can  be  configured  to  operate  on  any  three  of  the  four  power  buses. 
Equipment  which  cannot  tolerate  a  20-second  power  outage  is  configured  on  bus  Al  or  A2.  These 
buses  are  supported  with  online  UPS  (uninterrupted  power  supply)  (critical  A  power )  during  ascent. 
Equipment  which  can  tolerate  a  20-second  power  outage  is  configured  on  bus  Bl  or  B2.  These  buses 
are  supported  with  backup  offline  (20-second  startup)  diesel  generators  (critical  B  power)  during 
ascent.  @[061396  4006A] 

B.  BUILDING  30S  POWER  BUSES 

1.  POWER  BUSES  AX1 ,  AX 2  -  ONE  OF  TWO  MANDATORY. 

(SEE  NOTE  #1) 

NOTE  #1:  IF  ONLY  ONE  POWER  BUS  IS  AVAILABLE,  IT  MUST  HAVE 
A  NON-INTERRUPTIBLE  POWER  SUPPLY  (EITHER  UPS  OR  A 
RUNNING  DIESEL)  FEED. 


2  . 

POWER 

BUSES 

BX1 , 

BX2 

-  ONE 

OF 

TWO 

MANDATORY . 

3. 

POWER 

BUSES 

CXI, 

CX2 

-  ONE 

OF 

TWO 

MANDATORY 

(SEE  NOTE  #2) 


NOTE  #2:  MANDATORY  FOR  FLIGHTS  WITH  POCC  WORKSTATION 

REQUIREMENTS  ONLY;  SEE  THE  FLIGHT  SPECIFIC  ANNEX. 

@[061 396-4006B] 

All  equipment  on  the  A  and  B  buses  can  be  configured  entirely  onto  either  single  bus,  with  each  capable 
of  carrying  the  en  tire  load.  The  AX1  and  AX2  buses  are  supported  with  UPS  (un  in  terrupted  power 
supply).  The  BX1  and  BX2  buses  are  backed  up  with  diesels  (20-second  startup). 

The  AX  buses  provide  power  for  most  mandatory  technical  equipment  and  emergency  lighting  in  the 
MCC.  The  BX  buses  provide  power  to  IPS  system,  utility  outlets,  AX1  and  AX2  uninterruptible  power 
supplies,  and  back-up  power  feed  to  the  AX  buses  in  case  of  a  UPS  failure.  The  CX  buses  provide  power 
to  the  third  floor  POCC  consoles. 

THIS  RULE  CONTINUED  ON  NEXT  PAGE 
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A3-53  MCC  POWER  (CONTINUED) 

C.  BUILDING  3  OS  AIR  HANDLERS  ©[061396-4006A] 

1 .  SOFT  AIR  HANDLERS  -  ONE  OF  THREE  MANDATORY 

2 .  HARD  AIR  HANDLERS  -  ONE  OF  THREE  MANDATORY 

The  hard  air  handlers  provide  cooling  to  the  FCR,  SVO,  GOSR,  CDE  and  fifth  floor  areas  of  building 
30S.  The  soft  air  handlers  provide  cooling  to  all  other  areas  not  supplied  by  hard  air  handlers.  One  of 
each  type  air  handler  is  required  to  adequately  provide  cooling  for  mission  essential  hardware  and 
personnel.  @[061396  4006 A] 

A3-54  THROUGH  A3-100  RULES  ARE  RESERVED 
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45  SPW/GSFC/STDN  PRELAUNCH  REQUIREMENTS 


A3-101  GSFC 

A.  MESSAGE  SWITCHES  -  ONE  OF  TWO  MANDATORY  @[121593-1582] 

These  computers  route  mandatory  telemetry,  command,  tracking  and  configuration  data  between  MCC 
and  tracking  stations.  Each  message  switcher  can  handle  the  total  traffic  rate. 

B.  NETWORK  CONTROL  CENTER  (NCC)  COMPUTERS  -  ONE  OF  TWO  MANDATORY 

®[1 21 593-1 582  ]  @[051 697-6008A] 

For  TDRSS  to  support  TAL  aborts,  acquisition  data  must  be  generated  and  sent  to  WSGT for  TDRS 
pointing.  The  NCC  computers  and  associated  equipment  manage  this  acquisition  message  data  for 
forwarding  to  WSGT. 
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A3-102 


INTEGRATED  NETWORK  FAILURE  DECISION  MATRIX 


ASCENT  AND  INTACT  ABORT  LANDINGS  AT  KSC 

SITE 

STATIO 

N  ID 

TYPE 

RQMNT 

ASCENT/RTLS 

TAL 

(POST 
LAUNCH) 
KSC  AOA  & 

1  ST  DAY  PLS 

28.5  INC 

HIGHER 

INC 

JONATHAN 
DICKINSON  MISSILE 
TRACKING  ANNEX 
(JDMTA) 

JDIS 

S-BD 

TLM 

D/L  VOICE 

1  OF  2  M 

1  OF  2  M 

PONCE  DE 

LEON 

PDL 

S-BD  14 

CMD 

U/L  VOICE 

1  OF  2  HD 
[1] 

1  OF2M 
[2] 

FIXED 

DIPOLE 

UHF 

VOICE 

MILA 

MILS 

S-BD  30-1 

CMD 

TLM 

VOICE 

1  OF2M 

1  OF2M 

1  OF  2  HD 

MLXS 

S-BD  30-2 

TELTRAC 

UHF 

VOICE 

1  OF  2  M 

1  OF  2  M 

1  OF  2  HD 

QUAD 

HELIX 

TDRSS 

WSC 

S-BD 

CMD 

TLM 

VOICE 

M  [3] 

M  [3] 

M 

M  [6] 

TRK 

HD 

HD 

M  [5] 

WALLOPS 

WLPS 

S-BD  30 

CMD 

TLM 

VOICE 

HD 

QUAD 

HELIX 

UHF 

VOICE 

1  OF  1  HD 

MERRITT 

ISLAND 

MLAC 

MLMC 

FPQ-14 

MCB-17 

RADAR  TRK 

2  0F7HD 

2  OF  7  HD 

NOT 

SCHEDULED 

ACCEPT 

BEST 

EFFORT 

CALLUP 

PATRICK 

PATC 

FPQ-14 

RADAR  TRK 

CANAVERAL 

CNVC 

CMTC 

FPS-16 

MOTR 

RADAR  TRK 

JONATHAN 

DICKINSON 

JDIC 

FPQ-14 

RADAR  TRK 

MILA 

MILS 

OR 

MLXS 

S-BD 

RANGING 

TRK 

WALLOPS 

WLPC 

WLRC 

WLIC 

WLMC 

FPQ-6 

FPS-16 

FPS-16 

RIR-778 

RADAR  TRK 

2  OF  4  HD 
[4] 

@[072795-1722]  ®[ED 


]  @[121 296-41 77D]  ® 


072398-6565A]  @[021199-6817  ]  @[070899-6882  ]  ©[062702-5502C] 
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A3-102  INTEGRATED  NETWORK  FAILURE  DECISION  MATRIX 

(CONTINUED) 


|  INTACT  ABORT  LANDINGS  AT  EDWARDS  OR  NORTHRUP  STRIP  I 

SITE 

STATION  ID 

TYPE 

RQMNT 

(POST 

LAUNCH) 

EDW 

AOA  &  1ST 
DAY  PLS 

(POST 

LAUNCH) 

NOR 

AOA  &  1  ST 
DAY  PLS 

ATF1 

S-BD-21 

TLM 

1  OF  2  HD 

DRYDEN 

ATF2 

CMD 

VOICE 

PARABOLIC 

DISH 

UHF 

VOICE 

1  OF  3  HD 

CMD 

TDRSS 

WSC 

S-BD 

TLM 

VOICE 

TRK 

M  [5],  [6] 

M  [5],  [6] 

NORTHRUP 

STRIP 

SAL 

UHF  OMNI 

NORTHRUP 

STRIP 

UHF  OMNI 

VOICE 

2  OF  2  HD  [9] 

PT.  PILLAR 

PPMC 

MPS-36 

RADAR  TRK 

PTPC 

FPQ-6 

VDHC 

FPQ-14 

VANDENBURG 

VDBC 

TPQ-18 

RADAR  TRK 

NOT 

VDSC 

FPS-16 

SCHEDULED 
ACCEPT  BEST 

VDMC 

MOTR 

EFFORT 

CALLUP 

FRCC 

RIR-716 

[10] 

EDWARDS/ 

FDRC 

RIR-716 

RADAR  TRK 

DRYDEN 

FRFC 

FPS-16 

EFFC 

FPS-16 

HOLC 

FPS-16 

NOT 

WHITE  SANDS 
MISSILE  RANGE 

WHSC 

FPS-16 

RADAR  TRK 

SCHEDULED 
ACCEPT  BEST 
EFFORT 

WSSC 

FPS-16 

WSMC 

MOTR 

CALLUP 

@[072795-1722]  @[061396-3198]  ©[072398-6565A]  ©[062702-5502C] 
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A3-102  INTEGRATED  NETWORK  FAILURE  DECISION  MATRIX 

(CONTINUED) 


END  OF  MISSION  -  2ND  DAY  PLS  THROUGH  NOMINAL  EOM 


SITE 

STATION  ID 

TYPE 

RQMT 

KSC 

EDWARDS 

NORTHRUP 

STRIP 

TDRSS 

WEST 

S-BD 

TLM 

CMD 

VOICE 

M 

M 

M 

EAST 

M 

ANY 

TRK 

M 

M 

M 

MILA 

RANGING 

TRK 

HD 

MILS 

S-BD  30-1 

TLM 

CMD 

VOICE 

1  OF  2  HD 
[7] 

MLXS 

S-BD  30-2 

TELTRAC 

UHF 

VOICE 

1  OF  2  HD 

QUAD  HELIX 

MERRITT 

ISLAND 

MLAC 

FPQ-14 

RADAR 

TRK 

2  OF  5  HD 

MLMC 

MCB-17 

PATRICK 

PATC 

FPQ-14 

CANAVERAL 

CNVC 

FPS-16 

CMTC 

MOTR 

DRYDEN 

ATF1 

S-BD  12 

TLM 

CMD 

VOICE 

1  OF  2  HD  [8] 

ATF2 

PARABOLIC 

DISH 

UHF 

VOICE 

1  OF  3  HD 

PT.  PILLAR 

PPMC 

MPS-36 

RADAR 

TRK 

ANY  2 
RADARS 
FROM 

PT.  PILLAR 
VANDENBURG 
EDWARDS 

OR 

DRYDEN 

HD 

[10] 

PTPC 

FPQ-6 

VANDENBURG 

VDHC 

FPQ-14 

RADAR 

TRK 

VDBC 

TPQ-18 

VDSC 

FPS-16 

VDMC 

MOTR 

EDWARDS/ 

DRYDEN 

FRCC 

RIR-716 

RADAR 

TRK 

FDRC 

RIR-716 

FRFC 

FPS-16 

EFFC 

FPS-16 

NORTHRUP 

STRIP 

SAL 

UHF 

VOICE 

2  OF  2  HD  [9] 

NORTHRUP 

STRIP 

UHF  OMNI 

WHITE  SANDS 
MISSILE  RANGE 

HOLC 

FPS-16 

RADAR 

TRK 

2  OF  4  HD 

WHSC 

FPS-16 

WSSC 

FPS-16 

WSMC 

MOTR 

@[121593-1590]  @[072795-1772]  @[121 296-41 77D] 
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A3-102  INTEGRATED  NETWORK  FAILURE  DECISION  MATRIX 

(CONTINUED) 


NOTES: 

[1]  FOR  MISSIONS  WITH  AN  INCLINATION  OF  28.5  DEG,  PDL  S-BAND  AND  UHF  UPLINK  IS  HIGHLY  DESIRABLE. 
©[062702-5502C] 

[2]  FOR  MISSIONS  WITH  AN  INCLINATION  GREATER  THAN  28.5  DEG,  PDL  CMD  OR  UHF  UPLINK  IS  REQUIRED  SINCE 
MIL  UHF  IS  BLOCKED  BY  THE  SRB  PLUME. 

[3]  ANY  TDRS  EAST  IS  MANDATORY. 

[4]  WLPC  AND  WLRC  ARE  SCHEDULED  FOR  ALL  MISSIONS  GREATER  THAN  28.5  DEG.  WLIC  OR  WLMC  ONLY 
SCHEDULED  FOR  57-DEG  MISSIONS  OR  WHEN  WLPC  OR  WLRC  ARE  UNAVAILABLE. 

[5]  ONE  TDRS  REQUIRED  TO  ENSURE  PRE-BURN  STATE  VECTOR  ACCURACY  FOR  1ST  DAY  PLS  DEORBIT  IF 
ONBOARD  GPS  IS  FAILED. 

[6]  ANY  TDRS  WEST  IS  MANDATORY  FOR  AOA  AND  1  ST  DAY  PLS. 

[7]  ANY  TDRS  EAST  OR  MILA  IS  MANDATORY  TO  COVER  THE  LAST  PHASE  OF  KSC  LANDING  AND  POST  LANDING 
SUPPORT  UNTIL  VEHICLE  IS  HANDED  OVER  TO  GOM. 

[8]  ANY  TDRS  WEST  OR  DFRC  IS  MANDATORY  TO  COVER  THE  LAST  PHASE  OF  EDW  LANDING  AND  POST  LANDING 
SUPPORT  UNTIL  VEHICLE  IS  HANDED  OVER  TO  GOM. 

[9]  FOR  A  LANDING  AT  NORTHRUP  STRIP  (WSSH),  THE  UHF  SYSTEMS  DO  NOT  PROVIDE  REDUNDANT  COVERAGE 
FROM  AOS  THROUGH  WHEELSTOP,  SO  BOTH  SYSTEMS  ARE  REQUIRED. 

[1 0]  POINT  PILLAR  RADAR  MAY  BE  SCHEDULED  IN  PLACE  OF  VANDENBURG  RADAR  WHEN  EXPECTED  MAXIMUM 
ELEVATION  IS  GREATER  THAN  5  DEGREES.  ®[062702-5502C] 
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A3-103 


CRITICAL  LAUNCH  SYSTEMS  RECOVERY  TIMES 


SYSTEM 

SERVICE 

DESCRIPTION  OF 
EQUIPMENT 

QUANTITY  OF 
EQUIPMENT 
REQUIRED/ 
SCHEDULED/ 
TOTAL 

AVERAGE 

SELECTOVER 

TIME 

(AUTO  OR 
MAN) 

AVERAGE 

TIME  TO 
RESTORE 
REDUNDANCY 
FOLLOWING 
REPAIR 

CCF 

CMD  &  A/G  VOICE 

FEP  -  UPLINK 

1  OF  2/3 

30  SEC  (M) 

10  MIN 

FEP  RESTORI 

CONSOLIDATED 

TLM  &  A/G  VOICE 

FEP  -  DOWNLINK/ 

1  OF  2/3 

30  SEC  (M) 

10  MIN 

AND  REBOOT 

COMMUNICATION 

REALTIME 

CONSISTS  OF 

FACILITY 

TRK  DATA 

FEP-GROUND-TO- 

1  OF  2/2 

20  SEC  (M) 

10  MIN 

GROUND 

ALL 

CDSS 

BUILT  IN 

N/A 

BUILT  IN 

CDSS  CRITIC/ 

PROCESSES  AND 

REDUNDANCY 

REDUNDANCY 

ROUTING.  RE 

ROUTES  ALL 

ALL 

NASCOM  IP 

1  OF  2/2 

30  SEC  (M) 

15  MIN 

LAUNCH. 

DATA  COMING  IN 

EQUIP. 

AND  OUT  OF  THE 

MCC 

ALL 

NASCOM  IP 

MULTIPLE 

1  SEC  (A) 

SEE  NOTE  1 

NOTE  1  -  30  M 

CIRCUITS 

REPAIR  FOR  E 

SERVICE  MAY 

UPLINKS. 

MDM 

1  OF  2/2 

30  SEC  (M) 

10  MIN 

DOWNLINK 

GIGASWITCH 

1  OF  2/2 

30  SEC  (A) 

REBOOT  1  MIN 

TLM  8.  CMD  LAN  l/F 

CEM  (CCF 

1  OF  2/2 

4  MIN  (M) 

REBOOT  6  MIN 

FAILURE  OF  C 

ELEMENT 

AND  CONTRO 

MANAGER) 

CONFIGURAT 

VOICE 

S-BAND  A/G  VOICE 

AGVE 

1  OF  2/3 

5  SEC  (M) 

HARDWARE 

ASSUMES  ALL 

ALL  VOICE 

REPAIR 

COMMUNICATION 

UHF  A/G  VOICE 

UHF 

1  OF  2 

1  MIN  (M) 

S  IN/OUT  OF  MCC 

ALL  VOICE 

DVIS 

BUILT  IN 

BUILT  IN 

HARDWARE 

REDUNDANCY 

REDUNDANCY 

REPAIR 

BUILT  IN 

DVIS  CPU  FAII 

REDUNDANCY 

AND  RECONF 

LAUNCH. 

©[062702-5502C] 
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A3-103  CRITICAL  LAUNCH  SYSTEMS  RECOVERY  TIMES  (CONTINUED) 


SYSTEM 

SERVICE 

DESCRIPTION  OF 
EQUIPMENT 

QUANTITY 

OF 

EQUIPMENT 

REQUIRED/ 

SCHEDULED/ 

TOTAL 

AVERAGE 

SELECTOVER 

TIME 

(AUTO  OR 
MAN) 

AVERAGE 

TIME  TO 
RESTORE 
REDUNDANCY 
FOLLOWING 
REPAIR 

LANS 

DATA 

COMMUNICATION 
TRANSFER  FOR 
W/S’S 

BRIDGES 

CONCENTRATORS 

1  OF  2/2 

1  OF  2/2 

30  SEC  (A) 

1  SEC  (A) 

REBOOT:  1  MIN 

REBOOT:  1  MIN 

BRIDGES  AUT 

WS’S  FAILOV1 
IMMEDIATELY 
CARD  FAILUR 
TOTAL  LAN  SI 
LOW,  1  IN  200 
LESS  THAN  1 

TRAJECTORY 
SERVER 
-  PROVIDES 
TRAJECTORY 
PROCESSING 

TRAJECTORY 

PROCESSING 

TRAJECTORY 

SERVER 

-  HARDWARE/OS 
TRAJECTORY 
SOFTWARE 
APPLICATION - 
SOFTWARE 

1  OF  2/3 

1  SEC  (M) 

REBOOT:  5  MIN 

TRAJECTORY 
REDUNDANC 
REBOOT  AND 
THE  FAILED  S 

PLATFORM 

SERVERS 

MCC  NETWORK 

USER  SERVICES 

CM  SERVERS - 

PLATFORM 

SERVICES 

1  OF  2/2 

45  SEC  (A) 

REBOOT:  25  MIN 

CM  SERVER  F 
SECONDS. 

CMD,  TRAJECTORY 
&  TLM  PROCESSING 
DELAYS 

HA  SERVERS 
(READ/WRITE) 

1  OF  1/2 

50  MIN  (A) 

REBOOT:  15  MIN 

SERVER  FAIL 
USERSERVIC 
MINUTES  FOF 

NETWORK 

REGISTRATION 

NAME  SERVERS 

(NETWORK 

SERVICES) 

1  OF  2/2 

1  MIN  (A) 

REBOOT:  5  MIN 

CLOCK  &  GROUP 
DISPLAYS 

VTS SERVER 

1  OF  2/4 

30  SEC  (A) 

REBOOT:  5  MIN 

©[062702-5502C] 
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A3-103  CRITICAL  LAUNCH  SYSTEMS  RECOVERY  TIMES  (CONTINUED) 


SYSTEM 

SERVICE 

DESCRIPTION  OF 
EQUIPMENT 

QUANTITY  OF 
EQUIPMENT 
REQUIRED/ 
SCHEDULED/ 
TOTAL 

AVERAGE 

SELECTOVER 

TIME 

(AUTO  OR 
MAN) 

AVERAGE 

TIME  TO 
RESTORE 
REDUNDANCY 
FOLLOWING 
REPAIR 

COMMAND 

COMMAND 

PROCESSING 

COMMAND 

SERVERS 

1  OF  1/5 

1  MIN  (A) 

REBOOT:  5  MIN 

FOLLOWING  1 
COMMAND  SE 
ESTIMATED  A 

W/S’S 

USER  l/F  DEVICE 

USER 

WORKSTATION 

DEC  ALPHA 
STATIONS 

MULTIPLE 

GO  TO  B/U 
POSITION  (M) 

REBOOT:  15  MIN 

RIS  DL:  30  MIN 

REPLACE  UNIT 

USER  REBOO 
RESTARTS  AC 
OPERATING  S 
REBOOT 

W/S  HARDWA 
REQUIRE  ~  1  1 

DOLILU 

DAY  OF  LAUNCH 
ILOAD  UPDATE 

DOLILU  PROCESSING 

IPS  W/S’S  &  FILE 
SERVERS, 

COMM  MUX,  FSH 
&  MOC, 

NASCOM  2000 

1  OF  2/2 

6  MIN  (M) 

6  MIN 

ILOAD  COMPL 

EQUIPMENT  AIR 
HANDLERS 

BUILDING  30S 

CRITICAL 

EQUIPMENT 

4  OF  6/6 

AUTOMATIC 

AIR  HANDLERS 

WITHOUT  COi 
DOWN  WITHII 

DVIS  UNDER  FLOOR 

DVIS  UNDER 

FLOOR 

1  OF  2/2 

AUTOMATIC 

HARDWARE 

REPAIR 

WITHOUT  COi 
SHUT  DOWN  ' 

DVIS  OVERHEAD 

DVIS  OVERHEAD 

1  OR  2/2 

AUTOMATIC 

HOURS 

SHUT  DOWN  1 
PERMANENT 

EQUIPMENT 

POWER 

CRITICAL 

EQUIPMENT 

BUILDING  30S  AX 
BUS 

1  OF  2/2 

AUTOMATIC 

AUTOMATIC 

AUTOMATIC  F 
BACKUP,  GEN 

CRITICAL 

EQUIPMENT 

BUILDING  30S  A 
BUS 

1  OF  2/2 

AUTOMATIC 

AUTOMATIC 

BLACK  STAR! 
POWER  IS  LO 

HIGHLY  DESIRABLE 

BUILDING  30S  BX 
BUS 

1  OF  2/2 

MANUAL 

30  MIN 

MANUAL  GEN 
TRANSFER  IF 

HIGHLY  DESIRABLE 

BUILDING  30S  B 
BUS 

1  OF  2/2 

MANUAL 

30  MIN 

LOST. 

®[062702-5502C] 


NOTE:  RECOVERY  TIMES  DO  NOT  INCLUDE  FAULT  ISOLATION,  HARDWARE,  AND  SOFTWARE  REPAIR  TIME.  ®[062702-5502C] 


A3-104  THROUGH  A3-150  RULES  ARE  RESERVED  ©[062702-5502C] 
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MCC  EXTERNAL  INTERFACE  (VOICE  DATA)  PRELAUNCH  REQUIREMENTS 


A3-151  MCC/KSC/45  SPW  INTERFACE 

A.  7.2-KB  LAUNCH /LANDING  RADAR  CIRCUIT  -  ONE  OF  TWO  HIGHLY 
DESIRABLE.  ®[061 297-6004  ] 

These  circuits  provide  launch/landing  C-band  tracking  data  from  45  SPW/CCC  to  the  MCC.  These  are 
redundant  circuits  providing  backup  capability;  each  one  capable  of  carrying  the  total  traffic.  @[061297-6004  ] 

B.  9.6  KB  WIND  DATA  CIRCUIT  -  ONE  OF  TWO  MANDATORY.  ®[ED  ] 

NOTE:  CHANGES  TO  HD  AFTER  STRUCTURAL  GO/NO-GO  DECISION  IS  MADE. 

®[ED  ] 

These  circuits  support  processing  of  ascent  structural  loads.  There  are  two  redundant  circuits  providing 
backup  capability;  each  one  capable  of  carrying  the  total  traffic. 

C.  9.6  KB  FCO  ABORT  SWITCH  INTERFACE  CIRCUITS  -  ONE  OF  TWO 
MANDATORY  @[101096-4551]  @[110900-3701] 

Removal  of  the  ET  Range  Safety  Flight  Termination  System  resulted  in  additional  flightcrew 
responsibility  as  agents  of  the  45th  Space  Wing  Commander  for  public  safety  during  second  stage  flight. 
During  this  timeframe,  crew-initiated  manual  MECO  replaces  range  safety  command  destruct  capability. 

One  of  the  elements  agreed  upon  to  satisfy  this  requirement  is  to  provide  the  FCO  with  the  ability  to 
illuminate  the  orbiter  cockpit  abort  light  via  pushbutton  as  an  independent  method  for  the  FCO  to 
communicate  a  manual  MECO  requirement  to  the  crew. 

The  Launch  Commit  Criteria  states  that  at  least  one  of  two  FCO  abort  light  command  paths  must  be 
available  until  T-10  seconds.  A  path  consists  of  one  abort  switch  circuit  connected  to  one  of  three  MCC 
workstations  (FD  WFCR-28,  FDO  WFCR-10,  and  SVO-9)  to  enable  FCO  abort  light  conmianding  through 
the  MCC  Command  System.  Ref.  Rule  {A3-2J,  GROUND  AND  NETWORK  OVERALL  PHILOSOPHY. 

The  two  external  FCO  abort  circuits  and  the  MCC-internal  lines  to  the  three  workstations  go  to  a  patch 
panel  to  allow  any  combination  of  one  abort  circuit  and  one  workstation  to  complete  an  FCO  abort  light 
path.  @[110900-3701]  ®[ED  ] 

THIS  RULE  CONTINUED  ON  NEXT  PAGE 
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A3— 151  MCC/KSC/45  SPW  INTERFACE  (CONTINUED) 

D.  FCO  INTERFACES: 

1.  VOICE  INTERFACE  -  TWO  OF  FOUR  MANDATORY: 

a.  FDO/FCO  PRIVATE  LINE 

b.  FCO  PRIME  LOOP 
C.  FD  LOOP 

d.  OTHER  LOOP  PATCHING  TO  FCO  LONG  LINE 

2.  CONTROLLABILITY  VERIFICATION  -  TWO  OF  FIVE  MANDATORY: 

a.  45  SPW  RANGE  SAFETY  TELEMETRY  DISPLAY  SYSTEM  (RTDS ) 

b.  CONTROLLABILITY  LIGHT  (GNC  CONSOLE  TO  FCO) 

c.  FCO  PRIME  LOOP 

d.  FDO/FCO  PRIVATE  LINE 

e.  FD  LOOP 

During  second  stage  flight,  removal  of  the  ET  Range  Safety  Flight  Termination  System  resulted  in 
additional  flightcrew  responsibility  as  agents  of  the  45  th  Space  Wing  Commander  for  public  safety, 
with  crew-initiated  manual  MECO  replacing  range  safety  command  destruct  capability.  Redundant 
FCO/MCC  communications  are  therefore  mandatory  to  provide  the  interaction  and  situational 
awareness  necessary  to  implement  this  requirement.  <@[101096-4551  ] 

During  first  stage,  range  safety  mission  rules  outline  flight  termination  criteria  and  provide  the  FCO 
with  the  ability  to  determine  shuttle  controllability  status  in  the  event  of  complete  loss  of  communication 
with  MCC.  For  purposes  of  making  the  con  trollability  determination  ,  range  safety  launch  commit 
criteria  require  at  least  two  pathways  by  which  vehicle  control  status  may  be  confirmed.  The  available 
sources  include  the  items  listed  under  paragraph  D.2  of  this  rule.  <@[101096-4551  ] 

THIS  RULE  CONTINUED  ON  NEXT  PAGE 
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A3— 151  MCC/KSC/45  SPW  INTERFACE  (CONTINUED) 

E.  KSC  TEST  DIRECTORS  VOICE  INTERFACE  -  ONE  OF  THREE  MANDATORY: 

1.  OIS  131 

2.  OIS  232/212 

3 .  FD 

NOTE:  OIS  232  IS  USED  PRIOR  TO  T  MINUS  20  MINUTES  AND  OIS  212 
IS  USED  AFTER  T  MINUS  20  MINUTES  AS  THE  PRIMARY  VOICE 
COMMAND  CHANNEL. 

Same  rationale  as  Rule  (A3 -52 },  MCC  INTERNAL  VOICE. 


VOLUME  A  11/21/02  FINAL,  PCN-1  GROUND  INSTRUMENTATION  3-28 

REQUIREMENTS 

Verify  that  this  is  the  correct  version  before  use. 


NASA  -  JOHNSON  SPACE  CENTER 


FLIGHT  RULES 


A3-152  GSFC/STDN  INTERFACE 

A.  SITE  TO  GSFC : 

1.  MIL/PDL  ONLY  224-KB  CIRCUIT  -  ONE  OF  TWO  MANDATORY. 

©[072398-6565A] 

One  of  two  redundant  circuits  is  required  to  support  mandatory  telemetry  from  MIL/PDL. 
Reference  Rule  { Ad-102  },  INTEGRATED  NETWORK  FAILURE  DECISION  MATRIX ,  for 
mandatory  site  requirements  and  Rules  {A3-lA}.l.b  and  (A3-1AJ.2,  GROUND  AND  NETWORK 
DEFINITIONS,  for  HDR/LDR  telemetry  requirements.  ®[ED  ] 

2.  MIL  9.6-KB  S-BAND  HIGH  SPEED  TRACKING  DATA  CIRCUIT  - 
HIGHLY  DESIRABLE.  ®[061 297-6004  ]  ®[072398-6565A] 


This  circuit  supports  high  speed  S-band  tracking  data  from  MIL. 

3.  22  4-KB  CIRCUITS:  ®[06i 396-31 98] 

DFRF  -  ONE  OF  ONE  MANDATORY .  ®[092398-6565A]  ®[ED  ] 

NOTE:  MANDATORY  ONLY  WHEN  THE  SITE  IS  THE  ONLY  SOURCE  FOR 

LANDING  TELEMETRY  (REF.  RULE  {A3-102},  INTEGRATED  NETWORK 
FAILURE  DECISION  MATRIX)  .  ®[ED  ] 

One  circuit  is  required  from  each  site  which  is  mandatory  for  telemetry. 

B.  GSFC  TO  SITE: 

1.  22  4-KB/ 5  6 -KB  VOICE/COMMAND  CIRCUITS,  MIL/PDL  ONLY  -  ONE 
OF  TWO  MANDATORY.  @[061396-3198]  ®[072398-6565A] 

The  prime  voice  command  circuit  from  GSFC  to  MIL/PDL  is  a  224-kb  line,  with  a  56-kb  circu  it  as 
backup.  The  circuit  is  required  to  provide  uplink  command  and  voice. 

2.  UHF  ANALOG  A/G  VOICE  CIRCUITS:  @[061396-3198] 

MIL  -  ONE  MANDATORY 


MIL  is  the  only  site  which  UHF  A/G  and  S-band  A/G  are  both  mandatory  (ref.  Rule  (A3 -102}, 
INTEGRATED  NETWORK  FAILURE  DECISION  MATRIX).  The  UHF  A/G  must  be  sent  to  GSFC/STDN 
via  analog  circuits.  ©[072398-6565A]  ®[ED  ] 

THIS  RULE  CONTINUED  ON  NEXT  PAGE 
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A3-152  GSFC/STDN  INTERFACE  (CONTINUED) 

3.  DFRF  224 -KB  COMMAND/VOICE  CIRCUIT  -  ONE  OF  TWO  MANDATORY. 
©[072398-6565A]  ®[ED  ] 

NOTE:  MANDATORY  ONLY  WHEN  DFRF  IS  THE  ONLY  SOURCE  FOR 

LANDING  COMMAND  OR  S-BAND  VOICE  (REF.  RULE  {A3-102}, 
INTEGRATED  NETWORK  FAILURE  DECISION  MATRIX)  .  ®[ED  ] 

This  circuit  provides  the  data  path  for  command  and  S-band  voice  from  GSFC  to  DFRF. 

4.  WLPS  224  -  KB  CIRCUIT  @[061396-3198]  ®[072398-6565A] 

WLPS  TLM/CMD/VOICE  MANDATORY  PER  RULE  {A3-102},  INTEGRATED 
NETWORK  FAILURE  DECISION  MATRIX.  @[121593-1579]  ®[ED  ] 

A3-153  45  SPW/VAFB  INTERFACE 

9.6-KB  LANDING  RADAR  CIRCUIT  -  ONE  OF  TWO  HIGHLY  DESIRABLE. 

@[061297-6004]  ®[ED  ] 

NOTE:  ONLY  USED  FOR  EDW  AOA/PLS .  ®[ED  ] 

This  circuit  supports  high  speed  tracking  data  from  the  west  coast  for  EDW  AOA/PLS.  @[061297-6004  ] 


A3-154  45  SPW/WSMR  INTERFACE 

2.4-KB  LANDING  RADAR  CIRCUIT  -  ONE  OF  TWO  HIGHLY  DESIRABLE. 

@[061297-6004]  ®[ED  ] 

NOTE:  ONLY  USED  FOR  NOR  AOA/PLS.  ®[ED  ] 

This  circuit  supports  high  speed  tracking  data  from  WSMRfor  NOR  AO  A  or  daily  prime  opportunity. 
@[061297-6004], 
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A3-155  MCC/GSFC/NGT  INTERFACE 

WB  MDM  NETWORK  (BROADCAST  MODE)  -  ONE  OF  TWO  MANDATORY. 

The  MCC/GSFC  and  MCC/NGT  satellite  data  links  (WB  MDM  networks)  provide  the  data  interface  for 
the  GSTDN  and  TDRSS  networks,  respectively.  Mandatory  telemetry,  command,  S-band  track,  and 
S-band  voice  are  routed  via  these  links.  There  are  two  completely  redundant  MDM  systems  to  provide 
backup  capability.  One  of  two  is  required  to  provide  mandatory  data. 

A3-156  MCC/ASCENT  ABORT  SITE  INTERFACE 

COMMUNICATIONS  CAPABILITY  WITH  REQUIRED  ASCENT  ABORT  SITES  -  ONE 
OF  THREE  MANDATORY:  ®[1 11094-1 71 6A] 

A.  LONGLINE  (LFP1) 

B.  INMARSAT 

C.  COMMERCIAL  TELEPHONE 

Prelaunch,  the  MCC  must  be  able  to  communicate  with  the  required  ascent  abort  landing  site,  (ref. 

Rule  {A2-2J,  ABORT  LANDING  SITE  REQUIREMENTS).  This  insures  that  there  has  not  been  a  change 
in  weather  or  nav/landing  aid  status.  It  also  insures  that  anomalies  can  be  passed  to  the  ground  support 
team  and  that  the  runway  and  airspace  are  clear  for  a  safe  landing.  This  can  be  accomplished  by 
insuring  that  at  least  one  of  the  communications  capabilities  listed  above  are  available.  ®[1 1 1094-1 71 6A  ] 

A3-157  THROUGH  A3-200  RULES  ARE  RESERVED 
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A3-201  TACAN  REDUNDANCY  REQUIREMENTS  AND  ALTERNATE  TACAN 

SELECTION  PHILOSOPHY 

A.  REDUNDANCY  REQUIREMENTS  ®[0201 96-1 807B] 

1.  REDUNDANT  TACAN  TRANSPONDER  CAPABILITY  IS  MANDATORY  FOR 
LAUNCH  COMMIT  AT  THE  FOLLOWING  SITES: 

a.  RTLS 

b.  PRIMARY  TAL  IF  REQUIRED 
C.  AOA  IF  REQUIRED 

d.  FIRST  DAY  PLS  IF  REQUIRED  (ETRO  FOR  EQUIPMENT  OUTAGE 
MUST  BE  PRIOR  TO  DEORBIT  DECISION) 

NOTE:  REF  RULE  {A2-2} ,  ABORT  LANDING  SITE  REQUIREMENTS 

FOR  ABORT  SITE  LAUNCH  COMMIT  REQUIREMENTS. 

2.  REDUNDANT  TACAN  TRANSPONDER  CAPABILITY  IS  MANDATORY  FOR 
PLS  (OTHER  THAN  FIRST  DAY  PLS),  MDF ,  AND  END  OF  MISSION 
DEORBIT  COMMIT  (REF  RULE  {A4-107},  PLS/EOM  LANDING 
OPPORTUNITY  REQUIREMENTS) . 

3 .  THE  REDUNDANT  TACAN  TRANSPONDER  REQUIREMENT  CAN  BE 

SATISFIED  BY  ONE  GROUND  STATION  WITH  DUAL  STRING  (DS) 
TRANSPONDERS,  BY  TWO  STATIONS  WITH  SINGLE-STRING  (SS) 
TRANSPONDER  CAPABILITY,  OR  BY  ONE  GROUND  STATION  WITH 
SINGLE-STRING  (SS)  TRANSPONDER  CAPABILITY  AND  A  GPS  LRU 
FUNCTIONING  PROPERLY  (REF.  RULE  {A8-115},  GPS  SYSTEM 
MANAGEMENT)  .  @[0201 96-1 807B]  @[092602  5642] 

Rules  {A2-2},  ABORT  LANDING  SITE  REQUIREMENTS ,  and  (A2-1FJ.3,  PRELAUNCH  GO/NO-GO 
REQUIREMENTS,  reference  this  rule.  ®[i  21593-1 590  ] 

Landing  site  selection  will  be  based  on  priorities  specified  in  Rule  {A2-207j,  LANDING  SITE 
SELECTION.  @[022201  -3857  ] 

THIS  RULE  CONTINUED  ON  NEXT  PAGE 
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A3— 201  TACAN  REDUNDANCY  REQUIREMENTS  AND  ALTERNATE  TACAN 

SELECTION  PHILOSOPHY  (CONTINUED) 

GPS  provides  acceptable  redundancy  to  a  TACAN  ground  station  that  has  only  a  single-string 
transponder.  In  the  event  that  the  single-string  transponder  becomes  unavailable,  the  onboard  GPS 
LRU  will  provide  a  means  to  keep  the  onboard  state  vector  within  the  Guidance  constraints.  This  is 
con  tingen  t  upon  GPS  functioning  properly  ( ref.  Rule  {A8-115},  GPS  SYSTEM  MANAGEMENT). 

@092602-5642  ] 

Landing  sites  and  TACAN’s  are  loaded  in  the  onboard  software  and  can  be  changed  in  OPS  1/6/3. 
Uplink  of  an  acceptable  alternate  TACAN  may  be  performed  to  meet  redundancy  requirements  for 
OPS  6/3  en  tries.  TACAN  requiremen  ts  for  EOM  and  other  landing  opportunities  are  not  considered 
in  the  decision  to  launch.  @[0201 96-1 807B]  @[022201-3857] 

RTLS 


TACAN  processing  is  required  to  protect  the  guidance-imposed  navigation  entry  constrain  ts  for 
an  RTLS.  An  offline  analysis  that  assumed  a  launch  on  time  using  IMU’s  and  ADTA  with  nominal 
performance  characteristics  and  random  noise  showed  that  3-sigma  navigation  performance  violated  the 
entry  guidance  constraints  of  downtrack  and  crosstrack  at  altitudes  of  85k  feet  and  40k  feet,  respectively. 

TAL  (IF  REQ  UIRED )  ®[i  21 593-1 590  ] 

TACAN  is  required  to  protect  against  navigation  dispersions  for  TAL  because  neither  delta  state  nor 
GCA  is  available  without  ground  tracking.  TACAN  is  the  primary  source  to  correct  downtrack  and 
crosstrack  errors  in  the  navigation  state.  ®[020i  96-1 807B] 

Redundant  TACAN  transponder  capability  near  the  selected  TAL  site  is  mandatory  for  launch  to  provide 
adequate  navigation.  If  weather  conditions  are  unacceptable  at  the  primary  TAL  site,  then  redundant 
TACAN  transponder  capability  becomes  mandatory  near  the  secondary  site. 

AOA/FIRST DAY PLS  (IF REQUIRED) 

Although  an  AO  A  landing  site  is  not  normally  required  for  launch  commit  ( ref.  Rule  (A2-2),  ABORT 
LANDING  SITE  REQUIREMENTS),  the  TACAN  requirements  are  shown  in  the  event  that  an  AO  A  site  is 
required.  Redundant  TACAN  transponder  capability  is  required  for  the  primary  AO  A  landing  site  only. 

The  navigation  state  conditions  are  worse  for  AO  A  compared  to  RTLS  or  TAL  because  the  vector  is  1 
hour  older  and  the  vehicle  requires  one  or  two  OMS  burns.  For  a  first  day  PLS,  the  site  may  be 
con  sidered  go  if  equipmen  t  ou  tage  resu  lting  in  less  than  single-fault  tolerance  has  an  ETRO  prior  to 
deorbit  decision  time.  ®[1 21 593-1 590  ]  @[0201 96-1 807B] 

B.  IN  GENERAL,  PROGRAM  APPROVED  TACAN' S  (LISTED  BELOW  FOR  END  OF 
MISSION  AND  INTACT  ABORT  SITES;  NOT  IN  ORDER  OF  PRIORITY)  THAT 
MEET  THE  CRITERIA  IN  PARAGRAPH  C  WILL  BE  USED  TO  MEET  THE 
REDUNDANCY  REQUIREMENTS.  CONSIDERATION  WILL  BE  GIVEN  TO  OTHER 
TACAN' S  THAT  MEET  THE  CRITERIA  IN  PARAGRAPH  C  IF  THEY  PROVIDE 
A  NAVIGATION  IMPROVEMENT  OVER  AN  APPROVED  TACAN.  @[0201 96-1 807B] 

THIS  RULE  CONTINUED  ON  NEXT  PAGE 
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VOLUME  A 


_ FLIGHT  RULES _ 

TACAN  REDUNDANCY  REQUIREMENTS  AND  ALTERNATE  TACAN 
SELECTION  PHILOSOPHY  (CONTINUED) 

KENNEDY  SPACE  CENTER: 

TITUSVILLE,  TTS  (DS) 

PATRICK,  COF  (SS) 

ORMOND  BEACH,  OMN  (SS) 

LAKELAND,  LAL  (SS)  ®[0201 96-1 807B] 

ORLANDO,  ORL  (SS)  ®[0201 96-1 807B]  @[022201-3857] 

EDWARDS  AFB : 

EDWARDS,  EDW  (SS) 

LAKE  HUGHES,  LHS  (SS) 

CHINA  LAKE,  NID  (DS) 

GORMAN,  GMN  (SS) 

PALMDALE,  PMD  (SS) 

POMONA,  POM  (SS) 

NORTHRUP : 

WHITE  SANDS  SPACE  HARBOR,  SNG  (SS) 

HOLLOMAN  AFB,  HMN  (SS) 

TRUTH  OR  CONSEQUENCES,  TCS  (SS) 

BANJUL : 

YUNDUM  INTL ,  BYD  (DS)  @[0201 96-1 807B] 
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A3— 201  TACAN  REDUNDANCY  REQUIREMENTS  AND  ALTERNATE  TACAN 

SELECTION  PHILOSOPHY  (CONTINUED) 

5.  BEN  GUERIR: 

BEN  GUERIR,  BEN  (DS) 

6 .  MORON 

MORON,  MRN  (SS) 

ROTA,  AOG  (DS)  ®[0201 96-1 807B] 

7.  ZARAGOZA:  ®[0201 96-1 807B] 

ZARAGOZA,  ZZA  (DS) 


Program  approved  TACAN’ s  refer  to  those  TACAN’ s  listed  in  NSTS  07700,  Volume  X,  Book  3, 
controlled  by  the  PRCB,  approved  by  the  SASCB  for  use  in  the  onboard  I-loads,  or  contained  in  this 
flight  rule.  When  selecting  an  alternate  TACAN  station  to  meet  redundancy  requirements,  priority  will 
generally  be  given  to  program  approved  TACAN’s  that  meet  the  criteria  in  paragraph  C.  If  no  program 
approved  TACAN’s  meet  the  criteria  or  other  TACAN’s  that  meet  the  criteria  provide  a  navigation 
improvement,  non-program  approved  TACAN’s  may  be  used  to  meet  the  redundancy  requirements.  Note 
that  in  most  cases,  there  will  be  no  program  approved  alternate  TACAN  station  since  both  NSTS  07700 
and  the  onboard  I-locids  only  include  a  primary  and  secondary  TACAN  for  each  site.  @[022201-3857  ] 

C.  ALTERNATE  TACAN' S  THAT  SATISFY  THE  FOLLOWING  CRITERIA  (NOT  IN 

PRIORITY  ORDER)  MAY  BE  UPLINKED  IN  OPS  1/3  TO  MEET  THE 

REDUNDANCY  REQUIREMENTS  IN  PART  A.  @[022201-3857] 

NOTE:  THESE  CRITERIA  APPLY  TO  GROUND  STATIONS  REQUIRED  FOR 

LAUNCH  COMMIT  AND  COMMIT  TO  DEORBIT.  REFER  TO  RULE 
{ A2 -2  64 } ,  EMERGENCY  LANDING  FACILITY  CRITERIA,  FOR 
ELS  MINIMUM  REQUIREMENTS. 

1.  NO  COCHANNEL  INTERFERENCE  PREDICTED  BELOW  130K  FT 
ALTITUDE . 

NOTE:  IN  SOME  CASES,  COCHANNEL  INTERFERENCE  MAY  BE 

ELIMINATED  BY  POWERING  OFF  THE  INTERFERING  STATION (S) 
FOR  THE  PERIOD  OF  SHUTTLE  OPERATIONS. 

THIS  RULE  CONTINUED  ON  NEXT  PAGE 
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A3— 201  TACAN  REDUNDANCY  REQUIREMENTS  AND  ALTERNATE  TACAN 

SELECTION  PHILOSOPHY  (CONTINUED) 

2.  TACAN  MUST  BE  OPERATING  PRIOR  TO  LAUNCH  OR  DEORBIT  COMMIT 
AS  APPLICABLE  PER  PARAGRAPH  A 

3.  WITHIN  50  NM  OF  THE  RUNWAY. 

4.  POWER  LEVEL  ?  1 . 5K  WATTS.  ®[0201 96-1 807B] 

5.  NIMA  OR  FAA  TACAN  DATABASE  COORDINATES  MUST  BE  AVAILABLE 
AS  A  MINIMUM.  SURVEY  DATA  IS  HIGHLY  DESIRABLE,  BUT  NOT 
MANDATORY.  ®[0201 96-1 807B]  @[022201-3857] 

6.  NASA  OR  FAA  CERTIFIED  AND  ACCURATE  WITHIN  0 . 3  NM  AND  1.0 
DEGREE  (REF  RULE  {A8-52},  SENSOR  FAILURES). 

CONSIDERATION  WILL  BE  GIVEN  TO  THE  USE  OF  A  TACAN  WHICH 
HAS  BEEN  EVALUATED  VIA  GPS  EQUIPPED  STA  BUT  WHICH  HAS  NOT 
BEEN  COMPLETELY  CERTIFIED.  ®[ED  ] 

Alternate  TACAN’s  may  be  uplinked  in  OPS  1/3  to  satisfy  the  redundancy  requiremen  ts  for  OPS  6/3 
entries.  The  process  of  selecting  an  alternate  TACAN  begins  with  the  TACAN  Cochannel  Interference 
Document  (NAV-98-4237-032)  which  includes  several  potential  TACAN  stations  for  space  shuttle 
landing  sites.  This  document  contains  cochannel  interference  data  which  is  generated  assuming  a 
nominal  range-altitude  profile,  constant  power  level  of  3.5  KW,  and  an  approximation  for  the  shape  of 
the  parabolic  TACAN  signed  propagation.  This  interference  data  along  with  the  expected  groundtrack 
can  be  used  to  approximate  the  altitude  below  which  a  given  TACAN  station  is  clear  of  interference  and 
to  determine  which  TACAN  stations  must  be  powered  off  to  reduce  or  eliminate  in  terference.  In  addition 
to  the  cochannel  in  terference  data,  the  TACAN  Cochannel  In  terference  Documen  t  lists  the  type  of  station 
{TACAN,  VORTAC,  VORDME,  or  DME),  data  source  (survey  or  NIMA/FAA  database),  and  the  distance 
and  direction  from  the  runway. 

Once  an  acceptable  TACAN  or  VORTAC  is  identified  based  on  runway  proximity  and  cochannel 
in  terference,  the  operating  hours  and  power  level  are  verified  to  ensure  the  TACAN  will  be  available 
during  entry.  TACAN’s  used  to  meet  the  redundancy  requirements  must  be  operational  prior  to  launch 
commit  for  RTLS,  TAL  (if  required),  and  AO  A  (if  required).  If  first  day  PLS  is  required,  the  TACAN(s) 
must  have  an  ETRO  prior  to  deorbit  decision  time.  For  PLS,  MDF,  and  end  of  mission,  the  TACAN(s) 
used  to  meet  the  redundancy  requirements  must  be  operating  prior  to  deorbit  commit  and  until 
touchdown.  The  TACAN(s)  must  be  available  throughout  entry  to  touchdown  to  ensure  continuous 
TACAN  processing. 

THIS  RULE  CONTINUED  ON  NEXT  PAGE 
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A  maximum  distance  of  50  nmfrom  the  TACAN  to  the  runway  is  required  to  ensure  TACAN  lock-on  until 
MLS  acquisition.  The  groundtrack  proximity  may  also  be  considered  in  the  alternate  TACAN  selection 
process.  The  minimum  power  level  of  1.5 K  watts  and  cochannel  interference  requirements  were  chosen 
to  obtain  TACAN  lock-on  by  130K  ft,  which  is  the  altitude  where  3  sigma  downtrack  error  will  exceed  the 
guidance  constraints  if  TACAN  data  is  not  processed.  Interfering  TACAN’ s  may  be  powered  off  if 
possible  to  eliminate  predicted  interference  below  130Kft. 

Although  survey  data  is  preferred,  it  is  not  required,  provided  data  is  available  from  the  NIMA/FAA 
TACAN  database.  Non-survey  coordinates  provided  by  NIMA/FAA  are  accurate  within  about  1000ft. 

Past  TACAN  measurement  data  quality  observed  during  shuttle  missions  and  flight  tests  may  also  be 
considered  in  the  alternate  TACAN  selection  process.  ®[0201 96-1 807B]  @[022201-3857] 

The  FAA  or  NASA  certification  requirements  are  contained  in  NSTS  07700,  Volume  X,  Book  3.  The 
FAA  accuracy  requirements  are  outside  those  required  by  space  shuttle  navigation.  Therefore,  cm 
FAA  controlled  TACAN  must  also  meet  the  0.3  nm  and  1.0  degree  accuracy  requirements  contained 
in  Rule  {A8-52},  SENSOR  FAILURES.  ©[020196-1807B]  @[022201 -3857  ] 

D.  IF  A  TACAN  GROUND  STATION  FAILS  AFTER  LAUNCH  OR  DEORBIT  AND  A 
TACAN  THAT  MEETS  THE  CRITERIA  IN  PARAGRAPH  C  DOES  NOT  EXIST, 
OTHER  ALTERNATES  (DME'S  INCLUDED)  MAY  BE  CONSIDERED  FOR 
UPLINK  TO  PROVIDE  SOME  FORM  OF  BACKUP  CAPABILITY. 

The  criteria  in  paragraph  C  is  provided  to  ensure  an  acceptable  TACAN  is  used  to  meet  the  redundancy 
requirements  for  commit  to  launch  or  commit  to  deorbit.  However,  if  a  TACAN  fails  after  launch  or 
deorbit  and  a  TACAN  that  meets  the  criteria  in  paragraph  C  does  not  exist,  the  best  alternate  including 
DME’s  may  be  uplinked.  Although  this  alternate  may  not  protect  3  sigma  navigation  performance,  it 
provides  some  form  of  backup  capability.  @[0201 96-1 807B] 


VOLUME  A  11/21/02  FINAL,  PCN-1  GROUND  INSTRUMENTATION  3-37 

REQUIREMENTS 

Verify  that  this  is  the  correct  version  before  use. 


NASA  -  JOHNSON  SPACE  CENTER 


FLIGHT  RULES 


A3-202  MLS 


REDUNDANT  MLS  CAPABILITY,  INCLUDING  AZIMUTH,  ELEVATION,  AND  RANGE 
DATA,  IS  REQUIRED  FOR  THE  FOLLOWING:  ®[070899-6872A] 

A.  REDUCED  CEILING,  VISIBILITY,  OR  INCREASED  RTLS  CROSSWIND 
LIMITS  (REF.  RULE  {A2-6},  LANDING  SITE  WEATHER  CRITERIA  [HC] ) 
FOR  DAYLIGHT,  CONCRETE  RUNWAY  LANDINGS.  ®[1 11 094-1 622B]  ®[041 196-1 81 7B] 

Because  MLS  provides  improved  navigation  and  position  accuracy  with  respect  to  the  runway,  a 
reduction  in  ceiling,  visibility  or  an  increase  in  RTLS  crosswind  requirements  is  allowed.  However, 
because  of  the  dependence  on  MLS  during  the  critical  landing  phase  with  reduced  ceilings/  visibility, 
combined  with  the  more  stringent  navigation  requirements  for  concrete  runways,  single-fault  tolerant 
capability  must  exist  to  guarantee  MLS  availability.  Redundant  MLS  capability  can  be  either  the 
standard  primary /backup  MLS  ground  station  or  two  collocated  single-string  MLS  Jr.  stations.  The 
relatively  less  stringent  navigation  requirements  for  lakebed  runways  make  it  possible  to  relax  the 
redundancy  requirement  to  zero-fault  tolerant.  One-sigma  onboard  navigation  position  errors  improve 
from  approximately  400 feet  without  MLS  to  approximately  85  feet  after  the  first  MLS  measurement, 
decreasing  to  just  over  50  feet  1-sigma  by  touchdown.  Azimuth  and  range  measurements  are  required  to 
allow  MLS  processing,  and  elevation  is  required  to  correct  altitude  errors.  Detailed  definitions  of 
ceiling,  visibility  and  RTLS  crosswinds  are  covered  in  Rule  [A2-6J,  LANDING  SITE  WEATHER 
CRITERIA  [HC],  ®[111094-1622B]  ®[041 196-1 81 7B] 

B.  NIGHT  LANDINGS  ON  ALL  CONCRETE  RUNWAYS  OR  NIGHT  LANDINGS  ON 
LAKEBED  RUNWAYS  WITH  CEILINGS  LESS  THAN  THOSE  SPECIFIED  IN 
RULE  {  A2 - 6  }  ,  LANDING  SITE  WEATHER  CRITERIA  [ HC  ].  ®[1 11 094-1 622B] 

MLS  is  required  due  to  the  loss  of  visual  cues  and  the  related  degradation  of  the  crew’s  ability  to 
visually  compensate  for  navigation  dispersions  during  night  landing  operations.  Because  of  this 
requirement,  single-fault  tolerant  capability  must  exist  to  guarantee  MLS  availability  (ref.  paragraph  A 
rationale)  for  landings  on  concrete  runways  where  large  lateral  dispersions  at  touchdown  are  less 
tolerable  than  for  lakebed  runways. 

For  lakebed  landings  only,  single-string  MLS  is  acceptable  if  the  lowest  ceiling  is  at  or  above  those 
specified  in  the  Rule  {A2-6j,  LANDING  SITE  WEATHER  CRITERIA  [HC].  The  increased  ceiling 
provides  additional  time  for  the  crew  to  compensate  for  navigation  dispersions  using  visual  cues.  In 
addition,  the  larger  area  provided  by  the  lakebed  environment  makes  navigation  dispersions  resulting 
from  the  possible  failure  of  the  single-string  MLS  more  tolerable.  ®[111 094-1 622B] 

Rules  (A2-1FJ.3,  PRELAUNCH  GO/NO-GO  REQUIREMENTS;  [A2-2j.  ABORT  LANDING  SITE 
REQUIREMENTS;  {A3-203},  LANDING  AID  REQUIREMENTS;  and  [ A8-1001 },  GNC  GO/NO-GO 
CRITERIA,  reference  this  rule.  ®[111 094-1 622B]  ®[070899-6872A] 
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LANDING  AIDS  ( CONCRETE / LAKEBED  )  @[070899-6881] 


PAPI 

LIGHTS 

AIMPOINT 

BALLBAR  [1] 

XENON 

LIGHTS 

EDGE  LIGHTS/ 

REFLECTORS 

ALS 

CENTER 

LINE 

LIGHTS 

RUNWAY 

REMAINING 

MARKERS 

CDR  HUD 
W/MLS 

1  OF  2  HD 

HD 

RUNWAY  LIGHTS  AND  MARKERS 

NOT  REQUIRED  FOR 

DAYLIGHT  LANDINGS 

CDR  HUD 
W/NO  MLS 

1  OF2M 

M 

NO  CDR  HUD 

M 

HD 

M 

NIGHT 

LANDING 

M 

N/R 

M 

M 

M 

HD 

HD 

M  [2] 

@[102402-5786] 


[1]  BALLBAR  IS  MANDATORY  FOR  TAL. 

[2]  RUNWAY  REMAINING  MARKERS  (RRM'S)  ARE  MANDATORY  FOR  NIGHT  LANDINGS  ON  CONCRETE  ONLY. 

PAPI  lights  are  required  at  the  proper  aimpoint  position  (nominal  or  close  in  as  recommended)  for  all 
lighting  and  surface  conditions.  The  exceptions  are  daylight  landings  where  the  use  of  an  aimpoint  and 
a  HUD  will  substitute  for  a  PAPI,  or  when  the  CDR  HUD  and  MLS  are  available.  PAPI  lights  allow  the 
pilot  to  visually  acquire  the  proper  outer  glide  slope  with  a  good  degree  of  accuracy.  In  daylight,  the  use 
of  an  aimpoint  and  a  HUD  (visual  glide  slope  information  provided  by  onboard  navigation )  will  provide 
the  crew  with  similar  cues  to  the  outer  glide  slope.  The  combination  of  the  HUD  and  MLS  can  also 
provide  the  necessary  cues  for  flying  the  outer  glide  slope  in  daylight.  In  this  case,  either  the  PAPI  lights 
or  aimpoint  are  only  highly  desirable.  For  purposes  of  this  rule,  the  MLS  capability  is  required.  For 
specific  MLS  ground  station  redundancy  and  LRU  requirements  reference  Rules  {A3 -202},  MLS,  and 
{ A8-18 },  LANDING  SYSTEMS  REQUIREMENTS.  If  MLS  is  not  available,  then  either  the  PAPI  lights  or 
aimpoint  are  mandatory  (PAPI  lights  preferred).  Without  MLS,  navigation  accuracy  may  not  be  good 
enough  to  provide  a  reliable  crosscheck  of  the  HUD  runway  overlay  for  confirming  and  flying  the  outer 
glide  slope.  PAPI  lights  are  mandatory  for  night  landings  or  landings  without  the  CDR  HUD  to  help 
offset  the  loss  of  visual  cues  and  references  and  the  degraded  ability  to  compensate  for  navigation 
errors.  @[070899-6881  ] 

Ball  bars  are  mandatory  for  TAL  sites  because  of  the  reduced  runway  length  and  width  ( <  300 feet)  as 
compared  to  CONUS  runways.  Without  the  ball  bar,  the  reduced  width  of  the  runway  can  result  in  a 
false  visual  perception  of  being  too  high  above  the  glide  slope  which  can  lead  to  descending  through 
the  inner  glide  slope  and  landing  short  of  the  run  way. 

THIS  RULE  CONTINUED  ON  NEXT  PAGE 
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A3-203  LANDING  AID  REQUIREMENTS  (CONTINUED) 

For  daylight  CONUS  landings  where  the  visual  scene  is  “as  trained  to,  ”  a  ball  bar  is  only  highly 
desirable  when  both  the  CDR  HUD  and  MLS  are  available.  MLS  plus  the  CDR  HUD  provides 
sufficient  cues  to  allow  an  accurate  transition  to  the  inner  glide  slope.  For  purposes  of  this  rule  the 
MLS  capability  is  required.  For  specific  MLS  ground  station  redundancy  and  LRU  requirements, 
reference  Rules  {A3-202J,  MLS,  and  {A8-18J,  LANDING  SYSTEMS  REQUIREMENTS.  Without  MLS, 
the  navigation  accuracy  (primarily  the  HUD  velocity  vector)  may  not  be  good  enough  to  guide  the  pilot 
on  the  H/Hdot  profile  required  to  capture  ( Pre-Flare )  and  fly  the  inner  glide  slope  through  threshold 
crossing;  therefore,  a  ball  bar  is  mandatory.  Ball  bars  are  mandatory  for  night  landings  or  landings 
without  the  CDR  HUD  to  help  offset  the  loss  of  visual  cues  and  references  and  the  degraded  ability  to 
compensate  for  navigation  errors.  @[070899-6881  ] 

Runway  remaining  markers  (RRM’s)  are  only  mandatory  for  night  concrete  landings.  The  length  of 
concrete  runways  and  night  conditions  necessitate  the  need  for  RRM’s  due  to  the  reduced  margin  of 
error  in  determining  runway  remaining.  These  markers  give  the  pilot  a  visual  cue  to  the  rollout  distance 
remaining  and  the  brake  profile  required  to  stop  on  the  field. 

Runway  lighting  is  required  for  night  landings  in  order  for  the  pilot  to  see  the  runway  on  approach, 
touchdown,  and  rollout.  The  Xenon  lights  are  considered  mandatory,  as  they  provide  the  primary 
means  for  lighting  the  immediate  runway  area  (approach  path,  threshold,  and  touchdown  point). 

Runway  edge  lights/reflectors  are  mandatory  as  they  provide  the  primary  visual  cue  for  lateral  margin 
during  touchdown  and  rollout.  Approach  Lighting  System  (ALS)  lights  are  not  mandatory  because  the 
Xenon  lights,  edge  lights/reflectors,  and  PAPI/ball  bar  requirements  suffice  for  centerline/threshold 
lighting  and  targeting  cues.  Centerline  lights  are  available  as  a  secondary  cue  at  the  KSC  SLF  and  are 
only  highly  desirable.  @[102402-5786  ] 

Reference  Ascent/Entry  Flight  Techniques  Panel,  April  16,  1999.  @[070899-6881  ] 

Rules  { A2-1} ,  PRELAUNCH  GO/NO-GO  REQUIREMENTS;  and  (A2-2J,  ABORT  LANDING  SITE 
REQUIREMENTS,  reference  this  rule.  ®[i 21593-1 590  ] 
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SECTION  4  -  TRAJECTORY  AND  GUIDANCE 


PRE LAUNCH 


A4-1  PERFORMANCE  ANALYSES 

LAUNCH  WILL  NOT  BE  ATTEMPTED  IF: 

A.  THE  PREDICTED  USABLE  MPS  RESIDUALS  AT  NOMINAL  MECO  ARE  LESS 
THAN  2  SIGMA  PLUS  THE  MEAN  IN-FLIGHT  MPS  FLIGHT  PERFORMANCE 
RESERVE  (FPR) . 

B.  THE  PREDICTED  USABLE  MPS  RESIDUALS  PLUS  MPS-EQUI VALENT  OMS 
AND  RCS  ABOVE  THE  MISSION-SPECIFIC  REQUIREMENTS,  AS  SPECIFIED 
IN  THE  FLIGHT-SPECIFIC  ANNEX,  ARE  LESS  THAN  3  SIGMA  PLUS  THE 
MEAN  IN-FLIGHT  MPS  FPR. 

THE  PREDICTED  USABLE  MPS  RESIDUALS  PLUS  MPS-EQUIVALENT  OMS 
AND  RCS  ABOVE  THE  MISSION-SPECIFIC  REQUIREMENTS,  AS  SPECIFIED 
IN  THE  FLIGHT-SPECIFIC  ANNEX,  ARE  LESS  THAN  3  SIGMA  PLUS  THE 
MEAN  IN-FLIGHT  MPS  FPR. 

NOTE:  FOR  DIRECT  INSERTION  FLIGHTS  WHERE  ALL  OF  THE  PRIMARY 
MISSION  OBJECTIVES  (AS  DEFINED  IN  THE  FLIGHT-SPECIFIC 
ANNEX)  CAN  BE  ACHIEVED  FROM  A  1-SIGMA  MECO  UNDERSPEED 
WITHOUT  RAISING  THE  ORBIT,  ONLY  PARAGRAPH  A  ABOVE  APPLIES. 

NOTE:  IF  THE  PRIMARY  MISSION  OBJECTIVES  CANNOT  BE  ACHIEVED 
FROM  A  1-SIGMA  MECO  UNDERSPEED  WITHOUT  RAISING  THE 
ORBIT,  RCS  (BOTH  FORWARD  AND  AFT)  MARGINS  MAY  BE 
COMMITTED  ALONG  WITH  THE  OMS  MARGIN  TO  RAISE  THE 
ORBIT.  IF  THIS  IS  DONE,  THE  PRIMARY  MISSION 
OBJECTIVES  MAY  BE  DELAYED  TO  FLIGHT  DAY  2  OR  LATER. 

THIS  WILL  BE  EVALUATED  ON  A  FLIGHT-SPECIFIC  BASIS  AND 
DOCUMENTED  IN  THE  FLIGHT-SPECIFIC  ANNEX. 
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A4-1  PERFORMANCE  ANALYSES  (CONTINUED) 

C.  THE  ET  IP  CONSTRAINTS  AS  DEFINED  IN  RULE  {A2-62A},  ET 
FOOTPRINT  CRITERIA,  ARE  NOT  SATISFIED. 

Trajectory  analysis,  using  day  of  launch  winds  and  ET  loading  estimates,  provides  performance  margins 
and  launch  hold  capability  after  the  initiation  ofLOX  drawback.  To  be  GO  for  launch,  considering  the 
hold  capability,  this  trajectory  analysis  must  not  predict  use  of  any  of  the  mean  plus  2  sigma  in-flight 
MPS  flight  performance  reserve  (FPR).  The  use  ofMPS  equivalent  OMS  propellant  above  that  required 
to  accomplish  the  specific  mission  will  be  allowed  to  cover  up  to  1  sigma  of  the  required  3  sigma  MPS 
margin.  If  the  predicted  MPS  equivalen  t  OMS  available  plus  the  MPS  residuals  at  MECO  are  still  less 
than  3  sigma  plus  the  mean  in-flight  MPS  FPR,  launch  will  be  NO-GO.  The  sigma  level  (2  or  3  as 
applicable )  plus  mean  FPR  is  a  propellant  level  that  reflects  potential  uncertainties  in  all  ascent 
subsystems  at  the  specified  sigma  level.  We  are  willing  to  launch  with  a  slightly  increased  possibility  of 
low  level  cutoff  (2  sigma  vs.  3  sigma)  provided  the  extra  sigma  is  covered  in  excess  OMS  such  that  the 
nominal  mission  is  protected  by  3  sigma,  but  we  are  not  willing  to  launch  with  a  guided  MECO 
protection  level  of  less  than  2  sigma.  On  direct  insertion  flights,  should  a  2-sigma  day  occur,  OMS 
propellant  cannot  be  used  to  make  up  for  the  1 -sigma. 

MPS  shortfall  at  MECO  without  scheduling  at  least  one  additional  OMS  burn  after  OMS-2,  with  its 
associated  mission  objective  timeline  and  tracking  impacts.  Therefore,  as  long  as  the  mission  objectives 
can  be  accomplished  from  the  resulting  lower  orbit,  only  2-sigmci  MPS  plus  the  mean  inflight  MPS  FPR 
(reference  paragraph  { A4-1AJ ,  PERFORMANCE  ANALYSES)  need  be  protected. 

If  the  primary  mission  objective  cannot  be  achieved  without  raising  the  orbit,  one  or  more  maneuvers 
will  be  required.  OMS  and  RCS  margins  may  be  used  to  raise  the  orbit.  The  addition  ofRCS  increases 
the  hold  time  available  inside  of  drawback.  However,  commitment  ofRCS  to  making  up  part  of  the  1 
sigma  may  require  several  maneuvers  to  be  executed  and  may  cause  the  primary  mission  objective  to  be 
delayed  past  flight  day  1.  Therefore,  a  flight-specific  assessment  must  be  done  preflight  to  determine 
whether  the  impact  of  committing  the  RCS  margins  is  acceptable.  The  commitment  ofRCS  may  be  the 
difference  between  being  able  to  launch  and  a  launch  scrub.  It  is  acceptable  to  commit  RCS  prelaunch 
because  the  probability  of  actually  having  to  use  it  are  very  small  (i.e.,  requires  greater  than  2  sigma 
bad  day).  Margins  are  defined  as  the  quantities  in  excess  of  the  mission  completion  redlines  (ref.  Rules 
/A6-303},  OMS  REDLINES  [CIL];  { A6-304 },  FORWARD  RCS  REDLINES;  and  { A6-305 },  AFT  RCS 
REDLINES)  plus  lower  priority  flight  activities  as  defined  in  the  Flight  Specific  Rule  Annex. 

Independen  t  of  the  capability  to  support  the  designed  mission,  ET  protection  must  be  maintained  off  land 
as  prescribed  by  Rule  {A2-62AJ,  ET  FOOTPRINT  CRITERIA.  As  MPS  performance  capability  is 
degraded  through  day-of-launch  loadings/winds,  holds  within  drawback,  and/or  late  mass  property 
updates,  the  designed  ET  footprint  will  move  up  range. 

THIS  RULE  CONTINUED  ON  NEXT  PAGE 
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A4-1  PERFORMANCE  ANALYSES  (CONTINUED) 

D.  ANY  SINGLE-ENGINE-OUT  INTACT  ABORT  GAP  IS  PREDICTED  TO  EXIST 
BASED  ON  LAUNCH  DAY  WINDS  AND  PERFORMANCE  ASSESSMENTS.  GAP 
CLOSURE  METHODS  AS  OUTLINED  IN  RULE  {A4-56I},  PERFORMANCE 
BOUNDARIES,  SHALL  NOT  BE  EMPLOYED  PRELAUNCH  TO  CLOSE  AN 
EXPECTED  GAP  .  ®[ED  ] 

The  launch  will  not  be  attempted  with  a  known  abort  gap.  If  launch  is  allowed  to  proceed  with  a  known  gap 
during  intact  abort  coverage,  there  will  be  a  period  of  time  during  which  no  intact  abort  mode  will  be 
available.  Should  an  engine  fail  during  this  time,  loss  of  mission,  vehicle,  and  crew  may  result.  Options 
exist  for  closing  an  abort  gap,  such  as  commitment  to  AO  A  shallow,  maximum  SSME  throttles,  and  relaxing 
dispersion  tolerances.  These  options  are  in  tended  only  to  close  a  gap  that  arises  post-lift-off  due  to  some 
unanticipated  performance  difficulty.  They  should  not  be  used  to  allow  a  launch  to  proceed  since  a  safety 
compromise  arises  from  each  option. 

Rules  (A2-1CJ,  PRELAUNCH  GO/NO-GO  REQUIREMENTS,  and  { A2-2} ,  ABORT  LANDING  SITE 
REQUIREMENTS,  reference  this  rule.  ®[i 21 593-1 590  ] 
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A4-2  LANDING  SITE  CONDITIONS 

LAUNCH  WILL  NOT  BE  ATTEMPTED  IF  ANY  REQUIRED  ASCENT  ABORT  LANDING 
SITE  (REF.  RULE  {A2-2},  ABORT  LANDING  SITE  REQUIREMENTS)  RUNWAY  AND 
LANDING  CONDITIONS  ARE  NOT  SATISFACTORY.  THE  LANDING  CONDITIONS 
REQUIRED  ARE  DEFINED  IN  RULE  {A2-6},  LANDING  SITE  WEATHER  CRITERIA 
[HC],  AND  { A4-107A} ,  PLS/EOM  LANDING  OPPORTUNITY  REQUIREMENTS. 
REDESIGNA-TION  TO  ALTERNATE  SITES,  IF  ANY,  MAY  BE  USED  TO  SATISFY 
RUNWAY  AND  LANDING  CONDITIONS.  @[121593-1590]  @[111 094-1 622B] 

NOTE:  TAL,  AOA,  AND  FIRST  DAY  PLS  SITES  MAY  NOT  BE  REQUIRED  FOR 

LAUNCH  COMMIT  (REF.  RULE  {A2-2},  ABORT  LANDING  SITE 
REQUIREMENTS) .  SHOULD  ALL  AOA  SITES  BE  NO-GO,  PRESS 
BOUNDARIES  WILL  BE  BASED  UPON  ATO/MINIMUM  fjb/FDl  SHALLOW 
DEORBIT  USING  AFT  RCS  TO  THE  FD1  AFT  RCS  SHALLOW  PRESS 
QUANTITY  (REF.  RULE  {A6-305G},  AFT  RCS  REDLINES) .  IF  A  FIRST 
DAY  PLS  LANDING  SITE  IS  UNAVAILABLE,  THEN  THE  PRESS  BOUNDARY 
WILL  BE  BASED  UPON  ATO/MINIMUM  HP/FD2  SHALLOW  DEORBIT  USING 
AFT  RCS  TO  THE  FD2  AFT  RCS  SHALLOW  PRESS  QUANTITY  (REF.  RULE 
{A6-305G},  AFT  RCS  REDLINES),  AND  FWD  RCS  IN  OPS  2  TO  THE  FD2 
FWD  RCS  PRESS  QUANTITY  (REF.  RULES  {A2-53},  FORWARD  RCS  USAGE 
GUIDELINES,  AND  {A6-304D},  FORWARD  RCS  REDLINES).  ANY 
SYSTEMS  ABORT  WILL  USE  EXISTING  TAL/ABORT  FROM  ORBIT  (AFO) 
CAPABILITY.  ®[01 2402-51 12B] 


Continuous  single  engine  out  intact  abort  landing  sites  must  be  available  to  support  an  abort  condition 
during  ascent.  Without  these  sites,  the  payload,  orbiter  and  crew  may  be  lost  in  an  abort  situation.  The 
redesignation  provision  documents  the  capability  to  employ  weather  alternate  landing  sites  as  a  means  of 
satisfying  weather,  runway,  and  equipment  requirements. 

The  press  boundaries  are  based  on  AOA,  first  day,  or  second  day  PLS  depending  on  the  availability  of 
landing  sites.  It  is  assumed  that  weather  would  not  prevent  a  second  day  PLS  since  all  three  CONUS 
sites  would  be  available.  Systems  failures  requiring  early  flight  termination  will  be  supported  by  TAL 
and  AFO  sites.  In  some  cases,  systems  failures  involving  loss  of  redundancy  normally  requiring  first 
day  PLS  will  result  in  second  day  PLS  landings  incurring  additional  risk  of  failure  of  the  last  entry 
critical  system.  Rule  {A2-lFj.l,  PRELAUNCH  GO/NO-GO  REQUIREMENTS,  references  this  rule. 
@[121593-1590]  @[012402-51 1 2B] 


VOLUME  A  06/20/02  FINAL  TRAJECTORY  AND  GUIDANCE  4-4 

Verify  that  this  is  the  correct  version  before  use. 


NASA  -  JOHNSON  SPACE  CENTER 


FLIGHT  RULES 


A4-3  ORBIT  CONJUNCTIONS /CONFLICTS 

IF  U.S.  SPACE  COMMAND  PRELAUNCH  COMPUTATION  OF  MISSES  BETWEEN 
ORBITS  (COMBO)  ANALYSIS  PREDICTS  AN  ON-ORBIT  CONJUNCTION  WITHIN 
5  KM  IN  THE  RADIAL  AND  OUT-OF-PLANE  DIRECTIONS  AND  15  KM  IN  THE 
DOWNTRACK  DIRECTION  DURING  THE  FIRST  2  HOURS  OF  THE  NOMINAL 
MISSION,  LAUNCH  WILL  BE  HELD  UNTIL  THE  NEXT  EVEN  MINUTE  TO 
ASSURE  CLEARANCE.  FOR  LAUNCH  SLIPS,  ADDITIONAL  COMBO  ANALYSIS 
WILL  BE  REQUESTED  AND  FURTHER  HOLDS  WILL  BE  SCHEDULED  IN 
ACCORDANCE  WITH  THIS  FLIGHT  RULE.  LAUNCH  WILL  ONLY  BE  HELD  IF 
RESULTS  ARE  AVAILABLE  PRIOR  TO  5  MINUTES  BEFORE  THE  L- 9-MINUTE 
RESUMPTION  OF  THE  COUNT. 

The  launch  will  not  be  conducted  into  known  conditions  of  potential  conflict  with  an  orbiting  object. 

If  such  conditions  are  predicted  to  occur  prior  to  2  hours  MET  for  the  nominal  orbit,  it  is  prudent  to 
delay  the  lift-off  to  the  next  even  minute  to  assure  sufficient  clearance  from  the  object.  This  action 
minimizes  risk  at  a  minimal  cost  prior  to  picking  up  the  count  at  L-9  minutes.  After  that,  holding 
launch  for  such  a  low  probability  event  would  not  be  prudent.  The  5-minute  pad  is  to  allow  the 
conjunction  information  to  be  evaluated,  passed  on  to  the  FD,  and  a  hold  requested  if  required. 

Notification  of  potential  conflicts  can  come  as  early  as  L-l  day.  Additional  tracking  is  taken  on  the 
object(s),  and  subsequent  COMBO  runs  are  made  to  determine  if  the  risk  persists.  If  the  risk  does 
persist,  a  launch  slip  to  the  next  even  minute  will  eliminate  that  risk. 

Providing  COMBO  analysis  through  2  hours  MET  and  slipping  launch  for  the  predicted  misses  as 
specified  in  the  rule  are  based  on  orbiter  insertion  errors  and  trajectory  dispersions.  The  orbiter  state 
errors  beyond  that  time  are  so  large  (until  sufficient  tracking  can  be  taken )  that  it  makes  no  sense  to 
perform  the  analysis.  Also,  2  hours  was  chosen  because  any  potential  conjunctions  after  that  would  be 
computed  with  an  actual  post  OMS-2  state  vector  that  the  MCC provides  U.S.  Space  Command.  The 
results  of  the  post  OMS-2  COMBO  analysis  would  be  available  by  1:30  MET,  allowing  at  least  1/2  hour 
to  plan  a  maneuver  if  required. 

Rule  { A2-1G },  PRELAUNCH  GO/NO-GO  REQUIREMENTS,  references  this  rule.  ( Reference 
Ascent/Entry  Flight  Techniques  Panel  Meeting  #101,  6/18/93).  @[051194-1605  ] 


VOLUME  A  06/20/02  FINAL  TRAJECTORY  AND  GUIDANCE  4-5 

Verify  that  this  is  the  correct  version  before  use. 


NASA  -  JOHNSON  SPACE  CENTER 


FLIGHT  RULES 


A4-4  DOLILU  OPERATIONS 

THE  DAY  OF  LAUNCH  I-LOAD  UPDATE  (DOLILU)  OPERATIONS  AND  STRUCTURAL 
LOADS  EVALUATION  WILL  BE  PERFORMED  BY  THE  MCC-H  WITH  VERIFICATION 
FROM  USA/SYSTEMS  INTEGRATION.  THE  LOADS  AND  DOLILU  OFFICER  (LDO) 
HAS  PRIMARY  RESPONSIBILITY  TO  REPORT  FACILITY  AND  PROCESSOR  STATUS 
AS  WELL  AS  GO/NO-GO  EVALUATION  TO  THE  FD  AND  MOD  WHO  PROVIDE  THAT 
INFORMATION  TO  THE  NTD  OR  MMT  AS  APPROPRIATE.  ®[091 098-6622C] 

TO  BE  GO  FOR  LAUNCH,  THE  DOLILU  COMMAND  LOADS  MUST  BE  BUILT  FROM 
DAY  OF  LAUNCH  JIMSPHERE  MEASURED  WIND  INFORMATION,  UPLINKED  AND 
VERIFIED  ONBOARD  PRIOR  TO  LAUNCH,  AND  THE  FINAL  LAUNCH  WIND 
ANALYSIS  PERFORMED  PRIOR  TO  LAUNCH  MUST  SHOW  THAT  THE  LOADS  AND 
ASCENT  TRAJECTORY  PARAMETERS  ARE  WITHIN  ESTABLISHED  LIMITS. 

VALID  CORRELATION  OF  MCC-H  AND  USA/SYSTEMS  INTEGRATION  RESULTS 
IS  REQUIRED.  IT  IS  HIGHLY  DESIRABLE  TO  HAVE  GO  EVALUATIONS  FROM 
BOTH  MCC-H  AND  USA/SYSTEMS  INTEGRATION  FOR  ALL  WIND  ANALYSES, 

BUT  EXCEPTIONS  ARE  LISTED  BELOW: 

A.  DISCREPANCIES  IN  PROCESSOR  INTEGRITY  RULES  OR  EXPERIENCE 
RULES  WILL  BE  RESOLVED  BY  THE  FLIGHT  CONTROL  TEAM  IF 
POSSIBLE.  NOTIFICATION  WILL  BE  MADE  TO  THE  MMT.  UNRESOLVED 
DISCREPANCIES  IN  THESE  RULES  REQUIRE  A  LAUNCH  NO-GO. 

B.  VIOLATION  OF  THE  SYSTEMS  CONSTRAINT  RULES  IS  A  LAUNCH  NO-GO 
UNLESS  RESOLVED  BY  THE  APPLICABLE  PROGRAM  ELEMENTS  AT  THE  MMT 
LEVEL. 

C.  DISCREPANCIES  BETWEEN  THE  RESULTS  FROM  THE  MCC-H  PROCESSES 
AND  THE  USA/SYSTEMS  INTEGRATION  PROCESSES  WILL  BE  RESOLVED  AS 
FOLLOWS : 

1.  FOR  ALL  DISCREPANCIES  THAT  FALL  WITHIN  COMPARISON 

CRITERIA,  MCC-H  RESULTS  ARE  CONSIDERED  PRIME  FOR  MAKING 
THE  GO/NO-GO  EVALUATION.  ®[091 098-6622C] 

THIS  RULE  CONTINUED  ON  NEXT  PAGE 
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A4-4  DOLILU  OPERATIONS  (CONTINUED) 

2.  IF  THE  DISCREPANCY  FAILS  COMPARISON  CRITERIA  AND  IS  CAUSED 
BY  A  WIND  FEATURE,  A  SUBSEQUENT  WIND  ASSESSMENT  SHALL  BE 
USED  TO  CLEAR  THE  DISCREPANCY.  THE  FINAL  WIND  ASSESSMENT 
SHALL  BE  REQUIRED  TO  PASS  COMPARISON  CRITERIA  PRIOR  TO 
CLEARING  THE  VEHICLE  FOR  LAUNCH.  ®[091 098-6622C] 

3.  IF  THE  DISCREPANCY  FAILS  COMPARISON  CRITERIA  AND  IS  CAUSED 
BY  AN  ERROR  FROM  EITHER  THE  JSC  OR  USA/SYSTEM  INTEGRATION 
DOLILU  SUPPORT  ELEMENT,  THEN  THE  GO/NO-GO  EVALUATION  SHALL 
BE  BASED  ON  THE  CORRESPONDING  NON-FAILED  ELEMENT. 

4.  IF  THE  CAUSE  FOR  THE  MISCOMPARE  IS  UNRESOLVED,  THE  LAUNCH 
IS  NO-GO  REGARDLESS  OF  EITHER  SYSTEM'S  GO/NO-GO  EVALUATION 
RESULTS . 

D.  FOR  FAILURE  OF  MCC-H  PROCESSOR  AFTER  THE  DOLILU  I-LOAD  HAS 
BEEN  TRANSFERRED  TO  THE  MCC  COMMAND  SYSTEM,  LAUNCH  MAY  PROCEED 
IF  USA/SYSTEMS  INTEGRATION  IS  ABLE  TO  PROVIDE  RESULTS  AND  THEY 
ARE  GO. 

E.  FOR  FAILURE  OF  USA/SYSTEMS  INTEGRATION  PROCESSOR  AFTER  THE 
L- 6 : 1 5  HR  COMPARE  WITH  MCC-H  IS  COMPLETE,  LAUNCH  MAY 
PROCEED  IF  THE  MCC-H  CONTINUES  TO  BE  ABLE  TO  PROVIDE 
RESULTS  AND  THEY  ARE  GO. 


To  be  GO  for  launch,  the  DOLILU  I-loads  and  trajectory  must  pass  all  structural  loads  and  trajectory 
constraints.  These  constraints  are  based  on  SSP  vehicle  constraints,  and  there  are  no  means  available  for 
the  DOLILU  process  to  clear  these  violations.  Therefore,  any  systems  constraint  rule  or  structural  loads 
violation  is  reported  to  the  MMT  as  a  NO-GO,  requiring  an  MMT  weaver  for  launch  to  proceed. 

Trajectory  experience  rules  are  parameter  envelopes  and  are  based  on  the  DOLILU -II  certification 
database.  Launch  day  upper  wind  conditions  may  cause  cm  experience  envelope  exceedance.  If  the  reason 
for  the  exceedance  is  identified  and  acceptable  to  the  flight  control  team,  then  rationale  to  launch  may  be 
written  by  the  LDO  as  a  DOLILU  exception  and  processing  may  proceed.  ®[09i  098-6622C] 

THIS  RULE  CONTINUED  ON  NEXT  PAGE 
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A4-4  DOLILU  OPERATIONS  (CONTINUED) 

At  JSC  only,  processor  integrity  rules  evaluate  the  DOLILU  I-load  generation  processor  for  convergence 
and  comparison  with  the  trajectory  simulation.  Singularities  inherent  in  the  numerical  iteration  scheme 
used  to  generate  the  I-loads  may  result  in  processor  non-convergence  and  are  the  result  of  random  wind 
conditions.  If  a  processor  integrity  rule  fails,  DOLILU  processing  may  proceed  using  an  I-load 
generated  from  another  launch  day  balloon  ( L-6:15  or  L-3:25)  if  the  reason  for  the  rule  failure  is 
understood  and  no  additional  processor  rule  failure  occurs  ( ref.  NSTS-08329,  Vol.  VIII,  DOLILU 
Operations  Support  Plan  ( DOSP) ).  ®[091 098-6622C] 

A  miscompare  of  USA/Systems  Integration  and  JSC  may  indicate  that  there  is  an  error  in  one  of  the 
two  processes  or  that  the  environment  ( wind  measurement )  is  not  sufficiently  stable  to  allow  a  valid 
constraint  evaluation  to  be  made.  The  source  of  the  miscompare  must  be  understood  prior  to  launch. 

The  DOLILU  process  uses  independent  verification  (JSC  and  USA/Systems  Integration)  of  the  trajectory 
and  structural  loads  as  one  means  to  control  the  risks  associated  with  DOLILU  operations  (ref. 
Integration  Hazard  Report  INTG-180E).  However,  a  successful  launch  day  comparison  between  the 
two  for  the  L-6.15  balloon  is  sufficient  for  processing  to  proceed  with  only  one  location’s  evaluation. 

This  comparison  as  well  as  the  system  verification  check-outs  that  have  occurred  prior  to  day  of  launch 
are  adequate  to  insure  verification  integrity.  An  additional  requirement  is  for  JSC  to  have  generated 
and  transferred  a  DOLILU  I-load  to  the  MCC  for  uplink.  ®[091 098-6622C] 

A4-5  THROUGH  A4-50  RULES  ARE  RESERVED 
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A4-51  KALMAN  FILTER  SOLUTION 

FOR  PURPOSES  OF  IMPLEMENTING  THE  LAUNCH  -  POWERED  FLIGHT  ONLY  - 
AND  LANDING  FLIGHT  RULES,  THE  KALMAN  FILTER  SOLUTION  IS 
CONSIDERED  TO  BE  VALID  IF: 

The  purpose  of  this  rule  is  to  establish  quantitative  criteria  for  declaring  the  Kalman  filter  solution  a 
valid  source  for  comparing  and  evaluating  the  onboard  state  vector. 

A.  AT  LEAST  TWO  AGREEING  RADAR  SOURCES  ARE  BEING  PROCESSED,  OR 
ONE  RADAR  HAS  BEEN  CONFIRMED  PRIOR  TO  THE  DUAL  SOURCE  LOSS. 

The  Kalman  filter  processor  is  designed  for  multiple  radar  data  processing  to  achieve  accuracy 
requirements.  Since  the  ground  solution  is  considered  the  valid  source  when  disagreement  occurs 
between  the  ground  and  the  onboard,  confirmation  of  data  being  processed  is  necessary  for  confidence  in 
the  ground  solution. 

B.  LESS  THAN  20  PERCENT  OF  THE  DATA  IS  BEING  EDITED  FROM  EITHER 
SOURCE . 

Editing  of  incoming  radar  data  is  indicative  of  noisy  or  invalid  data.  The  20  percent  criterion  was 
selected  by  navigation  analysts  as  a  conservative  editing  limit  based  on  preflight  analysis  and  postflight 
evaluation  for  purposes  of  maintaining  the  integrity  of  the  ground  state  solution. 

C.  THE  STANDARD  DEVIATIONS  OF  ANGLE  AND  RANGE  RESIDUALS  ARE  LESS 
THAN  THE  2-SIGMA  EXPECTED  VALUES. 

Data  statistics  are  computed  in  the  Kalman  processor  based  upon  a  prior  knowledge  about  the  data 
sources.  The  rule  criterion  was  selected  by  navigation  analysts  as  a  conservative  standard  for  solution 
validity  evaluation  based  on  preflight  analysis  and  postflight  evaluation. 

D.  THE  ESTIMATED  BIAS  IS  LESS  THAN  300  FEET  FOR  RANGE  AND 
0.5  MILL I -RAD IAN  FOR  ANGLES. 

Rationale  is  the  same  as  for  paragraph  C  above. 
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A4-52  ARP  THRUST  UPDATE  CRITERIA  AND  FPR 

A.  AN  UPDATE  TO  THE  ARD  NOMINAL  MAIN  ENGINE  THRUST  VALUE  WILL  BE 
PERFORMED  BY  4:00  MET  IF  THE  ARD  ACTUAL  MODE  NOMINAL  MARGIN 
TREND  RATE  EARLY  IN  SECOND  STAGE  EXCEEDS  A  REAL-TIME,  ARD- 
COMPUTED  DEADBAND.  FOLLOWING  A  THRUST  UPDATE,  PROTECTION 
WILL  BE  MAINTAINED  FOR  STATISTICAL  DISPERSIONS  IN  ALL  ARD 
FLIGHT  PERFORMANCE  RESERVE  (FPR)  COMPONENTS,  AS  DETAILED  IN 
PARAGRAPH  C  BELOW.  ®[050495-1729D] 

When  properly  modeling  vehicle  performance,  the  ARD  prediction  of  curren  t  nominal  capability 
(nominal  delta  V  margin)  does  not  vary  with  time.  However,  when  SSME  characteristics  and/or 
vehicle  mass  properties  are  mismodeled  ( i.  e. ,  when  systems  dispersions  are  present),  the  nominal 
margin  will  trend  up  or  down  with  time.  Analysis  shows  that  at  the  flight-derived  2  sigma  level,  an 
SSME  thrust  dispersion  results  in  a  trend  which  is  significantly  larger  than  the  trend  due  to  all  other 
performance-related  variables  combined.  Therefore,  it  is  probable  that  a  trend  outside  this 
“deadband”  is  caused  by  improper  SSME  thrust  modeling.  Abort  mode  boundary  accuracy  is  heavily 
dependent  on  accurate  systems  modeling  and;  therefore,  the  ARD  thrust  value  will  be  updated  in  real 
time,  using  an  empirical  relationship  between  thrust  error  and  trend  rate.  The  deadband  is  derived 
from  the  delta  V  margin  trend  due  to  the  root  sum  square  (RSS)  of  2  sigma  inert  weight  error,  2  sigma 
ET LH2  loading  error,  and  the  thrust  error  which  could  be  “masked”  by  the  other  dispersions.  The 
update  does  not  eliminate  the  trend;  it  merely  reduces  it  to  the  region  where  the  remaining  trend 
could  be  due  to  other  factors  for  which  protection  is  main  tained  via  the  ARD  FPR.  Reference 
paragraph  C  of  this  rule  and  its  associated  rationale  for  thrust  sigma-level  and  deadband  values. 
Implementation  details  are  documented  in  the  Ascent  FDO  Console  handbook  ( JSC-23255,  volume  V) 
and  the  ARD  Support  Console  Handbook  (JSC-24541 ). 

B.  THE  ARD  SOLUTION  WILL  BE  CONSIDERED  INVALID  IF  THRUST  UPDATE 
REQUIREMENTS  EXCEED  THE  3-SIGMA  SPECIFICATION  THRUST 
DISPERSION  LEVEL  (10,392  LB  CLUSTER,  OR  0.74  PERCENT  PER 
SSME)  AS  DEFINED  IN  NSTS  07700,  VOL  X,  WITHOUT  A  CONFIRMING 
INDICATION.  IN  THIS  CASE,  THE  ARD  WILL  BE  DECLARED  NO-GO  AND 
THE  PREMISSION  CUE  CARD  VELOCITIES  WILL  BE  USED  FOR  MODE 
BOUNDARY  DETERMINATION,  BASED  UPON  THE  BEST  AVAILABLE  STATE 
VECTOR  SOURCE . 

Use  of  this  update  procedure  will  generally  result  in  the  highest-accuracy  ARD  solution  possible. 

However,  dispersions  outside  the  SSME  system  specification  thrust  limit  (26,000  Ibs/eng  RSS,  or 
10,392  lbs  for  the  cluster)  without  a  secondary  cue  are  highly  unlikely.  It  then  becomes  probable  that 
the  mis-modeling  seen  in  the  ARD  is  due  to  a  ground  configuration  problem.  If  this  occurs,  the  ARD 
solution  will  be  bypassed  in  favor  of  abort  mode  boundaries  based  on  pre-mission-computed  inertial 
velocities.  Poten  tial  secondary  cues  include:  Off-nominal  onboard  thrust  factor,  differences  between 
the  onboard-computed  and  the  prelaunch-expected  MECO  times  (provided  the  ARD  solution  agrees 
with  the  prelaunch  value),  SSME  system  status  and  failure  conditions  reported  by  the  Booster  Systems 
Engineer,  etc.  ©[050495-1729D] 
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A4-52  ARP  THRUST  UPDATE  CRITERIA  AND  FPR  (CONTINUED) 

C.  THE  ARD  FPR  IS  CONFIGURED  TO  PROTECT  FOR  SYSTEM  DISPERSIONS 
THAT  ADVERSELY  AFFECT  ARD  MODELING  OF  VEHICLE  PERFORMANCE. 
PROTECTION  IS  PROVIDED  FOR  ITEMS  LISTED  BELOW  AT  THE  SPECIFIED 
STATISTICAL  DISPERSION  LEVELS.  SYSTEM  DISPERSIONS  ARE  OBTAINED 
FROM  A  HISTORICAL  DATABASE  OF  FLIGHT-DERIVED  DISPERSIONS 
MAINTAINED  IN  TABLE  8 . 1  OF  THE  SHUTTLE  PERFORMANCE  ASSESSMENT 
DATABASE  (SPAD,  NSTS-0820  9,  VOL  I)  .  @[050495-1 729D] 


ARD  FPR  COMPONENT 

PROTECTION  LEVEL 
(MEAN  PLUS) 

TYPICAL 

CONTRIBUTION 

ET  LOAD  ERROR,  VAPOR  PRESSURE, 

SSME  MIXTURE  RATIO 

2  SIGMA 

29  PERCENT 

ORBITER  AND  ET  INERT  WEIGHT 

2  SIGMA 

42  PERCENT 

SSME  SPECIFIC  IMPULSE 

2  SIGMA 

23  PERCENT 

SSME  THRUST 

2  SIGMA  UNTIL 

4:00  MET; 

THEN  APPROX  1  SIGMA* 

7  PERCENT 

SSME  THRUST  SHAPE 

2  SIGMA 

<  1  PERCENT 

*  COMPUTED  VIA  FLIGHT  DESIGN/MCC  ARD  RECONFIGURATION  PROCESS  @[080896-4209] 


EACH  ARD  FPR  COMPONENT  IS  COMPUTED  INDEPENDENTLY  FOR  AN 
ENGINE-OUT  AT  THE  PRESS-TO-ATO  BOUNDARY  ( "AOA  FPR"),  WITH  THE 
TOTAL  AMOUNT  DETERMINED  BY  ROOT-SUM-SQUARING  THE  SIGMA 
COMPONENTS  AND  ADDING  THE  MEANS.  OTHER  ABORT  BOUNDARIES 
REQUIRING  A  SIGNIFICANTLY  DIFFERENT  FPR  QUANTITY  (E.G., 
NEGATIVE  RETURN,  SINGLE-ENGINE  PRESS,  AND  THE  PERFORMANCE 
CALL)  ARE  ADJUSTED  VIA  ARD  BIASES. 

ARD  FPR  differs  from  TDDP  FPR,  used  for  pre-flight  performance  assessment,  for  severed  reasons. 
Pre-flight  FPR  protects  for  the  total  performance  impact,  from  liftoff  to  MECO,  of  system 
dispersions  that  adversely  affect  the  trajectory.  ARD  FPR,  on  the  other  hand,  protects  for  ARD  real¬ 
time  performance  prediction  errors  caused  by  system  dispersions.  For  each  ARD  execution  cycle  (2 
sec),  the  ARD  FPR  must  protect  for  future  performance  degradation  due  to  a  dispersion,  as  well  as 
any  MPS  propellant  mass  track  errors  induced  by  a  dispersion  up  to  the  current  time.  This  causes 
ARD  FPR  to  be  a  function  of  MET.  Sigma  components  are  RSS’ed  and  the  means  are  added  for  the 
total  FPR  quantity  versus  time.  The  FPR  at  predicted  press-to-ATO  MET  is  loaded  into  the  ARD. 

This  closely  matches  the  FPR  quantity  for  two-engine  TAL  and  press-to-MECO  boundaries. 

Adjustments  to  ARD  biases  ( Flight  Design  Product  ASAB-25)  for  negative  return,  single-engine 
press,  performance  low/nominal,  and  other  calls  are  required  since  the  FPR  quantity  and/or  sigma 
protection  levels  are  different  for  these  calls.  Typical  values  for  ARD  and  TDDP  FPR  are 
approximately  2,400  lbs  and  3,800  lbs,  respectively.  @[050495-1 729D] 
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A4-52  ARP  THRUST  UPDATE  CRITERIA  AND  FPR  (CONTINUED) 

The  SPAD  lists  flight-derived  dispersions  that  degrade  ascent  performance  in  Table  8.1  ofVol  1.  These 
statistics  are  obtained  from  post-flight  reconstruction  analysis  of  actual  systems  performance  (e.g., 

SSME  thrust ,  vehicle  weight ,  SRB  burnrate,  etc.).  Pre-flight  prediction  is  compared  to  post-flight 
reconstructed  performance  over  multiple  flights  to  obtain  dispersion  statistics  that  are  used  in  FPR 
calculations.  The  following  dispersions  listed  in  SPAD  Table  8.1  are  not  included  in  ARD  FPR  since 
they  take  place  in  first  stage  (i.e.,  the  effects  of  the  dispersions  are  visible  to  the  ARD  through  the  post- 
staging  state  vector  ):  SRB  burnrate ,  SRB  Isp,  and  collectors  (forces  and  moments  used  to  closely  match 
first  stage  reconstructed  trajectory  to  the  best  estimated  trajectory  (BET)).  The  remaining  dispersions 
are  included  in  ARD  FPR.  and  the  effects  of  each  on  ARD  performance  prediction  are  described  below: 
@[050495-1 729D] 

ET  load,  vapor  pressure  &  SSME  mixture  ratio:  This  FPR  component  is  identical  to  pre-flight  ET  load, 
vapor  pressure,  and  mixture  ratio  protection  used  in  generating  TDDP  FPR.  This  specifies  the  total 
performance  impact  of  a  2  sigma  plus  mean  combination  of  these  dispersions.  Therefore,  it  is  not  a 
function  of  mission  elapsed  time.  The  exact  value  used  is  a  function  of  fuel  bias  at  MECO,  as  predicted 
from  pre-launch  reported  load  or  ARD  real-time  propellant  imbalance  computations  during  an  SSME 
performance  case. 

Orbiter  &  ET  inert  weight:  This  component  is  calculated  by  determining  the  effect  of  a  2  Sigma  plus 
mean  inert  weight  error  on  delta  V  available.  This  is  specified  by  the  rocket  equation  and  is  a  function  of 
MET  (i.e.,  ET  propellant  remaining).  When  calculated  in  this  manner,  this  component  protects  for  future 
performance  degradation  caused  by  the  dispersion.  The  past  performance  impact  of  this  dispersion  is 
reflected  in  the  state  vector  used  by  the  ARD  each  cycle. 

SSME  specific  impulse  (Isp):  This  item  protects  for  ARD  delta  V  available  and  exhaust  velocity  (Vex) 
errors  caused  by  a  2  sigma  plus  mean  Isp  dispersion.  The  rocket  equation  is  used  to  calculate  the  delta 
V  available  error  caused  by  the  flowrate  difference  up  to  curren  t  time.  Also,  the  effects  of  Vex  error  (a 
function  of  Isp  dispersion)  in  the  rocket  equation  are  determined.  The  sum  of  these  composes  the  ARD 
Isp  protection,  and  is  a  function  of  MET. 

SSME  thrust:  This  item  protects  for  ARD  delta  V  available  errors  (caused  by  flowrate  error)  computed 
from  the  rocket  equation  as  a  function  of  time.  Prior  to  4:00  MET,  2  sigma  plus  mean  protection  is 
required.  After  this  time,  a  thrust  update  is  performed  for  thrust  errors  beyond  a  magnitude  specified  by 
the  thrust  update  deadband  (approx  4fps/min).  Since  thrust  errors  beyond  the  deadband  are  modeled 
after  this  point,  no  FPR  protection  beyond  the  deadband  is  required.  A  study  was  conducted  to 
determine  the  maximum  thrust  error  that  could  be  hidden  within  the  deadband.  Other  dispersions 
masking  the  thrust  errors  were  considered  also,  but  only  those  causing  early  ARD  boundary  errors  (i.e., 
FPR  consumption  scenarios)  were  analyzed.  The  maximum  combination  is  determined  each  time  FPR 
dispersion  levels  are  re-derived  and  is  converted  to  a  thrust  sigma  level  ( approximately  1  sigma;  past 
@[050495-1 729D]  @[080896-4209] 

THIS  RULE  CONTINUED  ON  NEXT  PAGE 


VOLUME  A  06/20/02  FINAL  TRAJECTORY  AND  GUIDANCE  4-12 

Verify  that  this  is  the  correct  version  before  use. 


NASA  -  JOHNSON  SPACE  CENTER 


FLIGHT  RULES 


A4-52  ARP  THRUST  UPDATE  CRITERIA  AND  FPR  (CONTINUED) 

values  have  ranged  from  0.88  to  1.24)  which  is  used  in  the  ADR  FPR  computation  from  4:00  MET  to 
MECO.  The  actual  sigma  level  is  documented  in  Flight  Design  product  ASCT-22A,  ARD  MCC 
Trajectory  Inputs  and  Support  Tables,  and  ASCT-47,  Final  MCC  Trajectory  Inputs  (the  day-of-launch 
version  of  ASCT-22A).  The  Ascent  FDO’s  will  informally  keep  the  Flight  Director  Office  aware  of  any 
change  in  this  value  in  the  course  of  standard  pre-mission  preparation.  ©[050495-1729D]  @[080896-4209  ] 

SSME  thrust  shape:  This  item  is  specified  in  the  SPADfor  a  nominal  mission  profile  only  (i.e.,  no 
engine  out).  It  accoun  ts  for  differences  between  predicted  (cubic  polynomial)  and  recon  structed 
thrust  magnitude  in  the  throttle  bucket  and  during  3g  throttling  and  fine  countdown.  Since  it  is 
calculated  for  pre-flight  FPR,  it  specifies  the  total  performance  impact  of  this  dispersion  and  is  not  a 
function  of  MET.  Since  no  3g  throttle  phase  occurs  on  an  engine-out  trajectory  (for  which  ARD  FPR 
is  designed),  the  quantity  specified  in  the  SPAD  is  multiplied  by  1/3  to  account  for  the  approximate 
time  that  this  dispersion  is  present  (i.e.,  the  throttle  bucket),  since  the  3g  throttling/fine  countdown 
time  is  approximately  60  sec  in  duration,  and  the  throttle  bucket  is  about  30  sec  long.  SSME  thrust 
shape  is  the  smallest  component  of  ARD  FPR.  @[051 045-1 729D] 

Reference:  5/29/91  card  6/25/91  FOIG,  6/27/91  Level  II PRCB,  and  Ascent/Entry  Flight  Techniques 
Panel  Meeting  #80,  7/19/91,  #87  2/21/92,  and  #95  1 1/20/92.  ©[050495-1729D]  ©[080896-4209A] 
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A4-53  USE  OF  MAXIMUM  THROTTLES 

MAXIMUM  THROTTLES  WILL  BE  ENABLED  (SPEC  51  ITEM  4)  FOR  THE 
FOLLOWING  CONDITIONS:  ©[092195-1770A] 

A.  IF  AN  ENGINE-OUT  OCCURS  DURING  FIRST  STAGE  BUT  AFTER  THROTTLE 
UP,  WITH  THE  THROTTLE  OF  ONE  REMAINING  SSME  STUCK  IN  THE 
THRUST  BUCKET,  MAX  THROTTLE  WILL  BE  ENABLED  ASAP  PROVIDED 
RTLS  CAPABILITY  WILL  EXIST  AFTER  MAX  THROTTLE  ENABLING. 
®[092195-1770A] 

For  an  SSME-out  during  first  stage  and  a  remaining  engine  stuck  in  the  bucket,  the  resulting  trajectory 
will  be  depressed  and  performance  will  be  much  lower  than  normal.  To  avoid  PEG  guidance  convergence 
difficulties  in  the  RTLS  flyback  solution,  max  throttles  should  be  enabled  ASAP.  If  max  throttles  are  not 
enabled,  the  low  altitude  drag  effects  can  produce  an  early  RTLS  flyback,  an  extended  period  of 
nonconverged  steering,  and/or  unstable  throttle  commands  during  flyback.  Enabling  max  throttles 
increases  the  altitude  at  RTLS  selection,  thus  reducing  the  flyback  guidance  problems.  Additionally,  the 
higher  altitude  and  H-dot  reduces  the  SSME  plume  heating  on  the  aft  end  of  the  vehicle.  ®[092195-1770A] 

B.  IF  AN  ENGINE-OUT  OCCURS  DURING  FIRST  STAGE,  MAX  THROTTLE 
WILL  BE  ENABLED  PRIOR  TO  RTLS  SELECTION  IF  THE  H-DOT  AT 
SRB  STAGING  IS  LESS  THAN  THE  PRTLS  MINIMUM  PERFORMANCE 
CONSTRAINT  (SEE  H-DOT  VS.  VREL  PLOT).  MAX  THROTTLE  IS 
REQUIRED  TO  AVOID  TOTAL  PRESSURE  (Ptotal)  PROBLEMS  FOR 
DEPRESSED  STAGING  CONDITIONS. 


RTLS  H-DOT  LIMIT  AT  SRB  SEP 
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A4-53  USE  OF  MAXIMUM  THROTTLES  (CONTINUED) 

Initiation  of  a  two-SSME  RTLS  from  a  depressed  trajectory  with  low  vehicle  acceleration  requires  a 
large  velocity  to  be  gained  to  satisfy  the  target  MECO  conditions.  The  resultant  trajectory  drops  to  low 
altitudes  du  ring  flyback  phase.  The  low  altitude  leads  to  cm  increase  in  dynamic  pressure  and  resu  ltan  t 
Ptotcd  deflecting  the  SSME  plume,  which  causes  heating  problems  on  the  aft  end  of  the  vehicle.  An 
analysis  has  been  performed  to  determine  altitude  rates  at  SRB  jettison  which  represent  the  minimal 
depressed  trajectories  that  would  cause  PRTLS  flyback  heating  problems  on  the  aft  end  of  the  orbiter. 

The  H-dot  versus  Vrel  plot  shows  this  region  over  the  range  of  possible  velocities,  and  is  applicable  to 
all  flights.  This  altitude  rate  is  called  the  PRTLS  minimum  performance  constraint  and  is  based  on  20 
psfPtotal  during  flyback. 

The  20  psf  criteria  applies  only  to  off-nomincd  contingency  situations  where  engine-out  staging 
conditions  are  outside  the  one-sigma  systems  dispersion  boundaries.  Single  engine-out/one-sigma 
systems  dispersion  cases  are  protected  to  the  dispersed  P total  Ihnit  (4  psf),  which  provides  additional 
thermal  protection  for  vehicle  reusability.  The  20  psf  criteria  was  baselined  for  contingency  RTLS 
aborts  in  1982  at  Ascent  Flight  Techniques  #5  and  approved  again  at  the  June  1987  SIR.  The  abort 
panel  examined  contingency  RTLS  heating  concerns  during  1989  and  found  ET  umbilical  tray  heating 
constraints  were  violated.  However,  no  ET  critical  1  failures  were  identified  with  a  20  psf  P total-  The 
Orbiter  Project  Office  has  not  yet  assessed  orbiter  heating  with  a  P total  Sreater  than  the  dispersed 
( non-contingency )  limit.  The  October  4,  1989,  PRCB  recommended  remaining  with  the  20  psf  P toted 
limit  rather  than  the  dispersed  limit  primarily  to  reduce  the  need  for  throttling  up  to  109  percent  during 
contingency  cases. 

Thus,  if  an  SSME  failure  occurs  during  first  stage  and  the  observed  altitude  rate  at  SRB  staging  is 
less  than  the  minimum  performance  constraint,  maximum  throttle  will  be  enabled  by  item  entry  prior 
to  selection  of  RTLS  abort.  An  increase  in  vehicle  acceleration  decreases  the  flyback  in  terval  thereby 
reducing  the  gravitational  losses  which  allows  more  effective  thrust  to  satisfy  the  target  conditions. 

The  heating  concerns  are  reduced  by  increasing  the  altitude  prior  to  flyback. 

Rule  { A2-52C },  ASCENT  MODE  PRIORITIES  FOR  PERFORMANCE  CASES,  references  this  rule. 

C.  ABORT  GAP  CLOSURE  ®[092195-1770A] 

Maximum  throttles  may  be  used  to  eliminate  or  reduce  gaps  in  “intact  abort”  capability.  Ref.  rule 
{A4-56H},  PERFORMANCE  BOUNDARIES,  for  maximum  throttle  priority  for  the  specific  gap  to 
be  closed. 

D.  TO  AVOID  POST  TAL  SELECTION  SITE  REDESIGNATION  WHEN  OPERATING 
ON  A  SINGLE  SSME 

Maximum  throttles  may  be  used  to  cdlow  the  earliest  opportunity  to  continue  to  the  prime  TAL  site, 
rather  than  redesignating  to  cm  inplane  ACLS,  following  the  loss  of  a  second  main  engine.  Ref  rules 
[A4-56F}.2.e,  PERFORMANCE  BOUNDARIES,  and  {A2-52C},  ASCENT  MODE  PRIORITIES  FOR 
PERFORMANCE  CASES,  for  additional  rationale. 
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A4-53  USE  OF  MAXIMUM  THROTTLES  (CONTINUED) 

E.  TO  MINIMIZE  EXPOSURE  TO  A  CONTINGENCY  ABORT  OR  CREW  BAILOUT 
SITUATION:  @[0921 95-1 770A] 

For  the  following  cases,  the  additional  risk  associated  with  operating  the  mean  engines  at  109  percent 
power  level  is  acceptable  in  order  to  provide  the  crew  and  vehicle  a  chance  to  reach  a  runway  (i.e.,  SE 
LIMITS  or  RTLS  SE  PRESS ).  Operationally,  the  increased  interned  engine  pressures  and  temperatures 
at  109  percen  t  do  increase  the  likelihood  of  having  an  SSME  failure  (ref  AEFTP  #108  charts,  12/17/93; 
AEFTP  # 124  charts,  06/02/95;  and  AEFTP  # 125  charts,  08/04/95).  However,  commanding  the  engines 
to  109  percent  power  level  while  the  vehicle  is  in  an  abort  gap  is  considered  less  risky  than  a  contingency 
abort  or  crew  bailout. 

1.  DURING  A  TWO  ENGINE  RTLS  OR  TAL  ABORT  WITH  A  NON- I SOLATABLE 
MPS  HELIUM  LEAK  PER  RULE  {A5-152},  PRE-MECO  MPS  HELIUM 
SYSTEM  INTERCONNECTS  [CIL] . 

When  one  engine  has  failed  and  another  is  suspect,  maximum  throttles  may  be  enabled  to  reduce  the  time 
to  MECO  and  minimize  exposure  to  a  contingency  abort.  In  this  case,  the  risk  of  the  suspect  engine 
failing  prior  to  single  engine  capability  outweighs  the  increased  likelihood  of  having  an  SSME  failure 
due  to  the  increased  pressures  and  temperatures  associated  with  operating  the  engines  at  109  percent 
power  level.  @[0921 95-1 770A] 

2.  ECAL,  BDA,  AND  DROOP  CONTINGENCY  ABORTS 

Maximum  throttles  will  be  used  in  contingency  abort  scenarios  to  increase  the  probability  of  reaching  a 
landing  site.  The  risk  of  crew  bailout  outweighs  the  risk  of  operating  the  remaining  engine  at  109 
percen  t  power  level. 

3.  IF  THE  ENGINES  ARE  COMMANDED  TO  104  PERCENT  POWER  LEVEL 
DURING  RTLS  FLYBACK 

Once  powered  pitcharound  is  complete,  the  throttle  command  is  initialized  to  100  percent  for  a  two 
engine  RTLS  and  72  percen  t  for  a  three  engine  RTLS.  These  values  are  in  itial  settings  only  and  are 
adjusted  during  flyback  phase  to  achieve  the  desired  amount  of  propellant  remaining  at  MECO.  If  it 
appears  that  there  will  be  too  much  propellant  remaining,  the  throttle  command  will  be  reduced. 

Con  versely,  if  it  appears  that  there  will  be  too  little  propellan  t  remaining,  the  throttle  command  will  be 
increased  but  limited  to  104  percent.  If  the  throttle  command  is  at  the  limit  of  104  percent,  maximum 
throttles  will  be  enabled  to  allow  guidance  to  command  a  power  level  up  to  109  percent.  It  should  be 
noted  that  guidance  will  only  command  the  level  required  to  reach  the  mass  target  and  may  not  throttle 
up  to  the  new  limit  of  109  percent.  @[0921 95-1 770A] 
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A4-54  ABORT  MODE  RESPONSIBILITY 

THE  GROUND  IS  PRIME  FOR  ABORT  MODE  DETERMINATION. 

Until  such  time  that  the  orbiter  GPC’s  have  the  memory  capability  to  contain  a  completely  autonomous 
version  of  the  ARD  program  and  autonomous  navigation,  the  MCC  ARD  will  remain  the  prime  tool  for 
determining  abort  capabilities.  Current  onboard  abort  mode  determination  capabilities  are  based  on 
premission  flight  design  data  for  predicted  ascen  t  performance  and  groundrule  flight  performance 
reserves.  The  crew  is  only  provided  with  cue  card  values  of  inertial  velocity  that  define  designed  mode 
boundaries  and  two  tick  marks  on  the  ascent  traj  display  that  define  negative  return  and  two-engine 
press-to-MECO;  all  of  which  are  intended  for  use  only  in  no-communication  situations. 

The  real-tune  MCC  ARD  program  was  defined  and  implemented  with  the  flexibility  to  handle  all 
performance-related  ascent  abort  situations.  Those  situations  include: 

a.  Complete  failure  of  one  or  more  SSME  at  any  time. 

b.  Performance  dispersions  visible  in  the  vehicle  state  ( e.  g. ,  dispersions  in  aerodynamics, 
atmospherics,  SRB,  performance,  winds  aloft,  time-variant  ISP,  guidance/navigation/control,  and 
mass  track). 

c.  Performance  dispersions  not  visible  in  the  vehicle  state  ( e. g. ,  SSME  performance  dispersions, 
OMS/RCS  propellant  leaks  contained  onboard ). 

The  MCC  ARD  can  define  multiple  or  single  SSME  abort  capabilities  throughout  ascent  for  any 
combination  of  the  above-mentioned  situations,  utilizing  either  the  HSTD  filter  or  telemetry  for  the 
current  vehicle  state.  The  MCC  ARD  can  also  predict  downmode  abort  capabilities  through  powered 
flight. 

By  virtue  of  the  MCC  ARD’ s  flexibility  in  assessing  in  real  time  the  orbiter’ s  abort  capabilities,  the 
independent  ground  radar  tracking,  and  the  current  lack  of  an  equivalent  autonomous  onboard  version 
of  the  ARD,  the  ground  is  therefore  prime  for  all  abort  mode  determinations. 

Rule  { A2-67 },  ARD  UPDATE  CRITERIA,  references  this  rule. 
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A4-55  DESIGN  AND  CRITICAL  MECO  UNDERSPEED  DEFINITIONS 

A.  PERFORMANCE  ASSESSMENTS  THAT  INDICATE  ORBITAL  CAPABILITY 

SHALL  BE  BASED  ON  THE  ABILITY  TO  ACHIEVE  EITHER  THE  DESIGN 
MECO  UNDERSPEED  OR  THE  CRITICAL  MECO  UNDERSPEED.  THE 
FOLLOWING  CONSTRAINTS  DEFINE  THE  DESIGN  MECO  UNDERSPEED: 

1.  ET  IMPACT  CONSTRAINTS  -  CRITICAL  LAND  MASSES  SHALL  BE 
PROTECTED  FROM  THE  3-SIGMA  ET  IP  FOOTPRINT  (REF.  RULE 
{ A2 - 62 } ,  ET  FOOTPRINT  CRITERIA). 

2.  MINIMUM  PERFORMANCE  CAPABILITY  -  THE  MAXIMUM  UNDERSPEED 
WHICH  WILL  SUPPORT  THE  EARLIEST  PRESS  TIME  WITH  EITHER: 

a.  AN  AOA  WITH  STEEP  TARGETS  USING  AFT  RCS  TO  THE  AOA 
AFT  RCS  STEEP  PRESS  QUANTITY  @[012402-51 12B] 

OR 

b.  AN  ATO/MINIMUM  HP  WITH  SHALLOW  DEORBIT  ON  FD  1  USING 
AFT  RCS  TO  THE  FD1  AFT  RCS  SHALLOW  PRESS  QUANTITY 
(REF.  RULE  {A6-305G},  AFT  RCS  REDLINES )  .  @[121593-1590] 

OR 

C.  AN  ATO/MINIMUM  HP  WITH  SHALLOW  DEORBIT  ON  FD2  USING 
AFT  RCS  TO  THE  FD2  AFT  RCS  SHALLOW  PRESS  QUANTITY 
(REF.  RULE  {A6-305G},  AFT  RCS  REDLINES)  AND  FWD  RCS 
IN  OPS  2  TO  THE  FD2  FWD  RCS  PRESS  QUANTITY  (REF. 

RULES  { A6-304D } ,  FORWARD  RCS  REDLINES,  AND  {A2-53}, 
FORWARD  RCS  USAGE  GUIDELINES).  NOTE:  THIS  OPTION 
WILL  ONLY  BE  UTILIZED  REAL  TIME  FOR  LOSS  OF  BOTH  AOA 
AND  FD1  LANDING  SITES,  AND  THE  PRESS  TIME  WILL  NOT  BE 
EARLIER  THAN  THE  AOA  OR  FD  1  "DESIGN."  @[012402-51 12B] 

NOTE:  REF.  RULE  {A2-2},  ABORT  LANDING  SITE  REQUIREMENTS,  TO 

DETERMINE  THE  BASIS  FOR  DESIGN  UNDERSPEED. 

ALL  OPTIONS  WILL  PROTECT  THE  CG  TO  THE  CONTINGENCY  CG 
ENVELOPE.  IF  AOA  DEFINES  THE  PRESS  BOUNDARY,  THE  LANDING 
SITE  THAT  PROVIDES  THE  EARLIEST  PRESS  TIME  (PROVIDED  IT  IS 
"GO")  WILL  BE  ASSUMED  REGARDLESS  OF  THE  LANDING  SITE 
PRIORITIES.  @[121593-1590] 
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A4-55  DESIGN  AND  CRITICAL  MECO  UNDERSPEED  DEFINITIONS 

(CONTINUED) 

3.  MINIMUM  ALTITUDE  CONSTRAINT  -  THE  MAXIMUM  UNDERSPEED 
SHALL  BE  LIMITED  TO  A  VALUE  WHICH  PROTECTS  AGAINST  LOW- 
ALTITUDE  (<  55  NM)  TRAJECTORY  CONDITIONS  BETWEEN  OMS-1 
CUTOFF  AND  OMS-2  TIG.  ®[01 2402-51 12B] 

4.  MINIMUM  SSME  NPSP  CONSTRAINTS  -  THE  MAXIMUM  UNDERSPEED 
SHALL  BE  LIMITED  TO  A  VALUE  WHICH  PROTECTS  AGAINST 
VIOLATION  OF  SSME  NPSP  REQUIREMENTS  DURING  THE  MECO 
SHUTDOWN  SEQUENCE. 

NOTE:  MANUAL  THROTTLING  MAY  BE  USED  TO  SATISFY  NPSP  LIMITS 

IF  THE  RESULTING  ADDITIONAL  UNDERSPEED  CAPABILITY 
MAINTAINS  ALL  OTHER  REQUIRED  PROTECTION.  REF.  RULE 
{A4-59F}  AND  G,  MANUAL  THROTTLE  SELECTION,  FOR  MANUAL 
THROTTLE  CRITERIA. 

5.  CG  PROTECTION  -  THE  SPECIFICATION  CG  ENVELOPE,  RULE 
{ A4-153 } ,  CG  PLANNING,  WILL  BE  RELAXED  TO  THE 
CONTINGENCY  ENVELOPE  IN  ORDER  TO  CONTINUE  TO  ORBIT. 

B.  CRITICAL  UNDERSPEED  IS  DEFINED  AS  MAXIMUM  UNDERSPEED 

CAPABILITY  WITHOUT  REGARD  TO  ET  IMPACT  PROTECTION  OR  FLIGHT 
SOFTWARE  MECO  PREP  THROTTLING  FOR  NPSP  (I.E.,  ALLOWS  MANUAL 
THROTTLING) .  CRITICAL  UNDERSPEED  IS  UNRELATED  TO  AND  DOES 
NOT  PROTECT  CRITICAL  LAND  MASSES. 

REFERENCE  THE  ANNEX  FLIGHT  RULE,  SHUTTLE  TRAJECTORY  AND 
GUIDANCE  PARAMETERS,  FOR  THE  FLIGHT-SPECIFIC  DESIGN  AND 
CRITICAL  MECO  UNDERSPEEDS.  ®[ED  ] 
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A4-55  DESIGN  AND  CRITICAL  MECO  UNDERSPEED  DEFINITIONS 

(CONTINUED) 


The  design  MECO  underspeed  is  usually  based  on  ATO/Min  Hp/FD  1  shallow  deorbit.  In  some  cases, 
the  design  underspeed  is  based  on  AO  A  steep  capability.  In  either  case,  flight  design  techniques 
minimize  the  time  difference  between  these  two  boundaries  so  the  loss  of  an  AO  A  site  is  not  a  significant 
performance  risk.  The  loss  of  a  first  day  PLS  site  may  require  pressing  on  FD2,  but  this  is  a  real-time 
option  only  and  is  never  part  of  the  “design.  ”  Analysis  has  shown  that  there  is  no  delay  between  the 
FD2  press  boundary  and  the  “design  ”  due  to  being  able  to  commit  the  Fwd  RCS  (ref.  Rule  (A2-53{, 
FORWARD  RCS  USAGE  GUIDELINES ).  However,  utilizing  all  of  the  Fwd  RCS  above  the  FD2  Fwd 
RCS  press  quantity  can  result  in  an  earlier  press  time  than  the  “design.  ”  In  order  to  presence  a  FD1 
PLS  option,  the  press  time  will  not  be  earlier  than  the  “ design  ”  ( reference  A/E  Flight  Techniques  # 1 78 ). 
This  modified  two  engine  press  boundary  would  be  based  on  ATO/minimum  Hp/FD2  shallow  capability, 
using  the  Fwd  RCS  to  provide  adequate  lifetime  by  raising  perigee  in  OPS  2.  RCS  press  quantities  are 
also  modified  to  include  usage  to  FD2  deorbit.  Systems  failures  requiring  early  flight  termination  will  be 
supported  by  TAL  and  AFO  sites.  Reference  Rule  (A2-2j,  ABORT  LANDING  SITE  REQUIREMENTS. 

@[121593-1590  ]  ®[01 2402-51 12B] 

The  landing  site  that  provides  the  earliest  press  time  is  assumed  in  the  minimum  performance  capability, 
assuming  that  the  landing  site  meets  all  constraints  to  make  it  GO.  This  is  done  regardless  of  the 
landing  site  priority  in  order  to  yield  the  earliest  press  time.  Since  the  press  calls  protect  for  two-sigmci 
low  ascent  performance,  there  is  statistically  a  low  probability  that  an  AOA  would  be  required  for  an 
SSME-out  at  the  press  boundary.  Therefore,  the  Ascent/Entry  Flight  Techniques  Panel  determined  it 
appropriate  to  use  the  landing  site  that  provides  the  earliest  press  time  in  the  assumptions  for  the  press 
calls,  even  though  it  may  not  be  the  prime  AOA  site. 

Design  underspeed  protection  of  auto  MECO  prep  throttling  is  provided  to  satisfy  SSME  NPSP 
requirements  without  any  action  by  the  crew.  It  was  determined  early  in  the  STS  program  that,  for 
single-engine-out  operation,  this  underspeed  limit  is  500 fps,  driven  by  flight  software  I-  and  K-loads 
which  determine  when  the  SSME’s  are  commanded  to  minimum  power  level.  Nominal  flight  design  will 
protect  this  constraint  in  the  two-engine  press  boundaries  and  associated  OMS  dump  design. 

However,  if  a  failure  scenario  arises  in  which  the  500 fps  limit  will  be  exceeded,  yet  it  is  still  possible  to 
meet  the  other  uphill  capability  constrain  ts  (generally,  this  requires  multiple  failures),  then  manual 
throttling  to  minimum  power  level  may  be  used  to  assure  that  NPSP  limits  are  satisfied.  This,  in  turn, 
avoids  a  TAL  or  RTLS  abort  and  may  even  provide  a  minimum  mission  capability.  Flights  where  this 
technique  is  available  typically  involve  either  high  MECO  velocity  targets  or  high  OMS  loads,  or  both. 

Rules  (A2-1J,  PRELAUNCH  GO/NO-GO  REQUIREMENTS;  (A2-2J,  ABORT  LANDING  SITE 
REQUIREMENTS;  {A2-52B},  ASCENT  MODE  PRIORITIES  FOR  PERFORMANCE  CASES;  and 
{A4-56},  PERFORMANCE  BOUNDARIES,  reference  this  rule.  ®[i  21593-1 590  ]  ®[ED  ] 
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A4-56  PERFORMANCE  BOUNDARIES 

A.  PERFORMANCE  NOMINAL/LOW 

NOMINAL  PERFORMANCE  IS  DEFINED  AS  HAVING  AN  ARD  PREDICTED 
NOMINAL  DELTA  VELOCITY  MARGIN  WHICH  ENSURES  A  GUIDED  MECO 
(NO  LOW  LEVEL  CUTOFF)  WITH  A  3-SIGMA  LEVEL  OF  CONFIDENCE. 

LOW  PERFORMANCE  INDICATES  LESS  THAN  A  3-SIGMA  GUIDED  MECO 
PROBABILITY . 

This  assessment  is  performed  in  order  to  determine  whether  an  SSME  with  a  locked  throttle  (hydraulic  or 
electric )  must  be  manually  shut  down  prior  to  MECO  in  order  to  avoid  potential  violation  ofNPSP 
requirements.  If  the  ARD  predicts  an  underspeed  for  the  current  nominal  mission  mode,  then  a  guided 
MECO  is  not  assured,  and  a  low-level  cutoff  is  possible.  Since  the  software  low-level  cutoff  timers 
assume  all  engines  are  at  the  cutoff  power  level,  an  engine  stuck  at  a  higher  level  will  consume  more 
propellant  than  the  timers  protect  and  may  deplete  before  safe  shutdown  is  achieved.  Therefore,  if 
performance  is  low  per  this  rule,  the  stuck  engine  will  be  manually  shut  down  early,  well  prior  to  any 
depletion  possibility.  The  remaining  engines  can  then  be  shut  down  safely  from  the  two-engine  cutoff 
power  level.  The  performance  assessmen  t  is  protected  at  the  3 -sigma  level  ( vs.  2-sigma  for  most 
performance  boundaries)  due  to  the  potentially  catastrophic  nature  of  a  depletion  cutoff. 

B.  TWO-ENGINE  (PRIME  TAL)  (I.E.,  TWO-ENGINE  BEN  GUERIR) 

THIS  BOUNDARY  REPRESENTS  THE  EARLIEST  TIME  AFTER  WHICH  AUTO 
GUIDANCE  WILL  ACHIEVE  THE  DESIRED  PRIME  TAL  RANGE-VELOCITY 
TARGETS  WITHIN  CROSSRANGE  LIMITATIONS  AT  MECO.  ASSUMPTIONS: 
SINGLE  ENGINE  OUT,  PROTECTION  OF  2-SIGMA  MPS  FPR,  PROTECTION 
OF  3-SIGMA  ENTRY  DISPERSIONS,  ABORT  THROTTLES,  AND  15-SECOND 
ABORT  DECISION  DELAY. 

The  first  TAL  boundary  protects  2-sigma  FPR  as  a  trade  between  assurance  of  a  guided  MECO  and 
increased  exposure  to  RTLS,  which  is  lower  in  abort  priority.  The  likelihood  of  an  underspeed  is  only 
increased  a  small  amount  in  backing  from  3-sigma  to  2-sigma,  and  the  3-sigma  entry  protection  maintained 
implicitly  in  the  R-V  line  can  easily  accommodate  the  additional  underspeed  should  a  3-sigma  low  ascent  day 
actually  occur. 
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A4-56  PERFORMANCE  BOUNDARIES  (CONTINUED) 

C.  RTLS  BOUNDARIES: 

1.  NEGATIVE  RETURN 

THIS  BOUNDARY  REPRESENTS  THE  LAST  OPPORTUNITY  TO  ABORT 
RTLS  AND  STILL  ACHIEVE  THE  DESIRED  MECO  RANGE-VELOC I T Y 
TARGETS.  ASSUMPTIONS:  SINGLE  ENGINE  OUT,  PROTECTION  OF 
3-SIGMA  MPS  FPR,  PROTECTION  OF  3-SIGMA  ENTRY  DISPERSIONS, 
ABORT  THROTTLES,  AND  15-SECOND  ABORT  DECISION  DELAY. 

The  negative  return  boundary  protects  3-sigma  MPS  FPR  in  order  to  ensure  that  an  underspeed  is  not 
incurred  during  an  RTLS  abort.  An  underspeed  during  RTLS  can  adversely  affect  the  ET  separation 
conditions  so  severely  that  this  protection  is  warranted.  The  single-engine-out,  3-sigma  entry 
dispersions,  abort  throttles,  and  15-second  decision  delay  are  self-explanatory  and  are  consistent  with 
other  abort  mode  boundary  calls. 

2.  IF  AN  ENGINE  FAILS  PRIOR  TO  THE  TWO-ENGINE  TAL  CALL, 

AN  RTLS  ABORT  WILL  BE  SELECTED  AT  THE  LATER  OF  THE 
FOLLOWING: 

a.  2:30  MET . 

b.  ASAP  AFTER  THE  MCC  HAS  CONFIRMED  THAT  TWO-ENGINE  TAL 
CAPABILITY  DOES  NOT  EXIST  (IF  THE  ENGINE  FAILED  CLOSE 
TO  THE  PREMISSION  TWO-ENGINE  TAL  TIME)  BUT  NOT  LATER 
THAN  3:40  MET. 

Onboard  software  will  not  initiate  RTLS  aborts  prior  to  the  SRB  separation  command  at  approximately 
2:05  MET.  Initiation  of  RTLS  aborts  prior  to  2:30  MET  causes  guidance  to  fly  at  a  flight  control  limit 
until  alpha  and  beta  constrain  ts  for  ET  heating  control  are  released  at  that  time.  Because  of  these  limits, 
the  only  apparen  t  changes  seen  by  the  crew  are  the  CRT  display  titles,  which  change  from  ASCENT  to 
RTLS.  Delaying  selection  until  2:30  MET  gives  the  ground  time  to  confirm  the  engine-out,  allows  time 
for  transients  due  to  separation  to  damp  out  and  for  second  stage  guidance  to  stabilize,  and  allows 
sufficient  time  for  completion  of  the  RTLS  fuel  dissipation  phase.  If  RTLS  is  clearly  the  only  abort  mode 
available,  selection  at  2:30  MET  (or  the  engine-out  time,  if  after  2:30  MET)  also  maximizes  RTLS 
performance  capability  by  lofting  the  vehicle  as  soon  as  possible  following  the  engine  failure. 

Some  missions  are  designed  such  that  two-engine  TAL  capability  is  reached  in  first  stage  or  very  early  in 
second  stage  ( before  2:30  MET).  In  these  cases,  it  is  desirable  to  wait  until  after  a  good  second-stage 
ARD  solution  can  be  obtained  to  evaluate  two-engine  TAL  capability  before  committing  to  an  RTLS, 
because  ARD  margins  in  first  stage  may  not  be  indicative  of  true  performance  capability  due  to  the  open- 
loop  nature  of  first  stage  guidance.  3:40  MET  was  chosen  since  it  is  at  this  time  that  RTLS  aborts  are 
initiated  following  an  engine-out  after  the  two-engine  TAL  call  (ref.  paragraph  C.3  above).  In  most 
cases,  however,  the  ARD  should  be  computing  a  good  solution  by  2:30  MET. 
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A4-56  PERFORMANCE  BOUNDARIES  (CONTINUED) 

3.  FOR  RTLS  ABORTS  AFTER  THE  TWO-ENGINE  TAL  CALL,  RTLS 
SELECTION  WILL  OCCUR  AT  3:40  MET. 


For  any  RTLS  abort  (three-engine  or  two-engine)  after  the  two-engine  TAL  call,  the  RTLS  abort  will  be 
delayed  allowing  for  any  systems  problems  that  may  dictate  TAL  over  RTLS.  The  RTLS  selection  should 
be  made  at  least  10  seconds  prior  to  negative  return  in  order  to  preserve  the  two-engine  RTLS  capability 
as  well  as  keep  the  TAL  option  as  long  as  possible.  As  most  all  shuttle  flights  have  negative  return 
occurring  from  approximately  3:50  to  4:05  MET.  the  3:40  MET  RTLS  abort  initiation  will  preserve  the 
two-engine  case  and  provide  a  standard  time  for  late  RTLS  selection. 

Note:  During  the  RTLS/TAL  overlap  region,  the  RTLS  abort  will  be  performed  for  systems  failures 
requiring  quick  return  to  ground.  The  TAL  abort  will  be  initiated  for  performance  cases. 

4.  RTLS  AND  TAL  CAPABILITY. 

FOR  A  FAILURE  REQUIRING  AN  ABORT  IN  THE  REGION  WHERE  RTLS 
AND  TAL  CAPABILITY  OVERLAP,  THE  TAL  PREFERENCE  OVER  RTLS 
MAY  BE  REVERSED  FOR  SPECIFIC  SYSTEM  FAILURES  (REF.  RULE 
{ A2-54 } ,  RTLS,  TAL,  AND  AOA  ABORTS  FOR  SYSTEMS  FAILURES 
[CIL] ) . 

There  is  normally  an  overlap  between  first  two-engine  TAL  and  last  RTLS  capabilities.  Preference  of 
one  abort  over  the  other  is  dictated  by  Rule  {A2-52},  ASCENT  MODE  PRIORITIES  FOR 
PERFORMANCE  CASES,  which  is  written  from  a  performance  standpoint.  However,  certain  failures  in 
orbiter  systems  may  make  one  mode  preferable  over  the  other  due  to  considerations  beyond  simple 
performance  capability.  In  these  cases,  if  there  is  a  conflict  between  the  preferred  systems  abort  and  the 
abort  priorities  rule,  the  systems  abort  may  be  selected  since  the  ability  to  support  the  performance  abort 
from  a  systems  standpoint  may  not  exist. 

5.  SINGLE  ENGINE  PRESS  (RTLS). 

THIS  BOUNDARY  REPRESENTS  THE  EARLIEST  TIME  THAT  SINGLE 
ENGINE  COMPLETION  OF  AN  RTLS  ABORT  CAN  BE  FLOWN  VIA  AUTO 
CONTINGENCY  ABORT  SOFTWARE.  THIS  BOUNDARY  OCCURS  WHEN 
THE  VEHICLE  H-DOT  OF  +100  FPS  IS  REACHED,  ASSUMING  AN 
UPRANGE  VELOCITY. 

The  100-fps  positive  H-dot  is  an  empirically  derived  value  which  protects  the  orbiter’ s  capability  to 
main  tain  a  positive  flight  path  angle,  following  a  second  engine  out,  such  that  powered  pitchdown  and 
ET  separation  can  be  accomplished  before  dynamic  pressure  builds  up  to  a  point  that  recontact  with  the 
ET  would  occur  after  separation. 
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A4-56  PERFORMANCE  BOUNDARIES  (CONTINUED) 

D.  PRESS-TO-ATO. 

THIS  BOUNDARY  REPRESENTS  THE  EARLIEST  TIME  AFTER  WHICH 
AUTO  GUIDANCE  WILL  ACHIEVE  THE  DESIGN  UNDERSPEED  (REF. 

RULE  { A4-55 } ,  DESIGN  AND  CRITICAL  MECO  UNDERSPEED 
DEFINITIONS)  AT  MECO.  ASSUMPTIONS:  SINGLE  ENGINE  OUT, 
PROTECTION  OF  2-SIGMA  MPS  FPR,  ABORT  THROTTLES,  PRE-MECO 
ATO  SELECTION  (MAY  INVOKE  A  PRE-MECO  OMS  DUMP,  ABORT  MECO 
TARGETS,  AND/OR  VARIABLE  IY  STEERING),  AND  15-SECOND 
ABORT  DECISION  DELAY. 

The  design  underspeed  is  used  as  the  criteria  that  must  be  met  for  single  engine  out  cases  to  “press” 
uphill.  This  underspeed  protects  critical  land  masses  from  ET  impact  per  NASA  and  ESMC  agreements. 
Reference  Rule  {A2-62J,  ET  FOOTPRINT  CRITERIA,  for  ET  impact  constraints. 

The  MPS  FPR  assumed  is  2  sigma.  For  most  flights,  the  design  underspeed  is  based  on  the  largest 
underspeed  that  can  support  either  AO  A  steep  or  ATO /Min  Hp  with  a  FD  1  shallow  deorbit.  Protecting 
only  1-sigmci  FPR  would  not  be  conservative  enough  because  it  would  significantly  increase  the 
probability  of  getting  cm  underspeed  larger  than  the  design  underspeed.  @[121593-1590  ]  ®[01 2402-51 12B] 

If  the  MECO  underspeed  is  larger  than  the  design  underspeed,  cm  AO  A  shallow  may  be  required.  As  of 
March  1990,  AO  A  shallow  was  still  not  a  certified  abort  mode.  Protecting  3 -sigma  FPR  would  be  too 
conservative  and  would  significantly  delay  picking  up  “press”  capability  with  only  a  slight  statistical 
improvemen  t  in  the  likelihood  of  meeting  the  design  underspeed. 

The  press-to-ATO  boundary  is  assessed  only  when  flight  design  has  baselined  a  pre-MECO  ATO 
OMS  dump.  The  I-locids  must  be  in  the  flight  software  to  allow  the  ATO  dump  to  occur.  The  addition 
of  cm  ATO  dump  allows  earlier  “press”  capability.  Therefore,  most  flights  now  have  cm  ATO  clump 
baselined.  ®[1 21593-1 590  ]  ®[01 2402-51 12B] 

E.  PRESS-TO-MECO . 

THIS  BOUNDARY  REPRESENTS  THE  EARLIEST  TIME  AFTER  WHICH 
AUTO  GUIDANCE  WILL  ACHIEVE  THE  DESIGN  UNDERSPEED,  (REF. 

RULE  { A4-55 } ,  DESIGN  AND  CRITICAL  MECO  UNDERSPEED 
DEFINITIONS)  AT  MECO.  ASSUMPTIONS:  SINGLE  ENGINE  OUT, 
PROTECTION  OF  2-SIGMA  MPS  FPR,  ABORT  THROTTLES. 

Reference  the  rationale  for  paragraph  D  for  cm  explanation  of  why  the  design  underspeed  is  used  and 
why  2-sigmci  MPS  FPR  is  protected.  The  difference  between  these  two  boundaries  in  most  cases  is  the 
ATO  OMS  dump. 
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A4-56  PERFORMANCE  BOUNDARIES  (CONTINUED) 

F.  SINGLE  ENGINE  TAL  BOUNDARIES 

NOTE:  IN  ALL  THE  TAL  ABORT  BOUNDARY  DEFINITIONS,  AN  ELS  MAY 

BE  REPLACED  BY  AN  ACLS  OR  PRIME  TAL  SITE  AND  AN  ACLS 
MAY  BE  REPLACED  BY  A  PRIME  TAL  SITE. 

1.  IF  NO  PRIOR  TAL  ABORT  DECLARED  OR  TAL  SELECTED  TO  AN 
IN-PLANE  SITE: 

a.  DROOP  (PRIME  TAL  OR  ACLS  -  109) : 

THE  DROOP  BOUNDARY  REPRESENTS  THE  EARLIEST  TIME  AFTER 
WHICH  A  TWO-SSME-OUT  TRAJECTORY  WILL  NOT  FALL  BELOW 
265,000  FEET  AND  TAL  GUIDANCE  WILL  CONVERGE  TO  THE 
SELECTED/REDESIGNATED  SITE'S  MECO  TARGETS  PRIOR  TO 
THE  DESIRED  MECO  TIME.  THIS  BOUNDARY  ASSUMES  TWO 
SSME'S  OUT,  MAX  THROTTLE,  AND  15-SECOND  ABORT 
DECISION  DELAY.  THE  WEATHER  AT  THE  SITE  WILL  NOT  BE 
A  CONSIDERATION  WHEN  ASSESSING  THIS  BOUNDARY. 


This  boundary  is  the  earliest  time  that  TAL  guidance  can  be  used  on  a  two-engine-out  trajectory.  It 
ensures  that  the  minimum  droop  altitude  will  not  be  violated.  Analysis  has  shown  that  trajectories  that 
droop  below  265,000 feet  could  result  in  ET  rupture  due  to  aerodynamic  heating.  If,  upon  TAL  droop 
declaration,  guidance  is  unconverged,  the  crew’s  procedures  call  for  flying  manually  until  guidance 
does  converge.  (The  likelihood  of  unconverged  guidance  in  this  region  was  significantly  reduced  by 
incorporation  of  the  01-21  low-thrust-to-weight  guidance  CR.)  This  boundary  does  not  ensure  the 
capability  to  reach  a  runway.  Therefore,  the  weather  at  the  targeted  site  is  not  considered  when 
evaluating  this  boundary. 

b.  SINGLE  ENGINE  LIMITS: 

THIS  BOUNDARY  REPRESENTS  THE  EARLIEST  TIME 
AFTER  WHICH  THE  DESIRED  ACLS  OR  TAL  SITE  CAN  BE 
ACHIEVED.  ASSUMPTIONS:  MAX  THROTTLE,  A  15-SECOND 
ABORT  DECIS IONDELAY,  MAX  RANGING  USING  LOW  ENERGY 
GUIDANCE  (REFERENCE  RULE  {A2-55},  USE  OF  LOW 
ENERGY  GUIDANCE)  AND  2-SIGMA  ASCENT  PERFORMANCE, 

AND  UNDISPERSED  ENTRY  PERFORMANCE.  THIS  BOUNDARY 
IS  CONTINGENT  UPON  THE  WEATHER/NAVAID  STATUS  AT 
THE  SITE  AS  PER  RULE  {A2-6},  LANDING  SITE  WEATHER 
CRITERIA  [HC]  .  @[120894-1663] 

Self-explanatory. 
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A4-56  PERFORMANCE  BOUNDARIES  (CONTINUED) 

c.  SINGLE  ENGINE  (PRIME  TAL  OR  ACLS  -  104)  (e .  g .  ,  SINGLE 
BANJUL  -  104)  : 

THIS  BOUNDARY  REPRESENTS  THE  EARLIEST  TIME  AFTER 
WHICH  AUTO  GUIDANCE  WILL  ACHIEVE  THE  DESIRED  SITE 
RANGE-VELOCITY  TARGETS  WITHIN  CROSSRANGE  LIMITATIONS 
AT  MECO.  (THE  DESIRED  SITE  IS  THE  ONE  THAT  PROVIDES 
THE  EARLIEST  SINGLE-ENGINE  CAPABILITY.)  ASSUMPTIONS: 
PROTECTION  OF  2-SIGMA  MPS  FPR,  PROTECTION  OF  AT  LEAST 
ZERO-SIGMA  ENTRY  DISPERSIONS,  ABORT  THROTTLE,  AND  A 
15-SECOND  ABORT  DECISION  DELAY.  THE  WEATHER  AT  THE 
SITE  WILL  NOT  BE  A  CONSIDERATION  WHEN  ASSESSING  THIS 
BOUNDARY . 


Self-explanatory.  These  cases,  by  definition,  reach  the  range-velocity  (R-V)  target  line,  however  they  do  so 
at  a  lower  velocity  than  the  design  point.  For  this  reason,  entry  dispersions  are  not  explicitly  protected, 
although  for  any  given  mission  the  protection  level  for  these  constraints  (first  roll  reversal  velocity, 
constant  drag  phase  length,  and  equilibrium  glide  boundary  margin)  may  vary  from  less  than  1-sigma  to 
more  than  3 -sigma  (reference  5/18/94  Abort  Panel  Splinter  Meeting).  @[120894-1741  ] 

d.  NEGATIVE  (PRIME  TAL)  (e.g.,  NEGATIVE  BEN  GUERIR) : 

THIS  BOUNDARY  REPRESENTS  THE  LAST  OPPORTUNITY  TO 
ABORT  TO  THE  PRIME  TAL  SITE  AND  STILL  ACHIEVE  THE 
DESIRED  MECO  RANGE-VELOCITY  TARGETS  WITHIN  CROSSRANGE 
LIMITATIONS.  ASSUMPTIONS:  TWO  SSME' S  AT  ABORT 
THROTTLE,  PROTECTION  OF  2-SIGMA  MPS  FPR,  PROTECTION 
OF  3-SIGMA  ENTRY  DISPERSIONS,  AND  A  15-SECOND  ABORT 
DEC I S ION /TAL  RESELECTION  DELAY. 

Self-explanatory. 

2.  IF  TAL  ABORT  PREVIOUSLY  DECLARED  TO  AN  OUT-OF-PLANE  SITE: 

a.  DROOP  (PRIME  TAL  OR  ACLS  -  10  9)  (e.g.,  DROOP  BANJUL  - 

109)  : 

THIS  BOUNDARY  IS  THE  SAME  AS  IN  PARAGRAPH  F.l  ABOVE. 

b.  SINGLE  ENGINE  LIMITS: 

THIS  BOUNDARY  IS  THE  SAME  AS  IN  PARAGRAPH  F.l  ABOVE. 
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c.  SINGLE  ENGINE  (PRIME  TAL  OR  ACLS  -  104)  (E.G.,  SINGLE 

ENGINE  BANJUL  -  104) : 

THIS  BOUNDARY  IS  THE  SAME  AS  IN  PARAGRAPH  F.l  ABOVE. 

d.  NEGATIVE  (ACLS)  (E.G.,  NEGATIVE  BANJUL): 

THIS  BOUNDARY  REPRESENTS  THE  LAST  OPPORTUNITY  TO 
ABORT  TO  THE  ACLS  AND  STILL  ACHIEVE  THE  ACLS  WITHIN 
CROSSRANGE  LIMITATIONS  USING  LOW-ENERGY  GUIDANCE. 
ASSUMPTIONS:  PROTECTION  OF  0-SIGMA  MPS  FPR, 

PROTECTION  OF  0-SIGMA  ENTRY  DISPERSIONS,  MAX 
THROTTLE,  AND  A  15-SECOND  RESELECTION/  DECISION 
DELAY.  @[120894-1663] 


This  boundary  assumes  0  sigma  for  both  MPS  FPR  and  entry  dispersions  in  order  to  allow  the  latest 
capability  to  redesignate  to  make  it  to  an  ACLS.  Not  doing  this  would  possibly  create  a  second  engine 
out  gap.  This  boundary  will  not  be  assessed  if  the  SINGLE  ENGINE  TAL  -  109  boundary  has  been 
reached. 


e.  SINGLE  ENGINE  (PRIME  TAL  -  109)  (E.G.,  SINGLE  ENGINE 

BEN  GUERIR  -  109) : 

THIS  BOUNDARY  REPRESENTS  THE  EARLIEST  TIME  AFTER 
WHICH  AUTO  GUIDANCE  WILL  ACHIEVE  THE  RANGE-VELOCITY 
TARGETS  AT  MECO  FOR  THE  PRIME  SITE.  ASSUMPTIONS: 
PROTECTS  2-SIGMA  MPS  FPR,  PROTECTS  AT  LEAST  ZERO- 
SIGMA  ENTRY  DISPERSIONS,  AND  MAX  THROTTLE  .  @[120894-1741  ] 

This  boundary  is  different  from  the  single  engine  TAL  boundaries  for  the  in-plane  cases  because  it 
assumes  max  throttles  versus  nominal  throttles.  Using  max  throttles  allows  the  earliest  opportunity  to 
continue  to  the  prime  TAL  site  and  not  have  to  risk  possible  control  problems  caused  by  a  large  yaw 
maneuver  required  to  head  to  the  ACLS.  Reference  Flight  Rule  {A2-52CJ,  ASCENT  MODE  PRIORITIES 
FOR  PERFORMANCE  CASES,  for  more  details  on  using  max  throttles  for  this  case.  If  this  boundary 
has  not  been  reached  yet  and  the  NEGATIVE  ACLS  boundary  has  been  crossed,  this  call  will  be  made  on 
0  sigma  MPS  to  close  the  gap.  These  cases,  by  definition,  reach  the  range-velocity  (R-V)  target  line; 
however,  they  do  so  at  a  lower  velocity  than  the  design  point.  For  this  reason,  entry  dispersions  are  not 
explicitly  protected,  although  for  any  given  mission,  the  protection  level  for  these  constrain  ts  (first  roll 
reversal  velocity,  constant  drag  phase  length,  and  equilibrium  glide  boundary  margin)  may  vary  from 
less  than  1-sigma  to  more  than  3-sigma  (reference  5/18/94  Abort  Panel  splinter  meeting).  @[120894-1741  ] 
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LAST  AUTO  TAL: 

THIS  BOUNDARY  REPRESENTS  THE  LAST  OPPORTUNITY  TO  ABORT  TO 
AN  ACLS/PRIME  TAL  SITE,  REMAIN  IN  AUTO,  AND  STILL  ACHIEVE 
THE  DESIRED  MECO  RANGE-VELOCITY  TAL  TARGETS  (WITHIN 
CROSSRANGE  LIMITATIONS  IF  APPLICABLE).  ASSUMPTIONS:  ONE 
SSME  AT  ABORT  THROTTLE;  TWO  OR  THREE  SSME'S  AT  65  PERCENT 
THROTTLE,  PROTECTION  OF  3-SIGMA  ENTRY  DISPERSIONS,  15 
SECOND  ABORT  DECISION  DELAY,  AND  PROTECTION  OF  THE 
CONTINGENCY  CG  BOX. 

LAST  LATE  TAL: 

THIS  BOUNDARY  REPRESENTS  THE  LAST  OPPORTUNITY  TO  MANUALLY 
MECO  AT  A  VELOCITY  WHICH  WILL  ALLOW  FOR  AN  ENTRY  TO  AN 
ELS/ACLS.  ASSUMPTIONS:  MANUAL  MECO,  PROTECTION  OF  THE 
CONTINGENCY  CG  BOX,  AND  POST-MECO  ROLL  TO  HEADS-UP. 

G.  SINGLE  ENGINE  OPS  3:  ®[1 20894-1 743A ] 

THIS  BOUNDARY  REPRESENTS  THE  EARLIEST  TIME  THAT  THE  CREW  WILL 
PERFORM  THE  2  ENGINE  OUT  DROOP  PROCEDURE  FOLLOWING  A  SECOND 
SSME  FAILURE. 

1.  IF  LAST  ECAL/BDA  CAPABILITY  OCCURS  AFTER  THE  DROOP 

BOUNDARY  (REF.  PARAGRAPH  F.l.a),  THE  SINGLE  ENGINE  OPS  3 
BOUNDARY  WILL  BE  BASED  ON  THE  EARLIEST  OF  THE  FOLLOWING: 

a.  LAST  ECAL/BDA  CAPABILITY  (WITHOUT  REGARD  TO  WEATHER) 

b.  THE  SINGLE  ENGINE  LIMITS  BOUNDARY  (REF.  PARAGRAPH 
F  .  1 .b) 

C.  FIRST  DOWNRANGE  ELS  LOW  ENERGY  CAPABILITY.  THIS  ELS 
CAPABILITY  ASSUMES  THE  FOLLOWING: 

(1)  MAXIMUM  THROTTLES, 

(2)  2  SIGMA  LOW  MPS  PERFORMANCE, 

(3)  USE  OF  AUTO  LOW  ENERGY  GUIDANCE  FOR  ENTRY  (REF. 
RULE  { A2-55 }  FOR  LOW  ENERGY  GUIDANCE), 
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(4)  THE  ELS  MEETS  MINIMUM  EMERGENCY  LANDING  FACILITY 
CRITERIA  (REF.  RULE  {A2-264},  EMERGENCY  LANDING 
FACILITY  CRITERIA.  ®[1 20894-1 743A  ] 

2.  IF  LAST  ECAL/BDA  CAPABILITY  OCCURS  BEFORE  THE  DROOP 

BOUNDARY,  THE  SINGLE  ENGINE  OPS  3  BOUNDARY  WILL  BE  BASED 
ON  DROOP  .  ®[1 20894-1 743A] 

This  boundary  allows  the  use  ofECAL  capability  past  the  point  where  droop  capability  begins,  and 
reflects  the  priority  ofECAL  over  droop/bailout  as  set  by  the  A/E  FTP  in  July  1994.  This  delays  the 
point  where  the  two  engine  out  second  stage  procedure  ends.  This  option  allows  the  crew  to  use  the 
ECAL  procedures  and  attempt  a  landing  versus  doing  the  two  engine  out  droop  procedure  which  results 
in  a  bailout.  This  option  on  a  high  inclination  mission  is  much  preferred  over  bailout  in  the  North 
Atlantic  Ocean.  Another  consideration  in  this  boundary  is  the  first  ELS  capability  with  “stretch  ”  (use  of 
low  energy  guidance).  However,  if  the  ELS  weather  does  not  meet  the  minimum  weather  criteria  for  cm 
ELS,  it  is  unusable  as  an  ELS  and  the  ELS  capability  will  not  be  considered  in  the  determination  of  the 
boundary.  A  landing  at  an  ELS  is  considered  preferable  over  landing  at  ECAL/BDA  because  of  the 
automated  entry  procedures  and  the  slightly  more  benign  entry  conditions.  The  Single  Engine  Limits 
boundary  is  the  first  capability  to  a  TAL  orACLS  using  “stretch  ”  (use  of  low  energy  guidance).  This 
has  a  higher  priority  over  cm  ECAL. 

If  ECAL/BDA  capability  ends  prior  to  droop  then  this  call  will  be  based  on  droop  capability. 

®[1 20894-1 743A] 

H.  SINGLE  ENGINE  PRESS-TO-MECO  :  ®[1 20894-1 743A] 

THIS  BOUNDARY  REPRESENTS  THE  EARLIEST  TIME  AFTER  WHICH 
AUTO  GUIDANCE  WILL  ACHIEVE  THE  CRITICAL  UNDERSPEED  (REF. 

RULE  { A4 -5 5 } ,  DESIGN  AND  CRITICAL  MECO  UNDERSPEED 
DEFINITIONS)  AT  MECO.  ASSUMPTIONS:  TWO  ENGINES  OUT, 
PROTECTION  OF  2-SIGMA  MPS  FPR,  AND  ABORT  THROTTLE. 

The  single-engine  press-to-MECO  (SEPTM)  boundary  is  based  on  critical,  rather  than  design, 
underspeed  since  ET  impact  constraints  protected  in  the  design  underspeed  do  not  apply  to  multiple- 
engine-out  scenarios  (ref.  Rule  (A2-62E),  ET  FOOTPRINT  CRITERIA).  Abort  throttles  are  assumed 
since  Rule  (A2-52C),  ASCENT  MODE  PRIORITIES  FOR  PERFORMANCE  CASES,  implies  that  we  will 
not  use  max  throttle  to  avoid  a  TAL  downmode  as  long  as  cruto  TAL  is  available,  and  normally  SEPTM 
occurs  well  prior  to  the  last  TAL.  2-sigmct  FPR  is  protected  per  the  rationale  for  the  other  uphill 
boundaries. 
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I.  PERFORMANCE  DISPERSIONS/GAPS:  ®[1 20894-1 743A ] 

1.  UPHILL  CAPABILITY  CONSISTS  OF  HAVING  AN  ARD-PRED ICTED 
UNDERSPEED  WHICH  IS  LESS  THAN  EITHER  THE  DESIGN  OR 
CRITICAL  UNDERSPEED,  WHICHEVER  APPLIES  TO  THE  GIVEN  CASE 
AS  PROVIDED  BY  RULE  {A2-62E},  ET  FOOTPRINT  CRITERIA. 
ASSESSMENT  ASSUMES  ABORT  THROTTLES,  PROTECTION  OF  2-SIGMA 
MPS  FPR,  AND  MAY  INCLUDE  A  PRE-MECO  ATO  ABORT  IF 
APPLICABLE . 


Uphill  capability  as  defined  will  guarantee  AO  A  steep  or  ATO  day  1  or  day  2  shallow  D/O  capability  as 
well  as  the  other  items  listed  in  Rule  {A4-55},  DESIGN  AND  CRITICAL  MECO  UNDERSPEED 
DEFINITIONS,  and  will  keep  the  ET  from  impacting  on  critical  land  masses  as  defined  in  Rule  (A2-62DJ, 

ET  FOOTPRINT  CRITERIA.  An  RTLS  or  TAL  abort  will  be  required  if  the  ARD  predicted  unclerspeed  is 
greater  than  that  which  protects  critical  land  masses  or  the  critical  underspeed,  whichever  is  most 
constraining.  As  in  the  press  boundaries  (ref.  paragraphs  D,  E,  and  G),  protection  of  2-sigmci  MPS  FPR  is 
required  in  order  to  account  for  possible  ascent  performance  dispersions.  @[121593-1590  ] 

2.  TAL/RTLS  GAP  MANAGEMENT  FOR  LOSS  OF  UPHILL  CAPABILITY 
WITH  THREE  ENGINES  OPERATING: 

a.  IF  AN  ENGINE  IS  STUCK  IN  THE  THROTTLE  BUCKET  OR  IF 
MORE  THAN  ONE  ENGINE  IS  SUSPECT,  A  TAL  ABORT  TO  THE 
PRIME  SITE  WILL  BE  INITIATED  UPON  REACHING  THE 
EARLIER  OF  THE  FOLLOWING: 

(1)  TWO-ENGINE  PRIME  TAL  CAPABILITY  (TWO  AT  104 

PERCENT)  PLUS  EITHER  OF  THE  FOLLOWING: 

(a)  TWO-ENGINE  ACLS  TAL  CAPABILITY,  EVALUATED  FOR 
A  GOOD  ENGINE  OUT  (ASSUMPTIONS:  2-SIGMA  MPS 
FPR,  MAX  THROTTLES,  MAX  RANGING  USING  LOW 
ENERGY  GUIDANCE.  @[120894-1663] 

(b)  TWO-ENGINE  NEGATIVE  RETURN,  EVALUATED  FOR  A  GOOD 
ENGINE  OUT  (ASSUMPTIONS:  3-SIGMA  MPS  FPR,  MAX 
THROTTLES,  MAX  UNDERSPEED  TO  THE  R/V  LINE) 

OR 
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(2)  NEGATIVE  RETURN  MINUS  10  SECONDS  (TWO  AT  104  PERCENT) 

NOTE:  EVALUATION  OF  THE  CAPABILITY  TO  THE  ACLS  WILL  BE 

INDEPENDENT  OF  THE  ACLS  GO/NO-GO  STATUS. 

A  TAL  or  RTLS  abort  will  be  required  for  loss  of  uphill  capability.  In  the  TAL/RTLS  overlap  region 
either  of  the  two  abort  modes  may  be  utilized.  If  more  than  one  engine  is  suspect,  there  is  considerable 
risk  of  mu  ltiple  engine  failures.  Therefore,  TAL  is  the  preferred  abort  mode  because  of  reduced  powered 
flight  time  and  earlier  single  engine  completion  capability. 

For  cases  with  an  engine  stuck  in  the  throttle  bucket,  an  RTLS  is  undesirable  for  severed  reasons.  With  three 
engines  operating,  the  RTLS  fuel  dissipation  attitude  is  not  readjusted  for  subsequent  engine  failures,  and  the 
resulting  altitude  versus  range  profile  and  time  of  powered  pitcharound  may  be  incorrect,  with  the  most 
significant  con  tribu  tor  being  the  impact  on  the  altitude  profile  during  fuel  dissipation  phase.  Therefore,  the 
failure  of  a  healthy  engine  during  the  RTLS  fuel  dissipation  phase  may  result  in  a  MECO  unclerspeed.  For  the 
failure  of  a  healthy  engine  after  powered  pitcharound,  sufficient  performance  may  not  be  available  on  the 
remaining  1-2/3  engines,  again  resulting  in  a  MECO  underspeed.  For  example,  analysis  showed  that  late  in 
the  STS-26  RTLS  profile  (at  approximately  9  minutes  MET)  there  existed  only  a  10-  to  20-second  window 
where  a  single  engine  failure  would  result  in  acceptable  MECO  conditions. 

For  these  reasons,  a  TAL  abort  will  be  performed.  RTLS  capability  will  be  maintained  as  long  as 
operationally  practical,  without  affecting  subsequent  TAL  performance,  by  delaying  TAL  selection  until 
both  1-2/3  engine  ACLS  TAL  capability  and  2  good  engine  prime  TAL  capability  are  available. 

The  ACLS  evaluation  will  be  made  assuming  maximum  throttles  and  low-energy  guidance  in  order  to 
allow  TAL  selection,  and  therefore  avoid  an  RTLS,  at  the  earliest  possible  time  while  still  protecting  for 
any  one  engine  failure.  The  low-energy  guidance  capability  correlates  directly  to  a  specific  underspeed 
for  each  TAL  site  and  inclination.  Two-sigma  MPS  performance  will  be  protected  to  provide  a  level  of 
confidence  that  cm  acceptable  underspeed  will  result.  @[120894-1663  ] 

If  1-2/3  engine  negative  return  occurs  prior  to  1-2/3  engine  ACLS  TAL  capability,  the  TAL  abort  call  will 
be  based  on  that  time  since  a  con  tingency  abort  is  then  the  only  option  should  a  good  engine  fail.  This 
evaluation  is  made  using  maximum  throttles  and  the  maximum  allowable  underspeed  to  the  R/V  line  in 
order  to  extend  1-2/3  engine  RTLS  capability  as  long  as  possible  prior  to  entering  the  single-engine-out 
abort  gap.  This  underspeed,  300 fps,  correlates  to  the  min  imum  time  constrain  t  of  12  seconds  from 
powered  pitchdown  to  MECO,  ensuring  acceptable  ET  SEP  conditions.  Three-sigma  MPS  FPR  is 
protected  to  provide  confidence  that  this  underspeed  will  not  be  exceeded,  since  the  data  used  to 
determine  this  boundary  is  produced  du  ring  the  design  cycle  and  does  not  accoun  t  for  day-of-launch 
conditions.  The  consequences  of  violating  RTLS  ET  SEP  constraints  can  be  catastrophic. 

When  an  abort  gap  exists  between  negative  return  and  two-engine  prime  TAL  capability,  the  TAL  abort 
is  still  preferred  and  the  gap  will  be  accepted  since  the  RTLS  would  result  in  an  abort  gap  a  few  seconds 
after  initiation,  as  explained  above. 
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This  rule  is  only  applicable  during  powered  flight;  therefore,  the  GO/NO-GO  status  of  the  ACLS  is  not  a 
factor  since  pre-MECO  selection  of  this  site  senses  only  to  minimize  exposure  to  a  pre-MECO  contingency 
abort  (similar  to  the  droop  criteria).  The  actual  landing  site  will  be  selected  post-MECO. 

b.  FOR  ALL  OTHER  CASES,  IF  A  TAL/RTLS  ABORT  GAP 

EXISTS  (TWO-SSME  CAPABILITY)  AT  NEGATIVE  RETURN 
MINUS  10  SECONDS,  AN  RTLS  ABORT  WILL  BE  EXECUTED 
AT  THAT  TIME.  OTHERWISE,  A  TAL  ABORT  WILL  BE 
INITIATED  AT  TWO-ENGINE  TAL  CAPABILITY. 

An  RTLS  abort  will  be  required  for  single  engine  failures  which  occur  prior  to  two-engine  TAL 
capability  as  the  performance  loss  will  not  support  any  other  intact  abort  mode.  With  the  loss  of  uphill 
capability,  an  RTLS  or  TAL  abort  will  have  to  be  performed.  If  two-engine  prime  TAL  capability  is  not 
achieved  prior  to  negative  return,  an  RTLS  abort  is  executed  in  order  to  avoid  flying  a  single-engine-out 
in  tact  abort  gap.  Without  stuck  throttles  or  suspect  engines,  the  RTLS  profile  is  flown  without  the 
problems  outlined  in  paragraphs  H.2a.  A  post-RTLS  abort  engine  failure  will  be  handled  by  guidance 
successfully  with  no  single-engine-out  intact  abort  gaps.  The  abort  decision  is  made  10  seconds  prior  to 
negative  return  in  order  to  provide  time  for  the  TAL  capability  evaluation  to  be  made.  With  two-engine 
TAL  capability,  the  TAL  abort  will  be  executed  at  the  two-engine  TAL  boundary.  In  this  case,  the 
systems  RTLS  capability  is  traded  away  in  order  to  provide  earliest  two-engine-out  capability. 

Reference  Ascent  FTP  #  42,  March  1988. 

3.  GAP  MANAGEMENT  FOR  POSITIVE  UPHILL  CAPABILITY: 

NOTE:  IF  APPLICATION  OF  THE  FOLLOWING  MEASURES  FAILS  TO 

CLOSE  THE  GAP,  IT  WILL  STILL  BE  FLOWN  THROUGH 
PROVIDED  UPHILL  CAPABILITY  REMAINS  ON  THE  CURRENT 
ENGINE  CONFIGURATION.  SHOULD  AN  ENGINE (S) 
SUBSEQUENTLY  FAIL  IN  THE  GAP,  A  CONTINGENCY 
PROCEDURE  WILL  BE  REQUIRED  SUCH  AS  ACCEPTING  PLS 
LANDING  AT  A  NO-GO  SITE,  AN  AUTO  TAL  TO  ANY 
AVAILABLE  SITE  EVEN  IF  THE  SITE  HAS  BEEN  DECLARED 
NO-GO  FOR  INTACT  ABORT  PURPOSES,  ACCEPTING 
TAL/LATE  TAL  TO  AN  ELS,  ATTEMPTING  AN  ABORT  TO  AN 
EAST  COAST  SITE  OR  BERMUDA  ISLAND,  OR  BAILOUT. 
@[121593-1590] 
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HYPOTHETICAL 

SSME 

CONFIGURATION 

GAP 

BEING  CLOSED 

ACLS 

STATUS 

PRIORITIES 

[1] 

LAST  RTLS 

1. 

MAX  THROTTLES  [2] 

TO 

DOWN 

2. 

MAX  RANGING  USING  LOW  ENERGY 
GUIDANCE  TO  PRIME  TAL  SITE 

1ST  PRIME  TAL 

3. 

NOMINAL  PERFORMANCE 

1. 

ACLS  AT  ABORT  THROTTLES  [2] 

2. 

MAX  THROTTLES  [2] 

UP 

3. 

MAX  RANGING  USING  LOW  ENERGY 
GUIDANCE 

4. 

NOMINAL  PERFORMANCE 

O 

N 

1. 

ACCEPT  CRITICAL  USPD 

E 

2. 

COMMIT  OMS  BALLAST  TO  CONTINGENCY 

E 

LATER  OF: 

CG  LIMIT 

N 

3. 

ACCEPT  AOA/PLS  TO  NO-GO  SITE 

G 

LAST  RTLS 

4. 

MAX  THROTTLES  [2] 

N 

OR 

DOWN 

5. 

ACCEPT  UNDERSPEED  TO  AOA  SHALLOW 

E 

D 

O 

LAST  PRIME  TAL 

6. 

LIMIT 

MAX  RANGING  USING  LOW  ENERGY 

TO 

GUIDANCE  TO  PRIME  TAL  SITE 

W 

N 

1ST  PRESS 

7. 

NOMINAL  PERFORMANCE 

1. 

ACCEPT  CRITICAL  USPD 

2. 

COMMIT  OMS  BALLAST  TO  CONTINGENCY 

CG  LIMIT 

3. 

ACCEPT  AOA/PLS  TO  NO-GO  SITE 

4. 

ACCEPT  ACLS  TO  EXTEND  INTACT  TAL 
COVERAGE  [2] 

UP 

5. 

MAX  THROTTLES  [2] 

6. 

ACCEPT  UNDERSPEED  TO  AOA  SHALLOW 
LIMIT 

7. 

MAX  RANGING  USING  LOW  ENERGY 
GUIDANCE  TO  ACLS  OR  PRIME 

8. 

NOMINAL  PERFORMANCE 

®[1 21 593-1 590  ]  ®[1 20894-1 663  ] 
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A4-56  PERFORMANCE  BOUNDARIES  (CONTINUED) 


GAP  ACLS 

BEING  CLOSED  STATUS 


DOWN 


LAST  AUTO  TAL 
(PRIME  OR  ACLS) 
TO 

1ST  SINGLE 
ENGINE  PRESS 


UP 


@[121593-1590] 

NOTES: 

[1]  IN  ALL  CASES,  IT  IS  PRESUMED  THAT  SSME  SHUTDOWN  NPSP  CONSTRAINTS  WILL  BE  PROTECTED  VIA  EITHER 
THE  FLIGHT  SOFTWARE  MECO  PREPARATION  THROTTLING  OR  THE  PRE-MECO  MANUAL  THROTTLEDOWN 
PROCEDURE. 

[2]  THESE  OPTIONS  WILL  BE  EXECUTED  PRE-MECO,  ALL  OTHERS  WILL  BE  SELECTED  BASED  ON  POST-MECO 
EVALUATION. 

[3]  FOR  THE  TWO-ENGINE-OUT  CASE,  CRITICAL  UNDERSPEED  IS  ALREADY  COMMITTED  IN  THE  SINGLE-ENGINE 
PRESS  BOUNDARY  PER  PARAGRAPH  {A4-56H},  PERFORMANCE  BOUNDARIES,  AND,  HENCE,  DOES  NOT 
CONTRIBUTE  TO  SINGLE-ENGINE  GAP  CLOSURE  PRIORITIES.  ®[ED  ] 

Gap  closure  priorities  are  established  to  balance  exposure  to  contingency  abort  against  acceptance  of 
flight  conditions  which  otherwise  are  undesirable  for  a  variety  of  individual  reasons.  Gaps  in  intact 
abort  capability  may  arise  during  powered  flight  due  to  a  number  of  possible  systems  or  environmental 
problems  including  stuck  throttles ,  degraded  SSME  performance  ( i.  e. ,  Pc  sensor  shift),  low-performing 
SRB’s,  unacceptable  TAL  weather,  etc.  In  such  cases,  options  which  increase  available  delta  V  are 
brought  into  play  in  order  to  either  close  or  minimize  the  gap.  These  options  include  both  pre-MECO 
and  post-MECO  commitments.  In  general,  the  post-MECO  options  and  pre-MECO  “theoretical” 
options  (those  whose  effects  cannot  be  directly  measured  pre-MECO  but  are  related  to  assumed 
capabilities )  are  preserved  as  long  as  some  other  directly-measurable  option  exists  such  as  use  of 
maximum  throttles,  commitment  of  OMS  ballast,  or  acceptance  of  larger  MECO  underspeed;  otherwise, 


THIS  RULE  CONTINUED  ON  NEXT  PAGE 


VOLUME  A  06/20/02  FINAL  TRAJECTORY  AND  GUIDANCE  4-34 

Verify  that  this  is  the  correct  version  before  use. 


PRIORITIES 

1.  COMMIT  OMS  BALLAST  TO  CONTINGENCY 
CG  LIMIT 

2.  ACCEPT  AOA/PLS  TO  NO-GO  SITE 

3.  MAX  THROTTLE  [2] 

4.  ACCEPT  UNDERSPEED  TO  AOA  SHALLOW 
LIMIT 

5.  NOMINAL  PERFORMANCE 

1.  COMMIT  OMS  BALLAST  TO  CONTINGENCY 
CG  LIMIT 

2.  ACCEPT  AOA/PLS  TO  NO-GO  SITE 

3.  MAX  THROTTLE  [2] 

4.  ACCEPT  LATE  TAL  OUT  TO  LAST  LATE  TAL 
VI  [2] 

5.  ACCEPT  UNDERSPEED  TO  AOA  SHALLOW 
LIMIT 

6.  NOMINAL  PERFORMANCE 


HYPOTHETICAL 

SSME 

CONFIGURATION 
[1]  [3] 
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A4-56  PERFORMANCE  BOUNDARIES  (CONTINUED) 

we  would  be  relying  on  capabilities  that  are  not  certain  to  exist  until  the  true  MECO  state  is  determined. 

This  general  rule  is  traded  against  factors  such  as  weather,  program-approved  abort  site  usage,  and  risk 

to  vehicle  and  crew  in  order  to  establish  the  precise  priorities  for  the  individual  gap  closu  re  scenarios. 

Specifically, 

a.  Auto  TAL  to  the  ACLS  ( if  available  per  rules  and  performance)  may  be  utilized  to  close  any  intact 
abort  gap  before  committing  to  maximum  throttles  {per  Program  Office  agreement  that  we  will  not 
use  maximum  throttles  to  avoid  the  ACLS).  Otherwise,  if  the  ACLS  is  down,  it  reverts  to  ELS  status 
and  becomes  the  lowest-priority  option. 

b.  ET  footprint  encroachment  on  critical  land  masses  will  be  accepted  before  any  other  direct  gap 
closure  action  is  taken  (such  as  use  of  max  throttles  or  commitment  ofOMS  ballast);  however,  if  a 
TAL  option  exists  to  a  Space  Shuttle  Program-recognized  TAL  site,  TAL  will  be  accepted  before 
allowing  the  ET  footprint  to  impact  critical  areas.  The  additional  stress  placed  on  the  SSME’s  by 
operation  at  maximum  throttle  is  considered  more  hazardous  than  the  concerns  associated  with 
possible  ET  impact  on  critical  land  masses. 

Note  that  waiving  ET  constraints  is  a  no-impcict  decision  in  terms  of  risk  to  the  shuttle  vehicle  itself; 
therefore,  when  applicable,  this  is  the  first  option  used. 

c.  OMS  ballast  may  be  committed  after  ET  impact  limits  are  waived  but  prior  to  use  of  maximum 
throttle.  Use  of  OMS  ballast  can  result  in  a  vehicle  CG  outside  the  nominal  envelope  limits  to 
which  operation  is  certified,  but  keeps  it  within  the  contingency  envelope  which  preserves  adequate 
thermal  and  control  margins.  Thus,  this  mode  is  considered  safer  than  maximum  throttle  operation. 
It  is,  however,  an  action  that  directly  affects  the  shuttle  itself  (albeit  a  relatively  benign  effect); 
therefore,  it  is  prioritized  after  waiver  ofET  impact  constraints. 

d.  Accept  press  to  a  less  than  fully  GO  AO  A  or  PLS  site.  @[121593-1590  ] 

e.  Maximum  throttle  is  the  last  pre-MECO  directly-measurable  option  in  terms  of  recovery  of 
programmatic  “intact  abort”  capability.  Since  other  options  involve  post-MECO  commitments, 
revert  to  contingency  (non-intact  abort)  operations  and/or  trade  off  probability  of  success.  Use  of 
maximum  throttle  is  allowed  at  this  point  to  minimize  exposure  to  these  other  regimes.  This  is 
consistent  with  the  groundrule  that  maximum  throttles  will  only  be  utilized  to  regain  intact 
capability  or  to  avoid  a  post-TAL-selection  site  redesignation. 

f.  Since  the  remaining  options  all  involve  only  post-MECO  commitments  (with  the  exception  of  Late 
TAL  execu  tion),  their  priority  regarding  pre-MECO  gap  closure  is  fairly  mean  ingless  -  in  reality, 
no  commitmen  t  of  any  kind  is  made  until  the  true  MECO  condition  is  evaluated.  Therefore, 
operationally,  the  total  delta-V  effect  of  the  remaining  priorities  will  be  committed  all  at  once  if  it 
becomes  necessary  to  further  close  a  gap.  However,  to  determine  the  toted  gap  closure  delta  V 
available,  the  individual  items  considered  are  as  follows,  in  the  order  in  which  we  would  prefer  to 
have  to  utilize  them: 
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A4-56  PERFORMANCE  BOUNDARIES  (CONTINUED) 

(1)  Late  TAL  capability  to  either  a  prime  TAL  site  or  ACLS  will  be  utilized  to  close  a  gap  between 
last  Auto  TAL  and  earliest  steep  AO  At  i.  e. ,  prior  to  commitment  to  AOA-Shallow.  Therefore,  if 
AOA-Shallow  and  Late  TAL  capabilities  overlap,  the  “press”  boundary  will  be  based  on 
reaching  the  end  of  the  Late  TAL  window.  The  Late  TAL  will  not,  of  course,  be  actually 
executed  unless  the  assumed  performance  loss  occurs. 

(2)  When  applicable,  allowable  MECO  underspeed  will  be  increased  to  the  AOA-Shallow  limit. 
AOA-Shallow  is  highly  undesirable  due  to  the  more  severe  entry  thermal  environment  and 
the  sensitivity  to  navigation  dispersions  ( target  line  is  close  to  skipout  boundary  and  ranging 
becomes  highly  sensitive  to  flight  path  angle).  While  it  nominally  results  in  recovery  of 
vehicle  and  crew,  AOA-Shallow  is  not  considered  a  certified  intact  abort  from  a 
programmatic  point  of  view. 

(3)  Low  energy  guidance  extends  TAL  capability  to  MECO  underspeed  conditions  off  the  R-V 
line.  AOA-Shallow  is  considered  higher  priority  than  low  energy  guidance  because  AOA- 
Shallow  has  been  subjected  to  much  more  thorough  engineering  analysis,  is  less  stressful 
thermally,  provides  for  help  from  the  MCC  in  dealing  with  entry  navigation  dispersions,  and 
the  AOA-Shallow  boundary  is  more  clearly  defined.  ®[1 20894-1 663  ] 

(4)  All  MPS  performance  reserves  will  be  assumed  available  for  delta-V  purposes  (“nominal 
performance” ).  To  this  point,  performance  boundaries  have  been  predicated  on  protection 
of  2-sigma  reserves,  thus  providing  a  high  confidence  that  we  do  not  commit  to  a  mode 
which  statistically  probable  systems  and  performance  dispersions  will  not  allow  to  be 
successfully  completed.  Committing  to  boundaries  on  nominal  performance  assures  only  a 
50  percent  chance  of  being  correct;  thus  it  forms  the  lowest-priority  option. 

Rules  {A2-6j,  LANDING  SITE  WEATHER  CRITERIA  [HC];  { A2-52CJ ,  ASCENT  MODE 
PRIORITIES  FOR  PERFORMANCE  CASES;  {A2-55},  USE  OF  LOW-ENERGY  GUIDANCE;  {A2- 
56 j,  ABORT  GAP;  j A2-57 },  CONTINGENCY  ASCENTS/ ABORTS;  {A4-1B},  PERFORMANCE 
ANALYSES;  {A4-2J,  LANDING  SITE  CONDITIONS;  {A4-53J,  USE  OF  MAXIMUM  THROTTLES; 
{A5-103},  LIMIT  SHUTDOWN  CONTROL;  and  {A5-1 57},  ET  LOW  LEVEL  CUTOFF  SENSOR 
FAILED  DRY,  reference  this  rule.  @[120894-1663]  ®[111 094-1 622B] 

Rule  {A5-155},  LIMIT  SHUTDOWN  CONTROL  AND  MANUAL  THROTTLING  FOR  LOW  LH2  NPSP, 
references  this  rule.  @[071 494-1 646A] 
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A4-57  NAVIGATION  UPDATES 

A.  ASCENT  PRE-MECO 

WHEN  AN  INDEPENDENT  NAVIGATION  SOURCE  IS  AVAILABLE,  A 
NAVIGATION  UPDATE  WILL  BE  EXECUTED  TO  ALLOW  ITS  INCORPORATION 
PRIOR  TO  MECO  MINUS  30  SECONDS  TO  PRESERVE  MECO  CONDITIONS 
NECESSARY  FOR  A  NOMINAL  FLIGHT.  DELTA  STATE  UPDATES  WILL  BE 
INITIATED  FOR  THE  FOLLOWING  GROUND  MINUS  ONBOARD  VELOCITY 
DIFFERENCES:  ®[1 21 296-41 77D] 

1.  DELTA  U  DOT  >  50  FPS  3.  DELTA  V  DOT  >  40  FPS 

2.  DELTA  U  DOT  <  -50  FPS  4.  DELTA  V  DOT  <  -NOMINAL 

(REF.  THE  ANNEX  FLIGHT 
RULE,  TRAJECTORY  AND 
GUIDANCE  PARAMETERS) 

®[ED  ] 

To  the  extent  possible,  it  is  desirable  to  maintain  the  onboard  navigated  state  to  provide  MECO 
conditions  acceptable  for  nominal  flight  execution.  However,  it  is  undesirable  to  update  the 
onboard  navigation  with  a  reasonable  probability  of  degrading  the  onboard  state.  The  onboard 
powered  flight  navigation  evaluation  is  performed  by  the  delta  state  processor  which  determines 
the  ground  filter  minus  onboard  state  differences.  Preflight  analysis  has  established  a  3 -sigma 
uncertainty  in  the  delta  state  velocity  differences  of  30  fps  per  axis.  Estimated  onboard  velocity 
error  at  MECO  resulting  from  a  3-sigma  IMU  performance  is  20  fps  worst  axis.  Definition  of 
update  limits  equal  to  the  sum  of  the  3 -sigma  delta  state  and  IMU  uncertainties  provides 
reasonable  assurance  that  an  update  will  improve  the  onboard  state.  Because  of  the  OMS  budget 
limitation,  nominal  flight  execution  is  most  sensitive  to  downtrack  velocity  errors  (i.e.,  underspeed 
MECO).  To  reduce  the  probability  of  ascent  downmoding,  the  downtrack  velocity  update  limit  is 
defined  by  the  RSS  of  the  3 -sigma  delta  state  and  IMU  uncertainties.  For  ascen  t  performance 
critical  missions,  the  downtrack  velocity  update  limit  is  defined  by  the  underspeed  magnitude  at 
MECO  which  would  allow  con  tinuation  of  a  nominal  orbit  insertion.  Nominal  flight  execution  is 
relatively  insensitive  to  crosstrack  errors,  requiring  no  update  limit.  Thus,  a  delta  state  update 
will  be  initiated  for  apparent  radial  velocity  errors  exceeding  ±50  fps  or  downtrack  velocity  errors 
exceeding  +40  fps  or  -Xfps  where  X  represents  the  allowable  underspeed  magnitude  for  nominal 
insertion  with  a  maximum  value  of  -40  fps.  The  update  will  be  incorporated  at  least  30  seconds 
prior  to  MECO  to  allow  the  second  stage  guidance  to  adjust  the  steering  solution  to  regain  the 
desired  target  conditions. 

Rule  { A2-60J ,  NAVIGATION  UPDATE  CRITERIA,  references  this  rule. 
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A4-57  NAVIGATION  UPDATES  (CONTINUED) 

B.  ASCENT  POST-MECO  AND  PRE-OMS-1 

WHEN  AN  INDEPENDENT  NAVIGATION  SOURCE  IS  AVAILABLE,  A  PRE- 
OMS-1  NAVIGATION  UPDATE  WILL  BE  PERFORMED  IF  THE  GROUND 
EVALUATION  OF  THE  MANEUVER  DELTA  V  REQUIRED  TO  ACHIEVE  THE 
SELECTED  ASCENT  MODE  UTILIZING  CURRENT  ONBOARD  NAVIGATION 
EXCEEDS  DELTA  V  AVAILABLE.  ®[1 21 296-41 77D] 

In  the  AME  evaluation  of  the  desired  ascen  t  mode  for  OMS-1,  the  initial  cycle  assumes  OMS-1  and  -2 
execution  utilizing  the  current  onboard  navigated  state.  If  the  delta  velocity  requirement  exceeds  that 
available,  then  the  AME  automatically  recycles  to  determine  the  delta  velocity  requirement  assuming  the 
OMS-1  and  -2  execution  utilizing  the  ground  filter  state.  If  the  required  delta  velocity  on  the  recycle  is 
less  than  that  available,  then  a  pre-OMS-1  update  is  performed  to  prevent  ascent  downmoding. 

C.  PRTLS 

WHEN  AN  INDEPENDENT  NAVIGATION  SOURCE  IS  AVAILABLE,  A 
NAVIGATION  UPDATE  WILL  BE  EXECUTED  PRIOR  TO  POWERED  PITCHDOWN 
(MINUS  20  SECONDS)  TO  PRESERVE  MECO  CONDITIONS  NECESSARY  FOR 
ET  SEPARATION  AND  GLIDE  RETURN  TO  LAUNCH  SITE.  A  DELTA  STATE 
UPDATE  WILL  BE  INITIATED  FOR  ANY  OF  THE  FOLLOWING  GROUND 
MINUS  ONBOARD  POSITION  AND  VELOCITY  DIFFERENCES:  ®[1 21 296-41 77D] 


1 . 

DELTA 

U 

>  +11, 000 

FT 

2  . 

DELTA 

U 

<  -7000  FT 

3. 

DELTA 

U 

DOT  <  +100 

FPS 

4  . 

DELTA 

U 

DOT  >  -50 

FPS 

5  . 

DELTA 

V 

>  +27,000 

FT 

6. 

DELTA 

V 

<  -7000  FT 

7  . 

DELTA 

V 

DOT  >  +100 

FPS 

8  . 

DELTA 

V 

DOT  <  -40 

FPS 
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A4-57  NAVIGATION  UPDATES  (CONTINUED) 

The  powered  flight  phase  of  an  RTLS  must  deliver  the  vehicle  to  a  state  from  which  the  glide  phase  can 
be  successfully  performed  to  return  to  the  runway  and  land.  Thus,  during  flyback  phase  of  an  RTLS,  the 
onboard  navigation  must  be  maintained  to  preserve  an  acceptable  energy  condition  at  MECO. 

Analytical  studies  have  been  performed  to  determine  the  maximum  position  and  velocity  errors  allowable 
to  obtain  cutoff  within  the  3 -sigma  energy  boundaries  of  the  target  range/velocity  line.  The  energy 
boundaries  allow  for  wind  and  aero  dispersions  during  the  glide  return.  Deviation  of  the  allowable 
navigation  errors  are  documented  in  MDTSCO  Transmittal  Memo  1.4-TM-D1332-152,  dated  June  16, 
1980.  The  resulting  error  envelope  is  defined  by  limits  in  radial  and  downtrack  position  and  velocity. 

The  position  error  limits  are  +11, 000/ -7, 000 feet  in  the  radial  axis  and  +27,0007-7,000 feet  in  the 
downtrack  axis.  The  velocity  error  limits  are  +100/-50 fps  in  the  radial  axis  and  +100/-40 fps  in  the 
down  track  axis.  If  any  ground  minus  onboard  position  or  velocity  difference  exceeds  the  corresponding 
limit,  a  delta  state  update  will  be  executed  at  least  20  seconds  prior  to  powered  pitchdown  to  allow 
adjustment  of  the  steering  solution  to  satisfy  target  conditions  at  pitchdown  initiation. 

D .  BFS 

A  BFS  NAVIGATION  UPDATE  WILL  BE  PERFORMED  BY  VECTOR  TRANSFER 
AFTER  EACH  PASS  UPDATE  TO  ENSURE  ACCEPTABLE  NAVIGATION  STATUS 
RELATIVE  TO  THE  PASS. 

During  powered  ascent,  the  PASS  and  BFS  independently  navigate  the  current  vehicle  state.  Because 
of  differences  in  IMU  selection  logic,  the  resultant  states  may  not  agree.  Thus,  if  a  PASS  update  is 
required,  the  uplin  ked  deltas  may  not  be  appropriate  for  correcting  the  BFS  state.  To  properly  correct 
the  BFS  via  uplink  would  require  switching  the  telemetry  input  to  the  delta  state  processor,  a  minimum 
delay  of  20  seconds  to  allow  the  back  difference  logic  to  determine  the  BFS  velocity  deltas,  and  an 
additional  delay  of  15  to  20  seconds  for  command  generation  and  uplink  execution.  Should  a  BFS 
engage  be  required  during  this  time,  vehicle  transien  ts  would  likely  occur.  To  avoid  disruption  of  the 
PASS  monitoring  and  reduce  the  exposure  to  potential  vehicle  transients,  it  is  desirable  to  perform  a 
vector  transfer  to  the  BFS  after  each  PASS  update. 

E.  POST-MECO  PRIOR  TO  A  COMMIT  TO  ORBIT: 

FOR  A  DECLARED  OR  PROBABLE  AO A,  A  NAVIGATION  UPDATE  WILL  BE 
PERFORMED  PRE-OMS-2  IF  THE  ONBOARD  AND  GROUND  FILTER 
SOLUTIONS  FOR  SEMI-MAJOR  AXIS  DIFFER  BY  MORE  THAN  12,000  FEET 
AT  MECO  PLUS  12  MINUTES  AND  ONE  OF  THE  FOLLOWING  IS 
SATISFIED:  @[072601-4528] 
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A4-57  NAVIGATION  UPDATES  (CONTINUED) 

1.  ONBOARD  ERROR  INDICATED  BY  A  CHANGE  IN  THE  ONBOARD /GROUND 
FILTER  SEMI-MAJOR  AXIS  COMPARISON  BETWEEN  MECO  AND  MECO 
PLUS  12  MINUTES  WHICH  EXCEEDS  6000  FEET. 

2.  HIGH  SPEED  TRAJECTORY  SOLUTION  DEVIATION  FROM  THE  ONBOARD 
DURING  ASCENT. 

THE  MCC  SHALL  DETERMINE  THE  STATE  VECTOR  SOURCE  TO  BE 
USED  FOR  THE  NAVIGATION  UPDATE  (EITHER  GROUND  FILTER  OR 
GPS)  .  @[072601-4528] 

A  navigation  update  will  be  performed  prior  to  OMS-2  for  a  declared  or  probable  AO  A  to  protect  an 
onboard  downtrack  error  exceeding  20  nm  at  entry  interface.  The  primary  monitoring  parameter  is 
the  difference  in  the  onboard  and  ground  knowledge  of  orbital  semi-major  axis,  delta  alpha.  At 
MECO  +12  minutes,  a  12,000 feet  delta  alpha  uncertainty  indicates  a  20  nm  downtrack  uncertainty 
will  exist  at  entry  interface.  The  allowable  threshold  should  be  reduced  by  the  ground  solution 
uncertainty  to  establish  a  delta  alpha  update  limit.  The  ground  solution  at  MECO  +12  minutes  is 
based  on  the  resultant  ascent  high  speed  filter  output  plus  OMS-1  maneuver  confirmation.  Assuming 
3 -sigma  IMU  for  maneuver  confirmation,  the  ground  solution  uncertainty  is  9,600 feet.  As  a  result, 
the  update  limit  for  delta  alpha  should  be  2,400 feet.  However,  a  limit  value  this  tight  would  result  in 
a  90  percent  probability  of  performing  cm  uplink  and  a  40  percent  chance  of  degrading  the  onboard 
state.  To  reduce  the  probability  of  having  to  do  an  uplink,  the  limit  value  is  specified  as  12,000 feet. 

To  decrease  the  chance  of  degrading  the  onboard  state,  secondary  cues  will  be  used  to  confirm  a  delta 
alpha  difference  is  due  to  cm  onboard  error.  Thus,  for  a  declared  or  potential  AO  A,  a  navigation 
update  will  be  performed  before  OMS-2  if  the  ground  and  onboard  difference  in  delta  alpha  exceeds 
12,000 feet  at  MECO  +12  minutes  and  an  onboard  error  is  indicated  by  one  of  the  following 
conditions:  @[072601-4528  ] 

a.  The  delta  alpha  comparison  changes  by  more  than  6,000 feet  between  MECO  and  MECO 
+  12  minutes. 

b.  Onboard  trajectory  deviation  from  the  high  speed  tracking  solution  during  powered  ascen  t. 

GPS  provides  additional  insight  into  ground  and  onboard  navigation  errors.  GPS  state  vectors  will  be 
more  accurate  them  the  ground  solution  if  off-nominal  IMU  data  is  used  for  maneuver  confirmations. 
TDRS  tracking  data  residuals  can  be  utilized  to  confirm  what  is  the  most  accurate  semi-major  axis 
source  after  the  OMS-1  maneuver.  GPS  provides  several  navigation  solutions  between  OMS-1  and 
OMS-2  as  long  as  it  is  verified  to  be  functioning  properly  (no  hardware  problems  or  commfaults,  no 
extended  periods  of  high  FOM,  and  no  extended  periods  of  less  than  four  satellites  tracking).  The  GPS 
navigation  update  can  be  performed  by  a  ground  vector  uplink  or  crew  item  entry  once  in  OPS  3  for 
the  AO  A  abort.  Caution  should  be  taken  when  using  GPS  state  vectors  with  FOM’s  >5  (650 feet 
position  error  one  sigma)  since  the  estimated  position  error  increases  rapidly  with  higher  FOM  values. 
@[072601-4528] 
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A4-57  NAVIGATION  UPDATES  (CONTINUED) 

F.  FOR  RENDEZVOUS  MISSIONS,  A  STATE  VECTOR  UPDATE  WILL  ONLY  BE 
PERFORMED  PRE-OMS-2  FOR  MECO  CROSSTRACK  VELOCITY  (WDOT) 
DIFFERENCES  BETWEEN  THE  GROUND  AND  ONBOARD  VECTORS  GREATER 
THAN  6  FT/SEC,  PROVIDED  THAT  THE  FOLLOWING  CRITERIA  ARE  MET: 

1.  DETERMINATION  OF  A  GOOD  GROUND  NAVIGATION  STATE  VECTOR, 
BASED  UPON  A  MINIMUM  OF  30  SECONDS  OF  GOOD  QUALITY 
POST-MECO  TRACKING  DATA. 

2.  DETERMINATION  THAT  THE  STATE  VECTOR  UPDATE  WILL  DECREASE 
THE  NPC  DELTA  V  BY  6  FT/SEC  OR  MORE. 

For  rendezvous  missions,  the  OMS  propellant  budget  provides  for  a  nominal  plane  change  (NPC) 
maneuver  to  correct  out-of-plcme  dispersions.  Out-of-plane  dispersions  resulting  from  navigation  errors 
incurred  during  ascent  can  be  partially  corrected  by  OMS-2  steering,  resulting  in  a  savings  of  propellant 
required  for  the  NPC  maneu  ver.  In-plane  dispersions  are  far  less  costly  to  the  propellan  t  budget,  since 
they  can  be  corrected  with  later  phasing  maneuvers.  In  an  attempt  to  minimize  the  NPC  propellan  t 
requiremen  t  and  thus  increase  the  propellan  t  margins  for  rendezvous,  a  state  vector  update  may  be 
performed  prior  to  OMS-2. 

Flight  data  has  shown  the  post-MECO  ground  state  vector  accuracy  to  be  within  3  ft/sec  in  the 
crosstrack  velocity  component,  provided  that  no  anomaly  in  the  ground  tracking  or  the  ground 
navigation  processing  occurred  after  MECO.  The  standard  deviation  of  the  onboard  state  vector 
crosstrack  error  at  MECO  computed  from  flight  data  is  about  10  ft/sec.  If  telemetry  is  available  during 
powered  flight,  onboard  crosstrack  differences  in  both  position  and  velocity  can  be  observed  during 
ascen  t.  This,  together  with  the  confirmation  of  a  good  post-MECO  ground  state  vector,  provides  a  good 
assurance  that  the  state  vector  update  will  improve  the  onboard  state  vector  in  the  crosstrack  component. 

The  ground  navigation  HSTD  processor  requires  time  to  converge  to  a  good  state  vector  solution  after 
the  change  to  free  flight  processing  mode  following  MECO.  Sixty  seconds  of  tracking  data  processing 
is  desirable  to  provide  an  accurate  state  vector  for  onboard  uplink.  If  the  convergence  time  is  less  than 
30  seconds,  performing  a  state  vector  update  for  the  purpose  of  removing  out-of-plane  dispersions 
should  not  be  considered. 

FDO  procedures  performed  pre-OMS-2  include  the  determination  of  the  differences  in  the  NPC  delta  V 
between  using  the  onboard  and  ground  state  vector.  The  6  ft/sec  threshold  was  based  on  the  ground 
state  vector  accuracy.  ®[0i  2694-1 555  ] 
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A4-58  AUTO  GUIDANCE  NO-GO 

AUTO  GUIDANCE  WILL  BE  DECLARED  NO-GO  AND  BFS  ENGAGE  INITIATED  FOR 
CONDITION  A,  MANUAL  GUIDANCE/THROTTLE  WILL  BE  INITIATED  FOR 
CONDITIONS  IN  PARAGRAPHS  B  THROUGH  D: 

Within  ascent  guidance,  multiple  tasks  and  subtasks  are  executed  in  a  designed  sequence.  The  execution 
may  be  based  on  time,  sensed  trajectory  condition,  or  mission  event.  Some  tasks  have  an  internal  check 
to  ensure  the  logical  solution  is  reasonable  and  within  a  predefined  tolerance  of  desired  target 
conditions.  If  a  task  or  subtask  fails  to  get  executed  in  the  design  sequence,  the  ascent  guidance  function 
is  considered  unreliable.  Likewise,  if  a  task  fails  to  satisfy  an  internal  solution  check  for  an 
unreasonable  number  of  consecutive  cycles,  the  guidance  function  is  considered  failed. 

Rule  { A2-59 },  BFS  ENGAGE  CRITERIA,  references  this  rule. 

A.  ROLL  MANEUVER  NOT  INITIATED  AS  SCHEDULED. 

Initially  in  first  stage  flight,  the  boost  guidance  task  will  command  a  constant  pad  attitude.  The  constan  t 
command  is  maintained  until  the  relative  velocity  exceeds  the  I-load  value  for  PPOLY2.  The  termination 
of  vertical  rise  is  indicated  by  a  command  roll  maneuver  to  rotate  the  Orbiter  tail  downrange.  Failure  to 
initiate  the  roll  maneuver  at  the  corresponding  relative  velocity  indicates  incorrect  subtask  sequencing 
within  the  boost  guidance  task.  For  this  failu  re,  the  BFS  will  be  engaged  since  the  onboard  displays  are 
inadequate  for  the  crew  to  manually  execute  the  roll/pitch  profile  through  the  critical  high  Q-bar  regime. 

B.  GUIDANCE  NOT  CONVERGED  FOR  10  SECONDS  DURING  MM  103  AND  MM 
601  AFTER  INITIAL  CONVERGENCE. 

During  the  standard  ascent  mode  (MM  103 )  and  the  return-to-launch  site  mode  (MM  601 ),  internal 
checks  are  made  with  the  PEG  task  to  ensure  the  current  steering  solution  and  resultant  predicted 
burnout  state  are  converged  within  an  acceptable  envelope  of  the  desired  target  conditions.  At  the 
initiation  of  each  mode,  the  convergence  checks  are  nominally  passed  within  two  or  three  guidance 
cycles  (4  to  6  seconds ).  After  initial  convergence,  a  sudden  change  in  the  actual  acceleration  (engine 
failure)  will  cause  the  convergence  checks  to  nominally  fail  for  one  guidance  cycle.  Allowing  two 
guidance  cycles  as  pad,  10  seconds  is  the  longest  reasonable  in  terval  for  PEG  to  fail  convergence. 

Failure  to  achieve  convergence  for  more  than  10  seconds  indicates  an  internal  problem  which  prevents 
the  PEG  solution  from  satisfying  the  target  conditions.  Manual  guidance/throttle  will  be  initiated  for 
this  failure. 

C.  THROTTLE  COMMAND  NOT  DECREASED  TO  MAINTAIN  3g  ACCELERATION. 

During  second  stage  guidance,  the  g-limiting  task  determines  the  average  acceleration  experienced  since 
the  previous  guidance  cycle.  If  the  sensed  acceleration  exceeds  an  I-load  limit  value  ALIM2,  g-limiting 
is  activated  to  decrease  the  throttle  command  proportional  to  the  acceleration  error.  The  throttle 
command  is  decremented  until  the  sensed  acceleration  decreases  below  another  I-load  limit,  ALIM1. 
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A4-58  AUTO  GUIDANCE  NO-GO  (CONTINUED) 

A  constant  throttle  command  with  acceleration  exceeding  ALIM2  indicates  the  g-limiting  task  is  not 
being  executed.  Manual  guidance/throttle  will  be  initiated  for  this  failure. 

Rules  (A2-64CJ,  MANUAL  THROTTLE  CRITERIA,  and  (A4-59J,  MANUAL  THROTTLE  SELECTION, 
reference  this  rule.  @[0921 95-1 770A] 

D.  STATIC  OR  INCREASING  Tqq  FOR  10  SECONDS  DURING  MM  104  AND 
MM  1 0  5 . 

Du  ring  the  orbit  insertion  guidance,  there  is  no  direct  onboard  indication  of  a  PEG  convergence 
problem.  If  the  PEG  solution  is  not  obtaining  the  desired  target  conditions,  the  solution  is  modified  to 
determine  a  new  required  velocity  change.  An  increasing  time-to-go  (  TGO)  for  five  guidance  cycles 
indicates  unreasonable  modifications  within  the  PEG  solution.  A  static  TGO  for  10  seconds  indicates 
the  PEG  task  has  not  been  executed  for  five  guidance  cycles.  Manual  guidance  will  be  initiated  for  this 
failure. 

Rule  {A2-64A},  MANUAL  THROTTLE  CRITERIA,  references  this  rule. 

A4-59  MANUAL  THROTTLE  SELECTION 

MANUAL  THROTTLE  WILL  BE  INITIATED  FOR  THE  FOLLOWING  CONDITIONS: 

A.  FAILURE  TO  INITIATE/TERMINATE  THRUST  BUCKET  COMMANDS  FOR 
FIRST  STAGE  q  CONTROL. 

During  first  stage  flight,  the  boost  throttling  task  provides  an  open-loop  throttle  command  to  limit 
maximum  dynamic  pressure  and  gain  desired  performance.  When  the  relative  velocity  exceeds  an  I-load 
value  of  QPOLYJ,  the  throttle  command  is  set  to  an  I-load  value  of  THROTJ  ifSRB  performance  is 
nominal,  arid  the  segment  index  J  is  incremented  by  1.  For  off  nominal  SRB  performance,  adaptive 
guidance  throttling  adjusts  either  THROT2  or  THROT3  depending  on  whether  performance  is  high  or 
low.  IfSRB  performance  is  high,  the  THROT2  level  ( throttle  command  between  about  Mach  0.4  and  0.7 ) 
is  reduced  (approximately  21  percent  for  3  sigma  hot  SRB’s).  IfSRB  performance  is  low,  the  THROT3 
level  ( throttle  command  between  about  Mach  0.7  and  Mach  1.3)  is  increased  ( approximately  6  percent 
for  3  sigma  cold  SRB’s).  Since  there  is  no  crew  insight  onboard  into  SRB  performance,  manual  throttles 
should  not  be  invoked  at  QPOLY2  or  QPOLY3  simply  to  match  the  nominal  throttle  bucket  based  on  the 
THROTJ  I-loads.  @[0921 95-1 770A] 

Manual  throttles  shall  only  be  invoked  if  guidance  fails  to  throttle  back  at  QPOLY3  or  fails  to  throttle  up 
to  maximum  power  level  at  QPOLY4.  If  manual  throttles  are  invoked  during  the  throttle  bucket,  throttles 
shall  remain  under  manual  control  until  second  stage  guidance  has  been  evaluated  and  declared  “GO”. 
@[0921 95-1 770A] 
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A4-59  MANUAL  THROTTLE  SELECTION  (CONTINUED) 

B.  FAILURE  TO  ACHIEVE  FUEL  DISSIPATION  THROTTLE  COMMAND  ON 
INITIATION  OF  RTLS . 

The  current  throttle  command  for  the  fuel  dissipation  phase  of  powered  RTLS  is  established  by  the 
SSME-out  safing  task  or  the  RTLS  initialization  task  depending  on  the  number  of  active  SSME’s.  If  a 
SSME  failure  has  previously  occurred,  the  throttle  command  should  have  been  set  to  an  Llocid  value 
KMAX  by  the  SSME-out  safing  task.  If  no  engine  failure  has  occurred,  the  RTLS  initialization  task  sets 
the  throttle  command  to  a  level  equal  to  two  thirds  of  KMAX.  Thus,  if  the  curren  t  throttle  command  in 
the  RTLS  fuel  dissipation  phase  is  not  equal  to  KMAX  (two  SSME’s  active)  or  two  thirds  KMAX  (three 
SSME’s  active),  then  the  SSME-out  safing  task  or  RTLS  initialization  task  was  not  properly  executed. 
®[092195-1770A] 

C.  INITIATION  OF  A  TWO-SSME  RTLS  WITH  ONE  SSME  THROTTLE  STUCK  IN 
THE  THRUST  BUCKET.  RETURN  TO  AUTO  THROTTLE  WILL  BE  INITIATED 
DURING  FLYBACK  PHASE  ON  GROUND  CALL  AFTER  CONFIRMATION  OF 
GUIDANCE  CONVERGENCE. 

During  the  fuel  dissipation  phase  of  cm  RTLS,  the  PEG  flyback  predictions  assumes  a  vehicle  thrust 
acceleration  equivalent  to  a  desired  throttle  command.  With  two  engines  active  with  one  throttle  stuck  at 
the  thrust  bucket  level,  the  actual  vehicle  acceleration  is  less  than  assumed.  After  the  powered 
pitcharound  (i.e.,  flyback  initiation),  the  PEG  guidance  senses  the  lower  acceleration  and  becomes 
unconverged  as  it  attempts  to  adjust  the  steering  solution.  During  this  interval,  it  is  possible  (although 
unlikely)  for  PEG  to  issue  cm  erroneous  MECO  command.  As  a  precaution  to  protect  against  cm 
inadvertent  shutdown,  manual  throttle  must  be  selected  prior  to  flyback  initiation.  Since  there  is  no 
direct  indication  of  when  flyback  initiation  will  occur,  manual  throttle  should  be  selected  at  initiation  of 
RTLS.  To  avoid  a  manual  MECO,  a  ground  call  for  return  to  AUTO  throttle  will  be  made  after  guidance 
has  reconverged  with  a  stable  solution. 

D.  INCORRECT  THROTTLE  COMMAND  FOR  TAL  OMS  DUMP  CONTROL. 

®[092195-1770A] 

Beginning  with  OI-8D,  flight  software  provides  for  cm  automatic  throttledown  following  TAL  abort 
selection  in  order  to  maximize  capability  to  complete  the  pre-MECO  OMS  dump.  This  throttling  action 
is  cued  by  two  site-specific  I-locids  that  define  the  threshold  throttledown  velocities  for  either  two-  or 
three-engine  operation.  If  the  appropriate  throttledown  command  is  not  issued,  the  software  is  not 
performing  correctly,  and  manual  throttle  will  be  exercised  to  perform  the  same  function.  Alternately, 
when  an  SSME  failure  is  not  recognized  by  guidance,  the  throttle-down  may  be  erroneously  commanded 
based  on  the  three-engine  throttle  down  velocity.  Manned  throttles  may  be  used  to  prevent  or  correct  this 
erroneous  throttle-down.  This  philosophy  is  consistent  with  paragraphs  A  and  B  above.  ®[092195-1770A] 
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A4-59  MANUAL  THROTTLE  SELECTION  (CONTINUED) 

E.  THROTTLE  COMMAND  NOT  DECREASED  TO  MAINTAIN  3-G  ACCELERATION. 

The  3-g  acceleration-limiting  logic  is  provided  to  assure  that  vehicle  loads  do  not  exceed  design  constraints. 
Therefore,  manual  throttle  will  be  invoked  to  protect  this  limit  if  the  flight  software  fails  to  do  so.  Reference 
the  rationale  for  Rule  { A4-58C },  AUTO  GUIDANCE  NO-GO,  for  further  background. 

F.  ANY  TIME  CSS  IS  SELECTED. 

As  a  conservative  guideline,  any  time  the  AUTO  guidance  is  unacceptable  for  vehicle  attitude  control,  it 
should  not  be  allowed  to  control  the  mean  engines.  If  the  vehicle  attitude  is  not  maintained  to  satisfy  the 
guidance  solution,  the  guidance  may  go  unconverged  and  potentially  could  issue  an  undesired  MECO 
command.  Thus,  to  avoid  cm  inadvertent  shutdown,  manned  throttle  should  be  selected  whenever  CSS 
takeover  is  initiated. 

Rule  { A2-64AJ ,  MANUAL  THROTTLE  CRITERIA,  references  this  rule. 

G.  THROTTLES  WILL  BE  MANUALLY  COMMANDED  TO  THE  MINIMUM  POWER 
LEVEL  AT  2  PERCENT  PROPELLANT  REMAINING  IF  THE  EXPECTED  MECO 
UNDERSPEED  EXCEEDS  THE  VALUE  ASSURING  EXECUTION  OF  FLIGHT 
SOFTWARE  MECO  PREP  THROTTLING: 


1 . 

TWO 

OR  THREE  ENGINES  ON: 

500 

FPS 

2  . 

ONE 

ENGINE  ON: 

250 

FPS  @[0921 95-1 770A] 

Flight  software  MECO  preparation  throttling  is  triggered  by  K-locided  timing  values.  When  the 
guidance-computed  TGO  becomes  less  than  TGO_FCD  K-load,  the  MPS  guidance  cutoff  task  begin  s 
cyclic  execution.  This  task  determines  when  to  command  the  SSME’s  to  the  cutoff  power  level,  and 
assumes  that  they  will  remain  at  that  setting  for  K-load  DT_MIN_K  seconds.  However,  the  software  also 
assumes  a  guided  MECO  will  result  and  has  no  way  of  compensating  for  cm  impending  early  (low-level) 
cutoff.  Therefore,  for  predicted  MECO  underspeeds  greater  than  a  threshold  value,  a  low-level 
shutdown  may  be  commanded  before  the  engines  reach  the  desired  cutoff  throttle  setting.  In  such 
instances,  the  throttles  will  be  manually  retarded  to  the  minimum  power  level  shortly  before  MECO  to 
provide  the  required  safe  shutdown  configuration. 

Under  most  circumstances,  the  onboard  propellant  remaining  computation  is  sufficiently  accurate  to  use 
as  a  throttledown  cue.  Ascent/Entry  Flight  Techniques  # 62  determined  in  January  1990  that  2  percent 
propellant  remaining  provided  a  generic  value  that  covered  both  the  pre-MECO  dump  and  no-dump 
cases.  However,  the  flight  software  computation  is  inaccurate  when  off-nominal  mixture  ratios  are 
in  volved,  due  to  the  buildup  of  unusable  LOX  or  LH2;  the  software  senses  the  extra  mass  but  does  not 
recognize  it  as  un  usable.  Likewise,  the  onboard  mass  estimation  algorithm  in  first  stage  assumes  all 

THIS  RULE  CONTINUED  ON  NEXT  PAGE 


VOLUME  A  06/20/02  FINAL  TRAJECTORY  AND  GUIDANCE  4-45 

Verify  that  this  is  the  correct  version  before  use. 


NASA  -  JOHNSON  SPACE  CENTER 


FLIGHT  RULES 


A4-59  MANUAL  THROTTLE  SELECTION  (CONTINUED) 

engines  are  operating  at  the  commanded  power  level;  therefore,  an  engine  locked  before  the  bucket  will 
consume  more  propellan  t  than  the  mass  tracking  function  accoun  ts  for.  This  leads  to  the  second  stage 
software  believing  it  has  more  propellant  than  is  actually  available. 

Although  the  resultant  mass  dispersions  are  a  function  of  the  size  and  direction  of  the  mixture  ratio  upset 
or  the  depth  and  length  of  the  bucket,  the  2  percent  propellant  remaining  cue  still  provides  sufficient  time 
to  throttle  down.  ( Reference  Flight  Rule  {A5-112J,  MANUAL  THROTTLEDOWN  FOR  L02  NPSP 
PROTECTION  AT  SHUTDOWN.)  ®[ED  ] 

H.  FOR  LOW  LH2  NPSP  PER  FLIGHT  RULE  {A5-155},  LIMIT  SHUTDOWN 
CONTROL  AND  MANUAL  THROTTLING  FOR  LOW  LH2  NPSP. 

Rule  {A5-155},  LIMIT  SHUTDOWN  CONTROL  AND  MANUAL  THROTTLING  FOR  LOW  LH2  NPSP, 
addresses  scenarios  requiring  manucd  throttles.  Maimed  throttles  will  be  maintained  and  a  manual 
MECO  required  for  the  flow  control  valve  anomaly  case.  Uphill  capability  will  be  evaluated  at  each 
throttle  setting.  Two-engine  and  single-engine  performance  boundaries  will  be  made  based  on  minimum 
power  level  as  time  permits.  Since  this  dynamic  throttle  profile  is  difficult  to  model,  two-engine  and 
single-engine  capability  may  not  be  evaluated  accurately  until  the  failure  actually  occurs. 

Manual  throttles  will  be  selected  prior  to  aborting  TAL  for  a  LH2  leak.  OI-8D  software  (STS-38 
and  subs)  automatically  throttles  the  engines  down  if  TAL  is  selected  above  an  I-locided  inertial 
velocity.  To  preven  t  the  software  from  throttling  the  engines  down  when  there  is  an  LH2  tank  leak, 
manucd  throttles  are  selected  prior  to  selecting  TAL.  Once  TAL  is  selected,  the  throttles  will  be 
returned  to  auto  where  they  will  stay  at  104  percent  until  3  g’s  are  reached.  Three-g  throttling  may 
cause  engine  failures  but  this  is  cm  accepted  risk  to  avoid  vehicle  structured  damage.  Operating  the 
SSME’s  at  104  percent  results  in  a  higher  inertial  velocity  at  MECO  than  if  the  SSME’s  had  been 
throttled  down  to  67  percent.  ®[092195-1770A] 

I.  A  TAL  UNDERSPEED  IS  PREDICTED  AND  CAN  BE  REDUCED  BY  FLYING 
AT  A  LOWER  THROTTLE  SETTING.  THROTTLES  WILL  BE  RETARDED  TO 
MINIMUM  POWER  LEVEL  WHEN  THE  PERFORMANCE  GAIN  IS  MAXIMIZED. 

The  slope  of  the  TAL  range-velocity  target  line  results  in  a  point  in  the  powered  flight  trajectory  where 
MPS  propellan  t  margins  may  be  increased  by  flying  at  a  reduced  throttle  setting.  As  the  throttle  is 
retarded,  the  powered  flight  time  is  extended  which  in  turn  results  in  a  MECO  position  which  is  farther 
downrange  than  would  have  occurred  at  a  higher  power  level.  The  farther  downrange  position  equates 
to  less  distance  to  the  TAL  site  at  MECO,  and  hence,  a  lower  MECO  target  velocity.  This  in  turn 
translates  to  increased  MPS  margin  since  less  delta  V  is  required  to  reach  the  smaller  target  velocity. 
Early  in  powered  flight,  gravity  losses  at  the  lower  throttle  are  large  and  offset  any  R-V  target  benefit; 
however,  eventually  sufficient  velocity  is  achieved  such  that  the  inverse  is  true;  i.e.,  the  smaller  target 
velocity  offsets  the  gravity  losses,  which  diminish  with  time  and  the  square  of  the  curren  t  velocity. 

THIS  RULE  CONTINUED  ON  NEXT  PAGE 
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A4-59  MANUAL  THROTTLE  SELECTION  (CONTINUED) 

In  real  time,  the  MCC  ARD  can  determine  when  this  boundary  condition  is  reached,  and  subsequently 
when  the  performance  gain  is  maximized.  The  FDO  will  then  call  for  throttledown  to  minimize  the  R-V 
underspeed.  Improving  proximity  to  the  R-V  line  in  this  manner  reduces  the  likelihood  of  requiring  low- 
energy  guidance  during  entry,  and  is  especially  critical  for  out-of-plane  sites  where  high  crossrange 
severely  limits  underspeed  tolerance.  @[120894-1663  ] 

Note  that  this  procedure  will  not  be  utilized  unless  cm  underspeed  is  predicted  at  the  current  power  level. 

Rules  {A4-55},  DESIGN  AND  CRITICAL  MECO  UNDERSPEED  DEFINITIONS;  and  {A5-112}, 
MANUAL  THROTTLE  DOWN  FOR  L02  NPSP  PROTECTION  AT  SHUTDOWN,  reference  this  rule. 

®[ED  ] 

J.  THREE  ENGINES  RUNNING  AND  TWO  STUCK  THROTTLES  PRIOR  TO  TAL  OR 
RTLS  ABORT. 

1.  TAL:  SELECT  MANUAL  THROTTLES,  ABORT  TAL,  SELECT  AUTO 
THROTTLES . 

2.  RTLS:  SELECT  MANUAL  THROTTLES,  MINIMUM  THROTTLES,  WAIT 
10  SECONDS,  ABORT  RTLS,  SELECT  AUTO  THROTTLES. 

For  TAL,  it  is  undesirable  to  throttle  down  the  good  engine  due  to  the  guidance  transients  which  may 
occur  and  the  fact  that  little  time  would  be  gained  to  perform  the  abort  dump.  Therefore,  manual 
throttles  will  be  selected  to  prevent  an  automatic  throttledown  when  TAL  is  declared.  This  action  is  not 
required  if  TAL  is  declared  early  enough  that  automatic  throttling  will  not  occur  at  abort  selection. 
However,  since  there  is  no  disadvan  tage  to  selecting  manual  throttles  for  this  short  period  of  time, 
manual  throttles  will  always  be  selected  for  consistency.  AUTO  throttles  will  be  reselected  after  TAL  is 
declared. 

For  three-engine  RTLS  cases  with  two  stuck  throttles,  minimum  throttles  will  be  selected  prior  to  abort 
selection.  Doing  so  will  allow  guidance  to  converge  on  the  correct  average  thrust  level  and  will  reduce 
the  probability  of  cm  early  PPA.  For  guidance  to  have  enough  time  to  converge,  minimum  throttle  levels 
must  be  achieved  at  least  10  seconds  prior  to  RTLS  selection.  If  not,  an  early  PPA  may  occur,  resulting 
in  MECO  conditions  that  are  not  optimized.  AUTO  throttles  should  be  reselected  at  some  point  prior  to 
PPA,  but  are  not  mandatory  prior  to  RTLS  selection. 

Reference  Rules  {A5-109},  MANUAL  SHUTDOWN  FOR  TWO  STUCK  THROTTLES  (NOT  DUAL  APU 
FAILURES);  and  {. A8-61 },  SSME  SHUTDOWN  DUE  TO  HYDRAULIC  SYSTEM  FAILURES.  ®[ED  ] 
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A4-59  MANUAL  THROTTLE  SELECTION  (CONTINUED) 

K.  TO  MAINTAIN  THROTTLES  AT  109  PERCENT  POWER  LEVEL  DURING  THE 
FLYBACK  PHASE  OF  AN  RTLS  ABORT. 

When  maximum  throttles  are  enabled  (SPEC  51  Item  4),  guidance  replaces  the  maximum  power  level 
(KMAX)  of  104  percen  t  with  109  percen  t.  However ,  during  the  flyback  phase,  the  commanded  power 
level  (KCMD)  is  not  simply  set  to  KMAX  but  is  adjusted  to  achieve  the  desired  mass  conditions  at  MECO 
(assuming  CSS  or  manual  throttles  did  not  occur  anytime  during  flyback).  For  two  engines  running,  the 
typical  throttle  command  during  flyback  is  about  100  percen  t  and  is  unaffected  by  KMAX.  Therefore,  if 
109  percen  t  power  level  is  desired  du  ring  the  flyback  phase  of  cm  RTLS  abort,  man  ual  throttles  are 
required. 

Reference  Rule  {A4-53E.1},  USE  OF  MAXIMUM  THROTTLES;  and  Rule  {A5-151D.3},  PRE-MECO 
MPS  HELIUM  SYSTEM  LEAK  ISOLATION  [CIL ]. 

L.  IF  A  LOWER  SSME  POWER  LEVEL  IS  REQUIRED  SUBSEQUENT  TO 
ENABLING  MAXIMUM  THROTTLES. 

When  maximum  throttles  are  enabled  (SPEC  51  Item  4),  guidance  replaces  the  maximum  power  level 
(KMAX)  of  104  percent  with  109  percen  t.  If  throttle  selection  is  auto  and  3-g  throttling  is  not  active,  the 
commanded  power  level  (KCMD)  is  set  to  the  new  maximum  power  level  of  109  percent  (except  during 
RTLS  flyback  phase,  see  paragraph  K.  above).  If  a  lower  power  level  is  required  subsequent  to  enabling 
maximum  throttles,  manual  throttles  must  be  selected  and  the  lower  power  level  commanded  manually. 
(Note,  if  throttle  selection  is  auto,  the  fine  count  throttle  setting  will  be  commanded  regardless  if 
maximum  throttles  have  been  enabled).  A  second  SPEC  51  Item  4  will  not  reset  the  maximum  or 
commanded  power  level  to  104  percent.  Therefore,  the  lower  power  level  must  be  commanded  manually. 
Once  the  desired  power  level  is  reached,  throttles  can  be  returned  to  auto.  However,  a  subsequent 
engine  failure  with  auto  throttles  selected  will  result  in  the  commanded  power  level  being  reset  to  109 
percent. 

Rule  (A2-64AJ,  MANUAL  THROTTLE  CRITERIA,  references  this  rule. 
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A4-60  MANUAL  SHUTDOWN  CRITERIA 

IF  THE  ONBOARD  PREDICTED  MET  OF  MECO  IS  2  SECONDS  DIFFERENT  THAN 
THE  GROUND  PREDICTED  MET  OF  MECO  AND  IF  CONFIRMED  BY  OBSERVED 
NAVIGATION  VELOCITY  ERRORS,  A  MANUAL  SHUTDOWN  WILL  BE  INITIATED 
AT  THE  GROUND-COMPUTED  TIME. 

If  the  ground  predicted  MET  of  MECO  is  2  seconds  differen  t  than  the  on  board  predicted  MET  of  MECO, 
a  manual  shutdown  will  be  initiated  on  the  ground-computed  value  to  maintain  the  capability  to  achieve 
a  nominal  mission.  A  difference  in  the  onboard  and  ground  predicted  times  indicates  an  auto  MECO 
will  not  achieve  the  target  cutoff  conditions.  An  early  cutoff  may  require  downmoding  because  ofOMS 
performance  limitations.  A  late  cutoff  may  cause  the  desired  thrust  direction  for  OMS-1  to  be  radially 
downward  and/or  retrograde.  The  uncertainty  in  the  ground  prediction  is  estimated  to  be  ±0.9  second. 
This  value  is  the  RSS  of  the  computational  uncertainties  of  ±0.6  second  for  3 -sigma  ground  navigation 
accuracy,  and  ±  0.5  second  for  onboard  response  to  throttledown  commands.  Allowing  a  1-second  pad 
to  ensure  detection  of  a  true  onboard  error  and  rounding  to  a  whole  number,  a  2-second  tolerance  is 
enforced. 

Reference:  CA4-79,  Ascent  Flight  Techniques  Meeting  #35,  dated  March  27,  1979.  Rule  {A2-60J, 
NAVIGATION  UPDATE  CRITERIA,  references  this  rule. 

A4-61  THRUST  LIMITING,  HYDRAULIC,  OR  ELECTRICAL  LOCKUP 

A.  BASED  ON  RECOMMENDATION  FROM  THE  BOOSTER  SYSTEM  ENGINEER,  AN 
ABORT  REGION  DETERMINATOR  (ARD)  ADJUSTMENT  WILL  BE  MADE  FOR: 

1.  THRUST  LIMITING  FLAG  SET. 

2.  Pc  SENSOR  SHIFT. 

3.  ELECTRONIC  LOCKUP. 

4.  HYDRAULIC  LOCKUP. 

5.  HPOT  EFFICIENCY  LOSS. 

6.  LH2  FLOW  METER  SENSOR  SHIFT. 

7.  LPFT  DISCHARGE  TEMPERATURE  SHIFT. 

8.  NOZZLE  LEAKS. 

The  ARD  FPR  is  designed  to  cover  only  those  SSME  failures  that  are  not  detectable  with  engine 
instrumentation,  but  are  sufficient  to  cause  performance  degradation.  Therefore,  it  is  necessary  to 
model  in  the  ARD  those  failures  with  performance  impacts  that  exceed  FPR  coverage.  Reference  Rule 
{A5-110J,  SSME  PERFORMANCE  DISPERSION.  ®[ED  ] 

THIS  RULE  CONTINUED  ON  NEXT  PAGE 
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A4-61  THRUST  LIMITING,  HYDRAULIC,  OR  ELECTRICAL  LOCKUP 

(CONTINUED) 


B.  A  PERFORMANCE-LIMITED  SSME  WILL  BE  SHUT  DOWN  EARLY,  OR  A  MAIN 
ENGINE  CONTROLLER  CHANNEL  TURNED  OFF,  BASED  ON  BOOSTER 
SYSTEMS  ENGINEER  (BSE)  CONFIRMATION  OF  THE  FAILURE  AND  ARD 
PERFORMANCE  EVALUATION  FOR  THE  FOLLOWING  CASES: 

1.  LOW  MIXTURE  RATIO: 

Preservation  of  the  ATO  region  by  early  shutdown  of  an  SSME  has  priority  over  a  possible  abort 
downmode  to  an  AO  A. 

IF  THE  FOLLOWING  CRITERIA  ARE  MET,  THE  AFFECTED  SSME  WILL 
BE  SHUT  DOWN  EARLY  TO  PROTECT  3-SIGMA  ATO  CAPABILITY  OR 
THE  DESIGN  UNDERSPEED,  WHICHEVER  IS  THE  MOST 
CONSTRAINING: 

a.  THE  ACTUAL  NOMINAL  MARGIN  INDICATES  LOSS  OF  ATO 
CAPABILITY. 


The  ARD’s  actual  mode  nominal  margin  is  a  prediction  ofMECO  underspeed  on  a  2-sigma  bad  day. 

This  prediction  can  be  used  to  determine  if  ATO  capability  exists.  This  rule  refers  to  the  design 
underspeed  as  a  criterion  for  pressing  uphill  with  a  performance-limited  SSME.  In  addition,  the 
dispersed-performance  protection  level  (3 -sigma)  is  stated  explicitly  for  uphill  capability  assessmen  t. 

b.  THE  HYPOTHETICAL  AOA  MARGIN  (REFLECTING  THE  SICK 
ENGINE  OUT)  IS  DECREASING. 

The  ARD’s  hypothetical  mode  AOA  margin  is  the  indicator  of  when  continued  sick  engine  operation  will 
degrade  performance.  A.v  long  as  the  margins  are  increasing,  the  three-engine  configuration  is 
improving  MECO  conditions.  When  the  margins  start  trailing  off,  the  sick  engine  is  degrading  uphill 
capability.  If  the  hypothetical  nominal  margin  is  greater  than  the  actual  nominal  value;  i.e.  it  is  better  to 
have  two  healthy  engines  than  two  healthy  and  one  sick,  the  bad  engine  will  be  shut  down. 

C.  THE  HYPOTHETICAL  NOMINAL  MARGIN  IS  GREATER  THAN  THE 
ACTUAL  NOMINAL  MARGIN. 

Rationale  is  the  same  as  for  paragraph  b  above. 

THIS  RULE  CONTINUED  ON  NEXT  PAGE 
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A4-61  THRUST  LIMITING,  HYDRAULIC,  OR  ELECTRICAL  LOCKUP 

(CONTINUED) 

2.  Pc  SENSOR  SHIFT  (HIGH  OR  LOW) 

FOR  A  PC  SENSOR  SHIFT  THE  AFFECTED  MAIN  ENGINE  CONTROLLER 
CHANNEL  WILL  BE  TURNED  OFF  BY  THE  CREW  TO  PROTECT  3-SIGMA 
ATO  CAPABILITY  (i . e . ,  AVOID  AO A)  OR  THE  DESIGN 
UNDERSPEED,  WHICHEVER  IS  THE  MOST  CONSTRAINING.  THIS 
PROCEDURE  WILL  NOT  BE  IMPLEMENTED  IF  IT  WILL  CAUSE  ENGINE 
SHUTDOWN  OR  NOT  CORRECT  THE  PERFORMANCE  DISPERSION  (REF. 
RULE  {A5-110},  SSME  PERFORMANCE  DISPERSION,  FOR  CASES 
THAT  CAUSE  ENGINE  SHUTDOWN)  .  ®[ED  ] 

Large  Pc  shift  can  cause  mixture  ratio  excursions  that  will  result  in  a  LOX  or  LH2  depletion  prior  to 
ATO  capability.  Generally,  the  bad  Pc  sensor  can  be  isolated  and  turn  ed  off  with  the  other  sensor 
returning  the  mixture  ratio  to  a  nominal  value.  This  rule  refers  to  the  design  underspeed  as  a  criterion 
for  pressing  uphill  with  a  performance-limited  SSME.  In  addition,  the  dispersed-performance  protection 
level  (3 -sigma)  is  stated  explicitly  for  uphill  capability  assessment. 

3.  HYDRAULIC  OR  ELECTRICAL  LOCKUP 

AN  SSME  IN  HYDRAULIC  OR  ELECTRICAL  LOCKUP  WHEN  COUPLED 
WITH  LOW  VEHICLE  PERFORMANCE  MAY  BE  MANUALLY  SHUT  DOWN  TO 
PREVENT  A  VIOLATION  OF  THE  ENGINE  LC£  NET  POSITIVE 
SUCTION  PRESSURE  (NPSP)  REQUIREMENTS  NEAR  MECO .  IF  THE 
ARD  PREDICTED  DELTA  V  MARGIN  AFTER  SRB  SEPARATION 
INDICATES  LOW  PERFORMANCE,  THE  NONTHROTTLING  ENGINE  WILL 
BE  SHUT  DOWN  AT  Vj  >  23K  FPS  .  @[061297-4892] 

For  low  performance  in  first  stage  with  one  or  more  engines  in  hydraulic  or  electrical  lockup,  there  is 
potentially  insufficient  LOX  at  MECO  to  support  the  stuck  engine’s  shutdown  from  the  higher  throttle 
level.  This  results  in  a  LOX  depletion  and  subsequent  uncontained  engine  damage. 

C.  FOR  A  THREE-ENGINE  RTLS ,  AUTO  GUIDANCE  WILL  BE  PRESERVED  BY 
SHUTTING  DOWN  PERFORMANCE-LIMITED  SSME  WHEN  THE  PROBLEM  IS 
IDENTIFIED  BUT  NOT  LATER  THAN  POWERED  PITCHDOWN  (PPD)  MINUS  40 
SECONDS  TO  PROTECT  A  3-SIGMA  GUIDED  MECO  (RTLS  MARGIN  >  0  FPS) . 
CRITERIA  FOR  ET  SEPARATION  PROPELLANT  CONDITIONS  WILL  NOT  BE 
CONSIDERED  WHEN  DETERMINING  SSME  SHUTDOWN  REQUIREMENTS  DURING 
AN  RTLS. 


Manned  throttle,  maimed  guidance,  and  early  manual  turnaround  during  an  RTLS  is  more  risky  than 
shutdown  of  a  performance-limited  SSME.  There  is  no  real-time  determination  of  propellant  conditions 
at  ET  separation  currently  available.  It  is  highly  desirable  to  protect  a  3-sigma  guided  MECO.  This 
will  be  done  at  the  possible  expense  of  executing  an  RTLS  ET  separation  with  a  slightly  heavier  tank. 
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A4-62  QMS— 1 /QMS— 2  EXECUTION 

THE  OMS-1  AND/OR  OMS-2  TARGETS  AND  TIG  WILL  BE  SELECTED  TO 
ACHIEVE  THE  HIGHEST  PRIORITY  MISSION  MODE  POSSIBLE.  ALLOWABLE 
UNDERSPEEDS  FOR  EXECUTION  OF  NOMINAL  TARGETS  WILL  ENSURE 
ACCOMPLISHMENT  OF  HIGH  PRIORITY  MISSION  OBJECTIVES.  THE  AME  WILL 
BE  USED  TO  DETERMINE  THE  HIGHEST  PRIORITY  MISSION  MODE  THAT  CAN 
BE  ACHIEVED. 

For  standard  insertion  flights,  the  nominal  OMS-1  and  OMS-2  targets  are  designed  to  be  performance 
optimized.  The  nominal  targets  will  be  executed  and  the  nominal  flight  profile  flown  only  if  there  is 
stiff  cient  fuel  available  to  perform  the  required  on-orbit  burns  and  the  deorbit  burn.  Otherwise,  the 
highest  priority  mission  mode  that  can  be  supported  by  the  fuel  available  will  be  executed.  (Reference 
Rule  {A2-52D},  ASCENT  MODE  PRIORITIES  FOR  PERFORMANCE  CASES.  ) 

For  direct  insertion  flights,  a  range  of  underspeeds  will  result  in  no  OMS-1  being  required  but  the 
apogee  is  lower  than  nominal.  For  these  cases,  assuming  no  OMS  leaks  have  occurred,  it  is  desired  to 
circularize  at  the  resulting  pre-OMS-2  apogee  altitude  with  the  OMS-2  burn.  The  details  for  this  case 
with  and  without  OMS  propellant  problems  are  in  Flight  Rule  { A4-103J ,  OFF-NOMINAL  ORBITAL 
ALTITUDE  RECOVERY  PRIORITIES,  and  its  rationale. 

The  AME  will  be  used  in  real  time  to  determine  the  highest  priority  mission  mode  that  can  be  achieved. 
Actual  post-MECO  state  vectors  and  actual  OMS  quantities  are  used  by  the  AME.  Should  the  MOC  be 
unavailable,  the  backup  method  for  determining  the  correct  targets  is  the  crew  chart  in  the  Ascent 
Checklist. 


A4-63  THROUGH  A4-100  RULES  ARE  RESERVED 
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ORBIT 


A4-101  ONBOARD  NAVIGATION  MAINTENANCE 

ADEQUATE  NAVIGATION  AND  MANEUVER  DEFINITION  WILL  BE  MAINTAINED 
ONBOARD  TO  PROVIDE  RUNWAY  LANDING  CAPABILITY  AFTER  LOSS  OF 
COMMUNICATION. 

This  rule  reflects  a  management  decision  to  provide  for  safe  deorbit  and  landing  capability  in  the  event 
of  a  total  loss  of  communications  between  the  vehicle  and  the  ground.  The  on  -orbit  navigation  state 
must  be  maintained  within  the  defined  uncertainty.  The  maximum  acceptable  downtrack  error  is  20  nm, 
predicted  to  deorbit  TIG.  Twenty  nm  is  thought  to  be  the  maximum  safe  energy  error  that  can  be 
steered  out  after  130,000 feet  altitude  (see  rationale  for  Rule  {A4-151},  IMU  ALIGNMENT ').  The 
current  onboard  state  vector  is  propagated  to  the  next  day  prime  deorbit  TIG  to  determine  if  the 
resulting  state  is  within  limits.  Periodic  state  vector  updates  are  uplinked  to  the  vehicle  whenever  the 
propagated  downtrack  error  approaches  the  limit. 

A4-102  MINIMUM  ORBITAL  LIFETIME 

THE  DEORBIT  MANEUVER  WILL  BE  SCHEDULED  AT  LEAST  48  HOURS  PRIOR  TO 
ORBITAL  DECAY  TO  El  TO  PROVIDE  24-HOUR  WAVE-OFF  CAPABILITY.  THE 
ATTITUDE  PROFILE  WILL  BE  PLANNED  AND  ORBIT  ADJUST  MANEUVERS 
SCHEDULED,  AS  REQUIRED,  TO  MEET  THE  DESIRED  ORBITAL  LIFETIME. 

THE  PERIGEE  ALTITUDE  AT  DEORBIT  TIG  SHALL  NOT  BE  LESS  THAN  80  NM . 

Uncertainties  in  the  MCC  atmospheric  model  and  onboard  state  vector  integration  make  it  difficult  to 
model  orbital  decay  at  low  altitudes.  Planning  a  deorbit  within  24  hours  of  decay  to  El  is  considered 
unsafe  due  to  these  uncertainties.  Protecting  48  hours  beyond  the  deorbit  TIG  provides  a  1  day  wave-off 
capability  to  cover  potential  systems  problems  or  forecasted  bad  weather  at  the  time  of  the 
deorbit/landing. 

Although  perigee  altitudes  less  than  80  nm  may  be  acceptable  based  on  orbital  lifetime  if  the  apogee 
altitude  were  high  enough,  uncertainties  in  the  models  and  vector  integration  resulted  in  the 
determination  of  80  nm  as  the  lowest  acceptable  perigee  at  the  planned  tune  of  deorbit. 

When  a  time-critical  estimation  of  the  minimum  perigee  is  required,  the  determination  of  the  minimum 
perigee  will  be  made  utilizing  a  generic  Ha  versus  Hp  plot  using  the  following  “worst  case”  decay 
assumptions:  30  percent  drag  uncertainty,  200,000  lb  orbiter  weight,  2500 ffi  frontal  area,  28.5  degree 
inclination,  0  degree  argument  of  perigee,  and  240  by  10~22  watts/m? /hertz  solar  flux  (flO.7). 

If  time  permits,  a  real-time  assessment  of  the  minimum  perigee  altitude  will  be  performed  based  on  the 
actual  apogee,  orbiter  weight,  inclination,  planned  attitude  timeline,  solar  flux,  and  a  30  percent  drag 
uncertainty. 

(Ref.  Entry  Flight  Techniques  Panel  Minutes  #34.) 
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NOTE:  IF  THE  PROPELLANT  MARGINS  ALLOW  FOR  THE  COMPLETION  OF  THE 

RENDEZVOUS  PROFILE  FOLLOWING  INSERTION  TO  AN  OFF-NOMINAL 
ORBIT,  THEN  THIS  RULE  DOES  NOT  APPLY. 

A.  RECOVERY  OPTIONS  FROM  A  105  NM  CIRCULAR  ATO  ORBIT,  IN  ORDER 

OF  PRIORITY  ARE: 

1.  USE  OMS-3  AND  OMS-4  TO  OBTAIN  NOMINAL  ORBIT  IF  PROPELLANT 
IS  AVAILABLE.  STEEP  DEORBIT  CAPABILITY  MUST  BE  PROTECTED 
FROM  THE  NOMINAL  ORBIT. 

2.  CIRCULARIZE  AS  HIGH  AS  POSSIBLE  AT  AN  ORBITAL  ALTITUDE 
WHICH  PROTECTS  STEEP  DEORBITS  AND  SATISFIES  MISSION 
CONSTRAINTS.  REFERENCE  THE  FLIGHT  RULES  ANNEX  FOR 
FLIGHT-SPECIFIC  ALTITUDE  REQUIREMENTS. 

3.  RAISE  ORBIT  ELLIPTIC ALLY  ONLY  IF  MANDATORY  PAYLOAD 
CONSTRAINTS  HAVE  JUSTIFIED  PREFLIGHT  THAT  THIS  IS 
REQUIRED.  IN  THIS  CASE,  STEEP  DEORBIT  CAPABILITY  TO 
ALL  CONUS  OPPORTUNITIES  MUST  BE  PROTECTED  THROUGH  EOM 
PLUS  2  DAYS  AND  ELS  DEORBIT  OPPORTUNITY  GAPS  MUST  NOT 
EXCEED  4.5  HOURS. 

B.  RECOVERY  OPTIONS  FOR  DIRECT  INSERTION  INTO  LOWER  THAN  NOMINAL 

ORBITS : 

1.  IF  NO  PROPELLANT  PROBLEMS  EXIST,  CIRCULARIZE  AT  APOGEE 
ALTITUDE  WITH  OMS-2  (105  NM  MINIMUM) .  FOR  LARGER  MECO 
UNDERSPEEDS  WHICH  REQUIRE  AN  OMS-1,  CIRCULARIZE  AT  105  NM. 
USE  THE  PRIORITIES  IN  PARAGRAPH  A  TO  RECOVER  FROM  THE 
LOWER  ORBIT. 

2.  IF  PROPELLANT  PROBLEMS  DO  EXIST,  RAISE  PERIGEE  TO  THE 
MINIMUM  PERIGEE  WITH  OMS-2.  CONSIDERATION  WILL  BE  GIVEN 
TO  RAISING  PERIGEE  ABOVE  THE  MINIMUM,  DEPENDING  ON 
PROPELLANT  AVAILABILITY,  MISSION  REQUIREMENTS,  AND 
DEORBIT  REQUIREMENTS.  REFERENCE  THE  ANNEX  FLIGHT  RULE, 
TRAJECTORY  AND  GUIDANCE  PARAMETERS,  FOR  THE  FLIGHT- 
SPECIFIC  MINIMUM  HP.  ®[ED  ] 
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(CONTINUED) 


The  above  is  the  Space  Shuttle  Program  position  on  recovering  from  insertion  into  cm  ATO  orbit  and 
was  agreed  upon  at  the  On-orbit  Flight  Techniques  Meeting  #78.  It  is  much  more  desirable  from  the 
STS  operations  point  of  view  to  raise  the  orbit  to  a  circular  orbit.  This  eliminates  the  large  variations 
in  deorbit  delta  V  that  are  possible  from  an  elliptical  orbit.  It  is  quite  possible  not  to  have  the  delta  V 
available  to  deorbit  to  cm  emergency  landing  site  (ELS)  from  an  elliptical  orbit  which  has  been 
optimized  for  a  continental  United  States  (CONUS)  landing.  Also,  the  deorbit  delta  V  varies  from  one 
opportunity  to  the  next  as  well  as  one  day  to  the  next  clue  to  the  cipsidal  rotation.  The  deorbit  delta  V 
from  a  circular  orbit  is  fairly  constant  throughout  the  flight.  The  fairly  constant  deorbit  cost  makes  it 
much  easier  to  handle  propellant  budget  redlines  in  real  time.  For  relatively  small  MECO 
underspeeds  on  a  direct  insertion,  if  there  are  no  propellant  problems,  the  plan  to  circularize  at  the 
current  apogee  altitude  with  OMS-2  was  recommended  for  two  reasons.  First,  it  allows  us  to  execute 
the  STS  preference  of  going  into  a  circular  orbit.  Also,  it  is  more  efficient  to  circularize  at  the  apogee 
altitude  and  deorbit  from  there  than  it  is  to  fly  the  nominal  mission.  Therefore,  for  the  MECO 
underspeed  cases  with  apogee  greater  than  105  nm,  the  plan  to  use  OMS-2  to  circularize  at  the  apogee 
altitude  results  in  “creating”  more  OMS  propellant  for  on-orbit  activities.  If  propellant  problems  do 
exist,  the  rule  calls  for  raising  perigee  to  the  min  imum  perigee  (min  Hp)  in  order  to  minimize 
propellant  usage.  The  min  Hp  guarantees  orbit  stay  capability  up  through  the  flight  day  1  PLS 
opportunity.  If  the  perigee  is  only  raised  to  the  min  Hp,  it  may  have  to  be  raised  higher  at  a  later  time 
to  satisfy  Rule  { A4-102 },  MINIMUM  ORBITAL  LIFETIME. 

The  elliptical  orbit  constraints  were  reviewed  and  approved  at  the  Entry  Flight  Techniques  Panel 
Meeting  #40.  Because  of  the  large  amount  of  analysis  required  to  support  flying  in  cm  elliptical  orbit,  it 
was  recommended  that  this  be  done  only  in  cases  where  the  mandatory  payload  requirements  have 
justified  preflight  that  this  is  required.  It  was  determined  that  a  4. 5 -hour  gap  in  ELS  deorbit  capability 
was  an  acceptable  compromise  since  “anytime”  deorbit  capability  from  the  resulting  elliptical  orbit  may 
not  be  available.  Typical  gaps  in  ELS  deorbit  opportunities  from  a  circular  orbit  average  1  hour  long. 

It  was  felt  by  the  community  that,  for  mandatory  payload  requirements,  we  could  increase  the  exposure 
to  gaps  to  three  orbits  without  cm  ELS  deorbit  opportunity.  The  three  orbits  were  then  converted  to  time 
to  make  it  easier  to  implement.  It  was  agreed  that  we  should  protect  steep  deorbit  capability  to  all 
CONUS  sites  from  the  elliptical  orbits.  This  would  allow  the  standard  protection  desired  for  a  thermally 
safe  entry  and  protect  for  deorbit  to  one  of  the  other  CONUS  sites  should  weather  make  the  PLS  NO-GO. 
This  deorbit  capability  must  be  provided  for  all  the  possible  days  of  the  mission  to  allow  for  an  early  or 
delayed  landing. 

DOCUMENTATION :  Orbit  Flight  Techniques  Panel  Meeting  #78  and  Entry  Flight  Techniques  Panel 
Meeting  #40. 

Rule  {A4-62},  OMS-l/OMS-2  EXECUTION,  references  this  rule. 
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A.  FOR  THE  CASE  OF  AN  OMS  PROPELLANT  TANK  LEAK,  AN  OMS  BURN  TO 
DEPLETION  WILL  BE  EXECUTED  AS  FOLLOWS: 

1 .  IF  PROPELLANT  FROM  THE  GOOD  POD  CAN  SUPPORT  NEXT  PLS 
DEORBIT  WITH  STEEP  TARGETS  FROM  THE  CURRENT  ORBIT,  THE 
LEAKING  PROPELLANT  WILL  BE  BURNED  OUT  OF  PLANE 
IMMEDIATELY . 

2.  IF  PROPELLANT  FROM  THE  GOOD  POD  CAN  SUPPORT  AT  LEAST  ONE 
CONUS  DEORBIT  OPPORTUNITY  WITH  SHALLOW  TARGETS  BUT  NOT 
WITH  STEEP  TARGETS  FROM  THE  CURRENT  ORBIT,  A  PERIGEE 
ADJUST  MANEUVER  WILL  BE  PERFORMED  IMMEDIATELY  IF: 

a.  IT  WILL  REDUCE  THE  DEORBIT  DELTA  V  ON  THE  PRIME  AND 
BACKUP  (IF  AVAILABLE)  DEORBIT  OPPORTUNITIES  TO  THE 
PLS  WITHIN  THE  NEXT  48  HOURS  (MINIMUM  OF  ONE  PLS 
OPPORTUNITY  EACH  DAY  FOR  THE  NEXT  2  DAYS) ,  AND 

b.  THE  DEORBIT  DELTA  V  AFTER  THE  PERIGEE  ADJUST  MANEUVER 
IS  SUPPORTABLE  WITH  THE  NONLEAKING  OMS  PLUS  ARCS 
ABOVE  AFT  QUANTITY  1  (NO  FRCS) . 

OTHERWISE,  AN  OUT-OF-PLANE  MANEUVER  WILL  BE  PERFORMED 
IMMEDIATELY . 

3.  IF  THE  PROPELLANT  FROM  THE  GOOD  POD  CANNOT  SUPPORT  AT 
LEAST  ONE  CONUS  DEORBIT  OPPORTUNITY  WITH  SHALLOW  TARGETS 
FROM  THE  CURRENT  ORBIT,  A  PERIGEE  ADJUST  MANEUVER  WILL  BE 
PERFORMED  IMMEDIATELY  WITH  THE  FOLLOWING  EXCEPTION: 

IF  THE  LEAK  RATE  IS  EXTREMELY  SLOW  AND  BOTH  THE  LEAK  RATE 
AND  POD  THERMAL  ENVIRONMENT  ARE  STABLE,  PERFORM  PERIGEE 
ADJUST  AT  THE  OPTIMUM  PERIGEE  ADJUST  TIG.  HOWEVER,  ANY 
INCREASE  IN  LEAK  RATE  OR  CHANGE  IN  THERMAL  ENVIRONMENT 
INDICATIVE  OF  POD  FREEZEUP  REQUIRES  AN  IMMEDIATE  BURN. 

4.  THE  PROPELLANT  FROM  THE  GOOD  POD  INCLUDES  OMS  FROM  THE 
NON-LEAKING  SIDE  PLUS  ARCS  TO  OMS  TANK  FAIL  QUANTITY  FOR 
SHALLOW  OR  AFT  QUANTITY  1  FOR  STEEP  (PROTECTING  FOR 
48-HOUR  ON-ORBIT  STAY  ON  VRCS,  ONE  DEORBIT  PREPARATION, 
AND  TWO  15-SECOND  ULLAGE  BURNS),  PLUS  FRCS.  FRCS  WILL 
NOT  BE  CONSIDERED  FOR  USE  DURING  THE  DEORBIT  BURN,  BUT 
MAY  BE  USED  DURING  A  PERIGEE  ADJUST. 

THIS  RULE  CONTINUED  ON  NEXT  PAGE 
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QMS  LEAK/PERIGEE  ADJUST  (CONTINUED) 

FOR  THE  CASE  OF  AN  OMS  PROPELLANT  TANK  LEAK  WITHIN  FOUR 
ORBITS  OF  DEORBIT,  COMPLETION  OF  THE  PERIGEE  ADJUST  WITH 
THE  FRCS  WILL  BE  AN  MCC  CALL. 

FOR  THE  CASE  OF  AN  OMS  PROPELLANT  TANK  LEAK  WITHIN  TWO 
ORBITS  OF  DEORBIT,  IF  THE  MCC  IS  UNABLE  TO  CONFIRM  A 
VALID  ONBOARD  STATE  VECTOR  AFTER  THE  BURN  (FROM  EITHER 
IMU  DATA  OR  GPS) ,  DEORBIT  WILL  BE  DELAYED  UNTIL  THE 
GROUND  TRACKING  STATE  VECTOR  USED  FOR  THE  DEORBIT 
MANEUVER  COMPUTATION  INCLUDES  AT  LEAST  ONE  REPEAT  OF  ANY 
TRACKING  STATION.  @[072601-4529] 

FOR  THE  CASE  OF  AN  OMS  PROPELLANT  TANK  LEAK  DURING  THE 
TIMEFRAME  OF  A  PAYLOAD  DEPLOY,  THE  ACTIONS  FOR  THE 
DIFFERENT  UPPER  STAGES  ARE  LISTED  BELOW: 

IUS  DEPLOY: 

a.  IF  THE  LEAK  IS  DETECTED  PRE-UMBILICAL  RELEASE,  RESTOW 
AND  BURN  THE  LEAKING  SYSTEM  TO  DEPLETION  PRIOR  TO 
CONTINUING  DEPLOY  OPERATIONS.  PARAGRAPH  A  OF  THIS 
RULE  WILL  BE  USED  TO  DETERMINE  THE  REQUIRED  BURN. 

THE  DETERMINATION  OF  SHALLOW  DEORBIT  CAPABILITY  WILL 
ASSUME  THAT  THE  PAYLOAD  WILL  BE  DEPLOYED  PRIOR  TO 
DEORBIT . 

b.  IF  THE  LEAK  IS  DETECTED  POST-UMBILICAL  RELEASE, 
PERFORM  EMERGENCY  DEPLOY  PROCEDURES  UP  TO  EXECUTING 
THE  MANEUVER  TO  THE  SEPARATION  BURN  ATTITUDE.  THEN: 

(1)  IF  THE  GOOD  SYSTEM  WILL  SUPPORT  DEORBIT  TO 
SHALLOW  TARGETS  FROM  THE  POSTDEPLOY/MINIMUM 
SEPARATION  ORBIT,  PERFORM  MINIMUM  SEPARATION 
ASAP  FROM  THE  LEAKING  SYSTEM  (SEND  MASTER  SAFE 
IF  MINIMUM  SEPARATION  NOT  COMPLETED) .  THEN, 

BURN  LEAKING  SYSTEM  TO  DEPLETION  ASAP  OUT-OF- 
PLANE  . 

(2)  IF  THE  GOOD  SYSTEM  WILL  NOT  SUPPORT  DEORBIT  TO 
SHALLOW  TARGETS  FROM  THE  POSTDEPLOY/MINIMUM 
SEPARATION  ORBIT,  SEND  "MASTER  SAFE".  THEN 
PERFORM  "RECOVERY  FROM  MASTER  SAFE"  THROUGH  RCS 
ENABLE.  THEN: 

THIS  RULE  CONTINUED  ON  NEXT  PAGE 
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(a)  IF  THE  LEAK  IS  EXTREMELY  SLOW  AND  THERE  ARE 
NO  POD  THERMAL  EFFECTS  BEING  SEEN  (BOTH  ARE 
MCC  CALLS) ,  REPLACE  THE  NOMINAL /MINIMUM 
SEPARATION  WITH  AN  ASAP  2  FPS  RETROGRADE 
MANEUVER.  THEN  PERFORM  PERIGEE  ADJUST  AT  THE 
OPTIMAL  PERIGEE  ADJUST  TIG. 

(b)  IF  THE  CREW  HAS  NO  CONTACT  WITH  MCC,  OR  IF 
MCC  DETERMINES  THE  LEAK  IS  FAST  OR  POD 
THERMAL  EFFECTS  ARE  SEEN,  PERFORM  PERIGEE 
ADJUST  ASAP. 

(C)  ASAP  FOLLOWING  THE  PERIGEE  ADJUST  (EITHER  AT 
OPTIMAL  TIG  OR  THE  ASAP  TIG) ,  IF  THE  PERIGEE 
ADJUST  WAS  ?  57  FPS,  MANEUVER  TO  IUS  VIEWING 
ATTITUDE  AND  COMPLETE  "RECOVERY  FROM  MASTER 
SAFE"  PROCEDURE  TO  RESTART  MISSION 
SEQUENCING.  IF  IN  CONTACT  WITH  MCC, 
CONSIDERATION  WILL  BE  GIVEN  TO  LOWERING 
PERIGEE  BELOW  95  NM  (90  NM  MINIMUM)  TO  OBTAIN 
57  FPS  FROM  THE  LEAKING  POD. 

(d)  IF  PERIGEE  ADJUST  DELTA  V  IS  <  57  FPS,  MASTER 
SAFE  RECOVERY  WILL  ONLY  BE  ON  MCC  CALL. 

PAM-D,  PAM-D2,  OR  FRISBEE  DEPLOY: 

a.  IF  THE  LEAK  IS  DETECTED  PREDEPLOY,  ABORT  THE  DEPLOY 
AND  PERFORM  OMS  BURN  TO  DEPLETION.  PARAGRAPH  A  WILL 
BE  USED  TO  DETERMINE  THE  REQUIRED  BURN.  THE 
DETERMINATION  OF  SHALLOW  DEORBIT  CAPABILITY  WILL 
ASSUME  THE  PAYLOAD  WILL  BE  DEPLOYED  PRIOR  TO  DEORBIT. 
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b.  IF  THE  LEAK  IS  DETECTED  POSTDEPLOY,  BURN  THE  LEAKING 
OMS  PROPELLANT  ACCORDING  TO  THE  FOLLOWING  GUIDELINES. 
PARAGRAPH  A  WILL  BE  USED  TO  DETERMINE  THE  REQUIRED 
BURN.  IF  THE  LEAKING  OMS  IS  TO  BE  BURNED  OUT  OF 
PLANE,  PERFORM  A  MINIMUM  SEPARATION  MANEUVER  ASAP 
AFTER  DEPLOY,  THEN  PROCEED  TO  BURN  THE  LEAKING 
PROPELLANT  OUT  OF  PLANE  IMMEDIATELY.  IF  THE  LEAK 
RATE  IS  FAST  AND  THE  LEAKING  OMS  PROPELLANT  IS  TO  BE 
BURNED  RETROGRADE,  TIG  CAN  BE  NO  EARLIER  THAN  DEPLOY 
PLUS  15  MINUTES  AND  A  MINIMUM  DELTA  V  OF  18  FPS  IS 
REQUIRED.  CONSIDERATION  WILL  BE  GIVEN  TO  LOWERING 
PERIGEE  BELOW  95  NM  (90  NM  MINIMUM)  TO  OBTAIN  18  FPS. 
IF  THE  LEAK  RATE  IS  EXTREMELY  SLOW  AND  THE  GOOD  POD 
CANNOT  SUPPORT  ANY  CONUS  DEORBIT  TO  SHALLOW  TARGETS, 
THE  FOLLOWING  ACTIONS  WILL  BE  PERFORMED: 

(1)  FOR  ASCENDING  NODE  DEPLOYMENTS,  REPLACE 
SEPARATION  MANEUVER  WITH  A  MINIMUM  SEPARATION 
MANEUVER,  GO  TO  WINDOW  PROTECTION  ATTITUDE 

( WP A) ,  AND  THEN  BURN  RETROGRADE  AT  THE  NEXT 
OPTIMUM  PERIGEE  ADJUST  TIG. 

(2)  FOR  DESCENDING  NODE  DEPLOYMENTS,  REPLACE 
SEPARATION  MANEUVER  WITH  A  PERIGEE  ADJUST 
MANEUVER  AT  THE  NEXT  OPTIMUM  PERIGEE  ADJUST  TIG 
(18  FPS  MINIMUM) . 

3.  RMS  DEPLOY:  TBD 

The  basic  philosophy  that  is  reflected  in  these  rules  is  that  the  safety  of  the  orbiter  and  the  crew  are  first 
priority.  Since  the  leak  rate  and  thermal  effects  of  an  OMS  propellan  t  tank  leak  cannot  be  reliably 
predicted,  the  leaking  propellant  must  be  dumped  ASAP.  Reliable  leak  rates  cannot  be  predicted  because 
of  the  inability  to  determine  or  predict  whether  helium  and/or  propellan  t  is  leaking  from  the  tank.  In 
addition,  if  the  propellant  tank  pressure  decays  to  below  the  tank  fail  limit  (fuel  =  216  psia,  oxidizer  = 

151  psia),  there  is  no  guarantee  ( regardless  of  the  leak  rate )  that  the  tank  can  be  repressurized  to  above 
these  limits.  If  the  repressurization  does  not  work,  the  tank  is  considered  failed  and  is  unusable  for  the 
perigee  adjust.  Since  thermal  effects  of  a  leak  cannot  be  predicted,  the  propellant  must  be  dumped  to 
prevent  the  pod  from  the  possibility  of  freezing,  thus  rendering  both  the  OMS  and  RCS  systems  unusable. 
The  rate  of  propellant  sublimation  varies  as  a  function  of  which  propellant  is  leaking,  the  location  of  the 
leak,  the  distribution  of  the  propellant  within  the  pod,  and  the  thermal  environment.  As  a  result,  the 
sublimation  rate  cannot  be  reliably  predicted.  Therefore,  if  the  pod  were  to  freeze  there  is  no  way  to 
determine  when  the  RCS  will  be  available  for  entry. 
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The  determination  of  steep  capability  includes  OMSfrom  the  nonleaking  side,  FRCS,  and  ARCS  to  AFT 
quantity  1.  Flight  Rule  {A2-108},  CONSUMABLES  MANAGEMENT ,  indicates  that  deorbit  will  be 
shallowed  to  protect  entry  usage.  Therefore,  for  steep  capability  to  exist,  the  full  entry  usage  must  be 
protected.  For  determination  of  shallow  deorbit  capability,  the  ARCS  may  be  used  to  the  OMS  tank  fail 
quantity.  OMS  tank  fail  quantity  does  not  protect  the  total  entry  requirements.  However,  this  propellant 
will  be  used  to  achieve  a  shallow  deorbit  to  CONUS,  if  required. 

If  the  good  pod  can  support  deorbit  to  a  CONUS  site  using  steep  targets,  the  leaking  OMS  should  always 
be  burned  out  of  plane  (OOP)  regardless  of  the  leak  rate  as  soon  as  possible.  This  will  result  in  having 
many  CONUS  deorbit  opportunities  available  that  can  be  supported  (to  steep  targets )  with  the  remaining 
propellant  after  the  leaking  OMS  burn. 

The  delta  V  of  the  perigee  adjust  maneuver  is  intended  to  obtain  Hp  =  95  run  and  to  reduce  the 
propellant  to  the  point  where  leakage  into  the  pod  will  be  minimized.  This  technique  will  usually  result 
in  one  of  two  cases:  (a)  propellant  not  depleted  at  targeted  Hp  or  (b)  depletion  of  propellant  and  engine 
cutoff  before  reaching  95  nm  If  the  fuel  is  depleted  before  the  perigee  reaches  95  nm,  the  FRCS  may  be 
used  to  attempt  to  achieve  the  target  perigee  altitude  at  a  later  time. 

If  fuel  remains  after  reaching  the  95  nm  target,  an  out-of-plane  burn  will  be  performed  to  reduce  the 
propellant  to  the  minimum  safe  quantity. 

If  the  propellant  available  in  the  “good  pod”  can  support  a  PLS  deorbit  with  shallow  targets  but  not 
steep  targets,  the  leaking  propellant  may  be  burned  either  out-of-plane  or  retrograde.  An  out-of-plane 
burn  everywhere  in  the  orbit  would  guarantee  at  least  shallow  deorbit  capability  to  the  PLS.  However,  if 
the  perigee  adjust  is  performed  in  the  right  portion  of  the  orbit,  the  deorbit  delta  V  can  be  decreased. 

This  would  then  allow  a  steeper  than  a  shallow  entry. 

Therefore,  a  retrograde  window  is  computed  by  determining  where  a  perigee  adjust  will  decrease  the 
deorbit  delta  V  to  the  PLS  on  the  prime  and  backup  opportunities.  This  window  is  also  constrained  by 
the  amount  of  propellant  available  in  the  nonleaking  OMS  and  the  ARCS  above  AFT  quantity  1  which 
will  be  used  to  support  the  deorbit.  FRCS  is  not  included  in  determining  the  window  because  it  would 
require  the  use  of  a  “fast  flip”  during  the  deorbit  burn  which  is  highly  undesirable.  The  inverse  of  the 
retrograde  window,  the  OOP  TIG  window,  is  what  is  actually  provided  to  the  crew  on  the  trajectory 
message.  If  the  “good  pod”  can  support  shallow  but  not  steep  deorbit  and  TIG  for  the  leaking  OMS 
burn  is  in  the  OOP  TIG  window,  the  crew  will  burn  out-of-plane. 

For  high  altitude  flights,  all  the  OMS  on  the  leaking  side  may  not  be  enough  to  get  perigee  down  to  95 
nm  In  these  cases,  the  maximum  delta  V  available  from  the  OMS  will  be  used  to  lower  perigee  as  much 
as  possible  and  this  value  will  be  used  in  determining  the  OOP  TIG  window. 
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However,  if  shallow  deorbit  capability  does  not  exist  from  the  good  OMS  pod,  it  is  imperative  that  a 
perigee  adjust  be  performed  from  the  leaking  pod.  The  perigee  adjust  burn  must  be  performed 
immediately  in  order  to  guarantee  deorbit  with  one  exception:  If  the  leak  rate  is  “slow”  enough  to 
guarantee  supporting  the  optimum  perigee  adjust  opportunity,  and  the  pod  thermal  environment  will  also 
support,  the  burn  will  be  performed  at  the  optimum  point  to  enhance  CONUS  landing  capability.  For 
this  case,  a  maneuver  to  cm  LVLH  retrograde  burn  attitude  will  be  performed  immediately  and 
maintained.  If  there  is  any  uncertainty  in  the  leak  rate  computations  or  pod  thermal  environmen  t  will  not 
support  the  opportunity,  the  perigee  adjust  will  be  performed  immediately  in  order  to  guarantee  deorbit 
to  a  landing  site.  Any  leaks  detected  by  the  crew  through  the  FDA  is  considered  a  fast  leak.  It  is 
possible  that  the  only  deorbit  capability  available  after  the  perigee  adjust  is  performed  is  to  a  southern 
hemisphere  ELS.  The  crew  will  be  informed  whether  shallow  deorbit  capability  currently  exists. 

The  ground  will  also  send  up  the  delta  times  from  the  ascending  node  for  the  opening  and  the  closing  of 
the  OOP  TIG  window.  The  crew  will  use  this  information  for  the  case  of  cm  OMS  leak  while  out  of 
communications  coverage  with  the  ground.  If  the  TIG  is  inside  the  OOP  TIG  window,  the  crew  will 
execute  the  OMS  burn  out  of  plane.  Otherwise,  the  OMS  burn  will  be  a  perigee  adjust  maneuver.  If  the 
OMS  burn  is  performed  out  of  plane,  the  FRCS  may  be  burned  retrograde  at  the  optimum  perigee  adjust 
TIG  on  a  later  orbit. 

If  the  engine  cu  toff  occurs  before  the  desired  perigee,  it  may  or  may  not  be  desirable  to  complete  the 
burn  with  the  FRCS  if  deorbit  will  occur  within  the  next  four  orbits.  This  is  dependen  t  upon  the  position 
in  the  orbit  where  the  perigee  adjust  is  executed.  If  perigee  is  in  the  wrong  place  in  the  orbit,  completing 
the  burn  with  the  FRCS  may  actually  increase  the  deorbit  delta  V.  However,  if  the  perigee  adjust  is 
executed  near  the  optimum  TIG,  it  will  be  better  to  complete  in  order  to  lower  the  deorbit  delta  V.  The 
FDO  will  have  to  determine  in  real  time  whether  completion  on  the  FRCS  is  required. 

If  the  orbiter  state  is  well  known  at  the  perigee  adjust  maneuver,  the  onboard  guidance  cmd  navigation 
will  properly  model  the  maneuver  with  sensed  velocity  changes  from  the  IMU’s.  A  confirmation  of  the 
maneuver  will  be  performed  by  the  MCC.  In  this  case,  onboard  GNC  is  believed  to  be  good  and  one 
orbit  of  tracking  is  not  required  to  obtain  a  state  vector  for  the  deorbit  maneuver  computation. 
@[072601-4529] 

GPS  provides  an  accurate  state  vector  shortly  after  cm  orbit  adjust  maneuver  as  long  as  it  is  verified  to 
be  functioning  properly  (no  hardware  problems  or  commfaults,  low  FOM,  tracking  4  satellites).  Caution 
should  be  taken  when  using  GPS  state  vectors  with  FOM’s  >5  (650 feet  position  error  one  sigma )  since 
the  estimated  position  error  increases  rapidly  with  higher  FOM  values.  Possible  deorbit  delays  due  to 
ground  navigation  requirements  can  be  avoided  by  using  GPS  for  the  post-burn  state  vector  confirmation 
and  deorbit  maneuver  computation.  @[072601-4529  ] 

Experience  has  shown  that  one  orbit  of  tracking  data  will  provide  a  state  vector  of  sufficien  t  quality 
upon  which  to  compute  a  deorbit  maneuver.  Therefore,  if  after  completion  of  the  perigee  adjust  burn 
insufficient  time  is  available  to  obtain  the  necessary  tracking,  the  deorbit  maneuver  will  be  slipped  to 
provide  enough  time  to  obtain  the  vector. 
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For  the  case  of  an  OMS  leak  during  the  timeframe  of  a  deploy,  the  most  expedient  means  of  dumping  the 
leaking  propellant  will  be  executed.  With  a  deployed  payload,  concern  is  not  only  with  the  actual 
perigee  adjust  maneuver  and  the  resulting  deorbit  considerations,  but  must  also  take  into  consideration 
the  separation  dynamics  between  the  payload  and  the  orbiter.  When  possible,  restowing  or  aborting  the 
deploy  eliminates  having  to  solve  critical  problems  simultaneously.  Therefore,  the  procedures  have  been 
written  to  use  the  most  conservative  approach  in  all  cases  to  optimize  the  chances  of  getting  the  orbiter 
ready  to  perform  the  OMS  burn  ASAP.  For  the  cases  where  the  deploy  is  aborted,  the  same  logic 
discussed  above  will  be  used  in  determining  whether  to  burn  out  of  plane  retrograde.  The  reason  for 
assuming  the  payload  will  be  deployed  prior  to  deorbit  is  that  it  is  not  justified  to  protect  for  multiple 
payload  failures  that  will  not  allow  for  deployment  or  jettison  while  working  an  OMS  leak.  Also,  the 
delta  V  available  increases  due  to  decreased  orbiter  weight.  This  serves  to  increase  the  chance  that 
shallow  deorbit  capability  will  exist  from  the  current  orbit  and  not  force  a  retrograde  burn.  A 
retrograde  burn  performed  in  the  wrong  phase  in  the  orbit  could  force  a  southern  hemisphere  landing. 
This  maximizes  the  chan  ce  for  a  deorbit  to  a  CONUS  site.  For  the  cases  where  the  payload  is  ready  for 
deploy,  it  was  determined  that  it  is  best  to  proceed  with  the  deploy  in  order  to  decrease  the  orbiter  weight 
and  therefore  increase  the  efficiency  of  the  remaining  propellant. 

For  the  IUS  cases,  once  the  payload  is  elevated  at  29  degrees,  restowing  the  IUS  uses  functions  that  have 
just  been  verified  to  operate  while  deploy  requires  the  additional  use  of  umbilical  release  and 
SUPER*ZIP functions.  Once  the  umbilicals  have  been  released,  however,  it  is  best  to  proceed  with  the 
deploy  since  the  payload  is  almost  ready  for  deploy.  Performing  the  perigee  adjust  postdeploy  places  the 
orbiter  in  front  of  and  below  the  IUS  at  SRM-1  TIG.  A  minimum  of  57  fps  is  required  from  the  perigee 
adjust  in  order  to  ensure  orbiter  safety.  This  minimum  delta  V  would  ensure  a  closest-point-of-approach 
(CPA)  distance  of  no  less  than  30  nm  between  the  orbiter  and  the  IUS  post-SRM-1.  This  assumes  a  worst 
case  poin  ting  error  at  SRM-1  of  1.8  degrees  for  the  IUS.  Failure  to  obtain  the  minimum  delta  V  would 
place  the  orbiter  closer  than  30  nm  to  the  IUS  at  CPA  and  would  require  the  IUS  to  be  master  scifed. 

When  an  OMS  leak  is  detected  postdeploy  for  a  spin  -stabilized  deployable  (PAM-D,  PAM-D2,  and 
Frisbee),  separation  dynamics  must  be  considered.  If  the  leaking  OMS  is  to  be  burned  out  of  plane, 
performing  a  minimum  separation  burn  (posigrade)  ASAP  after  the  deploy  will  provide  acceptable 
separation  dynamics.  The  leaking  OMS  can  then  be  burned  out  of  plane  with  no  consequences.  If  the 
leaking  OMS  is  to  be  burned  retrograde,  separation  dynamics  dictate  that  a  retrograde  burn  not  be 
performed  prior  to  deploy  plus  15  minutes.  If  the  leak  rate  is  fast,  the  separation  burn  is  replaced  with  a 
perigee  adjust  burn  of  at  least  18  fps  (to  protect  for  the  10X  tile  erosion  limit)  at  the  nominal  separation 
TIG.  If  the  leak  rate  is  extremely  slow,  the  perigee  adjust  should  be  burned  at  the  optimum  TIG  to 
enhance  the  CONUS  landing  capability.  For  a  descending  deploy,  this  can  be  accomplished  by 
replacing  the  nominal  separation  burn  with  a  perigee  adjust  (18  fps  minimum)  at  the  optimum  TIG.  For 
an  ascending  deploy,  the  optimum  perigee  adjust  TIG  is  after  PKM  ignition.  Therefore,  a  minimum 
separation  burn  must  be  performed  at  the  nominal  separation  TIG  to  protect  for  the  10X  tile  erosion 
limit,  and  a  perigee  adjust  can  be  performed  at  the  next  optimum  perigee  adjust  TIG. 
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If  executing  the  perigee  adjust  after  a  deploy  requires  less  than  the  above  stated  minimum  delta  V’s  to 
reach  95  nm,  consideration  will  be  given  in  real  time  to  taking  perigee  as  low  as  90  nm  using  delta  V 
from  the  leaking  pod  in  order  to  achieve  the  minimum  delta  V.  This  consideration  will  protect  for 
48-hour  orbit  lifetime  from  the  resulting  orbit  and  will  not  normally  be  exercised  if  it  jeopardizes  the 
ability  to  deorbit  to  a  CONUS  site  by  increasing  the  required  deorbit  delta  V. 

Rule  { A6-51P j,  OMS  FAILURE  MANAGEMENT  [CIL],  references  this  rule. 

A4-105  MINIMUM  TIME  OF  FREE  FALL 

TIME  BETWEEN  DEORBIT  MANEUVER  CUTOFF  AND  4  0  OK  FEET  MUST  BE ?  9 
MINUTES . 

The  minimum  time  required  for  execution  of  the  checklist  procedures  between  deorbit  burn  cutoff  and  El 
is  9  minutes.  These  procedures  include  maneuvering  to  the  El  minus  5  minute  attitude,  powering  down 
the  OMS  gimbals,  executing  the  FRCS  dump  ( when  required),  verifying  switch  positions,  and  starting  the 
remaining  APU’s. 
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DEBRIS  AVOIDANCE  CRITERIA  FOR  PREDICTED 
CONJUNCTIONS  (HC)  ®[070899-6888A]  @[022201-3911  A] 

A.  A  DEBRIS  AVOIDANCE  MANEUVER  MAY  BE  PERFORMED  IF  THE  RISK  OF 
COLLISION  IS  GREATER  THAN  THE  OPERATIONAL  IMPACT  OF 
PERFORMING  THE  MANEUVER.  THE  CRITERIA  FOR  DETERMINING  THE 
RELATIVE  RISK  OF  COLLISION  VERSUS  THE  OPERATIONAL  IMPACT  OF 


THE 

MANEUVER  IS  OUTLINED  BELOW: 

1  . 

YELLOW  THRESHOLD 

FOR  A  PROBABILITY  OF  COLLISION  (Pc)  GREATER  THAN  1 CT5  BUT 
LESS  THAN  1  CT4 : 

A  MANEUVER  WILL  BE  PERFORMED  UNLESS  IT  RESULTS  IN  MORE 

THAN  MINIMAL  IMPACTS  TO  OPERATIONS  OR  MISSION  OBJECTIVES. 
THE  REQUIREMENT  FOR  THE  MANEUVER  WILL  BE  BASED  ON  THE 
PROBABILITY  OF  COLLISION  VS  THE  IMPACT  OF  THE  MANEUVER. 

IF  COVARIANCE  DATA  IS  UNAVAILABLE,  THE  YELLOW  THRESHOLD 
WILL  BE  BASED  ON  A  PREDICTED  MISS  DISTANCE  BETWEEN ?1  KM  X 

? 7  KM  X  ? 7  KM  (? 0 . 5  NM  X  ?3.8  NM  X  ?3.8  NM)  AND  ?0.5  KM  X 

? 4  KM  X  ?4  KM  (?0 . 3  NM  X  ?2 . 2  NM  X  ?2 . 2  NM)  (DEFINED  IN 

UVW  COORDINATES  RELATIVE  TO  THE  SHUTTLE  AS  RADIAL  X  ALONG- 

TRACK  X  OUT-OF-PLANE) . 

2  . 

RED  THRESHOLD 

FOR  A  PROBABILITY  OF  COLLISION  GREATER  THAN  1  CT4 : 

A  MANEUVER  WILL  BE  PERFORMED  UNLESS  IT  RESULTS  IN  SHUTTLE 
REFLIGHT,  VEHICLE  HARDWARE  DAMAGE,  ADDITIONAL  EVA,  OR 
CREATES  ADDITIONAL  RISK  FOR  THE  CURRENT  OR  FUTURE  CREW  OR 
VEHICLE.  THE  REQUIREMENT  FOR  THE  MANEUVER  WILL  BE  BASED 

ON  PROBABILITY  OF  COLLISION  VS  THE  IMPACT  OF  THE 

MANEUVER.  ©[070899-6888A]  @[022201-391 1  A] 
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IF  COVARIANCE  DATA  IS  UNAVAILABLE,  THE  RED  THRESHOLD  WILL 
BE  BASED  ON  A  PREDICTED  MISS  DISTANCE  LESS  THAN?0.5  KM  X 
? 4  KM  X  ?4  KM  (?0 . 3  NM  X  ?2 . 2  NM  X  ?2 . 2  NM)  (DEFINED  IN 

UVW  COORDINATES  RELATIVE  TO  THE  SHUTTLE  AS  RADIAL  X 
ALONG-TRACK  X  OUT-OF-PLANE)  .  @[022201-391 1  A] 

USSPACECOM  predicts  close  conjunctions  between  the  shuttle  and  any  other  orbiting  object  that  can  be 
tracked  and  periodically  transfers  state  vector  and  at- conjunction  object  position  covariance  matrices  to 
JSC  for  those  conjunctions  within  an  “alert  box”  defined  by  a  2  km  radial  distance  from  the  shuttle ,  25 
km  along  track,  and  25  km  out-of-plane.  JSC  uses  this  data  along  with  the  shuttle  covariance  and  state 
vector  to  compu  te  the  probability  of  collision  (Pc).  ©[070899-6888A] 

A  Pc  between  10  5  and  10  4  is  considered  high  enough  commensurate  with  other  program  risks  that  a 
maneuver  will  be  performed  unless  the  operational  and  mission  impacts  are  more  than  minimal. 

Examples  of  minimal  operations  impacts  include  but  are  not  limited  to: 

a.  Minor  consumables  usage 

b.  Minor  rearrangemen  t  of  the  timeline 

c.  Interruption  ofpre-  or  post-sleep 

A  Pc  greater  than  10  4  is  considered  high  enough  that  a  maneuver  should  be  performed  unless  it  would 
result  in  the  loss  of  high  priority  objectives,  which  have  reflight  implications,  or  increase  the  overall  risk 
to  the  current  or  future  crew  or  vehicle.  Examples  of  potential  risk  increases,  which  should  be 
considered,  include  but  are  not  limited  to:  @[022201-391 1  A] 

a.  Loss  of  high  priority  objectives  as  defined  in  the  flight  specific  flight  rules  annex  which  may  have 
reflight  implications 

b.  Vehicle  hardware  damage  or  damage  to  payloads  that  may  require  reflight 

c.  Additional  EVA 

d.  Critical  consumables  usage 

e.  Interruption  of  crew  sleep  prior  to  EVA,  RNDZ,  entry  or  other  critical  activity  ©[070899-6888A] 

THIS  RULE  CONTINUED  ON  NEXT  PAGE 


VOLUME  A  06/20/02  FINAL  TRAJECTORY  AND  GUIDANCE  4-65 

Verify  that  this  is  the  correct  version  before  use. 


NASA  -  JOHNSON  SPACE  CENTER 


FLIGHT  RULES 


A4-106  DEBRIS  AVOIDANCE  CRITERIA  FOR  PREDICTED 

CONJUNCTIONS  (HC)  (CONTINUED) 


Note  that  because  collision  avoidance  maneuvers  are  small  in  magnitude,  typically  1  or  2  m/sec,  such  a 
maneuver  can  normally  be  included  in  the  plan  without  causing  loss  of  primary  objectives,  hardware 
damage,  additional  EVA,  or  excessive  use  of  consumables.  For  those  rare  instances  where  a  maneuver 
cannot  be  performed  without  significant  impact,  the  flight  control  team  must  trade  those  operational 
impacts  of  the  maneuver  versus  the  estimated  risk  of  collision.  Note  that  the  Pc  may  be  high  enough 
that  a  maneuver  will  be  performed  even  when  there  are  operational  impacts,  if  the  risk  of  collision  is 
deemed  higher  than  the  risk  associated  with  the  operational  impact.  This  means  that  an  EVA  could  be 
terminated  early,  consumables  margins  may  be  used,  or  crewmembers  awakened  if  the  risk  of  collision 
warrants  these  operational  impacts.  ®[070899-6888A]  @[022201-391 1  A] 

If  covariance  data  is  unavailable,  the  red  and  yellow  thresholds  will  be  based  on  predicted  miss  distance. 
For  a  predicted  miss  distance  of  1  km  x  7  km  x  7  km,  the  risk  of  collision  is  commensurate  to  the  yellow 
threshold.  For  a  predicted  miss  distance  of  0.5  km  x  4  km  x  4  km,  the  risk  of  collision  is  commensurate 
to  the  red  threshold.  When  using  miss  distance  as  the  collision  avoidance  criteria,  the  flight  control 
team  will  consider  trends  in  miss  distances,  shuttle  state  vector  updates,  and  object  state  vector  updates 
to  qualitatively  assess  the  uncertain  ty  in  the  miss  distances  at  the  time  of  the  conjunction.  The 
requirement  for  a  maneuver  will  be  based  on  the  magnitude  of  and  confidence  in  the  predicted  miss 
distances  compared  to  the  estimated  risk  associated  with  the  operational  impact  of  the  maneuver. 

B.  IF  A  DEBRIS  AVOIDANCE  MANEUVER  IS  PERFORMED,  THE  RESULTANT 

PROBABILITY  OF  COLLISION  WITH  THE  DEBRIS  OBJECT  BEING  AVOIDED 
WILL  BE  LESS  THAN  1CT7.  IF  COVARIANCE  DATA  IS  UNAVAILABLE,  THE 
DEBRIS  AVOIDANCE  MANEUVER  WILL  ENSURE  THAT  THE  MISS  DISTANCE 
WITH  THE  DEBRIS  OBJECT  LIES  OUTSIDE  OF  THE  YELLOW  THRESHOLD 
MANEUVER  BOX. 

Performing  a  debris  avoidance  maneuver  can  be  a  significant  impact  to  operations;  therefore,  when  one 
must  be  executed,  there  should  be  a  sufficient  assurance  that  another  will  not  be  necessary  immediately 
afterward.  When  calculating  the  post-debris-avoidance-maneuver  probability  of  collision  with  the  debris 
object,  only  the  change  in  miss  distance  should  be  incorporated.  The  increase  in  shuttle  uncertainty  due 
solely  to  the  debris  avoidance  maneuver  should  not  be  included  in  the  calculation.  If  the  change  in 
uncertainty  due  solely  to  the  debris  avoidance  maneuver  is  included  in  the  post  maneuver  calculation,  it  is 
possible  that  a  debris  avoidance  maneuver  could  be  accomplished  which  does  not  sufficiently  increase  the 
miss  distance  with  the  debris  object  even  though  the  probability  of  collision  is  less  than  10  ' . 

The  collision  avoidance  maneuver  may  be  performed  even  if  it  introduces  a  future  conjunction  with 
another  object.  A  future  conjunction,  although  undesirable,  does  not  diminish  the  need  to  avoid  the 
presen  t  conjunction.  @[022201  -391 1  A] 
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A4-107  PLS/EOM  LANDING  OPPORTUNITY  REQUIREMENTS 

A.  ALL  OF  THE  FOLLOWING  CRITERIA  ARE  REQUIRED  FOR  A  PLS  (OTHER 
THAN  FIRST  DAY  PLS,  REF.  RULE  {A2-1F},  PRELAUNCH  GO/NO-GO 
REQUIREMENTS)  MDF ,  OR  EOM  LANDING  OPPORTUNITY  (NOT  IN 
PRIORITY  ORDER) : 

1.  NASA  CONUS  SITE:  KSC,  EDW,  NOR.  FOR  NO-COMM  PLS 
PLANNING,  EDW  IS  PREFERRED. 


Only  the  three  prime  NASA  CONUS  sites  should  be  considered  for  PLS  or  EOM.  The  daily  PLS 
planning  results  in  a  crew  message  for  no-comm  execution  if  total  communications  are  lost;  ref  Rule 
{All-52},  LOSS  OF  BOTH  VOICE  AND  COMMAND.  In  the  case  of  other  problems,  ground  evaluation 
of  the  landing  site  can  be  made  very  shortly  before  deorbit  burn.  However,  for  the  no-comm  case,  the 
crew  may  be  required  to  execute  a  deorbit  to  a  site  that  was  picked  many  hours  previously.  Since  EDW 
weather  is  in  general  much  more  stable  than  KSC  and  additional  lateral  and  longitudinal  margins  are 
available  in  the  case  of  poor  navigation  (likely  for  a  no-comm  entry)  or  other  orbiter  systems  problems, 
EDW  is  the  preferred  no-comm  PLS  site  when  all  other  considerations  are  equal.  ®[ED  ] 

2.  WIND  AND  WEATHER  CONDITIONS  (REF.  RULE  {A2-6},  LANDING 

SITE  WEATHER  CRITERIA  [  HC  ]  )  ®[1 20894-1 622B] 

3.  ACCEPTABLE  ENTRY  ANALYSIS  INCLUDING: 

NOTE:  ENTRY  ANALYSIS  IS  NOT  PERFORMED  FOR  DAILY  NO-COMM 

PLS  SELECTION. 

a.  APPROACH  AND  LAND  TRANSITION  (REF.  RULE  {A4-156},  HAC 
SELECTION  CRITERIA) . 

b.  NORMALIZED  TOUCHDOWN  DISTANCE  (REF.  RULE  {A4-110}, 

AIMPOINT,  EVALUATION  VELOCITY,  AND  SHORT  FIELD 
SELECTION)  .  ®[072795-1 788A  ] 

C.  MAXIMUM  TIRE  SPEED,  ROLLOUT  MARGIN,  AND  BRAKE  ENERGY 
CONSTRAINTS  (REF.  RULE  {A4-108},  TIRE  SPEED,  BRAKING, 
AND  ROLLOUT  REQUIREMENTS) . 
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d.  NZ  AND  Q-BAR  CONSTRAINTS  (REF.  RULE  {A4-207},  ENTRY 
LIMITS)  .  ®[072795-1788A  ] 

Rule  { A4-112J ,  LOWER  LEVEL  MEASURED  WIND  AND  ATMOSPHERIC  DATA,  requires  accurate 
lower  level  atmospheric  data  that  is  used  for  analysis  of  the  entry  trajectory  to  ensure  safety.  The  main 
gear  tires  are  certified  to  225  knots  groundspeed.  This  constraint  may  limit  the  allowable  tailwind  based 
on  the  predicted  EAS  and  density  altitude.  Violation  of  brake  energy  and  rollout  constraints  may  result, 
in  dispersed  cases,  in  run  way  departure  or  excessive  braking  requiremen  ts  that  could  lead  to  tire  fires. 

Rule  {A2-6A},  LANDING  SITE  WEATHER  CRITERIA  [HC],  references  this  rule.  Since  the  no-comm 
PLS  landing  would  be  executed  many  hours  after  the  site  had  been  selected,  entry  analysis  using 
environmental  observations  are  not  relevant  and  therefore  will  not  be  performed.  ®[071 494-1 621  A] 

®[1 20894-1 622B]  ®[ED  ] 

4.  ENTRY  CROSSRANGE  LESS  THAN  DISPERSED  OR  THE  THERMAL 
CROSSRANGE  LIMIT,  WHICHEVER  IS  MORE  CONSTRAINING. 

The  dispersed  crossrange  limit  represen  ts  the  vehicle  capability  to  converge  to  nominal  conditions  by 
TAEM  in  terface  (Mach  2.5)  assuming  3 -sigma  combinations  of  navigation,  atmosphere,  energy,  and  winds. 
All  planned  and  acceptable  entries  must  have  a  crossrange  which  is  less  than  the  dispersed  crossrange 
limit.  Landing  sites  with  crossrange  between  the  dispersed  and  undispersecl  limits  should  not  be 
considered.  (Ref.  the  Annex  Flight  Rule,  TRAJECTORY  AND  GUIDANCE  PARAMETERS.)  ®[ED  ] 

The  flight  specific  thermal  crossrcmge  limit  protects  the  upper  surface  thermal  constraints  for  high 
crossrcmge  en  tries.  Du  ring  high  crossrcmge  en  tries,  the  orbiter  main  tains  a  roll  angle  for  a  long  period 
of  time  to  reduce  crossrcmge  prior  to  the  first  roll  reversed.  Heading  rates  incurred  by  non-zero  roll 
attitudes  will  be  sensed  by  the  FCS  pitch  rate  gyros  as  small  positive  pitch  rates.  As  a  result,  the  FCS 
will  main  tain  an  angle  of  attack  somewhat  less  than  that  desired  as  it  attempts  to  compensate  for  this 
pseudo  pitch  rate.  This  results  in  increased  heating  to  the  upper  surface,  which  may  result  in  excessive 
structural  temperatures.  The  actual  thermal  crossrcmge  limit  is  flight  specific.  (Ref.  the  Annex  Flight 
Rule,  TRAJECTORY  AND  GUIDANCE  PARAMETERS.)  ®[07i  494-1621  A]  ®[ED  ] 

5.  SUFFICIENT  GROUND  EQUIPMENT  SUPPORT  INCLUDING 
REDUNDANCY  MUST  BE  PROVIDED  TO  SATISFY  A/G  VOICE, 
TELEMETRY,  TRACKING,  AND  COMMAND  REQUIREMENTS  AND  FULL 
REDUNDANCY  TO  NAVIGATION  AIDS  AS  SPECIFIED  IN  SECTION 
3.  NOTE:  TRACKING  SUPPORT  IS  NOT  SCHEDULED  FOR  THE 
DAILY  PLS  OPPORTUNITY.  IF  A  PLS  IS  REQUIRED,  TRACKING 
SUPPORT  WILL  BE  ON  A  "BEST  EFFORT"  BASIS. 

THIS  RULE  CONTINUED  ON  NEXT  PAGE 


VOLUME  A  11/21/02  FINAL,  PCN-1  TRAJECTORY  AND  GUIDANCE  4-68 

Verify  that  this  is  the  correct  version  before  use. 


NASA  -  JOHNSON  SPACE  CENTER 


FLIGHT  RULES 


A4-107  PLS/EOM  LANDING  OPPORTUNITY  REQUIREMENTS 

(CONTINUED) 

6.  DAYLIGHT  LANDING  (SUNRISE  MINUS  15  MINUTES  TO  SUNSET  PLUS 
15  MINUTES)  UNLESS  THE  CREW  IS  SPECIFICALLY  TRAINED  FOR 
NIGHT  LANDING. 

All  crews  receive  pilot  pool  training  for  night  landing,  and  an  emergency  landing  at  an  augmen  ted 
landing  site  is  reasonably  assured  of  success.  However,  unless  the  crew  is  specifically  trained  for  night 
landing,  the  additional  risk  should  be  avoided. 

7.  CREW  SCHEDULING  CONSTRAINTS  MUST  BE  MET  FOR  PLS  PLANNING, 
AT  LEAST  7  HOURS  BUT  NOT  GREATER  THAN  16  HOURS,  BETWEEN 
THE  SCHEDULED  WAKE-UP  AND  LANDING  TIME  FOR  BOTH  SHIFTS  IF 
THE  FLIGHT  IS  DUAL  SHIFT.  FOR  DAILY  PLS  SELECTION,  THE 
CONSTRAINT  MAY  BE  RELAXED  TO  AT  LEAST  5  HOURS  BETWEEN 
SCHEDULED  WAKEUP  ( CDR  AND  PLT  ONLY)  AND  LANDING  TIME  IF 
THIS  GIVES  A  BACKUP  (ONE  ORBIT  LATE)  OPPORTUNITY. 

The  Crew  Scheduling  Constraints  Documen  t  (Appendix  K  of  the  Space  Shuttle  Crew  Procedures 
Management  Plan)  contains  the  7  to  16  hour  wakeup-to-landing  workday  limit.  That  same  document  also 
gives  limits  to  shifting  crew  sleep  times.  For  next  PLS  situations,  a  backup  opportunity  is  important  since 
the  use  of  the  PLS  will  be  driven  by  a  systems  failure  that  dictates  coming  out  of  orbit  that  day. 

Therefore,  the  orbit  late  increases  the  probability  of  landing  on  that  day,  allowing  a  wave-off  for  further 
systems  anomalies,  vehicle  configuration,  or  weather  violations.  The  minimum  of  5  hours  between 
scheduled  wakeup  and  landing  ensures  the  full  deorbit  preparation  tuneline  (4  hours )  plus  the  additional 
hour  between  deorbit  and  landing.  Other  activities,  such  as  cabin  stowage  and  postsleep  would  have  to 
overlap  with  the  deorbit  preparation  or  be  provided  by  a  shift  in  the  crew  sleep  period. 

B.  RULE  { A2 -2 0 7 } ,  LANDING  SITE  SELECTION,  WILL  BE  USED  TO  CHOOSE 
BETWEEN  SITES  THAT  MEET  ALL  REQUIREMENTS  IN  PART  A.  THE 
FOLLOWING  ADDITIONAL  CRITERIA  LISTED  BELOW,  IN  ORDER  OF 
PRIORITY,  WILL  BE  USED  TO  FURTHER  CHOOSE  BETWEEN  LANDING 
SITES/OPPORTUNITIES : 

1.  BACKUP  (ONE  ORBIT  LATE)  OPPORTUNITY  TO  ANY  CONUS  SITE. 

A  one-orbit  late  landing  opportunity  to  any  of  the  three  CONUS  landing  sites  is  particularly  important  in 
determining  the  daily  PLS  site  since  next  PLS  rules  are  driven  by  orbiter  system  failures  that  dictate 
coming  out  of  orbit  that  day. 

2.  BACKUP  OPPORTUNITY  TO  THE  PLS. 

A  backup  opportunity  to  the  PLS  is  desirable  since  all  of  the  ground  facilities  and  team  are  on  station 
and  prepared  for  the  landing  and  the  higher  priority  site  would  be  achieved  in  the  event  of  a  wave-off  for 
one  orbit. 
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3.  POSTLANDING  OPERATIONS. 

If  all  of  the  above  criteria  are  met  at  more  than  one  site,  the  site  will  be  selected  based  on  the  post- 
landing  convoy,  payloads,  and  vehicle  turnaround  support.  Also  note  that  many  orbiter  malfunctions  in 
entry  critical  systems  have  specific  landing  site  requirements  and  this  may  drive  the  landing  selection  at 
a  higher  priority  than  this  rule. 

4.  ENTRY  CROSSRANGE  <  DTO  CROSSRANGE  LIMIT. 

On  flights  which  have  entry  aerodynamic  DTO’s/PTI’s  manifested,  the  site  or  opportunity  that  will  allow 
these  tests  to  be  performed  is  desired.  The  DTO  crossrange  is  more  constraining  than  the  dispersed 
crossrange  limit  in  cm  attempt  to  account  for  the  dispersion  imposed  on  the  crossrcmge  due  to  guidance 
lockout  during  the  execution  of  the  PTI’s.  The  DTO  crossrange  limit  is  last  on  the  priority  list  due  to  the 
maturity  of  the  aerodynamic  data  base  resulting  from  a  long  history  of  successful  entry  DTO  flights. 
Reference  the  Annex  Flight  Rule,  TRAJECTORY  AND  GUIDANCE  PARAMETERS,  for  the  limit. 

®[ED  ] 

Rule  ( A2-6} ,  LANDING  SITE  WEATHER  CRITERIA  [HC],  references  this  rule.  ®[i 20894-1 622B] 

C.  FOR  DAILY  PLS  FOR  NO-COMM  DEORBIT  PLANNING,  TO  MAINTAIN  A 
CONUS  LANDING  SITE,  CONSIDERATION  MAY  BE  GIVEN  TO  THE 
FOLLOWING:  RELAXATION  OF  WEATHER  CRITERIA  TO  ACLS  CONDITIONS 
(REF.  RULE  { A2-6 } ,  LANDING  SITE  WEATHER  CRITERIA  [HC]), 
REASONABLE  MODIFICATIONS  TO  CREW  SCHEDULING  CONSTRAINTS, 
NIGHT  LANDING,  AND  SMALL  VIOLATIONS  OF  DISPERSED  CROSSRANGE. 

®[1 20894-1 622B] 

Relaxation  to  ACLS  weather  conditions,  small  variances  to  crew  sleep  scheduling,  acceptance  of  night 
landing,  and  small  exceedances  of  dispersed  crossrcmge  may  be  allowed  to  pick  a  CONUS  site  for  the 
no-comm  next  PLS  opportunity.  Since  the  weather-forecasts  are  for  several  hours  in  the  future,  there  is 
the  opportunity  for  improvement.  Landing  at  one  of  the  CONUS  sites  (ref.  Rule  {A2-207J,  LANDING 
SITE  SELECTION )  generally  provides  communications,  command,  tracking,  landing  aids,  and  ground 
site  support.  Also,  facilities  are  available  to  mate  the  orbiter  to  the  SCA,  thereby  minimizing  any  vehicle 
turnaround  and  scheduling  impacts.  Additionally,  CONUS  landings  avoid  the  political  and  logistical 
ramifications  of  landing  in  a  foreign  coun  try.  Somewhat  degraded  conditions  are  acceptable  for  daily 
PLS  planning  rather  than  picking  a  non-CONUS  site  even  including  the  ACLS  sites  such  as  Ben  Guerir, 
Hawaii,  or  Guam. 
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TIRE  SPEED,  BRAKE  ENERGY,  AND  ROLLOUT  MARGIN  CONSTRAINTS  ARE 
DEFINED  AS  FOLLOWS:  ®[072795-1 788B  ] 

Rollout  margin  and  brake  energy  limits  are  identified  in  order  to  ensure  that  the  orbiter  can  stop  within 
the  runway  limitations.  The  touchdown  tire  speed  limit,  in  combination  with  the  crosswind  limits  (ref. 

Rule  { A2-6J ,  LANDING  SITE  WEATHER  CRITERIA  [HC]),  provides  protection  against  tire  failure 
during  touchdown  and  rollout.  Rollout  margin  is  meant  to  account  for  the  environmental  and 
procedural  variations  that  can  directly  impact  the  vehicle  stopping  distance.  Brake  energy  limits  protect 
the  capability  of  the  brakes  to  stop  the  orbiter  ( ref.  Entry  FTP  Meeting  #35,  9/11/87).  ®[072795-l  788B  ] 

A.  CALCULATION  ASSUMPTIONS: 

1.  THE  PREDICTED  TOUCHDOWN  TIRE  SPEED  IS  COMPUTED  AT  THE 
EVALUATION  TOUCHDOWN  EAS  .  ®[072795-1 788B  ] 

2.  DRAG  CHUTE  IS  NOT  CONSIDERED.  ®[050495-1745D] 

3.  DEROTATION  IS  ASSUMED  AT  180  KEAS  AT  2 . 2  DEGREES/SEC,  REF 
RULE  {  A2  -2  0  6  }  ,  DEROTATION  SPEED  .  ®[050495-1745D] 

4.  BRAKING  INITIATION  IS  AFTER  MIDFIELD  AT  140  KGS  OR  AT 
5000  FEET  REMAINING,  WHICHEVER  IS  FIRST,  AT  A  MAXIMUM 
DECELERATION  OF  9  FT/SEC/SEC.  THE  FOLLOWING  EXCEPTIONS 
ARE  ALLOWED: 

a.  IF  BRAKE  ENERGY  IS  VIOLATED,  IT  IS  ACCEPTABLE  TO 
DELAY  BRAKE  APPLICATION  TO  120  KGS  AS  LONG  AS  ROLLOUT 
MARGIN  ALLOWS  AND  BRAKE  APPLICATION  IS  NOT  DELAYED 
PAST  5000  FT  REMAINING.  THIS  IS  PREFERRED  OVER 
RUNWAY  REDESIGNATION. 

b.  IF  ROLLOUT  MARGIN  IS  VIOLATED,  IT  IS  ACCEPTABLE 
TO  BEGIN  BRAKE  APPLICATION  AS  SOON  AS  NOSE  GEAR 
TOUCHDOWN  OCCURS  BUT  NOT  EARLIER  THAN  225  KGS, 

AND  AS  LONG  AS  BRAKE  ENERGY  IS  NOT  VIOLATED. 

®[050495-1745D] 
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B.  TIRE  SPEED  -  PREDICTED  GROUND  SPEED  NOT  TO  EXCEED  214  KGS 
AT  THE  EVALUATION  TOUCHDOWN  EAS .  (REF  RULE  {A4-110}, 

AIMPOINT,  EVALUATION  VELOCITY,  AND  SHORT  FIELD  SELECTION) . 
®[072795-1 788B  ] 

Rule  {A4-112},  UPPER  AND  LOWER  LEVEL  MEASURED  WIND  AND  ATMOSPHERIC  DATA,  requires 
accurate  lower  level  atmospheric  data  than  is  used  for  analysis  of  the  entry  trajectory  to  insure  safety.  The 
214  KGS  predicted  touchdown  speed  limit  is  based  on  providing  a  minimum  of  11  KTS  margin  from  the 
225  KGS  orbiter  tire  certification  limit  given  in  the  Orbiter  Vehicle  End  Item  Specification.  The  11  KTS 
margin  is  derived  from  the  RSS  of  air  data  system  (3  sigma),  winds  (3  sigma),  and  piloting  (<  1  sigma) 
dispersions.  The  short  field  speedbrake  logic  may  be  used  to  gain  tire  speed  margin  if  the  predicted  tire 
speed  with  nominal  speedbrake  logic  is  >  214  KGS,  but  ?  225  KGS  {ref.  Rule  {A4-110},  AIMPOINT, 
EVALUATION  VELOCITY,  AND  SHORT  FIELD  SELECTION).  The  probability  of  exceeding  the  225  KGS 
certification  limit  depends  on  the  landing  site,  touchdown  evaluation  velocity,  wind,  atmospheric 
conditions  and  persistence,  ADTA  errors/biases,  and  pilot-induced  dispersions.  Full  3  sigma  protection 
does  not  always  exist  for  this  limit,  nor  does  it  exist  for  tciilscrape.  The  214  KGS  operational  limit  and  the 
short  field  speedbrake  option  were  chosen  because  they  provide  a  good  balance  between  protecting  for 
high  speed  landings,  and  for  low  speed  tailscrape/derotation  concerns.  Using  the  short  field  option 
provides  an  additional  10  KTS  protection  against  high  speed  landings,  but  at  the  expense  of  reducing 
tciilscrape  margin  (ref.  AEFTP  #121,  1-20-95 ). 

During  tire  certification,  off-limits  testing  on  the  dynamometer  indicated  tire  margin  at  groundspeeds 
greater  than  225  KTS.  However,  the  dynamometer  is  not  a  good  predictor  of  tire  wear,  and  the  off-limits 
testing  was  not  sufficient  to  be  acceptable  for  certification  by  the  vendor.  Severe  damage  was  observed 
( loss  of  tread  prior  to  peak  load),  but  the  tire  held  air  after  multiple  landings.  Convair  990  tests  on  the 
modified  surface  at  KSC  and  the  cleaned  EDW  concrete  runway  have  also  demonstrated  some  minimal 
tire  wear  margin  at  certification  limits.  Av  expected,  there  is  very  significant  increase  in  tire  wear  with 
speed  beyond  the  certification  limit  and  with  higher  crosswind.  Results  of  several  “worst-on-worst” 
cases  at  225  KGS  with  20  KTS  steady  state  crosswind  on  the  Edwards  runway  were  mixed;  some  passed 
and  some  failed.  Additional  high  speed  tests  were  made  at  speeds  up  to  240  KGS,  and  15  KTS 
crosswind,  after  which  the  tire  continued  to  hold  air.  Engineering  analysis  indicates  these  test 
conditions  represent  the  absolute  tire  wear  limit.  The  tire  vendor  agrees  that  the  Convair  990  data  is  the 
best  available  for  predicting  tire  wear,  but  will  not  support  using  the  results  of  these  tests  to  increase  the 
certified  limit  for  this  tire  (ref.  SPRCB.  5-31-95).  @[072795-1 788B  ] 

C.  BRAKE  ENERGY  -  ALL  CASES  MUST  MEET  THE  BRAKE  ENERGY  LIMITS 

BELOW  (WORST  BRAKE)  :  ®[072795-1 788B] 

NOTE:  FOR  APPLICATION  OF  THIS  RULE,  ABORTS  INCLUDE  RTLS , 

TAL,  AND  AOA .  ®[050496-1774A]  ®[050495-1745D] 
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1.  OPERATIONAL  NWS  -  BOTH  CONSTRAINTS  BELOW  MUST  BE  SATISFIED 

a.  42M  FT-LB  WITH  NWS  (82M  FT-LB  FOR  ABORTS) . 

b.  70M  FT-LBS  WITHOUT  NWS  (ASSUMING  DIFFERENTIAL 
BRAKING)  ON  AT  LEAST  ONE  "GO"  RUNWAY  AT  THE  LANDING 
SITE  (82M  FT-LB  FOR  ABORTS) . 

2.  TOTAL  FAILURE  OF  NWS: 

a.  IF  PRE-DEORBIT  -  42M  FT-LB  ASSUMING  DIFFERENTIAL 
BRAKING. 

b.  IF  POST-COMMIT  TO  DEORBIT  AND  EXPECTED  BRAKE 
ENERGY  PREDICTED  TO  EXCEED  42M  FT-LB,  THEN  RUNWAY 
REDESIGNATION  (SAME  COMPLEX)  WILL  BE  CONSIDERED 
PRIOR  TO  MACH  6  IN  ORDER  TO  REDUCE  THE  CROSSWIND. 

To  be  conservative,  the  drag  chute  shall  not  be  used  in  the  brake  energy  calculations.  Engagement  of  the 
barrier  is  to  be  avoided,  if  possible.  Therefore,  in  the  calculation  of  brake  energy,  neither  of  these 
devices  is  considered.  ©[050495-1745D] 

Flight  experience  shows  a  potential  of  about  5  KEAS  delay  on  the  initiation  of  derotation  from  the 
desired  speed  of  185  KEAS  using  beep  trim.  Derotation  initiation  is  assumed  to  be  180  KEAS.  Desired 
commanded  rate  is  1.5  deg/sec,  but  actual  results  from  flight  data  show  that  2.2  deg/sec  average 
derotation  rate  results.  Together,  these  constants  define  the  earliest  nose  gear  touchdown  speed  and, 
thus,  the  earliest  speed  at  which  brakes  should  be  applied.  Failure  of  beep  trim  resulting  in  a  delayed 
manual  derotation  is  an  additional  failure  that  is  not  considered  in  this  analysis  but  is  thought  to  be  a 
small  effect  in  any  case  that  can  be  covered  by  either  drag  chute  or  other  dispersions.  ©[050495-1745D] 

Brake  energy  must  not  exceed  limits  for  the  same  cases  that  the  rollout  margin  has  been  met.  Flight 
experience  on  STS-39  demonstrated  an  average  maximum  deceleration  rate  of  9.5  ft/sec~  with  the 
carbon-carbon  brakes.  The  9.0  ft/sec2  assumption  is  conservative  to  allow  for  systems  variations. 

Crews  train  for  braking  initiation  at  140  knots  or  midfield,  whichever  is  later.  Exceptions  to  this  is 
when  braking  has  not  begun  and  the  vehicle  reaches  the  5k  feet  remaining  marker.  The  crew  will 
always  begin  braking  at  the  5k-foot  marker,  regardless  of  groundspeed.  From  flight  experience,  it  has 
been  demonstrated  that  the  crew  can  safely  delay  braking  initiation  until  120  knots  groundspeed.  Also, 
the  orbiter  brakes  and  associated  equipment  ( cinti-skid )  are  certified  to  225  (ref.  CR  26-621-0055)  kgs 
so  under  extreme  circumstances  braking  may  be  allowed  up  to  that  speed  provided  the  nose  gear  is 
down.  ®[050495-1745D] 


THIS  RULE  CONTINUED  ON  NEXT  PAGE 


VOLUME  A  06/20/02  FINAL  TRAJECTORY  AND  GUIDANCE  4-73 

Verify  that  this  is  the  correct  version  before  use. 


NASA  -  JOHNSON  SPACE  CENTER 


FLIGHT  RULES 


A4-108  TIRE  SPEED,  BRAKING,  AND  ROLLOUT  REQUIREMENTS 

(CONTINUED) 


The  42M  ft-lb  limit  for  EOM  was  determined  to  protect  against  tire  blowout  plug  deflating  the  tire 
shortly  after  wheel  stop  (ref.  BF  Goodrich  Engineering  Report  ER-5448,  FSC  97153).  The  82M  ft-lb 
limit  for  aborts  allows  for  the  generally  heavier  weight  of  payload  return  and  shorter  abort  runways 
(ref.  Specification  -  Structural  Carbon  Brake  Assembly,  MEG,  Orbiter  MC62 1-0075).  This  higher 
limit  is  also  allowed  for  a  contingency  return  on  FD  1  with  the  typically  heavyweight  vehicle.  The  risk 
of  a  tire  fire  is  incurred  for  brake  energies  above  7 OM  ft-lb  (ref.  Carbon  Brake  Development  Test 
Summary  -  Engineering  Report  6055,  8/21/87).  This  limit  will  be  used  for  the  non-abort  case  where  a 
late  failure  takes  away  nosewheel  steering  capability.  Brake  energy  capability  of  82M  ft-lb  has  been 
demonstrated  in  testing. 

Crosswinds  directly  increase  the  brake  energy  when  differential  braking  is  used  for  lateral  control 
during  rollout.  Also,  for  loss  of  NWS,  brake  application  at  speeds  above  140  knots  will  be  required  for 
lateral  control  which  also  adds  to  the  brake  energy. 

After  commitmen  t  to  the  deorbit  burn,  the  options  available  for  reducing  the  brake  energy  are  limited. 
Should  the  NWS  fail  after  this  commitment,  runway  redesignation  will  be  considered  prior  to  Mach  6. 
Redesignation  will  not  be  considered  if  the  brake  energy  reduction  is  not  significant  or  if  the  alternate 
runway  is  less  desirable  for  other  reasons  (no  landing  aids,  runway  conditions,  etc.).  Runway 
redesignation  will  not  be  recommended  later  than  Mach  6  in  order  to  protect  against  inducing  a 
trajectory  energy  error  which  is  not  corrected  by  TAEM  interface. 

D.  ROLLOUT  MARGIN  ®[0 72795-1 788B] 

THE  MINIMUM  REQUIRED  ROLLOUT  MARGIN  FOR  A  SITE  TO  BE  "GO"  ARE 
AS  FOLLOWS: 

NOTE:  FOR  ROLLOUT  MARGIN  VIOLATIONS,  SHORT  FIELD  SPEED 

BRAKE  SHOULD  BE  USED  IF  IT  WILL  MAKE  A  RUNWAY  GO  FOR 
ROLLOUT  MARGIN,  AND  IT  REMAINS  GO  FROM  THE  BRAKE 
ENERGY,  TOUCHDOWN  MARGIN,  AND  TOUCHDOWN  SPEED 
REQUIREMENTS.  @[050495-1 745D] 

1.  FOR  RUNWAYS  WITHOUT  A  BARRIER: 

PREDICTED  ROLLOUT  MARGIN  ?  2000  FEET  MEASURED  FROM  THE 
END  OF  THE  USABLE  OVERRUN 
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2.  RUNWAY  WITH  A  BARRIER: 

PREDICTED  ROLLOUT  MARGIN  ?  0  FEET  FROM  THE  BARRIER 

NOTE:  THE  USE  OF  THE  SHORTFIELD  SPEEDBRAKE  SHOULD  BE 

CONSIDERED  IF  THE  ROLLOUT  MARGIN  IS  LESS  THAN 
600  FEET  USING  THE  NOMINAL  SPEEDBRAKE  RETRACT 
OPTION.  ®[050495-1 745D] 

Monte  Carlo  analysis  in  April  1992  and  reconfirmed  in  October  1994  determined  that  less  than  1000 feet 
(600 feet)  are  required  to  protect  for  the  environmental  and  procedural  variations  in  order  to  prevent 
crossing  the  end  of  the  defined  runway.  This  analysis  accounted  for  landing  gear  deploy  altitude 
variations,  trajectory  errors  at  preflare,  3-sigma  ADTA  errors,  density  altitude  variations,  surface  wind 
changes,  and  variations  in  the  design  hecid/tail  upper  level  wind  profile.  Also  assumed  was  perfect 
execution  of  the  braking  procedures  as  described  in  paragraph  A.  However,  the  1000-foot  margin  was 
chosen  to  provide  additional  protection  for  other  procedural  variations  and  dispersions  outside  those 
used  in  the  Monte  Carlo  analysis.  ©[050495-1745D] 

For  run  ways  without  a  barrier,  an  equivalen  t  overrun  of  1000 feet  is  protected.  This  overrun  protects  for 
loss/decreased  braking  or  stopping  capability  or  significant  dispersions  which  result  in  a  longer  rollout. 
Therefore,  a  2000-foot  margin  is  required  from  the  end  of  the  usable  overrun  (load-bearing  surface).  At 
Ben  Guerir,  consideration  will  be  given  to  use  of  the  1500 feet  of  packed  dirt  when  it  is  dry  and  load 
bearing. 

Engaging  the  barrier  is  undesirable  because  it  can  possibly  result  in  damage  to  the  main  gear  doors,  air 
data  probes,  and  a  limited  number  of  tiles.  However,  barrier  engagemen  t  is  safe  at  speeds  up  to  100  kgs. 
This  rule  would,  on  a  nominal  day  with  no  dispersions  and  nominal  drag  chute  deployment,  result  in  cm 
orbiter  stopping  more  than  1400 feet  from  the  barrier.  On  a  nondispersed  day  when  the  drag  chute 
fails,  this  rule  would  allow  cm  orbiter  stop  at  the  barrier  (no  engagement).  Barrier  engagement  would 
occur  only  on  a  day  when  the  drag  chute  fails  and  dispersions  result  in  a  long  rollout.  Since  barriers  are 
only  present  at  TAL  sites,  and  the  resultant  damage  to  orbiter  tiles,  gear  doors,  ADTA,  etc.  is  only  a 
turnaround  issue,  the  risk  of  barrier  engagemen  t  is  considered  acceptable  in  order  to  launch  on  a  given 
day. 

Rules  (A2-1J,  PRELAUNCH  GO/NO-GO  REQUIREMENTS;  { A4-107J ,  PLS/EOM  LANDING 
OPPORTUNITY  REQUIREMENTS;  {A10-23A},  APU  ENTRY  START  TIME;  and  {A10-71 j, 

HYDRAULIC  SYSTEM  CONFIGURATION,  reference  this  rule.  ®[050495-i745D]  ©[072795-1788B  ] 
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FORECAST  VIOLATIONS  (REF.  RULE  {A2-6},  LANDING  SITE  WEATHER 
CRITERIA  [HC] )  AT  THE  NOMINAL  EOM  TIME  WILL  RESULT  IN  SELECTION 
OF  ONE  OF  THE  FOLLOWING  OPTIONS  LISTED  IN  ORDER  OF  PRIORITY: 

®[1 20894-1 622B] 

A.  DEORBIT  TO  PLS  AT  NOMINAL  EOM  TIME  OR  ONE  OR  MORE  ORBITS  LATE 
TO  ALTERNATE  RUNWAYS  (IF  REQUIRED  FOR  WINDS,  SUN  ANGLE,  OR 
ISOLATED  CLOUD  COVERAGE) . 

B.  DEORBIT  TO  PLS  EARLY  ON  EOM  DAY. 

C.  DEORBIT  TO  PLS  24  HOURS  LATE. 

D.  DEORBIT  TO  PLS  DAILY  OPPORTUNITY  PRIOR  TO  NOMINAL  EOM  DAY. 

E.  DEORBIT  TO  SLS . 

F.  RELAX  WEATHER  CRITERIA. 


Deorbit  to  the  primary  landing  site  is  always  desirable  due  to  convoy/ground  operations  support  and 
crew  familiarity.  Options  A  through  D  provide  a  priority  list  of  options  to  deorbit  to  the  primary  landing 
site.  Should  it  not  be  possible  to  deorbit  to  the  primary  site,  the  secondary  landing  site  will  be  utilized 
(option  E).  Weather  criteria  will  be  relaxed  real  time  should  both  the  primary  and  secondary  landing 
sites  be  unacceptable. 

Rule  (A2-207J,  LANDING  SITE  SELECTION,  and  Rule  {A2-301 },  CONTINGENCY  ACTION 
SUMMARY,  reference  this  rule. 
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A.  AIMPOINT  SELECTION  -  AIMPOINT  EVALUATION  WILL  ASSUME  AUTO 

SPEEDBRAKE  AND  WILL  NOT  MODEL  ANY  MANUAL  PROCEDURES  DESIGNED 

TO  INCREASE  TOUCHDOWN  DISTANCE.  @[072795-1 788B] 

1.  IF  THE  PREDICTED  TOUCHDOWN  POINT  USING  THE  NOMINAL 
AIMPOINT  IS  <  1000  FEET  PAST  THE  RUNWAY  THRESHOLD,  THEN 
THE  CLOSE-IN  AIMPOINT  WILL  BE  SELECTED. 

2.  IF  THE  PREDICTED  TOUCHDOWN  POINT  IS  <  1000  FEET  PAST  THE 
RUNWAY  THRESHOLD  FOR  BOTH  THE  NOMINAL  AND  CLOSE-IN 
AIMPOINTS,  THE  RUNWAY  IS  NO-GO.  FOR  DAYLIGHT  LAKEBED 
LANDINGS  ONLY,  IF  AFTER  APPLYING  ALL  TECHNIQUES  (CLOSE-IN 
AIMPOINT,  ALTERNATE  RUNWAY)  THE  PREDICTED  TOUCHDOWN  POINT 
IS  STILL  <  1000  FEET,  CONSIDERATION  SHALL  BE  GIVEN  TO 
RELAXING  THE  1000-FOOT  CONSTRAINT  RATHER  THAN  DELAYING 
DEORBIT  OR  SELECTING  AN  ALTERNATE  LANDING  SITE. 

3.  FOR  RTLS  WITH  LIGHT  RAIN  SHOWERS  IN  THE  APPROACH  CORRIDOR 
(RULE  { A2-1C}  .  4 ,  PRELAUNCH  GO/NO-GO  REQUIREMENTS),  IF  THE 
PREDICTED  TOUCHDOWN  POINT  IS  <  2000  FEET  PAST  THE  RUNWAY 
THRESHOLD  FOR  BOTH  NOMINAL  AND  CLOSE-IN  AIMPOINTS,  THE 
RUNWAY  IS  NO-GO.  ®[ED  ] 

NOTE:  MANUAL  SPEEDBRAKE  RETRACTION  AT  3000  FEET  AGL  MAY  BE 

CONSIDERED  TO  ACHIEVE  THE  2000-FOOT  MINIMUM  TOUCHDOWN  ENERGY. 

@[0201 96-1 808A] 

This  rule  is  designed  as  a  planning  guide  and  represents  crew  and  flight  controller  inputs  developed  over 
many  flights.  All  of  these  criteria  were  discussed  at  Flight  Techniques  and  other  meetings. 

A  TD  point  1000 feet  from  the  runway  threshold  was  selected  to  accommodate  variations  in  actual  TD 
point  from  prelanding  predictions  due  to  off-nominal  EAS,  landing  gear  deploy  altitude,  and  deviations 
from  the  forecast  wind  profile.  With  the  increased  margins  available  on  a  lakebed  runway,  the  risks  of 
landing  closer  to  the  threshold  are  significan  tly  reduced.  Therefore,  engineering  judgmen  t  may  be  used 
to  accept  a  TD  point  of  less  than  1000 feet  in  order  to  avoid  an  otherwise  NO-GO  situation  on  a  lakebed 
runway  if  no  increased  risk  is  identified.  Factors  involved  in  making  this  assessment  include  visibility 
restrictions,  underrun  characteristics  (hardness,  surface  conditions,  obstructions,  etc.),  the  availability 
of  landing  aids,  wind  persistence  predictions,  and  pilot  (e.g.,  ST  A)  judgment  and  recommendations.  Due 
to  visibility  restrictions  at  night,  however,  the  1000-foot  criterion  always  applies  to  night  landings  on 
lakebed  runways. 


THIS  RULE  CONTINUED  ON  NEXT  PAGE 


VOLUME  A  11/21/02  FINAL,  PCN-1  TRAJECTORY  AND  GUIDANCE  4-77 

Verify  that  this  is  the  correct  version  before  use. 


NASA  -  JOHNSON  SPACE  CENTER 


FLIGHT  RULES 


A4-110  AIMPOINT,  EVALUATION  VELOCITY,  AND  SHORT  FIELD 

SELECTION  (CONTINUED) 


There  are  two  aimpoints  used  to  locate  the  base  of  the  outer  glide  slope,  one  at  7500 feet  from  the 
threshold  (nominal)  and  one  at  6500 feet  from  the  threshold  (close-in).  Aimpoint  selection  is  based  on 
an  evaluation  of  the  predicted  TD  point  and  speedbrake  setting  using  current  and  forecast  winds,  density 
altitude,  and  orbiter  weight.  The  descent  design  sy stern  (DDS)  and  the  Approach  and  Landing  Plan 
(ALP)  processor  are  used  to  compute  these  parameters.  ©[072795-1788B] 

Tile  damage  due  to  showers  encoun  tered  during  fly  back  could  result  in  a  loss  of  up  to  1000 feet  of 
touchdown  distance.  Typical  touchdown  distances  carry  adequate  margin  to  protect  this  type  of  energy 
loss.  A  dispersed  entry  that  is  flown  through  a  shower  on  a  day  that  predicted  touchdown  conditions  are 
at  the  limits  specified  in  Rule  {A4-110},  AIMPOINT  EVALUATION  VELOCITY,  AND  SHORT  FIELD 
SELECTION,  could  result  in  a  vehicle  touchdown  on  the  edge  of  the  underrun.  The  touchdown  distance 
is  increased  for  RTLS  to  handle  the  tile  damage  combined  with  the  other  dispersions.  ®[0201 96-1 808A] 
@[062801 -4307C] 

4.  IF  THE  PREDICTED  SPEEDBRAKE  RETRACT  CALCULATION 

INDICATES  THAT  THE  SPEEDBRAKE  WILL  BE  COMMANDED  CLOSED 
(15  PERCENT)  AT  BOTH  3000  FEET  AGL  AND  500  FEET  AGL 
USING  THE  NOMINAL  AIMPOINT,  THEN  THE  CLOSE-IN  AIMPOINT 
MAY  BE  SELECTED  TO  ACHIEVE  A  PREDICTED  TOUCHDOWN  POINT 
CLOSER  TO  THE  GUIDANCE  TARGET  (NOMINALLY  2500  FEET)  AND 
POSSIBLY  GAIN  ADDITIONAL  SPEEDBRAKE,  PROVIDED  THAT 
ROLLOUT  MARGIN  AND  BRAKE  ENERGY  CONSTRAINTS  (REF.  RULE 
{ A4 -1 0  8 } ,  TIRE  SPEED,  BRAKING,  AND  ROLLOUT  REQUIREMENTS) 
ARE  STILL  SATISFIED.  @[072795-1 788B]  @[0201 96-1 808A]  @[101096-4210] 

Approach  and  landing  guidance  was  designed  to  control  the  orbiter’ s  TD  energy  state  by  modulating 
the  speedbrake.  Using  the  speedbrake  retract  I-loads,  guidance  will  command  a  speedbrake  position 
that  should  result  in  a  targeted  energy  state  at  TD  of  195  knots  EAS  (205  KEAS  heavyweight)  at  2500 
feet  past  the  runway  threshold.  At  3000 feet  AGL,  if  guidance  predicts  that  the  TD  energy  state  will  be 
less  than  that  targeted,  the  speedbrake  will  be  commanded  fully  closed.  In  this  case,  selecting  the  close- 
in  aimpoin  t  will  provide  an  additional  1000 feet  of  energy  margin  at  TD  and  may  result  in  carrying  a 
small  amoun  t  of  speedbrake  for  energy  con  trol.  The  preference  for  open  speedbrake  and  touchdown  as 
close  as  possible  to  the  2500 foot  guidance  target  does  not  preclude  considering  either  aimpoint  for 
other  reasons,  such  as  conditions  which  result  in  a  different  aimpoint  recommendation  from  the  STA. 
Rollout  margin  and  brake  energy  requirements,  as  specified  in  Rule  {A4-108},  TIRE  SPEED, 

BRAKING,  AND  ROLLOUT  REQUIREMENTS,  must  still  be  satisfied  after  selection  of  the  close-in 
aimpoint.  If  selection  of  the  close-in  aimpoin  t  results  in  violation  of  these  criteria,  the  nominal 
aimpoint  will  be  used.  @[101096-4210  ] 
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5.  IF  THE  PREDICTED  DYNAMIC  PRESSURE  BELOW  3000  FEET  AGL 
EXCEEDS  THE  ALLOWABLE  LIMIT  (REF.  RULE  {A4-207},  ENTRY 
LIMITS),  THEN  THE  CLOSE-IN  AIMPOINT  MAY  BE  SELECTED  IN 
CONJUNCTION  WITH  THE  NOMINAL  SPEEDBRAKE  RETRACT  OPTION  TO 
REDUCE  THE  DYNAMIC  PRESSURE  TO  WITHIN  ALLOWABLE  LIMITS. 

AS  A  LOWER  PRIORITY  OPTION,  CONSIDERATION  WILL  BE  GIVEN 
TO  SELECTING  THE  CLOSE-IN  AIMPOINT  IN  CONJUNCTION  WITH 
THE  SHORT  FIELD  SPEEDBRAKE  RETRACT  OPTION  IF  IT  IS 
REQUIRED  TO  REDUCE  DYNAMIC  PRESSURE  TO  WITHIN  ALLOWABLE 
LIMITS.  FOR  EITHER  CASE,  THE  TOUCHDOWN  POINT,  ROLLOUT 
MARGIN,  AND  BRAKE  ENERGY  CONSTRAINTS  MUST  BE  SATISFIED. 
@[062801 -4307C] 

Selection  of  the  close-in  aimpoint  may  be  used  as  a  method  for  reducing  the  maximum  dynamic  pressure 
( q-bar )  under  3000ft  AGL.  When  the  speedbrake  retracts  and  adjusts  at  3000 ft/500 ft  AGL 
respectively,  it  is  possible  for  the  maximum  dynamic  pressure  to  increase  above  limits  specified  in  Rule 
{A4-207},  ENTRY  LIMITS,  under  unique  wind  conditions.  A  reduction  in  the  peak  q-bar  may  be 
achieved  by  inducing  a  lower  equivalen  t  airspeed  profile  with  larger  speedbrake  settings  from  the 
selection  of  the  close-in  aimpoint.  If  the  close-in  aimpoint  alone  does  not  reduce  the  peak  q-bar  below 
the  limit,  then  the  short  field  speedbrake  may  be  selected  in  conjunction  with  the  close-in  aimpoin  t  to 
further  increase  the  speedbrake  setting  to  meet  the  q-bar  constraint  provided  that  doing  so  does  not 
make  a  NO-GO  runway  GO  based  on  touchdown  margin.  The  short  field  option  cannot  be  used  to 
improve  touchdown  conditions  since  it  removes  touchdown  energy.  Since  the  short  field  option  removes 
touchdown  energy,  the  close-in  aimpoint/nominal  speedbrake  option  is  preferred  over  the  close-in 
aimpoint/ short  field  option  to  clear  a  q-bar  violation.  If  selection  of  the  close-in  aimpoint  with  either 
the  nominal  or  short  field  option  results  in  any  rollout  margin  violation  or  brake  energy  constraint 
violation  as  specified  in  Rule  {A4-108},  TIRE  SPEED,  BRAKING,  AND  ROLLOUT  REQUIREMENTS, 
the  runway  will  be  NO-GO.  @[062801 -4307C] 
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B.  EVALUATION  VELOCITY  AND  SHORT  FIELD  SELECTION  -  THE  THREE 
EVALUATION  TOUCHDOWN  VELOCITIES  ASSOCIATED  WITH  THE  TWO 
SPEEDBRAKE  RETRACT  OPTIONS  ARE  DEFINED  IN  THE  FOLLOWING  TABLE: 

TABLE  A4-110-I  -  EVALUATION  TD  EAS  AND  SHORT  FIELD  SELECTION 


SPDBRK 

RETRACT 

OPTION 

CONDITIONS/SELECTION  CRITERIA 

EVALUATION  TD  EAS-KTS 

l-LOAD  SET: 

-20°OGS  (LIGHTWEIGHT) 

-1 8°OGS  (HEAVYWEIGHT) 

LANDING  WEIGHT  -  KLB: 

WT<200 

200?  WT?  220  [3] 

220  [3]<WT<245 

WT  ?  245 

NOMINAL 

NOMINAL  EVALUATION  TD  EAS 

195  [1] 

205  [1] 

IF  THE  TD  POINT  AT  195  KEAS 

<1 000  FT  FOR  BOTH  NOMINAL  AND 

CLOSE-IN  AIMPOINTS 

185 

N/A 

N/A 

IF  ASCENT  INTACT  ABORT  SITE 

TD  MARGIN  IS  THE  ONLY  FACTOR 

CONSTRAINING  LAUNCH 

N/A 

195 

N/A 

SHORT 

FIELD 

WILL  BE  SELECTED  TO  ACHIEVE 

THE  NECESSARY  ROLLOUT  MARGIN, 

BRAKE  ENERGY,  TIRE  SPEED 

LIMITS,  OR  Q-BAR  LIMITS  (MAY  BE 

USED  WITH  Cl  AIMPT  FOR  Q-BAR 
VIOLATION). 

185  [1] 

195  [1] 

205  [2] 

@[062801 -4307C] 


[1]  GUIDANCE  TARGETS  FOR  2500  FT  DOWNRANGE. 

[2]  THIS  OPTION  CANNOT  BE  USED  FOR  TIRE  SPEED  MARGIN,  BUT  MAY  BE  USED  FOR  ROLLOUT  MARGIN,  DYNAMIC 
PRESSURE  MARGIN,  OR  BRAKE  ENERGY.  FOR  THIS  WEIGHT  ONLY,  THE  TOUCHDOWN  TARGET  IS  1 500  FEET 
DOWNRANGE. 

[3]  GLIDESLOPE  IS  BASED  ON  THE  WEIGHT  SWITCHPOINT  l-LOAD  WHICH  IS  NOMINALLY  220  KLBS,  BUT  MAY  BE 
SLIGHTLY  MORE  OR  LESS  ON  A  FLIGHT-SPECIFIC  BASIS.  REF  THIS  RATIONALE.  @[072795-1 788B] 

The  intent  of  modeling  the  TD  prediction  so  that  it  assumes  auto  speedbrake  and  does  not  model  manual 
procedures  such  as  high  EAS  on  the  outer  glide  slope  is  to  ensure  that  nonstandard  procedures  are  not 
used  in  order  to  make  the  touchdown  conditions  GO.  @[072795-1 788B] 

There  are  also  two  speedbrake  retract  options,  nominal  and  short  field,  which  are  used  to  control 
touchdown  tire  speed,  rollout  margin,  brake  energy,  and  maximum  dynamic  pressure  under  3000ft  AGL. 
The  short  field  logic  dissipates  1000 feet  of  touchdown  energy,  which  can  be  equated  to  a  reduction  of  10 
knots  in  touchdown  speed.  The  rollout  margin,  brake  energy,  maximum  dynamic  pressure,  and  tire  speed 
parameters  are  also  computed  by  DDS  and  ALP  during  real-time  approach  and  landing  analysis. 

@[062801 -4307C] 
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The  touchdown  speed  prediction  is  a  function  of  which  1-load  set  (heavyweight  or  lightweight)  onboard 
guidance  has  selected,  and  the  speedbrake  retract  option  (nominal  or  short  field).  The  weight  switch 
point  I-locid  which  distinguishes  a  lightweight  vehicle  from  a  heavyweight  vehicle  is  normally  220,000 
lbs.  During  pre-flight  design,  when  the  predicted  weight  is  near  220,000  lbs,  the  switch  point  I-load  may 
be  either  222,000  or  218,000  lbs  to  make  the  flight-day  1-locid  more  predictable.  With  the  normal 
speedbrake  retract  option  selected,  guidance  will  target  all  lightweight  vehicles  to  touch  down  at  195  kts, 
and  all  heavyweight  vehicles  to  touch  down  at  205  kts.  With  the  short  field  speedbrake  retract  option 
selected,  guidance  will  target  lightweight  TD  at  185  KEAS  and  heavyweight  at  195  KEAS.  The  intent  is 
to  use  the  same  flight  rule  evaluation  touchdown  speed  in  approach  and  landing  analysis  as  is  used  in 
onboard  guidance.  The  touchdown  speed  design  targets  provide  cm  energy  reserve  which  takes  into 
account  such  factors  as  tailscrape,  nose  gear  slcipdown  limits,  atmospheric  effects,  manual  procedures, 
and  orbiter  center-of -gravity.  Evaluation  speeds  may  vary  from  the  guidance  target  for  very  light  or  very 
heavy  vehicles,  and  for  other  operational  concerns  as  discussed  below. 

The  short  field  speedbrake  retract  logic  was  designed  to  permit  landing  and  stopping  safely  on  the 
shorter  TAL  runways.  It  may  also  be  selected  on  any  landing  opportunity  to  provide  additional  tire 
speed  margin  on  hot  or  tailwind  days.  When  the  short  field  option  is  selected,  guidance  will  decrease  the 
targeted  TD  energy  by  1000 ft,  which  is  equivalent  to  landing  10  kts  slower  at  the  nominal  2500ft 
downrange  TD  distance.  For  operational  and  training  reasons,  selecting  the  short  field  option  for  any 
reason  should  cue  the  CDR  to  target  TD  speed  at  185  KEAS  for  lightweight  landings,  or  195  KEAS  for 
heavyweight  landings  (provided  that  the  weight  is  <  245,000  lbs). 

Because  of  the  reduced  nose  gear  slcipdown  loads  with  weights  less  than  200,000  lbs,  it  is  acceptable  to 
plan  for  a  touchdown  of  185  kts  rather  than  195  kts.  However,  operationally,  it  is  desirable  to  land  at 
195  knots  rather  than  185  knots  for  lightweight  cases  to  reduce  the  n  umber  of  landing  speeds  that  crews 
must  train  for.  For  this  reason,  with  an  orbiter  weight  less  than  200k  lbs,  both  the  nominal  and  close-in 
aimpoints  will  be  evaluated  at  195  knots  prior  to  evaluation  of  185  knots  as  the  targeted  TD  EAS.  Use  of 
185  knots  is  preferable  to  delaying  cleorbit  (Ascent/Entry  Splinter  Flight  Techniques  Panel, 
Landing/Rollout  HI,  June  20,  1990).  ©[072795-1788B] 
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For  the  heavyweight  case,  it  may  be  preferable  to  evaluate  touchdown  at  195  knots  if  inadequate  TD 
margin  is  achieved  at  205  knots  at  the  intact  abort  site,  rather  than  delay  a  launch.  For  landing 
weights  ?  245k  lbs,  TD  evaluations  should  use  a  touchdown  speed  of 205  keas  due  to  orbiter  tailscrape 
restrictions.  ®[072795-l  788B] 

Under  unique  wind  conditions,  the  short  field  speedbrcike  logic  may  be  selected  in  conjunction  with  the 
close-in  aimpoint  to  clear  dynamic  pressure  violations  above  the  limits  specified  in  Rule  {A4-207}, 
ENTRY  LIMITS,  provided  that  an  adequate  touchdown  margin  is  maintained.  The  reduction  of  the 
maximum  dynamic  pressure  is  a  byproduct  of  the  larger  speedbrcike  retract  commands  that  result  from 
the  selection  of  the  short  field  speedbrcike  option  with  the  close-in  aimpoint.  Selecting  the  short  field 
option  with  the  close-in  aimpoint  is  preferable  over  manual  speedbrcike  techniques.  @[062801 -4307C] 

The  short  field  logic  should  only  be  selected  to  achieve  the  necessary  tire  speed  margin,  rollout  margin, 
dynamic  pressure  margin,  or  brake  energy  limits,  and  not  to  improve  TD  margin.  Using  short  field  to 
improve  touchdown  conditions  essentially  reduce  the  touchdown  energy,  which  is  in  conflict  with  the 
decisions  of  the  1991  landing  performance  panel.  @[062801 -4307C] 

If  entry  analysis  shows  TD  ground  speed  >  214  kts  using  the  short  field  option,  that  runway  will  be  NO- 
GO  for  landing.  When  the  short  field  logic  is  selected  for  tire  speed  margin,  the  crew  will  be  notified  of 
the  10  kt  slower  target/evaluation  TD  EAS. 

Reference  Rule  {A4-108},  TIRE  SPEED,  BRAKING,  AND  ROLLOUT  REQUIREMENTS.  Rule  (A2-6J, 
LANDING  SITE  WEATHER  CRITERIA  [HC],  references  this  rule.  @[072795-1 788B] 
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A.  THE  FOLLOWING  CONDITIONS  WILL  NO-GO  USE  OF  ANY  EOM  OR  INTACT 
ABORT  RUNWAY  TO  WHICH  THEY  APPLY.  CONDITIONS  ARE  ASSESSED 
OVER  THE  ENTIRE  SURFACE  OF  THE  RUNWAY.  ®[1 11 094-1 622B]  @[062702-51 49C] 

1.  ALL  RUNWAYS  (GROOVED,  UNGROOVED,  LAKEBED) : 

STRUCTURAL  FAILURES  (BREAKTHROUGH,  POTHOLE,  FISSURE), 
STANDING  WATER,  SNOW,  OR  ICE 

2 .  UNGROOVED  RUNWAYS : 

VISIBLE  MOISTURE 

3.  LAKEBEDS: 

WET  OR  SLUSHY  SURFACE  MATERIAL 

THE  FOLLOWING  CHART  CATEGORIZES  THE  APPROVED  EOM  AND  INTACT  ABORT 
RUNWAYS : 


RUNWAY 

SURFACE 

KSC 

GROOVED 

EDW22/04 

UNGROOVED 

MRN 

UNGROOVED 

BEN 

UNGROOVED 

ZZA 

GROOVED 

NOR 

LAKEBED 

@[062702-51 49C]  ®[ED  ] 
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a.  Due  to  the  large  load  bearing  requirements  of  the  orbiter,  structural  failures  are  not  acceptable  on 
any  runway  surface.  Fissures  or  cracks,  which  may  lead  to  or  be  evidence  of  structural  failures,  are 
not  allowable.  Potholes  are  not  acceptable  owing  to  the  possibility  of  tire  or  strut  damage  caused 
by  impact.  Standing  water,  snow  or  ice  on  any  runway  surface  may  result  in  hydroplaning,  loss  of 
traction,  and  loss  of  brake  effectiveness.  @[062702-51 49C] 

Grooves  on  a  runway  are  designed  to  provide  drainage  of  water  from  the  runway  surface.  Flooding 
occurs  when  the  water  cannot  be  shed  quickly  enough  and  the  grooves  fill.  Any  depth  of  water 
above  this  point  is  defined  as  standing  water  (depth  of  water  above  the  run  way  surface,  not 
including  groove  depth).  The  Shuttle  Landing  Facility  at  KSC  is  considered  grooved  although  the 
3500 feet  at  each  end  of  the  runway  are  ungrooved  and  treated  with  a  Skidabrader™  Shotpeening 
Process.  The  A/E  FTP#  176  members  concluded  that  the  effects  of  landing  in  the  ungrooved  region 
and/or  rolling  across  the  grooved/ungrooved  transition  zones  on  a  wet  KSC  runway  (grooves  not 
flooded )  were  not  significant  enough  to  alter  the  desired  landing  profile.  These  conclusions  were 
based  on  LRC  tire  track  testing,  SES  evaluations,  and  the  assumption  that  significant  lateral 
excursions  could  not  occur  since  the  time  spent  in  the  ungrooved  region  at  high  speeds  was  of  a  very 
short  duration  and  occurred  with  light  main  gear  loading. 

b.  Visible  moisture  on  an  ungrooved  concrete  runway  may  also  result  in  a  loss  of  lateral  directional 
control.  The  orbiter  MEG  tires  can  lose  up  to  75  percent  of  the  dry  friction  value  at  high  speeds  on 
a  wet  ungrooved  runway.  Ref  A/E  FTP  # 1 76. 

c.  Wet,  slushy  Icikebed  surface  materials  thrown  up  during  landing  and  roll  out  can  result  in  orbiter 
damage.  Reference  Entry  FTP  #42  and  A/E  FTP  #1 76. 

B.  FOR  EMERGENCY  LANDINGS,  THE  CONDITIONS  IN  PARAGRAPH  A  WILL  BE 
CONSIDERED  IN  RUNWAY  SELECTION  IF  MORE  THAN  ONE  SITE  IS 
AVAILABLE . 

Con  tingen  cy  aborts  (e.g.,  ECAL,  emergency  deorbit )  do  not  require  the  same  level  of  dispersion 
protection  as  NEOM  or  Intact  Abort  landings.  In  addition,  emergency  landings  typically  only  have 
capability  to  one  site,  so  runway  NO-GO  criteria  are  not  appropriate.  In  the  event  overlapping  coverage 
does  exist  (e.g.,  ECAL),  runway  condition  should  be  considered  when  selecting  the  landing  site. 
Emergency  landings  include,  but  are  not  limited  to,  ACLS,  ECAL,  and  ELS  sites.  Ref  A/E  FTP  #176. 
@[062702-51 49C]  ®[1 02402-5804C] 

Rules  (A2-1J,  PRELAUNCH  GO/NO-GO  REQUIREMENTS;  (A2-2J,  ABORT  LANDING  SITE 
REQUIREMENTS;  {A2-103},  EXTENSION  DAY  REQUIREMENTS;  and  {A4-107},  PLS/EOM 
LANDING  OPPORTUNITY  REQUIREMENTS,  reference  this  rule.  ®[111094-1622B] 
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A4-112  UPPER  AND  LOWER  LEVEL  MEASURED  WIND  AND 

ATMOSPHERIC  DATA  @[062801-4423] 

A.  UPPER  LEVEL  WINDS 

UPPER  LEVEL  MEASURED  WINDS  (HAC  ACQUISITION  TO  10K  FEET)  ARE 
USED  TO  ASSESS  HAC  SELECTION  OPTIONS  AND  TRANSITION  TO 
APPROACH  AND  LANDING  GUIDANCE. 

PREDEORBIT:  A  SOURCE  FOR  ACCURATE  UPPER  LEVEL  MEASURED 
WINDS  IS  HIGHLY  DESIRABLE  FOR  EOM .  IT  IS  HIGHLY 
DESIRABLE  THAT  THE  SOURCE  ENCOMPASS  ALTITUDES  FROM  HAC 
ACQUISITION  AND  BELOW  FOR  THE  HAC  SELECTION  ASSESSMENT 
AND  IT  IS  OBTAINED  NO  MORE  THAN  6.5  HOURS  FROM  TOUCHDOWN. 

B.  LOW  LEVEL  WINDS  @[111 094-1 622B] 

LOWER  LEVEL  MEASURED  WINDS  (0  TO  10K  FEET)  ARE  USED  TO  ASSESS 
TOUCHDOWN,  ROLL  OUT,  AND  BRAKE  ENERGY  CONDITIONS  IN  ORDER  TO 
SUPPORT  COMMIT  TO  LAUNCH  OR  DEORBIT  DECISIONS. 

1.  PRELAUNCH:  A  SOURCE  FOR  ACCURATE  LOWER  LEVEL  MEASURED 
WINDS  IS  MANDATORY  FOR  RTLS ,  TAL  AND  AOA(IF  REQUIRED) 

WITH  THE  FOLLOWING  EXCEPTIONS:  @[0201 96-1 799A] 

IF  A  SOURCE  FOR  LOWER  LEVEL  WINDS  IS  NOT  AVAILABLE  AT 
BEN  GUERIR,  BEN  36  WITH  CLOSE-IN  AIMPOINT  WILL  BE  USED 
UNLESS  UNUSUAL  WIND  CONDITIONS  ARE  SUSPECTED. 

2.  PREDEORBIT:  A  SOURCE  FOR  ACCURATE  LOW  LEVEL  MEASURED 
WINDS  IS  MANDATORY  FOR  FD1  OR  FD2  PLS,  NEXT  PLS,  AND  EOM. 
IT  IS  HIGHLY  DESIRABLE  THAT  THE  SOURCE  FOR  LOWER  LEVEL 
WINDS  IS  OBTAINED  NO  MORE  THAN  4.5  HOURS  FROM  TOUCHDOWN. 

NOTE:  FOR  AOA  OR  FD1  PLS  TO  NORTHRUP,  STANDARD  BALLOON  DATA  IS 

NOT  AVAILABLE.  FOR  THESE  CASES,  THE  WIND  PROFILERS  DATA 
(IF  AVAILABLE)  AND  FORECAST  WINDS  WITH  THE  62  STANDARD 
ATMOSPHERE  WILL  BE  USED  FOR  TOUCHDOWN  AND  ROLLOUT 
ANALYSIS.  @[0201 96-1 799A] 

C.  ATMOSPHERIC  CONDITIONS  @[062801-4423] 
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ATMOSPHERIC  DATA  (CONTINUED) 

A  SOURCE  FOR  ACCURATELY  MEASURING  ATMOSPHERIC  CONDITIONS  FROM 
0  TO  10K  FEET  IS  MANDATORY  WHEN  INVERSIONS  ARE  SUSPECTED  IN 
ORDER  TO  OBTAIN  A  MORE  DETAILED  AND  RELIABLE  FORECAST  NEEDED 
TO  SUPPORT  COMMIT  TO  LAUNCH  AND  DEORBIT  DECISIONS  FOR  EOM  AND 
INTACT  ABORT  SITES. 

A  source  of  accurately  measured  upper  level  wind  conditions  at  the  landing  site  is  highly  desirable  to 
support  detailed  landing  analysis  of  the  dynamics  that  can  be  expected  while  flying  the  HAC  and  the 
expected  transition  altitude  from  TAEM  guidance  to  Approach  and  Landing  guidance.  Sources  that  can 
provide  this  type  of  detailed  wind  measuremen  ts  include  radio  theodolites,  rawinsondes,  and  jimspheres. 
Other  resources,  such  as  the  STA,  T-38,  and  balloon  releases  from  surrounding  areas,  may  be  used  to 
confirm  the  detailed  wind  measurements.  It  is  highly  desirable  that  the  measured  wind  data  encompass 
altitudes  from  HAC  acquisition  and  below  to  analyze  the  expected  guidance  transition  altitude,  the 
expected  maximum  dynamic  pressure  on  the  HAC,  and  the  expected  HAC  altitude  errors,  specificcdly  the 
Altitude  Error  Low  parameter.  Wind  measurements  taken  6.5  hours  prior  to  touchdown  are  not  expected 
to  change  beyond  the  wind  accuracies  that  assure  acceptable  TAEM  performance  and  acceptable 
guidance  transition.  TAEM  wind  accuracy  requirement  studies  have  shown  wind  measurement  errors  of 
approximately  35  knots  at  HAC  altitudes  can  be  tolerated.  Under  all  circumstances,  wind  measurement 
accuracies  and  the  applicability  of  wind  measurements  taken  up  to  6.5  hours  from  touchdown  will 
remain  an  SMG  decision.  @[062801-4423  ] 

A  source  of  accurately  measured  lower  level  wind  conditions  at  the  landing  site  is  necessary  to  support 
detailed  landing  analysis  of  touchdown,  roll  out,  and  brake  energy  conditions  as  part  of  the  prelaunch 
GO/NO-GO  decision  process.  The  measured  wind  data  at  the  landing  site  is  also  crucial  to  support  an 
accurate  and  detailed  forecast  of  the  low-level  altitude  winds  (0  to  lOKfeet).  Sources  that  can  provide 
this  type  of  detailed  wind  measurements  include  radio  theodolites,  rawinsondes,  and  jimspheres.  Since 
wind  persistence  is  a  function  of  the  dynamics  of  the  atmosphere,  the  number  of  wind  measuremen  ts 
required  will  remain  an  SMG  decision.  When  temperature  inversions  or  wind  shears  are  suspected,  a 
source  for  accurately  measuring  atmospheric  conditions  is  needed  to  support  a  more  detailed  forecast. 
Without  measured  atmospheric  data,  but  with  low-level  local  wind  measurements,  a  wind  shear  could  be 
detected  and/or  possibly  be  forecast  based  on  previous  measuremen  ts  and  other  weather  obsen’cition 
equipment. 

A  statistical  analysis  of  postflight  data  from  STS-26  to  STS-103  shows  that  touchdown  energy  predictions 
from  the  touchdown-4.5  hour  balloon  are  representative  of  the  actual  touchdown  conditions.  The  change 
in  the  3 -sigma  dispersions  that  can  be  expected  from  the  touchdown-4.5  hour  balloon  to  the  touchdown- 1 
hour  balloon  is  less  than  150  ft.  The  statistics  from  these  flights  were  taken  on  day  of  landing  where 
meteorological  conditions  were  benign  enough  to  allow  deorbit.  To  invoke  the  minimum  wind 
measuremen  t  requirements  in  this  rule  implies  that  trajectory  and  touchdown  predictions  from  the  last 
available  balloon  are  benign  and  sufficient  touchdown  margins  exist.  Other  resources,  such  as  the  STA, 
may  be  used  to  confirm  the  last  available  trajectory  and  touchdown  predictions.  @[062801-4423  ] 
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ATMOSPHERIC  DATA  (CONTINUED) 

The  detailed  landing  analysis  of  both  forecast  and  current  conditions  is  critical  for  short  runways  such 
as  TAL  sites.  If  weather  conditions  are  favorable  in  that  no  low-level  shears  are  suspect,  the  requiremen  t 
for  measured  atmospheric  data  is  waived,  but  detailed  wind  measurements  are  still  required  to  support 
the  landing  analysis.  The  Ben  Guerir  exception  minimizes  the  use  of  the  Moron  TAL  site,  which  has  a 
shorter  runway  and  smaller  ascent  abort  window.  Although  low-level  wind  data  are  mandatory  to 
determine  speedbrake  setting,  touchdown  location,  brake  energy,  aimpoint  selection,  etc.,  the  special 
Flight  Rules  FRCB  (September  6,  1988)  determined  that  these  data  are  not  mandatory  for  BEN  36 
because  of  the  extensive  overrun  available  on  this  end  of  the  runway.  ®[111094-1622B] 

In  order  to  save  money,  the  Program  agreed  not  to  release  balloons  at  Northrup  in  the  prelaunch 
timeframe.  If  Northrup  is  the  prime  AO  A  site,  touchdown  and  rollout  analysis  will  be  based  on  the 
forecast  winds  aloft  which  are  made  from  the  balloon  data  from  the  semi-daily  releases  from  Holloman 
AFB.  If  the  White  Sands  wind  profilers  data  are  available,  it  will  be  used  for  the  touchdown  and  rollout 
analysis.  Furthermore,  analysis  showed  that  the  62  standard  and  the  monthly  mean  atmosphere  showed 
only  slight  differences  in  the  touchdown  and  rollout  constraints.  Therefore,  for  procedural  simplicity,  it 
was  decided  that  the  62  standard  atmosphere  would  be  used.  ©[020196-1799A] 

Rules  (A2-1J,  PRELAUNCH  GO/NO-GO  REQUIREMENTS;  {A2-2j,  ABORT  LANDING  SITE 
REQUIREMENTS;  and  {A4-107J,  PLS/EOM  LANDING  OPPORTUNITY  REQUIREMENTS  reference 
this  rule.  ®[1 1 1 094-1 622B] 

A4-113  QMS— 2  TARGETING 

FOR  GROUND  UP  RENDEZVOUS  MISSIONS,  OMS-2  TARGET  PERIGEE  WILL  BE 
USED  TO  OPTIMIZE  RENDEZVOUS  PHASING.  OMS-2  PERIGEE  MAY  BE  AS  LOW 
AS  105  NM  (OR  85  NM  WITH  SSP  APPROVAL)  .  @[022201-3801] 

OMS-2  is  used  for  orbital  insertion  as  well  as  the  first  rendezvous  phasing  maneuver.  In  order  to 
accomplish  this,  orbital  perigee  post  OMS-2  can  range  from  105  nm  to  307  nm.  OMS-2  can  also 
compensate  for  small  MECO  underspeeds  and  still  preserve  the  rendezvous.  With  Space  Shuttle 
Program  approval,  post  OMS-2  perigee  can  go  as  low  as  85  nm  in  order  to  improve  launch  window 
duration,  but  with  a  propellant  penalty  due  to  drag.  @[022201-3801  ] 

A4-114  THROUGH  A4-150  RULES  ARE  RESERVED 
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A4-151  I MU  ALIGNMENT 

DEORBIT  WILL  NOT  BE  ATTEMPTED  IF  THE  IMU  ATTITUDE  ERROR  AT 
ENTRY  INTERFACE  IS  PREDICTED  TO  BE  GREATER  THAN  0.5  DEGREE 
FOR  NOMINAL  DEORBIT,  DEORBIT  WILL  BE  DELAYED  IF  THE  ERROR  IS 
>  0.25  DEGREE,  IN  ORDER  TO  PERFORM  AN  IMU  ALIGNMENT  TO 
CORRECT  ERRORS  TO  <  0.25  DEGREE.  FOR  CONTINGENCY  SITUATIONS, 
ERRORS  BETWEEN  0.25  DEGREE  AND  0.5  DEGREE  ARE  ACCEPTABLE. 

Acceptable  IMU  attitude  errors  for  entry  were  derived  based  on  two  factors,  the  post-blackout  navigation 
downtrack  error  and  the  angle  of  attack  errors. 

a.  Navigation  downtrack  error  -  An  analysis  presented  at  Entry  Flight  Techniques  Panel  Meeting  # 6 
on  11/9/77  established  IMU  alignment  error  limits  as  follows: 

(1)  For  a  contingency  in  which  exceeding  system  performance  margins  is  necessary  during 
entry,  the  maximum  IMU  RSS  misalignment  allowed  at  El  is  0.5  degree  (flight  safety  limit; 
STS-4,  EFTP  3).  A  misalignment  at  El  of  0.5  degree  would  result  in  navigation  errors  that, 
although  corrected  at  TACAN  acquisition  (~M7),  would  result  in  adjustments  to  the  entry 
trajectory  that  could  exceed  the  venting  control  limit  of 300  psfin  the  transonic  region  (ref. 
Rule  (A4-207AJ.2,  ENTRY  LIMITS).  Errors  greater  than  0.5  degree  will  violate  the  342  psf 
flight  control  design  limit  for  dynamic  pressure  in  the  M5  to  M3  region.  The  0.5  degree 
misalignment  corresponds  to  a  downrange  error  of  10  nm  at  an  altitude  of  130,000 feet, 
which  violates  the  delta  state  update  limits  (ref.  Rule  {A4-204BJ,  DELTA  STATE  POSITION 
UPDATES ),  but  is  within  the  TACAN  capability  to  correct.  ®[ED  ] 

(2)  The  0.25  degree  RSS  limit  is  intended  to  protect  system  performance  margins  during  entry.  A 
maximum  misalignment  at  El  of  0.25  degree  under  worst  case  conditions  protects  the  limiting 
parameter,  a  dynamic  pressure  of 300  psf,  that  conforms  to  compartment  venting  constraints 
in  the  transonic  region.  The  0.25  degree  misalignment  corresponds  to  a  downrange  error  of 
approximately  6  nm  at  an  altitude  of  130,000 feet,  which  is  within  TACAN  capability  to 
correct  and  does  not  violate  the  delta  state  update  criteria. 

b.  Angle  of  attack  errors  -  Another  consideration  was  angle  of  attack  error.  An  extensive  series  of 
runs  was  made  on  the  SPS  ?  1  and  FSL  to  define  the  loss  of  control  boundary  as  a  function  of  angle 
of  attack  errors.  Results  of  these  studies  were  presented  at  Flight  Techn  iques.  Angle  of  attack 
errors  can  come  from  IMU  alignment  errors  and  winds.  Tolerance  to  angle  of  attack  errors  is  a 
function  of  aerodynamic  variations,  FCS  response,  and  RCS  jet  authority/availability.  With  worst 
case  winds,  three-sigma  AERO  variations,  and  two  yaw  RCS  jet  failures,  simulation  runs  indicated  a 
potential  loss  of  control.  Therefore,  it  was  required  to  minimize  the  IMU  contribution  to  angle  of 
attack  error,  0.5  degree  was  deemed  to  be  the  maximum  allowable  with  0.25  degree  highly 
desirable. 
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Rules  (A4-101J,  ONBOARD  NAVIGATION  MAINTENANCE;  {A4-154},  DOWNTRACK  ERROR;  (A8- 
12},  HEADSUP  DISPLAY  AND  CREW  OPTICAL  ALIGNMENT  SIGHT  (COAS)  ALIGNMENT;  {A8- 
108E },  HUD/COAS  SYSTEM  MANAGEMENT;  and  {A8-110}  B,  E,  G,  H,  I,  and  J,  IMU  SYSTEM 
MANAGEMENT,  reference  this  rule. 


A4-152  DEORBIT  BURN  TARGETING  PRIORITIES 

A.  THE  DEORBIT  BURN  WILL  BE  TARGETED  TO  MEET  AS  MANY  OF  THE 
FOLLOWING  OBJECTIVES  AS  POSSIBLE,  IN  ORDER  OF  PRIORITY  FROM 
HIGHEST  TO  LOWEST,  USING  THE  AVAILABLE  OMS  PROPELLANT,  AS 
DEFINED  BY  RULE  {A6-356},  DEORBIT  PLANNING  CRITERIA,  WHILE 
KEEPING  THE  CG  IN  THE  NOMINAL  BOX  AS  DEFINED  BY  RULE  {A4-153}, 
CG  PLANNING.  ®[081 497-41 78B] 

1.  STEEP  TARGETS  WITH  3-SIGMA  N-CYCLES 

2.  OMS  TANK  LANDING  CONSTRAINTS  (<  21.2  PERCENT  OX, 

21.1  PERCENT  FU) 

3.  LANDING  WEIGHT  ?  FLIGHT  RULE  LIMIT 

4.  RCS  COMPLETION  AT  SAFE  HP 

5.  TWO  MIN  TIG  SLIP  FOR  NO-FAIL  DEORBIT 

6.  OMS  TANK  FAIL  HPS  ?  SAFE  HP 

7.  ONE  DOWNMODE  OPTION  FROM  TIG  THROUGH  CUTOFF 

8.  MAXIMIZE  TIG  SLIP  UP  TO  5  MIN  FOR  ONE  ENGINE  FAIL  CASE 

9.  AOS  DURING  THE  BURN 

B.  IF  STEEP  TARGETS  CANNOT  BE  ACHIEVED  WITH  THE  AVAILABLE  OMS, 

THE  FOLLOWING  ACTIONS  WILL  BE  TAKEN  IN  ORDER  OF  PRIORITY  TO 
ACHIEVE  STEEP  TARGETS  WITH  3-SIGMA  N-CYCLES. 

1.  TARGET  USING  MAXIMUM  POSSIBLE  OMS,  DOWN  TO  ZERO  USABLE 
OMS  (AS  DEFINED  IN  RULE  {A6-301},  OMS  USABLE  PROPELLANT) 

IN  THE  CRITICAL  OMS  SYSTEM.  ®[081 497-41 78B] 
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2.  CG  MANAGEMENT  TECHNIQUES  SHOULD  BE  UTILIZED  TO  MAXIMIZE 
THE  AVAILABLE  PROPELLANT  WHILE  MAINTAINING  THE  CG  WITHIN 
NOMINAL  LIMITS  (REF  RULE  {A4-153},  CG  PLANNING).  ®[081 497-41 78B] 

3.  PERFORM  A  MULTI-STAGE  DEORBIT  BY  EXECUTING  AN  FRCS 
AND/OR  ARCS  PERIGEE  ADJUST  WITH  PROPELLANT  ABOVE  THE 
MCR  PER  RULE  {A6-355},  OMS  PROPELLANT  DEFICIENCY  FOR 
DEORBIT.  IT  IS  HIGHLY  DESIRABLE  THAT  THIS  MANEUVER (S) 
OCCUR  AT  LEAST  TWO  ORBITS  PRIOR  TO  DEORBIT  TIG.  IT  MAY 
BE  PERFORMED  <  TWO  ORBITS  BEFORE  DEORBIT  IF  TELEMETRY 
COVERAGE  WILL  PROVIDE  FOR  MANEUVER  CONFIRMATION. 

4.  IF  IT  IS  NOT  POSSIBLE  TO  PERFORM  A  PERIGEE  ADJUST  PRIOR 
TO  DEORBIT,  COMPLETE  THE  BURN  WITH  AFT  RCS  DOWN  TO  AFT 
QTY  1  AND,  IF  REQUIRED,  ALL  FRCS  REMAINING  POST  BURN. 
OPERATIONALLY,  THE  AFT  RCS  CAN  BE  BURNED  SIMULTANEOUSLY 
WITH  THE  OMS. 

C.  IF  STEEP  TARGETS  WERE  NOT  ACHIEVED  THROUGH  THE  ACTIONS  IN 

PARAGRAPH  B,  OTHER  CONUS  DEORBIT  OPPORTUNITIES  SHOULD  BE 

CONSIDERED  IF  THE  REQUIRED  DEORBIT  DELTA-V  WOULD  ALLOW  THE 

ACHIEVEMENT  OF  STEEP  TARGETS.  IF  STEEP  TARGETS  TO  A  CONUS 

SITE  CANNOT  BE  ACCOMPLISHED,  THE  FOLLOWING  ACTIONS  WILL  BE 

TAKEN  TO  ACHIEVE  SHALLOW  TARGETS. 

1.  TARGETED  PREBANK  UP  TO  90  DEGREES  WITH  3-SIGMA  N-CYCLES 

2.  TARGETED  PREBANK  OF  90  DEGREES  WITH  MINIMUM  N-CYCLES  TO 
PREVENT  SKIPOUT  (N-CYCLE  =  2) 

3.  INCREASE  THE  AMOUNT  OF  RCS  PROPELLANT  AVAILABLE  FOR  A 
PERIGEE  ADJUST  OR  ARCS  COMPLETION  SUCH  THAT  ONLY  TANK 
EXPULSION  EFFICIENCY  (RULE  {A6-305A},  AFT  RCS  REDLINES , 
ON-ORBIT  SINGLE  AFT  RCS  POD  QUANTITY  REDLINE )  IS 
PROTECTED  POST  DEORBIT. 

4.  IF  POSSIBLE,  INCREASE  THE  AVAILABLE  PROPELLANT  BY 
EXPANDING  THE  CG  LIMITS  TO  THE  CONTINGENCY  BOX. 

5.  BURN  THE  OMS  TANKS  TO  DEPLETION.  ®[081 497-41 78B] 
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A4-152  DEORBIT  BURN  TARGETING  PRIORITIES  (CONTINUED) 

6.  INCREASE  THE  AMOUNT  OF  RCS  PROPELLANT  AVAILABLE  FOR  A 

PERIGEE  ADJUST  OR  ARCS  COMPLETION  SUCH  THAT  ONLY  AFT  QTY 
2  (RULE  {A6-305D},  AFT  RCS  REDLINES ,  AFT  RCS  QUANTITY  1 
AND  2)  IS  PROTECTED  POST  DEORBIT.  ®[081 497-41 78B] 

D.  CONTINGENCIES  REQUIRING  RAPID  TARGETING  WILL  BE  TARGETED  TO 
THE  PRIMARY  THRUSTERS  OPTIMUM  SOLUTION,  OR  THE  2  OMS/1  OMS 
CROSSOVER  POINT  IF  2  OMS  ARE  AVAILABLE. 

This  rule  establishes  the  methods  that  will  be  used  to  target  the  deorbit  burn  in  order  to  achieve  an 
acceptable  entry.  The  order  has  been  established  to  minimize  the  impact  to  crew  safety  and  maximize 
vehicle  integrity. 

Paragraph  A: 

The  deorbit  maneuver  TIG  will  be  chosen  to  meet  as  many  of  the  objectives  listed  in  paragraph  A  as 
possible,  in  order  of  priority.  The  TIG  will  occur  no  earlier  than  RCS  optimum  minus  1  minute,  and  no 
later  than  the  two  OMS  optimum. 

All  targeting  in  paragraphs  A  and  B  uses  3-sigma  N-cycles.  An  N-cycle  is  defined  as  the  number  of 
guidance  cycles  after  the  initiation  of  closed  loop  guidance  before  the  first  non  -zero  roll  command.  Three 
sigma  N-cycles  are  flight  specific  since  the  inclination  arid  seasonal  effects  are  factors  used  to  define  the 
specific  N-cycle.  The  3-sigma  N-cycle  provides  protection  from  getting  zero  N-cycles  with  a  min  imum 
initial  bank  of  25  degrees  at  closed  loop  guidance  initiation,  in  the  presence  of  3-sigma  dispersions. 
Targeting  with  steep  targets  and  the  3-sigma  N-cycles  will  assure  nominal  entry  heating  levels,  correct 
con  vergence  onto  the  drag  profile,  and  protection  of  recovery  prebank  capability. 

OMS  propellant  quantities  at  landing  should  be  less  than  21.2  percent  oxidizer,  21.122  percent  fuel  to 
prevent  exceeding  OMS/RCS  pod  structural  loads.  {Ref.  SODB,  Volume  I,  Shuttle  Systems  Performance 
and  Constraints  Data,  Section  3. 4. 3. 3,  OMS  Constraints/Limitations.)  Violation  of  the  tank  landing 
weight  constraint  may  cause  structural  damage.  ®[081 497-41 78B] 
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A4-152  DEORBIT  BURN  TARGETING  PRIORITIES  (CONTINUED) 

Priority  A.4  protects  RCS  completion  at  Safe  Hp.  If  a  failure(s)  disabled  both  OMS  engines  below  Safe 
Hp,  the  burn  could  be  completed  with  the  remaining  propellant  through  the  RCS  jets.  If  a  failure(s) 
disabled  both  OMS  engines  prior  to  Safe  Hp,  the  shuttle  would  be  in  an  orbit  with  at  least  48  hours  of 
lifetime,  and  the  deorbit  burn  could  be  retargeted  to  optimize  for  the  RCS  engines.  ®[081 497-41 78B] 

Two  minutes  of  no-fail  TIG  slip  protects  for  a  case  like  a  switch  misconfiguration  where  no  actual 
failures  have  occurred. 

The  OMS  Tank  Fail  Hp ’s  are  the  altitudes  at  which  an  OMS  tank  can  fail  and  the  targets  can  still  be 
achieved  using  all  of  the  remaining  resources  (remaining  OMS,  recovery  prebank  to  the  2950  degree 
Fahrenheit  wing  leading  edge  temperature  limit,  ARCS  to  Aft  Qty  1,  and  FRCS).  If  the  tank  fail  Hp  is 
below  Safe  Hp,  there  is  a  window  where  the  orbiter  is  too  low  to  stop  the  burn  (Safe  Hp),  but  too  high  to 
complete  the  burn  using  the  remaining  propellant.  It  is  desirable  that  this  window  not  exist;  therefore. 
Tank  Fail  Hp  should  remain  above  Safe  Hp  if  possible. 

One  downmode  option  from  TIG  through  cutoff  means  that  the  burn  can  be  completed  in  the  event  that 
the  primary  engines  are  lost  (i.e.,  2  OMS  to  1  OMS,  or  1  OMS  to  RCS). 

The  most  efficient  place  to  burn  in  the  event  that  an  OMS  engine  is  lost  is  at  the  1  OMS  optimum  point. 
TIG  may  be  backed  up  from  this  point  to  gain  TIG  slip  or  comm  if  higher  priority  objectives  can  still  be 
accomplished. 

Paragraph  B: 

The  actions  in  paragraph  B  allow  steep  targets  to  be  achieved  while  still  protecting  the  nominal  RCS 
entry  propellant  redlines.  The  maximum  usable  OMS  as  defined  by  the  critical  system  will  be  used  for 
deorbit  in  order  to  protect  steep  targets.  The  burn  will  be  targeted  to  cutoff  when  the  0  lbs  usable 
quan  tity  has  been  reached  in  either  system,  thereby  protecting  the  tanks  from  being  depleted. 

CG  management  techniques  as  defined  in  Rule  {A4-153},  CG  PLANNING,  may  allow  more  propellant  to 
be  made  available  for  the  deorbit  burn.  For  planning  purposes,  the  CG  at  Mach  3.5  must  be  main  tained 
within  the  nominal  box.  @[091098-6717  ] 

The  ARCS  and/or  FRCS  perigee  adjust  at  least  two  orbits  prior  to  deorbit  cdlows  both  burn  confirmation 
and  collection  of  some  tracking  data  to  take  out  the  resulting  trajectory  dispersions.  The  RCS  perigee 
adjust  is  acceptable  within  two  orbits  of  deorbit  if  a  valid  burn  confirmation  can  be  performed.  Accurate 
ground  modeling  of  the  burn  is  achievable  with  this  confirmation,  assuring  valid  state  vector  confidence 
to  target  the  subsequent  deorbit  burn. 

If  a  perigee  adjust  could  not  be  performed  prior  to  deorbit,  ARCS  completion  with  propellant  down  to 
AFT  Quan  tity  1  and,  if  requ  ired,  a  fast  flip  to  burn  the  FRCS  to  depletion  is  preferred  over  targeting  a 
shallow  entry  because  it  presences  steep  targets  with  no  impact  to  vehicle  integrity.  @[081 497-41 78B] 
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Paragraph  C:  ®[081 497-41 78B] 

Prior  to  implementing  the  actions  in  paragraph  C,  it  may  be  best  to  deorbit  to  another  CONUS 
opportunity  if  steep  targets  can  be  achieved.  Wave  off  capability  and  orbital  geometry  will  be  the 
deciding  factors  in  whether  this  is  a  feasible  option.  The  actions  in  paragraph  C  allow  for  shallow 
targets  which  reduce  the  propellant  required  for  deorbit.  ®[081 497-41 78B] 

Targeted  prebank  up  to  90  degrees  shallows  the  targets  and  reduces  the  propellant  required  for  deorbit. 
This  targeting  priority  assures  drag  profile  convergence ,  but  results  in  higher  vehicle  heat  loads  and 
compromises  recovery  prebank  capability.  The  heat  load  induced  by  a  shallow  entry  increases  with 
crossrange;  therefore,  low  crossrange  opportunities  should  be  utilized  if  a  heat  load  analysis  cannot  be 
performed. 

In  a  time  critical  situation,  once  it  has  been  determined  that  some  amount  of  prebank  is  required, 
targeting  90  degrees  prebank  should  be  considered  because  pre-mission  products  are  already  available. 
If  a  prebank  other  than  90  degrees  is  selected,  then  recovery  prebank  tables  must  be  generated  in  real 
time,  using  a  time  consuming  and  rarely  exercised  procedure. 

The  use  of  minimum  N-cycle  in  conjunction  with  a  targeted  prebank  of  90  degrees  will  further  reduce  the 
deorbit  delta-V.  The  use  of  minimum  N-cycles  provides  protection  from  skipout,  which  is  defined  as  zero 
N-cycles  with  an  initial  bank  of  60  deg  at  closed  loop  guidance  initiation,  in  the  presence  of  3 -sigma 
dispersions.  The  resulting  entry  is  thermally  more  severe  and  converges  on  the  drag  profile  later  in  the 
entry  phase. 

The  aft  RCS  propellant  tanks  are  not  certified  for  use  below  20  percent  during  zero-G  operation.  If  used 
below  20  percent  prior  to  Nz  =  0.05  g,  there  is  a  risk  that  the  tanks  may  fail,  leaving  no  RCS  propellant 
available  for  entry  control. 

Expanding  the  CG  box  out  to  the  contingency  limits  may  allow  access  to  propellant  that  was  previously 
limited  by  the  Y  CG  limit.  The  contingency  box  may  allow  expansion  from  the  nominal  Y  CG  limit  but 
for  the  forward  end  of  the  X  CG  box,  the  nominal  and  contingency  limits  are  the  same. 

Burning  the  OMS  tanks  to  depletion  may  destroy  the  engines  and  will  only  be  performed  after  all  other 
targeting  options  have  been  exhausted. 

ARCS  completion  down  to  AFT  Quantity  2  only  protects  low  Q-bar  attitude  control  to  the  point  where 
no-yaw  jet  capability  is  possible  (Nz  =  0.05g). 

Paragraph  D: 

In  emergency  targeting  or  contingency  targeting  cases,  the  primary  thrusters  optimum  solution,  or  the  2 
OMS/1  OMS  crossover  solution,  will  be  used  because  it  can  be  quickly  executed  within  the  limitations  of 
the  current  deorbit  targeting  processor.  Time  may  not  be  available  for  a  detailed  analysis  of  the 
targeting.  ®[081 497-41 78B] 
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A4-153  CG  PLANNING 

A.  CG  ENVELOPE: 

1.  CONTINGENCY  CG  ENVELOPE. 

2.  NOMINAL  CG  ENVELOPE:  @[091098-6715] 


XCG  (inch) 

NOTES: 

[1]  VERIFIED  AERO  BOUNDARY. 

[2]  DESIGN  ENVELOPE  AFT  LIMIT. 

[3]  FORWARD  LIMIT  FOR  EOM,  ATO,  AND  AOA  (X=1 075.2  INCHES). 

[4]  FORWARD  LIMIT  FOR  GRTLS  FOR  ANGLE  OF  ATTACK  <  30  DEGREES  AND  FOR  TAL  (X=1 076.7  INCHES). 

[5]  FORWARD  LIMIT  FOR  GRTLS  FOR  ANGLE  OF  ATTACK  >  30  DEGREES  (X=1 079.0  INCHES). 

[6]  NOMINAL  CG  ENVELOPE  REFLECTS  A  1  -INCH  UNCERTAINTY  FOR  X  CG  AND  A  0.5-INCH  UNCERTAINTY 
FOR  Y  CG.  @[091098-6715] 

The  contingency  CG  envelope  represents  the  loss  of  control  CG  boundary  for  OMS  tank  fail  cases. 
Vehicle  control  beyond  the  nominal  CG  envelope,  yet  within  the  contingency  CG  boundary,  assumes  all 
four  yaw  jets  are  available.  Due  to  elevon  saturation,  there  must  be  no  jet  failures  to  ensure  vehicle 
control  within  the  contingency  envelope. 

No  structural  or  thermal  assessments  of  the  vehicle  have  been  made  for  CG  conditions  beyond  the 
nominal  envelope.  Entry  at  these  conditions  could  result  in  significant  damage  to  the  airframe  and/or 
thermal  protection  system  even  when  the  vehicle  is  within  limit  flight  conditions. 
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The  X  CG  values  which  correspond  to  the  Y  CG  values  of  3.5  inches  and  4.5  inches  represent  the 
breakpoin  ts  of  the  generic  elevon  schedules.  The  boundaries  of  the  con  tingency  CG  box  include  an 
uncertainty  of  ±1.0  inch  for  X  CG  at  the  forward  end  of  the  contingency  box.  The  uncertainty  for  the 
Y  CG  is  ±0.5  inch. 

The  contingency  CG  envelope  boundaries  were  derived  from  an  analysis  matrix  which  included:  fixed 
mass  properties;  light  and  heavyweight  vehicles;  0  and  30  percent  turbulence  models;  and  aero 
variations  of  nominal  LVAR  9,  LVAR  19,  bent  airframe,  and  pitching  moment. 

This  rule  also  contains  the  nominal  CG  envelope  that  was  developed  to  trade  off  the  X  vs.  Y  CG  location, 
when  required  during  real-time  operations,  in  conjunction  with  orbiter  CG  management  rules.  In 
addition,  the  CG  en  velope  is  used  preflight  to  evaluate  the  projected  end  of  mission  CG  location  and,  if 
required,  adjust  planning  to  assure  that  the  CG  is  within  the  given  boundaries.  The  nominal  CG 
en  velope  reflects  the  prelaunch  measuremen  t  errors  (±1  inch  for  X,  ±3.5  inch  for  Y). 

The  CG  boundaries,  as  they  exist  today,  have  evolved  since  prior  to  STS-1  and  are  a  result  of  many 
iterations  of  analyses  performed  by  both  the  JSC  and  Rockwell  In  ternational  Corporation  (RIC) 
aerodynamic  commun  ities,  and  of  numerous  Entry  Flight  Techniques  discussions.  The  shape  and 
dimensions  of  the  boundaries  have  changed  many  times  as  a  function  of  the  assumptions  made  and  the 
orbiter  aerodynamic  data  used  in  their  generation,  and  they  may  continue  to  change  and  expand  as  more 
is  learned  about  the  orbiter  capabilities. 

In  general,  the  Y  limits  plus  and  minus  are  constrained  by  lateral  trim  requirements.  The  forward  X 
limits  represent  lateral-directional  stability  constraints  and  the  aft  X  limits  represent  longitudinal  trim 
requirements  as  constrained  by  thermal  limits  on  the  body-flap  and  elevons.  The  lateral  trim  and 
stability  requiremen  ts  for  Y  CG  were  based  on  flight  con  trol  system  performan  ce  with  the  following 
aerodynamics  stress  case:  1.5  yaw  jets  for  trim,  3-sigmci  lateral  variation  set  19,  L/D  tolerance,  auto 
bodyflcip,  +0.00025  Clo  and  -0.00025  Cno  bent  airframe  coefficients,  3-degree  aileron  trim,  15-degree 
angle  of  attack,  and  275  psf  dynamic  pressure  at  Mach  3.5,  using  Flight  Assessment  AERO  Data  (FAD) 

14  from  STS  41-D.  ®[08i  497-41 78B] 

AERO/FCS  stress  testing  has  certified  the  CG  limits  to  ±2  inches  Y  CGforX  CG’sfrom  1075.7  to  1110 
inches  and  to  ±1.5  inches  Y  CGforX  CG’sfrom  1074.2  to  1075.7,  thus  exceeding  the  original  certified 
end  item  ( CEI )  CG  specification.  However,  because  of  mass  properties  uncertain  ties  of  approximately  ±1 
inch  in  X  CG  and  ±0.5  inch  in  Y  CG,  the  CG  boundaries  depicted  in  the  flight  rule  nominal  CG  envelope 
are  observed  at  Mach  3.5  for  planning  purposes;  that  is,  ±1.5  inches  Y  CGforX  CG’sfrom  1076.7  to  1109 
inches  and  ±1  inch  Y  CGforX  CG’sfrom  1075.2  to  1076.7.  ®[081 497-41 78B]  @[091098-6715] 

The  increase  to  the  forward  X  CG  limit  and  the  associated  Y  CG  limit  was  a  result  of  analysis  presented 
by  Boeing  North  American  Flight  Control  and  Loads  groups  at  the  145th  Ascent/Entry  Flight  Techniques 
on  December  19,  1997.  @[091098-6715] 
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A4-153  CG  PLANNING  (CONTINUED) 

B.  THE  PLANNED  ORBITER  CG  THROUGHOUT  THE  ENTRY  PROFILE  MUST  BE 
WITHIN  THE  CG  LIMITS.  THE  COMPUTATION  OF  THE  CG  ASSUMES 
NOMINAL  CONSUMABLE  USAGE,  ENTRY  MANEUVERS,  AND  A  FORWARD 
SHIFT  OF  OMS  PROPELLANT  DURING  ENTRY. 

For  real-time  and  preflight  planning  purposes,  this  rule  states  the  assumptions  involved  for  computation 
of  the  nominal  EOM  orbiter  CG’s  (SODB,  Volume  II,  section  3.0,  Constraints  and  Limitations).  The  CG 
is  to  be  calculated  using  a  typical  consumables  profile  which  reflects  the  most  realistic  entry  conditions. 

C.  EOM  PLANNING  -  ONLY  THE  CG  MANAGEMENT  TECHNIQUES  LISTED  IN 

PARAGRAPHS  D  THROUGH  F  WILL  BE  USED  TO  MANAGE  THE  EOM  CG 
WITHIN  THE  CONTINGENCY  CG  ENVELOPE  (REF.  PARAGRAPH  A) . 
CONSIDERATION  WILL  BE  GIVEN  TO  EXTENDING  THE  FLIGHT,  IF 
ADDITIONAL  MANAGEMENT  WILL  MINIMIZE  VIOLATION  OF  THE  NOMINAL 
CG  ENVELOPE  .  ®[081 497-41 79B] 

Paragraph  A  represents  the  certified  operational  envelope,  and  analysis  of  performance  beyond  this 
envelope  is  not  complete.  It  is  of  the  highest  priority  to  con  tain  the  entry  CG  within  the  orbiter  con  trol 
trim  capability.  All  CG  management  techniques  will  be  used  to  protect  this  constraint. 

Staying  in  orbit  longer  will  allow  use  of  orbit  managemen  t  techniques.  These  tools  include  generation  of 
extra  water  and  use  of  additional  ARCS  propellant. 

D.  X  CG  MANAGEMENT  TECHNIQUES  INCLUDE  THE  FOLLOWING: 

1.  RETAINING  OR  DUMPING  ADDITIONAL  POTABLE  WATER. 

Keeping/dumping  potable  water  can  move  the  X  CG  about  1  inch  for  every  375  lb  of  water  retained/dumped 
for  a  220,000-lb  orbiter.  Water  dumps  move  the  X  CG  further  aft. 

2.  OPTIMIZING  THE  CRYO  MANAGEMENT  PLAN  (REF.  RULE  {A9-256}, 
CRYO  02/H2  TANK  QUANTITY  BALANCING) 

The  cryo  management  plan  can  be  optimized  to  produce  a  more  aft  CG.  This  is  accomplished  by 
maintaining  mission  margin  in  the  center  manifold,  or  by  using  the  forward  tanks  earlier  than  planned. 

3.  RETAINING  OR  DUMPING  FRCS .  WHEN  CG  AND  LANDING  WEIGHT 
CONSTRAINTS  ARE  MET,  THE  FRCS  WILL  BE  DUMPED  TO  ZERO. 

®[081 497-41 79B] 

Since  the  FRCS  tanks  are  significantly  forward  of  the  vehicle  X  CG,  retain  ing/dumping  forward 
propellant  is  a  powerful  tool  for  control  of  the  X  CG.  For  a  220,000-lb  orbiter,  the  X  CG  can  be 
changed  by  about  1  inch  for  every  280  lb  of  FRCS  retained/dumped.  FRCS  dumps  move  the  X  CG  aft. 

If  an  FRCS  dump  does  not  cause  the  CG  envelope  to  be  violated,  then  the  dump  should  be  performed. 
Dumping  the  FRCS  to  zero  will  keep  landing  weight  to  a  minimum  and  aid  in  vehicle  processing  time. 
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A4-153  CG  PLANNING  (CONTINUED) 

4.  MANAGEMENT  OF  OMS  PROPELLANT  USAGE  IN  DEORBIT  TARGETING 
(REFERENCE  RULE  {A4-152},  DEORBIT  BURN  TARGETING 
PRIORITIES,  FOR  PRIORITIES)  :  ®[081 497-41 79B] 

a.  INCREASE  OMS  PROPELLANT  USAGE  TO  MOVE  THE  CG  FORWARD. 

Backing  up  TIG  from  the  optimum  one  OMS  or  two  OMS  TIG  will  use  extra  OMS  propellant  and  move 
the  X  CG  forward.  For  a  220,000-lb  orbiter,  620  lb  of  OMS  propellant  usage  will  move  the  X  CG 
forward  by  1  inch.  If  additional  propellant  usage  is  required  for  CG  control,  the  out-of-plane  wasting 
technique  can  also  be  used  to  increase  propellant  usage. 

b.  DECREASE  OMS  PROPELLANT  USAGE  TO  MOVE  THE  C.G.  AFT. 

OMS  propellant  can  be  retained  by  burning  at  the  optimum  OMS  time.  Burning  at  the  optimum  leaves 
most  OMS  available  in  the  aft,  short  of  targeting  with  a  prebcmk.  Targeted  prebcmk  can  be  used  to 
decrease  the  deorbit  propellant  usage  even  more.  For  a  220,000-lb  orbiter,  620  lb  of  OMS  propellant 
retention  moves  the  X  CG  aft  by  1  inch.  ( Reference  Rule  { A4-152 },  DEORBIT  BURN  TARGETING 
PRIORITIES,  for  priorities. )  ®[081 497-41 79B] 

5.  OMS  BALLAST  MANAGEMENT  -  OMS  BALLAST  WILL  BE  RETAINED  TO 
PROTECT  THE  FORWARD  LIMIT  OF  THE  CG  ENVELOPE  AT  ANY  POINT 
IN  THE  ENTRY  PROFILE.  THE  AMOUNT  OF  OMS  USED  FOR 
BALLASTING  WILL  BE  DETERMINED  ASSUMING: 

a.  OMS  PROPELLANT  USED  TO  THE  BALLAST  BASELINE  QUANTITY 
(REF  A/E  FLIGHT  TECHNIQUES  #67,  MAY  1990) . 

b.  ARCS  PROPELLANT  USED  TRAPPED  PLUS  GAUGE  ERROR  (REF 
RULE  {A6-305},  AFT  RCS  REDLINES ) . 

C.  FRCS  DUMPED  TO  ZERO,  UNLESS  THE  CAPABILITY  TO  PERFORM 
THE  DUMP  IS  LESS  THAN  SINGLE  FAULT  TOLERANT. 

OMS  bcdlcist  is  required  when  the  X  CG  violates  the  forward  end  of  the  CG  envelope.  The  OMS  ballast 
required  for  forward  X  CG  protection  may  not  be  used  for  the  deorbit  burn.  Usage  beyond  the  nominal 
profile  will  move  the  X  CG  forward.  Therefore,  the  forward  CG  limit  will  be  protected  for  the  full  entry 
redline.  The  OMS  ballast  is  nominally  computed  assuming  the  FRCS  is  dumped  to  zero.  Consideration 
should  be  given  to  depleting  the  FRCS  prior  to  the  deorbit  burn  if  the  post  burn  dump  has  been 
jeopardized  by  previous  failures.  ®[08i  497-41 79B] 
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A4-153  CG  PLANNING  (CONTINUED) 

E.  Y  CG  MANAGEMENT  TECHNIQUES  INCLUDE  THE  FOLLOWING: 

1.  MANAGING  THE  ARCS  PROPELLANT  BY  UTILIZING  THE  RCS 
CROSSFEED  CAPABILITY.  RCS  CROSSFEED  WILL  NOT  BE  USED 
TO  IMPROVE  THE  ORBITER  CG  DURING  DEORBIT  AND  ENTRY. 

Use  of  the  RCS  crossfeed  capability  is  effective  for  lateral  control  of  the  CG.  Propellant  from  one  aft 
pod  may  be  used  to  feed  the  thrusters  of  both  aft  pods.  RCS  crossfeed  is  also  used  to  balance  RCS 
propellants  or  null  the  Y  CG.  For  a  220,000-lb  orbiter,  225  lb  of  ARCS  can  change  the  Y  CG  by  0.1 
inch.  To  preclude  tying  OMS  and  RCS  tanks,  the  RCS  crossfeed  will  not  be  done  during  the  deorbit  burn 
and  entry  because  the  same  set  of  propellant  crossfeed  lines  would  need  to  be  used  in  the  case  of  OMS 
engine  failure  or  cm  RCS  downmode  during  the  deorbit  burn. 

2.  MANAGING  THE  OMS  PROPELLANT  BY  UTILIZING  THE  FOLLOWING 
PROCEDURES : 

a.  USING  OMS  CROSSFEED  DURING  SINGLE  OMS  ENGINE  BURNS. 

NOTE:  OMS  CROSSFEED  MAY  BE  USED  TO  MANAGE  OMS  PROPELLANT  WHEN 

DOWNMODING  FROM  A  TWO-ENGINE  BURN  TO  A  SINGLE  ENGINE  AS  A 
RESULT  OF  AN  ENGINE  FAILURE. 


Using  the  OMS  crossfeed  capability  allows  con  trol  of  the  Y  CG  at  a  rate  of  about  0.1  inch  for  every 
225  lb  of  OMS  for  an  orbiter  weighing  220,000  lb. 

b.  USING  OMS  MIXED  CROSSFEED  FOR  OMS  PROPELLANT  TANK 
FAILURES.  THIS  REQUIRES  MEMORY  READ/WRITE 
PROCEDURES . 

If  fuel  or  oxidizer  is  trapped  in  a  tank,  it  is  possible  to  control  the  Y  CG  by  using  fuel  or  oxidizer  from  a 
good  pod  with  fuel  or  oxidizer  from  the  failed  pod.  However,  a  memory  read/write  procedure  is  required 
to  properly  control  the  valves. 

C.  PERFORMING  A  PORTION  OF  A  TWO  ENGINE  BURN  FROM  A 
SINGLE  POD  FOR  A  SPECIFIED  DELTA  V. 

This  provides  a  powerful  means  of  CG  control,  and  procedurally,  the  crew  can  reconfigure  to  straight 
feed  for  the  remaining  portion  of  the  burn. 
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A4-153  CG  PLANNING  (CONTINUED) 

F.  COMBINATION  X  CG  AND  Y  CG  MANAGEMENT  TECHNIQUES  INCLUDE  THE 
FOLLOWING: 

1.  USING  THE  OMS  PROPELLANT  TO  ALTER  THE  CG' S  BY  MODIFYING 
THE  PROPELLANT  PLAN  OR  MAGNITUDE  OF  THE  SCHEDULED  OMS 
MANEUVERS . 

Changing  the  tanks  which  are  used  for  a  given  burn  controls  the  propellant  imbalance  and  lateral  CG, 
while  changing  the  magnitude  of  the  burn  alters  the  total  propellant  load.  For  an  orbiter  weighing 
220,000  lb,  each  225  lb  of  left-right  unbalance  causes  a  Y  CG  shift  of  about  0.1  inch.  Each  620  lb  of 
OMS  will  change  the  X  CG  by  about  1  inch.  ®[081 497-41 79B] 

2.  USING  THE  OMS/RCS  INTERCONNECT. 

The  left  and  right  pod  interconnect  schedule  can  be  modified  to  achieve  the  desired  Y  CG.  OMS 
imbalance  can  be  managed  by  feeding  OMS  to  RCS  to  minimize  the  Y  CG  imbalance.  Recall  that,  for  a 
220,000-lb  orbiter,  225  lb  of  OMS  retention  can  shift  the  Y  CG  by  about  0.1  inch.  X  CG  management  can 
be  affected  via  interconnect  of  RCS  with  OMS  for  attitude  control  maneuvers,  thus  controlling  the  X  CG 
using  nominal  mission  ops.  OMS  usage  affects  the  X  CG  more  than  the  RCS.  For  a  220,000-lb  orbiter, 
620  lb  of  OMS  interconnect  will  affect  the  X  CG  by  about  1  inch.  ®[120393-ED  ]  ®[081 497-41 79B] 

A4-154  DOWNTRACK  ERROR 

DEORBIT  WILL  NOT  BE  ATTEMPTED  WITH  ORBITER  STATE  VECTOR  DOWNTRACK 
ERRORS  IN  EXCESS  OF  20  NM. 

Prior  to  STS  -1,  analysis  was  performed  and  presented  to  Flight  Techniques  that  indicated  a  20  nm 
downtrack  error  was  the  maximum  that  could  be  steered  out  by  AUTO  guidance  between  130,000 feet 
and  TAEM  interface  in  the  presence  of  three-sigma  lift-to-drag  variations  and  worst  case  winds.  The 
requirement  to  recover  the  energy  error  between  130,000 feet  and  TAEM  interface  was  chosen  because 
neither  TACAN  acquisition  nor  delta  state  update  could  be  guaranteed  to  occur  above  130,000 feet  and 
because  of  large  uncertain  ties  in  energy  recovery  capability  (due  to  winds  and  lift-to-drag  variations) 
after  TAEM  interface.  This  rule  and  Rule  (A4-151),  IMU  ALIGNMENT,  are  correlated. 

Rule  {A8-1001J,  GNC  GO/NO-GO  CRITERIA,  and  Rule  {All-52},  LOSS  OF  BOTH  VOICE  AND 
COMMAND,  reference  this  rule.  ®[ED  ] 
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A4-155  SUN  ANGLE  LIMITS  AND  GLARE  CRITERIA  FOR  INNER  AND 

OUTER  GLIDE  SLOPES 

A.  SUN  ANGLE  LIMITS 

FOR  A  RUNWAY  TO  BE  GO,  SUN  POSITION  ON  FINAL  MUST  NOT  BE 
WITHIN  10  DEGREES  OF  CENTERLINE  IN  AZIMUTH  AND  FROM  0  TO 
20  DEGREES  ELEVATION. 

These  criteria  were  established  to  preclude  direct  sunlight  from  obstructing  the  crew’s  vision  on  final 
approach. 

B.  SUN  GLARE  CRITERIA 

FOR  INNER  AND  OUTER  GLIDESLOPES,  SUN  GLARE  PREDICTIONS  WILL 
BE  CONSIDERED  IN  RUNWAY  SELECTION  IF  MORE  THAN  ONE  ACCEPTABLE 
RUNWAY  IS  AVAILABLE.  THE  PRESENCE  OF  SUN  GLARE  DOES  NOT  MAKE 
A  RUNWAY  NO-GO. 

Sun  glare  occurs  when  the  film  of  dirt  from  SRB  separation  and  Sun  angle  on  cabin  windows  causes 
diffuse  forward  scattering  of  sunlight.  The  worst  scattering  occurs  when  the  Sun  is  at  an  angle  of  40 
degrees  from  the  normal  to  the  window.  Glare  drops  in  intensity  for  angles  greater  than  or  less  than 
this.  Sun  glare  is  predicted  if  the  Sun  position  on  final  approach  is  between  30  and  50  degrees  from  the 
normals  to  the  CDR’s  or  the  PLT’s  front  windows.  Flight  experience  indicates  that  glare  may  be  a 
problem,  and  it  may  in  some  cases  create  enough  of  a  nuisance  to  justify  trying  to  avoid  it,  assuming 
winds  and  weather  permit  and  navaids  and  landing  aids  criteria  are  met.  Sun  glare  should,  therefore, 
be  considered  in  runway  selection  when  more  than  one  choice  of  runway  is  available,  but  it  should  not 
have  the  weight  of  a  GO/NO-GO  criterion.  The  very  large  angular  exten  t  of  the  glare  zones  and  the 
impossibility  of  accurately  predicting  its  severity  would  restrict  landing  opportunities  if  Sun  glare  were 
a  GO/NO-GO  criterion. 
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A4-156  HAC  SELECTION  CRITERIA 

A.  FOR  THOSE  APPROACHES  THAT  TRANSITION  TO  APPROACH  AND 

LANDING  GUIDANCE  BY  9,000  FT  ALTITUDE,  THE  OVERHEAD  HAC 
APPROACH  IS  GENERALLY  PREFERRED  OVER  THE  STRAIGHT-IN  HAC 
APPROACH.  @[021998-6510] 

USE  TABLE  A4-156-I  BELOW  TO  DETERMINE  IF  OTHER  HAC  SELECTION 
OPTIONS  SHOULD  BE  CONSIDERED.  THE  6 -DEGREE -OF -FREEDOM  (DOF) 
SIMULATION  RESULTS  (WHEN  AVAILABLE)  WILL  TAKE  PRECEDENCE  OVER 
3-DOF  RESULTS. 

TABLE  A4-156-I  -  OVERHEAD  HAC  EVALUATION  CRITERIA 


3-DOF 

6-DOF 

HAC  SELECTION  OPTION 

MAX  HAC  ALT 
ERROR  LOW 
(FT) 

MAX 

QBAR 

(PSF) 

MAX  HAC  ALT 
ERROR  LOW 
(FT) 

MAX 

QBAR 

(PSF) 

?  3,700 

?  290  [1] 

?  4,500 

?  315  [1] 

OVERHEAD  HAC  NO-GO  [2] 

?  2,700 

N/A 

?  3,500 

N/A 

STRAIGHT-IN  HAC  PREFERRED  [3] 

?  1 ,700 

N/A 

?  2,500 

N/A 

DELAYED  CSS  PREFERRED  [4] 

?  1 ,700 

?  290  [1] 

?  2,500 

?  315  [1] 

NO  RESTRICTIONS 

NOTES: 

[1]  THE  QBAR  CRITERION  APPLIES  ONLY  TO  HAC’S  ?  300  DEG,  FROM  HAC  INITIATION  TO  20,000  FT  ALTITUDE  AGL. 

[2]  THE  OVERHEAD  HAC  IS  NO-GO  IF  EITHER  THE  ALTITUDE  ERROR  OR  QBAR  CRITERION  IS  VIOLATED. 

[3]  THE  STRAIGHT-IN  HAC  IS  PREFERRED  OVER  THE  OVERHEAD  HAC  TO  PROVIDE  A  MORE  BENIGN  TRAJECTORY. 
HOWEVER,  IF  THE  OVERHEAD  HAC  IS  SELECTED,  REFER  TO  [4]  BELOW. 

[4]  NOMINAL  CSS  ACTIVATION  SHOULD  BE  DELAYED  UNTIL  THE  ONBOARD  HAC  ALTITUDE  ERROR  LOW  IS  NO 
LONGER  DIVERGING  (APPROXIMATELY  1 80  DEG  HAC  TURN  REMAINING). 

The  approach  and  landing  guidance  transition  altitude  is  an  indication  of  the  ability  to  control  energy 
around  the  HAC  based  on  the  input  upper  level  winds  and  atmosphere.  Before  transitioning  to  approach 
and  landing  guidance,  four  constraints  must  be  satisfied.  These  constraints  are  altitude,  lateral  position, 
Qbar,  and  flight  path  angle  limits  referenced  to  the  outer  glideslope  profile.  The  earliest  altitude  to 
transition  is  10,000 ft,  and  9,000ft  is  considered  high  enough  to  preclude  significant  trajectory  deviations 
on  the  outer  glideslope.  The  evaluation  will  be  performed  by  Flight  Dynamics  Entry  Analysis  tools  using 
measured  and  forecasted  wind  data  and  AUTO  flight  control/ AUTO  speedbrake. 
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A4-156  HAC  SELECTION  CRITERIA  (CONTINUED) 

Overhead  HAC’s  are  generally  preferred  over  straight-in  HAC’s  because  they  provide  the  best  geometry 
for  allowing  clean-up  of  the  onboard  navigation  state  by  TACAN  and  because  they  provide  an  energy 
downmode  option.  However,  Table  A4-156-I  provides  special  considerations  for  HAC  selection  that 
provide  margin  to  compensate  for  the  severe  conditions  of  the  day.  These  conditions  and  corresponding 
criteria  were  presented  to  the  Ascent/Entry  Flight  Techniques  Panel  #137  on  February  27,  1997,  and 
were  developed  in  response  to  an  analysis  that  showed  TAEM  guidance  may  be  unable  to  limit  HAC  max 
Qbar  and/or  altitude  error  low  for  larger  HAC’s  (over  approximately  300  degrees)  due  to  Nz  limiting. 
@[021998-6510] 

The  Qbar  limit  for  HAC’s  ?  300  deg  specified  in  Table  A4-156-I  is  an  additional  constraint  to  the  Qbar 
limit  for  Mach  <  1  specified  in  Flight  Rule  {A4-207A}.2,  ENTRY  LIMITS.  These  constraints  provide  3- 
sigrnci  protection  against  violating  the  certified  structural  and  GN&C  Qbar  limit  of  375  psf(333  KEAS ) 
in  the  subsonic  region  as  defined  in  SODB  Volume  V.  For  smaller  HAC  turns  (under  300  degrees), 

Flight  Rule  { A4-207A}.2 ,  ENTRY  LIMITS,  provides  adequate  Qbar  protection  because  the  vehicle  will 
not  encounter  Nz  command  limiting,  and  Qbar  will  stay  within  the  guidance  I-locided  Qbar  limit  of  350 
psf  (321  KEAS). 

The  altitude  error  low  constrain  ts  defined  in  Table  A4-156-I  were  the  result  of  cm  analysis  done  using  a 
modified  Monte  Carlo  technique  that  varied  the  vehicle  navigation  state,  navigation  sensor  inputs  and 
atmosphere,  but  did  not  vary  the  winds.  The  6-DOF  50-cycle  Monte  Carlo  results  showed  that  at  a 
predicted  altitude  error  low  of 5,000 ft  or  more,  all  50  cases  experienced  a  HAC  shrink,  a  significant 
percentage  of  which  were  full  HAC  shrink,  and  some  cases  were  seen  where  the  HAC  phase  was  delayed. 
Although  many  of  the  cases  were  able  to  achieve  a  nominal  approach  and  landing  guidance  transition,  an 
altitude  error  low  of  5,000 ft  is  being  set  as  the  limit  of  entry  guidance  capability  due  to  the  extremely 
dynamic  nature  of  the  resulting  trajectory  and  its  sensitivity  to  additional  dispersions.  Exceeding  the 
4,500ft  (6-DOF)  maximum  altitude  error  low  criteria  results  in  greater  than  an  approximately  80  percent 
chance  of  triggering  a  HAC  shrink  at  KSC  15  (approximately  50  percent  at  EDW  04),  but  provides  500 ft 
of  protection  from  the  5,000ft  limit.  Exceeding  the  3,500 ft  (6-DOF)  maximum  altitude  error  low 
criterion  results  in  greater  than  35  percen  t  chance  (approximately  1 -sigma  protection)  of  triggering  a 
HAC  shrink,  but  provides  1,500ft  of  protection  from  the  5,000ft  limit.  These  backoffs  provide  margin  to 
protect  for  limitations  in  the  analysis  which  cannot  take  into  account  wind  persistence  or  the  full  range  of 
real-world  HAC  geometries,  runway  directions,  and  wind  direction  and  magnitudes.  The  3,700ft 
overhead  NO-GO  and  2,700ft  straight-in  preferred  3 -DOF  limits  from  Table  A4-156-I  are  based  on  an 
average  3-DOF  to  6-DOF  TAEM  simulation  bias  of 800 ft  determined  during  this  same  analysis. 

The  intent  of  delaying  nominal  CSS  activation  is  to  avoid  unnecessary  trajectory  perturbations  for  HAC’s 
that  are  predicted  to  be  dynamic  and/or  have  low  performance  margin.  Analysis  of  HAC  altitude  errors 
from  a  small  sample  of  flights  (four)  with  large  HAC’s  indicates  CSS  flight  results  in  trajectories  with 
maximum  HAC  altitude  errors  low  approximately  2,000ft  greater  than  3-DOF  real-time  predictions.  The 
1,700ft  limit  (3-DOF)  in  Table  A4-156-I  provides  2,000ft  of  CSS  dispersion  protection  against  exceeding 
the  3,700ft  maximum  altitude  error  low  limit  (3-DOF)  used  to  NO-GO  overhead  HAC’s.  @[021 998-651 0  ] 
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A4-156  HAC  SELECTION  CRITERIA  (CONTINUED) 

Predicted  altitude  errors  low  in  excess  of  2,500 ft  (6-DOF)  are  indicative  of  guidance  Nz  limiting  which 
results  in  a  nose-low  pitch  attitude.  Any  additional  nose-low  pitch  attitude  errors  beyond  the  guidance  Nz 
command  while  guidance  is  Nz  limited  will  likely  result  in  substantial  performance  degradation  (faster 
airspeed,  higher  Nz,  greater  altitude  rate,  more  roll,  steeper  flight  path  angle,  etc.).  The  most 
performance-critical  region  ofTAEM  is  HAC  initiation,  so  it  is  especially  prudent  to  minimize  deviations 
from  guidance  during  the  initial  portion  of  the  HAC.  Once  the  guidance  Nz  command  is  no  longer 
limited,  the  vehicle’s  pitch  attitude  will  get  shallower  and  the  HAC  altitude  error  will  stop  diverging  and 
soon  begin  to  converge.  However,  it  is  not  necessary  to  wait  until  the  HAC  altitude  error  is  converging 
to  engage  CSS,  since  substantial  performance  degradation  is  unlikely  after  the  vehicle’s  pitch  attitude 
has  shallowed.  The  best  tools  for  determining  if  the  altitude  is  diverging  from  its  reference  are  onboard, 
so  identifying  when  CSS  can  be  taken  is  best  performed  by  the  crew.  @[021998-6510  ] 

The  3 -DOF  evaluation  will  be  accomplished  with  the  Descent  Design  System  (DDS)  and  the  6-DOF 
evaluation  will  be  accomplished  with  the  Spacecraft  Trajectory  Analysis  and  Mission  Planning 
Simulation  (STAMPS).  In  the  event  that  there  is  a  conflict  in  meeting  the  criteria  in  Table  A4-156-I 
between  the  3 -DOF  and  6-DOF  evaluations,  the  results  of  the  6-DOF  evaluation  will  be  favored  due  to 
the  higher  fidelity  of  the  processor  (reference  STF  no.  DFD-97 -4235-016,  dated  March  12,  1997). 

Note:  Adjusting  for  the  nose-low  pitch  attitude  due  to  guidance  Nz  command  limiting  by  manually 

biasing  the  guidance  Nz  command  and  pitching  up  is  not  recommended  because  of  the  poten  tial 
for  violating  the  GN&C  upper  angle  of  attack  defined  in  the  SODB  Volume  V.  @[021998-6510  ] 

B.  IF  NONE  OF  THE  OPTIONS  IN  PARAGRAPH  A  ALLOWS  TRANSITION  TO 
APPROACH  AND  LANDING  GUIDANCE  BY  9,000  FEET  ALTITUDE,  THEN 
CONSIDER  A  24-HOUR  WAVE-OFF  AND/OR  USE  OF  THE  SECONDARY 
LANDING  SITE  TO  ACHIEVE  NOMINAL  APPROACH  AND  LANDING  GUIDANCE 
TRANSITION,  CONSISTENT  WITH  RULE  {A2-202},  EXTENSION  DAY 
GUIDELINES.  @[021998-6510] 

Delaying  1  day  increases  the  probability  of  going  to  the  PLS  and  of  having  acceptable  heading 
alignment  phase  guidance  capability. 

C.  IF  NONE  OF  THE  OPTIONS  IN  PARAGRAPH  A  OR  B  ALLOW  TRANSITION 
TO  APPROACH  AND  LANDING  GUIDANCE  BY  9,000  FEET  ALTITUDE, 

THEN  CONSIDER  USE  OF  THE  HIGHEST  PRIORITY  RUNWAY / HAC  OPTION 
THAT  MEETS  THE  TRANSITION  CRITERIA  BY  6,000  FEET  ALTITUDE. 
@[021998-6510] 

Transition  to  approach  and  landing  guidance  is  forced  at  5,000 feet  altitude,  whether  or  not  the  four 
transition  constraints  have  been  met.  A  6,000-foot  transition  altitude  indicates  the  AUTO  system 
satisfied  the  four  constraints  late  in  the  transition  period,  which  should  allow  for  acceptable  landing 
conditions  even  with  additional  dispersions.  @[061297-6006  ] 

Rule  {A2-202},  EXTENSION  DAY  GUIDELINES,  references  this  rule.  @[061297-6006  ] 
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A4-157  ENERGY  DOWNMODING 

THE  STRAIGHT-IN  OR  MINIMUM  ENERGY  POINT  (MEP)  OPTION  WILL  BE 
SELECTED  WHEN  A  VALID  KALMAN  FILTER  SOLUTION  OF  ENERGY  CROSSES 
THE  ENERGY  VERSUS  R-GO  DOWNMODE  CRITERIA.  THE  MEP  SHOULD  NOT  BE 
SELECTED  BETWEEN  HAC  INTERCEPTION  AND  REACHING  THE  180-DEGREE 
POINT  ON  THE  SPIRAL.  THE  ONBOARD  ALERT  WILL  BE  HONORED  IF  THE 
MCC  SOLUTION  IS  UNAVAILABLE. 


MEP  selection  is  an  energy  downmode  option  which  will  decrease  R-GO  by  approximately  6  miles.  This 
call  should  be  made  on  ly  when  the  ground  Kalman  filter  solution  is  valid.  The  ground  solu  tion  is  prime 
for  calling  the  straight-in  or  MEP  options.  If  MEP  is  selected  between  HAC  intercept  and  180-degree 
point  on  the  HAC,  guidance  may  add  360  degrees  to  the  HAC  causing  unexpected  approach  geometry 
and  more  energy  problems. 

A4-158  MANEUVER  EXECUTION  MATRIX 


MODE 

MNVR 

OVERBURN 

SHUTDOWN 

CRITERIA 

EARLY  C/O 
MNVR  COMP 
CRITERIA 

RCS  TRIM 

ALL  AXES 

MNVR  INHIBIT  OR 
TERMINATION 
CRITERIA  m 

MANUAL 
TAKEOVER 
CRITERIA  m 

NOM  & 

ATO 

OMS-1 

tGO  =  0 

ALWAYS 

COMPLETE 

?  2  FPS 

NONE 

IGN  ATTITUDE 
ERROR  >5  DEG 
OR 

5  DEG  DEVIATION 
DURING  MNVR 

OMS-2 

Hp>  MIN  Hp 

NONE 

AOA 

OMS-1 

lGO  =  0 

ALWAYS 

COMPLETE 

STEEP: 

?  2  FPS 

TGT 

PREBANK: 

?  0.5  FPS 

NONE 

IGN  ATTITUDE 
ERROR  >5  DEG 
OR 

5  DEG  DEVIATION 
DURING  MNVR 

OMS-2 

[2] 

lGO  =  0 

ORBITAL 

CRITICAL 

ALL 

tGO  =  0 

[3] 

COMPLETE 

?  0.2  FPS 

DELAY  UNTIL  IGN  ATT 
ERROR  <5  DEG  BUT 
BURN  NO  LATER  THAN 
END  OF  TIG  SLIP 
WINDOW 

IGN  ATTITUDE 
ERROR  >5  DEG 
OR 

5  DEG  DEVIATION 
DURING  MNVR 

ORBITAL 

NON¬ 

CRITICAL 

ALL 

tGO  =  0 

NONE 

?  2  FPS 

IGN  ATTITUDE  ERROR 
>5  DEG  OR  5  DEG 
DEVIATION  DURING 
MNVR 

NONE 

DEORBIT 

ALL 

[2] 

tGO  =  0 

ALWAYS 
COMPLETE  IF 
Hp<  SAFE  Hp 

STEEP: 

?  2  FPS 
TGT 

PREBANK: 

?  0.5  FPS 

IGN  ATTITUDE 
DEVIATION  >5° 

5  DEG  ATTITUDE 
DEVIATION 
DURING  MNVR 

@[011295-1691  ] 


NOTES: 

[1]  ENGINE  OUT  TRANSIENTS  NOT  INCLUDED. 

[2]  IF  ANY  IMU  ACCELEROMETER  FAILED,  SHUTDOWN: 

2  QMS  1  QMS 

BT  +  5  SECONDS  BT  + 10  SECONDS  @[011295-1691] 

[3]  FOR  PAYLOAD  SEPARATION  MANEUVERS,  ALWAYS  COMPLETE  TO  AT  LEAST  MINIMUM  SEPARATION  DELTA 
VELOCITY.  AFTER  MINIMUM  SEPARATION  DELTA  V  IS  ACHIEVED,  BURN  IS  NONCRITICAL. 
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A4-158  MANEUVER  EXECUTION  MATRIX  (CONTINUED) 

OVERBURN  SHUTDOWN  CRITERIA  -  December  1979  Flight  Techniques  determined  that  a  3- 
sigma  low  OMS  engine  performance  would  increase  a  nominal  deorbit  2-OMS  burn  duration  by 
approximately  3  seconds  (6  seconds  for  1-OMS)  and  that  a  2000  micro-G  accelerometer  error  would 
increase  the  maneuver  time  by  5  seconds  (10  seconds  for  1-OMS).  The  onboard  guidance  will 
accoun  t  for  off-nomincd  OMS  engine  performance  and  adjust  the  burn  time  as  necessary  to  achieve 
the  targeted  conditions  assuming  a  good  navigation  state.  However,  ifIMU  accelerometer  errors 
are  present,  the  velocity  to  be  gained  will  be  updated  incorrectly  such  that  the  targeted  conditions 
may  not  be  met.  If  the  accelerometer  error  is  in  the  direction  to  result  in  an  underburn,  the  burn  will 
be  completed  using  the  RCS  jets.  If  the  accelerometer  error  is  in  the  direction  to  result  in  an 
overburn,  a  manual  shutdown  will  be  performed  at  the  pre-bum  TGO  plus  5  seconds  for  2-OMS  (10 
seconds  for  1-OMS )  to  avoid  overburns  greater  than  20fps.  ®[oi  1295-1691  ] 

Terminating  at  Tqq  =0  is  sufficient  for  on-orbit  and  uphill  maneuvers.  If  the  maneuver  is  targeted  and 
cannot  be  overburned,  any  residuals  will  need  to  be  trimmed. 

EARLY  C/O  MNVR  COMP  CRITERIA  -  Nominal,  ATO,  and  AOA  OMS-1  maneuver  completion  is 
required  to  attain  a  safe  insertion  orbit.  Nominal  OMS-2  completion  to  a  perigee  of  Min  Hp  (ref.  the 
Annex  Flight  Rule,  TRAJECTORY  AND  GUIDANCE  PARAMETERS)  is  required  for  a  safe  orbital 
lifetime  of  24  hours,  assuming  OMS-1  apogee  of  150  nm  or,  3  orbits  assuming  OMS-1  apogee  of  105 
nm  An  AOA  OMS-2  is  a  deorbit  and,  since  perigee  is  already  less  than  Safe  Hp,  the  maneuver  must  be 
completed  to  attain  El  targets.  ®[ED  ] 

Any  orbital  maneuvers  considered  critical  should  be  completed  due  to  the  criticality.  Also,  based  on  the 
defin  ition  of  a  critical  maneuver,  it  cannot  be  rescheduled.  Therefore,  if  the  man  eu  ver  is  not  completed 
at  that  time,  severe  consequences  may  result.  A  payload  separation  maneuver  is  critical  for  crew  safety. 
Therefore,  the  maneuver  should  be  completed  to  at  least  a  minimum  separation  to  guarantee  less  than 
10X  tile  damage. 

A  noncritical  maneuver  should  not  be  completed  manually  since  it  can  be  rescheduled  if  necessary.  Also, 
this  allows  time  to  determine  the  failure  which  caused  the  maneuver  to  terminate  early. 

Deorbit  burns  that  cut  off  at  a  perigee  greater  than  Safe  Hp  will  be  retargeted  for  a  subsequent  deorbit 
one  orbit  later  or  up  to  24  hours  later  since  the  orbital  lifetime  allows  the  delay.  Deorbit  burns  that  cut 
off  at  perigee  less  than  Safe  Hp  should  be  completed  at  all  costs  to  attain  El  conditions  since  the  perigee 
is  unsafe  for  orbital  lifetimes  of  reasonable  lengths  to  retarget. 

RCS  TRIM  -  Ascent  and  deorbit  burns  are  large  and  all  uphill  and  El  targets  will  be  met  within 
allowable  tolerances  if  the  delta  V  imparted  is  within  2fps.  Specifically,  a  2  fps  underburn  for  deorbit 
equates  to  a  30  nm  energy  error  at  El,  which  is  an  acceptable  error,  well  within  guidance  capability  to 
converge  by  M  =  12.  Uphill  delta-V  accuracy  requirements  are  even  less  critical,  and  2  fps  is  deemed 
very  achievable. 
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A4-158  MANEUVER  EXECUTION  MATRIX  (CONTINUED) 

Critical  orbital  maneuvers  should  be  completed  to  0.2  fps  due  to  their  criticality  and  since  the  maneuver 
cannot  be  rescheduled  to  make  up  for  the  trim  errors.  Additionally,  it  is  importan  t  to  trim  payload 
separation  maneuvers  to  within  0.2  fps  of  the  design  limit  to  meet  tile  damage  limit  criteria. 

It  is  not  necessary  to  trim  noncritical  orbital  maneuvers  precisely.  Two  fps  was  selected  since  PEG-7 
guidance  can  achieve  this  for  an  OMS  burn  without  any  RCS  trimming. 

MANUAL  TAKEOVER,  MNVR  INHIBIT,  OR  TERMINATION  CRITERIA  -  A  5-degree  attitude  deadband 
is  the  largest  available,  and  an  ignition  attitude  error  or  deviation  greater  than  this  indicates  flight 
control  malfunction.  Nominal  ATO  and  AOA  OMS-1  and  -2  are  time-critical  burns  sequenced  such  that 
the  ignition  attitude  may  not  have  been  attained.  For  out-of-attitude  cases  or  attitude  deviations  during 
the  maneuver,  the  maneuver  should  still  be  performed  ( i.  e. ,  not  inhibited  or  terminated),  but  performed 
manually.  The  deorbit  burn  attitude  is  entered  in  a  controlled,  timely  manner,  and  the  maneuver  can  be 
postponed  for  an  unacceptable  attitude  error.  A  maneuver  inhibit  should  be  accomplished  for  attitude 
errors  greater  than  5  degrees.  If  ignition  has  occurred,  maneuver  completion  is  important,  and  a 
manual  takeover  should  be  performed  for  deviations  greater  than  5  degrees. 

Critical  maneuvers  should  be  completed  once  started.  Payload  separation  maneuvers  should  be 
completed  to  at  least  minimum  separation  delta-velocity.  This  is  due  to  the  definition  of  a  critical  burn. 
Critical  maneuvers  should  not  be  executed  until  the  vehicle  attitude  error  is  less  than  5  degrees  or  until 
the  end  of  the  TIG  slip  window,  whichever  occurs  first.  If  the  attitude  error  during  the  maneuver  drifts 
outside  5  degrees,  the  crew  should  take  over  and  manually  steer  the  vehicle  towards  the  correct  attitude. 

Noncritical  orbital  maneuvers  should  not  be  executed  if  the  vehicle  is  not  in  attitude.  Also,  if  the  vehicle 
drifts  out  of  attitude  during  the  maneuver,  the  maneuver  should  be  terminated.  A  later  maneuver  can  be 
scheduled  to  correct  errors  imparted  to  the  trajectory  if  necessary. 

A4-159  ORBITER  LANDING  WEIGHT 

A.  THE  FOLLOWING  CONDITIONS  ARE  ASSUMED  FOR  THE  CALCULATION  OF 
THE  ORBITER  EOM  LANDING  WEIGHT:  ®[081 497-41 79B] 

The  resulting  calculations  ofX  CG,  Y  CG,  and  landing  weight  are  reported  as  the  expected  EOM 
conditions.  The  X  CG  and  Y  CG  data  used  from  this  step  are  used  in  the  DEL  PAD. 

1.  THE  PLANNED  DEORBIT  BURN  IS  SUCCESSFUL  AND  THE  DESIRED 
OMS  BALLAST  REMAINS  ONBOARD  AS  THE  RESIDUAL. 

Assumes  a  nominal  deorbit  burn  and  entry  for  EOM  conditions.  ®[081 497-41 79B] 
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A4-159  ORBITER  LANDING  WEIGHT  (CONTINUED) 

2.  THE  NOMINAL  ARCS  QUANTITY  IS  USED  DURING  ENTRY .  ®[081 497-41 79B] 

The  nominal  ARCS  quan  tity  used  should  be  the  planned  usage  for  the  particular  mission  and  does  not 
necessarily  agree  with  the  redline  shown  in  Rule  {A6-305},  AFT  RCS  REDLINES. 

3.  A  SUCCESSFUL  FRCS  DUMP,  IF  PLANNED. 

Self-explanatory. 

4.  NOMINAL  EOM  NON-PROPELLANT  CONSUMABLES  USAGE. 

The  nominal  non-propellant  consumables  for  the  flight  is  shown  in  the  Fluids  Budget  of  the  SODB  flight 
specific  Amendment  Data  Submittal. 

B.  LANDING  WEIGHT  CONSTRAINTS: 

IF  THE  CALCULATED  LANDING  WEIGHT  EXCEEDS  THE  FOLLOWING 
LIMITS,  THE  ORBITER  WEIGHT  MUST  BE  BROUGHT  WITHIN  LIMITS  BY 
FRCS  DUMP  AND  REDUCTION  OF  OMS  REMAINING  (BUT  NOT  LESS  THAN 
THE  MINIMUM  TANK  CONSTRAINT)  .  ®[041 196-1 789B] 

1.  ASCENT  ABORT  AND  EOM  LANDING  WEIGHT  LIMITS: 


FLIGHT  PHASE: 

INCLIN 

IATION 

28.5? 

39.0? 

51.6? 

57.0? 

RTLS 

248K LBS 

248K LBS 

245K LBS 

242K LBS 

TAL 

248K LBS 

248K LBS 

244K  LBS 

241 K  LBS 

AOA 

248K LBS 

248K LBS 

233K LBS 

233K  LBS 

ATO  (DAY  1) 

240K LBS 

233K LBS 

230K LBS 

230K LBS 

NOMINAL  EOM 

233K LBS 

233K  LBS 

233K LBS 

233K  LBS 

®[1 01 096-421 1  A]  ®[081 497-41 79B] 
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ORBITER  LANDING  WEIGHT  (CONTINUED) 

UNPLANNED  PAYLOAD  RETURN  WEIGHT  MUST  BE  ?  ATO  LANDING 
WEIGHT,  AND  DEORBIT  OPPORTUNITIES  MUST  MEET  THE  ORBITER 
THERMAL  CRITERIA  FOR  NOMINAL  EOM  .  ®[041 1 96-1 789B]  ®[081 497-41 79B] 

FLIGHT  SPECIFIC  EXCEPTIONS  TO  ANY  OF  THE  ABORT  OR  END  OF 
MISSION  LANDING  WEIGHT  LIMITS  WILL  BE  DOCUMENTED  IN  THE 
FLIGHT  SPECIFIC  ANNEX  WITH  ASSOCIATED  SSP  WAIVERS 
OBTAINED,  AS  REQUIRED. 

NOTE:  THE  ATO  LANDING  WEIGHT  LIMITS  ARE  REDUCED  TO 

PROTECT  THE  ENTIRE  XCG  ENVELOPE  FOR  ALL  ATO 
OPPORTUNITIES  AND  ALL  SEASONS.  HEAVIER  LANDING 
WEIGHTS  MAY  BE  ACCEPTABLE  BUT  MUST  BE  EVALUATED 
ON  A  MISSION-SPECIFIC  BASIS.  @[101096-421 1  A] 

Any  flight  with  a  manifest  that  results  in  an  intact  abort  or  EOM  landing  weight  greater  than  currently 
certified  limits  must  have  a  waiver  specifying  the  limit  for  that  flight.  The  230  KLB  high  inclination 
ATO  weight  limit  protects  for  shallow  deorbit  on  the  most  thermally  stressful  ATO  deorbit  opportunities 
for  all  seasons  and  cdl  XCG’s.  ATO  deorbit  opportunities  may  exist  for  which  a  233  KLB  downweight 
would  be  acceptable,  but  to  exceed  the  230  KLB  limit,  these  opportunities  must  be  determined  by  pre¬ 
flight  analysis  and  be  documented  in  the  flight  rules  annex.  Flight-specific  exceptions  to  the  landing 
weight  limits  are  documented  in  Flight  Rules  Annex  rule,  TRAJECTORY  AND  GUIDANCE 
PARAMETERS.  When  OMS  ballast  techniques  are  requ  ired,  the  first  priority  is  protecting  the  forward 
X  CG  limit;  therefore,  the  OMS  ballast  required  for  protecting  forward  X  CG  may  not  be  reduced  to 
achieve  the  landing  weight  limit.  OMS  propellant  in  excess  of  the  ballast  may  be  used  to  reduce  the 
orbiter  landing  weight.  (Ref.  PRCB  S40522J.)  Early  mission  termination  may  result  in  a  landing 
weight  that  slightly  exceeds  the  unplanned  payload  return  limit  due  to  nonpropulsive  consumables  still 
onboard.  ®[1 01 096-421 1  A] 

The  thermal  cross  range  limit  for  end-of-mission  deorbit  opportunities  is  determined  preflight.  In  the 
event  of  early  mission  termination  and  unplanned  payload  return,  a  thermal  evaluation  will  be  conducted 
for  the  available  deorbit  opportunities,  if  time  permits  (i.e.,  next  PLS  or  MDF).  Deorbit  opportunities 
will  be  selected  for  crossrcmge  and  approach  geometry  which  result  in  thermally  acceptable  entries.  If 
none  of  the  available  deorbit  opportunities  are  within  thermal  limits,  the  opportunity  with  the  min  imum 
thermal  violation  will  be  selected.  The  landing  weight  capability  limits  are  defined  in  NSTS  07700, 
Volume  III  ( updated  by  PRCBD  NO.  S052638Q).  The  NSTS  07700,  Volume  X  landing  weight  limits, 
which  are  certification  requirements,  will  eventually  become  the  new  landing  weight  limits  once 
certification  and/or  the  orbiter  thermal  envelope  expansion  occurs.  The  orbiter  thermal  limits  are 
documented  in  SOD,  Volume  V  (NSTS  08934),  Orbiter  Flight  Capabilities  Envelopes.  @[041196  1789B] 
@[101096-4211  A] 

Rule  {A6-305},  AFT  RCS  REDLINES;  and  Rule  {A4-207},  ENTRY  LIMITS,  reference  this  rule. 

®[081 497-41 79B] 
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A4-201  DELTA-T  UPDATE  CRITERIA 

A  DOWNTRACK  CORRECTION  TO  THE  STATE  VECTOR  AND  A  BFS  NAVIGATION 
VECTOR  TRANSFER  WILL  BE  PERFORMED  BETWEEN  DEORBIT  AND  300,000 
FEET  IF  A  VALID  DELTA-T  SOLUTION  EXISTS,  NAVIGATION  SYSTEM 
ANOMALIES  INDICATE  A  HIGH  LIKELIHOOD  OF  NAVIGATION  ERRORS,  AND 
THE  INSTANTANEOUS  DOWNTRACK  ERROR  COMPUTED  BY  THE  DELTA-T 
PROCESSOR  IS  GREATER  THAN  8  NM.  FOR  ERRORS  LESS  THAN  8  NM,  NO 
UPDATE  WILL  BE  REQUIRED. 

An  entry  navigation  Monte  Carlo  analysis  performed  from  TIG  through  touchdown,  utilizing  the  Oracle 
entry  navigation  simulation,  indicated  that  there  is  no  onboard  navigation  requirement  for  delta-T 
update  for  navigation  downtrack  error  less  than  8  nm  (see  minutes  for  Ascent/Entry  Flight  Techniques 
Panel  Meeting  #71  held  September  21,  1990).  Eight  nm  is  the  expected  3-sigma  downrange  error 
resulting  from  the  sensor  error  models  and  initial  navigation  error  assumptions  selected  for  this  study. 
These  initial  conditions  have  been  used  consistently  for  Oracle  studies  since  before  STS-1.  The 
maximum  downtrack  error  obsen’ed  at  El  for  STS-1  through  STS-31  was  2  nm. 

Studies  performed  using  the  Entry  Navigation  Reconstruction  program  indicate  that,  due  to  unmodeled 
aerodynamic  accelerations,  the  incorporation  of  large  delta-T  corrections  several  minutes  after  initial 
IMU  processing  can  result  in  a  diverging  navigation  state.  This  study  indicated  that  300,000 feet 
represents  a  minimum  safe  altitude  for  incorporating  delta-T  updates. 

At  least  one  C-band  radar  is  required  for  the  generation  of  the  delta-T  downtrack  correction.  In  order 
for  the  computed  delta-T  to  be  considered  valid,  agreement  between  the  AOS  arid  LOS  computed  values 
is  required.  Data  processed  from  a  second  independent  C-band  source,  if  available,  can  be  used  to 
confirm  the  presence  of  a  large  onboard  state  error.  The  accuracy  of  the  delta-T  solution  is  degraded  by 
the  presence  of  large  radial  or  crosstrack  errors.  The  Ground  Navigation  Officer  will  analyze  the 
C-band  tracking  data  residuals  and  signature  to  determine  whether  the  delta-T  correction  will  be  valid. 

Large  onboard  navigation  state  errors  observed  during  the  delta-T  tracking  pass  can  be  caused  by 
an  inaccurate  onboard  navigation  state  vector  prior  to  deorbit,  multiple  IMU  failures,  poor  IMU 
performance,  or  the  erroneous  execution  of  navigation  related  crew  procedures.  The  presence  of  a 
large  onboard  navigation  state  error  should  be  presaged  by  such  a  problem. 
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A4-202  DEORBIT  BURN  COMPLETION 

THE  FOLLOWING  TECHNIQUES,  IN  ORDER  OF  PRIORITY,  WILL  BE  UTILIZED 
IN  THE  EVENT  OF  DELTA  V  DEFICIENCY  AT  OMS  CUTOFF  FOR  THE  DEORBIT 
MANEUVER . 

A.  TRIM  WITH  THE  ARCS,  NOT  TO  EXCEED  ARCS  QUANTITY  1. 

B.  TRIM  WITH  THE  FORWARD  RCS  TO  DEPLETION. 

C.  PREBANK  TO  THE  REDESIGNATION  CONTINGENCY  LIMIT  FOR  THE  PRIME 
LANDING  SITE  (PROTECTS  THERMAL  CONSTRAINT  OR  NO  GREATER  THAN 
135-DEGREE  PREBANK) . 

D.  REDESIGNATE  TO  THE  BACKUP  SITE  (IF  AVAILABLE)  WITH  PREBANK  TO 
THE  REDESIGNATION  CONTINGENCY  LIMIT  (NORTHRUP  FOR  EDWARDS 
PLS )  . 

E.  TRIM  WITH  THE  AFT  RCS,  NOT  TO  EXCEED  ARCS  QUANTITY  2. 

F.  PREBANK  AS  REQUIRED  UP  TO  180  DEGREES. 

This  rule  was  developed  in  various  working  group  meetings  to  define  the  procedures  for  completing  the 
deorbit  burn  after  all  OMS  downmode  options  have  been  exercised  and  ARCS  fuel  to  the  ARCS  entry 
redline  has  been  used.  The  deorbit  burn  completion  cue  cards  incorporate  the  techniques,  according  to 
the  defined  priorities. 

ARCS  propellant  is  budgeted,  including  entry  DTO’s,  PTI’s,  etc.,  in  option  A  for  burn  completion.  If  the 
targets  can  be  accomplished  using  the  fuel  down  to  ARCS  quantity  1,  the  vehicle  integrity  and  crew 
safety  have  not  been  compromised.  This  ARCS  option  is  preferred  to  the  FRCS  because  no  large  attitude 
change  is  required,  nor  is  the  execution  of  the  more  complicated  FRCS  burn  procedure  required. 

Option  B  is  trimming  with  the  FRCS.  This  propellant,  if  not  used  for  trimming  the  burn,  is  either 
dumped  prior  to  entry  or  maintained  for  ballast.  Use  of  the  FRCS  fuel  is  preferred  over  an  equivalent 
prebank.  The  thermal  effects  of  the  prebank  are  considered  more  severe  than  execution  of  the  FRCS  trim 
procedures. 

Options  C  and  D  incorporate  use  of  the  prebank  to  obtain  atmospheric  capture  while  maintaining  ARCS 
quantity  1  fuel.  Use  of  the  prebank  stresses  the  TPS.  Option  C  limits  the  prebank  to  the  redesignation  limit 
while  maintaining  the  capability  to  land  at  the  prime  site.  The  redesignation  limit  will  not  be  greater  than 
135  degrees  of  prebank,  or  exceedance  of  a  thermal  limit  based  on  35  mission  wing  leading  edge  reuse 
temperature  constraint  ( TBD  degrees  F).  Current  analysis  tools  use  a  simplified  thermal  model  which 
overpredicts  wing  leading  edge  temperature  by  150  degrees  F.  For  analysis  purposes,  the  wing  leading  edge 
thermal  limit  will  be  2950  degrees  F.  Option  D  calls  for  a  prebank  to  the  redesignation  limit  to  the  backup 
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A4-202  DEORBIT  BURN  COMPLETION  (CONTINUED) 

landing  site  (if  available).  Vehicle  turnaround  may  be  lengthened  due  to  the  lack  of  postlanding  support  at 
the  backup  landing  site.  The  computations  ofL  OMS  Hp,  R  OMS  Hp,  PRI  Hp,  and  B/U  Hp  will  assume  the 
delta  Hp  due  to  prebank  to  the  redesignation  limit,  regardless  of  whether  a  backup  site  is  available  or  not. 

Option  E  uses  fuel  below  the  ARCS  entry  redline,  down  to  ARCS  quantity  2.  This  provides  enough  fuel 
for  attitude  control  to  Q-bar  -  20  psf  After  Q-bar  =  20,  aerodynamic  control  is  possible  but  risky 
without  the  yaw  jets.  NO  YAW  JET  is  now  a  certified  entry  mode. 

The  last  option  calls  for  using  prebank  between  the  redesignation  limit  up  to  the  maximum  of  180  degrees. 
This  is  the  last  resort  since  the  use  of  maximum  prebank  and  no  yaw  jet  control  after  Q-bar  =  20  psf 
indicate  that  the  capability  to  reach  the  landing  site,  vehicle  stability,  TPS  integrity,  and  crew  safety  are 
being  compromised.  Preserving  this  prebank  ( from  the  redesignation  limit  to  180  degrees)  as  the  very  last 
option  also  provides  some  margin  in  case  the  FRCS  burn  does  not  provide  the  delta  V predicted. 


A4-203  ENTRY  NAVIGATION  UPDATE  PHILOSOPHY  @[072601 -4530B] 

A.  GPS  WILL  BE  USED  TO  CORRECT  ONBOARD  NAVIGATION  ERRORS  THAT 
EXCEED  FLIGHT  RULE  LIMITS  (REF  RULES  {A4-204},  DELTA  STATE 
POSITION  UPDATES,  AND  {A4-205},  DELTA  STATE  VELOCITY  UPDATES) 
WHEN  GPS  IS  VERIFIED  TO  BE  FUNCTIONING  PROPERLY  AND  THE 
FOLLOWING  CRITERIA  ARE  SATISFIED:  @[062702-5439] 

1.  GPS  VERSUS  GROUND  FILTER  UVW  POSITION  DIFFERENCES  ?  3000 
FEET  FOR  EACH  COMPONENT  ABOVE  130  KFT  ALTITUDE  AND  ?  1000 
FEET  FOR  EACH  COMPONENT  BELOW  130  KFT  ALTITUDE. 

2.  GPS  COMPUTED  VERSUS  ACTUAL  TACAN  RANGE  DIFFERENCES  ?  0.5 
NM  FOR  TACAN  STATIONS  OPERATING  WITHIN  ACCEPTABLE  LIMITS 
(REF  RULE  {A8-52B}.2,  SENSOR  FAILURES). 

THE  GROUND  DELTA  STATE  PROCESSOR  WILL  BE  USED  AS  A  SECOND 
PRIORITY  TO  CORRECT  ONBOARD  NAVIGATION  ERRORS.  @[062702-5439] 

THIS  RULE  CONTINUED  ON  NEXT  PAGE 
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A4-203  ENTRY  NAVIGATION  UPDATE  PHILOSOPHY  (CONTINUED) 

A  GPS  update  or  a  delta  state  update  will  be  performed  to  correct  onboard  state  vector  errors  that 
exceed  flight  rule  limits.  The  ground  delta  state  update  process  assumes  the  following:  the  ground 
Kalman  filter  solution  is  valid  (reference  Rule  { A4-51J ,  KALMAN  FILTER  SOLUTION ),  state  vector 
errors  are  linear  with  time,  velocity  errors  are  constant,  ground  and  onboard  runways  agree,  and  the 
onboard  navigation  update  time  will  be  close  to  the  predicted  update  time.  Ncivaid  inhibits  are  required 
for  velocity  delta  state  updates  and  navigation  corrections  after  HAC  intercept.  After  a  delta  state 
update  is  performed,  it  is  possible  that  the  remaining  onboard  navigation  errors  would  have  to  be 
corrected  with  cm  additional  delta  state  update.  The  use  of  GPS  to  correct  onboard  navigation  errors  is 
preferred  over  the  delta  state  update  process  as  long  as  GPS  is  verified  to  be  functioning  properly  (no 
hardware  problems  or  commfaults,  low  FOM,  tracking  four  satellites).  Caution  should  be  taken  when 
using  GPS  state  vectors  with  FOM’s  >5  (650 feet  position  error  one  sigma )  since  the  estimated  position 
error  increases  rapidly  with  higher  FOM  values.  If  GPS  receiver  performance  has  been  good,  the 
decision  to  perform  a  GPS  update  instead  of  a  delta  state  update  is  made  based  on  state  vector- 
differences  between  GPS  and  the  ground  filter.  The  criteria  for  acceptable  UVW  position  differences 
were  discussed  at  the  AEFTP  # 182  on  February  15,  2002  and  were  established  based  on:  1 )  the  amount 
of  onboard  navigation  error  correction  and  associated  delta  state  update  accuracy,  2)  ground  filter- 
errors  at  initial  low  elevation  tracking  angles,  3)  onboard  Ncivaid  processing  and  guidance  capability 
after  a  biased  GPS  state  vector  update,  and  4)  the  desire  to  have  a  simple  two-tier  console  limit 
procedure  which  reflects  the  increased  accuracies  at  lower  altitudes.  Once  the  criteria  for  GPS  versus 
ground  filter  position  differences  have  been  satisfied,  a  direct  verification  that  GPS  is  acceptable  for  the 
update  has  been  performed.  This  is  the  primary  method  for  GPS  state  vector  confirmation.  Ground 
filter  velocity  output  is  very  noisy  throughou  t  the  entry  period  and  is  therefore  not  used  in  the  criteria  for- 
evaluating  the  GPS  vector.  Significant  errors  in  the  GPS  velocity  components  without  a  corresponding 
error  in  the  position  components  or  the  FOM  value  would  be  a  rare  condition.  @[062702-5439  ] 

Another  crosscheck  on  GPS  position  accuracy  is  the  difference  between  GPS  computed  and  actual 
TACAN  range  measurements.  The  MCC  has  a  ground  processor  that  computes  equivalent  TACAN 
measurements  based  on  downlisted  GPS  state  vectors.  If  the  TACAN  ground  station  is  confirmed  to  be 
within  acceptable  limits  (ref.  Rule  (A8-52B}.2,  SENSOR  FAILURES),  the  difference  between  the  GPS 
computed  and  actual  TACAN  range  measurements  should  not  be  more  than  0.5  nm.  The  0.5  nm  range 
check  accounts  for  small  spec  errors  in  the  GPS  vector  at  the  FOM  =  5  limit  (0.1  nm)  and  for  potential 
spec-level  calibration  errors  in  both  the  TACAN  LRU  (0.1  nm)  and  ground  station  hardware  (0.3  nm). 
Ncivaid  inhibits  are  not  required  before  a  GPS  navigation  update.  Once  GPS  state  vector  accuracy  has 
been  confirmed  with  ground  filter  solutions,  a  GPS  update  would  provide  a  more  accurate  onboard 
navigation  correction  in  a  timelier  manner  compared  to  the  delta  state  update  process.  @[072601 -4530B] 
@[062702-5439  ] 
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A4-203  ENTRY  NAVIGATION  UPDATE  PHILOSOPHY  (CONTINUED) 

B.  GPS  OR  VELOCITY  DELTA  STATE  UPDATES  WILL  REQUIRE  CSS  MODE  TO 
PREVENT  EXCESSIVE  TRANSIENT  MANEUVERS.  @[072601 -4530B] 

If  a  GPS  update  is  incorporated  with  metering  logic  overridden  or  a  total  delta  state  update  is 
incorporated,  the  velocity  corrections  put  a  step  function  into  the  flight  control  system.  The  transients 
caused  by  the  step  function  can  cause  large  maneuvers  which  could  overstress  the  vehicle  or  cause  loss 
of  control.  Going  CSS  when  a  GPS  (with  metering  overridden)  or  velocity  delta  state  update  is 
incorporated  allows  the  crew  to  manually  filter  transients. 

C.  POSITION  DELTA  STATE  UPDATES  OCCURRING  NEAR  TAEM  INTERFACE 
(M  =  5  TO  M  =  2.5  FOR  EOM  AND  AOA  AND  M  =  5  TO  M  =  3.2  FOR 
RTLS )  WILL  REQUIRE  CSS  TO  PREVENT  EXCESSIVE  TRANSIENT 
MANEUVERS . 

Entry  guidance  is  targeted  towards  a  specific  set  of  end  conditions  at  TAEM  in  terface.  For  any  given 
position  error,  the  correction  needed  to  satisfy  the  interface  conditions  grows  as  you  approach  TAEM. 
Going  CSS  for  a  delta  state  update  close  to  TAEM  interface  allows  the  crew  to  filter  the  guidance 
commands  to  keep  from  overstressing  the  vehicle. 

D.  DELTA  STATE  UPDATES  WILL  NORMALLY  NOT  BE  PERFORMED  AFTER  HAC 
ACQUISITION.  HOWEVER,  IF  VISUAL  CONTACT  WITH  THE  RUNWAY 
CANNOT  BE  MAINTAINED  BY  THE  CREW,  GPS  OR  DELTA  STATE  UPDATES 
WILL  BE  CONTINUED  AS  LONG  AS  THE  ONBOARD  STATE  VECTOR  CAN  BE 
IMPROVED . 

After  HAC  intercept,  a  delta  state  update  will  normally  not  be  performed  if  the  crew  has  visual  contact 
with  runway  because  transients  caused  by  a  delta  state  could  prove  distracting.  Also,  the  external  data 
sources  (TACAN,  BARO,  MLS)  would  need  to  be  deselected  in  order  to  allow  the  ground  processor  to 
compute  the  proper  corrections.  A  GPS  update  may  be  performed  after  HAC  intercept  to  cdlow  the  crew 
to  fly  good  guidance  commands.  @[072601 -4530B] 
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A4-204  DELTA  STATE  POSITION  UPDATES 

A.  FOR  POSITION  COMPONENT  EXCEEDANCE,  A  GPS  OR  THREE-COMPONENT 
(POSITION  ONLY)  UPDATE  WILL  BE  EXECUTED  (REF  RULE  {A4-203}, 
ENTRY  NAVIGATION  UPDATE  PHILOSOPHY).  @[072601-4531]  @[062702-5440] 

The  use  of  GPS  to  correct  onboard  navigation  errors  is  preferred  over  the  delta  state  update  process  as 
long  as  GPS  is  verified  to  be  functioning  properly  (no  hardware  problems  or  commfaults,  low  FOM, 
tracking  four  satellites).  Caution  should  be  taken  when  using  GPS  state  vectors  with  FOM’s  >5  (650 feet 
position  error  one  sigma)  since  the  estimated  position  error  increases  rapidly  with  higher  FOM  values. 

B.  POSITION  REQUIREMENTS: 


RTLS 

EOM 

DELTA  POSITION 
(FT) 

DELTA  POSITION 
(FT) 

X  Y  Z 

X  Y  Z 

H  >  100K  FT...  18K  18K  6K 

H  <  100K  FT...  6K  6K  3K 

H  >  130K  FT... 

H  <  130K  FT... 

H  <  90K  FT... 

48 K  48 K  12K 

6K  6K  6K 

6K  6K  3K 

This  rule  con  tains  the  criteria  for  performing  a  position  -only  delta  state  update  to  correct  the  onboard 
navigation  for  both  GRTLS  and  end  of  mission.  The  delta  state  processor  is  a  ground  processor  that 
compares  the  onboard  vector  to  time-correlated  radar  tracking  data  and  outputs  the  deltas  in  runway 
Cartesian  coordinates.  This  data  is  observed  on  the  ground  as  three  components  of  position  and  three 
components  of  velocity.  The  position  update  limits  were  set  in  order  to  meet  guidance  imposed 
navigation  accuracy  requirements  (ref.  STS  81-0366,  appendix  A,  Navigation  Performance 
Requirements).  These  accuracy  requirements  were  identified  to  ensure  auto  guidance  capability  to 
achieve  the  runway  after  correcting  the  onboard  navigation  state.  The  guidance  requirements  are  ramp 
functions  of  altitude,  but  in  order  for  a  ground  operator  to  obser\’e  six  error  components  on  a  constantly 
updating  digital  display  and  compare  them  to  variable  error  limits,  it  was  necessary  to  simplify  the 
update  criteria.  When  the  errors  observed  in  the  onboard  state  exceed  the  limits  defined  in  this  rule,  a 
GPS  or  delta  state  update  is  initiated  on  the  ground.  For  GRTLS,  the  two  tier  set  of  limits  was  chosen 
with  a  breakpoint  at  100,000 feet  altitude,  since  it  is  desired  to  remove  state  errors  before  TAEM 
in  itiation.  The  limits  above  100,000 feet  altitude  are  tighter  than  for  EOM,  since  there  is  little  ranging 
control  exercised  in  GRTLS  until  TAEM,  which  is  initiated  at  M=3.2  or  around  92,000 feet  altitude.  For 
EOM,  the  guidance  requirements  dictate  that  the  errors  be  under  control  and  decreasing  with  altitude  by 
around  130,000 feet,  the  point  at  which  TACAN’s  are  usually  incorporated  into  the  onboard  navigation 
state.  Therefore,  this  point  was  chosen  as  the  breakpoint  for  the  EOM  three-tier  update  criteria. 
@[072601-4531  ] 
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A4-204  DELTA  STATE  POSITION  UPDATES  (CONTINUED) 

The  third  tier  was  added  for  EOM  to  allow  a  further  breakdown  of  allowable  altitude  error.  Instead  of  a 
delta-Z  limit  of  3k  feet  at  an  altitude  of  130,000 feet,  a  6k-foot  error  is  permitted  between  130,000  and 
90,000 feet,  and  then  the  3k  limit  applies  below  90,000 feet  altitude.  This  additional  limit  may  preclude 
the  likelihood  of  an  unnecessary  delta  state  update  to  correct  a  delta-Z  error  that  could  be  reduced  by 
the  use  of  DRAG  processing  in  the  more  accurate  lower  region  of  the  onboard  altitude  atmospheric 
model.  TACAN processing  will  not  have  much  effect  on  the  altitude  error  unless  the  orbiter  passes  over 
the  TACAN  ground  station  so  that  the  majority  of  the  range  measurement  is  altitude  rather  than 
downtrack  and  crosstrack. 

Rule  { A4-151 },  IMU  ALIGNMENT,  and  Rule  {A4-206J,  NAVIGATION  FILTER  MANAGEMENT 
AUTO/INHIBIT/FORCE  (AIF),  reference  this  rule. 


A4-205  DELTA  STATE  VELOCITY  UPDATES 

DUE  TO  ONBOARD  DRAG  ALTITUDE  UPDATING,  THE  DELTA  STATE  VELOCITY 
COMPONENTS  ARE  NOT  SUFFICIENTLY  ACCURATE  TO  MONITOR  THE  ONBOARD 
VELOCITY  ERRORS;  THEREFORE,  THE  ONBOARD  VELOCITY  ERRORS  WILL  BE 
EVALUATED  USING  GPS  AND  THE  RADAR  HIGH  SPEED  FILTER  VELOCITY 
ERRORS.  AN  ONBOARD  VELOCITY  UPDATE  WILL  BE  PERFORMED  FOR  A 
VELOCITY  ERROR  >75  FPS  IN  ANY  COMPONENT.  RADAR  VELOCITY  3  SIGMA 
UNCERTAINTIES  OF  UP  TO  60  FPS  COULD  RESULT  IN  ONBOARD  VELOCITY 
ERRORS  OF  UP  TO  135  FPS  PRIOR  TO  A  GROUND  UPDATE.  IF  ADELTA 
STATE  VELOCITY  UPDATE  IS  REQUIRED,  DRAG  ALTITUDE  UPDATING  WILL  BE 
INHIBITED  TO  ASSURE  VALID  COMPUTATION  OF  PROPAGATED  VELOCITY 
ERRORS,  AND  A  SIX-COMPONENT  UPDATE  (POSITIONS  AND  VELOCITIES) 

WILL  BE  EXECUTED.  GPS  WILL  BE  USED  TO  CORRECT  ONBOARD  VELOCITY 
ERRORS  IF  GPS  IS  VERIFIED  TO  BE  FUNCTIONING  PROPERLY.  NAVAID 
INHIBITS  ARE  NOT  REQUIRED  FOR  A  GPS  UPDATE  (REF  RULE  {A4-203}, 
ENTRY  NAVIGATION  UPDATE  PHILOSOPHY).  @[072601-4532]  @[062702-5441  A] 
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An  update  of  onboard  velocity  will  be  performed  for  velocity  errors  >  75  fps  in  any  runway  component. 
This  number  was  chosen  to  meet  a  flight  control  system  requiremen  t  when  the  FCS  is  using  navigation- 
derived  air  data,  while  at  the  same  time,  considering  the  radar  3 -sigma  velocity  uncertainty  of  60  fps. 
Drag  altitude  updating  of  the  onboard  navigation  must  be  inhibited  prior  to  computing  a  velocity  delta 
state  since  it  corrupts  the  computation  of  velocity  errors  in  the  delta  state  processor.  Two  sets  of  state 
vector  errors  are  available  on  a  ground  display  in  runway  coordinates.  The  output  of  the  high  speed 
radar  filter  is  referred  to  as  local  deltas,  whereas,  the  output  of  the  delta  state  processor  is  referred  to  as 
propagated  deltas.  The  local  deltas  represent  the  current  state  errors.  The  propagated  deltas  represent 
the  expected  state  errors  at  some  time  in  the  future;  these  deltas  are  used  to  generate  a  delta  state 
update.  They  are  computed  assuming  that  the  state  errors  are  linear,  that  the  current  velocity  errors  are 
constant  over  some  short  period  of  time,  and  that  the  update  will  be  applied  at  the  end  of  that  time. 

Since  the  velocity  errors  are  computed  from  changes  in  position,  any  external  update,  such  as  drag 
altitude  updating,  will  mask  the  true  state  error  and  cause  the  velocity  delta  to  be  wrong.  Therefore, 
external  navigation  aids  have  to  be  inhibited  prior  to  computing  a  delta  state  update  involving  velocities. 
Any  time  a  velocity  update  is  required,  a  position  and  velocity  delta  update  will  be  executed,  since 
velocity  errors  will  also  cause  position  errors. 

The  use  of  GPS  to  correct  onboard  navigation  errors  is  preferred  over  the  delta  state  update  process  as 
long  as  GPS  is  verified  to  be  functioning  properly  (no  hardware  problems  or  commfaults,  low  FOM, 
tracking  four  satellites).  Caution  should  be  taken  when  using  GPS  state  vectors  with  FOM’s  >5  (650 feet 
position  error  one  sigma)  since  the  estimated  position  error  increases  rapidly  with  higher  FOM  values. 
The  three-sigma  velocity  accuracy  requirement  for  GPS  is  0.1  meters/sec  for  the  horizontal  and  vertical 
components  when  GPS  is  operating  in  the  Precise  Positioning  Sendee  (PPS)  mode  and  satisfying  the 
assumptions  for  Table  3.4. 1-1  of  the  System  Requiremen  ts  Documen  t  for  Orbiter  GPS  Navigation  System 
(SSD94D0096).  Postflight  analyses  have  confirmed  very  good  GPS  state  vector  accuracies  in  the 
TACAN  processing  region.  Radial,  downtrack,  and  crosstrack  position  and  velocity  differences  between 
GPS  and  the  USA  Navigation  Best  Estimated  Trajectory  (BET)  product  have  been  less  than  200 feet  and 
2  fps,  respectively  the  majority  of  the  time.  Navaid  inhibits  are  not  required  before  a  GPS  navigation 
update.  @[072601  -4532  ] 
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(AIF) 


This  rule  provides  direction  to  the  crew  and  ground  for  the  management  of  external  sensor  data 
incorporation  in  to  the  navigation  filter.  It  assumes  that  the  crew  AIF  switches  are  initially  in  INHIBIT 
for  TACAN  and  BARO  and  in  AUTO  for  drag  altitude  processing.  The  rule  is  presented  in  matrix  form 
to  facilitate  correlation  of  various  situations  to  the  action  to  be  taken  for  those  situations. 

A.  TACAN- INITIAL  PROCESSING  (INITIALLY  IN  INHIBIT) : 


RATIO  <1 

RATIO  >1 

1-LOCK 

BAD  TACAN  BAD  STATE 
VECTOR 

EARLY  NO  COMM 
(VrEL>6000  [1]  FPS 

H  >  130K  FT) 

REMAIN  IN 

INHIBIT 

REMAIN  IN  REMAIN  IN 

INHIBIT  INHIBIT 

REMAIN  IN 

INHIBIT 

COMM 

GROUND  CALL: 

AUTO  [3] 

GROUND  CALL:  GROUND  CALL; 

?  STATE  OR 

INHIBIT  FORCE 

IF  STATION,  SWITCH 

TO  B/U  CH 

IF  LRU,  RETURN  TO 

?  STATE  AUTO  WHEN 

UPDATE  RATIO  <1 

AS  REQD 

GROUND  CALL: 

DESELECT  MISSING 
TACAN’S 

(RESELECT  NON- 
FAILED  TACAN 

LRU’S  WHEN  2 

LOCK) 

LATE  NO  COMM 
(vrEL<6°00  FPS,  H< 
130K  FT) 

AUTO 

TROUBLESHOOT  TO  DETERMINE 
CAUSE  OF  EDITING 

A.  SWITCH  GROUND  STATIONS 

B.  CHECK  IMU  STATUS 

C.  OBSERVE  RESIDUAL,  RATIO 
BEHAVIOR 

D.  MONITOR  WITH  HSI 

WAIT  UNTIL  VREL 
<5500  FPS  [2] 

THEN 

DESELECT 

MISSING  TACAN’S 
(DO  NOT  FORCE) 

AUTO  FORCE 

NOTES: 

[1  ]  FOR  RTLS,  VREL  <  6500  FPS. 

[2]  FOR  RTLS,  VREL  <  4700  FPS. 

[3]  EVEN  THOUGH  THE  RATIO  IS  <  1 ,  TACAN  DATA  WILL  NOT  BE  ACCEPTED  IF  GROUND  RADAR  INDICATES 
THAT  INCORPORATION  OF  DATA  WILL  DEGRADE  THE  NAVIGATION  STATE.  (REFERENCE  RULE  {A8-52}, 
SENSOR  FAILURES.) 
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This  matrix  defines  the  actions  to  be  taken  for  initial  TACAN  processing.  For  a  nominal  entry,  the 
TACAN  AIF  switch  is  in  INHIBIT  and  the  TACAN  transceivers  are  turned  to  the  primary  site  TACAN 
channel  with  the  rotary  switch  in  the  GPC  position.  When  two  TACAN  LRU’s  have  locked  up,  RM 
passes  data  to  the  navigation  filter;  but,  because  the  AIF  control  is  in  INHIBIT,  the  data  will  not  be 
processed  by  navigation.  This  configuration  allows  the  ground  to  evaluate  the  TACAN  data  compared  to 
radar  tracking  data  and  to  give  the  crew  a  GO  to  mode  the  AIF  switch  to  AUTO,  so  that  navigation  may 
process  TACAN  if  it  is  acceptable.  This  plan  also  protects  the  validity  of  the  ground  delta  state 
computation  in  the  event  that  a  ground-  initiated  vector  update  is  required.  ( The  ground  delta  state 
processor  requires  that  external  data  not  be  taken  in  since  it  assumes  that  the  state  errors  are  linear). 

The  early  NO-COMM  row  of  the  rule  matrix  supports  this  mode  of  operation  by  having  the  crew  wait  for 
COMM  in  order  to  have  ground  assistance.  However,  there  is  a  limit  to  how  long  the  crew  should  wait 
before  they  try  to  independently  troubleshoot  the  lack  of  good  TACAN  data.  For  EOM,  this  limit  was 
chosen  to  be  about  130k  feet,  which  corresponds  to  a  Vrej  of  approximately  6000 fps.  At  this  altitude,  it 
is  becoming  more  urgen  t  to  correct  the  vehicle  state  since  the  footprin  t  is  shrinking  ( for  RTLS,  130k  feet 
altitude  corresponds  to  a  Vrej  of  approximately  6500 fps) 

In  the  COMM  row,  for  TACAN  data  that  agrees  with  the  navigation,  the  ratios  will  be  less  than  one. 

Upon  ground  evaluation  of  the  TACAN  data  and  of  the  onboard  vector  compared  to  tracking  data,  a  GO 
will  be  given  for  the  crew  to  go  to  AUTO.  However,  if  the  ground  evaluation  shows  that  incorporation  of 
the  TACAN  data  will  degrade  the  navigation  state,  the  TACAN  data  will  be  held  out  until  it  will  improve 
the  onboard  state.  Analysis  shows  that  ground  station  biases  greater  than  0.3  nm.  in  range  or  1  degree 
in  bearing  can  result  in  position  delta  state  limit  violations  (ref.  Rule  {A4-204J,  DELTA  STATE 
POSITION  UPDATES)  in  the  absence  ofcdl  other  navigation  error  sources.  If  the  ground  determines 
that  the  TACAN  data  compared  to  the  tracking  data  indicates  a  bias  on  all  three  LRU’s  greater  than  0.3 
nm  or  1  degree,  the  recommendation  will  be  to  try  another  ground  station.  If  at  the  TACAN  2 -LRU 
level,  the  average  LRU  measurement  error  (based  on  tracking)  is  greater  than  0.3  nm  or  1  degree  and 
RM  limits  are  not  exceeded,  the  larger  biased  LRU  will  be  deselected.  Multiple  LRU  biases  can  escape 
RM  detection  and  still  significantly  degrade  the  navigation  state.  LRU  deselection  will  be  performed 
only  if  that  action  will  reduce  the  bias  in  the  selected  measurement  to  less  than  0.3  nm  or  1  degree. 

One  of  two  failures  can  cause  the  ratios  to  be  greater  than  one.  Either  the  TACAN  or  the  state  vector 
could  be  at  fault.  If  the  ground-station-to-tracking  compares  are  good,  then  the  fault  lies  with  the 
onboard  system.  If  the  fault  lies  with  the  onboard  system  and  the  delta  state  update  criteria  are 
exceeded,  an  update  will  be  initiated.  If  the  ground  determines  that  the  vehicle  state  is  erroneous  and  the 
TACAN  residuals  indicate  that  forcing  the  data  will  correct  the  state  error,  then  the  crew  will  be  advised 
to  force  the  data  until  the  ratio  is  less  than  one  at  which  time  they  will  be  advised  to  return  to  AUTO. 
Otherwise,  a  delta  state  update  will  be  performed. 
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The  final  entry  in  the  COMM  row  deals  with  only  one  LRU  locking  up.  At  initial  acquisition,  the 
onboard  redundancy  management  requires  that  two  LRU’s  be  locked  on  before  data  is  passed  to 
navigation.  If  only  one  LRU  locks  on,  the  crew/ground  should  verify  that  the  data  is  good  for  that  LRU, 
and  the  crew  should  deselect  the  missing  LRU’s  to  override  the  two-lock  requirement.  Once  data  is 
processed  initially,  the  range  two-lock  restriction  is  satisfied,  but  two  LRU’s  are  still  required  to  be 
locked  on  prior  to  processing  bearing  data.  Therefore,  it  is  advisable  to  wait  until  two  LRU’s  are  locked 
on  prior  to  reselecting  non-failed  LRU’s.  This  provides  RM  protection  for  both  range  and  bearing. 
However,  if  the  ground  deems  it  necessary  to  process  data  from  one  LRU,  then  this  procedure  would  be 
used  and,  during  the  period  of  one  LRU  lock,  the  ground  would  carefully  monitor  the  quality  of  the  data 
from  the  single  LRU. 

In  the  NO-COMM  case,  the  crew  must  make  decisions  in  the  operations  of  the  AIF  con  trols 
independently  from  the  ground.  The  NO-COMM  case  may  be  assumed  by  the  crew  if  they  are  entering  to 
a  landing  site  that  has  no  COMM  with  the  ground  or  to  a  site  that  has  COMM,  but  COMM  has  not  been 
established  by  Vrej=6000 fps.  If  the  TACAN  deltas  on  the  HSD  look  good  and  the  ratios  are  less  than 
one,  then  the  crew  should  mode  the  AIF  switch  to  AUTO.  If  the  ratio  is  greater  than  one,  the  crew  must 
use  onboard  displays  to  determine  whether  the  TACAN  or  state  vector  is  bad.  The  following  procedures 
are  available  to  the  crew: 

a.  Switch  ground  stations  -  The  onboard  I-loadsfor  the  TACAN  table  are  such  that,  with  the  rotary 
switch  in  the  GPC  position,  the  landing  site  TACAN  should  be  acquired.  If  data  is  not  acquired  or 
if  the  ratio  is  greater  than  one,  the  crew  may  execute  item  5  on  GN:  SPEC  50  to  select  the  alternate 
or  backup  TACAN  and  evaluate  that  data.  If  the  ratios  for  the  alternate  station  are  less  than  one, 
then  the  problem  is  probably  with  the  prime  TACAN  ground  station.  If  the  ratios  are  greater  than 
one,  it  would  probably  indicate  a  bad  navigation  state,  although  there  is  a  very  small  probability 
that  two  or  more  LRU’s  would  fail  in  the  same  manner. 

b.  Check  IMU  status  -  If  the  IMU  mission  performance  has  been  nominal  and  a  good  IMU  alignment 
was  performed  pre-deorbit,  and  no  IMU  failures  have  occurred  during  entry,  it  is  unlikely  that  the 
navigation  state  could  be  in  error  by  a  sufficient  magnitude  to  cause  ratios  greater  than  one. 
Therefore,  the  TACAN  data  should  be  suspect.  However,  if  the  IMU’s  have  had  problems  or  an 
alignment  was  not  performed  pre-deorbit,  or  an  IMU  has  failed  RM  during  entry,  the  crew  should 
suspect  that  the  navigation  state  is  in  error. 

c.  Observe  residual/ratio  behavior  -  If  the  residuals/ratios  are  steady  or  show  a  constan  t  trend,  it  is 
likely  that  the  navigation  state  is  in  error.  If  the  residuals/ratios  are  erratic,  it  is  likely  that  the 
TACAN  data  is  erroneous. 

d.  Monitor  with  HSI  -  The  crew  can  select  raw  TACAN  data  to  drive  the  HSI  and  compare  the  range 
and  bearing  with  the  navigated  position  and  a  visual  estimate  of  the  real  position.  This  would  be  a 
difficult  procedure  since  the  values  on  the  HSI  will  be  continually  changing  and  the  magnitude  of 
the  errors  would  have  to  be  so  large  that  the  source  of  the  error  should  have  already  been  detected 
by  one  of  the  other  methods. 
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The  final  situation  in  the  NO-COMM  row  is  the  case  where  only  one  LRU  locks  on.  In  this  case,  the 
crew  should  wait  as  long  as  possible  before  the  footprin  t  shrinks  to  the  point  that  the  state  error  really 
has  to  be  removed  (5500 fps  for  EOM  and  4700 fps  for  GRTLS).  At  this  point,  the  nonlocked  on  LRU’s 
should  be  deselected  and  the  data  from  the  single  LRU  passed  to  navigation  by  moding  the  AIF  switch  to 
AUTO.  It  should  not  be  moded  to  FORCE  to  protect  the  navigation  from  bad  TACAN  data. 

B.  TACAN  -  POST  CONVERGENCE  (INITIALLY  IN  AUTO) : 


RATIO  >1 

RATIO  <1 

BAD  TACAN 

BAD  STATE 
VECTOR 

COMM 

GROUND  CALL; 

GROUND  CALL; 

REMAIN  IN 

AUTO 

INHIBIT 

AUTO 

IF  STATION,  SWITCH 

TO  B/U  CH 

IF  LRU, 

?  STATE  UPDATE 

IF  REQ’D.  (BACK 

TO  AUTO  IF 

RATIO  <1) 

PERFORM  A 
ZERO  ?  STATE 
UPDATE.  IF 
RATIO  STILL 
>1;  FORCE 

NO  COMM 

GROUND  CALL; 

AUTO 

TROUBLESHOOT  TO  DETERMINE 

CAUSE  OF  EDITING 

A.  OBSERVE  RESIDUAL,  RATIO  BEHAVIOR 

B.  CHECK  IMU  STATUS 

C.  MONITOR  WITH  HSI 

D.  SWITCH  TACAN  STATIONS 

REMAIN  IN 

REMAIN  IN 

AUTO 

AUTO 

PERFORM  A 
ZERO?  STATE 
UPDATE.  IF 
RATIO  STILL 
>1;  FORCE 

This  rule  shows  the  actions  to  be  taken  once  TACAN  data  has  been  processed  by  navigation.  For  a  nominal 
entry,  the  crew  action  would  be  to  remain  in  AUTO  for  either  COMM  or  NO-COMM  since  the  ratio  should 
not  grow  above  one.  If,  for  any  reason,  the  ratio  does  become  greater  than  one,  then  the  ground  or  the  crew 
can  utilize  the  same  techniques  to  isolate  the  problem  as  were  used  at  initial  acquisition.  If  the  problem  is 
bad  TACAN  data,  the  actions  are  the  same  as  at  initial  acquisition.  If  the  problem  is  the  navigation  state, 
the  procedures  change  slightly  in  that  a  zero  delta  state  update  is  performed  prior  to  applying  the  same 
procedure  used  for  the  initial  acquisition  case.  This  is  done  to  reinitialize  the  covariance  if  TACAN  data  has 
already  been  processed  and  it  is  required  to  force  TACAN  in  order  to  fix  the  navigation  state,  since  the 
processing  of  TACAN  data  might  have  converged  the  covariance  matrix  to  the  point  where  even  forcing  the 
TACAN  data  would  not  remove  the  state  errors. 
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C.  BARO  (INITIALLY  INHIBIT) : 


RATIO  <1 

RATIO  >1 

NOT  PASSING 
RM 

BAD  BARO 

BAD  STATE 
VECTOR 

COMM 

GROUND  CALL: 
AUTO  m 

GROUND  CALL: 
REMAIN  IN  INHIBIT 

GROUND  CALL: 
FORCE 

GROUND  CALL: 
PRIME  SELECT 

NO  COMM 

AUTO 

TACAN  OK: 

REMAIN  IN  INHIBIT 

NO  TACAN: 

IF  RATIO  STEADY,  FORCE 

IF  RATIO  ERRATIC,  AUTO 

WAIT  UNTIL 

M  <0.9,  THEN 

PRIME  SELECT 
(DO  NOT  FORCE) 

NOTE: 

[1]  EVEN  THOUGH  THE  RATIO  IS  <  1 ,  BARO  DATA  WILL  NOT  BE  ACCEPTED  IF  THE  GROUND  RADAR  INDICATES 
THAT  INCORPORATION  OF  THE  DATA  WILL  DEGRADE  THE  NAVIGATION  STATE. 


This  matrix  shows  the  actions  to  be  taken  to  manage  the  processing  ofbaro  altitude  data  in  the 
navigation.  Initially,  the  BARO  AIF  switch  will  be  in  INHIBIT.  The  ground  will  evaluate  the  bciro  data 
and,  if  the  ratio  is  less  than  one  and  the  data  will  improve  the  navigated  altitude  channel,  then  the  crew 
will  be  advised  to  mode  the  AIF  switch  to  AUTO.  If  comparison  to  radar  indicates  that  the  baro  data 
will  degrade  the  navigation  altitude  channel,  then  the  crew  will  be  asked  to  hold  off  incorporating  baro 
until  the  ground  determines  that  the  data  will  improve  the  navigation  state.  If  the  baro  data  is  bad  and 
the  ratio  is  >  I,  the  crew  will  be  advised  to  remain  in  INHIBIT  until  the  data  improves  or  the  delta  state 
limit  is  exceeded.  If  the  onboard  state  is  bad,  the  ground  will  obsen’e  the  error  and  baro  residual;  and, 
if  the  errors  are  such  that  forcing  the  data  will  improve  the  state,  the  crew  will  be  asked  to  mode  the  AIF 
switch  to  FORCE  until  the  ratio  becomes  less  than  one,  at  which  time  they  should  return  to  AUTO. 
Otherwise,  a  delta  state  update  will  be  initiated.  IfRM  is  not  passing  data  to  navigation,  the  ground  will 
assist  the  crew  in  deselecting  ADTA’s  if  required,  evaluate  the  data,  and  have  the  crew  mode  to  AUTO. 

In  the  NO-COMM  case,  the  crew  should  go  to  AUTO  around  M=2.5  when  the  ratio  is  <  1  and  onboard 
evaluation  indicates  valid  baro  data.  Going  to  AUTO  earlier  does  not  provide  any  benefit  to  navigation 
since  baro  data  is  not  processed  by  navigation  until  Vrej=2500 fps.  If  the  ratio  is  >  I  and  valid  TACAN 
data  is  being  processed,  then  the  AIF  switch  should  remain  in  INHIBIT.  If  TACAN  data  is  not  being 
processed,  the  requirement  for  baro  data  is  even  stronger,  but  the  only  method  of  crew  evaluation  is  to 
monitor  the  baro  residuals  on  the  horizontal  situation  display.  If  they  appear  steady  and  reasonable 
considering  past  navigation  performance,  the  crew  should  mode  the  AIF  control  to  FORCE  until  the  ratio 
becomes  <  1  and  then  return  to  AUTO.  If  they  are  erratic  or  unreasonable  based  on  past  navigation 
performance,  the  AIF  switch  should  be  left  in  AUTO.  The  final  situation  in  the  NO-COMM  row  is  the  case 
where  RM  is  not  passing  valid  data.  The  crew  should  evaluate  the  ADTA  ’s  and  prime  select  the  best  data 
source  when  subsonic.  The  AIF  switch  should  be  moded  to  AUTO  in  order  to  edit  the  data,  should  the 
ratio  become  greater  than  one. 

THIS  RULE  CONTINUED  ON  NEXT  PAGE 


VOLUME  A  06/20/02  FINAL  TRAJECTORY  AND  GUIDANCE  4-119 

Verify  that  this  is  the  correct  version  before  use. 


NASA  -  JOHNSON  SPACE  CENTER 


FLIGHT  RULES 


A4-206  NAVIGATION  FILTER  MANAGEMENT  AUTO/INHIBIT/FORCE 

(AIF)  (CONTINUED) 

TACAN  and  BARO  data  will  be  incorporated  to  PASS  and  BFS  after  MCC  GO.  Processing  sensors  to 
both  systems  ensures  the  best  BFS  state  vector  should  cm  engage  be  required  and  eliminates  multiple 
state  vector  transfers  during  periods  of  high  crew  workload.  Analysis  shows  that,  if  the  BFS  is  engaged 
near  touchdown  with  the  BFS  NAV  errors  experienced  on  some  flights,  achieving  the  runway  may  not  be 
possible. 

Shuttle  flight  history  and  FAA  TACAN  reliability  data  assert  that  a  sudden  sensor  bias  or  failure  less 
than  RM  and  filter  edit  criteria  but  large  enough  to  degrade  NAV  is  unlikely,  especially  after  STA 
prelanding  checks  and  after  MCC  has  determined  the  data  good.  BARO  system  failures  are  more  likely 
to  occur  during  probe  deploy  before  data  is  available  for  ground  evaluation.  Additional  protection 
against  such  failures  is  provided  by  a  tight  postprocessing  covariance  matrix  which  preven  ts  errors  from 
growing  rapidly,  affording  sufficient  time  to  inhibit  the  bad  sensor  on  MCC  call. 

Analysis  has  shown  that,  even  while  processing  sensors  to  PASS  and  BFS,  two-level  IMU  diagnosing 
capability  is  retained.  If,  at  the  IMU  2  level  and  processing  sensors,  one  IMU’s  performance  is  worse 
than  the  other,  the  MCC  can  identify  the  worse-performing  IMU  by  evaluating  differences  between  the 
individual  PASS  (three-string  NAV)  states  and  radar  tracking.  The  difference  in  PASS  and  BFS  selection 
schemes  (averaging  versus  low-number-select )  allows  evaluation  by  obsen’cition  of  PASS  and  BFS  select 
states. 

If  radar  tracking  is  not  available  as  in  a  TAL,  ELS  or  ground  filter  NO-GO,  the  MCC  has  the  same  data 
available  to  the  crew.  The  ground  may  assist  to  the  best  of  its  ability,  but  sensor  incorporation  without 
radar  tracking  is  a  crew  call.  In  this  situation,  TACAN  and  BARO  will  be  incorporated  to  PASS  and 
BFS  since  no  advan  tage  can  be  gained  by  withholding  sensor  data  from  either  system. 
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A4-206  NAVIGATION  FILTER  MANAGEMENT  AUTO/INHIBIT/FORCE 

(AIF)  (CONTINUED) 

D.  DRAG  ALTITUDE  -  INCORPORATION  OF  DRAG  ALTITUDE  DATA  INTO 
NAVIGATION  IS  MANDATORY.  THE  DRAG  AIF  CONTROL  WILL  BE 
INITIATED  IN  THE  AUTO  MODE.  IF  REPETITIVE  DATA  EDITING 
OCCURS,  THE  AIF  CONTROL  WILL  BE  SWITCHED  TO  THE  FORCE  MODE. 
HOWEVER,  FOR  GRTLS  DATA  INCORPORATION  IS  NOT  MANDATORY.  THE 
AIF  CONTROL  WILL  BE  INITIATED  AND  LEFT  IN  AUTO  MODE. 

Incorporation  of  drag  altitude  into  navigation  is  mandatory.  Drag  updating  begins  during  blackout 
when  the  ground  can  offer  no  assistance  in  evaluating  the  data  or  aiding  the  crew  in  deciding  to  allow 
drag  altitude  to  update  the  navigation  state.  Since  the  drag  altitude  is  derived  from  IMU  data,  the 
validity  of  the  measuremen  t  is  dependen  t  on  the  quality  of  the  IMU  data.  Since  there  is  no  way  for  the 
crew  to  independently  evaluate  the  IMU  data,  it  was  decided  to  set  the  drag  AIF  switch  to  AUTO.  If  the 
combined  navigation/drag  updating  performance  is  within  8  sigma,  which  is  equivalent  to  about  80,000 
feet  altitude,  the  drag  will  pass  the  edit  criteria  and  will  be  incorporated  into  the  navigation  state  without 
incident.  If  the  performance  is  worse  than  8  sigma,  editing  will  occur  and  the  crew  procedure  will  be  to 
mode  the  AIF  switch  to  FORCE  to  incorporate  the  drag  altitude  and  thus  bound  the  altitude  error 
growth.  For  GRTLS,  drag  altitude  would  probably  never  be  edited,  since  the  IMU  performance  from  the 
time  of  lift-off  to  execution  of  the  GRTLS  would  not  degrade  to  the  point  to  cause  editing.  Further,  on  a 
GRTLS,  TACAN  data  is  acquired  very  high  in  the  trajectory  or  just  after  drag  processing  is  initiated; 
and,  since  TACAN  is  a  more  powerful  measurement  source,  it  would  correct  the  state  such  that  drag 
editing  should  not  occur.  Also,  tracking  data  should  be  available  and  any  error  that  would  cause  drag 
data  to  be  edited  would  result  in  a  violation  of  the  delta  state  update  criteria.  For  these  reasons,  it  was 
decided  to  leave  the  drag  AIF  switch  in  the  AUTO  mode. 
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A4-207  ENTRY  LIMITS 

A.  THE  FOLLOWING  LIMITS  ARE  APPLICABLE  TO  THE  ENTRY  AND  LANDING 
FLIGHT  PHASES.  THE  CG  MUST  BE  KEPT  WITHIN  NORMAL  LIMITS 
(REFERENCE  RULE  {A4-153},  CG  PLANNING).  THE  MCC  WILL 
MONITOR  THE  PARAMETERS  BELOW  AND  ADVISE  THE  CREW  TO  PREVENT 
EXCEEDENCES.  @[050495-1531 B] 

1.  NZ  LIMITS  (THE  MOST  CONSTRAINING  OF  THE  FOLLOWING): 

@[091 098-671 6A] 

a.  ORBITER  WEIGHT  ?  211  KLB :  THE  NZ  LIMIT  IS  2.5  G. 

b.  ORBITER  WEIGHT  >  211  KLB:  THE  NZ  LIMIT  IS  DETERMINED 
AS  FOLLOWS : 

NZMAX  =  4.563  -(9.778  X  10-6  X  WT) 

c.  1076.7  >  ORBITER  XCG  ?  1075.2,  QBAR  ?  325,  MACH  <  1, 
THE  NZ  LIMIT  IS  DETERMINED  AS  FOLLOWS: 

NZMAX  =  4.71  -  (0.0068  X  QBAR),  WHERE  QBAR  IS 

DETERMINED  FROM  PREDICTIONS  MADE  BY  6-DOF  STAMPS 
SIMULATION. 

NOTE:  FOR  PRE-DEORBIT  PLANNING  PURPOSES,  A  0.2  g 

LOAD  FACTOR  BIAS  IS  SUBTRACTED  FROM  THE  ABOVE 
STRUCTURAL  LIMITS  TO  PROTECT  FOR  DISPERSIONS 
AND  ASYMMETRY  DURING  A  ROLLING  MANEUVER. 

Orbiter  normal  load  factor  limits  are  defined  in  the  SODB  ( JSC-08934 )  Volume  V.  The  MCC  will 
evaluate  the  planned  entry  profile  to  ensure  these  load  factor  limits  are  not  exceeded.  When  in  the 
CSS,  the  crew  must  implement  active  load  factor  monitoring  and  avoidance  procedures  when  required. 
The  MCC  will  advise  the  crew  of  what  limits  to  protect.  To  protect  for  wind  dispersions  on  the  heading 
alignmen  t  cone  (HAC),  the  operational  Nz  limit  is  reduced  by  a  bias  for  planning  purposes.  The  value 
of  the  bias  is  derived  by  averaging  differences  between  flight  and  real-time  predicted  data. 


The  analysis  performed  by  Boeing  North  American  Flight  Control  and  Loads  groups  (presented  at  the 
145th  Ascent/En  try  Flight  Techniques  on  December  19,  1997)  to  expand  the  forward  X  CG  limit  resulted 
in  an  additional  constraint  on  orbiter  NZ  limit.  For  flights  predicted  to  be  in  this  region,  the  NZ  limit  is 
also  a  function  ofQbar.  The  operational  NZ  limit  will  be  the  most  constraining.  The  X  CG  is  evaluated 
at  Mach=3.5.  @[091 098-671 6A] 
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A4-207  ENTRY  LIMITS  (CONTINUED) 

ORBITER  NORMAL  LOAD  FACTOR  LIMITS 


211 


210  220  230  240  250 

ORBITER  LANDING  WEIGHT 

2.  Q-BAR  <  350  PSF  (321  KEAS )  FOR  MACH  <  1 

Q-BAR  <  330  PSF  (312  KEAS)  DURING  LANDING  GEAR  DEPLOYMENT 

The  Q-bar  restrictions  are  designed  to  protect  the  structural  integrity  of  the  orbiter  and  to  ensure 
flight  within  the  integrated  guidance,  navigation,  and  control  envelopes.  The  Q-bar  profile  gives  a 
good  indication  of  whether  or  not  the  guidance  is  being  stressed  in  trying  to  fly  the  reference 
profile.  For  real-time  evaluation  purposes,  evaluation  of  the  subsonic  region  is  important  because 
it  includes  the  dynamics  of  flying  the  FIAC  with  the  winds  of  the  day.  The  certified  Q-bar  limit  of 
375  psf  in  the  subsonic  region  is  documented  in  SODB  Volume  V.  The  TAEM  guidance  will  limit 
normal  acceleration  commands  to  stay  within  the  maximum  Q-bar  limit  which  is  I-loaded  to  350 
psf  This  provides  for  the  25  psfAir  Data  System  accuracy  listed  in  the  SODB.  The  350  psf  limit 
is  used  DOUDOE  because  it  indicates  a  stressed  trajectory,  protects  for  even  ts  not  being 
simulated  (CSS,  wind  persistence ),  and  it  protects  against  flying  a  trajectory  which  could  indicate 
an  airspeed  >  321  KEAS  (350  psf). 

During  approach  and  landing,  guidance  indirectly  controls  dynamic  pressure  by  controlling  the 
equivalent  airspeed,  which  is  related  to  dynamic  pressure.  The  330  psf  (312  KEAS)  limit  on  maximum 
dynamic  pressure  at  gear  deploy  is  covered  in  the  SODB  3.4.2. 1-6. 
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A4-207  ENTRY  LIMITS  (CONTINUED) 

Angle  of  Attack  Boundaries  -  MM304  Only 


TAEM  l/F  Mach  2.5 


0  5  10  15  20  25 


Mach  Number 


Angle  of  Attack  Boundaries  -  MM305  Only 


Mach  Number 
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A4-207  ENTRY  LIMITS  (CONTINUED) 

B.  THESE  ATTITUDE  CONSTRAINTS  WILL  NOT  BE  EXCEEDED  IN  AUTO  OR 
CSS  MODE.  THE  MCC  WILL  MONITOR  THESE  PARAMETERS  AND  ADVISE 
THE  CREW  TO  PREVENT  EXCEEDENCES. 

1.  ANGLE  OF  ATTACK  (ALPHA  DEG)  VERSUS  MACH  NUMBER. 

2.  IF  STEADY  STATE  SIDESLIP  EXCEEDS  2  DEGREES  AND  ONE  OR 
MORE  YAW  JETS  FIRE  CONTINUOUSLY  OR  IF  THE  SIDESLIP 
EXCEEDS  THE  TWO- JET  CAPABILITY  PER  THE  "BETA  ESTIMATOR" 
(SCALED  AY) ,  THE  CREW  WILL  MANUALLY  TRIM  TO  REDUCE  RCS 
JET  FIRING  (2  <  M  <  12)  . 


The  orbiter  must  be  operated  within  the  specified  angle  of  attack  constrain  ts  to  main  tain  control  in  pitch 
and  roll/yaw  axes,  to  meet  structural  requirements  during  ven  ting,  to  assure  hinge  momen  t  limits  for 
aerosurfaces  are  not  exceeded,  and  to  remain  within  guidance  limits  due  to  interaction  with  roll  angle  in 
solving  range  and  drag  equations. 

Large  steady  state  sideslip  can  lead  to  loss  of  control.  If  jets  are  required  to  maintain  vehicle  trim,  they 
will  have  reduced  effectiveness  during  dynamic  flight  phases  where  their  force  is  required;  reduced 
stability  margins  and  control  problems  may  result.  Also,  there  will  be  a  large  increase  in  RCS 
propellant  usage.  ®[050495-l  531 B] 

Rule  {A4-107},  PLS/EOM  LANDING  OPPORTUNITY  REQUIREMENTS,  references  this  rule. 
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A4-208 


ENTRY  TAKEOVER  RULES 


CONDITION 

ACTION 

CRITERIA  FOR  AUTO 
RE-ENGAGE  [11 

REMARKS 

A.  ROLLREF  <  ROLLREF  LIMIT  (?)  PRIOR  TO 
THE  FIRST  BANK  REVERSAL 

CSS  ROLL/YAW; 
INITIATE  FIRST 
BANK  REVERSAL 
WHEN  DELTA 
AZIMUTH  >5° 

FIRST  BANK  REVERSAL 
COMPLETION 

PROTECTS  AGAINST  TARGET 

MOVING  OUT  OF  THE  TOE  OF  THE 
FOOTPRINT  FOR  LOW  L/D  ENTRY 
(ONBOARD  CALL). 

B.  S-BAND  AOS  TO  M=2.5; 

1 .  NAV  ERRORS  RESULTING  IN 
TRAJECTORY  DISPERSIONS  WHICH 

ARE  UNCORRECTABLE  BY  AUTO 
GUIDANCE  BY  M=4  OR  RESULT  IN 
GREATER  THAN  10  NM  RANGE  ERROR 
AT  TAEM  INTERFACE. 

2.  TRAJECTORY  DISPERSIONS  WHICH 

ARE  UNCORRECTABLE  BY  AUTO 
GUIDANCE. 

CSS  PITCH, 
ROLL/YAW;  GCA; 
REDESIGNATE 
HAC/RUNWAY 

NAV  ERRORS  REDUCED 
TO  WITHIN  DELTA  STATE 
UPDATE  LIMITS  AND 
TRAJECTORY 

RETURNED  TO  WITHIN 
GUIDANCE  LIMITS 

ASSURES  TRAJECTORY  IS  WITHIN 

THE  TAEM  CAPABILITY  TO  ACHIEVE 

AN  ACCEPTABLE  RUNWAY  (GROUND 
CALL). 

C.  BETWEEN  M=2  AND  M=2.5  TRAJECTORY 
DISPERSIONS  WHICH,  IF  UNCORRECTED, 
WILL  RESULT  IN  INSUFFICIENT  ENERGY  TO 
REACH  THE  TARGETED  RUNWAY  OR 
EXCESS  ENERGY  IN  VIOLATION  OF  THE 
AUTO  GUIDANCE  S-TURN  CAPABILITY. 

CSS  PITCH, 
ROLL/YAW;  GCA; 
REDESIGNATE 
HAC/RUNWAY 

NAV  ERRORS  REDUCED 
TO  WITHIN  DELTA  STATE 
UPDATE  LIMITS  AND 
TRAJECTORY 

RETURNED  TO  WITHIN 
GUIDANCE  LIMITS 

TAKEOVER  IS  REQUIRED  TO 

MAINTAIN  TRAJECTORY  TO  ACHIEVE 
AN  ACCEPTABLE  RUNWAY.  THE 
CRITERIA  FOR  CHANGING  RUNWAYS 
WILL  BE  BASED  ON  LOSS  OF  MANUAL 
CAPABILITY  TO  ACHIEVE  THE 
TARGETED  RUNWAY  (~25  NM 
DISPERSION  AT  M=2.5)  (GROUND 
CALL). 

D.  M=2.5  TO  AUTOLAND  INTERFACE:  NAV 
ERRORS  THAT  EXCEED  THE  TAEM 
PERFORMANCE  FOOTPRINT  (TOTAL 
FOOTPRINT  MINUS  WIND  ALLOWANCE). 

CSS  ROLL/YAW; 
GCA  TO 

AUTOLAND 
INTERFACE  OR 
CREW  VISUAL 
TAKEOVER 

NAV  ERRORS  REDUCED 
TO  WITHIN  DELTA  STATE 
UPDATE  LIMITS  AND 
TRAJECTORY 

RETURNED  TO  WITHIN 
GUIDANCE  LIMITS 

MANUALLY  RETURNS  TRAJECTORY 

TO  AN  ACCEPTABLE  AUTOLAND 
INTERFACE  (GROUND  CALL). 

E.  FOUR  (4)  YAW  JETS  FAILED  (SAME  SIDE); 
AFTER  QBAR  >  10  AND  PRIOR  TO  MACH  1. 

CSS  ROLL/YAW 
(NO  YAW  JET 
MODE) 

RECOVERY  OF  A  YAW 

JET  AND  SELECTION  OF 
AUTO  ENTRY  ROLL 

MODE 

CSS  IS  FORCED  UPON  NO  YAW  JET 
ENTRY  ROLL  MODE  SELECTION; 

AUTO  NO  YAW  JET  IS  NOT  A 

CERTIFIED  FLIGHT  CONTROL 

MODE  AND  MAY  RESULT  IN  LOW- 
FREQUENCY  BANK  OSCILLATIONS. 

F.  PRIOR  TO: 

1 .  DELTA  STATE  UPDATES  INCLUDING 
VELOCITY  COMPONENTS  ANYTIME,  OR 
POSITION  ONLY  COMPONENTS  IF  M=5 
TO  TAEM 

2.  FORCED  AIR  DATA  TO  NAV 

3.  AIR  DATA  INCORPORATION  TO  GNC 
AFTER  M=2.5 

1.  CSS  PITCH, 
ROLL/YAW 

2.  CSS  PITCH, 
ROLL/YAW 

3.  CSS  PITCH 

COMPLETION  OF  EVENT 
AND  RECONVERGENCE 

OF  GUIDANCE  NEEDLES 

POTENTIAL  FOR  TRANSIENT  INTO 

FCS  WITH  IMPACT  TO  VEHICLE 
CONTROL 

G.  PRIOR  TO  MSBLS  ACQ  IF  MCC  HAS  TM  AND 
CONFIRMS  LATERAL  NAV  ERRORS  >  8000 

FT  OR  H  ERRORS  >  500  FT 

CSS  PITCH, 
ROLL/YAW 

INCORPORATION  OF 
MSBLS 

POTENTIAL  TRAJECTORY  TRANSIENT 

H.  FAILURE  OF  AUTOLAND  GUIDE  TO 

ENGAGE  PRIOR  TO  6000  FT  ALT 

CSS  PITCH, 
ROLL/YAW 

NONE 

MANUAL  LANDING  IS  PREFERRED 

1.  FOR  UNEXPLAINED  OR  UNCOMFORTABLE 
TRANSIENTS  OR  TRAJECTORY 

CONDITIONS 

CSS  PITCH, 
ROLL/YAW 

CREW  OPTION 

NONE 

®[021 998-651 3A] 


NOTE:  [1]  AUTO  RE-ENGAGE  IS  NOT  CONSIDERED  TO  BE  A  REQUIREMENT  AFTER  TAEM  INTERFACE  (M=2.5). 

The  rationale  for  each  condition  is  contained  in  the  rule  under  the  remarks. 
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A4-209  AERO  TEST  MANEUVERS 

AERO  TEST  MANEUVERS  WILL  NOT  BE  ATTEMPTED  IF  THE  CROSSRANGE  AT 
ENTRY  INTERFACE  IS  GREATER  THAN  THE  DTO  CROSSRANGE  LIMIT  (REF. 

THE  ANNEX  FLIGHT  RULE,  TRAJECTORY  AND  GUIDANCE  PARAMETERS)  UNTIL 
THE  FIRST  ROLL  REVERSAL  HAS  BEEN  COMPLETED  AND  THE  ORBITER  ENERGY 
STATE  AND  DRAG  PROFILE  ARE  NOMINAL.  VALID  TELEMETRY  IS  REQUIRED 
FOR  EVALUATION  OF  THE  ORBITER  ENERGY  STATE.  ®[ED  ] 

For  the  purposes  of  this  rule,  any  PTI  that  inhibits  entry  guidance  is  considered  an  aero  test  maneuver. 
Since  entry  guidance  is  locked  out,  there  is  no  attempt  to  follow  the  optimal  energy  profile  or  to  respond 
to  roll  reversals.  High  crossrange  at  entry  interface  requires  optimum  bank  angle  and  energy  control  to 
ensure  a  manageable  energy  state  at  TAEM  in  terface.  If  energy  is  nominal  and  the  orbiter  is  on  the 
nominal  drag  profile,  guidance  will  be  able  to  manage  energy  properly,  even  under  given  dispersions. 
Valid  telemetry  is  needed  to  verify  that  the  energy  and  drag  profiles  are  within  limits. 

Rule  {A2-261},  ENTRY  DTO/ AUTO  MODE/CROSSWIND  DTO  GO/NO-GO,  references  this  rule. 
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A4-210  EOM  ENTRY  DTP/ RUNWAY  SELECTION  PRIORITIES 

DTO  805,  CROSSWIND  LANDING  PERFORMANCE,  WILL  BE  EXECUTED  AS  A  DTO 
OF  OPPORTUNITY.  DTO  805  WILL  NOT  BE  A  CONSIDERATION  IN  SELECTING 
LANDING  SITES  OR  RUNWAYS.  IF  CROSSWINDS  ARE  OBSERVED  TO  BE  10 
KNOTS  OR  GREATER  AS  THE  ORBITER  APPROACHES  THE  HAC,  DRAG  CHUTE 
DEPLOY  WILL  BE  DELAYED  UNTIL  POST  NOSE  GEAR  TOUCHDOWN  TO 
ACCOMPLISH  DTO  805.  @[022201 -3801  ] 

No  drag  chute,  braking,  or  nose  wheel  DTO’s  are  scheduled.  Drag  chute  deploy  will  be  per  nominal 
flight  rules  (ref  Rules  {A10-143},  DRAG  CHUTE  DEPLOY  TECHNIQUES,  and  {A10-144},  DRAG 
CHUTE  DEPLOY  CONSTRAINTS),  unless  the  crosswind  DTO  is  likely  to  be  performed.  In  this  case, 
drag  chute  deploy  will  be  delayed  until  post  nose  gear  touchdown  to  allow  for  pilot  handling  evaluation 
of  the  orbiter  without  any  complications  that  drag  chute  dynamics  may  induce.  Nominal  touchdown 
speed  is  195  keas  with  derotation  performed  using  the  beep  trim  switch  at  185  keas,  or  manually  (if  beep 
trim  fails)  at  175  keas.  Drag  chute  nominal  deploy  is  immediately  prior  to  the  initiation  of  derotation. 
However,  the  drag  chute  DTO  program  has  cleared  drag  chute  deploy  as  early  as  15  keas  prior  to  the 
initiation  of  derotation.  ®[1 02402-5804C] 

All  ISS  rendezvous  flights  have  a  probability  of  a  night  landing  which  would  mean  that  the  crosswind 
limit  is  12  knots.  Therefore,  DTO  805,  Crosswind  Landing  Performance  Evaluation,  which  requires  a 
crosswind  of  10  knots  or  greater  at  touchdown,  is  not  likely  to  be  achieved.  With  this  small  window  of 
environmental  conditions,  it  is  not  prudent  to  change  landing  sites  (e.g.,  from  KSC  to  EDW)  to  attempt 
DTO  805.  Also,  programmatic  priorities  make  it  highly  desirable  to  land  at  KSC  to  avoid  the  cost  and 
risk  associated  with  ferry  operations.  Since  a  decision  to  change  from  KSC  to  EDW  would  have  to  be 
made  approximately  2  to  4  hours  before  landing,  it  is  unlikely  that  confidence  in  wind  forecasts  would  be 
such  that  landing  at  EDW  solely  to  achieve  DTO  805  is  prudent.  @[022201 -3801  ]  ®[i  02402-5804C] 

A4-211  THROUGH  A4-250  RULES  ARE  RESERVED 
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A4-251  SIGNATURE  SECTION 

THE  ENCLOSED  RANGE  SAFETY  FLIGHT  RULES  HAVE  BEEN  JOINTLY 
NEGOTIATED  AND  AGREED  TO  BY  NASA  AND  THE  EASTERN  RANGE.  ANY 
SUBSEQUENT  CHANGES  TO  THESE  RULES  WILL  REQUIRE  RE-EXECUTION  OF 
THIS  CONCURRENCE  PAGE.  @[053096  PRC  B-4001  ] 


@[081 497-6306A] 


*1 .  . 

COMMANDER,  4  5™  SPACE  .XING 

F.  RANDALL 

Brigadier  General,  USAF 
Commander 


DATE  ' 


DATE 
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A4-252  POLICY 

A.  MEMORANDUM  OF  AGREEMENT  (MOA)  15E-2-8,  BETWEEN  THE  45TH  SPACE 

WING  (45  SW)  AND  THE  JOHN  F.  KENNEDY  SPACE  CENTER  (KSC)  FOR 
MISSILE/SPACE  VEHICLE  SAFETY  ON  KSC  AND  THE  EASTERN  RANGE 
(ER) ,  EFFECTIVE  NOVEMBER  2,  1995,  DELINEATES  THE  AGENCY 

RESPONSIBLE  FOR  MISSILE/SPACE  VEHICLE  FLIGHT  AND  GROUND 
SAFETY  FOR  LAUNCHES  FROM  THE  ER  AND  KSC  AND  IDENTIFIES 
CERTAIN  RESPONSIBILITIES  ASSOCIATED  WITH  MISSILE/SPACE 
VEHICLE  MISHAPS.  RANGE  SAFETY  REQUIREMENTS  ARE  CONTAINED  IN 
EWR  12  7-1,  MARCH  31,  19  95.  @[053096  PRCB-4001] 

B.  RANGE  SAFETY  POLICIES  AND  PROCEDURES  ARE  SPECIFIED  IN  SECTION 
1  OF  EWR  127-1.  CONSISTENT  WITH  SECTION  1.4,  SPECIFICALLY 
PARAGRAPHS  1.4.1  AND  1.4. 1.3,  THE  45  SW  COMMANDER  HAS 
AUTHORIZED  REMOVAL  OF  THE  RANGE  SAFETY  SYSTEM  (RSS)  FROM  THE 
EXTERNAL  TANK  (ET)  FOR  PRESENTLY  DESCRIBED  STS  FLIGHT 
CONFIGURATIONS,  PAYLOADS,  AND  TRAJECTORIES,  BASED  ON  A  RISK 
ASSESSMENT  WHICH  ASSUMES  THE  VEHICLE  IMPACT  POINT  WILL  BE 
STOPPED  BEFORE  REACHING  WELL  DEFINED  LIMIT  LINES.  ANY  FUTURE 
STS  FLIGHT  VEHICLE  MODIFICATIONS  AND/OR  NEW  TRAJECTORIES  MUST 
BE  ANALYZED  TO  ENSURE  PUBLIC  RISKS  HAVE  NOT  INCREASED  BEYOND 
ACCEPTABLE  LEVELS.  IN  THE  EVENT  OF  AN  UNACCEPTABLE  PUBLIC 
RISK  INCREASE,  FLIGHT  DESIGN  MODIFICATIONS  OR  INSTALLATION  OF 
A  RANGE  SAFETY  FLIGHT  OR  THRUST  TERMINATION  SYSTEM  WILL  BE 
REQUIRED  TO  REDUCE  THE  RISK  TO  AN  ACCEPTABLE  LEVEL.  THE  45 
SW  COMMANDER  RETAINS  OVERALL  RESPONSIBILITY  FOR  PUBLIC  SAFETY 
IN  ACCORDANCE  WITH  EWR  127-1,  SECTION  1.3.1.  THE  FLIGHT  CREW 
COMMANDER  (CDR)  AND  PILOT  (PLT )  BECOME  AGENTS  OF  THE  45  SW 
COMMANDER  FOR  PUBLIC  SAFETY  DURING  THE  PORTION  OF  FLIGHT 
AFTER  SOLID  ROCKET  BOOSTER  SEPARATION  AND  PRIOR  TO  MAIN 
ENGINE  CUTOFF.  THIS  AGENT  RELATIONSHIP  NECESSITATES  THAT  ALL 
CDR'S  AND  PLT'S  RECEIVE  INITIAL  AND  RECURRING  TRAINING  THAT 
IS  APPROVED  BY  THE  45  SW  AND  DOCUMENTED  AS  PART  OF  THE  NASA 
CERTIFICATE  OF  FLIGHT  READINESS  (COFR)  PROCESS.  45  SW  RANGE 
SAFETY  FLIGHT  PLAN  APPROVAL  IS  CONTINGENT  UPON  APPROVED  AND 
DOCUMENTED  TRAINING  AS  EVIDENCED  IN  THE  COFR  PROCESS. 

C.  THE  FOLLOWING  MISSION  RULES  SUPPLEMENT  EWR  127-1  AND  THE 
RANGE  SAFETY  OPERATIONS  REQUIREMENTS  DOCUMENT  AND  OPERATIONS 
SUPPLEMENT.  THESE  RULES  IMPLEMENT  THE  U.S.  AIR  FORCE  (USAF) 
POLICY  OF  ADVANCING  THE  NATION'S  COMMITMENT  TO  LEADERSHIP  IN 
THE  EXPLORATION  AND  USE  OF  SPACE  AT  MINIMUM  RISK  TO  THE 
FLIGHT  CREWS,  GENERAL  PUBLIC,  AND  PROPERTY.  THEY  PROVIDE 
ACTION  GUIDANCE  TO  PERSONNEL  RESPONSIBLE  FOR  EXECUTING  THIS 
POLICY.  @[053096  PRCB-4001] 
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A4-253  DEFINITIONS  ©[081497-6306A] 

THIS  SECTION  CENTRALIZES  DEFINITIONS  RELATED  TO  THESE  FLIGHT 
RULES  TO  FACILITATE  CLARITY  IN  THE  RULES  THEMSELVES.  @[053096  PRCB-4001] 

A.  FLIGHT  TERMINATION  SYSTEM  (FTS ) :  THE  FTS  NEUTRALIZES  SOLID 
ROCKET  BOOSTER  ( SRB)  THRUST  WITH  A  SINGLE  LINEAR  SHAPED 
CHARGE  PER  SRB  WHICH  SPLITS  THE  SOLID  ROCKET  MOTOR  CASES. 
ANALYSIS  SHOWS  THAT  THIS  ACTION  ALSO  CAUSES  DISPERSAL  OF 
THE  EXTERNAL  TANK  (ET)  PROPELLANTS.  THE  FLIGHT  TERMINATION 
SYSTEM  IS  PROTECTED  FROM  UNAUTHORIZED  COMMANDS  BY  THE 
DIGITAL  RANGE  SAFETY  COMMAND  SYSTEM  (DRSCS) .  THE  DRSCS 
"ARM"  AND  "FIRE"  COMMANDS  ARE  FORMATTED  BY  CRYPTO  HARDWARE 
IN  THE  ER  RANGE  OPERATIONS  CONTROL  CENTER  (ROCC) .  THE 
COMMANDS  ARE  RECEIVED  AND  DECODED  BY  FLIGHT  INTEGRATED 
RECEIVER  DECODERS  (IRD'S)  IN  EACH  SRB.  THE  CODES  FOR  A 
PARTICULAR  FLIGHT  BECOME  UNCLASSIFIED  AT  SRB  SPLASHDOWN  OR 
UPON  TRANSMISSION  OF  COMMANDS  ANY  TIME  AFTER  SRB  IGNITION. 
THE  "ARM"  COMMAND,  WHICH  IS  PREPARATORY  TO  THE  "FIRE" 
COMMAND,  ACTIVATES  A  WARNING  LIGHT  IN  THE  ORBITER  AND 
IRREVERSIBLY  CHARGES  THE  PYROTECHNIC  INITIATOR  CONTROLLERS 
(PIC'S).  WHEN  FLIGHT  TERMINATION  ACTION  IS  REQUIRED,  THE 
FCO  WILL  TRANSMIT  THE  "FIRE"  COMMAND  IMMEDIATELY  AFTER  THE 
"ARM"  COMMAND . 

B.  VEHICLE  PERFORMANCE  DATA:  FOR  THE  PURPOSE  OF  THESE  RULES, 
VEHICLE  PERFORMANCE  DATA  ARE  DEFINED  AS  FOLLOWS: 

1.  VEHICLE  BEHAVIOR  DATA 

a.  PRIMARY  CUE:  REMOTE  TELEVISION  PRESENTATION  TO  FCO 

b.  SECONDARY  CUE:  RADAR  SKIN  TRACK  A-SCOPE  DISPLAY 
(MINIMUM  OF  TWO  CONFIRMING  SITES) ,  OR  VERBAL  BREAKUP 
REPORT  FROM  EITHER  THE  AIRBORNE  OR  GROUND  VISUAL 
OBSERVERS . 

C.  TERTIARY  CUES:  REAL-TIME  TELEMETRY  (HIGH  ATTITUDE 
RATES  OR  PREMATURE  SEPARATION  INDICATORS  FOR  SRB'S 
OR  ET) ,  THE  SOLID  ROCKET  BOOSTER  TRACKING  SYSTEM 
(INDICATIONS  OF  SEPARATION  RATES  BETWEEN  SRB'S  AS 
SHOWN  BY  TRAJECTORY  DETERMINATION  DATA) ,  OR 
SIMULTANEOUS  LOSS  OF  S-BAND  DOWNLINK  AND  AT  LEAST 
ONE  C-BAND  TRANSPONDER.  @[053096  PRCB-4001] 
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2.  TRAJECTORY  DETERMINATION  DATA:  TRAJECTORY  DETERMINATION 

WILL  BE  BASED  ON  RADAR  TRACKING,  OPTICAL  TRACKING,  AND 
TELEMETRY  (NAVIGATION  AND  GUIDANCE)  DATA  THAT  HAVE  BEEN 
SELECTED  BY  THE  ROCC  REAL-TIME  PROCESSORS.  @[053096  PRCB-4001] 

C.  CONTROLLABILITY  LIMITS:  THE  VEHICLE  IS  DEFINED  TO  BE 

UNCONTROLLABLE  IF  PITCH  OR  YAW  RATES  GREATER  THAN  FIVE 
DEGREES/SECOND  ARE  EXPERIENCED  FOR  FIVE  SECONDS. 

D.  CONTROLLABILITY  WARNING  LIGHT:  A  WARNING  LIGHT  ON  THE  FCO 
CONSOLE  ACTIVATED  BY  THE  JSC  GUIDANCE,  NAVIGATION  AND 
CONTROL  (GNC)  OFFICER  WHEN  THE  VEHICLE  IS  DETERMINED  TO  BE 
OUT  OF  CONTROL.  THE  LIGHT  SERVES  TO  MINIMIZE  FCO  RESPONSE 
TIME  IN  SITUATIONS  INVOLVING  AN  UNCONTROLLABLE  VEHICLE,  AND 
IS  APPLICABLE  ONLY  DURING  FIRST  STAGE. 

E.  ABORT  REQUEST  COMMAND:  THE  ABORT  REQUEST  SWITCH,  LOCATED  ON 
THE  FD,  FDO ,  AND  FCO  CONSOLES,  INITIATES  TRANSMISSION  OF 
COMMANDS  FROM  THE  MCC  COMMAND  SYSTEM  TO  ILLUMINATE  THE  ABORT 
LIGHT  IN  THE  ORBITER  COCKPIT. 

F.  ABORT  LIGHT:  A  WARNING  LIGHT  IN  THE  ORBITER  COCKPIT, 
ILLUMINATED  VIA  THE  ABORT  REQUEST  COMMAND,  WHICH  SERVES  AS 
A  CUE  FOR  THE  FLIGHT  CREW  TO  TAKE  SOME  ABORT  ACTION.  FOR 
IMMINENT  RANGE  SAFETY  MECO  LINE  VIOLATIONS,  THE  REQUIRED 
CREW  ACTION  IS  A  MANUAL  MECO  PER  THE  PROCEDURES  DESCRIBED 
IN  THESE  RULES. 

G.  FIRST  STAGE:  ORBITER  POWERED  FLIGHT  FROM  SRB  IGNITION 
THROUGH  SRB  SEPARATION. 

H.  SECOND  STAGE:  ORBITER  POWERED  FLIGHT  AFTER  SRB  SEPARATION. 

I.  AMBER  ZONE:  CALLED  BY  THE  FCO  WHEN  THE  TRAJECTORY  EXCEEDS 
THE  3-SIGMA  VERTICAL  OR  LATERAL  ENVELOPE  IN  FIRST  STAGE. 
INVOKES  THE  CONTROLLABILITY  RULE,  AND  IS  ONLY  APPLICABLE  IN 
FIRST  STAGE. 

J.  IIP:  INSTANTANEOUS,  VACUUM  IMPACT  POINT. 

K.  ILL:  IMPACT  LIMIT  LINE.  THE  PRIMARY  AND  SECONDARY  ILL'S 

PROTECT  THE  IMMEDIATE  LAUNCH  AREA  AND  OTHER  LAND  MASSES 
AGAINST  DEBRIS  FOOTPRINT  ENCROACHMENT  DURING  FIRST  STAGE. 
@[053096  PRCB-4001] 
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L.  SRB  NLE :  THAT  TIME  FROM  LIFTOFF  ON  A  NOMINAL  TRAJECTORY 
(i.e.,  WITHIN  THE  3-SIGMA  TRAJECTORY  ENVELOPE)  BEYOND  WHICH 
BREAKAWAY  SRB'S  CAN  "NO  LONGER  ENDANGER"  LAND  UNDER  ANY 
SUBSEQUENT  SRB  BEHAVIOR.  @[053096  PRCB-4001] 

M.  FCO :  FCO  IN  THESE  RULES  REFERS  TO  EITHER  THE  ER  FLIGHT 
CONTROL  OFFICER  (FCO)  OR  THE  SENIOR  FCO  (SFCO) .  WHERE 
APPLICABLE,  THE  SPECIFIC  INDIVIDUAL  POSITION  IS  IDENTIFIED  IN 
THESE  RULES. 

N.  MCC:  THE  MISSION  CONTROL  CENTER  AT  JSC.  AS  USED  IN  THESE 

RULES,  MCC  ALSO  REFERS  TO  THE  FLIGHT  DIRECTOR  (FD),  SPACECRAFT 
COMMUNICATOR  (CAPCOM) ,  AND/OR  FLIGHT  DYNAMICS  OFFICER  (FDO) 
PERSONNEL  LOCATED  IN  THE  MCC.  PRIMARY  COMMUNICATION  BETWEEN 
THE  FCO  AND  THE  MCC  IS  CARRIED  OUT  WITH  THE  FDO.  WHERE 
APPLICABLE,  THE  SPECIFIC  INDIVIDUAL  POSITION  IS  IDENTIFIED  IN 
THESE  RULES. 

O.  MECO  LINES  AND  GATES:  MECO  LINES,  WHICH  ARE  APPLICABLE  ONLY 
IN  SECOND  STAGE,  IDENTIFY  AREAS  UPON  WHICH  THE  VEHICLE'S  IIP 
MAY  NOT  ENCROACH.  THEY  ARE  REPRESENTED  AS  SOLID  LINES  ON  FCO 
AND  MCC  DISPLAYS.  SINCE  OVERFLIGHT  OF  SOME  LAND  MASS  IS 
ALWAYS  REQUIRED  FOR  THE  STS  VEHICLE  TO  ACHIEVE  ORBIT,  SOME 
MECO  LINES  WHICH  STRICTLY  PROTECT  ALL  AREAS  OF  THESE  LAND 
MASSES  ARE  PRESENTED  AS  DASHED  LINES  ON  THE  DISPLAYS  AND  ARE 
REFERRED  TO  AS  GATES.  FOR  STS  FLIGHTS,  THREE  GATES  ARE 
APPLICABLE,  AS  DESCRIBED  BELOW: 

1.  HATTERAS  GATE  (APPLICABLE  FOR  HIGH- INCLINAT ION  MISSIONS 

ONLY) :  THE  HATTERAS  GATE  PROTECTS  POPULATED  ISLANDS  AND 

EXTENSIVE  MARITIME  TRAFFIC  OFF  THE  COAST  OF  NORTH 
CAROLINA. 

2.  NEWFOUNDLAND  GATE  (APPLICABLE  FOR  HIGH-INCLINATION 
MISSIONS  ONLY) :  THE  NEWFOUNDLAND  GATE  PROTECTS  THIS  LOW 
POPULATION  CANADIAN  PROVINCE.  NOMINAL  OR  NEAR-NOMINAL 
FLIGHTS  WILL  ROUTINELY  PASS  THROUGH  THIS  GATE. 

3.  AFRICAN  GATE  (APPLICABLE  FOR  ALL  MISSIONS):  THE  AFRICAN 
GATE  PROTECTS  THE  LAND  MASSES  OF  AFRICA,  EUROPE,  AND 
SOUTH  AMERICA.  NOMINAL  OR  NEAR-NOMINAL  FLIGHTS  WILL 
ROUTINELY  PASS  THROUGH  THIS  GATE.  @[053096  PRCB-4001] 
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P.  DESTRUCT  LINES:  EQUIVALENT  TO  MECO  LINES,  BUT  APPLICABLE 
DURING  THE  SHORT  TIME  LATE  IN  FIRST  STAGE  (FROM  T+120  SEC 
TO  SRB  SEP)  WHEN  THE  FTS  IS  STILL  AVAILABLE  FOR  USE.  THESE 
LINES  ALSO  APPLY  IN  FIRST  STAGE  IF  VALID  FOOTPRINT  DATA  IS 
LOST  PER  RULE  {A4-258},  FLIGHT  TERMINATION/MANUAL  MECO 
CRITERIA,  PART  C.4.  @[053096  PRCB-4001] 

Q.  CODEWORDS:  THERE  ARE  THREE  STS-RELATED  CODEWORDS,  AS 
DESCRIBED  BELOW.  CODE  WORDS,  WHEN  USED,  ARE  EXCHANGED  OVER 
THE  FD  AND  FCO  PRIME  LOOPS. 

1.  UNCONTROLLABLE:  THIS  UNIQUE  CODE  WORD  WILL  BE  USED  BY  THE 
FD  TO  ADVISE  THE  FCO  THAT  THE  VEHICLE  IS  UNCONTROLLABLE. 

2.  MANUAL  MECO:  THIS  UNIQUE  CODE  WORD  WILL  BE  USED  BY  THE 

FCO  TO  ADVISE  THE  MCC  THAT  AN  IMMEDIATE  MANUAL  MECO  IS 
REQUIRED . 

3.  ARM/FIRE:  THIS  UNIQUE  CODE  WORD  WILL  BE  USED  BY  THE  FCO 
TO  ADVISE  THE  MCC  THAT  THE  FTS  HAS  BEEN  ACTIVATED. 

R.  COMMUNICATION  CIRCUITS:  THREE  PRIMARY  COMMUNICATION  CIRCUITS 
ARE  USED  BETWEEN  THE  FCO  AND  THE  MCC:  THE  FD  LOOP,  THE  FCO 
PRIME  LOOP,  AND  THE  FCO  PRIVATE  LINE.  WHERE  TWO  REDUNDANT 
LOOPS  ARE  LISTED  IN  THESE  RULES,  OTHER  LOOP/LONG  LINE  PATCHING 
MAY  BE  USED  TO  PROVIDE  THIS  REDUNDANCY  IF  NECESSARY.  ®[081 497-6306A] 

S.  VEHICLE  BREAKUP:  SEPARATION  OF  VEHICLE  PARTS  AS  DETERMINED 
VISUALLY  OR  BY  RADAR  TRACK  OF  MULTIPLE  TARGETS. 

T.  CATASTROPHIC  FAILURE:  VEHICLE  PITCHES  OVER  OR  BREAKS  UP,  AS 
SHOWN  BY  VEHICLE  PERFORMANCE  DATA. 

U.  VARIABLE  IY:  AN  ABORT-TO-ORBI T  (ATO)  TARGETING  METHOD  USED 
ON  SOME  MISSIONS  IN  WHICH  THE  VEHICLE  STEERS  TO  AN  ORBITAL 
PLANE/ INCLINATION  LOWER  THAN  THE  NOMINAL  TO  IMPROVE  DOWNRANGE 
PERFORMANCE.  IF  EXCURSION  TOWARD  A  RANGE  SAFETY  LIMIT  LINE 
OCCURS  DUE  TO  THE  ORBITAL  PLANE  TARGET  BEING  CORRUPTED,  AN 
ATO  ABORT  WHICH  INVOKES  VARIABLE  IY  CAN  POTENTIALLY  ELIMINATE 
THE  RANGE  SAFETY  PROBLEM. 

V.  CSS:  MANUAL  SHUTTLE  FLIGHT  CONTROL  (CONTROL  STICK  STEERING), 
AS  OPPOSED  TO  AUTO-GUIDANCE  FLIGHT  CONTROL. 
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W.  BFS  ENGAGE:  FLIGHT  CREW  ACTIVATION  OF  THE  BACKUP  FLIGHT 

SYSTEM  (BFS),  USED  FOR  TOTAL  FAILURE  OF  THE  QUAD-REDUNDANT 
PRIMARY  AVIONICS  SOFTWARE  SYSTEM  (PASS)  .  @[053096  PRCB-4001] 


A4-254 


FCO  TO  MCC  WARNING  NOTIFICATION 


THE  VEHICLE'S  FLIGHT  MAY  DEVIATE  SIGNIFICANTLY  FROM  NOMINAL  AND 
STILL  REMAIN  WITHIN  SAFE  LIMITS.  IF  THE  CRITERIA  BELOW  ARE 
EXCEEDED,  THE  FCO  WILL  WARN  THE  MCC,  AND  THE  MCC  WILL  RESPOND 
WITH  CALLS  OR  REQUESTED  CREW  ACTION.  VIOLATION  OF  THESE  CRITERIA 
INDICATES  THAT  THE  VEHICLE  IS  DEVIATING  SIGNIFICANTLY  FROM  ITS 
NOMINAL  TRAJECTORY.  @[053096  PRCB-4001] 

A.  TRAJECTORY  EXCEEDS  3-SIGMA  (LATERAL  OR  VERTICAL)  IN  FIRST 


STAGE : 


1 .  FCO  MAKES  AN  "AMBER  ZONE"  CALL  ON  BOTH  THE  FD  AND  FCO 
PRIME  LOOPS.  THE  CONTROLLABILITY  RULE  IS  INVOKED. 

2.  AFTER  AN  AMBER  ZONE  CALL,  A  PROMPT  CONTROL  STATUS 
RESPONSE  IS  REQUIRED  FROM  THE  FD  TO  THE  FCO  ON  THE 
FD  LOOP.  IF  THE  VEHICLE  IS  UNDER  CONTROL,  THE  FD 
WILL  RESPOND  "GOOD  CONTROL."  IF  THE  VEHICLE  IS 
UNCONTROLLABLE,  THE  FD  WILL  RESPOND  VIA  CODEWORD, 

AND  THE  JSC  GNC  OFFICER  WILL  RESPOND  WITH  THE 
CONTROLLABILITY  WARNING  LIGHT. 

B.  POST-SRB  SEP,  TRAJECTORY  EXCEEDS  3-SIGMA  LATERAL: 

1.  FCO  MAKES  TRAJECTORY  DEVIATION  CALLS  ON  THE  FCO  PRIME 
LOOP  . 

2.  FDO  RESPONDS  WITH  TRAJECTORY  ASSESSMENT  CALLS. 

3.  IF  THE  TRAJECTORY  CONTINUES  TO  DEVIATE  TOWARD  A  MECO 
LINE,  THE  PROXIMITY  TO  THE  LINE  WILL  BE  EVALUATED: 


a.  FCO  WILL  CALL  "HALFWAY  TO  THE  LINE"  WHEN  THE  IIP  IS 
APPROXIMATELY  HALFWAY  BETWEEN  THE  3-SIGMA  LEFT/RIGHT 
TRAJECTORY  AND  THE  NEAREST  MECO  LINE. 

b.  FREQUENT  ESTIMATES  OF  TIME  REMAINING  UNTIL  MECO  LINE 
VIOLATION  WILL  BE  PROVIDED  BY  FDO  ON  THE  FD  LOOP 
BASED  ON  MCC  PREDICTOR  BUG  SOFTWARE. 
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A4-254  FCO  TO  MCC  WARNING  NOTIFICATION  (CONTINUED) 

4.  IF  TRAJECTORY  DEVIATIONS  CONTINUE  AFTER  ACTION  BY  THE  MCC 
(REFERENCE  RULE  {A4-260},  RANGE  SAFETY  LIMIT  AVOIDANCE 
ACTIONS) ,  MANUAL  MECO  PROCEDURES  WILL  BE  INITIATED  BY  THE 
MCC  WHEN  THE  IIP  IS  3  0  SEC  FROM  THE  MECO  LINE.  @[053096  PRCB-4001] 
©[081497-6306A] 

5.  IF  MECO  HAS  NOT  YET  OCCURRED  UPON  IIP  CONTACT  WITH  A  MECO 
LINE,  FCO  WILL  INITIATE  THE  ABORT  REQUEST  COMMAND  (ABORT 
LIGHT)  AS  AN  INDICATION  TO  THE  CREW  THAT  AN  IMMEDIATE 
MANUAL  MECO  IS  REQUIRED.  THE  MANUAL  MECO  CODEWORD  WILL 
BE  VERBALLY  TRANSMITTED  TO  THE  MCC  SIMULTANEOUSLY  ON  THE 
FD  AND  FCO  PRIME  LOOPS.  @[053096  PRCB-4001] 

A4-255  MCC  TO  FCO  REPORTING 

THE  MCC  WILL  ADVISE  THE  FCO  OF  OFF-NOMINAL  VEHICLE  PERFORMANCE  OR 
OF  EVENTS  THAT  SIGNIFICANTLY  AFFECT  RANGE  SAFETY  AS  THEY  OCCUR. 

THE  INFORMATION  WILL  BE  PROVIDED  BY  THE  FDO  ON  THE  FCO  PRIME  LOOP 
WITH  THE  FCO  PRIVATE  LINE  AS  BACKUP,  EXCEPT  AS  SPECIFICALLY  NOTED 
BELOW: 

A.  CONTROLLABILITY  STATUS  (FIRST  STAGE  ONLY) :  MADE  BY  FD  ON  THE 
FD  LOOP,  USING  EITHER  THE  WORDS  "GOOD  CONTROL,"  IF  THE 
VEHICLE  IS  UNDER  CONTROL,  OR  USING  THE  CODEWORD  TO  INDICATE 
UNCONTROLLABLE.  IF  THE  VEHICLE  IS  UNCONTROLLABLE,  THE  JSC 
GNC  OFFICER  WILL  ALSO  RESPOND  WITH  THE  CONTROLLABILITY 
WARNING  LIGHT. 

B.  ANY  DECISION  TO  ABORT  THE  FLIGHT:  ATO,  TAL,  RTLS ,  ANY 
CONTINGENCY  ABORT,  FAST  SEPARATION,  ETC. 

C.  ANY  SSME  FAILURE. 

D.  ANY  CONDITIONS  WHICH  COULD  RESULT  IN  ET  LAND  IMPACT,  PLUS  A 
PREDICTED  IMPACT  LOCATION,  IN  AS  NEAR  REAL-TIME  AS  POSSIBLE. 

E.  WHEN  RANGE  SAFETY  LIMIT  AVOIDANCE  ACTIONS  ARE  BEING 
IMPLEMENTED  (RULE  {A4-260},  RANGE  SAFETY  LIMIT  AVOIDANCE 
ACTIONS) ,  FREQUENT  ESTIMATES  OF  TIME  TO  VIOLATION  WILL  BE 
PROVIDED  BY  THE  FDO  ON  THE  FD  LOOP.  WHEN  THE  IIP  IS  30  SEC 
FROM  THE  MECO  LINE,  MANUAL  MECO  PROCEDURES  WILL  BE  INITIATED. 

@[081 497-6306A] 

F.  ANY  OTHER  PERTINENT  INFORMATION.  @[053096  PRCB-4001] 
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A4-256  CONTROLLABILITY 

A.  THIS  RULE  APPLIES  ONLY  DURING  THE  SRB  THRUSTING  PERIOD,  AFTER 

LAUNCH  TOWER  CLEARANCE.  @[053096  PRCB-4001] 

B.  THE  USAF  AND  NASA,  IN  CONSIDERING  THE  NATIONAL  INTERESTS  IN 

THE  SHUTTLE  PROGRAM  AND  THE  CONSEQUENCES  OF  FLIGHT 

TERMINATION  ACTION,  HAVE  JOINTLY  AGREED  TO  THE  FOLLOWING 
(REFERENCE  MOA  15E-2-8) : 

1.  THE  NON-PUBLIC  RISKS  ASSOCIATED  WITH  CONTINUED  FLIGHT  OF 
A  CONTROLLABLE  VEHICLE  IF  THE  PRIMARY  IMPACT  LIMIT  LINE 
IS  VIOLATED  HAVE  BEEN  ASSESSED  BY  THE  USAF  AND  ACCEPTED 
BY  NASA  FOR  KSC,  AND  BY  THE  45  SW  FOR  CAPE  CANAVERAL  AIR 
STATION  (CCAS ) . 

2.  THE  PUBLIC  RISKS  ASSOCIATED  WITH  FLIGHT  BEYOND  THE 
SECONDARY  ILL  ARE  UNACCEPTABLE. 

3.  IF  THE  VEHICLE  IS  DECLARED  TO  BE  UNDER  CONTROL  AND  IS 
SUBSEQUENTLY  DECLARED  UNCONTROLLABLE,  THE  FCO  WILL  TAKE 
ACTION  WHEN  THE  APPLICABLE  FLIGHT  TERMINATION  LINE  IS 
VIOLATED  (PRIMARY  OR  SECONDARY) . 

C .  GENERAL 

1.  ALTHOUGH  THE  ACTUAL  TRAJECTORY  MAY  DEVIATE  SIGNIFICANTLY 
FROM  THE  NOMINAL  DURING  THE  SRB  THRUSTING  PERIOD,  THE 
VEHICLE  MAY  NOT  EXCEED  CONTROLLABILITY  LIMITS. 

2.  AS  LONG  AS  THE  MCC  CAN  CONFIRM  TO  THE  FCO  THAT  THE 
CONTROLLABILITY  LIMITS  HAVE  NOT  BEEN  EXCEEDED,  OR  IN  THE 
CASE  OF  LOSS  OF  COMMUNICATION  BETWEEN  THE  MCC  AND  THE 
FCO,  THE  FCO  CAN  DETERMINE  THAT  THESE  LIMITS  HAVE  NOT 
BEEN  EXCEEDED,  THE  FCO  WILL  ALLOW  THE  FLIGHT  TO  CONTINUE 
EVEN  IF  THE  PRIMARY  ILL  IS  VIOLATED. 

3.  IF  NEITHER  THE  MCC  NOR  THE  FCO  CAN  DETERMINE  THE  PITCH  OR 
YAW  RATES,  THE  FCO  WILL  ASSUME  THAT  THE  LIMITS  HAVE  NOT 
BEEN  EXCEEDED  AND  ALLOW  THE  FLIGHT  TO  CONTINUE  EVEN  IF 
THE  PRIMARY  ILL  IS  VIOLATED. 

4.  FLIGHT  TERMINATION  ACTION  WILL  BE  TAKEN  BY  THE  FCO  WHEN, 
BASED  ON  ASSESSMENT  OF  ALL  AVAILABLE  DATA,  THE  SECONDARY 
ILL  FLIGHT  TERMINATION  CRITERIA  ARE  VIOLATED,  REGARDLESS 
OF  THE  CONTROLLABILITY  STATUS.  @[053096  PRCB-4001] 
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A4-256  CONTROLLABILITY  (CONTINUED) 

D.  DECLARATION  OF  LOSS-OF-CONTROL :  THERE  ARE  TWO  EQUIVALENT 

METHODS  BY  WHICH  THE  MCC  CAN  COMMUNICATE  LOSS  OF  CONTROL  TO 

THE  FCO,  AS  FOLLOWS:  @[053096  PRCB-4001] 

1.  THE  CONTROLLABILITY  WARNING  LIGHT.  VERBAL  CONFIRMATION 
OF  LOSS-OF-CONTROL  WILL  ACCOMPANY  LIGHT  ACTIVATION. 

2.  VERBAL  NOTIFICATION  OF  LOSS-OF-CONTROL,  GIVEN  BY  THE  FD 
VIA  CODE  WORD  TO  THE  FCO  OVER  THE  FD  LOOP . 

E.  LOSS  OF  TWO  SSME'S:  UNDER  THE  FOLLOWING  CONDITIONS  THE  FCO 

WILL  USE  DISCRETION,  BIASED  TOWARDS  NO  ACTION: 

1.  LOSS  OF  TWO  SSME'S  IS  CONFIRMED  EARLY  IN  FLIGHT. 

2.  THE  VEHICLE  REMAINS  CONTROLLABLE. 

3.  THE  VEHICLE  STAYS  WITHIN  THE  MISSION-SPECIFIC  TWO-ENGINE- 
OUT  DELTA-AZIMUTH  ENVELOPE. 

4.  THE  VEHICLE  TRANSITIONS  THROUGH  THE  REGION  OF  MAXIMUM 
DYNAMIC  PRESSURE  (MAX  Q)  WITHOUT  BREAKUP. 

5.  THE  DEBRIS  FOOTPRINT  APPROACHES  OR  JUST  CROSSES  THE 
SECONDARY  ILL  LATE  IN  THE  SRB  BURN. 

6.  THE  FCO  CONFIRMS  THAT  THE  VEHICLE  IIP  IS  STILL  MOVING 
DOWN  RANGE.  @[053096  PRCB-4001] 
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A4-257  FLIGHT  TERMINATION /MANUAL  ME CO  EVALUATION 

A.  GENERAL  @[053096  PRCB-4001] 

1.  THE  FCO  WILL  EVALUATE  ALL  DATA  SOURCES  (E.G.,  RADARS, 
TELEMETRY,  OPTICAL  TRACKERS,  FORWARD  OBSERVER,  TV,  ETC.) 
PLUS  INFORMATION  RECEIVED  FROM  THE  MCC  TO  DETERMINE  THE 
REQUIRED  ACTION. 

2.  TIME  PERMITTING,  A  DECISION  TO  INITIATE  FLIGHT 
TERMINATION  WILL  BE  REACHED  AFTER  COORDINATION  BETWEEN 
THE  FCO  AND  THE  SFCO. 

3.  TIME  PERMITTING,  THE  MCC  WILL  BE  ADVISED  OF  IMPENDING 
FLIGHT  TERMINATION  PRIOR  TO  INITIATION  OF  THE  FLIGHT 
TERMINATION  COMMANDS. 

4.  IN  ALL  INSTANCES,  THE  FCO  WILL  MAKE  A  DECISION  CONCERNING 
CONTINUED  FLIGHT  OR  TERMINATION  BASED  ON  INTERPRETATION 
OF  REAL-TIME  EVENTS  AND  STS  MISSION  RULES,  ALL  AVAILABLE 
DATA  SOURCES,  AND  SOUND  JUDGMENT. 

B.  LOSS  OF  DATA/ COMMUNICATIONS 

1.  TOTAL  LOSS  OF  ALL  FCO  VEHICLE  PERFORMANCE  DATA:  THE  FCO 
WILL  BE  UNABLE  TO  DETERMINE  IF  FLIGHT  TERMINATION/MANUAL 
MECO  CRITERIA  ARE  VIOLATED  AND  WILL  NOT  TAKE  FLIGHT 
TERMINATION/MANUAL  MECO  ACTION.  IF  MCC  STILL  HAS  DATA, 
RANGE  SAFETY  LIMIT  AVOIDANCE  ACTIONS  (RULE  {A4-260}, 

RANGE  SAFETY  LIMIT  AVOIDANCE  ACTIONS)  WILL  CONTINUE  TO 
BE  TAKEN,  INCLUDING  MANUAL  MECO  IF  NECESSARY. 

2.  TOTAL  LOSS  OF  ALL  MCC  DATA:  THE  MCC  WILL  BE  UNABLE  TO 
DETERMINE  THE  VEHICLE  STATUS. 

a.  IF  FCO  STILL  HAS  DATA,  FCO  WILL  PROVIDE  MCC  WITH 

ESTIMATES  OF  TIME  TO  MECO  LINE  VIOLATION,  INCLUDING 
"30  SEC  TO  THE  LINE."  AT  THAT  TIME,  IF  COMM  IS 
AVAILABLE,  MCC  WILL  INITIATE  MANUAL  MECO  PROCEDURES. 
@[053096  PRCB-4001]  ©[081497-6306A] 
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FLIGHT  TERMINATION /MANUAL  ME CO  EVALUATION 
(CONTINUED) 

FCO  WILL  INITIATE  THE  ABORT  REQUEST  COMMAND  (ABORT 
LIGHT)  IF  THE  IIP  CONTACTS  A  MECO  LINE  AS  AN 
INDICATION  TO  THE  CREW  THAT  AN  IMMEDIATE  MANUAL 
MECO  IS  REQUIRED.  THE  MANUAL  MECO  CODEWORD  WILL  BE 
VERBALLY  TRANSMITTED  TO  THE  MCC  SIMULTANEOUSLY  ON 
THE  FD  AND  FCO  PRIME  LOOPS  AS  A  SECOND  INDICATION, 

IF  COMM  IS  AVAILABLE.  @[053096  PRCB-4001] 

3.  AFTER  TOWER  CLEAR  AND  PRIOR  TO  SRB  SEP 

a.  AMBER  ZONE  AND  LOSS  OF  FCO/MCC  COMM:  THE  FCO  WILL 
DETERMINE  BY  REAL-TIME  TELEMETRY  IF  THE  VEHICLE  IS 
CONTROLLABLE  AND  ACT  IN  ACCORDANCE  WITH  RULE  {A4-256}, 
CONTROLLABILITY. 

b.  LOSS  OF  TELEMETRY  AT  MCC  AND  ROCC :  THE  VEHICLE  WILL 
BE  ASSUMED  TO  BE  UNDER  CONTROL  AND  VIOLATION  OF  THE 
PRIMARY  ILL  WILL  BE  ALLOWED.  MCC  WILL  ATTEMPT  TO 
CONFIRM  CONTROLLABILITY  WITH  THE  ORBITER  CREW  AND 
ADVISE  THE  FCO. 

c.  LOSS  OF  FCO/MCC  COMM  AND  FCO  TELEMETRY:  THE  VEHICLE 
WILL  BE  ASSUMED  TO  BE  UNDER  CONTROL  AND  VIOLATION  OF 
THE  PRIMARY  ILL  WILL  BE  ALLOWED. 

4.  LOSS  OF  FCO/MCC  COMM  AFTER  SRB  SEP:  FCO  WILL  REQUIRE 
MCC/CREW  ACTION  IN  ACCORDANCE  WITH  RULES  {A4-258},  FLIGHT 
TERMINATION/MANUAL  MECO  CRITERIA,  PART  E,  AND  {A4-259}, 
FLIGHT  TERMINATION/MANUAL  MECO  ACTION. 

5.  RADAR  INDICATES  BREAKUP  AND  TELEMETRY  INDICATES  VEHICLE 
UNDER  CONTROL:  THE  VEHICLE  WILL  BE  ASSUMED  TO  BE  INTACT 
AND  THE  FCO  WILL  ACT  IN  ACCORDANCE  WITH  RULE  {A4-256}, 
CONTROLLABILITY. 

C.  CONFLICTING  DATA:  IN  THE  EVENT  OF  A  CONFLICT  IN  MECO  LINE 

PROXIMITY  ASSESSMENT  BETWEEN  THE  MCC  AND  FCO  WHEN  BOTH  HAVE 
VALID  TRAJECTORY  DETERMINATION  DATA,  THE  FCO  IS  PRIME  FOR 
DETERMINATION  OF  BOTH  THE  PROXIMITY  TO  THE  LINE  AND  THE 
POTENTIAL  REQUIREMENT  FOR  MANUAL  MECO.  @[053096  PRCB-4001] 


A4-257 

b . 
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A4-258  FLIGHT  TERMINATION /MANUAL  ME CO  CRITERIA 

FLIGHT  TERMINATION  ACTION  AND  FLIGHT  TERMINATION  CRITERIA,  AS 
SPECIFIED  IN  EWR  127-1,  ARE  SUPERSEDED  BY  THIS  RULE.  FLIGHT 
TERMINATION  WILL  BE  INITIATED,  OR  A  MANUAL  MECO  REQUESTED,  BY  THE 
FCO  ONLY  IF  CONTINUATION  OF  THE  FLIGHT  VIOLATES  THE  CRITERIA 
SPECIFIED  IN  THIS  RULE.  @[053096  PRCB-4001] 

A.  PRIOR  TO  SRB  IGNITION:  AFTER  SSME  IGNITION,  PAD  ABORTS  ARE 
POSSIBLE.  FIRE  OR  OTHER  CATASTROPHIC  EVENTS  MAY  BE  APPARENT 
FROM  VEHICLE  BEHAVIOR  DATA.  UNDER  NO  CIRCUMSTANCES  WILL  THE 
FCO  TAKE  FLIGHT  TERMINATION  ACTION  PRIOR  TO  SRB  IGNITION. 

B.  SRB  IGNITION  TO  TOWER  CLEAR  (7  SEC) :  IF  A  CATASTROPHIC 
FAILURE  OCCURS,  THE  FCO  WILL  TAKE  FLIGHT  TERMINATION  ACTION 
TO  PREVENT  INTACT  IMPACT,  CONTAIN  THE  SRB'S,  AND  DISPERSE  THE 
ET  PROPELLANTS. 

C.  TOWER  CLEAR  TO  SRB  NLE : 

1.  THE  FCO  WILL  TAKE  FLIGHT  TERMINATION  ACTION  WHEN 
TRAJECTORY  DETERMINATION  SOURCES  INDICATE  THAT  THE 
VEHICLE  HAS  VIOLATED  FLIGHT  TERMINATION  CRITERIA,  SUBJECT 
TO  RULE  { A4 -2 5 6 } ,  CONTROLLABILITY. 

2.  IF  A  CATASTROPHIC  FAILURE  OCCURS,  THE  FCO  WILL  TAKE 
FLIGHT  TERMINATION  ACTION  TO  PREVENT  INTACT  IMPACT, 
CONTAIN  THE  SRB'S,  AND  DISPERSE  THE  ET  PROPELLANTS. 

a.  FOR  VEHICLE  PITCH  OVER,  A  FLIGHT  TERMINATION  DECISION 
WILL  BE  BASED  ON  TRAJECTORY  DETERMINATION  DATA 
CONFIRMED  WITH  MCC  INDICATION  OF  NEGATIVE  HDOT 
(DOWNWARD  ALTITUDE  RATE),  OR  THE  PRIMARY  VEHICLE 
BEHAVIOR  DATA  CUE. 

b.  FOR  VEHICLE  BREAKUP,  A  FLIGHT  TERMINATION  DECISION 
WILL  BE  BASED  ON  THE  PRIMARY  VEHICLE  BEHAVIOR  DATA 
CUE,  TWO  SECONDARY  VEHICLE  BEHAVIOR  DATA  CUES,  OR 
BOTH  ONE  SECONDARY  AND  ONE  TERTIARY  VEHICLE  BEHAVIOR 
DATA  CUE.  @[053096  PRCB-4001] 
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FLIGHT  TERMINATION /MANUAL  ME CO  CRITERIA 
(CONTINUED) 

FOR  STS  MISSIONS  EQUIPPED  WITH  THE  SRB  RADAR  BEACON 
TRACKING  SYSTEM  (SRBTS) ,  FLIGHT  TERMINATION  ACTION  WILL 
BE  DELAYED  TO  ALLOW  MAXIMUM  SEPARATION  OF  THE  ORBITER  AND 
THE  SEPARATED  ELEMENTS  IF  POSITIVE  TRACK  OF  BOTH  SRB' S 
CONFIRMS  THE  SRB'S  ARE  NOT  ENDANGERING  PUBLIC  SAFETY  AND 
THE  DEBRIS  ELLIPSE  HAS  MOVED  OFF  LAND.  @[053096  PRCB-4001] 

IF  CONSIDERED  VALID  BY  THE  FCO,  THE  DEBRIS  ELLIPSE  DISPLAY 
WILL  BE  THE  SOLE  CRITERIA  FOR  DETERMINING  FLIGHT  TERMINATION 
LINE  VIOLATION.  IF  THE  DEBRIS  ELLIPSE  DISPLAY  IS  CONSIDERED 
TO  BE  INVALID  BY  THE  FCO,  ALL  OTHER  VALID  DISPLAYS  MUST 
CONFIRM  THE  FLIGHT  TERMINATION  CRITERIA  VIOLATION.  FLIGHT 
TERMINATION  ACTION  UNDER  THESE  CRITERIA  IS  SUBJECT  TO  RULE 
{ A4 -2  5  6 } ,  CONTROLLABILITY. 

D.  SRB  NLE  TO  SRB  SEPARATION:  THE  FCO  WILL  TAKE  FLIGHT 
TERMINATION  ACTION  WHEN  TRAJECTORY  DETERMINATION  SOURCES 
INDICATE  THAT  THE  VEHICLE  HAS  VIOLATED  FLIGHT  TERMINATION 
CRITERIA,  SUBJECT  TO  RULE  {A4-256},  CONTROLLABILITY. 

E.  SRB  SEPARATION  TO  MECO:  THE  FCO  WILL  CALL  FOR  MANUAL  MECO 
ONLY  WHEN  VALID  TRAJECTORY  DETERMINATION  SOURCES  INDICATE  A 
MECO  LINE  IS  VIOLATED.  A  MANUAL  MECO  CALL  WILL  BE  PRECEDED 
BY  NOTIFICATION  IN  ACCORDANCE  WITH  FLIGHT  RULE  {A4-254},  FCO 
TO  MCC  WARNING  NOTIFICATION,  AND  WILL  BE  EXECUTED  PER  RULE 

{ A4 -2  5  9 } ,  FLIGHT  TERMINATION/MANUAL  MECO  ACTION. 

F.  LANDMASS  OVERFLIGHT  GATES 

1.  A  NOMINAL  VEHICLE  THAT  VIOLATES  A  GATE  WILL  NOT  REQUIRE 
MANUAL  MECO  ACTION,  AND  THE  IIP  WILL  BE  ALLOWED  TO  PASS 
THROUGH  THE  GATE. 

2.  WHILE  LIMIT  LINE  AVOIDANCE  ACTIONS  ARE  BEING  TAKEN, 

MANUAL  MECO  WILL  NOT  BE  INVOKED  UNTIL  VIOLATION  OF  A 
SOLID  MECO  LINE.  @[053096  PRCB-4001] 
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_ FLIGHT  RULES _ 

A4-258  FLIGHT  TERMINATION /MANUAL  ME CO  CRITERIA 

(CONTINUED) 

3.  IF  THERE  IS  IRREFUTABLE  EVIDENCE  THAT  THE  VEHICLE  IS 
NON-NOMINAL  AND  CANNOT  PROCEED  TO  AN  ACCEPTABLE  INTACT 
OR  CONTINGENCY  ABORT  MODE  AS  DETERMINED  BY  THE  MCC,  THE 
MCC/CREW  WILL  REACT  PER  RULE  {A4-260},  RANGE  SAFETY 
LIMIT  AVOIDANCE  ACTIONS.  IF,  AFTER  EXECUTION  OF 
AVAILABLE  RECOVERY  OPTIONS,  THE  VEHICLE  STATUS  IS 
CONFIRMED  UNRECOVERABLE,  MANUAL  MECO  WILL  BE  INITIATED 
TO  PRECLUDE  VIOLATION  OF  THE  GATE.  @[053096  PRCB-4001] 

4.  IF  THE  VEHICLE  STATUS  IS  UNKNOWN  OR  RECOVERABLE  OR 
PROCEEDING  TO  AN  ACCEPTABLE  INTACT  OR  CONTINGENCY  ABORT, 
THE  IIP  WILL  BE  ALLOWED  TO  PASS  THROUGH  THE  GATE. 

G.  EXCLUSIONS  FOR  GUIDANCE  MODE  TRANSITION 

1.  THIS  RULE  IS  DESIGNED  TO  PROTECT  A  VEHICLE  AGAINST 
FLIGHT  TERMINATION  ACTION  DURING  THE  TRANSITION  FROM 
USE  OF  THE  DEBRIS  FOOTPRINT  DESTRUCT  CRITERIA,  WITH  ITS 
ASSOCIATED  ILL'S,  TO  THE  USE  OF  THE  IIP/DESTRUCT  LINE 
CRITERIA,  WHICH  OCCURS  AT  APPROXIMATELY  T  +  120  SEC. 

THE  FTS  IS  STILL  AVAILABLE  FOR  USE  UNTIL  SRB  SEP 
(APPROXIMATELY  T  +  125  SEC),  AT  WHICH  TIME  THE  DESTRUCT 
LINES  BECOME  MANUAL  MECO  LINES. 

2.  A  CONTROLLABLE  VEHICLE  NOT  IN  VIOLATION  OF  EITHER  THE 
BACKUP  ILL  IN  THE  IMMEDIATE  LAUNCH  AREA  OR  THE  SINGLE 
ILL'S  WHICH  EXTEND  UP  THE  COAST  FROM  THE  LAUNCH  AREA  MAY 
SUBSEQUENTLY  BE  IN  VIOLATION  OF  THE  IIP  DESTRUCT/MECO  LINE 
AFTER  IT  IS  DISPLAYED  AT  APPROXIMATELY  T  +  120  SECONDS. 
NEITHER  FLIGHT  TERMINATION  ACTION  NOR  MANUAL  MECO  ACTION 
WILL  BE  REQUIRED  IF  THE  FOLLOWING  CRITERIA  ARE  SATISFIED: 

a.  VEHICLE  ATTITUDES  ARE  STABLE. 

b.  THE  IIP  IS  NOT  MOVING  FURTHER  INTO  THE  VIOLATION 
REGION. 

C.  THE  IIP  BEGINS  TO  MOVE  TOWARD  THE  NON-VIOLATION 

REGION  FOLLOWING  SRB  SEPARATION  AND  INITIATION  OF 
SECOND  STAGE  GUIDANCE.  @[053096  PRCB-4001] 
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A4-259  FLIGHT  TERMINATION /MANUAL  ME CO  ACTION 

A.  FLIGHT  TERMINATION  ACTION:  FLIGHT  TERMINATION  ACTION  IS 

APPLICABLE  DURING  FIRST  STAGE  ONLY  AND  IS  ACCOMPLISHED  VIA 

FCO  COMMAND  ACTIVATION  OF  THE  FTS  .  ©[081497-6306A] 

B.  MANUAL  MECO  PROCEDURE:  MANUAL  MECO  ACTION  IS  APPLICABLE 

DURING  SECOND  STAGE  ONLY  AND  IS  PERFORMED  BY  THE  FLIGHT 

CREW  UPON  DIRECTION  FROM  THE  MCC  OR  FCO,  AS  SPECIFIED 

BELOW.  @[053096  PRCB-4001] 

1.  THE  FDO  WILL  CALL  "15  SEC  TO  MANUAL  MECO"  WHEN  THE  IIP  IS 
30  SECONDS  FROM  THE  MECO  LINE. 

2.  AT  THAT  TIME,  CAPCOM  WILL  CALL  TO  CREW  "15  SECONDS  TO 
MANUAL  MECO,  RETURN  TO  AUTO  (IF  CSS),  PREPARE  FOR  MANUAL 
MECO."  THE  RETURN  TO  AUTO  FLIGHT  CONTROL  ALLOWS 
ACTIVATION  OF  AUTO  THREE-SSME  OUT  CONTINGENCY  LOGIC. 

3.  ONCE  A  GOOD  ONBOARD  CONFIGURATION  IS  CONFIRMED,  MCC  WILL 
CALL  FOR  "MANUAL  MECO  NOW."  FD  AND/OR  FDO  WILL  SEND  THE 
ABORT  REQUEST  COMMAND  (ABORT  LIGHT)  AS  AN  ADDITIONAL  CUE. 

4.  IF  FOR  ANY  REASON,  THE  IIP  CONTACTS  THE  MECO  LINE,  THE 
FCO  WILL  INITIATE  THE  ABORT  REQUEST  COMMAND  (ABORT  LIGHT) 
AND  WILL  TRANSMIT  THE  MANUAL  MECO  CODEWORD  (REF. 

PARAGRAPH  D,  BELOW)  TO  THE  MCC  AT  THAT  TIME. 

C.  TWO  CUES  ARE  REQUIRED  FOR  THE  CREW  TO  INITIATE  MANUAL  MECO. 

IMMEDIATE  MANUAL  MECO  ACTION  IS  REQUIRED  WHEN  ANY  OF  THE 

FOLLOWING  CRITERIA  ARE  MET: 

1.  "FIFTEEN  SEC  TO  MANUAL  MECO"  CALL  AND  "MANUAL  MECO  NOW" 
CALL. 

2.  "FIFTEEN  SEC  TO  MANUAL  MECO"  CALL  AND  ABORT  LIGHT.  NOTE: 
IF  THE  ABORT  LIGHT  WAS  ALREADY  ON  WHEN  "15  SEC  TO  MANUAL 
MECO"  CALL  WAS  MADE,  MANUAL  MECO  ACTION  WILL  BE  TAKEN 
AFTER  15  SEC. 

3.  ABORT  LIGHT  ON  AND  "MANUAL  MECO  NOW"  CALL.  @[053096  PRCB-4001] 

4.  ANY  OTHER  CUES  AS  APPROPRIATE.  ©[081497-6306A] 
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A4-259 

FLIGHT  TERMINATION /MANUAL  MECO  ACTION  (CONTINUED) 

D  .  MANUAL  MECO  CODEWORD  ©[081497-6306A] 


1  . 

THE  MANUAL  MECO  CODEWORD  IS  USED  BY  THE  FCO  TO  INDICATE 

TO  THE  MCC  THAT  AN  IMMEDIATE  MANUAL  MECO  IS  REQUIRED. 

WHEN  USED,  IT  IS  TRANSMITTED  VERBALLY  OVER  BOTH  FD  AND 

FCO  PRIME  LOOPS  SIMULTANEOUSLY. 

2  . 

UPON  MCC  RECEIPT  OF  THE  CODEWORD,  CAPCOM  WILL  IMMEDIATELY 
NOTIFY  THE  CREW  WITH  THE  FOLLOWING  CALL:  "MANUAL  MECO 

NOW,  MANUAL  MECO  NOW."  @[053096  PRCB-]  ©[081497-6306A] 

A4-260 

RANGE  SAFETY  LIMIT  AVOIDANCE  ACTIONS 

THE  FOLLOWING  PRIORITIZED  ACTIONS  WILL  BE  TAKEN  BY  THE  MCC  AND/OR 
CREW  IN  ORDER  TO  PRECLUDE  VIOLATION  OF  RANGE  SAFETY  DESTRUCT 
CRITERIA.  @[053096  PRCB-4001] 

A.  FIRST  STAGE: 


1  . 

STATE  VECTOR  UPDATE,  IF  TRAJECTORY  DEVIATION  IS  DUE  TO 
ERRONEOUS  ONBOARD  NAVIGATION. 

2  . 

ENGAGE  CSS  (APPLICABLE  ONLY  AFTER  90  SECONDS  MET)  AND 
MANUALLY  FLY  AWAY  FROM  LIMIT  LINES  AS  DESCRIBED  UNDER 

PART  B . 3  BELOW. 

3. 

BFS  ENGAGE,  IF  TRAJECTORY  DEVIATION  IS  DUE  TO  ERRONEOUS 
GUIDANCE . 

NOTE:  BFS  ENGAGE  WILL  ONLY  BE  USED  IF  IT  IS  KNOWN  THAT 

IT  WILL  CORRECT  THE  DEVIATION.  BFS  ENGAGE 

SEVERELY  LIMITS  POTENTIAL  SECOND  STAGE  ACTIONS. 
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A4-260  RANGE  SAFETY  LIMIT  AVOIDANCE  ACTIONS  (CONTINUED) 

B.  SECOND  STAGE: 

1.  STATE  VECTOR  UPDATE,  IF  TRAJECTORY  DEVIATION  IS  DUE  TO 
ERRONEOUS  ONBOARD  NAVIGATION. 

2.  PRE-MECO  ATO  ABORT  SELECTION,  IF  VARIABLE  IY  IS  ENABLED. 

3.  ENGAGE  CSS  AND  MANUALLY  FLY  AWAY  FROM  LIMIT  LINES.  MCC 
WILL  PROVIDE  YAW  STEERING  COMMANDS  OVER  AIR-TO-GROUND. 

FDO  IS  PRIME  FOR  DETERMINATION  OF  YAW  STEERING  COMMANDS. 
NOTE:  THIS  OPTION  IS  NO  LONGER  AVAILABLE  AFTER  A  BFS 
ENGAGE . 

4.  PRE-MECO  TAL  OR  RTLS  ABORT  SELECTION  (SELECT  HIGHEST 
APPLICABLE  ABORT  PRIORITY  MODE) . 

NOTE:  PRIORITY  OF  CSS  AND  TAL/RTLS  SELECTION  OVER  BFS  IN 

SECOND  STAGE  MAY  BE  WAIVED  IF  IT  IS  KNOWN  THAT  BFS 
WILL  RECOVER  AUTO  GUIDANCE  TO  CORRECT  TARGET 
CONDITIONS.  @[053096  PRCB-4001] 

5.  BFS  ENGAGE.  @[053096  PRCB-4001] 

NOTE:  BFS  ENGAGE  WILL  ONLY  BE  CONSIDERED  IF  IT  IS  KNOWN 

THAT  IT  WILL  CORRECT  THE  DEVIATION  AND  IF  MORE 
THAN  ONE  SSME  IS  RUNNING.  SINGLE-SSME  FLIGHT  ON 
THE  BFS  IS  NOT  POSSIBLE,  AND  AUTO,  THREE-SSME  OUT 
CONTINGENCY  LOGIC  IS  NOT  AVAILABLE  IN  THE  BFS. 

6.  MANUAL  MECO:  REFERENCE  RULE  {A4-259},  FLIGHT 
TERMINATION/MANUAL  MECO  ACTION.  @[081 497-6306A] 
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SECTION  5  -  BOOSTER 


FAILURE  DEFINITIONS 


A5-1  LOSS  OF  SRB  THRUST  VECTOR  CONTROL  (TVC)  @[012402-4987] 

SRB  TVC  IS  LOST  WHEN  THE  HYDRAULIC  SUPPLY  PRESSURES  OF  BOTH  HPU' S 
ON  THE  SAME  SRB  ARE  100  0  PSIG  OR  LESS.  @[0411 96-1 874A] 

The  SRB  TVC  system  has  a  lock-out  style  valve  which  will  actuate  to  the  lock  position  when  the  hydraulic 
supply  pressure  is  1000  to  600  psig.  Two  hydraulic  power  units  (HPU’s)  are  installed  per  SRB ,  and  both 
can  supply  hydraulic  power  to  the  TVC  actuators.  Actuator  source  pressure  is  switched  from  the 
primary  HPU  to  the  secondary  HPU  when  the  hydraulic  supply  pressure  on  a  single  HPU  reaches  2050 
±150  psig.  This  switchover  is  indicated  by  an  Actuator  Primary  Pressure  OK  discrete  value  of  False  and 
it  effectively  loses  one  HPU.  However,  TVC  is  not  lost  until  neither  HPU  can  deliver  hydraulic  supply 
pressure  of  1000  psig  to  the  actuators.  ( Reference  System  Handbook  Drawing  9.14  and  USBI  documents 
10SPC-0055,  rev  B,  section  4.2.2.10,  and  10MNL-0045,  Rev  D).  ®[oi  2402-4987  ] 

Note:  Above  1000  psig,  the  lock-out  valve  opens,  and  TVC  is  still  available.  @[0411 96-1 875A] 

A5-2  SPACE  SHUTTLE  MAIN  ENGINE  OUT  ©[121197-6472A] 

PREMATURE  ENGINE  SHUTDOWN  IS  CAUSED  BY  AN  ENGINE  LIMIT  EXCEEDED, 
DUAL  CONTROLLER  ELECTRONICS  FAILURES,  OR  A  COMBINATION  OF  A  SINGLE 
CHANNEL  LIMIT  EXCEEDED  AND  A  CONTROLLER  ELECTRONIC  FAILURE.  THE 
CUES  FOR  DETERMINING  AN  ENGINE  SHUTDOWN  ARE  DEFINED  IN  PARAGRAPHS 
A,  B,  C,  AND  D  OF  THIS  RULE.  THE  SHUTDOWN  SOFTWARE  LIMITS  ARE 
DEFINED  IN  PARAGRAPH  E.  THE  AVIONIC  FAILURE  COMBINATIONS  ARE 
DEFINED  IN  PARAGRAPH  F. 

ENGINE  OUT  DETERMINATION  WILL  BE  BASED  ON  THE  FOLLOWING  CUES: 

A.  ONBOARD  (WITH  VALID  SSME  DATA) : 

1.  RED  MAIN  ENGINE  STATUS  LIGHT  IS  ILLUMINATED. 

2.  PC  <  30  PERCENT  (METER) 
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A5-2  SPACE  SHUTTLE  MAIN  ENGINE  OUT  (CONTINUED) 

3.  SSME  FAIL  L  (C,R) 

Two  cues  are  required  for  calls  that  may  cause  an  abort.  The  MPS  dedicated  display  driver  sequence  in 
the  flight  software  illuminates  the  red  status  light  if  the  SSME  is  in  the  shutdown  or  post-shutdown  phase. 
The  SSME  operations  sequence  in  the  flight  software  uses  power  level  <  30  percent  as  the  indication  that 
the  SSME  has  shut  down.  The  30  percent  value  represents  a  power  level  below  which  the  engine  cannot 
operate.  The  PASS  SSME  fail  message  is  generated  by  the  GAX  when  the  engine  fail  flag  is  set  by  the 
SSME  OPS  sequence.  The  flag  is  set  when  either  the  engine  status  word  shows  shutdown  or  post 
shutdown  phase,  or  a  data  path  failure  has  occurred  and  the  engine  scifing  command  flag  has  been  set. 

B.  MCC  (WITH  VALID  SSME  DATA) : 

AT  LEAST  TWO  OF  THE  FOLLOWING  CUES  ARE  REQUIRED: 

1.  SSME  FAILURE  IDENTIFIER  (FID)  "013"  INDICATING  SSME 
SHUTDOWN  FOR  REDLINE  VIOLATION. 

2.  SHUTDOWN  OR  POST-SHUTDOWN  PHASE  (REFLECTED  IN  ENGINE 
STATUS  WORD) . 

3.  PC  <  900  PSIA. 

4.  SSME  FAIL  L  (C,R) 

Two  cues  are  required  for  calls  that  may  cause  an  abort.  A  FID  013  issued  by  the  SSME  controller 
represents  an  engine  shutdown  due  to  a  redline  exceedance.  The  redline  that  was  exceeded  is  defined  by 
the  delimiter  part  of  the  FID.  Shutdown  and  post-shutdown  phases  are  set  in  the  engine  status  word  when 
the  SSME  controller  commands  shutdown.  Pc  of  900  psia  corresponds  to  approximately  30  percent  power 
level.  The  PASS  SSME  fail  message  is  generated  by  the  GAX  when  the  engine  fail  flag  is  set  by  the  SSME 
OPS  sequence.  The  flag  is  set  when  either  the  engine  status  word  shows  shutdown  or  post  shutdown  phase, 
or  a  data  path  failure  has  occurred  and  the  engine  scifing  command  flag  has  been  set.  ®[121197-6472A] 

C.  ONBOARD  (WITH  SSME  DATA  PATH  FAILURE) : 

AT  LEAST  THREE  OF  THE  FOLLOWING  ARE  REQUIRED: 

1.  G-LEVEL  DECREASE  (ON  DEDICATED  DISPLAY  G-METER  OR  BFS  CRT 
TRAJECTORY  DISPLAY  G-LINE) . 
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A5-2  SPACE  SHUTTLE  MAIN  ENGINE  OUT  (CONTINUED) 

2.  A  HELIUM,  DP/DT  FAULT  MESSAGE  FOLLOWED  BY  CONSTANT  ENGINE 
HELIUM  TANK  PRESSURE  (IF  NO  PREVIOUS  FAULT  MESSAGE  FOR  A 
HELIUM  LEAK) . 

3.  MPS  H2  OUT  P  L  (C,R) 

4.  MPS  02  OUT  T  L  (C,R) 

During  second  stage  when  the  first,  second,  and  third  engines  shut  down  in  sequence,  the  g-Ievel  decreases 
by  33,  50,  and  100  percent,  respectively.  During  first  stage,  the  SRB  thrust  far  exceeds  the  SSME  thrust 
making  it  difficult  to  detect  an  engine  shutdown  based  upon  changes  in  vehicle  acceleration.  If  the  engine 
did  not  previously  have  a  helium  leak,  the  crew  will  get  a  helium  DP/DT  fault  message,  followed  by 
constan  t  helium  tank  pressure  on  the  affected  engine.  If  the  tank  pressure  remains  constan  t,  no  helium  is 
being  used  and;  therefore,  the  engine  has  shut  down.  In  01-22  and  subs,  the  crew  will  get  fault  messages 
for  both  the  GH2  outlet  pressure  and  GO2  outlet  temperature  dropping  below  1050  psia  and  125  deg  F, 
respectively.  Because  both  of  these  parameters  are  channelized  through  the  same  OIMDM  and  powered 
from  the  same  01  DSC,  the  two  fault  messages  could  be  generated  by  a  single  MDM  or  DSC  failure.  For 
this  reason,  the  crew  must  use  three  of  the  four  cues  when  determining  an  engine  out  behind  a  data  path 
failure.  @[020196-1812]  ®[1 21 1 97-6472A] 

D.  MCC  (WITH  SSME  DATA  PATH  FAILURE) : 

AT  LEAST  TWO  OF  THE  FOLLOWING  CUES  ARE  REQUIRED: 

1.  A  SUDDEN  DROP  IN  ACCELERATION  OR  THRUST  FACTOR  AS 
DETERMINED  FROM  TELEMETRY  DATA.  (THRUST  FACTOR  AVAILABLE  IN 
SECOND  STAGE  ONLY) . 

2.  ORBITER  GH2  OUTLET  PRESSURE  <  800  (1050)  PSIA  OR  ORBITER 

G02  OUTLET  TEMPERATURE  <260  DEG  (300  DEG)  F. 

3.  A  HELIUM  DP/DT  FAULT  MESSAGE  FOLLOWED  BY  CONSTANT  ENGINE 
HELIUM  TANK  PRESSURE  (IF  NO  PREVIOUS  FAULT  MESSAGE  FOR  A 
HELIUM  LEAK) . 

4.  A  DROP  IN  SECOND  STAGE  PERFORMANCE  AS  DETERMINED  BY  THE  ARD . 
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A5-2  SPACE  SHUTTLE  MAIN  ENGINE  OUT  (CONTINUED) 

Two  cues  are  required  for  calls  that  may  cause  an  abort.  For  cm  engine  failure  in  second  stage,  an  abrupt 
drop  in  vehicle  acceleration  will  result.  The  GH2  outlet  pressure  and  GO2  outlet  temperature  are  orbiter 
parameters  that  can  be  used  to  determine  the  status  of  cm  engine.  Both  the  GH2  and  GO 2  limits  are  set  to 
correspond  to  an  engine  power  level  of  approximately  30  percent.  This  is  well  below  the  power  level  that 
an  engine  can  operate.  Flight  data  from  STS  51-F  indicates  the  GO2  outlet  temperature  was  <  125  deg  F 
for  about  15  seconds  post  engine  shutdown.  The  GO2  outlet  temperature  did  rise  again  post  shutdown  to  a 
value  of  approximately  300  deg  F.  Since  both  orbiter  parameters  are  channelized  through  the  same  01 
MDM  and  powered  from  the  same  01  DSC,  the  two  are  grouped  together  as  one  engine  out  cue.  If  cm 
engine  did  not  previously  have  a  helium  leak,  the  crew  will  get  a  DP/DT fault  message  while  the  engine 
initiates  shutdown  purges.  Once  the  helium  purges  have  terminated,  the  engine  will  no  longer  use  helium 
and;  therefore,  the  helium  tank  pressure  will  remain  constant.  Thrust  factor  (FT  FACTOR)  is  a  second 
stage  guidance  downlisted  parameter  from  the  vehicle  and  is  calculated  by  dividing  the  expected  thrust  by 
the  calculated  thrust.  If  cm  engine  shuts  down  behind  a  data  path  failure,  the  thrust  factor  will  drop  to  a 
value  less  than  1.0.  If  an  engine  fails  in  first  stage,  thrust  factor  is  not  available,  but  the  second  stage 
performance  as  determined  by  the  ARD  would  reflect  the  loss  in  performance  from  the  engine  shutdown. 
®[032395-1 765A]  @[020196-1812]  ®[1 21 1 97-6472A] 
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A5-2  SPACE  SHUTTLE  MAIN  ENGINE  OUT  (CONTINUED) 


E.  ENGINE  LIMIT  EXCEEDED  AND  SHUTDOWN  SENSOR  FAILURE 
DEFINITIONS : 


PARAMETERS 

(A) 

QUALIFICATION/ 

REASONABLENESS 

TESTING 

(C) 

SHUTDOWN  LIMITS 

(D) 

NOTES 

( B ) 

HPFTP  COOLANT 

>4500  PSIA 

PHASE  II,  BLOCK  1,  &  IIA: 

LINER  PRESSURE 

>CNTL  CAL  LIMIT 

SENSORS  A  &  B 

<1800  PSIA 

(PSIA) 

NO  LOWER  LIMIT 

(E) 

IqBSS 

HPFT  TURBINE 

A2  (A3,B2,B3)>  2650?  R 

PHASE  II  &  BLOCK  1: 

m 

DISCHTEMP 

'A2-A3?>  50?  R  (D/Q  LWR) 

CH  A  >1960?R 

THERMOCOUPLE 

B2-B3?>  50?  R  (D/Q  LWR) 

CH  B  >1960?R 

[3] 

[7] 

SENSORS 

DOWN  TO  1  ON  BOTH/EITHER: 

A2,  A3,  B2  &  B3 

(B  AVG  -  AX)  >150?  R  (D/Q  AX) 

[4] 

[9] 

(?R) 

(A  AVG  -  BX)  >  150?  R  (D/Q  BX) 

BLOCK  IIA  &  BLOCK  II: 

AX-BY?>  150?  R  (D/Q  LWR) 

CH  A  >1860?R 

[11] 

CH  B  >1 860?R 

(F) 

NO  LOWER  LIMIT 

HPOT  TURBINE 

A2  (A3,B2,B3)>  2650?  R 

PHASE  II  &  BLOCK  1: 

[1] 

DISCHTEMP 

A2-A3?>  50?  R  (D/Q  LWR) 

>1 760?R 

THERMOCOUPLE 

B2-B3?>  50?  R  (D/Q  LWR) 

[3] 

[9] 

SENSORS 

DOWN  TO  1  ON  BOTH/EITHER: 

BLOCK  IIA  &  BLOCK  II: 

A2,  A3,  B2  &  B3 

(B  AVG  -  AX)  >150?  R  (D/Q  AX) 

>1 660?R 

[4] 

[11] 

(?R) 

(A  AVG  -  BX)  >  150?  R  (D/Q  BX) 

(G) 

AX-BY?>  150?  R  (D/Q  LWR) 

<720?  R 

HPOTP SECONDARY 

>300  PSIA 

PHASE  II: 

SEAL  PRESSURE 

>100  PSIA 

SENSORS  A  &  B 

<4  PSIA 

(PSIA) 

NO  LOWER  LIMIT 

(H) 

131 

HPOTP  INTERMEDIATE 

>650  PSIA 

NO  UPPER  LIMIT 

[i] 

[5] 

SEAL  PRESSURE 

SENSORS  A  &  B 

<0  PSIA 

PHASE  II: 

[3] 

(PSIA) 

<170  PSIA 

OR 

[4] 

BLOCK  1,  IIA,  &  II: 

(I) 

<159  PSIA 

MCC  PC  SENSOR 

NO  UPPER  LIMIT 

[1] 

[8] 

AVERAGE  SENSORS 

|  BRIDGE  1  -  BRIDGE  2  | 

A  &  B  (PSIA) 

?  125  PSI 

ALL  ENGINE  TYPES: 

[3] 

PC  CHANNEL  AVG 

PC  CHANNEL  AVG  < 

?3500  PSI 

PC  REF -  200  PSI 

[4] 

?1000  PSI 

(STEADY  STATE) 

AND 

PC  REF  -  400  PSI 

(DURING  THROTTLING  OR 

_ (JL 

WHEN  ?  75%  RPL) 

@[111094-1732]  @[032395-1 765A]  @[0921 95-1 792 B]  @[020196-1812]  @[1211 97-6472A] 
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NOTES: 

[1]  MUST  EXCEED  LIMIT  OR  FAIL  REASONABLENESS  FOR  60  MSEC. 

A  parameter  must  be  over  its  redline  or  reasonableness  limit  for  three  consecutive  20  msec  con  troller 
cycles  before  action  is  taken  by  the  controller.  This  requirement  prevents  action  from  being  taken  on  a 
data  hit. 

[2]  THE  HPOTP  SECONDARY  SEAL  PRESSURE  REDLINE  IS  ONLY  ACTIVE  ON  THE  PHASE  II  SSME.  THIS  REDLINE  IS 
NOT  PRESENT  ON  THE  BLOCK  I  SSME,  BLOCK  IIA  SSME,  OR  THE  BLOCK  II  SSME.  @[032395-1 765A]  @[121197- 
6472A] 

[3]  SHUTDOWN  FOR  AN  OUT-OF-LIMIT  CONDITION  INITIATED  BY  MAIN  ENGINE  CONTROLLER  IF  LIMIT  ENABLED.  LIMIT 
INHIBIT/ENABLE  OPERATIONS  DEPENDENT  ON  THE  POSITION  OF  THE  MAIN  ENGINE  LIMIT  SHUTDOWN  SWITCH. 

This  indicates  that,  if  the  limit  shutdown  logic  is  enabled,  then  a  redline  violation  will  result  in  an  SSME 
shutdown. 

[4]  IF  ALL  SENSORS  FAIL  REASONABLENESS,  THAT  REDLINE  IS  DELETED.  @[0921 95-1 792B] 


Redline  mon  itoring  is  no  longer  performed  because  the  redline  sen  sors  have  failed. 

[5]  THE  HPOTP  INTERMEDIATE  SEAL  PRESSURE  LOWER  REDLINE  IS  170  PSIA  ON  THE  PHASE  II  SSME  AND  IS 
159  PSIA  ON  THE  BLOCK  I  SSME,  BLOCK  IIA  SSME,  AND  THE  BLOCK  II  SSME.  @[032395-1 765A]  @[020196- 
1812] 

[6]  THE  REDLINE  UPPER  LIMIT  IS  CALCULATED  IN  REAL  TIME  BY  CONTROLLER  SOFTWARE  AND  IS  A  FUNCTION  OF 
ENGINE  POWER  LEVEL.  THEREFORE,  THE  LIMITS  AT  67,  1 00,  1 04,  AND  1 09  PERCENT  POWER  LEVELS  ARE 
APPROXIMATELY  2436,  3543,  3677,  AND  3846  PSIA  FOR  A  PHASE  II  SSME,  2447,  3559,  3694,  AND  3862  PSIA  FOR  A 
BLOCK  I  SSME,  AND  2243,  3254,  3392  (@104.5),  AND  3530  PSIA  FOR  A  BLOCK  IIA  SSME,  RESPECTIVELY.  THIS 
REDLINE  HAS  BEEN  DELETED  FOR  THE  BLOCK  II  SSME.  @[111094-1732]  @[0921 95-1 792B]  ©[121197-6472A] 


THIS  RULE  CONTINUED  ON  NEXT  PAGE 


VOLUME  A  11/21/02  FINAL,  PCN-1  BOOSTER  5-6 

Verify  that  this  is  the  correct  version  before  use. 


NASA  -  JOHNSON  SPACE  CENTER 


FLIGHT  RULES 


A5-2  SPACE  SHUTTLE  MAIN  ENGINE  OUT  (CONTINUED) 


The  HPFTP  coolant  liner  pressure  varies  with  actual  chamber  pressure. 


[7]  THIS  REDLINE  MAY  BE  REVISED  ON  A  FLIGHT-BY-FLIGHT  BASIS  TO  ENSURE  COMPARABLE  MARGIN  ON  CHANNEL 
A  AND  CHANNEL  B  BETWEEN  THE  PREDICTED  NOMINAL  VALUE  AND  THE  REDLINE  VALUE.  IF  A  CHANNEL  A  TO  B 
BIAS  IS  ADDED,  THEN  THIS  BIAS  IS  CARRIED  OVER  INTO  THE  REASONABLENESS  CALCULATIONS  FOR  THE 
INTERCHANNEL  CHECKS.  ®[092195-1792B] 


Some  flight  SSME  HPFTP’s  may  operate  at  a  lower  temperature.  Engines  with  these  turbopumps  may 
have  their  channel  A  redline  adjusted  downward  to  provide  the  same  100  deg  R  difference  between  the 
mean  stage  operating  temperature  and  the  redline  as  present  on  other  HPFTP’s.  ®[1 11094-1732  ] 


[8]  THE  INTRACHANNEL  CHECK  AND  THE  CHANNEL  AVERAGE  MUST  BE  WITHIN  THE  SPECIFIED  LIMITS  IN  ORDER 
TO  BE  PROCESSED  BY  THE  CONTROLLER'S  SHUTDOWN  LIMIT  LOGIC.  THESE  REASONABLENESS  CHECKS  ARE 
IN  ADDITION  TO  THE  NORMAL  SENSOR  MONITORING  PERFORMED  FOR  IGNITION  CONFIRMED  AND  CONTROL 
LOOP  PROCESSING  QUALIFICATION. 


The  MCC  Pc  channels  will  be  disqualified  for  control  purposes  for  an  intrachcmnel  difference  of  greater 
than  75  psi.  The  MCC  Pc  redline  logic  incorporates  two  reasonableness  criteria  to  ensure  that  only 
valid  pressures  will  be  used. 

[9]  THE  LOGIC  FOR  THE  HPFT  AND  THE  HPOT  DISCHARGE  TEMPERATURE  WAS  MODIFIED  BY  THE 

IMPLEMENTATION  OF  THE  THERMOCOUPLES.  THE  THERMOCOUPLE  MODIFICATION  UTILIZES  TWO  SENSORS 
PER  CHANNEL  FOR  A  TOTAL  OF  FOUR  SENSORS  PER  REDLINE.  ®[0921 95-1 782B]  ®[0921 95-1 782B] 


The  sensor  processing  logic  was  modified  to  accommodate  the  different  failure  modes  for  the 
thermocouple  sensors  (versus  the  previous  resistive  thermal  devices-RTD’s)  and  to  handle  the  additional 
number  of  sensors.  The  additional  sensors  were  added  to  increase  reliability  against  sensor  failures 
resulting  in  pad  aborts,  erroneous  in-flight  shutdown,  or  the  loss  of  redline  protection.  ®[1 21 1 97-6472A] 

[10]  THE  HPFTP  COOLANT  LINER  PRESSURE  REDLINE  IS  ONLY  AVAILABLE  FOR  THE  PHASE  II,  BLOCK  I,  AND  BLOCK 
IIA  ENGINE  TYPES.  ®[1 21 1 97-6472A] 


The  Block  II  SSME  uses  a  Pratt  &  Whitney  HPFTP/ AT  which  does  not  have  a  coolant  liner. 

[11]  A  COLD  JUNCTION  REFERENCE  TEMPERATURE  (TCj)  IS  PROVIDED  FOR  EACH  CONTROLLER  CHANNEL  TO 

PROCESS  THE  HOT  GAS  THERMOCOUPLE  SENSOR  DATA.  THE  TCJ  IS  USED  TO  CALIBRATE  THE  TEMPERATURE 
MEASUREMENT  INPUT.  EACH  CHANNEL  HAS  A  SINGLE  RTD  TCJ  WHICH  IS  USED  FOR  BOTH  THE  HPOT  AND  HPFT 
TEMPERATURE  MEASUREMENTS.  IF  ONE  CHANNEL'S  TCJ  IS  DISQUALIFIED,  THE  OTHER  CHANNEL'S  TCJ  WILL  BE 
USED  FOR  BOTH  CHANNELS.  IF  BOTH  TCJ  S  ARE  DISQUALIFIED,  THE  LAST  QUALIFIED  VALUE  WILL  BE  USED  FOR 
SENSOR  PROCESSING. 


Thermocouple  measurements  require  a  cold  junction  reference  temperature  to  provide  accurate 
readings.  The  controller  and  its  software  was  modified  to  accommodate  the  addition  of  these  two 
transducers,  which  are  required  for  use  with  the  thermocouples. 
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a.  PARAMETERS  -  This  table  covers  parameters  which  the  SSME  controller  qualifies,  monitors,  and 
uses  to  shut  down  the  engine. 

b.  CONTROLLER  SHUTDOWN  PROCESSING  -  All  qualified  sensors  must  vote  for  shutdown  for 
action  to  proceed.  ®[092i  95-1 792B] 

c.  QUALIFICATION/REASONABLENESS  TESTING  -  Qualification,  also  known  as  reasonableness 
testing,  is  required  to  qualify  the  sensors  for  application  to  shu  tdown  logic.  The  values  chosen 
screen  out  sensors  with  identified  sensor  problems.  ®[1 21 1 97-6472A] 

d.  SHUTDOWN  LIMITS  -  Redline  parameters  are  monitored  to  assure  that  the  engine  is  performing 
within  safe  operating  conditions.  Limits  are  set  to  guard  against  uncontained  SSME  damage.  The 
limits  are  based  upon  test  stand  data,  flight  experience,  and  engineering  analysis.  The  engine 
redline  design  criteria  was  defined  by  MSFC  and  approved  by  Level  II. 

e.  HPFTP  COOLANT  LINER  PRESSURE  ®[092195-1792B] 

Phase  II,  Block  I,  and  Block  IIA  SSME’s  -  The  redline  limit  was  selected  to  prevent  buckling  of  the 
coolant  liner  and  subsequent  stalling  of  the  HPFTP.  This  limit  was  derived  from  an  uncontained 
failure  of  SSME  0108  during  a  ground  test.  The  exhaust  turnaround  duct  buckled,  the  HPFTP 
stalled,  and  the  low  pressure  fuel  duct  ruptured.  Based  upon  this  incident  and  analysis,  the 
buckling  pressure  has  been  determined  to  be  595  psid  with  the  delta  pressure  being  measured 
between  the  coolan  t  liner  cavity  and  the  turnaround  duct.  The  redline  was  set  to  protect  for  a  delta 
pressure  of 400  psi  and  has  been  verified  by  lab  tests.  The  reasonableness  limits  of 4500  and  1800 
psi  were  established  because  they  bracket  the  sensor  range. 

f.  HPFT  TURBINE  DISCHARGE  TEMPERATURE  ®[092i  95-1 792B] 

The  limit  was  derived  from  analysis  and  protects  against  stress  rupture  of  the  HPFT  blades  due 
to  high  temperature  operation.  This  redline  was  developed  following  uncontained  failures  on 
engines  0204  and  2013  during  ground  testing.  These  failures  were  attributed  to  tu  rbine  blade 
failure  which  resulted  in  HPFTP  seizure  and  low  pressure  fuel  duct  rupture.  Subsequent  analysis 
determined  a  2160  deg  R  maximum  turbine  blade  root  temperature  capability  for  109  percent 
power  level.  This  temperature  equates  to  a  2060  deg  R  turbine  exhaust  temperature.  The  1960 
deg  R  limit  provides  a  100  deg  R  margin  for  the  Phase  II  and  Block  I  SSME’s.  The  1860  deg  R 
limit  provides  a  200  deg  R  margin  for  the  Block  IIA  and  Block  II  SSME’s.  This  reduction  for  the 
Block  IIA  and  Block  II  SSME’s  still  leaves  satisfactory  margin  from  nominal  operating 
conditions  to  the  redline,  due  to  the  reduced  temperature  environment  facilitated  by  the  large 
throat  MCC  (reference  8/15/97  Ascent/Entry  Flight  Techniques  Panel).  The  channel  A  location 
on  some  HPFTP’s  may  run  cooler,  thus  necessitating  a  lower  redline  value  ( potentially  as  low  as 
1850  deg  Rfor  the  Phase  II  and  Block  I  or  1750  deg  Rfor  the  Block  IIA  and  Block  II).  ®[i  1 1 094- 

1732]  ®[1 21 1 97-6472A] 
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The  upper  reasonableness  limit  of 2650  deg  R  guards  against  open  circuits  and  analog-to-digital 
(A/D)  converter  failures.  The  intrachannel  and  interchannel  reasonableness  limits  are  screens  for 
internal  short  circuits.  An  absolute  lower  limit  is  not  feasible  since  a  short  will  result  in  an  in-range 
failure  signature.  If  only  one  sensor  remains,  only  the  open  circuit  failure  mode  is  detectable. 
®[092195-1792B]  ®[1 21 1 97-6472A] 

g.  HPOT  TURBINE  DISCHARGE  TEMPERATURE  ®[092i  95-1 792B] 

The  upper  redline  limit  was  derived  from  analysis  to  protect  the  heat  exchanger  from  overheating 
and  rupturing  leading  to  catastrophic  failure.  The  limit  of  1760  deg  R  provides  a  100  deg  margin 
(1860  deg  R  is  based  on  meeting  one  mission  life  capability;  i.  e. ,  until  nominal  predicted  MECO) 
for  the  Phase  II,  and  Block  I  SSME’s.  The  1660  deg  R  limit  provides  a  200  deg  R  margin  for  the 
Block  IIA  and  Block  II  SSME’s.  This  reduction  for  the  Block  IIA  and  Block  II  SSME’s  still  leaves 
satisfactory  margin  from  nominal  operating  conditions  to  the  redline,  due  to  the  reduced 
temperature  environment  facilitated  by  the  large  throat  MCC  ( reference  8/15/97  Ascent/Entry  Flight 
Techniques  Panel).  The  lower  redline  limit  of  720  deg  R  provides  protection  against  inadvertent 
deep  throttling  of  the  engine,  which  causes  ice  formation  in  the  HPOT  turbine,  subsequen  t  turbine 
imbalance,  and  potential  catastrophic  HPOTP  failure.  ®[i  21 1 97-6472A] 

The  reasonableness  limit  of 2650  deg  R  guards  against  open  circuits  and  A/D  converter  failures. 

The  in  trachannel  and  in  terchannel  reasonableness  limits  are  screens  for  in  terned  short  circuits.  An 
absolute  lower  limit  is  not  feasible  since  a  short  will  result  in  an  in-range  failure  signature.  If  only 
one  sensor  remains,  only  the  open  circuit  failure  mode  is  detectable.  ®[1 21 1 97-6472A] 

h.  HPOTP  SECONDARY  SEAL  PRESSURE 

PHASE  II SSME  -  The  redline  limit  was  derived  from  analysis  to  prevent  the  L02from  the  HPOTP 
pump  combin  ing  with  the  hot  fuel-rich  tu  rbine  gas  in  the  seal  purge  cavity.  The  redline  protects 
against  failures  of  the  HPOTP  primary  or  secondary  turbine  seals.  The  limit  is  set  to  ensure  that 
the  HPOTP  intermediate  seed  cavity  pressure  is  greater  than  the  HPOTP  secondary  seal  cavity 
pressure  by  9  psi  during  main  stage,  with  a  minimum  seed  purge  flow  rate  and  a  maximum  seal  gap. 
Both  reasonableness  tests  provide  protection  against  avionics  failures  of  the  pressure  sensor  system. 
®[032395-1765A]  ®[0921 95-1 792B] 

BLOCK  1  SSME,  BLOCK  IIA  SSME,  and  BLOCK  II  SSME  -  Due  to  significant  design  changes  in  the 
alternate  HPOTP  seal  package  on  these  engines,  this  transducer  and  its  redline  have  been  eliminated. 
Rationale  for  this  is  the  oxidizer  and  secondary  H2  drain  pressure  margins  are  large,  and  a  secondary 
labyrinthine  (lab)  seal  analysis  at  more  than  six  times  its  maximum  possible  operating  clearance 
showed  helium  barrier  delta  pressure  is  insensitive  to  lab  seal  clearance  changes.  ®[032395-l765A] 

®[1 21 1 97-6472A] 
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i.  HPOTP  INTERMEDIATE  SEAL  PRESSURE  - 

PHASE  II SSME  -  The  redline  limit  was  derived  from  analysis  to  prevent  the  L02from  the  HPOTP 
pump  combining  with  the  hot  fuel-rich  turbine  gas  in  the  purge  cavity.  This  redline  guards  against 
excessive  seed  wear  or  loss  of  helium  purge  by  ensuring  that  the  HPOTP  intermediate  seed  cavity 
pressure  is  greater  than  the  HPOTP  secondary  seal  cavity  pressure  by  9  psi  during  mean  stage  under 
the  worst  seal  gap  condition.  Both  reasonableness  tests  provide  protection  against  avionics  failures  of 
the  pressure  sensor  system.  ®[032395-l765A]  ®[0921 95-1 792B]  ®[1 21 1 97-6472A] 

BLOCK  1  SSME,  BLOCK  IIA  SSME,  and  BLOCK  II  SSME  -  The  redline  limit  was  derived  from 
analysis  to  prevent  L02from  the  alternate  HPOTP  pump  combining  in  the  purge  cavity  with  H2from 
the  fuel  cooled  roller  and  ball  bearing  package.  This  redline  guards  against  excessive  seal  wear  or 
loss  of  helium  purge  by  ensuring  that  the  HPOTP  intermediate  seal  cavity  pressure  is  greater  than  the 
HPOTP  O2  cavity  and  secondary  H2  cavity  pressures  by  10  psi  during  main  stage  under  the  worst  seal 
gap  condition.  Both  reasonableness  tests  provide  protection  against  avionics  failures  of  the  pressure 
sensor  system.  ©[032395-1765A]  ®[0921 95-1 792B]  ®[1 21 1 97-6472A] 

j.  MCC  PC  SENSOR  AVERAGE  -  The  redline  was  initially  added  to  protect  the  engine  against  the 
type  of  failure  seen  on  engine  2106,  in  which  a  burnthrough  of  the  bellows  section  of  the  high 
pressure  oxidizer  turbopump  turbine  section  occurred.  This  failure  was  caused  by  an  oxidizer 
preburner  failure  and  resulted  in  a  bypass  of  hot  gas  flow  from  the  turbine  directly  into  the  hot 
gas  manifold  which  caused  a  massive  drop  in  MCC  Pc.  The  original  redline  limit  of 400  psi 
below  the  commanded  Pc  was  chosen  based  upon  the  amoun  t  of  damage  sustained  by  the  engine 
2106  high-pressure  oxidizer  turbopump  at  the  time  the  engine  was  shut  down  by  a  facility 
redline.  The  MCC  Pc  redline  was  updated  for  STS-89  and  subsequent  flights  to  200  psi  below 
the  commanded  Pc  during  steady  state  operations,  while  retaining  the  400  psi  during  throttling 
and  when  power  level  is  less  than  or  equal  to  75  percent  RPL.  This  update  was  based  upon  the 
amoun  t  of  damage  sustained  by  engine  0524  which  experienced  a  nozzle  failure  and  uncontained 
shutdown  during  test  901-933.  ®[1 21 1 97-6472A] 

The  intrachannel  reasonableness  limit  (I Bridge  1  -  Bridge  21  ?  125  psi)  protects  against  single- 
bridge  failures.  Due  to  hardware  and  software  limitations  in  the  controller  for  sampling  sensor 
inputs,  the  delta  value  must  be  set  large  enough  to  account  for  differences  in  the  actual  MCC  Pc  if 
the  actual  MCC  Pc  is  decreasing  rapidly  due  to  a  real  engine  combustion  problem.  If  the  value  is 
set  too  tight,  the  actual  MCC  Pc  could  drop  greater  than  the  reasonableness  limit  between  sampling 
the  bridge  1  and  bridge  2  sensor  measurements.  A  smaller  value  could  cdlow  one  or  both  MCC  Pc 
channels  to  be  erroneously  disqualified.  If  both  channels  are  disqualified,  the  MCC  Pc  redline  is 
disabled  at  a  time  it  is  most  needed.  The  redline  qualification  limit  was  increased  from  75  psi  to 
125  psi  in  response  to  the  catastrophic  failure  of  development  SSME  0212  (test  904-44),  during 
which  the  actual  decay  rate  of  the  MCC  Pc  was  105  psi  between  input  samples  of  the  A1/A2  and 
B1/B2  Pc  pairs.  The  channel  average  upper  reasonableness  limit  protects  against  an  off-scale  high 
sensor  pair  or  input  electronics  failure.  The  lower  limit  protects  against  a  failed  low  sensor  pair  or 
input  electronics  failure.  ®[1 21 1 97-6472A] 
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A5-2  SPACE  SHUTTLE  MAIN  ENGINE  OUT  (CONTINUED) 

F.  SSME  INSTRUMENTATION/ELECTRONICS  FAILURE  MATRIX: 
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@[030994-1 61 4A]  @[032395-1 765A]  @[0921 95-1 792B]  @[121 1 97-6472A] 

NOTES: 

[1]  CHANNEL  A  FAILURES  WHEN  ALIGNED  WITH  SPECIFIC  CHANNEL  B  FAILURES  THAT  CAUSE  SHUTDOWN  ARE 
DENOTED  BY  X  OR  m . 

[2]  ALL  QUALIFIED  SENSORS  EXCEED  REDLINE  LIMIT.  @[030994-1 61 4A]  @[0921 95-1 792B]  ©[121197-6472A] 

[3]  LOSS  OF  CONTROLLER  REDUNDANCY. 

[4]  DOES  NOT  APPLY  TO  THE  BLOCK  I  SSME,  BLOCK  IIA  SSME,  OR  THE  BLOCK  II  SSME  @[032395-1 765A] 

[5]  DOES  NOT  APPLY  TO  THE  BLOCK  II  SSME.  ©[121197-6472A] 

LEGEND: 

X  SHUTDOWNS  THAT  CANNOT  BE  INHIBITED.  PNEUMATIC  SHUTDOWN  WILL  OCCUR  BEHIND  A  DATA  PATH 
FAILURE.  @[030994-1 61 4A] 

^  SHUTDOWNS  THAT  CAN  BE  INHIBITED  USING  MAIN  ENGINE  LIMIT  SHUTDOWN  SWITCH. 
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A5-2  SPACE  SHUTTLE  MAIN  ENGINE  OUT  (CONTINUED) 

This  matrix  identifies  failures  which  result  in  loss  of  controller  redundancy  and  in  premature  engine 
shutdown.  Shutdown  caused  by  dual  controller  failures  cannot  be  prevented  even  if  the  limit  shutdown 
monitoring  is  inhibited.  In  these  cases  when  the  second  failure  occurs,  the  engine  will  immediately  shut 
down  via  the  controller’s  fail-safe  pneumatic  shutdown  sequence.  Shutdowns  caused  by  redline  violations 
can  be  inhibited  manually  by  the  limit  shutdown  monitoring  switch  or  automatically  by  the  GPC  software 
after  an  engine  out  or  data  path  failure. 

Rules  { A5-5J ,  SUSPECT  ENGINE;  {A5-6j,  SSME  REDLINE  SENSOR  FAILED;  (A5-7J,  SSME  ONE 
REDLINE  SENSOR  FAILURE  AWAY  FROM  AN  ERRONEOUS  SHUTDOWN;  { A5-8 j,  SPACE 
SHUTTLE  MAIN  ENGINE  TYPES;  {A5-110},  SSME  PERFORMANCE  DISPERSION;  and  {A5-111}, 

AC  BUS  SENSOR  ELECTRONICS  CONTROL  [ CIL],  reference  this  rule.  ®[i 21 1 97-6482B]  ®[i 21 1 97- 

6472A]  ®[1 1 1 298-6785A]  ®[ED  ] 

A5-3  STUCK  THROTTLE 

FAILURE  OF  A  MAIN  ENGINE  TO  THROTTLE  COULD  BE  CAUSED  BY 
COMBINATIONS  OF  ENGINE  AND  AVIONICS  FAILURES  WHICH  CAUSE  THE  ENGINE 
OPERATING  MODE  TO  CHANGE  TO  ELECTRICAL  OR  HYDRAULIC  LOCKUP,  OR  BY 
ORBITER  AND  MAIN  ENGINE  AVIONICS  FAILURES  CAUSING  A  COMMAND  PATH 
FAILURE . 

A.  ELECTRICAL  LOCKUP 

THE  ENGINE  PROPELLANT  VALVES  ARE  ACTIVELY  CONTROLLED  AT  THEIR 
LAST  COMMANDED  POSITION  THAT  EXISTED  PRIOR  TO  LOSS  OF  BOTH 
SENSOR  CHANNELS  OF  EITHER  THE  LIH>  FLOWMETER  TRANSDUCERS  OR  MAIN 
COMBUSTION  CHAMBER  PRESSURE  TRANSDUCER  PAIRS. 

The  SSME  valves  are  controlled  to  their  last  commanded  values  to  minimize  mixture  ratio  excursions. 

Mixture  ratio  is  a  function  of  measured  main  combustion  chamber  pressure  {Pc)  and  LH2  flowrate.  The 
mass  flowrate  is  calculated  from  measured  volumetric  flowrate  and  calculated  fuel  density  (as  calculated 
from  LPFT  discharge  pressure  and  temperature).  Should  the  LPFT  discharge  pressure  or  temperature  be 
disqualified,  a  “fixed”  density  value  for  the  LHj  density  will  be  used.  Should  both  channels  of  either  the 
measured  Pc  or  volumetric  flowrate  be  disqualified,  or  a  combination  of  loss  of  controller  redundancy  and  a 
loss  of  the  remaining  channel’s  Pc  or  volumetric  flowrate,  the  engine  enters  into  the  “electrical  lockup” 
mode  and  all  valves  are  maintained  at  their  last  commanded  position  until  shutdown  is  commanded.  If  the 
controller  implements  the  shutdown,  it  will  be  a  hydraulic  shutdown.  If  the  crew  must  manually  shut  down 
the  engine  (ref.  Rules  { A5-108 j,  MANUAL  SHUTDOWN  FOR  HYDRAULIC  OR  ELECTRICAL  LOCKUP, 
and  [A5-109],  MANUAL  SHUTDOWN  FOR  TWO  STUCK  THROTTLES  (NOT  DUAL  APU  FAILURES),  the 
shutdown  will  be  a  hydraulic  shutdown.  Reference  Computer  Program  CEI.  Block  II,  SSME  Controller 
Operational  Program,  CP406R0002.  @[030994-1 61 4A]  ®[ED  ] 
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A5-3  STUCK  THROTTLE  (CONTINUED) 

B.  HYDRAULIC  LOCKUP 

ALL  FIVE  ENGINE  PROPELLANT  VALVES  ARE  HYDRAULICALLY  ISOLATED 
AT  THEIR  LAST  POSITION  WHEN  BOTH  CHANNELS  OF  SERVOACTUATORS 
HAVE  BEEN  DISQUALIFIED  FOR  ANY  COMBINATION  OF  THE  FOLLOWING 
FAILURES:  ISSUANCE  OF  A  SERVOACTUATOR  ERROR  INDICATION 
INTERRUPT  (SEII),  FAILURE  OF  THE  DIGITAL-TO-ANALOG  CONVERTER 
(DAC)  TEST,  FAILURE  OF  THE  SERVOACTUATOR  MODEL,  OR  LOSS  OF 
CONTROLLER  REDUNDANCY.  THE  SEII  LIMIT  IS  6  PERCENT  FOR 
CHANNEL  A  AND  10  PERCENT  FOR  CHANNEL  B. 

Hydraulic  isolation  of  the  valves  minimizes,  but  does  not  preven  t,  valve  drift  which  could  result  in  further 
deviations  from  nominal  valve  positions  causing  loss  of  performance  and/or  possible  engine  shutdown. 
One  hydraulic  system  supplies  hydraulic  actuation  to  the  five  engine  valves  (a  differen  t  hydraulic  system 
for  each  engine).  Each  valve  has  a  redundant  servocontrol  system.  Channel  A  is  normally  controlling 
unless  it  has  been  disqualified.  Channel  A  disqualification  could  be  due  to  loss  of  channel  A  power,  loss 
of  channel  A  input  or  output  electronics,  failure  of  the  SEII  6  percent  test  (expressed  in  terms  of  percent 
full  range  valve  travel),  failure  of  the  output  electronics  (OE)  DAC  test,  or  failure  of  the  channel  A 
servoactuator  model.  The  SEII  test  compares  the  actual  valve  position  to  the  expected  valve  position 
based  on  an  interned  servoactuator  model.  The  OE  DAC  test  verifies  that  each  DAC’s  output  voltage 
level  is  equal  to  its  last  commanded  value,  and  that  the  command  decoder  addresses  the  correct  OE  DAC 
by  proper  decoding  of  the  four  LSB  ’s  of  the  OE  storage  register.  The  servoactuator  model/  monitor  test 
verifies  proper  operation  of  the  hardware  and  software  associated  with  SEII’s.  Channel  B 
disqualifications  could  be  due  to  the  same  type  of  failures  listed  for  channel  A,  except  channel  B  uses  an 
SEII  test  limit  of  10  percent  error  comparison  instead  of  6  percent  to  take  into  account  the  switchover 
transient  from  channel  A  to  B.  Should  both  channels  be  disqualified,  the  SSME  enters  into  “hydraulic 
lockup.  ”  In  this  mode,  the  engine  might  experience  loss  of  performance  due  to  valve  drift.  If  this  occurs 
and  a  redline  limit  is  exceeded,  the  engine  will  be  pneumatically  shut  down.  If  a  redline  is  not  exceeded, 
then  shutdown  of  the  engine  will  be  accomplished  by  engine  pneumatics  when  a  manual  or  commanded 
shut  down  occurs.  Reference  Computer  Program  CEI,  Block  II,  SSME  Controller  Operational  Program, 
CP406R0002. 
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A5-3  STUCK  THROTTLE  (CONTINUED) 

C.  COMMAND  PATH  FAILURE 

LOSS  OF  COMMAND  CAPABILITY  FROM  THE  GPC  TO  AN  SSME  ON  AT 
LEAST  TWO  COMMAND  CHANNELS.  @[030994-1 61 4A] 

Without  GPC  commands,  the  SSME  will  not  be  able  to  accomplish  the  following  functions:  change 
throttle  settings,  inhibit/enable  shutdown  limits,  respond  to  shutdown  commands,  or  perform  an  LO2 
dump.  Shutdown  commands  could  be  issued  by  guidance  software,  from  a  low  level  cutoff,  or  from  a 
manual  shutdown  pushbutton.  Each  controller  normally  requires  two  of  three  valid  command  paths 
from  the  GPC’s  to  con  trol  the  SSME  ( start  commands  require  three  of  three  functional  command 
paths).  SSME  controller  software  change  RCN  4354  implemented  in  version  OI-6  and  subs  added  the 
capability  for  the  engine  to  accept  a  shutdown  enable/shutdown  command  pair  on  a  single  channel 
under  special  circumstances:  an  in  ternal  timer  has  expired  (currently  set  at  512.86  seconds  from  engine 
start);  limits  have  never  been  inhibited;  the  shutdown  enable/shutdown  command  pair  come  in  on  the 
same  channel,  sequentially  (with  no  other  command  in-between);  and  a  valid  command  is  not 
concurrently  being  received  on  the  other  two  channels.  Shutdown  of  the  SSME  without  GPC  con  trol  is 
accomplished  by  the  removal  of  ac  power  to  the  controller.  This  action  activates  the  fail-safe  engine 
pneumatic  system,  shutting  the  engine  down  safely.  A  data  path  failure  will  also  result  from  this  action, 
requiring  the  crew  to  push  the  affected  engine’s  shutdown  pushbutton  to  inform  guidance  of  an  engine 
out  and  to  safe  the  engine  by  closing  the  LH2  and  LO2  prevalves.  Reference  Computer  Program  CEI, 
Block  II,  SSME  Controller  Operational  Program,  CP406R0002.  @[030994-1 61 4A] 

A5-4  DATA  PATH  FAILURE 

LOSS  OF  ALL  PRIMARY  AND  SECONDARY  DATA  FROM  THE  SSME  CONTROLLER 
TO  GPC'S. 

Since  TREF,  engine  status  word  and  average  Pc  values  are  present  in  both  the  primary  and  secondary 
data,  the  loss  of  both  data  types  from  the  controller  is  required  for  the  GPC  to  acknowledge  a  data  path 
failure.  This  failure  is  identified  by  the  GPC  SSME  SOP  software.  The  loss  of  both  data  paths  will 
prevent  onboard  and  ground  monitoring  of  all  SSME  data.  ( Ref.  FSSRfor  SSME  SOP). 
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A5-5  SUSPECT  ENGINE 

A  SUSPECT  ENGINE  IS  A  RESULT  OF  ANY  OF  THE  FOLLOWING  FAILURE 
CONDITIONS : 

A.  ALL  QUALIFIED  REDLINE  SENSORS  ON  A  PARAMETER  SHIFT  IN  THE 
SAME  DIRECTION,  WITH  AT  LEAST  ONE,  BUT  NOT  ALL,  QUALIFIED 
SENSORS  VIOLATING  THE  REDLINE  LIMIT  (S).  @[092195-1795] 

If  all  redline  sensors  pass  their  reasonableness  limits,  at  least  one,  but  not  all,  are  violating  their 
redline  limit(s)  and  all  non-voting  sensors  have  shifted  toward  their  redline(s),  the  SSME  can  continue 
to  operate  but  will  shut  down  if  the  remaining  qualified  sensors  exceed  their  shutdown  limits.  The  fact 
that  all  qualified  sensors  have  moved  toward  their  redlines  indicates  that  something  is  wrong  with  the 
engine  and  that  shutdown  could  occur  at  any  moment.  Reference  rule  {A5-2E},  SPACE  SHUTTLE 
MAIN  ENGINE  OUT,  for  reasonableness/qualification  limits  and  redline  limits.  ®[ED  ] 

B.  ALL  QUALIFIED  SENSORS  EXCEED  THE  LIMITS  FOR  A  PARTICULAR 
REDLINE  AFTER  SHUTDOWN  MONITORING  IS  INHIBITED. 

If  all  qualified  sensors  exceed  limits  with  the  shutdown  monitoring  inhibited,  the  SSME  is  approaching 
the  failure  situation  which  the  limits  were  designed  to  prevent.  The  redline  will  only  remain  inhibited 
as  long  as  the  vehicle  is  in  an  abort  region  gap.  While  the  limits  are  inhibited,  the  engine  may  fail  at 
any  moment  with  uncontained  engine  damage  and  loss  of  vehicle  and  crew,  since  the  shutdown  limit 
protection  is  not  available  for  this  case.  Reference  rule  { A5-2E  j,  SPACE  SHUTTLE  MAIN  ENGINE 
OUT,  for  redline  limits.  Reference  rule  {A5-103},  LIMIT  SHUTDOWN  CONTROL,  for  re-enabling 
boundaries.  @[092195-1795]  ®[ED  ] 

C.  NONISOLATABLE  MPS  HELIUM  LEAK 

Using  the  MPS  helium  leak  isolation  procedure,  the  crew  can  determine  if  isolating  a  given  leg  will  stop 
the  leak.  If  the  procedure  does  not  stop  the  leak,  it  is  nonisolatable  and  may  result  in  SSME  shutdown 
due  to  HPOT  intermediate  seal  pressure  dropping  below  the  redline.  The  SSME  with  a  helium  leak  is 
considered  suspect  since  its  leak  rate  could  increase  at  any  time  and  thus  could  cause  the  engine  to  shut 
down  earlier  than  predicted  by  the  MCC.  Reference  rule  {A5-153J,  PRE-MECO  SHUT  DOWN  OF 
ENGINES  DUE  TO  MPS  HELIUM  LEAKS.  @[032395-1 766  ] 

D.  LOW  LH2  NPSP 

IfLH2  NPSP  is  low  enough  to  require  manual  throttling  or  cause  a  TAL  due  to  an  LH2  tank  ullage 
leak  or  failed  closed  GH  2  flow  control  valves,  at  least  one  SSME  may  be  approaching  a  redline  limit 
shutdown  due  to  high  HPFTP  turbine  discharge  temperatures.  Reference  rules  {A5-155},  LIMIT 
SHUTDOWN  CONTROL  AND  MANUAL  THROTTLING  FOR  LOW  LH2  NPSP,  and  {A5-156}, 

ABORT  PREFERENCE  FOR  SYSTEMS  FAILURES. 
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A5-5  SUSPECT  ENGINE  (CONTINUED) 

E.  DRIFTING  PERFORMANCE  WITH  ALL  QUALIFIED  CHANNELS  OF  ANY  GIVEN 
REDLINE  PARAMETER  APPROACHING  THEIR  REDLINE  LIMITS. 

An  engine  in  hydraulic  lockup  is  expected  to  drift.  This  performance  drift  should  elevate  HPOTP  turbine 
discharge  temperatures  which  may  eventually  exceed  the  reclline  causing  the  engine  to  shutdown.  Nozzle 
leaks  and  PIPOTP  efficiency  loss  cases  may  cause  redline  exceedance  and  subsequent  shutdown  due  to 
violation  of  one  of  the  turbine  temperature  redlines  or  the  MCC  Pc  low  redline.  MCC  Pc  shifts  and  FFM 
shifts  may  cause  a  redline  exceedance  ( probably  one  of  the  turbine  temperatures)  and  subsequent 
shutdown.  Electric  lockups  due  to  large  FFM  shifts  can  cause  a  redline  exceedance  (due  to  turbine 
temperatures  or  the  MCC  Pc  redline).  Reference  rule  / A5-2 },  paragraph  E,  SPACE  SHUTTLE  MAIN 
ENGINE  OUT,  for  redline  limits.  ®[ED  ] 

Rules  (A4-56J,  PERFORMANCE  BOUNDARIES;  and  { A5-156J ,  ABORT  PREFERENCE  FOR  SYSTEMS 
FAILURES;  reference  this  rule.  ©[092195-1770A]  ©[092195-1795] 

A5-6  SSME  REDLINE  SENSOR  FAILED 

AN  SSME  REDLINE  SENSOR  WILL  BE  DECLARED  FAILED  PER  THE  FOLLOWING 
CRITERIA:  ®[0921 95-1 794  ]  @[121296-4624] 

A.  AN  SSME  REDLINE  SENSOR  IS  DECLARED  FAILED  IF  IT  WAS 

DISQUALIFIED  BY  THE  SSME  CONTROLLER  DUE  TO  VIOLATION  OF 
ITS  REDLINE  QUALIFICATION  LIMIT  DURING  THE  START  PREP 
(PRELAUNCH),  START,  OR  MAINSTAGE  PHASE.  IN  ADDITION,  AN 
MCC  PC  CHANNEL  SHALL  BE  CONSIDERED  FAILED  IF  IT  HAS  FAILED 
ITS  CONTROL  INTRACHANNEL  QUALIFICATION  LIMIT.  @[111699-7096] 

Once  an  SSME  redline  sensor  has  been  disqualified,  it  can  no  longer  be  used  by  the  SSME  controller 
software  for  redline  monitoring  (reference  rule  (A5-2},  paragraph  E,  SPACE  SHUTTLE  MAIN  ENGINE 
OUT,  for  qualification  limits).  Redline  pressure  sensors  that  fail  during  start  prep  (prelaunch)  will 
generate  a  major  component  failure  (MCF)  and  preclude  launching.  However,  because  of  the  quadruple 
redundancy  scheme,  a  redline  temperature  sensor  can  fail  during  start  prep  (prelaunch)  without 
generating  an  MCF  and  without  an  LCC  violation.  For  the  purpose  of  limits  management,  this  is 
considered  a  failed  sensor.  (Ref.  Rule  {A5-103},  LIMIT  SHUTDOWN  CONTROL).  @[111699-7096] 

A  failure  of  the  MCC  Pc  control  intrachannel  qualification  monitor  (pressure  delta  between  the  two 
bridges  exceeds  75  psia)  is  also  indicative  of  a  sensor  failure,  even  though  the  Pc  channel  is  still  used  for 
redline  monitoring.  The  redline  intrachannel  qualification  delta  is  larger  (125  psia)  to  account  for  the 
case  of  a  real  engine  failure  dropping  the  Pc  so  quickly  that  the  delta  between  bridges  could  exceed  the 
75  psia  in  the  time  it  takes  the  controller  to  read  in  the  two  values.  The  control  intrachannel  check  is 
included  in  the  failu  re  criteria  because  that  channel  could  degrade  at  any  time  and  violate  the  redline 
intrachannel  check.  ®[1 1 1 699-7096  ] 
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A5-6  SSME  RED LINE  SENSOR  FAILED  (CONTINUED) 

The  SSME  controller  performs  a  Pc  reference  (ref)  check  as  part  of  the  Pc  control  logic.  The  Pc  ref 
logic  evaluates  the  health  of  the  Pc  channel,  as  opposed  to  the  individual  sensors,  by  comparing  the  Pc 
channel  averages  to  the  reference  Pc.  It  checks  to  see  if  the  Pc  channel  average  is  greater  than  75  psi 
from  the  reference  Pc  (200  psi  when  throttling  or  below  75  percent  RPL).  In  order  for  sensors  to  cause 
this  check  to  fail,  both  sensors  would  have  to  fail  simultaneously  and  in  the  same  direction.  It  is  more 
likely  that  there  is  a  channel  failure  causing  the  Pc  ref  limits  to  be  violated,  and  thus  this  is  not 
considered  a  failed  sensor.  If  a  channel  f  ails  the  Pc  discriminator  logic  check,  it  is  considered  a 
channel  failure,  not  a  sensor  failure. 

Rule  {A5-7},  SSME  ONE  REDLINE  SENSOR  FAILURE  AWAY  FROM  AN  ERRONEOUS  SHUTDOWN, 
references  this  rule.  @[121296-4624]  ®[ED  ] 

B.  AN  HPOTP  DISCHARGE  PRESSURE  SENSOR  OR  AN  HPFTP  DISCHARGE 
PRESSURE  SENSOR  SHALL  BE  CONSIDERED  A  FAILED  REDLINE  SENSOR 
IF  IT  WAS  DISQUALIFIED  BY  THE  SSME  CONTROLLER  DUE  TO 
VIOLATION  OF  ITS  QUALIFICATION  LIMIT  DURING  THE  START  PREP 
(PRELAUNCH),  START,  OR  MAINSTAGE  PHASE. 

NOTE:  THE  DISCHARGE  PRESSURES  DO  NOT  HAVE  AN  ASSOCIATED 

REDLINE  BUT  ARE  ELECTRONICALLY  THE  SAME  AS  THE 
REDLINE  PRESSURE  SENSORS. 

The  HPOTP  and  HPFTP  discharge  pressure  sensors  are  electronically  the  same  as  the  redline  pressure 
sensors  and  thus  are  operationally  considered  the  same  as  a  redline  sensor.  Qualification  limits  were 
added  to  these  parameters  when  the  Pc  discriminator  logic  was  introduced  post  STS-91  (ref.  SSME 
Requirement  Change  Notices  #  6503  &  6524).  Once  an  HPOTP  DP  or  HPFTP  DP  sensor  is  disqualified, 
it  is  no  longer  used  in  the  controller’s  Pc  discriminator  logic.  The  first  of  these  two  sensors  to  fail  will 
not  generate  cm  MCF  and  will  not  cause  cm  LCC  violation.  Therefore,  if  this  sensor  fails  in  the  start  prep 
(prelaunch),  start,  or  mainstage  phase,  it  is  considered  failed  for  the  purpose  of  limits  management  (ref. 
Rule  { A5-103J ,  LIMIT  SHUTDOWN  CONTROL).  Note:  a  second  discharge  pressure  sensor  failure  in 
start  prep  (prelaunch)  or  start  will  post  an  MCF  card  will  preclude  launching.  @[111699-7096  ] 

C.  IF  THE  FLIGHT  CONTROLLERS  CAN  POSITIVELY  IDENTIFY  THE  SENSOR 
FAILURE  MODE ( S )  AS  BEING  THE  CAUSE  OF  AN  ENGINE  SHUTDOWN,  THE 
AFFECTED  SSME  REDLINE  SENSOR (S)  WILL  BE  DECLARED  FAILED. 
@[092195-1794]  @[111699-7096] 

Rule  { A5-103J ,  LIMIT  SHUTDOWN  CONTROL,  references  this  rule. 
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A5-7  SSME  ONE  REDLINE  SENSOR  FAILURE  AWAY  FROM  AN 

ERRONEOUS  SHUTDOWN  ®[ED  ] 

A.  AN  SSME  WILL  BE  DECLARED  ONE  REDLINE  SENSOR  FAILURE  AWAY  FROM 
AN  ERRONEOUS  SHUTDOWN  IF  ONLY  ONE  OF  THE  HPFTP  COOLANT  LINER 
PRESSURE  TRANSDUCERS  (PHASE  II  AND  BLOCK  I  SSME  ONLY) ,  ONE  OF 
THE  HPOTP  SECONDARY  SEAL  PRESSURES  (PHASE  II  SSME  ONLY),  OR 
ONE  OF  THE  HPOTP  INTERMEDIATE  SEAL  PRESSURE  TRANSDUCERS,  IS 
QUALIFIED  FOR  REDLINE  SHUTDOWN  PROCESSING.  @[121296-4624] 

NOTE:  AN  SSME  IS  NOT  DECLARED  ONE  REDLINE  SENSOR  FAILURE 
AWAY  FROM  AN  ERRONEOUS  SHUTDOWN  IF  ONLY  ONE  OF  THE 
TWO  SSME  MCC  PC  CHANNELS  IS  DISQUALIFIED. 

The  HPFTP  coolant  liner  pressure  redline  (Phase  II  and  Block  I  SSME  only),  the  secondary  seal 
pressure  redline  (Phase  II  SSME  only),  and  the  intermediate  seal  pressure  redline  each  have  two 
pressure  transducers  per  redline  (single  transducer  per  con  troller  channel).  Therefore,  if  one  or  more 
transducers  are  disqualified  for  either  a  controller  failure  (input  electronics  or  power  supply,  reference 
Rule  {A5-2},  SPACE  SHUTTLE  MAIN  ENGINE  OUT)  or  a  sensor  failure  (reference  Rule  / A5-6 j,  SSME 
REDLINE  SENSOR  FAILED),  causing  any  remaining  pressure  redline  to  have  a  single  qualified 
transducer,  the  engine  will  be  considered  one  redline  sensor  failure  away  from  an  erroneous  shutdown. 
This  definition  is  used  by  Rule  { A5-103J ,  LIMIT  SHUTDOWN  CONTROL,  but  only  after  the  criteria 
outlined  there  (e.g.,  at  least  one  redline  sensor  has  failed)  has  been  met.  @[121296-4624]  ®[ED  ] 

No  single  main  combustion  chamber  pressure  (MCC  Pc)  transducer  failure  can  cause  an  engine  to  shut 
down  on  the  MCC  Pc  redline  when  only  one  channel  remains.  Engine  shutdown  is  prevented  because  of 
the  way  the  MCC  Pc  transducers  are  qualified  (redline  processing  is  performed  on  channel  pairs).  An 
MCC  Pc  channel  must  have  a  channel  average  between  1000  and  3500  psia,  and  the  two  transducers  on 
the  channel  must  be  within  125  psia  of  each  other,  for  the  channel  to  be  qualified  to  vote  for  shutdown, 
reference  Rule  {A5-2},  SPACE  SHUTTLE  MAIN  ENGINE  OUT.  The  channel  is  disqualified  for  redline 
processing  if  either  of  these  conditions  is  not  met.  The  redline  is  violated  if  all  qualified  channel 
averages  are  400  psia  less  than  reference  Pc  (defined  by  the  SSME  controller  for  a  given  SSME  power 
level).  If  one  of  the  Pc  transducers  drifts  high,  with  only  one  channel  remaining,  the  controller  channel’s 
two  Pc  sensors  will  be  disqualified  for  thrust  control  processing.  This  disqualification  will  occur  when 
the  delta  between  the  two  channels  reaches  75  psia.  This  will  place  the  SSME  in  electrical  lockup. 
Additionally,  if  the  sensor  continues  to  drift  such  that  delta  between  the  two  sensors  is  125  psia,  the 
controller  channel’s  Pc  transducers  will  be  disqualified  for  redline  shutdown  processing.  This 
disqualification  will  occur  prior  to  the  400  psia  redline  being  violated.  For  cases  where  both 
transducers  are  on  the  remaining  channel  drift,  ( thermal  isolator  problem  or  lee  jet/sense  tube  problem ), 
the  engine  will  continually  rebalance  in  response  to  the  drifting  Pc.  If  the  drift  is  severe  enough,  the 
engine  may  exceed  the  400  psia  engine  redline.  In  either  case,  SSME  redline  limits  should  be  reenabled 
as  specified  in  Rule  (A5-103J,  LIMIT  SHUTDOWN  CONTROL.  ®[ED  ] 

THIS  RULE  CONTINUED  ON  NEXT  PAGE 
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A5-7  SSME  ONE  REDLINE  SENSOR  FAILURE  AWAY  FROM  AN 

ERRONEOUS  SHUTDOWN  (CONTINUED) 

B.  AN  SSME  IS  DECLARED  ONE  REDLINE  SENSOR  FAILURE  AWAY  FROM  AN 

ERRONEOUS  SHUTDOWN  IF  ONLY  ONE  HPOT  TURBINE  DISCHARGE 
TEMPERATURE  ( TDT )  TRANSDUCER  IS  QUALIFIED  FOR  REDLINE 
SHUTDOWN  PROCESSING. 

C.  AN  SSME  IS  NOT  DECLARED  ONE  REDLINE  SENSOR  FAILURE  AWAY  FROM 

AN  ERRONEOUS  SHUTDOWN  IF  ONLY  ONE  HPFT  TURBINE  DISCHARGE 
TEMPERATURE  TRANSDUCER  IS  QUALIFIED  FOR  REDLINE  SHUTDOWN 
PROCESSING. 

Once  a  sensor  has  been  disqualified,  it  can  no  longer  be  used  by  the  SSME  con  troller  software  for 
redline  monitoring.  Reference  Rule  {A5-2E},  SPACE  SHUTTLE  MAIN  ENGINE  OUT,  for  information 
on  qualification/reasonableness  testing.  There  are  known  thermocouple  failure  modes  that  can  cause  a 
sensor  to  fail  below  the  lower  HPOT  turbine  discharge  temperature  redline,  but  above  the  qualification 
limit.  Therefore,  the  HPOT  turbine  discharge  temperature  redline  will  be  considered  one  redline  sensor 
failure  away  from  cm  erroneous  shutdown  if  only  one  qualified  HPOT  turbine  discharge  temperature 
Sensor  is  qualified.  Because  there  is  no  lower  HPFT  turbine  discharge  temperature  redline  limit,  an 
SSME  is  not  declared  one  redline  sensor  failure  away  from  an  erroneous  shutdown  if  only  one  qualified 
HPFT  turbine  discharge  temperature  transducer  is  qualified  for  shutdown.  @[121296-4624]  ®[ED  ] 

A  failure  causing  one  turbine  discharge  temperature  to  remain  qualified,  but  vote  for  shutdown  on  the 
upper  redline,  can  result  in  SSME  shutdown  -  if  there  are  three  or  less  qualified  transducers  at  the 
redline  location.  This  can  occur  because  the  redline  logic  disqualifies  the  “lower”  transducers. 
Reference  Rule  {A5-2E},  SPACE  SHUTTLE  MAIN  ENGINE  OUT,  for  information  on 
qualification/reasonableness  testing.  The  only  known  thermocouple  failure  mode,  where  the 
thermocouple  fails  in-qualification-range  high  while  violating  the  upper  redline  limit,  is  a  “smart” 
failure  in  the  SSME  con  troller  thermocouple  sensor  signed  conditioning  pre-cunp  circuit.  This  failure 
mode  has  a  very  low  probability  of  occurrence  (reference  the  special  Rocketdyne  briefing  on  this  topic  to 
the  Shuttle  Program  Manager  on  11/9/95).  The  entire  thermocouple  turbine  discharge  temperature 
redline  processing  philosophy  of  disqualifying  the  “lower”  transducer  depends  on  this  low  probability. 
Since  the  redline  processing  philosophy  does  not  protect  for  this  case,  this  flight  rule  does  not  protect  for 
this  case  either.  ®[ED  ] 

Rules  {A5-2j,  SPACE  SHUTTLE  MAIN  ENGINE  OUT;  {A5-6},  SSME  REDLINE  SENSOR  FAILED;  and 
{A5-103},  LIMIT  SHUTDOWN  CONTROL,  reference  this  rule.  ®[i  21 296-4624  ]  ®[ED  ] 
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A5-8 


SPACE  SHUTTLE  MAIN  ENGINE  TYPES  ®[ED  ] 


HPOTP 

MCC 

HPFTP 

PHASE  II 

ROCKETDYNE 

STANDARD 

ROCKETDYNE 

BLOCK  I/I  A 

P&W 

STANDARD 

ROCKETDYNE 

BLOCK  1 1 A 

P&W 

LARGE  THROAT 

ROCKETDYNE 

BLOCK  II 

P&W 

LARGE  THROAT 

P&W 

®[1 21 1 97-6472A] 


THERE  ARE  MANY  HARDWARE  DIFFERENCES  ASSOCIATED  WITH  THE  VARIOUS 
SSME  TYPES.  ONLY  THE  DIFFERENCES  WITH  SIGNIFICANT  BOOSTER 
SYSTEMS  FLIGHT  CONTROLLER  OPERATIONAL  IMPACTS  ARE  LISTED  HERE. 

FROM  THE  BOOSTER  SYSTEMS  FLIGHT  CONTROLLER'S  PERSPECTIVE,  THE 
BLOCK  I  AND  THE  BLOCK  IA  OPERATIONAL  CHARACTERISTICS  ARE 
IDENTICAL.  FOR  THE  PURPOSES  OF  THE  FLIGHT  RULES,  THE 
NOMENCLATURE  'BLOCK  I'  WILL  BE  USED  FOR  BOTH. 

FOR  BLOCK  I/IIA/II:  INCORPORATION  OF  THE  PRATT  AND  WHITNEY 

(P&W)  ALTERNATE  HPOTP  IN  PLACE  OF  THE  ROCKETDYNE  BASELINE 
HPOTP  ELIMINATES  THE  SECONDARY  SEAL  REDLINE  AND  LOWERS  THE 
INTERMEDIATE  SEAL  REDLINE  (REF  RULE  {A5-2},  SPACE  SHUTTLE  MAIN 
ENGINE  OUT) . 

FOR  BLOCK  IIA/II:  INCORPORATION  OF  THE  LARGE  THROAT  MCC  IN 

PLACE  OF  THE  STANDARD  THROAT  MCC  REDUCES  THE  OVERALL  OPERATING 
PRESSURES  AND  TEMPERATURES  AT  A  GIVEN  POWER  LEVEL  AND  LOWERS  THE 
HPOTP  AND  HPFTP  TURBINE  DISCHARGE  TEMPERATURE  REDLINES  (REF  RULE 
{ A5 -2 } ,  SPACE  SHUTTLE  MAIN  ENGINE  OUT). 

FOR  BLOCK  II:  INCORPORATION  OF  THE  PRATT  AND  WHITNEY  ALTERNATE 

HPFTP  IN  PLACE  OF  THE  ROCKETDYNE  BASELINE  HPFTP  ELIMINATES  THE 
COOLANT  LINER  REDLINE  (REF  RULE  {A5-2},  SPACE  SHUTTLE  MAIN  ENGINE 
OUT)  . 

DETAILS  OF  THESE  CHANGES  ARE  COVERED  IN  BOOSTER  SYSTEMS'  CONSOLE 
TOOLS  AND  DOCUMENTATION. 


Rule  {A5-2j,  SPACE  SHUTTLE  MAIN  ENGINE  OUT,  references  this  rule.  ®[121197-6472A] 
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A5-9  LH2  ULLAGE  LEAK  ®[ED  ] 

WITH  THREE  SSME'S  RUNNING  AT  MISSION  POWER  LEVEL,  AN  ET  L^> 
ULLAGE  LEAK  IS  CHARACTERIZED  BY  ALL  OF  THE  FOLLOWING:  @[040899-681 8A] 
®[1 02501 -4880A] 


lh2 

ULLAGE  PRESSURE  IS  STEADILY  DECAYING  AND 

• 

1 . 

HAS  DROPPED  BELOW  32 . 6 
MINUTES  30  SECONDS,  OR 

(32.2)  PSIA 

PRIOR 

TO 

AN 

MET 

OF  2 

2  . 

HAS  DROPPED  BELOW  31.0 
MINUTES  30  SECONDS 

(30.6)  PSIA 

AFTER 

AN 

MET 

OF 

2 

THE  GH2  2- INCH  DISCONNECT 
PSIA. 

PRESSURE  IS 

GREATER  THAN 

444 

(414 

The  ET  LH2  ullage  pressure  is  maintained  by  the  three  flow  control  valves  (FCV’s)  in  the  orbiter  GH2 
pressurization  system.  The  set  point  for  the  GH2  FCV  signal  conditioners  is  33.0  psia.  A  0.4  psi  signal 
conditioner  deadband  encompassing  the  set  point  results  in  actual  activation  values  as  low  as  32.6  psia  or 
as  high  as  33.4  psia.  A  significant  LH2  ullage  leak  or  an  orbiter  GH2  pressurization  system  anomaly 
(reference  Rule  {A5-155J,  LIMIT  SHUTDOWN  CONTROL  AND  MANUAL  THROTTLING  FOR  LOW  LH2 
NPSP)  will  cause  the  LH2  ullage  pressure  to  drop  below  the  set  point  for  the  GH2  FCV  signal  conditioner. 
The  orbiter  GH2  pressurization  system  will  then  respond  by  opening  the  three  GH2  FCV’s  in  an  attempt  to 
increase  ullage  pressure.  The  FCV’s  have  been  shimmed,  such  that  an  open  FCV  provides  70  percent  flow 
through  the  valve  and  31  percent  flow  when  the  valve  is  commanded  closed.  These  settings  are  also 
referred  to  as  the  ‘high  flow’  and  ‘low  flow’  positions,  respectively. 

Data  provided  by  Lockheed  Martin/Michoud  (reference  PSIG  telecon  May  22,  2001)  indicates  that  a  GH2 
pressurization  system  operating  at  -3  sigma  could  cause  the  ullage  pressure  to  decay  to  a  minimum  pressure 
of  31.0  psia  (30.6  indicated  when  a  0.4  psi  worst  case  transducer  bias  is  included ).  To  avoid  erroneously 
declaring  an  ullage  leak  when  the  GH2  pressurization  system  is  function  ing  nominally,  an  ullage  leak  will 
not  be  declared  unless  the  ullage  pressure  is  decaying  and  has  dropped  below  32.6  (32.2)  psia  prior  to  an 
MET  of  2  minutes  30  seconds  or  below  31.0  (30.6)  psia  after  an  MET  of  2  minutes  30  seconds.  These 
ullage  pressures  (during  the  specified  time  periods )  are  the  lowest  that  could  possibly  occur  for  a  nominally 
operating  GH2  pressurization  system  (reference  PSIG  telecon  May  22,  2001).  ®[1 02501 -4880A] 

THIS  RULE  CONTINUED  ON  NEXT  PAGE 
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A5-9  LH2  ULLAGE  LEAK  (CONTINUED) 

It  is  important  to  establish  the  difference  between  an  ullage  leak  and  an  orbiter  GH2  pressurization  system 
anomaly  since  the  required  actions  are  different  (reference  Rule  {A5-156},  ABORT  PREFERENCE  FOR 
SYSTEMS  FAILURES).  The  2-inch  disconnect  pressure  cue  is  sufficient  to  distinguish  between  an  ullage 
leak  and  an  orbiter  GH2  pressurization  system  anomaly  once  the  LH2  ullage  pressure  has  decayed  below 
32.6  (32.2)  psia  or  31.0  (30.6)  psia  (depending  on  the  MET  that  it  occurs)  with  all  three  GH2  FCV’s  open. 
If  the  GH2  2-inch  disconnect  pressure  is  consisten  t  with  the  expected  value  for  three  open  FCV’s  (high  flow 
position),  then  the  LH2  u  llage  pressure  problem  is  determined  to  be  the  result  of  cm  LH2  u  llage  leak.  If  the 
GH2  2-inch  disconnect  pressure  is  below  that  expected  for  three  open  FCV’s,  then  the  cause  of  the  low 
ullage  pressure  is  cm  orbiter  GH2  pressurization  system  anomaly.  ®[1 02501 -4880A] 

A  value  for  the  2-inch  disconnect  pressure  was  chosen  at  the  lowest  expected  value  for  three  flow  control 
valves  open  and  not  less  than  the  predicted  value  for  one  flow  control  valve  failed  closed  (low  flow  position) 
to  avoid  erroneously  calling  cm  ullage  leak.  Data  provided  by  BN  A/Huntington  Beach  (reference  PSIG 
telecon  May  18,  2001),  on  all  flights  since  the  reshimming  of  the  flow  control  valves  (70  percent/31 
percen  t),  showed  that  the  lowest  2-inch  disconnect  pressure  seen  to  date  for  three  flow  con  trol  valves  open 
at  mission  power  level  was  448  psia  (on  STS-99,  97,  100,  and  106).  These  pressures  were  all  for  Block  IIA 
cluster  flights,  which  have  shown  to  provide  the  least  amount  of  ullage  pressurization  gas.  Subtracting  out 
a  one  sigma  dispersion  (4  psia)  and  a  3  percent  instrumentation  error  (30  psia )  yields  a  2-inch  disconnect 
pressure  value  of  414  psia.  Analysis  and  data  obtained  from  STS-104  (first  flight  of  a  single  Block  II 
engine)  indicates  a  Block  II SSME  will  provide  the  same  amount  of  ullage  pressurization  gas  as  a  Block  IIA 
engine;  therefore,  the  disconnect  pressure  of 444  (414)  psia  can  be  used  to  determine  the  presence  of  cm 
ullage  leak  for  any  engine  configuration  of  a  Block  IIA  or  Block  II  type  SSME.  The  disconnect  pressure  cue 
is  only  valid  at  the  mission  power  level  with  three  SSME’s  running.  ®[1 02501 -4880A] 

Rule  {A5-155},  LIMIT  SHUTDOWN  CONTROL  AND  MANUAL  THROTTLING  FOR  LOW  LH2  NPSP, 
references  this  rule.  @[040899-681 8A] 
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A5-10  SIGNIFICANT  ENGINE  HELIUM  SYSTEM  LEAK  ®[ED  ] 

TANK  PRESSURE  DECAY  RATE  (DP/DT)  >  20  PSIA  OVER  3  SECONDS,  OR  AN 
INDICATED  HELIUM  USAGE  WHICH  IS  GREATER  THAN  0.055  LBM/SEC  AFTER 
AN  MET  OF  1  MINUTE  .  ®[090894-1 676A] 

NOTE:  DECAY  RATE  CORRESPONDS  TO  THE  BFS  DECAY  RATE  COMPUTATION 
AND  THE  INDICATED  HELIUM  USAGE  IS  BASED  ON  MCC  MASS  FLOW  RATE 
COMPUTATIONS . 

Tank  pressure  decay  rate  (DP/DT)  >  20  psia/3  seconds  is  twice  the  nominal  value  of  approximately  10 
psia/3  seconds.  This  value  takes  into  account  normal  data  noise  and  the  10  psi  data  granularity  and 
represents  the  minimum  value  usable  to  detect  helium  leaks  on  board  the  vehicle.  In  addition  to  the 
DP/DT  computation,  the  MCC  uses  a  mass  flow  rate  computation  (Ibm/sec)  in  order  to  detect  helium 
leaks.  The  maximum  nominal  mainstage  usage  for  the  engine  HPOTP IMSL  purge  is  0.047  Ibm/sec  (ref. 
SSME-to-Orbiter  ICD  13M15000).  Usage  above  0.047  Ibm/sec  is  indicative  of  an  off-nominal  condition 
in  the  associated  MPS  helium  system  supply. 

Small  leaks  which  are  above  0.047  Ibm/sec  and  below  the  crew  alarm  criteria  (approximately  0.087 
Ibm/sec)  will  not  be  isolated  prior  to  an  MET  of  1  minute.  Action  to  isolate  small  helium  leaks  is  not 
taken  within  the  first  minute  after  liftoff  because  the  ground  computation  requires  20  seconds  of  data 
after  liftoff  for  proper  initialization  and  because  additional  time  is  required  by  the  MCC  for  leak 
evaluation.  Also,  a  leak  of  this  size  which  is  isolated  shortly  after  an  MET  of  1  minute  will  probably 
not  violate  the  single  regulator  zero-g  shutdown  requirements.  However,  continued  usage  at  this  rate 
may  significantly  reduce  the  helium  available  to  support  engine  shutdown  at  MECO. 

Even  though  helium  usage  above  0.047  is  off  nominal,  MCC  action  is  only  taken  for  leaks  with  a  usage 
above  0.055  Ibm/sec  or  greater.  This  number  accounts  for  noise  in  the  ground  computation  and  protects 
nominal  MECO  helium  requirements. 

Rule  (A5-151J,  PRE-MECO  MPS  HELIUM  SYSTEM  LEAK  ISOLATION  [CIL],  references  this  rule. 

®[090894-1676A] 
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A5-11  SIGNIFICANT  PNEUMATIC  SYSTEM  HELIUM  LEAK  ®[ED  ] 

ANY  LEAK  IN  THE  PNEUMATIC  TANK  SYSTEM  OR  PNEUMATIC  ACCUMULATOR 
WHICH  WILL  ANNUNCIATE  THE  CREW  SYSTEMS  MANAGEMENT  (SM)  ALERT 
(PNEU  TK  P  <  3800.0  PSIA)  PRIOR  TO  MECO  -30  SECONDS.  @[090894-1 676A] 
@[021199-6790] 

A/7  attempt  is  made  to  isolate  leaks  in  the  MPS  pneumatic  helium  supply  in  order  to  conserve  helium  for 
LO2  prevalve  closure  at  MECO.  Furthermore,  if  the  leak  is  isolated,  the  pneumatic  helium  supply  will 
be  available  to  support  the  operation  of  a  leaking  MPS  helium  engine  supply. 

Isolation  will  only  be  performed  if  the  leak  is  large  enough  to  annunciate  the  crew  SM  Alert  prior  to 
MECO  -30  seconds.  ®[02i  1 99-6790  ] 

Rule  (A5-151J,  PRE-MECO  MPS  HELIUM  SYSTEM  LEAK  ISOLATION  [CIL],  references  this  rule. 

@[090894-1 676A] 

A5-12  INSUFFICIENT  PNEUMATIC  HELIUM  ACCUMULATOR  PRESSURE 

®[ED  ] 

A  PNEUMATIC  ACCUMULATOR  PRESSURE  WHICH  IS  LESS  THAN  700  PSIA. 

@[090894-1 676A] 

Seven  hundred  psia  is  the  minimum  actuation  pressure  which  will  ensure  proper  LO2  and  LH2  prevalve 
closure  timing  at  MECO.  Pressures  of 400  to  500  psia  willfully  position  the  valves;  however,  timing 
requirements  may  not  be  satisfied  (ref.  SODB,  Vol.  ii,  Section  4.3.1).  Four  of  six  test  cases  of  three 
engine  prevalve  closures  at  an  initial  pressure  of 400  psia  were  within  the  timing  specification  of  1.15 
seconds  maximum  closing  time.  Of  the  two  that  violated  requirements,  one  was  0.03  seconds  slow  and 
the  other  was  0.06  seconds  slow  (reference  PSIG  telecon  charts,  5/19/93). 

It  is  critical  that  the  LO2  prevalves  close  within  timing  constraints  at  MECO.  LO2  prevalve  closure  and 
the  injection  of  helium  into  the  pogo  accumulator  are  used  to  maintain  pressure  on  the  engine  high 
pressure  oxidizer  turbopump,  preventing  pump  cavitation  during  the  shutdown  sequence. 

Rule  (A5-151),  PRE-MECO  MPS  HELIUM  SYSTEM  LEAK  ISOLATION  [CIL],  references  this  rule. 

@[090894-1 676A] 
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A5-13  MPS  DUMPS  AND  VACUUM  INERTING  DEFINITIONS  @[092701- 

4867A]  ®[ED  ] 

A.  MPS  DUMP 

A  PRESSURIZED  MPS  ID 2  AND  UNPRESSURIZED  LH2  DUMP  PERFORMED  IN 
MM  104  FOR  NOMINAL,  ATO,  AND  AOA  MISSIONS  THAT  IS  NORMALLY 
AUTOMATIC  AT  MECO  +  2  MINUTES,  BUT  CAN  BE  STARTED  OR  DELAYED 
MANUALLY  .  @[092195-1791  ] 

B.  MPS  GH2  INERT  @[092195-1791] 

A  MANUAL  INERTING  OF  GH2  THROUGH  THE  PRESS  LINE  VENT  VALVE 
PERFORMED  AFTER  THE  MPS  POWERDOWN  AND  ISOLATION  PROCEDURE  FOR 
NOMINAL,  ATO,  AND  AOA  MISSIONS.  @[111094-1719] 

C.  FIRST  AUTOMATED  VACUUM  INERT  @[092195-1791] 

AN  AUTOMATIC  INERTING  OF  THE  LH2  AND  L02  FEEDLINE  SYSTEMS 
THROUGH  THE  LH2  BACKUP  DUMP  VALVES  AND  THE  LC£  FILL/DRAIN 
VALVES  RESPECTIVELY.  THIS  INERT  IS  PERFORMED  AFTER  THE  MPS 
DUMP  FOR  NOMINAL,  ATO,  AND  AOA  MISSIONS  AT  MPS  DUMP  START  + 

17  MINUTES  (APPROXIMATELY  MECO  +19  MINUTES)  AND  CAN  ALSO  BE 
PERFORMED  MANUALLY. 

D  .  MANUAL  VACUUM  INERT  @[092195-1791  ] 

A  MANUAL  INERTING  OF  THE  LB^  OR  L02  FEEDLINE  SYSTEM  WHICH  IS 
PERFORMED  DUE  TO  INEFFICIENT  AUTOMATED  VACUUM  INERT (S).  THE 
MANUAL  VACUUM  INERT  IS  PERFORMED  ANY  TIME  AFTER  MPS  DUMP 
START  +  22  MINUTES  (APPROXIMATELY  MECO  +  24  MINUTES)  SUCH 
THAT  THE  AUTOMATED  COMMANDS  AND  THE  CREW'S  SWITCH  THROWS  WILL 
NOT  COINCIDE.  THE  LO2  FEEDLINE  SYSTEM  IS  MANUALLY  INERTED 
THROUGH  THE  L02  FILL/DRAIN  VALVES.  THE  LB^  FEEDLINE  SYSTEM 
IS  MANUALLY  INERTED  THROUGH  EITHER  THE  LBB?  BACKUP  DUMP  VALVES 
OR  THROUGH  THE  LH2  FILL/DRAIN  VALVES. 
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A5-13  MPS  PROPELLANT  DUMPS  AND  INERTING  DEFINITIONS 

(CONTINUED) 


E.  SECOND  AUTOMATED  VACUUM  INERT 

AN  INERTING  OF  THE  LH2  FEEDLINE  SYSTEM  THROUGH  THE 
BACKUP  DUMP  VALVES  PERFORMED  AFTER  THE  FIRST  AUTOMATED 
VACUUM  INERT  FOR  NOMINAL,  ATO,  AND  AOA  MISSIONS  THAT  IS 
AUTOMATICALLY  STARTED  AT  THE  MM  106  TRANSITION,  BUT  CAN 
ALSO  BE  PERFORMED  MANUALLY.  @[092701 -4867A] 

F.  ENTRY  MPS  DUMP  @[092195-1791]  @[092701 -4867A] 

AN  MPS  LH2  AND  L02  PROPELLANT  DUMP / INERT ING  STARTED 
AUTOMATICALLY  IN  MM  303  FOR  NOMINAL,  ATO,  AOA,  AND  TAL 
MISSIONS,  AND  IN  MM  602  FOR  AN  RTLS  ABORT. 


The  non-contingency  dumping  and  inerting  of  propellants  are  done  to  ensure  there  are  no  propellants  in 
the  man  ifolds  prior  to  landing.  The  orbiter  cen  ter  of  gravity  is  affected  by  dumping  the  residual  MPS 
propellants.  The  hazard  from  venting  LH2  during  entry  and  ingesting  it  into  the  aft  compartment  is 
removed  by  dumping  the  residual  LH2- 
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SRB  SYSTEMS  MANAGEMENT 


@[021694- ED  ] 

A5-51  LOSS  OF  SRB  THRUST  VECTOR  CONTROL  (TVC)  @[012402-4987] 

FOR  THE  LOSS  OF  TVC  ON  ONE  SRB,  THE  FLIGHT  WILL  BE  CONTINUED 
UNTIL  LOSS  OF  VEHICLE  CONTROL. 

The  loss  of  two  Hydraulic  Power  Units  (HPU’s)  on  one  SRB  results  in  no  TVC  control  on  that  SRB.  This 
may  result  in  loss  of  con  trol  depending  on  nozzle  position.  There  is  no  manual  control  available; 
therefore ,  there  is  no  crew  action  that  can  be  taken.  @[012402-4987  ] 

A5-52  THROUGH  A5-100  RULES  ARE  RESERVED 


VOLUME  A  11/21/02  FINAL,  PCN-1  BOOSTER  5-27 

Verify  that  this  is  the  correct  version  before  use. 


NASA  -  JOHNSON  SPACE  CENTER 


FLIGHT  RULES 


SSME  SYSTEMS  MANAGEMENT 


A5-101  ABORT  CUE  REQUIREMENT 

ANY  ENGINE  CONDITION  THAT  CAUSES  AN  ABORT  DECISION  WILL  BE 
CONFIRMED  USING  TWO  CUES. 

Two  cues  are  required  so  that  a  single  instrumentation  failure  will  not  cause  an  erroneous  abort 
decision. 


A5-102  AUTO/MANUAL  SHUTDOWN 

MANUAL  SHUTDOWN  OF  AN  ENGINE  WILL  NOT  BE  ATTEMPTED  IF  AUTOMATIC 
LIMIT  SHUTDOWN  CAPABILITY  IS  ENABLED  AND  AN  ENGINE  IS  APPROACHING 
A  SHUTDOWN  LIMIT.  AN  EXCEPTION  TO  THIS  RULE  IS  WHEN  EXCESSIVE 
HELIUM  LEAKAGE  REQUIRES  A  MANUAL  ENGINE  SHUTDOWN  AS  DISCUSSED  IN 
RULE  { A5-153 } ,  PRE-MECO  SHUT  DOWN  OF  ENGINES  DUE  TO  MPS  HELIUM 
LEAKS  .  @[032395-1766  ] 

The  automatic  limit  shutdown  system  was  designed  to  prevent  a  catastrophic  failure  of  an  engine.  Due  to 
response  times  and  the  complexity  of  the  SSME,  the  ground  and  crew  will  not  try  to  interfere  with  this 
system. 


A5-103  LIMIT  SHUTDOWN  CONTROL 

A.  PREMATURE  MAIN  ENGINE  SHUTDOWN  @[121296-4625] 

THE  MAIN  ENGINE  LIMIT  SHUTDOWN  CONTROL  CAPABILITY  WILL  BE 
MANAGED  AS  FOLLOWS:  @[121296-4625]  ®[1 1 1298-6785A] 

1.  INHIBITED  AT  ONE  ENGINE-OUT 

GPC  AUTOMATICALLY  COMMANDS  INHIBIT  TO  THE  REMAINING  TWO 
ENGINES . 

The  main  engine  limit  shutdown  switch  is  a  three-position  switch:  ENABLE,  AUTO,  and  INHIBIT.  At 
lift-off,  the  switch  is  in  the  AUTO  position,  and  the  limit  shutdown  control  logic  is  enabled  on  all  three 
engines.  After  one  engine-out  occurs,  the  main  engine  limit  shutdown  control  capability  on  the  two 
remaining  engines  is  automatically  inhibited.  ®[1 1 1 298-6785A] 
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A5-103  LIMIT  SHUTDOWN  CONTROL  (CONTINUED) 

2.  WITH  ONE  ENGINE  OUT  AND  BFS  NOT  ENGAGED,  THE  MAIN  ENGINE 
LIMIT  SHUTDOWN  SOFTWARE  WILL  BE  REENABLED  BY  PLACING  THE 
MAIN  ENGINE  LIMIT  SHUTDOWN  SWITCH  TO  "ENABLE"  THEN  "AUTO." 
REENABLING  WILL  BE  BASED  UPON  THE  FOLLOWING  CONDITIONS: 

a.  THE  CREW  WILL  MANUALLY  REENABLE  THE  LIMITS  AS  SOON  AS 
POSSIBLE  FOLLOWING  THE  ENGINE  OUT  .  ®[1 1 1 298-6785A] 

The  reenabling  of  the  main  engine  limit  shutdown  software  is  required  to  regain,  as  soon  as  possible,  the 
engine  redline  shu  tdown  protection  in  the  event  of  a  second  engine  failure.  The  reenabling  of  the  main 
engine  limit  shutdown  software  will  be  accomplished  by  taking  the  mean  engine  limit  shutdown  switch  to 
ENABLE  then  to  AUTO.  This  allows  one  of  the  running  engines  to  shut  down  due  to  a  limit  violation 
while  automatically  inhibiting  the  main  engine  limit  shutdown  control  capability  on  the  one  remaining 
engine.  Single-engine  flight  control  capability  would  then  take  the  vehicle  to  MECO. 

The  philosophy  of  when  to  reenable  the  main  engine  limit  shutdown  software  attempts  to  balance  the  risk 
of  cm  engine  failing  catastrophically  while  the  limits  are  inhibited  against  the  risk  associated  with  a  two 
engine-out  contingency  abort. 

A  meeting  was  held  with  the  Shuttle  Program  Manager  on  September  10,  1998,  to  discuss  the  risks. 
Insufficient  data  is  available  to  perform  a  risk  trade  since  1)  The  likelihood  of  cm  SSME  running  safely 
above  a  redline  limit  is  unknown,  and  2)  The  likelihood  of  surviving  a  contingency  abort  and  the 
associated  ET  separation,  flight  control,  thermal,  crew  bailout,  and  rescue  is  also  unknown.  The  two 
engine-out  contingency  abort  risks  were  accepted  over  running  an  SSME  with  limits  inhibited.  The  risk 
of  running  cm  SSME  with  limits  inhibited  was  accepted  over  the  three  engine-out  contingency  abort. 

Based  on  this  philosophy,  the  main  engine  limit  shutdown  software  will  remain  enabled  (or  reenabled ) 
for  one  engine-out  cases  and  inhibited  for  all  two  engine-out  cases.  @[121296-4625  ]  ®[1 1 1298-6785A] 

The  September  15  and  November  18,  1987,  and  June  2,  1995,  Ascent/Entry  Flight  Techniques  panels 
reviewed  the  failure  history  of  the  redline  sensors  and  came  to  the  conclusion  that  the  engine  redline 
sensors  are  reliable  and  should,  in  general,  be  trusted  to  not  cause  an  inadvertent  shutdown. 

b.  IF  THE  MCC  DETERMINES  ONE  OF  THE  REDLINE  SENSORS  IS 
FAILED  AND: 
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A5-103  LIMIT  SHUTDOWN  CONTROL  (CONTINUED) 

(1)  EITHER  OF  THE  REMAINING  ENGINES  IS  ONE  REDLINE 
SENSOR  FAILURE  AWAY  FROM  AN  ERRONEOUS  SHUTDOWN, 

THE  MAIN  ENGINE  LIMIT  SHUTDOWN  SOFTWARE  WILL  BE 
INHIBITED  UNTIL  THE  FOLLOWING  BOUNDARY  IS  REACHED 
AND  THEN  REENABLED:  @[121296-4625]  ®[1 1 1 298-6785A] 

RTLS  -  SINGLE  ENGINE  RTLS  BOUNDARY 

TAL,  AOA,  ATO,  NOM  -  SINGLE  ENGINE  LIMITS  BOUNDARY 

FOR  A  PRIME  TAL  SITE  OR  OTHER 
AUGMENTED  TAL/CONTINGENCY  SITE 
IF  WEATHER  OR  LANDING  AIDS 
PERMIT  (REFERENCE  RULE  {A2-6}, 
LANDING  SITE  WEATHER  CRITERIA 
[HC] ) .  IF  WEATHER  AND/OR 
LANDING  AIDS  DO  NOT  PERMIT, 
REENABLE  AT  SINGLE  ENGINE 
PRESS.  @[092195-1793] 

(2)  NEITHER  OF  THE  REMAINING  ENGINES  IS  ONE  REDLINE 
SENSOR  FAILURE  AWAY  FROM  AN  ERRONEOUS  SHUTDOWN, 
REENABLE  THE  MAIN  ENGINE  LIMIT  SHUTDOWN  SOFTWARE 
AS  SOON  AS  POSSIBLE. 


The  MCC  is  responsible  for  evaluating  sensor  failures  since  the  flight  crew  has  no  visibility  into  the 
sensor  health.  Software  flags  issued  by  the  onboard  mean  engine  controller  sensor  reasonableness 
software  or  previously  observed  failure  modes  would  be  used  by  the  MCC  as  criteria  to  say  that  a  sensor- 
had  failed.  If  previous  to  the  first  engine  shutdown,  a  sensor  failure  were  detected  and  then  the  engine 
shut  down  based  on  the  remaining  redline  sensor,  that  second  failure  would  not  be  counted  as  a  sensor 
failure  unless  the  flight  controllers  could  positively  identify  the  sensor  failure  mode.  A  subsequent 
sensor  failure  on  another  running  engine  would  have  to  occur  before  two  sensor  failures  could  be 
counted.  This  type  of  situation  occurred  on  STS  51-F.  All  sensor  failures  on  STS  51-F  were  detected  by 
the  onboard  main  engine  sensor  reasonableness  software.  This  software  also  informed  the  flight 
controllers  of  the  failures  via  the  downlisted  failure  identifier  data  words.  ®[1 1 1298-6785A] 
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A5-103  LIMIT  SHUTDOWN  CONTROL  (CONTINUED) 

The  main  engine  limit  shutdown  software  will  be  enabled  at  an  appropriate  boundary  with  one  sensor 
failure  on  one  of  the  three  engines,  because  one  sensor  failure  does  not  indicate  a  trend  for  a  generic 
failure  of  the  sensors.  If  either  of  the  remaining  two  engines  is  one  sensor  failure  away  from  an 
erroneous  shutdown,  limits  will  remain  inhibited  until  an  abort  boundary  is  reached.  The  limits  will  be 
reenabled  when  an  abort  boundary  (as  defined  in  Rule  {A4-56},  PERFORMANCE  BOUNDARIES)  is 
reached  such  that  a  single-engine  abort  can  be  accomplished  to  the  desired  site.  On  an  RTLS,  this  abort 
boundary  is  Single  Engine  RTLS  ( which  is  designated  by  the  “two-out  red  on  the  TRAJ  display”  call).  If 
neither  of  the  remaining  engines  is  one  sensor  failure  away  from  cm  erroneous  shutdown,  limits  can  be 
reenabled  as  soon  as  possible.  This  allows  the  redlines  to  provide  the  earliest  protection  against  a  recti 
engine  hardware  failure.  ®[1 1 1 298-6785A] 

On  a  TAL,  AO  A,  ATO,  or  nominal  profile,  this  abort  boundary  is  Single  Engine  Limits  if  weather  or 
landing  aids  permit.  Otherwise,  the  limits  will  be  reenabled  at  Single  Engine  Press  (ref.  Rule  (A2-6j, 
LANDING  SITE  WEATHER  CRITERIA  [HC]).  With  one  sensor  failure  and  either  of  the  remaining 
engines  one  sensor  failure  away  from  shutting  down  erroneously,  the  risk  of  cm  engine  shutdown  due  to 
another  sensor  failure  is  higher  them  that  due  to  cm  actual  engine  failure  if  the  limits  were  reenabled. 
Because  of  this  increased  risk  of  cm  engine  shutdown  caused  by  sensor  failures,  the  exposure  to  bailout  is 
not  acceptable  unless  the  next  sensor  failure  will  not  cause  cm  erroneous  shutdown.  For  these  reasons, 
the  limits  are  inhibited  until  the  single  engine  limits  boundary  to  minimize  the  need  for  a  contingency 
abort  and  crew  bailout.  ®[1 21 296-4625  ] 

C.  IF  THE  MCC  DETERMINES  TWO  OR  MORE  OF  THE  SAME  TYPE 

(TEMPERATURE  OR  PRESSURE)  ENGINE  REDLINE  SENSORS  HAVE 
FAILED  AND: 

(1)  EITHER  OF  THE  REMAINING  ENGINES  IS  ONE  REDLINE 
SENSOR  FAILURE  AWAY  FROM  AN  ERRONEOUS  SHUTDOWN, 
THE  MAIN  ENGINE  LIMIT  SHUTDOWN  SOFTWARE  WILL  BE 
INHIBITED  THROUGH  MECO . 

(2)  NEITHER  OF  THE  REMAINING  ENGINES  IS  ONE  REDLINE 
SENSOR  FAILURE  AWAY  FROM  AN  ERRONEOUS  SHUTDOWN, 
REENABLE  THE  MAIN  ENGINE  LIMIT  SHUTDOWN  SOFTWARE 
AS  SOON  AS  POSSIBLE: 

The  shutdown  sensors  on  the  same  redline  will  be  suspected  of  having  a  generic  problem  if  more  than 
one  sensor  fails  (two  or  more  sensors  failed  on  the  same  type  of  redline).  If  either  remaining  engine  is 
one  sensor  failure  away  from  cm  erroneous  shutdown,  limits  will  remain  inhibited  through  MECO  in 
order  to  prevent  the  next  sensor  failure  from  shutting  down  a  good  engine.  The  two  failures  could  occur 
on  one  or  more  engines  including  the  failed  engine.  If  neither  engine  is  one  sensor  failure  away  from  cm 
erroneous  shutdown,  then  limits  are  reenabled  as  soon  as  possible.  This  allows  the  earliest  possible 
protection  by  the  redline  sensors  against  a  real  engine  hardware  failure.  @[121296-4625  ]  ®[1 1 1298-6785A] 
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A5-103  LIMIT  SHUTDOWN  CONTROL  (CONTINUED) 

3.  WITH  ONE  ENGINE  OUT  AND  BFS  ENGAGED,  THE  MAIN  ENGINE 
LIMIT  SHUTDOWN  SOFTWARE  WILL  BE  INHIBITED  THROUGH  MECO 
BY  THE  BFS  AUTOMATIC  COMMAND.  @[121296-4625]  ®[1 1 1 298-6785A] 

The  main  engine  limit  shutdown  control  will  be  inhibited  on  two  remaining  engines  if  the  BFS  is 
engaged.  The  BFS  does  not  have  single-engine  flight  control  software  and  therefore  cannot  control  the 
vehicle  with  two  engines  shut  down.  If  the  engine  shuts  down  after  the  BFS  is  engaged,  the  BFS  will 
automatically  command  inhibit  to  the  remaining  engines.  If  the  engine  shuts  down  while  on  the  PASS, 
limits  subsequently  reenabled,  and  then  BFS  engaged,  the  BFS  will  again  automatically  command  inhibit 
to  the  remaining  engines  since  the  BFS  reevaluates  and  responds  to  engine  out  status  when  engaged. 

4.  WITH  TWO  ENGINES  OUT,  THE  MAIN  ENGINE  LIMIT  SHUTDOWN 
SOFTWARE  WILL  REMAIN  INHIBITED  THROUGH  MECO. 

Since  three  engine-out  contingency  aborts  contain  “black  zones  ”  and  are  more  severe  than  the  two-engine 
contingency  aborts,  limits  will  remain  inhibited  on  the  last  running  engine. 

Rules  {A2-6j,  LANDING  SITE  WEATHER  CRITERIA  [ HC ];  { A2-55 j,  USE  OF  LOW-ENERGY 
GUIDANCE;  and  { A5-104 },  DATA  PATH  FAIL/ENGINE-ON  LIMIT  SHUTDOWN  CONTROL, 
reference  this  rule.  @[120894-1663  ] 

B.  STUCK  THROTTLE  IN  THE  THRUST  BUCKET 

IF  A  STUCK  THROTTLE  CONDITION  OCCURS  DURING  MAX  Q 
THROTTLING  SUCH  THAT  THE  POWER  LEVEL  IS  LESS  THAN  THE 
NOMINAL  FLIGHT  POWER  LEVEL,  THE  MAIN  ENGINE  LIMIT 
SHUTDOWN  SOFTWARE  WILL  REMAIN  ENABLED. 

When  an  engine  experiences  a  stuck  throttle  in  the  thrust  bucket,  performance  may  be  reduced 
sufficiently  that  an  abort  gap  may  occur  between  RTLS  capability  and  any  downrange  abort  capability. 
Uphill  capability  may  also  be  lost.  Main  engine  limit  shutdown  software  remains  enabled  to  allow  for 
the  stuck  engine  to  shut  down  if  it  exceeds  redline  limits.  In  the  case  of  a  hydraulic  lock-up,  valve  drift 
may  occur  resulting  in  potential  redline  limit  exceedance;  therefore,  the  main  engine  limit  shutdown 
software  remains  enabled.  It  has  been  accepted  that  the  loss  of  a  good  engine  could  result  in  a  1  and  2/3 
RTLS  contingency  abort. 

C.  WITH  ONE  ENGINE  OUT  AND  ONE  OF  THE  REMAINING  ENGINES  HAS  A 
NON- 1  SOL AT ABLE  MPS  HELIUM  LEAK,  THE  MAIN  ENGINE  LIMIT  SHUTDOWN 
SOFTWARE  WILL  BE  INHIBITED  BASED  ON  THE  FOLLOWING :  @[111 298-6785A] 
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A5-103  LIMIT  SHUTDOWN  CONTROL  (CONTINUED) 

1.  PRIOR  TO  THE  SINGLE  ENGINE  LIMITS  ( TAL  ABORT)  OR  SINGLE 
ENGINE  RTLS  (RTLS  ABORT)  BOUNDARY:  ®[1 1 1 298-6785A] 

WHEN  THE  PNEUMATIC  HELIUM  AND/OR  FAILED  ENGINE'S  MPS 
HELIUM  TANK  PRESSURE  REACHES  1150  PSIA  FOLLOWING  THE 
INTERCONNECT  TO  THE  LEAKING  SYSTEM'S  HELIUM  OR  WHEN  BOTH 
LEAKING  ENGINE'S  HELIUM  REGULATOR  PRESSURES  ARE  BELOW  715 
(679)  PSIA 

2.  OTHERWISE,  NO  ACTION  REQUIRED. 

IF  THE  SINGLE  ENGINE  LIMITS  (TAL  ABORT)  OR  SINGLE 
ENGINE  RTLS  (RTLS  ABORT)  BOUNDARY  IS  REACHED  WITHOUT 
INTERCONNECTING  TO  THE  NON-LEAKING,  RUNNING  ENGINE'S 
HELIUM,  THE  MAIN  ENGINE  LIMIT  SHUTDOWN  SOFTWARE  WILL  BE 
REENABLED . 

IF  HELIUM  FROM  THE  NON-LEAKING,  RUNNING  ENGINE  IS 
REQUIRED  TO  SUPPORT  THE  LEAKING  ENGINE'S  OPERATION  (REF. 
RULE  { A5-152 } ,  PRE  MECO  MPS  HELIUM  SYSTEM  INTERCONNECTS 
[CIL]  )  ,  THE  MAIN  ENGINE  LIMIT  SHUTDOWN  SOFTWARE  WILL 
REMAIN  INHIBITED  THROUGH  MECO.  @[090894- 1676 A]  @[121296-4625] 

For  the  case  of  two  engines  running  (one  with  a  non-isolatable  MPS  helium  leak),  the  main  engine  limit 
shutdown  software  will  be  reenabled  by  the  crew  per  paragraph  A.2.a.  If  the  leaking  engine  cannot 
support  the  SE  Limits  or  SE  RTLS  boundary  with  an  interconnect  from  pneumatic  and/or  the  failed 
engine’s  helium,  the  leaking  engine  will  be  allowed  to  operate  below  the  HPOTP IMSL  redline  to  avoid  a 
two  engine-out  contingency  abort  (per  Rules  {A5-152},  PRE-MECO  MPS  HELIUM  SYSTEM 
INTERCONNECTS  [CIL],  and  [A5-153J,  PRE-MECO  SHUTDOWN  OF  ENGINES  DUE  TO  MPS 
HELIUM  LEAKS).  To  operate  below  the  redline,  limits  must  be  inhibited.  The  MCC  will  call  for  the 
main  engine  limit  shutdown  switch  to  “inhibit”  when  the  pneumatic  helium  and/or  failed  engine’s  helium 
tank  pressure  reaches  1150  psia  following  the  interconnect  to  the  leaking  system  or  when  the  leaking 
system’s  regulator  pressures  are  below  715  (679)  psia.  The  1150  psia  tank  pressure  cue  was  selected  as 
the  operational  cue  corresponding  to  the  crew’s  MPS  helium  tank  pressure  C&W  (not  the  pneumatic 
helium  tank  pressure  C&W)  while  ensuring  that  the  HPOTP  IMSL  redline  limit  is  not  exceeded  prior  to 
inhibiting  the  limits.  It  also  minimizes  the  amoun  t  of  time  that  the  remaining  engines  are  exposed  to 
main  engine  limits  being  inhibited.  The  715  (679)  psia  regulator  pressure  cue  was  selected  as  a  backup 
cue  for  large  MPS  helium  leaks  to  ensure  that  the  HPOTP  IMSL  redline  limit  is  not  exceeded  before 
main  engine  shutdown  limits  are  inhibited.  The  main  engine  limit  shutdown  software  will  be  reenabled 
upon  reaching  the  first  single  engine  abort  landing  site  capability,  which  is  either  SE  Limits  or  SE  RTLS 
(ref.  AEFTP  #107,  11/4/93),  if  cm  interconnect  from  a  running  engine  has  not  been  performed.  This 
represents  the  earliest  time  after  which  an  attempt  can  be  made  to  reach  a  landing  site  with  a  good 
engine  out.  ®[1 1 1 298-6785A] 
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A5-103  LIMIT  SHUTDOWN  CONTROL  (CONTINUED) 


The  main  engine  limit  shutdown  software  will  remain  inhibited  if  the  non-leaking,  running  engine’s 
helium  has  been  interconnected  to  a  leaking  engine  (no  three  engine-out  abort  capability).  Keeping 
limits  inhibited  in  this  configuration  will  allow  the  main  engine  with  the  leaking  MPS  helium  supply  to 
continue  to  operate  below  the  normal  HPOTP IMSL  redline.  Running  the  engine  below  the  normal 
redline  is  an  acceptable  risk  while  the  vehicle  is  in  an  abort  gap  since  the  only  alternative  is  an  early 
MECO  and  the  loss  of  the  vehicle  and  crew.  ®[i  21 296-4625  ]  ®[i  1 1 298-6785A] 

Reference  Rule  {A5-153},  PRE-MECO  SHUT  DOWN  OF  ENGINES  DUE  TO  MPS  HELIUM  LEAKS. 

@[090894-1 676A] 

D.  IF  FLOW  CONTROL  VALVE  FAILURES  OR  AN  ULLAGE  GAS  LEAK  CAUSE  A 
LOW  LH2  NPSP  CONDITION,  THE  MAIN  ENGINE  LIMIT  SHUTDOWN 
SOFTWARE  WILL  BE  MANUALLY  ENABLED  BY  PLACING  THE  MAIN  ENGINE 
LIMIT  SHUTDOWN  SWITCH  TO  "ENABLE"  PER  FLIGHT  RULE  {A5-155}, 
LIMIT  SHUTDOWN  CONTROL  AND  MANUAL  THROTTLING  FOR  LOW  LI£ 

NPSP.  @[121296-4625] 


Reference  Rule  and  rationale  (A5-155J,  LIMIT  SHUTDOWN  CONTROL  AND  MANUAL  THROTTLING 
FOR  LOW  LH2  NPSP. 

E.  IF  A  DATA  PATH  FAILURE  OCCURS  ON  AN  ENGINE  THAT  IS  CONFIRMED 
RUNNING,  THE  MAIN  ENGINE  LIMIT  SHUTDOWN  SOFTWARE  WILL  BE 
REENABLED  PER  FLIGHT  RULE  {A5-104},  DATA  PATH  FAIL/ENGINE-ON 
LIMIT  SHUTDOWN  CONTROL. 

Reference  Rule  and  rationale  (A5-104J,  DATA  PATH  FAIL/ENGINE-ON  LIMIT  SHUTDOWN  CONTROL. 

F.  IF  A  GPC  SET  SPLIT  OCCURS  AND  THE  MAIN  ENGINE  LIMIT  SHUTDOWN 
SOFTWARE  ON  TWO  ENGINES  IS  AUTOMATICALLY  INHIBITED,  THE  MAIN 
ENGINE  LIMIT  SHUTDOWN  SOFTWARE  WILL  BE  MANUALLY  ENABLED. 


In  a  set  split  condition,  two  GPC’s  will  not  see  data  from  one  of  the  engines  and  will  automatically 
inhibit  the  main  engine  limit  shutdown  software  on  the  other  two  engines.  If  limits  are  reenabled  by 
taking  the  main  engine  limit  shutdown  switch  to  ENABLE  then  AUTO,  the  limits  would  be  automatically 
inhibited  on  the  next  cycle.  Therefore,  the  main  engine  limit  shutdown  switch  will  only  be  taken  to 
ENABLE.  Reference  Rule  and  rationale  {A5-104J,  DATA  PATH  FAIL/ENGINE-ON  LIMIT 
SHUTDOWN  CONTROL. 
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A5-103  LIMIT  SHUTDOWN  CONTROL  (CONTINUED) 

G.  FOR  LOSS  OF  TVC  CONTROL  ON  AN  OPERATING  MAIN  ENGINE,  THE  MAIN 
ENGINE  LIMIT  SHUTDOWN  SOFTWARE  WILL  BE  INHIBITED  (THREE 
ENGINES  RUNNING)  UNTIL  TWO-ENGINE  TAL  CAPABILITY  IS  ACHIEVED 
OR,  ON  AN  RTLS ,  UNTIL  AFTER  POWERED  PITCH-AROUND  (PPA)  IS 
COMPLETE . 

The  risk  of  running  cm  engine  with  the  main  engine  limits  inhibited  is  accepted  over  the  risk  of  loss  of 
con  trol  during  the  RTLS  powered  pitch  around  (PPA)  as  a  result  of  a  gimballing  engine  failure.  If  a 
mean  engine  has  lost  TVC  capability,  the  failu  re  of  a  gimballing  engine  could  result  in  a  loss  of 
control  even  if  single-engine  roll  con  trol  (SERC)  is  active.  Since  an  RTLS  trajectory  is  much  more 
demanding  than  an  uphill  or  TAL  case  from  a  control  standpoint,  avoiding  an  RTLS  abort  is  highly 
desirable.  Additionally,  if  the  loss  of  TVC  is  due  to  hydraulic  system  failures,  the  engines  in  hydraulic 
lockup  could  fail  due  to  valve  drift,  so  a  trajectory  that  provides  the  earliest  possible  single-engine 
capability  is  desirable.  If  a  three-engine  RTLS  is  performed,  the  mean  engine  limit  shutdown  software 
will  be  inhibited  until  after  PPA,  since  a  loss  of  con  trol  is  very  possible  if  PPA  is  attempted  with  one 
gimballing  and  one  non  gimballing  engine.  ®[1 21 296-4625  ]  ®[1 1 1 298-6785A] 

Reference  rule  {A8-61  j,  SSME  SHUTDOWN  DUE  TO  HYDRAULIC  SYSTEM  FAILURES. 

H.  DURING  A  THREE  ENGINE  RTLS  ABORT,  TIME  PERMITTING,  THE  MAIN 
ENGINE  LIMIT  SHUTDOWN  SWITCH  WILL  BE  TOGGLED  TO  INHIBIT, 
ENABLE,  AND  BACK  TO  AUTO.  THIS  ACTION  WILL  BE  DELAYED  AS 
LONG  AS  POSSIBLE,  BUT  MUST  BE  COMPLETED  PRIOR  TO  AN  MET  OF  8 
MINUTES.  @[121296-4625]  ®[1 1 1 298-6785A] 

A  GPC  or  manual  toggle  of  the  main  engine  limit  shutdown  software  to  inhibit  will  be  required  on  a 
three  engine  RTLS  abort  due  to  the  incorporation  of  single  command  chann  el  shu  tdown  logic  in  the  main 
engine  controller  software.  The  intent  of  this  is  to  protect  the  vehicle  and  crew  from  exposure  to  a  latent 
orbiter/main  engine  command  path  failure  at  MECO  (catastrophic).  This  is  accomplished  by  reducing 
the  normal  2  of  3  shutdown  command  channel  agreement  criteria  to  1  of  3  shutdown  command  channel 
acceptance  processing.  The  software,  which  is  invoked  after  a  mission  specific  timer  has  expired,  will 
allow  acceptance  and  execution  of  the  following  two  sequential  commands,  shutdown-enable  followed  by 
a  shutdown  command  on  a  single  command  channel.  Should  a  limit’s  inhibit  command  be  processed  and 
accepted  by  the  con  troller  prior  to  the  execution  of  the  single  command  channel  logic,  single  command 
channel  processing  will  no  longer  be  performed.  The  mission  specific  timer  is  calculated  by  subtracting 
5.5  seconds  (3  sigma  dispersion)  from  the  predicted  MECO  time  referenced  to  SSME  start.  That  is,  the 
predicted  MECO  time  in  MET  plus  the  time  from  the  last  SSME  start  (6.36  seconds)  minus  3  sigma 
dispersion  (5.5  seconds).  ®[09i  098-671 OA] 

THIS  RULE  CONTINUED  ON  NEXT  PAGE 


VOLUME  A  11/21/02  FINAL,  PCN-1  BOOSTER  5-35 

Verify  that  this  is  the  correct  version  before  use. 


NASA  -  JOHNSON  SPACE  CENTER 


FLIGHT  RULES 


A5-103  LIMIT  SHUTDOWN  CONTROL  (CONTINUED) 

Toggling  of  the  main  engine  limit  shutdown  switch  on  a  three  engine  RTLS  is  performed  in  order  to 
preclude  the  possibility  of  losing  all  main  engines  due  to  a  failed-to-sync  GPC  after  the  controller  timer 
has  expired.  Normally,  exposure  to  this  condition  is  either  minimized  (to  approximately  5  seconds )  by 
projected  MECO  times  on  the  order  of  511  seconds  on  uphill  missions  and  TAL  aborts,  or  eliminated  by 
a  main  engine  out  (the  GPC’s  command  inhibit  on  the  remaining  engines  and  the  single  command 
channel  shutdown  processing  is  disabled).  However,  the  time  of  exposure  to  a  three  engine  out  condition 
may  be  sign  ifican  t  (120  seconds )  on  a  systems  RTLS  abort.  This  exposure  results  from  the  extended 
main  engine  burntime  (MECO  at  approximately  630  seconds  MET)  and  the  absence  of  cm  engine-out 
limits  inhibit  command.  Consequently,  the  mean  engine  limit  shutdown  software  will  be  manually 
toggled  to  inhibit  in  order  to  minimize  exposure  to  a  failed-to-sync  GPC.  This  action  will  be  delayed  as 
long  as  possible  in  order  to  retain  mean  engine  shutdown  capability,  and  to  possibly  eliminate  an 
unnecessary  action,  should  a  mean  engine  out  occur  prior  to  the  expiration  of  the  controller  timer.  The 
cue  of  8  min  utes  provides  margin  prior  to  expiration  of  the  timer.  ©[090894-1679A]  @[121296-4625  ]  @[091098- 
671 0A] 


VOLUME  A  11/21/02  FINAL,  PCN-1  BOOSTER  5-36 

Verify  that  this  is  the  correct  version  before  use. 


NASA  -  JOHNSON  SPACE  CENTER 


FLIGHT  RULES 


A5-104  DATA  PATH  FAIL/ENGINE -ON  LIMIT  SHUTDOWN  CONTROL 

WITH  A  DATA  PATH  FAILURE  AND  THE  ENGINE  CONFIRMED  ON  BY  THE  MCC, 
THE  MAIN  ENGINE  LIMIT  SHUTDOWN  CONTROL  CAPABILITY  WILL  BE  MANAGED 
IN  THE  FOLLOWING  MANNER:  ®[121296-4594A] 

A  data  path  failure  occurs  when  the  GPC’s  (PASS  or  BFS)  either  do  not  see  the  main  engine  time  reference 
word  (TREF)  updating  or  when  the  two  main  engine  identification  words  (ID  words  1  &  2)  are  not  one’s 
complements.  If  this  occurs  in  the  controlling  GPC’s,  the  controlling  GPC’s  will  automatically  inhibit  the 
main  engine  limit  shutdown  software  on  the  other  two  main  engines.  However,  the  GPC  software  will  not 
inhibit  the  limits  on  the  engine  with  the  data  path  failure.  This  response  occurs  because  the  GPC’s  assume 
the  engine  has  failed  behind  the  data  path  failure. 

A.  BFS  NOT  ENGAGED: 

1.  THE  MAIN  ENGINE  LIMIT  SHUTDOWN  SOFTWARE  WILL  BE  REENABLED 
BY  PLACING  THE  MAIN  ENGINE  LIMIT  SHUTDOWN  SWITCH  TO 
"ENABLE"  THEN  "AUTO". 

Once  the  MCC  confirms  that  the  engine  with  the  data  path  failure  is  running,  the  crew  will  remove  the 
inhibits  by  manually  placing  the  main  engine  limit  shutdown  switch  to  ENABLE,  then  AUTO.  This 
switch  movement  causes  the  main  engine  limit  shutdown  software  to  be  reenabled  on  all  running  engines. 

2.  FOR  AN  ENGINE  OUT:  ®[1 1 1 298-6785A] 

a.  IF  THE  ENGINE  THAT  SHUT  DOWN  WAS  THE  ONE  THAT  HAD  THE 
DATA  PATH  FAILURE,  THE  MAIN  ENGINE  LIMIT  SHUTDOWN 
SOFTWARE  WILL  REMAIN  ENABLED. 

If  the  engine  that  shuts  down  is  the  engine  with  the  data  path  failure,  the  GPC’s  will  not  automatically 
inhibit  the  main  engine  limit  shutdown  software.  The  main  engine  limit  shutdown  software  will  remain 
enabled  to  allow  for  a  second  engine  out  (ref  Rule  {A5-103J,  LIMIT  SHUTDOWN  CONTROL). 

®[1 21 296-4594A]  ®[1 1 1 298-6785A] 
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A5-104  DATA  PATH  FAIL/ENGINE -ON  LIMIT  SHUTDOWN  CONTROL 

b.  IF  THE  ENGINE  THAT  SHUT  DOWN  WAS  NOT  THE  ONE  WITH  THE 
DATA  PATH  FAILURE,  THE  PASS  WILL  AUTOMATICALLY  INHIBIT 
LIMITS.  LIMITS  WILL  REMAIN  INHIBITED  UNTIL  MECO . 

®[1 21 296-4594A]  ®[1 1 1 298-6785A] 

If  the  engine  that  shuts  down  did  not  have  the  data  path  failure,  the  limit  shutdown  control  capability 
of  the  two  remaining  engines  will  automatically  be  inhibited  by  the  PASS  GPC’s.  In  this  case, 
however,  the  limits  will  remain  inhibited  until  MECO.  The  reason  is  that,  if  the  limits  were  reenabled 
and  the  remaining  engine  with  the  good  data  path  exceeds  a  redline  and  shuts  down,  MECO  confirmed 
conditions  would  be  satisfied  by  having  two  engines  with  main  combustion  chamber  pressure  less  than 
30  percen  t  power  level  and  one  engine  with  a  data  path  failure.  MECO  command  would  be  sent, 
resulting  in  the  shutdown  of  the  engine  with  the  data  path  failure.  This  early  MECO  could  result  in  cm 
unacceptable  underspeed.  ®[1 21 296-4594A] 

B.  BFS  ENGAGED: 

1.  THE  MAIN  ENGINE  LIMIT  SHUTDOWN  SOFTWARE  WILL  BE  ENABLED 
BY  PLACING  THE  MAIN  ENGINE  LIMIT  SHUTDOWN  SWITCH  TO 
"ENABLE"  (UNLESS  THE  BFS  AUTOMATICALLY  REENABLED  LIMITS 
UPON  BFS  ENGAGE)  .  ®[1 1 1 298-6785A] 

If  the  data  path  failure  occurs  before  BFS  engage,  when  the  BFS  is  engaged,  all  data  path  failure  flags 
are  reset  in  the  BFS  software.  The  BFS  immediately  attempts  to  establish  communication  with  the 
engines.  However,  if  this  is  not  successful  a  data  path  failure  is  annunciated  on  that  engine.  At  this 
point,  the  BFS  software  automatically  inhibits  the  mean  engine  limit  shutdown  software  on  the  other  two 
engines.  If  the  data  path  failure  occurs  after  BFS  engage,  the  BFS  will  inhibit  limits  on  the  other  two 
engines.  Once  the  MCC  confirms  the  engine  with  the  data  path  failure  is  running,  the  crew  will  remove 
the  inhibits  by  manually  placing  the  main  engine  limit  shutdown  switch  to  ENABLE  to  prevent  running 
the  engines  for  the  remainder  of  the  flight  with  limits  inhibited.  The  BFS  main  engine  limit  shutdown 
switch  logic  does  not  work  the  same  way  it  does  in  the  PASS  (in  the  BFS,  ENABLE/AUTO  will  cause  the 
limits  to  go  back  to  inhibit). 

The  BFS  will  automatically  reenable  limits  if  the  data  path  failure  is  recovered  when  the  BFS  is  engaged. 
®[121296-4594A] 
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A5-104  DATA  PATH  FAIL/ENGINE -ON  LIMIT  SHUTDOWN  CONTROL 

2.  FOR  A  SUBSEQUENT  ENGINE  OUT:  ®[1 21 296-4594A] 

THE  MAIN  ENGINE  LIMIT  SHUTDOWN  SOFTWARE  WILL  BE  INHIBITED 
BY  PLACING  THE  MAIN  ENGINE  LIMIT  SHUTDOWN  SWITCH  TO 
"INHIBIT"  (UNLESS  THE  BFS  AUTOMATICALLY  INHIBITED  LIMITS 
AT  ENGINE  OUT) .  LIMITS  WILL  REMAIN  INHIBITED  UNTIL  MECO . 

If  the  BFS  has  been  engaged,  a  subsequen  t  engine  shutdown  will  require  the  limits  to  be  inhibited 
because  BFS  does  not  have  single  engine  roll  control  logic  (ref  Rule  (A5-103J,  LIMIT  SHUTDOWN 
CONTROL).  BFS  will  automatically  inhibit  limits  if  the  engine  that  shut  down  did  not  have  a  previous 
data  path  failure,  had  a  data  path  failure  at  shutdown,  or  had  a  previous  data  path  failure  prior  to  BFS 
engage  but  was  recovered  upon  BFS  engage.  Limits  will  have  to  be  manually  inhibited  by  taking  the 
main  engine  limit  shutdown  switch  to  INHIBIT  if  the  engine  that  shut  down  had  a  lion-recovered  data 
path  failu  re  prior  to  shu  tdown. 

Rules  {A5-102},  AUTO/MANUAL  SHUTDOWN,  {A5-103},  LIMIT  SHUTDOWN  CONTROL,  and  {A5-113}, 
MANUAL  MECO/MECO  CONFIRMED,  reference  this  rule.  ®[i  21 296-4594A] 
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A5-105  DATA  PATH  FAIL/ENGINE -OUT  ACTION 

IF  THE  MCC  CONFIRMS  THAT  AN  ENGINE  WITH  A  DATA  PATH  FAILURE  HAS 
SHUT  DOWN,  THAT  ENGINE'S  SHUTDOWN  pb  WILL  BE  PUSHED  TO  MODE  THE 
GUIDANCE  AND  FLIGHT  CONTROL  LOGIC  AND  TO  CLOSE  THE  ASSOCIATED 
PRE VALVES . 

SHOULD  THE  SAFING  FUNCTION  OF  THE  pb  BE  INOPERATIVE  DUE  TO 
SHUTDOWN  pb  OR  CONTROL  BUS  PROBLEMS,  THE  APPROPRIATE  MDM  PER  THE 
TABLE  BELOW  WILL  BE  POWER  CYCLED  FOR  1  SECOND  TO  ALLOW  THE  pb  TO 
OPERATE.  THE  POWER  CYCLED  MDM  MAY  BE  REGAINED  VIA  AN  I/O  RESET 
POST  SAFING.  @[021397-4823] 


S/D  pb  CONTACT 

CONTROL  BUS 

MDM 

CTR  A 

AB1 

FF1 

CTR  B 

BC1 

FF2  @[111699-7140] 

LEFT  A 

BC2 

FF2 

LEFT  B 

CA2 

FF3 

RT  A 

CA3 

FF3 

RT  B 

BC3 

FF4 

The  GPC  guidance  software  will  not  know  an  engine  has  shut  down  prematurely  if  the  data  path  from 
that  engine  has  also  failed.  Pushing  the  corresponding  shutdown  pb  will  set  the  safing  command  in  the 
GPC  for  that  engine.  When  the  safing  command  is  set,  the  SSME  OPS  sequence  will  close  the  prevalves 
and  set  the  engine  fail  flag  for  that  engine.  Closing  the  prevalves  is  essential  to  isolate  the  failed  engine 
if  the  engine  failure  caused  damage  to  the  engine  propellant  supply  lines.  There  is  a  potential  for  afire 
or  propellan  t  loss  with  the  prevalves  open.  The  engine  fail  flag  is  used  by  the  ascent  guidance  software 
to  mode  the  guidance  and  targeting  functions  to  correspond  to  the  number  of  SSME’ s  that  are  operating. 
This  is  required  for  proper  control  of  the  vehicle. 

If  the  two  contacts  on  the  shutdown  pb  disagree,  the  safing  command  will  not  be  set.  A  contact 
disagreement  can  be  caused  by  a  failure  of  a  contact,  the  loss  of  the  fuse  to  a  contact,  or  the  loss  of  the 
control  bus  providing  power  to  a  contact.  Power  cycling  the  MDM  associated  with  that  contact  will 
cause  the  failed  contact  to  be  comm  faulted;  this  will  allow  the  safing  command  to  be  set  when  the  pb  is 
pushed.  For  FF 1,  2  or  3,  the  power  cycle  must  be  of  approximately  1  second  in  duration  before  moding 
guidance.  This  is  to  ensure  that  the  MDM  is  off  long  enough  to  be  comm  faulted,  yet  repowered  quickly 
to  avoid  caging  the  associated  IMU.  The  comm  faulted  MDM  can  be  recovered  with  an  I/O  reset  after 
the  appropriate  shutdown  pb  is  pushed  and  guidance  has  been  moded.  @[021397-4823  ] 
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A5-106  MANUAL  SHUTDOWN  FOR  COMMAND/DATA  PATH  FAILURES 

MANUAL  SHUTDOWN  OF  AN  AFFECTED  ENGINE  WILL  BE  PERFORMED  PRIOR  TO 
OR  AT  MECO  FOR  THE  FOLLOWING  COMMAND  AND/OR  DATA  PATH  FAILURE 
CASES : 


A.  COMMAND  PATH  FAILURE. 


1.  NOMINAL/ ATO/AOA: 


THREE 

ENGINES 

ON  -  SHUT  DOWN  AT  VI 

=  23K 

FPS 

USING 

THE 

AC 

POWER 

SWITCHES 

AND 

SHUTDOWN 

PB. 

TWO 

ENGINES  ON  -  SHUT 

DOWN 

AT  VI  = 

24 . 5K 

FPS 

USING 

THE 

AC 

POWER 

SWITCHES 

AND 

SHUTDOWN 

PB. 

C.  MCC  CONFIRMS  COMMAND  PATH  FAILURE  BY  NO  THROTTLING  OF 
AFFECTED  ENGINE  WHEN  THE  ENGINES  ARE  COMMANDED  TO 
THROTTLE . 

2.  RTLS : 


TWO  OR  THREE  ENGINES  ON 
PITCHDOWN  AT  ALPHA  =  -1 
SHUTDOWN  PB.  @[032395-1759] 


-  SHUT  DOWN  DURING  POWERED 
USING  THE  AC  POWER  SWITCHES  AND 


3 .  TAL : 


TWO  OR  THREE  ENGINES  ON  -  SHUT  DOWN  AT  VI  =  22. 5K  FPS 
USING  AC  POWER  SWITCHES  AND  SHUTDOWN  PB. 


In  the  case  of  a  command  path  failure,  the  only  way  to  shut  down  an  engine  is  with  the  engine  ac  power 
switches.  Shutting  down  with  the  ac  power  switches  also  creates  a  data  path  failure.  Therefore,  the 
shutdown  pushbutton  is  pushed  to  tell  guidance  that  an  engine  is  out.  The  engine  is  shut  down 
approximately  30  seconds  before  MECO  to  prevent  depleting  LO2  through  an  SSME  and  causing 
uncontained  engine  damage.  A  velocity  which  equates  to  MECO  minus  30  seconds  also  gives  guidance 
time  to  compensate  for  late  engine  out  and  converge  to  the  proper  MECO  targets.  The  only  exception  is 
an  RTLS  where  the  engine  is  shut  down  during  powered  pitchdown  at  alpha  =  -1  degrees.  On  a  three-  or 
two-engine  abort  RTLS,  if  an  engine  is  shut  down  at  TGO  ?  60  seconds,  guidance  will  not  mode  to  the 
target  set  corresponding  to  the  remaining  number  of  engines.  @[032395-1 759A] 
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A5-106  MANUAL  SHUTDOWN  FOR  COMMAND/DATA  PATH  FAILURES 

(CONTINUED) 

The  cue  of  alpha  =  -1  degree  (approx  MECO-5  sec)  was  chosen  to  allow  SSME  shutdown  to  begin  prior  to 
predicted  MECO  while  the  LO2  is  still  under  G’sfrom  the  other  engine(s).  This  alleviates  LO2  net 
positive  suction  pressure  concerns  for  the  high  pressure  oxidizer  tu  rbopump  (HPOTP).  Alpha  =  -1  degree 
also  protects  for  1 -sigma  aerodynamic  dispersions.  Although  sizable  transien  ts  can  be  expected 
subsequent  to  engine  shutdown,  flight  control  has  been  demonstrated  to  null  these  transients  prior  to  ET 
separation  (in  some  cases  ET  separation  inhibits  of  approximately  1  second  will  occur,  reference  AEFTP 
# 87  and  # 122  minutes).  On  a  three-engine  press-to-MECO  case,  MECO  minus  30  seconds  occurs  at  a  VI 
=  23  kfps.  On  a  two-engine  press-to-MECO  case,  MECO  minus  30  seconds  occurs  at  a  VI  =  24.5  kfps. 

On  a  TAL  abort,  MECO  minus  30  seconds  occurs  at  a  VI  =  22.5  kfps.  ©[032395-1759A] 

B.  DATA  PATH  FAILURE 

1.  MCC  DECISION  (PRIME) 

NOMINAL/ ATO/AOA/ TAL/RTLS : 

a.  NO  ACTION  REQUIRED. 

b.  MCC  CONFIRMS  COMMAND  PATH  OPERATIONAL  BY  GH2  OUTLET 
PRESSURE  COMPARISON  TO  POWER  LEVEL  COMMAND. 

2.  ONBOARD  DECISION  (NO  COMMUNICATION). 

NOMINAL/ ATO/AOA/ TAL/RTLS : 

CREW  ACTION  SAME  AS  FOR  COMMAND  PATH  FAILURE. 

For  a  data  path  failure,  the  engine  will  accept  throttling  and  MECO  commands  so  that  no  action  is 
required.  The  crew  cannot  tell  the  difference  between  a  data  path  failure  and  a  command/data  path 
failure.  The  two  failures  that  caused  the  data  path  failure  may  also  have  caused  a  command  path  failure 
(i.e.,  two  controller  interface  adapters  (CIA’s),  or  a  CIA  and  a  multiplexer  interface  adapter  (MIA)  in  the 
EIU).  Unless  the  command  capability  is  verified  by  the  MCC,  the  crew  will  assume  a  command  and  data 
path  failure  and  will  take  the  same  action  as  a  command  path  failure.  The  MCC  can  verify  the  command 
path  status  by  observing  that  the  GH2  outlet  pressure  changes  with  the  throttle  command.  If  an  engine 
throttles  down  when  commanded,  its  command  path  is  operational. 
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A5-106  MANUAL  SHUTDOWN  FOR  COMMAND/DATA  PATH  FAILURES 

(CONTINUED) 

C.  COMMAND  AND  DATA  PATH  FAILURE. 

1.  MCC  DECISION  (PRIME) 

NOMINAL /ATO/ AOA/TAL/RTLS : 

a.  ACTION  SAME  AS  COMMAND  PATH  FAIL 

b.  MCC  CONFIRMS  CASE  BY  NO  CHANGE  IN  GH2  OUTLET  PRESSURE 
ON  THE  AFFECTED  ENGINE  WHEN  ENGINE  COMMANDED  TO 
THROTTLE . 

2.  ONBOARD  DECISION  (NO  COMMUNICATION) 

NOMINAL /ATO/ AOA/TAL/RTLS : 

CREW  ACTION  SAME  AS  FOR  COMMAND  PATH  FAILURE. 

The  loss  of  cm  EIU  or  the  loss  of  an  MIA  and  a  CIA  or  the  loss  of  two  CIA’s  will  cause  a  data  path 
failure  and  a  command  path  failure  on  the  same  engine. 

This  is  a  very  serious  failure  mode  because  this  failure  will  close  the  LO2  prevalves  on  an  operating 
engine  if  preventative  action  is  not  taken.  A  water-hammer  effect  could  occur  which  would  rupture  the 
LO 2  feedline  and  result  in  uncontained  engine  damage  and  loss  of  vehicle.  At  MECO,  the  GPC  logic 
assumes  cm  engine  with  a  data  path  failure  does  not  have  a  command  path  loss  ( i.  e. ,  the  GPC  assumes 
the  engine  accepted  and  complied  with  the  shutdown  command);  therefore,  the  prevalves  are  commanded 
closed.  To  prevent  this  catastrophic  shutdown  of  the  engine  at  MECO,  the  engine  ac  power  switches 
must  be  used  to  shut  down  the  engine  before  MECO  is  commanded.  The  ac  power  switches  will  shut 
down  the  engine;  the  pushbutton  is  then  pressed  to  mode  guidance. 

Rules  {A2-59D},  BFS  ENGAGE  CRITERIA;  {A5-109},  MANUAL  SHUTDOWN  FOR  TWO  STUCK 
THROTTLES  (NOT  DUAL  APU  FAILURES);  {A5-110},  SSME  PERFORMANCE  DISPERSION;  {A5-107}, 
MANUAL  SHUTDOWN  FOR  SUSPECT  COMMAND  PATH  FAILURES;  {A5-153},  PRE-MECO  SHUT 
DOWN  OF  ENGINES  DUE  TO  MPS  HELIUM  LEAKS;  and  {A7-9},  REDUNDANT  SET  SPLIT,  reference 

this  rule.  @[032395-1766]  @[061 296-61 47A]  ®[ED  ] 
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A5-107  MANUAL  SHUTDOWN  FOR  SUSPECT  COMMAND  PATH  FAILURES 

AN  ENGINE  WITH  SUSPECT  COMMAND  CAPABILITY  FOR  SHUTDOWN  WILL  BE 
MANUALLY  SHUT  DOWN  PRIOR  TO  MECO  USING  THE  SAME  CUES  LISTED  FOR  A 
COMMAND  PATH  FAILURE  IN  FLIGHT  RULE  {A5-106},  MANUAL  SHUTDOWN  FOR 
COMMAND/DATA  PATH  FAILURES. 

If  a  transient  failure  observed  during  powered  flight  results  in  the  temporary  loss  of  a  command 
channel,  the  respective  command  channel  will  be  considered  suspect  since  the  failure  could  retu  rn  at 
any  time.  If  another  avionics  failure  and  a  reoccurrence  of  the  previously  obsen’ed  transient  failure 
results  in  a  command  path  failure  (per  Rule  { A5-3J ,  STUCK  THROTTLE),  the  command  capability  of 
this  engine  will  be  considered  suspect  even  if  the  engine  reacts  to  the  3g  throttle  back  command. 

Therefore,  this  engine  will  be  shut  down  pre-MECO  per  Rule  {A5-106},  MANUAL  SHUTDOWN  FOR 
COMMAND/DATA  PATH  FAILURE.  The  engines  have  single  command  channel  shutdown  logic  that 
allows  the  engine  to  shut  down  by  accepting  shutdown  commands  on  only  one  out  of  three  command 
channels.  Operationally,  this  logic  is  only  relied  upon  for  late,  unexpected  failures.  @[111501-4939] 

One  example  of  a  transient  failure  is  an  EIU  power-on-reset  failure.  A  power-on-reset  failure  causes  the 
temporary  loss  of  a  single  power  supply  in  an  EIU.  Since  the  EIU  MIA  ports  1  and  3  are  on  the  same 
power  source  (MIA  ports  2  and  4  are  on  another),  this  failure  will  cause  the  temporary  loss  of  command 
and  data  transfer  capability  on  two  MIA  ports  (ground  data  only  shows  the  status  of  MIA  ports  1  and  4; 
therefore,  MIA  ports  3  and  2  are  assumed  bypassed  with  ports  1  and  4,  respectively).  After  this  failure  has 
occurred,  the  command  transfer  capability  will  be  regained  automatically  while  the  data  transfer 
capability  will  be  regained  via  an  I/O  Reset.  The  following  scenario  is  an  example  of  the  concern  that  this 
failure  raises:  If  an  engine  has  a  command  channel  B  failure  and  a  power-on-reset  failure  on  MIA  ports  1 
and  3,  the  engine  will  be  considered  to  have  suspect  command  capability  even  if  the  engine  responds  to 
throttle  commands  and  will  be  shut  down  pre-MECO.  ®[1 11501-4939  ] 
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A5-108  MANUAL  SHUTDOWN  FOR  HYDRAULIC  OR  ELECTRICAL  LOCKUP 

AN  SSME  IN  HYDRAULIC  OR  ELECTRICAL  LOCKUP  MAY  HAVE  TO  BE  MANUALLY 
SHUT  DOWN  TO  PREVENT  A  VIOLATION  OF  THE  ENGINE  L(£  NPSP  REQUIREMENTS 
NEAR  MECO.  MANUAL  SHUTDOWN  WILL  BE  REQUIRED  UNDER  THE  FOLLOWING 
CONDITIONS  FOR  ANY  ENGINE  LOCKED  UP  ABOVE  THE  MINIMUM  POWER  LEVEL 
(KM IN)  .  @[061297-6171]  ©[090999-7052A] 

A.  NOMINAL/ ATO:  ®[ED  ] 

1.  THREE  ENGINES  ON: 

a.  ONE  STUCK  THROTTLE  -  SHUT  DOWN  THE  AFFECTED  ENGINE  AT 
VI  =  23K  FPS  USING  THE  SHUTDOWN  PB . 

b.  TWO  STUCK  THROTTLES  -  (REF.  RULE  {A5-109},  MANUAL 
SHUTDOWN  FOR  TWO  STUCK  THROTTLES  (NOT  DUAL  APU 
FAILURES),  AND  RULE  {A8-61},  SSME  SHUTDOWN  DUE  TO 
HYDRAULIC  SYSTEM  FAILURES)  .  ®[ED  ] 

2.  TWO  ENGINES  ON  -  NO  ACTION  REQUIRED. 

B.  RTLS  AND  TAL  -  NO  ACTION  REQUIRED. 

Manual  shutdown  of  an  engine  in  hydraulic  or  electrical  lockup  is  only  required  for  a  three-engine 
nominal  or  ATO  mission.  The  three-engine  LO2  low  level  cutoff  delay  timer  (as  defined  by  the  1-load 
NOM_L02_LOW_LVL_TIME_DELAY_L  -  currently  0.358  seconds)  is  designed  for  three  engines 
shutting  down  from  the  minimum  power  level  (as  defined  by  the  I-load  KMIN  -  currently  67  percen  t 
power  level).  If  one  engine  is  stuck  above  the  minimum  power  level,  the  LO2  net  positive  suction 
pressure  (NPSP)  and  post  shutdown  LO2  mass  requirements  may  be  violated.  Therefore,  an  LO2 
depletion  cutoff  at  power  levels  greater  than  that  accounted  for  by  the  low  level  timers  could  cause 
high  pressure  oxidizer  pump  overspeed  resulting  in  a  potentially  catastrophic  engine  shutdown.  Given 
the  potentially  catastrophic  nature  of  the  shutdown  and  given  that  an  LO2  low  level  cutoff  cannot 
always  be  predicted  (reference  the  STS-93  unpredicted  LO2  low  level  cutoff  which  was  caused 
primarily  by  an  SSME  nozzle  leak  which  was  smaller  than  the  minimum  criteria  of  Rule  (A5-110}, 

SSME  PERFORMANCE  DISPERSION,  and  therefore  not  modeled  in  the  Abort  Region  Determinator 
(ARD)),  it  was  decided  to  accept  the  operational  impacts  of  always  shutting  down  a  locked  up  engine 
when  three  engines  are  on  as  opposed  to  relying  on  the  ARD  to  make  a  real-time  performance 
evaluation  (reference  Ascent  Flight  Techniques  Panel  Meeting  #160,  August  27,  1999).  These  impacts 
include  up  to  60  feet  per  second  of  lost  performance  and  a  planar  error  at  MECO  of  up  to  10  feet  per 
second  (some  planar  error  is  inevitable  for  these  cases  even  if  the  stuck  engine  is  not  shut  down). 

©[090999-7052A]  @[092701 -481 9A]  ®[ED  ] 
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A5-108  MANUAL  SHUTDOWN  FOR  HYDRAULIC  OR  ELECTRICAL  LOCKUP 

(CONTINUED) 


Analysis  performed  without  dispersions  indicates  the  LO2  residual  mass  requirement  is  satisfied  for  an 
engine  stuck  at  up  to  76  percent  power  level  (reference  PSIG  telecon,  August  25,  1999).  However,  to 
protect  for  dispersions  in  the  analytically  derived  LO2  mass  requirement,  to  protect  for  potential 
uncertainties  in  the  engine  power  level  prediction  at  shutdown,  to  maximize  the  NPSP  and  LO2  residual 
mass  provided,  and  to  provide  operational  simplicity,  a  manual  engine  shutdown  is  performed  for  any 
engine  stuck  greater  than  the  minimum  power  level.  By  shutting  down  the  stuck  engine  prior  to  MECO, 
the  two  remaining  engines  will  throttle  to  91  percent  power  level  for  fine  count.  The  low  level  cutoff 
delay  timer  for  the  two-engine  on  case  is  zero,  thereby  maximizing  the  NPSP  and  LO2  residual  mass  for 
two  engines  shu  tting  down  from  91  percen  t.  ®[061 297-61 71  ]  ®[090999-7052A] 

For  the  two-engine-on  case  with  stuck  throttles  at  any  power  level,  the  technical  community  determined 
that  the  NPSP  would  not  be  severely  violated  and  the  minimum  post  shutdown  LO2  mass  requirements 
would  be  satisfied.  Therefore,  no  action  was  required  (reference  the  24th  PSIG  in  November  1983  and 
Ascent  Flight  Techniques  on  May  21,  1984).  For  an  RTLS  or  TAL  abort,  the  LO2  residuals  should  be 
sufficient  enough  to  prevent  an  LO2  low  level  shutdown. 

Shutdown  of  cm  engine  in  either  a  hydraulic  or  electric  lockup  will  be  performed  by  shutdown  pushbutton 
only.  The  shutdown  pushbutton  method  for  maimed  shutdown  of  cm  engine  in  either  hydraulic  or  electric 
lockup  minimizes  the  exposure  to  the  unnecessary  risk  of  a  pneumatic  shutdown  in  the  case  of  the 
electrically  locked-up  engine  and  simplifies  crew  procedures  in  the  case  of  the  hydraulically  locked-up 
engine.  ®[090999-7052A] 
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A5-109  MANUAL  SHUTDOWN  FOR  TWO  STUCK  THROTTLES  (NOT  DUAL 

APU  FAILURES) 

A.  THREE  ENGINES  RUNNING: 

1.  NOMINAL/ ATO  -  MANUALLY  SHUT  DOWN  ONE  ENGINE  AT  Vj  ?  23K  FPS  . 

2.  TAL  -  MANUALLY  SHUT  DOWN  ONE  ENGINE  AT  Vj  ?  22. 5K  FPS. 

ENABLE  MANUAL  THROTTLES  PRIOR  TO  ABORT  SELECTION 
TO  MAINTAIN  NOMINAL  POWER  LEVEL.  ®[082593-1 464C] 

3.  RTLS  -  BEFORE  SELECTING  RTLS ,  MANUAL  THROTTLES  WILL  BE 

ENABLED  AND  MINIMUM  THROTTLES  SELECTED.  AT  LEAST 
10  SECONDS  OF  MINIMUM  THROTTLE  LEVEL  IS  DESIRED 
PRIOR  TO  RTLS  SELECTION.  AUTO  THROTTLES  WILL  BE 
RESELECTED  ANYTIME  PRIOR  TO  POWERED  PITCH-AROUND 
(PPA) .  IF  BOTH  ENGINES  WITH  STUCK  THROTTLES  ARE 
AT  MORE  THAN  85  PERCENT,  MANUALLY  SHUT  DOWN  ONE 
ENGINE  2  MINUTES  PRIOR  TO  MECO.  @[082593-1 464C] 

SHUTDOWN  PRIORITY:  (1)  COMMAND  PATH  FAIL,  (2)  HYDRAULIC 
LOCKUP,  (3)  ELECTRICAL  LOCKUP 

B.  TWO  ENGINES  RUNNING  -  NO  ACTION  REQUIRED. 

For  dual  command  path  failures,  reference  Rule  {A5-106J,  MANUAL  SHUTDOWN  FOR 
COMMAND/DATA  PATH  FAILURES.  For  dual  hydraulic  failures,  ref  Rule  {A8-61},  SSME 
SHUTDOWN  DUE  TO  HYDRAULIC  SYSTEM  FAILURES. 

If  two  of  three  operating  engines  have  stuck  throttles,  manual  shutdown  of  an  engine  will  be  required  to 
prevent  violation  of  the  3.5g  acceleration  limit.  This  limit  cannot  be  violated  with  only  two  engines 
operating.  Also,  this  limit  cannot  be  violated  on  a  three-engine  RTLS  if  at  least  one  of  the  stuck  throttles 
is  less  than  or  equal  to  85  percent.  Above  85  percent,  shutting  down  an  engine  2  minutes  prior  to  MECO 
ensures  that  it  will  not  be  violated.  ®[1 10900-7242  ] 

For  all  RTLS  cases  with  two  stuck  throttles,  minimum  throttles  will  be  selected  prior  to  abort  selection. 

Doing  so  will  allow  guidance  to  converge  on  the  correct  average  thrust  level  and  will  reduce  the 
probability  of  an  early  PPA.  For  guidance  to  have  enough  time  to  converge,  minimum  throttle  levels 
must  be  achieved  at  least  10  seconds  prior  to  RTLS  selection.  If  not,  an  early  PPA  may  occur,  resulting 
in  MECO  conditions  that  are  not  optimized.  AUTO  throttles  should  be  reselected  at  some  point  prior  to 
PPA,  but  are  not  mandatory  prior  to  RTLS  selection.  ©[082593-1464C] 

THIS  RULE  CONTINUED  ON  NEXT  PAGE 


VOLUME  A  11/21/02  FINAL,  PCN-1  BOOSTER  5-47 

Verify  that  this  is  the  correct  version  before  use. 


NASA  -  JOHNSON  SPACE  CENTER 


FLIGHT  RULES 


A5-109  MANUAL  SHUTDOWN  FOR  TWO  STUCK  THROTTLES  (NOT  DUAL 

APU  FAILURES)  (CONTINUED) 

For  TAL,  it  is  undesirable  to  throttle  down  the  good  engine  due  to  the  guidance  transients  which  may 
occur  and  the  fact  that  little  time  would  be  gained  to  perform  the  abort  dump.  Therefore,  manned 
throttles  will  be  selected  to  prevent  an  automatic  throttledown  when  TAL  is  declared.  This  action  is 
not  required  if  TAL  is  declared  early  enough  that  automatic  throttling  will  not  occur  at  abort 
selection.  However,  since  there  is  no  disadvan  tage  to  selecting  manual  throttles  for  this  short  period 
of  time,  manned  throttles  will  always  be  selected  for  consistency.  AUTO  throttles  will  be  reselected 
after  TAL  is  declared.  ®[082593-i  464C] 

Shutdown  priorities  are  established  to  protect  against  the  maximum  risk.  Command  path  failure  means 
the  engine  will  not  automatically  shut  clown  at  MECO,  which  is  catastrophic.  Hydraulic  lockup  means 
shutdown  requires  the  nonredundant  pneumatic  system.  Electric  lockup  results  in  a  nominal  shutdown. 

Shutdown  will  be  performed  on  the  command  path  failed  engine  using  the  ac  power  switches  and  shutdown 
pushbutton.  Shutdown  of  cm  engine  in  either  a  hydraulic  or  electric  lockup  will  be  performed  by  shutdown 
pushbutton  only.  The  shutdown  pushbutton  method  for  manual  shutdown  of  an  engine  in  either  hydraulic 
or  electric  lockup  minimizes  the  exposure  to  the  unnecessary  risk  of  a  pneumatic  shutdown  in  the  case  of 
the  electrically  locked-up  engine  and  simplifies  crew  procedures  in  the  case  of  the  hydraulically  locked-up 
engine. 

Rule  {A2-301},  Note  8,  CONTINGENCY  ACTION  SUMMARY,  and  (A4-59},  MANUAL  THROTTLE 
SELECTION,  reference  this  rule.  ®[092195-1770A] 
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A5-110  SSME  PERFORMANCE  DISPERSION  @[070899-6819] 

A.  SHOULD  AN  SSME  PERFORMANCE  DISPERSION  ARISE,  THE  ABORT  REGION 
DETERMINATOR  (ARD)  PROGRAM  IN  THE  MCC  WILL  BE  ADJUSTED  ASAP 
WITH  THE  FOLLOWING  INFORMATION:  @[070899-6819] 

1.  AFFECTED  SSME  CAUSING  THE  PERFORMANCE  DISPERSION 

2.  TIME  OF  OCCURRENCE 

3.  MODE  AND  LEVEL  OF  THE  PERFORMANCE  DISPERSION  CONDITION 
INCLUDING  INSTANTANEOUS  PERFORMANCE  INFORMATION. 


The  SSME  performance  dispersion  rule  defines  die  failures  and  die  minimum  criteria  which  must  be  met 
prior  to  updating  the  ARD  with  an  SSME  performance  case.  The  Booster  Main  Engine  Tables  quantify 
each  of  the  performance  cases  and  include  the  minimum  criteria  for  calling  the  performance  cases. 

These  tables  are  generated  using  the  SSME  Power  Balance  Model  data  provided  by  Rocketdyne  in 
response  to  a  Shuttle  Operational  Data  Book  (SODB)  Request.  The  Engine  Status  Word  (ESW),  MCC 
Pc,  HPOT/HPFT  discharge  temperatures,  LPFP  discharge  temperature,  OPOV/FPOV position,  and/or 
HPOP/FIPFP  discharge  pressures  are  the  primary  cues  used  for  determining  performance  cases. 

Updates  to  the  ARD  consist  of  changes  in  power  level  (thrust),  specific  impulse  (Isp),  and  mixture  ratio 
(MR).  The  ARD  uses  these  SSME  performance  parameters  to  predict  abort  mode  capabilities  real  time. 

A  change  in  any  of  these  parameters  could  affect  the  abort  boundaries  significantly. 

B.  AN  SSME  PERFORMANCE  EVALUATION  CAN  ONLY  BE  MADE  WHEN  THE  SSME 
COMMANDED  POWER  LEVEL  IS  KNOWN  AND  THE  SSME  IS  IN  A  STEADY- 
STATE  CONDITION.  QUANTIFIABLE  PERFORMANCE  DISPERSIONS  ARE  AS 
FOLLOWS : 

1.  SINGLE  MCC  PC  CHANNEL  SHIFT  HIGH  OR  LOW  WILL  BE  CALLED  IF 
THE  DELTA  BETWEEN  MCC  PC  CHANNEL  A  AND  MCC  PC  CHANNEL  B 
IS  ?  50  PSI: 

a.  FOR  PC  SHIFT  HIGH  ACTUAL  LOW,  THE  LOWEST  MCC  PC  CHANNEL 
WILL  BE  USED  FOR  PERFORMANCE  EVALUATION. 

b.  FOR  PC  SHIFT  LOW  ACTUAL  HIGH,  THE  HIGHEST  MCC  PC 
CHANNEL  WILL  BE  USED  FOR  PERFORMANCE  EVALUATION. 
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A5-110  SSME  PERFORMANCE  DISPERSION  (CONTINUED) 

C.  FOR  A  SINGLE  MCC  PC  CHANNEL  SHIFT,  THE  AFFECTED  MAIN 
ENGINE  CONTROLLER  CHANNEL  WILL  BE  POWER  CYCLED  FOR  1 
SECOND  BY  THE  CREW  IF  AN  ATO  CANNOT  BE  ACHIEVED. 

THIS  PROCEDURE  WILL  NOT  BE  IMPLEMENTED  IF  IT  WILL 
CAUSE  AN  SSME  SHUTDOWN  OR  NOT  CORRECT  THE  PERFORMANCE 
DISPERSION  AS  DEFINED  BELOW:  ®[061 297-61 47A]  @[070899-6819] 

(1)  LIMIT  EXCEEDED  ON  ANY  REMAINING  SHUTDOWN  SENSOR (S) 
ON  OTHER  CHANNEL  SO  THAT  IT  CAUSES  ENGINE 
SHUTDOWN. 

(2)  LOSS  OF  OTHER  CHANNEL'S  DCU,  INPUT  ELECTRONICS,  OR 
OUTPUT  ELECTRONICS  (CAUSES  SSME  SHUTDOWN)  .  @[070899-6819] 

(3)  WHEN  IN  ELECTRICAL  LOCKUP  OR  WHEN  CHANNEL  POWER 
CYCLE  CAUSES  ELECTRICAL  LOCKUP.  @[061 297-61 47A] 

(4)  WHEN  IN  HYDRAULIC  LOCKUP  OR  WHEN  CHANNEL  POWER 
CYCLE  CAUSES  HYDRAULIC  LOCKUP.  @[061 297-61 47A] 

NOTE:  IT  IS  ACCEPTABLE  TO  CAUSE  A  MOMENTARY  OR 

PERMANENT  SSME  COMMAND  PATH  FAILURE,  BECAUSE 
THE  SSME  CAN  STILL  REBALANCE  TO  CORRECT  FOR  THE 
PERFORMANCE  CASE  .  @[061 297-61 47A] 


The  SSME  thrust  is  controlled  using  the  MCC  Pc  channel  average.  A  single  MCC  Pc  channel  erroneously 
shifting  high  or  low  will  cause  the  SSME  to  shift  in  the  opposite  direction  in  an  attempt  to  rebalance  the 
SSME.  That  is,  for  an  MCC  Pc  channel  shift  high  case,  the  SSME  will  actually  shift  low.  The  good  MCC 
Pc  channel  will  shift  in  the  direction  of  the  actual  SSME  shift  causing  a  delta  between  the  two  MCC  Pc 
channels.  The  good  MCC  Pc  channel  will  be  used  for  performance  evaluation.  A  difference  of  50  psi 
between  the  two  MCC  Pc  channels  is  the  minimum  detectable  single  MCC  Pc  channel  shift,  and  it  equates 
to  an  actual  MCC  Pc  error  of  25  psi  (level  1,  MCC  Pc  Shift  Tables). 
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A5-110  SSME  PERFORMANCE  DISPERSION  (CONTINUED) 

A  shifted  MCC  Pc  channel  can  so  adversely  impact  SSME  performance  that  an  ATO  cannot  be  achieved. 
For  such  a  case,  the  Booster  will  call  for  the  con  troller  channel  with  the  malfunctioning  MCC  Pc  channel 
to  be  power  cycled  for  1  second.  Booster  must  be  ready  to  identify  the  channel  and  switch  to  be  cycled  by 
the  crew.  The  con  troller  channel  that  has  been  power  cycled  will  remain  available  for  command  and  data 
transfer,  but  the  controller  IE  (sensor  data  to  the  controller )  and  OE  (control  to  the  valve  servo-actuators 
and  servo-switches)  on  that  channel  will  be  disqualified.  Disqualification  of  a  shifted  Pc  sensor’s  IE  will 
restore  engine  operation  to  nominal  thrust  and  mixture  ratio  conditions.  This  action  should  not  be  taken  if 
it  will  cause  engine  shutdown  or  not  correct  the  performance  dispersion.  Cases  that  would  cause  engine 
shutdown  consist  of  redline  shutdown  sensor(s)  violating  redline  limits  on  the  remaining  channel  or  loss  of 
the  remaining  channel’s  DCU,  IE,  or  OE.  Reference  (Rule  A5-2},  SPACE  SHUTTLE  MAIN  ENGINE 
OUT,  paragraphs  E  and  F.  If  the  SSME  is  in  electrical  or  hydraulic  lockup  or  when  channel  power  cycle 
causes  electric  or  hydraulic  lockup,  disqualifying  the  faulty  sensor  (channel)  will  not  correct  the  dispersion 
since  the  engine  valves  cannot  be  repositioned.  It  is  acceptable  to  create  a  momentary  or  permanen  t 
command  path  failure  because  it  is  not  necessary  for  the  controller  to  have  good  GPC  commands  in  order 
for  the  SSME  to  rebalance.  However,  command  path  failures  are  unlikely  since  the  SSME  command 
channel  is  expected  to  be  regained  once  the  controller  power  is  turned  back  on.  If  a  command  path  failure 
does  occur,  the  affected  SSME  must  be  shut  down  prior  to  MECO  based  on  the  cues  listed  in  Flight  Rule 
{A5-106},  MANUAL  SHUTDOWN  FOR  COMMAND/DATA  PATH  FAILURES.  @[070899-6819  ] 

2.  A  DUAL  MCC  PC  CHANNEL  SHIFT  HIGH  OR  LOW  CASE  WILL  BE 

CALLED  WHEN  THE  MCC  PC  ERROR  IS  ?37.5  PSI .  A  MINIMUM  MCC 
PC  ERROR  OF  37.5  PSI  IS  DEFINED  BY  THE  BOOSTER  MAIN 
ENGINE  TABLES  WHEN  ALL  THREE  TELEMETRY  PARAMETER  DELTAS 
(HPOT  DISCHARGE  TEMPERATURE,  HPOP  DISCHARGE  PRESSURE,  AND 
HPFP  DISCHARGE  PRESSURE)  EXCEED  THE  LEVEL  1.5  CRITERIA 
PER  THE  MCC  PC  SHIFT  TABLES.  A  DELTA  BETWEEN  THE  MCC  PC 
CHANNELS  MAY  OR  MAY  NOT  BE  PRESENT.  @[070899-6819] 

Actual  MCC  Pc  error  can  also  result  from  shifts  in  both  the  MCC  Pc  channels  (shifting  by  the  same  or 
different  amounts)  or  a  shift  in  one  MCC  Pc  channel  with  the  other  channel  previously  disqualified;  this 
is  defined  as  a  dual  MCC  Pc  channel  shift.  For  this  case,  the  actual  SSME  MCC  Pc  error  will  be 
determined  using  the  HPOT  discharge  temperature,  HPOP  discharge  pressure,  and  HPFP  discharge 
pressure.  A  dual  MCC  Pc  channel  shift  will  be  assessed  when  all  three  of  these  telemetry  parameter 
deltas  exceed  the  minimum  criteria  (SSME  MCC  Pc  error  237.5  psi)  listed  in  the  Booster  Main  Engine 
Tables  (approved  at  the  A/EFTP  No.  152  on  September  18,  1998).  Both  the  single  and  the  dual  MCC  Pc 
channel  shift  cases  will  use  the  same  MCC  Pc  Shift  Tables  for  the  ARD  updates,  and  the  level  in  both 
cases  will  be  based  on  the  actual  MCC  Pc  error.  For  a  dual  MCC  Pc  shift  case,  waiting  for  MCC  Pc 
error  of  37.5  psi  (level  1.5)  protects  against  erroneously  calling  the  case  due  to  prediction  sigmas,  and  it 
reliably  differen  tiates  this  case  from  other  cases  that  have  similar  SSME  temperature  and  pressure 
movements. 
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A5-110  SSME  PERFORMANCE  DISPERSION  (CONTINUED) 

3.  LPFT  DISCHARGE  TEMPERATURE  SHIFT  CASE  WILL  BE  CALLED  WHEN 
THE  LPFT  DISCHARGE  TEMPERATURE  SENSOR  SHIFTS  LOW?  2  DEG  R. 


A  shift  in  LPFT  discharge  temperature  sensor  will  cause  an  error  in  the  fuel  density  calculation.  This 
error  in  fuel  density  will  propagate  into  an  error  in  the  mixture  ratio  calculation.  The  SSME  controller 
will  then  attempt  to  return  the  calculated  mixture  ratio  to  the  nominal  value  by  adjusting  the  SSME 
valves  causing  cm  off-nomincd  engine  performance  dispersion.  A  performance  adjustment  to  the  ARD 
will  only  be  made  for  a  shift  low  of  the  LPFT  discharge  temperature  sensor  because  the  LPFT  discharge 
temperature  cannot  realistically  get  colder.  The  minimum  detectable  error  is  2  deg  R  to  cover 
instrumentation  accuracy,  run  to  run  variations,  and  to  ensure  sufficient  change  in  the  SSME 
parameters  for  failure  identification. 

4.  ELECTRICAL  LOCKUP  WILL  BE  CALLED  WHEN  THE  ENGINE  STATUS 
WORD  (ESW)  INDICATES  THAT  THE  SSME  IS  IN  ELECTRICAL 
LOCKUP . 

a.  IF  THE  MCC  PC  OR  THE  LH2  FLOWMETER  SENSORS  SHIFT 
PRIOR  TO  ELECTRICAL  LOCKUP  AND  IF  THE  SSME  IS  LOCKED 
UP  AT  THE  MISSION  POWER  LEVEL,  AN  ARD  ADJUSTMENT  WILL 
BE  MADE  USING  THE  MCC  PC  SHIFT  TABLES  OR  LH? 

FLOWMETER  SHIFT  TABLES.  @[070899-6819] 

b.  IF  THERE  IS  NO  QUANTIFIABLE  SHIFT  IN  THE  MCC  PC  OR  THE 
LH2  FLOWMETER  SENSORS  PRIOR  TO  ELECTRICAL  LOCKUP,  AN 
ARD  ADJUSTMENT  WILL  BE  MADE  USING  THE  BACKUP 
ELECTRICAL  LOCKUP  TABLES.  @[070899-6819] 

An  electrical  lockup  will  be  called  when  the  ESW  mode  indicates  that  the  SSME  is  in  electrical  lockup. 
Electrical  lockup  is  caused  by  disqualification  of  both  channels  of  either  the  MCC  Pc  or  the  LH2  flowmeter 
sensors  (reference  Flight  Rule  {A5-3J,  STUCK  THROTTLE).  If  the  MCC  Pc  or  LH2  flowmeter  sensor  shift 
caused  an  SSME  to  rebalance  prior  to  disqualification,  cm  ARD  adjustment  will  be  made  using  the  MCC 
Pc  shift  tables  or  the  LH2  flowmeter  shift  tables.  If  there  is  no  quantifiable  shift  in  the  SSME  performance 
prior  to  an  electrical  lockup,  then  an  ARD  adjustment  will  be  made  using  the  backup  electrical  lockup 
table. 

The  fuel  flow  meter  and  Pc  shift  tables  are  only  valid  at  the  mission  power  level.  For  electrical  lockups 
that  do  not  occur  at  the  mission  power  level,  the  backup  electrical  lockup  tables  are  used.  The  backup 
electrical  lockup  tables  adjust  thrust,  Isp  and  MR  for  LO2  in  let  pressure  at  the  time  of  the  lockup. 
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A5-110  SSME  PERFORMANCE  DISPERSION  (CONTINUED) 

5.  AN  LH2  FLOWMETER  SHIFT  HIGH  OR  LOW  WILL  BE  CALLED  WHEN  THE 
FUEL  FLOW  ERROR  IS  ?  450  GPM .  A  MINIMUM  FUEL  FLOW  ERROR 
OF  450  GPM  IS  DEFINED  BY  THE  BOOSTER  MAIN  ENGINE  TABLES 
WHEN  ALL  FOUR  TELEMETRY  PARAMETER  DELTAS  (HPOT  DISCHARGE 
TEMPERATURE,  HPOP  DISCHARGE  PRESSURE,  HPFP  DISCHARGE 
PRESSURE,  AND  FPOV  POSITION)  EXCEED  THE  LEVEL  1  CRITERIA. 

The  SSME  mixture  ratio  is  controlled  using  the  measured  volumetric  flowrate  from  the  LH2  flowmeter.  A 
shift  in  the  LH2  flowmeter  will  cause  the  SSME  controller  to  calculate  incorrect  values  for  LEI2  mass 
flowrate,  propagating  into  a  mixture  ratio  error.  The  controller  will  then  attempt  to  return  the  calculated 
mixture  ratio  to  the  nominal  value  by  adjusting  the  SSME  valves.  This  will  cause  the  real  thrust,  Isp,  and 
MR  to  be  off-nominal.  A  flowmeter  shift  low  will  cause  the  controller  to  increase  LH2flow,  ’’shift  low 
actual  high,  ”  causing  the  real  mixture  ratio  to  be  low.  A  LH2  flowmeter  shift  high  will  cause  the  controller 
to  decrease  the  LH2.flow,  “shift  high  actual  low,  ”  causing  the  real  mixture  ratio  to  be  high.  The  LH2 
flowmeter  shift  case  will  be  assessed  only  when  all  four  telemetry  parameter  deltas  ( HPOT  discharge 
temperature,  HPOP  discharge  pressure,  HPFP  discharge  pressure,  and  FPOV  position)  exceed  the  level  1 
criteria  (SSME  fuel  flow  error  ?  450  GPM )  listed  in  the  Booster  Main  Engine  Tables.  The  OPOV  position 
cue  was  replaced  by  the  HPFP  discharge  pressure  cue  after  the  Block  I  SSME’s  were  introduced  into  the 
fleet  -  due  to  OPOV  position  oscillations  (reference  PSIG  Action  No.  9401 12-DO  1. 

6.  HYDRAULIC  LOCKUP  WILL  BE  DECLARED  WHEN  THE  HYDRAULIC 

SUPPLY  PRESSURE  DROPS  BELOW  1500  PSIA  OR  WHEN  THE  ESW 
INDICATES  HYDRAULIC  LOCKUP.  THE  INSTANTANEOUS  AND  DRIFT 

PERFORMANCE  WILL  BE  COMPUTED  IN  REAL-TIME,  AND  THE  ARD 
WILL  BE  ADJUSTED  ACCORDINGLY.  @[070899-6819] 

The  SSME  propellant  valves  will  not  properly  actuate  with  the  hydraulic  supply  pressure  below  1500 
psia  and  will  begin  to  drift  due  to  flow  torque  effects.  Av  the  SSME  propellan  t  valves  drift  and  as  the 
SSME  controller  also  attempts  to  adjust  the  valves  to  account  for  vehicle  acceleration/inlet  pressure 
effects,  the  SSME  controller  will  disqualify  both  servo-actuators  and  mode  the  SSME  into  hydraulic 
lockup  as  indicated  by  the  ESW.  The  SSME  controller  can  also  mode  the  SSME  into  hydraulic  lockup  for 
reasons  other  than  loss  of  hydraulic  supply  pressure  (reference  Flight  Rule  ( A5-3J ,  STUCK 
THROTTLE).  For  either  case,  the  ARD  will  be  updated  with  an  instan  taneous  thrust,  Isp  and  MR.  If  the 
performance  is  changing  with  time  due  to  valve  drift,  the  mainstcige  performance  during  lockup  will  be 
calculated  real  time  via  an  algorithm  in  the  Booster  Operational  Support  Software.  Once  the  drift 
performance  can  be  quantified,  the  drift  level  and  the  drift  time  used  in  these  calculations  will  be  passed 
to  the  Trajectory  Officer  for  ARD  update.  The  drift  rate  is  assumed  to  be  linear  (based  on  SSME  test 
stand  data).  Ground  testing  of  hydraulic  lockup  has  shown  that  significant  valve  drift  can  occur  on  an 
engine  in  hydraulic  lockup.  Design  changes  to  the  SSME  valve  actuators  have  been  incorporated  to 
min  imize  valve  drift  in  case  of  hydraulic  lockup.  @[070899-6819  ] 
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A5-110  SSME  PERFORMANCE  DISPERSION  (CONTINUED) 

7.  PRE-THRUST  LIMITING  NOZZLE  LEAK  WILL  BE  CALLED  AT  LEAK 
RATES  ?  7  LBM/SEC.  A  MINIMUM  LEAK  RATE  OF  7  LBM/SEC  IS 
DEFINED  BY  THE  BOOSTER  MAIN  ENGINE  TABLES  WHEN  ALL  FOUR 
TELEMETRY  PARAMETER  DELTAS  (HPOT  DISCHARGE  TEMPERATURE, 
HPFT  DISCHARGE  TEMPERATURE,  HPFP  DISCHARGE  PRESSURE,  AND 
OPOV  POSITION)  EXCEED  THE  LEVEL  1  CRITERIA. 

Leakage  from  the  nozzle  tubes  is  the  most  likely  source  of  a  fuel  leak  based  upon  SSME  experience,  but 
Booster  will  call  any  fuel  leak  downstream  of  the  fuel  flowmeter  a  nozzle  leak.  During  a  nozzle  leak,  fuel  is 
lost  overboard  causing  a  decrease  in  thrust,  and  the  SSME  will  command  the  OPOV  open  in  an  attempt  to 
maintain  a  constant  SSME  thrust.  As  the  leak  rate  gets  larger,  the  OPOV  will  continue  to  open  causing  the 
actual  SSME  mixture  ratio  and  thrust  to  increase.  When  the  maximum  OPOV  command  limit  is  exceeded, 
the  SSME  will  enter  a  mode  called  thrust  limiting  where  the  OPOV  will  no  longer  be  commanded  to  open 
further.  If  the  leak  rate  continues  to  increase  after  thrust  limiting,  the  actual  SSME  mixture  ratio  and 
thrust  will  start  to  decrease.  Due  to  the  difference  in  performance  parameter  trends  for  pre-thrust  limiting 
and  post-thrust  limiting  nozzle  leaks,  the  Booster  Main  Engine  Tables  considers  them  separate 
performance  cases  for  the  ARD  update.  @[070899-6819  ] 

Pre-thrust  limiting  nozzle  leaks  will  be  assessed  for  an  ARD  update  only  when  all  four  telemetry  parameter 
deltas  (HPOT  discharge  temperature,  HPFT  discharge  temperature,  HPFP  discharge  pressure,  and  OPOV 
position )  exceed  the  level  1  criteria  (fuel  leak  rate  ?  7  Ibm/sec)  listed  in  the  Booster  Mean  Engine  Tables 
(approved  at  the  A/EFTP  #  152  on  September  18,  1998).  The  minimum  criteria  protects  against 
erroneously  calling  the  case  due  to  prediction  sigmas,  and  it  reliably  differentiates  this  case  from  other 
cases  that  have  similar  SSME  temperature,  pressure,  and  valve  movements.  In  the  case  of  pre-thrust 
limiting  nozzle  leaks,  the  level  1  criteria  for  OPOV  position  delta  (approximately  3  percen  t )  is  large 
enough  to  prevent  the  Block  I  SSME  OPOV  position  oscillation  (approximately  1  percent)  from 
erroneously  exceeding  the  minimum  cue  during  nominal  operations.  The  approximately  1  percent  OPOV 
oscillation  is  only  present  on  Block  I  SSME  and  not  on  Phase  II/Block  IIA/Block  II  SSME’s.  @[070899-6819  ] 

8.  POST-THRUST  LIMITING  NOZZLE  LEAKS  WILL  BE  CALLED  WITH 
THRUST  LIMITING  FLAG  SET. 

9.  AN  HPOT  EFFICIENCY  LOSS  WILL  BE  CALLED  WITH  THRUST 
LIMITING  FLAG  SET. 

An  ARD  update  will  be  made  for  a  post-thrust  limiting  nozzle  leak  or  HPOT  efficiency  loss  case  only 
when  the  SSME  has  entered  the  thrust-limiting  mode.  Subsequent  to  thrust  limiting,  the  two  cases  are 
differentiated  by  using  the  HPOT  discharge  temperature.  The  HPOT  discharge  temperature  will  rise  in 
both  of  the  thrust  limiting  cases,  but  the  delta  value  is  much  greater  in  the  case  of  a  nozzle  leak.  In  order 
to  differentiate  between  the  two  cases,  the  HPOT  discharge  temperature  delta  cue  was  developed  as  the 
breakover  value  for  each  of  these  cases.  The  HPOT  efficiency  loss  will  not  result  in  off-nominal  SSME 
operation  prior  to  thrust  limiting;  therefore,  it  is  only  assessed  after  thrust  limiting  is  initiated. 
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The  SSME  Project  Ojfice  acknowledges  that  there  are  “Overall  Call  Uncertainties”  associated  with  each 
of  the  off-nominal  SSME  performance  cases.  Uncertainties  exist  in  mixture  ratio,  power  level,  and  Isp 
values.  Subsequent  to  the  quantification  of  an  off-nominal  performance  case,  mixture  ratio,  power  level, 
and  Isp  are  passed  to  the  Flight  Dynamics  Officer  and  are  used  to  update  the  ARD.  The  uncertainties 
associated  with  each  of  these  parameters,  for  each  of  the  performance  cases,  are  documented  in  MSFC 
letter  EE2 1/09 5 -01 6  (Review  of  Booster  Real-time  Software  (BRTS)  Algorithm’s,  D.  R.  Goslin  to  B.  R. 
Stone,  March  17,  1995).  On  February  6,  1996,  the  Integration  Control  Board  (ICB)  made  the  decision 
not  to  protect  these  uncertainties  ( ICB  Item  WACMO0167,  Booster  Console  Uncertainty  on  ARD 
Performance ).  Therefore,  ARD  Flight  Propellant  Reserve  (FPR)  will  not  reflect  these  uncertainties. 
@[041196  1877] 

Rules  {A4-61},  THRUST  LIMITING,  HYDRAULIC,  OR  ELECTRICAL  LOCKUP;  {A5-2j,  SPACE 
SHUTTLE  MAIN  ENGINE  OUT;  {A5-3J,  STUCK  THROTTLE;  and  { A5-106 j,  MANUAL  SHUTDOWN 
FOR  COMMAND/DATA  PATH  FAILURES  reference  this  rule.  @[061 297-61 47A  ]  ®[ED  ]  @[070899-6819  ] 

A5-111  AC  BUS  SENSOR  ELECTRONICS  CONTROL  [CIL] 

THE  ORBITER  AC  BUS  SENSOR  ELECTRONICS  POWER  SWITCH  WILL  BE  PLACED 
TO  "OFF"  FOR  THE  FOLLOWING  ENGINE  FAILURE  CASES: 

A.  ENGINE  OUT  (REF.  RULE  {A9-152},  AC  BUS  SENSORS  SWITCH 
MAN  AGE  ME  NT)  ®[1 21 296-4624  ] 

B.  LOSS  OF  SSME  CONTROLLER  REDUNDANCY  (REF.  RULE  {A5-2},  SPACE 
SHUTTLE  MAIN  ENGINE  OUT)  ®[ED  ] 

C.  ALL  QUALIFIED  REDLINE  SENSORS  ON  A  SINGLE  REDLINE ,  ON  A 
SINGLE  CHANNEL,  VOTING  FOR  SHUTDOWN.  @[121296-4624] 

There  are  single  point  failures  in  the  ac  bus  sensor  electronics  that  can  cause  loss  of  a  single  phase  of  an 
ac  bus  which  powers  the  SSME  controllers.  After  an  engine  failure  or  electrical/avionics  failures  that 
leave  an  engine  one  failure  away  from  shutdown,  the  bus  overvoltage  protection  is  less  important  than 
keeping  an  engine  running.  Therefore,  the  sensor  monitoring  electronics  power  is  terminated  by  moving 
three  switches  (AC  BUS  SNSR)  on  panel  R1  to  OFF. 
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A5-112  MANUAL  THROTTLEDOWN  FOR  LQ2  NPSP  PROTECTION  AT 

SHUTDOWN 

MANUAL  THROTTLING  TO  THE  MINIMUM  SSME  POWER  LEVEL  WILL  BE 
PERFORMED  TO  PROTECT  MECO  LC£  NPSP  REQUIREMENTS  WHEN  LC£ 
LOW-LEVEL  CUTOFF  IS  PREDICTED  TO  OCCUR  BEFORE  FINE  COUNT 
THROTTLEDOWN.  MANUAL  THROTTLING  TO  THE  MINIMUM  POWER  LEVEL 
WILL  BE  PERFORMED  WHEN  THE  ONBOARD  PROPELLANT  REMAINING 
COMPUTATION  REACHES  2  PERCENT,  AND  THE  MCC  FLIGHT  DYNAMICS 
OFFICER  (FDO)  IS  PREDICTING  A  VELOCITY  UNDERSPEED  AT  MECO 
WHICH  IS  GREATER  THAN  THE  FOLLOWING:  @[071494-1645]  ®[121296-4630B] 

A.  TWO  OR  THREE  ENGINES  ON:  500  FT/SEC 

B.  ONE  ENGINE  ON:  250  FT/SEC 

THE  CREW  WILL  PERFORM  SSME  THROTTLEBACK  FOR  THE  ONE  ENGINE-ON 
CASE  EXCEPT  FOR  CERTAIN  CONTINGENCY  ABORT  CASES  (AS  DOCUMENTED 
ON  THE  CONTINGENCY  ABORT  CUE  CARDS  IN  THE  ASCENT  CHECKLIST 
FLIGHT  DATA  FILE)  OR  UNLESS  INSTRUCTED  TO  DO  OTHERWISE  BY  THE 
MCC.  @[071494-1645]  ®[121296-4630B] 

If  FDO  is  predicting  a  low-level  cutoff  prior  to  the  guidance  software  issuing  the  fine  count  command 
(ref.  rationale  of  Rule  {A4-59G},  MANUAL  THROTTLE  SELECTION),  the  engines  will  shut  down  at  an 
unsafe  power  level.  This  will  cause  the  LO2  NPSP  to  be  well  below  the  required  value,  possibly  causing 
uncontained  engine  damage  at  shutdown.  For  two  or  three  engine-on  cases,  analysis  indicates  that  the 
vehicle  acceleration  near  MECO  will  be  sufficien  t  to  preven  t  SSME  shutdown  prior  to  fine  count  as  long 
as  the  predicted  underspeed  (based  on  2  sigma  MPS  propellant  protection)  is  no  greater  than  500 ft/sec. 
Because  of  low  vehicle  acceleration,  analysis  of  the  single  engine-on  case  indicates  that  SSME 
requirements  will  not  be  violated  as  long  as  the  predicted  underspeed  (based  on  2  sigma  MPS  propellant 
protection)  at  MECO  is  less  than  250 ft/sec.  The  two/three  engine-on  case  assumes  a  vehicle  mass  of 
379,000  lbs  at  MECO  minus  10  seconds  and  the  one  engine-on  case  assumes  368,000  lbs  (the  difference 
is  based  on  the  additional  11,000  lbs  MPS  propellan  t  needed  for  the  two  engine-on  case,  which  will  also 
protect  the  three  engine-on  case).  Both  cases  assume  that  the  thrust  provided  by  a  single  engine  at  104 
percent  is  488,800  Ibf  The  500 ft/sec  and  250 ft/sec  cues  are  derived  from  using  the  F  =  M*A  equation, 
as  well  as  those  used  by  the  fine  count  throttle  logic  in  the  guidance  software  (reference  NASA 
memorandum  DF6-94-08,  dated  5/11/94).  If  the  predicted  underspeed  is  greater  than  allowed  for  either 
case,  manual  throttling  will  be  performed  to  the  minimum  power  level,  thereby  reducing  the  NPSP 
requiremen  ts  prior  to  reaching  a  low-level  cutoff  condition.  The  minimum  throttle  level  was  selected 
because  it  provides  the  best  LO2  NPSP  shutdown  conditions.  The  throttledown  cue  of  2  percent 
propellant  remaining  was  selected  to  allow  sufficient  time  to  perform  the  manual  throttling  while 
minimizing  any  performance  impact. 
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A5-112  MANUAL  THROTTLEDOWN  FOR  LQ2  NPSP  PROTECTION  AT 

SHUTDOWN  (CONTINUED) 


Analysis  ( reference  Ascen  t/Entry  Flight  Techniques  Panel  # 91 ,  7/1 7/92 )  shows  that  most  of  the  error  in 
the  onboard  propellant  remaining  computation  occurs  on  the  two-engine-out  press-to-MECO  abort  when 
no  OMS  dump  is  performed.  Engine  performance  problems  also  contribute  to  the  propellant  remaining 
error.  The  worst  case  engine  problem  is  low  specific  impulse  (Isp).  Worst-on-worst  analysis  with  two 
engines  out  simultaneously  at  the  press-to-MECO  boundary  and  the  third  engine  running  with  an  Isp 
which  is  10  seconds  below  nominal  shows  that  the  2  percent  cue  still  provides  sufficient  time  to  throttle 
the  engine  down  before  low-level  cu  toff  occurs.  @[071494-1645  ] 

After  throttledown,  the  crew  will  be  prepared  to  perform  a  manual  MECO  at  the  desired  MECO  velocity 
should  it  be  reached  prior  to  the  low-level  cutoff. 

The  crew  will  not  always  throttleback  for  the  one  engine-on  case.  For  certain  contingency  aborts,  the 
software  determines  and  performs  fine  count  throttles  ( throttleback )  as  required  for  MECO.  No  manual 
throttles  are  required  in  these  cases  as  documented  on  the  contingency  abort  cue  cards  in  the  ascent 
checklist  flight  datafile.  ©[121296-4630B] 

Rule  {A2-64},  MANUAL  THROTTLE  CRITERIA,  references  this  rule. 
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A5-113  MANUAL  MECO/MECO  CONFIRMED  ®[1 1 0900-7230A] 

A.  PERFORMING  MANUAL  MECO 

MANUAL  MECO  IS  PERFORMED  BY  PRESSING  ALL  THREE  MAIN  ENGINE 
SHUTDOWN  PUSHBUTTONS  SIMULTANEOUSLY.  IF  FAILURE (S)  CAUSE  THE 
MAIN  ENGINE  SHUTDOWN  PUSHBUTTONS  TO  NOT  COMMAND  MECO,  THEN  THE 
MANUAL  MECO  WILL  BE  PERFORMED  VIA  THE  ALTERNATE  METHODS  FOR 
SETTING  THE  MECO  CONFIRMED  FLAG  OUTLINED  IN  PARAGRAPH  B. 

If  required,  manual  MECO  is  usually  performed  by  pressing  the  three  SSME  shutdown  pushbuttons 
simultaneously.  The  crews  are  trained  to  perform  manual  MECO  using  all  three  pushbuttons  rather 
than  just  the  pushbuttons  of  running  engines  because  pushing  all  three  pushbuttons  protects  against 
certain  failure  scenarios  withou  t  creating  any  additional  risk.  However,  under  certain  conditions, 
pressing  all  three  pushbuttons  will  not  command  MECO.  If  a  failed  contact  ( i.  e. ,  due  to  control  bus  or 
bad  contact)  on  any  pushbu  tton  cannot  be  comm-faulted  prior  to  MECO  or  if  both  contacts  have  either 
failed  or  are  comm-faulted,  MECO  will  not  be  commanded  when  all  three  pushbuttons  are  pushed. 

These  failures  will  result  in  two  engines  being  shut  down  while  the  engine  associated  with  the  bad 
pushbutton  will  con  tinue  to  run.  If  such  a  failure  is  recognized  prior  to  MECO  and  manual  MECO  is 
required,  the  crew  will  be  instructed  to  command  MECO  by  setting  the  MECO  confirmed  flag  via  the 
appropriate  alternate  method  outlined  in  paragraph  B. 

Performing  a  manual  MECO  on  any  trajectory  is  very  time  critical,  and  it  must  be  recognized  ahead  of 
time  if  the  three  pushbuttons  will  not  work  so  that  alternate  methods  may  be  employed  at  the  required 
moment. 

B.  SETTING  THE  MECO  CONFIRMED  FLAG 

THE  THREE  MAIN  ENGINE  SHUTDOWN  PUSHBUTTONS  WILL  BE  PUSHED 
POST  MECO  FOR  MULTIPLE  COMMAND/DATA  PATH  FAILURE  CASES  TO  SET 
THE  MECO  CONFIRMED  FLAG.  IF  THE  MECO  CONFIRMED  FLAG  WILL  NOT 
BE  SET  WHEN  THE  SHUTDOWN  PUSHBUTTONS  ARE  PRESSED,  IT  WILL  BE 
OBTAINED  VIA  THE  FOLLOWING  ALTERNATE  METHODS: 

1.  NOMINAL/ ATO/TAL :  MANUALLY  PROCEEDING  TO  OPS  104 

2.  RTLS :  PERFORMING  A  FAST  SEP  FROM  THE  EXTERNAL  TANK 

®[1 1 0900-7230A  ] 
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A5-113  MANUAL  MECO/MECO  CONFIRMED  (CONTINUED) 

The  SSME  operations  sequence  will  set  the  MECO  confirmed  flag  for  chamber  pressure  less  than  30 
percen  t  on  all  three  engines  or  a  data  path  failure  on  one  engine  and  the  chamber  pressure  less  than  30 
percent  on  the  other  two  engines.  If  two  engines  experience  a  data  path  failure,  the  software  will  never 
pass  this  check  and  MECO  confirmed  flag  will  not  be  set.  To  work  around  this  problem,  the  crew  can 
push  the  three  shutdown  pushbuttons  after  MECO  to  set  the  MECO  confirmed  flag.  Prior  to  01-22,  all 
three  SSME  pushbuttons  had  to  be  pressed  simultaneously  in  order  to  set  the  MECO  confirmed  flag  in 
the  BFS.  In  01-22  and  subsequent,  the  SSME  pushbuttons  can  be  pressed  individually  to  set  the  MECO 
confirmed  flag  ( CRH  89203 A).  The  MECO  confirmed  flag  must  be  set  to  start  the  ET  separation 
sequence.  ®[1 1 0900-7230A] 

In  the  event  that  multiple  avionics  failures  or  a  failed  pushbutton  con  tact  has  disabled  a  shutdown 
pushbutton,  alternate  methods  of  setting  the  MECO  confirmed  flag  must  be  performed.  On  nominal 
ATO  and  TAL  trajectories,  the  MECO  confirmed  flag  can  be  set  by  manually  keying  in  OPS  104 
PRO.  Since  the  OPS  104  transition  is  not  legal  on  an  RTLS  trajectory,  the  MECO  confirmed  flag 
must  be  set  by  performing  a  fast  sepfrom  the  external  tank.  A  fast  sep  is  performed  by  taking  the 
ET  SEPARATION  switch  to  MAN  and  pressing  the  ET  SEPARATION  pushbutton.  In  PASS,  fast  sep 
logic  is  only  supported  in  major  modes  102,  601,  or  in  major  mode  103  when  the  Second  SSME  Fail 
Confirm  flag  had  been  set.  BFS  only  supports  fast  sep  logic  in  major  mode  102.  ®[1 1 0900-7230A] 

The  above  steps  are  taken  post  MECO  because  setting  the  MECO  confirmed  flag  at  or  before 
MECO  causes  MECO  to  be  commanded.  On  uphill  and  TAL  trajectories,  setting  the  MECO 
confirmed  flag  to  cdlow  the  ET  separation  sequence  to  proceed  is  not  particularly  time  critical  so 
the  three  pushbuttons  can  be  tried  first  before  other  methods.  However,  setting  MECO  confirmed 
on  an  RTLS  trajectory  is  very  time  critical.  In  time  critical  situations,  it  must  be  recognized  ahead 
of  time  if  the  three  pushbuttons  will  not  work  so  that  alternate  methods  may  be  employed  at  the 
required  moment.  ®[1 1 0900-7230A] 

Reference  Rule  {A5-104},  DATA  PATH  FAIL/ENGINE-ON  LIMIT  SHUTDOWN  CONTROL. 

®[121296-4594A] 
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A5-114  SSME  HYDRAULIC  REPRESSURIZATION/POSTLANDING  SSME 

REPOSITIONING 

A.  ON-ORBIT/ENTRY-1  DAY  REPRESSURIZATION 

APPLICATION  OF  MPS  HELIUM  TO  SSME  VALVE  ACTUATORS  IS  NOT 
REQUIRED  DURING  HYDRAULIC  REPRESSURIZATION  AND  SSME 
REPOSITIONING  WHEN  THE  TVC  ACTUATORS  DRIFT  OUT  OF  POSITION 
PER  FLIGHT  RULE  {A8-106},  TVC-SSME  STOW/ACTUATOR  FLUID 
FILL  (REPRESSURIZATION) . 

B.  ENTRY/POSTLANDING  REPOSITIONING 

MPS  HELIUM  WILL  BE  PROVIDED  TO  THE  ENGINES  DURING  HYDRAULIC 
REPRESSURIZATION  AND  SSME  REPOSITIONING.  THIS  ENSURES  THAT 
ENGINE  VALVES  DO  NOT  DRIFT  OPEN.  HOWEVER,  LACK  OF  HELIUM  IS 
NOT  A  CONSTRAINT  AGAINST  PERFORMING  EITHER  PROCEDURE. 


Hydraulic  pressure  is  applied  to  the  TVC  actuators  to  prevent  SSME  movement  during  on-orbit,  entry,  and 
postlanding  operations.  Maintaining  helium  pressure  on  the  closed  side  of  the  engine  valves  will  keep  the 
valves  from  opening  when  hydraulic  pressure  is  applied  to  the  TVC  actuators.  Keeping  the  valves  closed 
prevents  engine  contamination  during  entry  and  postlanding.  On-orbit  SSME  contamination  is  unlikely; 
therefore,  the  application  of  helium  for  on-orbit  TVC  drift  is  not  required.  This  will  also  reduce  MPS 
helium  regulator  cycles. 


A5-115  THROUGH  A5-150  RULES  ARE  RESERVED 
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MPS  MANAGEMENT:  PRELAUNCH  THROUGH  MECO 


A5-151  PRE-MECO  MPS  HELIUM  SYSTEM  LEAK  ISOLATION  [CIL] 

A.  MPS  ENGINE  SYSTEM  HELIUM  LEAK  ISOLATION  WILL  BE  PERFORMED  FOR 

ANY  SIGNIFICANT  LEAK  (PER  RULE  {A5-10},  SIGNIFICANT  ENGINE 
HELIUM  SYSTEM  LEAK)  AS  LONG  AS  THE  ATTEMPT  TO  ISOLATE  THE 
LEAK  WILL  NOT  CAUSE  THE  ENGINE  TO  SHUT  DOWN.  @[090894-1 676A]  ®[ED  ] 

If  an  MPS  engine  helium  system  experiences  a  helium  leak  the  crew  will  perform  a  helium  leak  isolation 
procedure.  However ,  since  certain  power  bus  failures  will  result  in  helium  leg  A  isolation  valves  failing 
closed  (MNA,  APC4  or  ALC1;  MNB,  APC5  or  ALC2;  or  MNC,  APC6  or  ALC 3  failure  will  close  the 
center,  left,  or  right  SSME  isolation  valve,  respectively),  the  crew  must  be  reminded  not  to  attempt  leak 
isolation  for  these  cases.  The  closing  of  the  leg  B  isolation  valve  will  stop  helium  flow  to  the  engine  and 
cause  an  SSME  redline  limit  shutdown  due  to  low  HPOTP  intermediate  seal  (IMSL)  purge  pressure.  The 
shutdown  may  cause  engine  damage  since  both  regulator  isolation  valves  are  closed.  No  helium  will  be 
available  for  SSME  IMSL  purging  during  the  shutdown  sequence. 

B.  AN  ATTEMPT  WILL  BE  MADE  TO  ISOLATE  ANY  SIGNIFICANT  PNEUMATIC 
SYSTEM  LEAK  (REF.  RULE  {A5-11},  SIGNIFICANT  PNEUMATIC  SYSTEM 
HELIUM  LEAK)  .  ®[ED  ] 

A  significant  pneumatic  system  helium  leak  could  result  in  insufficient  pressure  for  prevalve  actuation  at 
MECO.  The  LO2  prevalves  are  required  to  close  at  MECO  in  order  to  maintain  pressure  at  the  HPOTP 
pump  inlet.  This  prevents  pump  cavitation  and  overspeed  which  could  result  in  uncontained  SSME 
damage.  An  attempt  is  made  to  isolate  the  pneumatic  helium  supply  so  the  remaining  helium  can  be  used 
to  pressurize  the  pneumatic  accumulator  and  support  prevalve  closure  at  MECO. 

C.  IF  AN  MPS  PNEUMATIC  HELIUM  SYSTEM  LEAK/ I SOLAT ION  CAUSES 
INSUFFICIENT  PNEUMATIC  HELIUM  ACCUMULATOR  PRESSURE  (REF. 

RULE  { A5-12 } ,  INSUFFICIENT  PNEUMATIC  HELIUM  ACCUMULATOR 
PRESSURE),  THE  SYSTEM  WILL  BE  RECONFIGURED  AT  MECO-30 
SECONDS.  ®[ED  ] 

Seven  hundred  psia  in  the  pneumatic  accumulator  is  the  minimum  lion-resupplied  pressure  which  will 
close  all  the  LO2  prevalves  within  timing  constraints  at  MECO.  If  the  pneumatic  helium  supply  has  been 
isolated  due  to  a  leak  or  is  used  to  support  the  mainstage  operation  of  an  engine  with  a  helium  leak,  the 
pneumatic  accumulator  pressure  may  fall  below  700  psia.  Should  the  accumulator  pressure  fall  below 
700  psia  for  any  reason,  the  pneumatic  helium  isolation  valves,  the  left  engine  helium  crossover  valve 
and,  if  necessary,  the  engine  interconnect  valves,  will  be  reconfigured  to  repressurize  it.  This  will  be 
accomplished  at  MECO  minus  30  seconds  and  ensures  that  700  psia  is  available  in  the  pneumatic 
accumulator  until  the  start  of  prevalve  closure  at  MECO. 

Note:  Taking  the  interconnect  out-open  to  open  on  an  engine  when  the  pneumatic  tank  is  depleted  will 
not  cause  a  large  enough  flow  transien  t  to  cause  the  engine  to  shut  down  ( documented  by  RI  Downey 
internal  letter  number  287-100-93-259,  dated  11/09/93).  ©[090894-1676A] 
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A5-152  PRE-MECO  MPS  HELIUM  SYSTEM  INTERCONNECTS  [CIL] 

A.  TO  SUSTAIN  THE  OPERATION  OF  AN  ENGINE  WITH  AN  MPS  HELIUM  LEAK, 
FOR  SINGLE  REGULATOR  OPERATION,  OR  FOR  EXTENDED  BURN  TIME, 
HELIUM  SYSTEM  INTERCONNECTS  WILL  BE  PERFORMED  AT  THE  FOLLOWING 
CUES:  @[090894-1 676A]  @[050400-71 95A] 

If  a  helium  leak  develops  and  die  decay  rate  is  such  that  the  engine  will  not  meet  zero-g  shutdown 
requirements  or  will  cause  an  early  shutdown,  the  helium  system  of  an  engine  and/or  the  pneumatic 
helium  system  will  be  interconnected  to  that  engine’s  system.  This  action  may  allow  the  engine  to  meet 
the  zero-g  shutdown  requirements  and  will  maintain  engine  operation  as  long  as  possible.  Similar  action 
is  taken  if  the  leak  has  been  isolated  and  the  system  will  not  meet  shutdown  requirements. 

A  tank  pressure  of  920  psia  (900  psia  required  +  20  psia  instrumentation  error)  is  the  minimum  value, 
including  instrumentation  error,  which  will  support  the  normal  operating  range  of  the  helium  system 
regulators.  The  difference  between  the  actual  requirement,  920  psia,  and  the  C&W  value,  1150  psia, 
results  from  a  change  in  the  estimated  instrumentation  error  of  the  helium  tank  pressure  transducers  as  a 
result  of  vehicle  specific  calibration  curves.  With  calibration  curve  coefficients  unique  to  each  helium 
tank  pressure  transducer,  the  accuracy  of  each  reading  is  0.15  percent.  An  accuracy  of  0.15  percent 
over  the  5000  psia  transducer  range  equates  to  an  error  of  7.5  psia.  To  account  for  any  potential 
degradation  in  accuracy  ( e. g. ,  transducer  replacements  where  the  new  transducer  is  less  accurate  or 
calibration  equipment  changes),  one  PCM  count  (10  psia)  was  added  to  the  7.5  psia  error.  This  new 
instrumentation  error  of  17.5  psia  was  then  rounded  to  the  nearest  PCM  count  resulting  in  20  psia 
instrumentation  error  used  by  the  MCC  and  incorporated  into  crew  procedures.  The  interconnect  cues 
shown  in  the  subsequent  paragraphs  are  used  as  a  guideline  to  ensure  sufficient  helium  to  sustain  SSME 
operation  with  a  helium  leak.  It  is  important  to  note  that  the  interconnect  must  be  performed  above  the 
minimum  tank  pressure  required  to  support  the  shutdown  mode.  That  is,  the  interconnect  must  be 
performed  at  a  higher  tank  pressure  for  a  pneumatic  shutdown  than  for  a  pre-MECO  redline  shutdown 
due  to  helium  depletion  because  the  pneumatic  shutdown  requires  more  helium.  The  tank  pressure  of 
920  is  quoted  as  the  “no  later  than  ”  cue  in  order  to  provide  the  absolute  minimum  tank  pressure  above 
which  the  in  terconnect  must  be  performed.  Since  there  is  not  one  tank  pressure  interconnect  to  satisfy  all 
cases  (leak  types,  shutdown  mode,  leak  size,  etc.),  the  C&W  cue  of  1150  is  sufficient  for  the  crew  to  use 
in  no-comm  cases.  The  change  in  calculated  instrumentation  error  did  not  warrant  a  change  to  the 
onboard  software  or  hardware  caution  and  warning.  @[050495-1 767B]  @[100997-6298  ]  @[110900-7239  ] 
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Since  the  helium  tank  and  regulator  pressure  requirements  were  derived  using  vehicle  specific 
calibration  curves,  it  must  be  noted  that  the  onboard  readings  will  vary  between  the  BFS  GNC  SYS 
SUMM  1  display  and  the  OMS/MPS  MEDS  display  /  MCDS  MPS  meter.  The  BFS  GNC  SYS  SUMM  1 
data  is  based  on  vehicle  specific  calibration  curve  coefficients;  whereas  due  to  system  limitations,  the 
OMS/MPS  MEDS  display  and  the  MCDS  MPS  meter  data  are  based  on  generic  calibration  curve 
coefficients.  When  the  MCC  calls  for  cm  in  terconnect  or  SSME  shu  tdown  based  on  a  helium  tank  or 
regulator  pressure,  it  is  understood  that  the  crew  will  use  the  data  available  on  the  BFS  GNC  SYS 
SUMM  1  display.  This  understanding  was  accepted  by  CB,  DT,  and  DA8  (reference  AEFTP  #152, 
September  18,  1998).  @[110900-7239  ] 

Dropping  helium  system  regulator  outlet  pressure  is  also  used  to  detect  potential  SSME  HPOTP 
intermediate  seed  (IMSL)  purge  pressure  violations.  If  both  helium  regulators  have  been  in  steady  state 
operation  between  715  psia  and  785  psia  outlet  pressure,  a  sudden  decrease  in  outlet  pressure  may  be 
indicative  of  a  system  failure.  Action  is  taken  as  soon  as  both  regulator  outlet  pressures  fall  below  715 
(679)  psia  in  cm  attempt  to  prevent  the  engine  from  shutting  down.  Six  hundred  and  seventy  nine  psia 
was  derived  from  the  minimum  normal  regulator  outlet  pressure,  715  psia,  minus  36  psia 
instrumentation  error  prior  to  OI-26B.  For  OI-26B  and  subsequent  flights,  the  instrumentation  error 
was  reduced  to  5  psia.  However,  the  Caution  and  Warning  limit  remains  at  679  psia  because  the  change 
to  5  psia  would  result  in  a  Caution  and  Warning  value  very  close  to  the  nominal  control  band  of  the 
regulator  (regulator  is  psig,  instrumentation  is  psia )  and  was  not  considered  worth  the  effort  in  updating 
Caution  and  Warning.  With  regard  to  helium  system  leaks,  a  regulator  outlet  pressure  below  715  psia 
does  not  indicate  that  the  regulator  is  malfunctioning.  Low  outlet  pressures  are  indicative  of  helium 
system  leaks  which  result  in  high  helium  mass  flow  rates  or  supply  tank  depletion  resulting  in  low  inlet 
pressures  to  the  system  regulators.  Taking  action  at  679  psia  not  only  prevents  premature  helium  system 
in  terconnecting,  but  also  gives  some  assurance  that  another  helium  system  can  be  interconnected  to  the 
leaking  supply  before  the  engine  interface  pressure  reaches  the  expected  shutdown  value  of  518  psia  for 
the  Phase  II  SSME,  or  576  psia  for  the  BLOCK  I  SSME,  BLOCK  IIA  SSME,  and  the  BLOCK  II  SSME 
(reference  SODB  data  requests  Rl-1507  and  Rl-1640,  respectively)  even  with  the  reduction  in 
instrumentation  error  with  OI-26B.  @[050495-1 767B]  @[020196-1812]  ®[1 21 197-6472A]  @[050400-71 95A]  @[110900- 
7239] 
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1.  FOR  A  NON-I SOLATABLE  UPPER  SYSTEM  LEAK:  @[050400-71 95A] 

a.  WITH  THREE  ENGINES  ON,  HELIUM  SYSTEM  INTERCONNECTS 

WILL  BE  PERFORMED  AS  LATE  AS  PRACTICAL,  BUT  ABOVE  THE 
MINIMUM  ENGINE  TANK  PRESSURE  REQUIRED  TO  SUPPORT  THE 
ENGINE  SHUTDOWN  MODE  PER  RULE  {A5-153},  PRE-MECO 
SHUTDOWN  OF  ENGINES  DUE  TO  MPS  HELIUM  LEAKS,  AND  NO 
LATER  THAN  900  PSIA  (920  PSIA)  TANK  PRESSURE  ON  THE 
AFFECTED  ENGINE  OR  WHEN  BOTH  HELIUM  SYSTEM  REGULATOR 
PRESSURES  ARE  BELOW  715  (679)  PSIA.  @[050495-1 767B] 

@[110900-7239] 

When  a  non-isolatable  upper  system  leak  occurs,  it  is  best  to  perform  helium  interconnects  as  close  to 
the  minimum  shutdown  requirement  as  possible.  If  the  interconnect  is  performed  too  early  and  the 
system  leak  is  a  tank  leak,  helium  in  the  leaking  tank  will  no  longer  be  used  to  support  engine  operation 
and  will  therefore  be  wasted. 

b.  WITH  LESS  THAN  THREE  ENGINES  ON,  HELIUM  SYSTEM 
INTERCONNECTS  WILL  BE  PERFORMED  AS  SOON  AS  PRACTICAL 
BUT  ABOVE  THE  CUES  GIVEN  IN  PARAGRAPH  A . 1 . a . 

When  a  non-isolatable  upper  system  leak  occurs  after  an  engine  has  shut  down,  helium  interconnects 
can  be  performed  as  soon  as  practical.  An  upper  system  leak  could  be  either  a  leak  in  the  engine’s 
helium  tank  or  an  upper  system  leak  above  the  helium  regulators.  If  the  leak  is  an  upper  system  leak, 
then  interconnecting  as  soon  as  practical  does  not  waste  any  helium.  If  the  leak  is  in  the  tank, 
in  terconnecting  as  soon  as  practical  will  result  in  the  helium  from  the  leaking  tank  being  wasted. 

However,  a  good  interconnect  from  a  previously  shutdown  engine  will  provide  a  nominal  feed  rate  to 
the  engine  with  the  tank  leak  and  will  allow  it  to  support  a  zero-g  shutdown.  Interconnecting  early  not 
only  allows  the  reconfiguration  to  take  place  while  the  crew  is  in  a  low  g  environment,  but  also  allows 
for  an  earlier  assessmen  t  of  the  shut  down  requiremen  ts  of  the  leaking  engine.  @[050400-71 95A] 
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2.  FOR  A  NON-ISOLATABLE  LOWER  SYSTEM  LEAK,  HELIUM  SYSTEM 
INTERCONNECTS  WILL  BE  PERFORMED  AS  SOON  AS  PRACTICAL, 

BUT  ABOVE  THE  MINIMUM  ENGINE  TANK  PRESSURE  REQUIRED  TO 
SUPPORT  THE  ENGINE  SHUTDOWN  MODE  PER  RULE  {A5-153},  PRE- 
MECO  SHUTDOWN  OF  ENGINES  DUE  TO  MPS  HELIUM  LEAKS,  AND  NO 
LATER  THAN  900  PSIA  (920  PSIA)  TANK  PRESSURE  ON  THE 
AFFECTED  ENGINE  OR  WHEN  BOTH  HELIUM  SYSTEM  REGULATOR 
PRESSURES  ARE  BELOW  715  (679)  PSIA.  ©[050495-1767B]  @[050400-71 95A] 

@[110900-7239] 

For  non-isolatable  lower  system  leaks,  helium  interconnects  can  be  performed  immediately  after  leak 
iden  tification,  but  must  be  performed  above  the  minimum  tank  pressure  needed  to  support  engine 
shutdown.  A  leak  below  the  regulator  will  have  the  same  mass  flow  rate  after  the  in  terconnect  that  it  had 
prior  to  the  interconnect.  Interconnecting  early  allows  the  reconfiguration  to  take  place  while  the  crew 
is  in  a  low  g  environment. 

3.  FOR  A  NON  ISOLATABLE  LEAK  THAT  REQUIRES  INTERCONNECTING 
THE  HELIUM  SYSTEM  OF  A  NON-LEAKING  RUNNING  ENGINE,  THE 
INTERCONNECT  WILL  BE  PERFORMED  WHEN  THE  TANK  PRESSURES  ON 
ALL  PREVIOUSLY  INTERCONNECTED  SYSTEMS  REACH  500  PSIA  OR 
THE  AFFECTED  SSME  HPOTP  IMSL  PRESSURE  REACHES  70  PSIA. 

If  the  leaking  engine  supply,  the  previously  shut  down  engine  supply,  and  the  pneumatic  supply  are 
insufficient  to  obtain  single  engine  abort  capability  to  a  landing  site,  interconnecting  is  also  allowed, 
within  certain  limits,  from  the  remaining  engine  which  has  a  good  MPS  helium  supply  in  an  attempt  to 
regain  landing  site  abort  capability  per  paragraph  B.2.a.  Because  an  attempt  is  being  made  to  avoid  a 
contingency  abort  due  to  insufficient  MPS  helium,  the  interconnect  from  a  non  leaking  running  SSME 
helium  supply  to  an  engine  with  a  leaking  helium  supply  will  be  performed  as  late  as  is  reasonably 
possible.  The  interconnect  will  be  performed  once  the  leaking  system  reaches  500  psia  (500  psia  is  a 
generic  tank  pressure  which,  with  SSME  limits  inhibited,  should  ensure  that  crossover  margin  is 
maintained  in  the  SSME  HPOT  IMSL  package)  or  an  HPOTP  IMSL  pressure  of  70  psia  (70  psia  provides 
10  psia  interconnect  margin  against  the  Block  I/IIA/II  SSME  limit  of  60  psia  in  rule  (A5-153C}.2.a,  PRE- 
MECO  SHUT  DOWN  OF  ENGINES  DUE  TO  MPS  HELIUM  LEAKS).  An  interconnect  cue  of  500  psia  in 
the  tank  or  70  psia  in  the  IMSL  package  should  also  preven  t  the  SSME  HPOT  IMSL  pressure  from 
decaying  below  60  psia  while  the  SSME  is  operating.  ®[050400-7i95A] 
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4.  FOR  SINGLE  REGULATOR  OPERATION  OF  THE  MPS  HELIUM  SYSTEM, 
HELIUM  SYSTEM  INTERCONNECTS  WILL  BE  PERFORMED  AS  SOON  AS 
PRACTICAL,  BUT  ABOVE  THE  MINIMUM  TANK  PRESSURE  REQUIRED 
TO  SUPPORT  THE  SINGLE  REGULATOR  SHUTDOWN  MODE  PER  RULE 
{ A5-153 } ,  PRE-MECO  SHUTDOWN  OF  ENGINES  DUE  TO  MPS  HELIUM 
LEAKS,  AND  NO  LATER  THAN  900  PSIA  (920)  OR  WHEN  BOTH 
HELIUM  SYSTEM  REGULATOR  PRESSURES  ARE  BELOW  715  (679) 

PSIA.  @[050495-1 767B]  @[050400-71 95A]  @[110900-7239] 


If  a  helium  system  is  operating  on  a  single  regulator,  due  to  an  isolated  leak  or  any  other  system 
failure,  the  resulting  mass  flow  rate  of  helium  through  the  system  is  nominal.  Therefore,  helium  system 
interconnects  may  be  accomplished  as  soon  as  convenient.  When  operating  on  a  single  regulator,  all 
shut  down  modes  must  protect  for  single  regulator  operation.  A  single  regulator  providing  helium 
flow  to  an  engine  must  flow  the  equivalent  helium  of  two  operating  regulators.  Higher  pressures  must 
be  main  tained  at  the  regulator  inlet  in  order  to  ensure  that  shutdown  pressure  and  mass  flow  rate 
requirements  are  satisfied. 

5.  FOR  AN  ENGINE  REQUIRING  EXTENDED  ENGINE  BURN  TIME,  HELIUM 
SYSTEM  INTERCONNECTS  WILL  BE  PERFORMED  AS  SOON  AS 
PRACTICAL,  BUT  ABOVE  THE  MINIMUM  ENGINE  TANK  PRESSURE 
REQUIRED  TO  SUPPORT  THE  ENGINE  SHUTDOWN  MODE  PER  THE 
HELIUM  CURVES  FOR  A  NON- I SOL AT ABLE  LOWER  SYSTEM  LEAK  WITH 
NOMINAL  FLOW  RATE  GIVEN  IN  RULE  {A5-153EJ.1,  PRE-MECO 
SHUTDOWN  OF  ENGINES  DUE  TO  MPS  HELIUM  LEAKS,  AND  NO  LATER 
THAN  900  PSIA  (920  PSIA)  TANK  PRESSURE  ON  THE  AFFECTED 
ENGINE  OR  WHEN  BOTH  HELIUM  SYSTEM  REGULATOR  PRESSURES  ARE 
BELOW  715  (67  9)  PSIA.  @[110900-7239] 


If  the  predicted  MECO  time  is  extended  due  to  low  ascen  t  performance  or  an  abort  requiremen  t  such 
that  interconnecting  is  necessary  to  meet  shutdown  requirements,  the  pneumatic  system  and  the  helium 
system  of  any  failed  engine  can  be  in  terconnected  to  a  runn  ing  engine  as  soon  as  practical.  The 
minimum  tank  pressure  which  will  support  a  zero-g  shut  down  of  an  engine  with  two  good  regulators 
and  no  helium  leak  is  given  in  the  helium  curves  for  a  non-isolatable  lower  system  leak  with  nominal 
flow  rate  in  rule  {A5-153EJ.1,  PRE-MECO  SHUTDOWN  OF  ENGINES  DUE  TO  MPS  HELIUM 
LEAKS.  Since  an  engine  with  extended  burn  time  has  a  constan  t  helium  usage,  the  curve  for  an  engin  e 
with  a  non-isolatable  lower  system  helium  leak  is  used  to  define  the  minimum  zero-g  requirement. 
@[090894-1 676A]  @[050400-71 95A]’ 
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6.  IN  THE  NO-COMM  CASE,  THE  CREW  WILL  PERFORM  HELIUM  SYSTEM 
INTERCONNECTS  AT  A  SYSTEM  PRESSURE  OF  1150  PSIA  OR  WHEN 
BOTH  HELIUM  SYSTEM  REGULATOR  PRESSURES  ARE  BELOW  715 
(679)  PSIA.  @[050400-71 95A] 

In  the  loss  of  comm  case,  crew  action  is  taken  at  1150  psia.  1150  psia  is  the  C&W  limit.  The  alarms 
and  tones  annunciated  at  1150  psia  are  a  good  reminder  to  the  crew  that  action  needs  to  be  taken.  If 
the  tank  pressure  reaches  this  value  and  continues  to  fall,  the  engine  HPOTP IMSL  purge  redline  limit 
may  be  violated.  Action  is  taken  at  1150  psia  to  preclude  cm  early  engine  out  situation  while  making  as 
much  use  of  available  helium  as  possible.  The  engine  IMSL  seal  limit  should  not  be  violated  until  the 
pressure  decays  below  approximately  518  psia  at  the  engine  interface  for  the  Phase  II SSME  (ref.  SODB 
Vol.  3,  Section  4.3.1)  or  576  psia  at  the  engine  in  terface  for  the  BLOCK  I  SSME,  BLOCK  IIA  SSME, 
and  the  BLOCK  II  SSME  (ref.  SSME  test  901-835  and  the  09-13-95  PSIG).  @[050495-1 767B]  @[020196- 
1812]  @[100997-6298]  @[121 197-6472A]  @[110900-7239] 

B.  IF  THE  INTERCONNECT  CUES  IN  PARAGRAPH  A  ARE  MET,  THE 

INTERCONNECT  OF  THE  PNEUMATIC  HELIUM  SYSTEM  OR  THE  HELIUM 
SYSTEM  OF  ANOTHER  ENGINE  WILL  BE  PERFORMED  PER  THE  FOLLOWING 
CONDITIONS:  @[090894-1 676A]  @[100997-6298] 

If  an  engine  helium  supply  is  depleting  due  to  a  leak,  or  helium  shut  down  requirements  are  not  met  due 
to  extended  burn  times  or  single  regulator  operation,  interconnecting  other  helium  systems  will  be 
allowed  in  some  situations  to  sustain  the  operation  of  cm  engine. 

1.  WITH  THREE  ENGINES  ON: 

ONLY  THE  PNEUMATIC  HELIUM  SYSTEM  WILL  BE  INTERCONNECTED 
AND  THE  ENTIRE  SYSTEM  WILL  BE  USED  IF  REQUIRED. 

The  en  tire  pneumatic  helium  system  will  be  used  to  sustain  the  operation  of  cm  engine,  since  sufficient 
helium  margin  should  be  available  in  the  other  two  helium  systems  and  the  pneumatic  accumulator  to 
satisfy  the  zero-g  requirements  for  prevalve  actuation,  SSME  pogo  system  post-charge,  shutdown  and 
entry  environmental  purges,  and  entry  MPS  manifold  pressurization.  @[090894-1 676A] 
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2.  WITH  TWO  ENGINES  ON:  @[050400-71 95A] 

a.  INTERCONNECTING  THE  PNEUMATIC  HELIUM  SYSTEM  AND  THE 

HELIUM  SYSTEM  OF  THE  PREVIOUSLY  SHUT  DOWN  ENGINE  WILL 
BE  PERFORMED. 


For  the  two  engine  on  case ,  interconnecting  is  allowed  from  the  previously  shut  down  engine  and  the 
pneumatic  system.  This  will  not  only  maximize  the  leaking  engine  run  time  but  may  also  re-establish 
zero-g  shutdown  capability.  ®[i  1 0900-7239  ] 

b.  INTERCONNECTING  THE  HELIUM  SYSTEM  OF  THE  NON-LEAKING 
RUNNING  ENGINE  WILL  BE  PERFORMED  BY  TAKING  THE 
INTERCONNECT  VALVE  OF  THE  NON-LEAKING  RUNNING  ENGINE 
TO  OUT  OPEN  FOR  15  SECONDS  (ONE  TIME  ONLY)  AND  THEN 
BACK  TO  THE  GPC  POSITION  IF  ALL  OF  THE  FOLLOWING 
CONDITIONS  ARE  SATISFIED: 

(1)  THE  INTERCONNECTS  PER  PARAGRAPH  B.2.a  WILL  NOT 
ALLOW  THE  LEAKING  ENGINE  TO  SUPPORT  SINGLE 
ENGINE  ABORT  CAPABILITY  TO  A  LANDING  SITE 
(SINGLE  ENGINE  LIMITS  OR  SINGLE  ENGINE  RTLS 
BOUNDARY) ,  AND 

(2)  THE  TOTAL  FLOWRATE  OF  THE  LEAKING  SYSTEM  HAS 
NEVER  BEEN  GREATER  THAN  0.30  LBM/SEC. 


Margin  in  the  non-leaking,  running  SSME  MPS  helium  supply  will  be  used  to  support  the  operation  of 
another  SSME  with  a  leaking  supply.  Interconnecting  in  this  case  will  result  in  one  MPS  helium  supply 
supporting  two  SSME’s,  one  at  an  off-nominal  flowrate.  Consequently,  the  interconnect  of  a  running 
supply  will  only  be  performed  if  the  toted  flowrate  of  the  leaking  supply  has  never  been  greater  than  0.30 
Ibm/sec.  The  0.30  Ibm/sec  total  flowrate  requirement  is  a  generic  value  which  will  provide  at  least  15 
seconds,  and  at  most  1.5  minutes,  of  additional  runtime  for  the  SSME  with  the  leaking  supply.  Toted  flow 
rates  above  0.30  Ibm/sec  make  it  extremely  likely  that  either  a  second  SSME  will  fail  prior  to  reaching  a 
certified  abort  boundary,  or  that  helium  available  to  the  last  SSME  will  be  depleted  to  a  level  which  is 
below  MECO  requirements.  By  not  interconnecting  for  large  leaks,  three  SSME  out  contingency  aborts 

are  avoided  and  a  crew  survival  path  is  maintained  by  two  SSME  out  abort  coverage.  @[100997-6298  ] 
©[121197-6472A]  @[050400-71 95A] 
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Numerous  assumptions  had  to  be  made  in  order  to  cover  this  case  with  a  generic  rule.  All  the  variables 
were  assigned  generic  values  and  discussed  at  Ascent  Entry  Flight  Techniques  # 135  on  October  18, 

1996.  The  assumptions  were  as  follows.  The  maximum  allowable  flowrate  of  the  leaking  system  was 
derived  for  the  RTLS  abort  case  since  three  out  black  zones  occur  at  a  later  MET  than  on  a  TAL.  The 
first  SSME  shuts  down  at  liftoff  and  a  non  isolatable  lower  system  leak  develops  on  one  of  the  remaining 
engines  at  the  same  time.  There  is  a  total  of  134  pounds  of  helium  available  from  both  the  leaking 
engine  and  the  one  that  shut  down.  Of  cm  initial  13  pounds  of  helium  in  the  pneumatic  system,  10  are 
available  to  support  the  leaker.  Single  engine  operation  of  the  last  engine  must  be  maintained,  while 
preserving  the  zero  g  shutdown  helium  requirement,  until  an  RTLS  MECO  time  of  10:45  MET,  which 
assumes  109  SSME  throttles.  Given  this  MECO  time,  there  are  14  excess  pounds  of  helium  available 
from  the  running  engine  to  support  the  leaking  helium  supply,  resulting  in  a  total  of  158  pounds  of 
helium  available  for  the  leaking  engine.  Assuming  2  1/2  minutes  is  the  maximum  run  time  needed  for 
single  engine  completion  of  an  RTLS  contingency  abort,  the  leaking  engine  must  support  a  run  time  of 
8:15  MET  ( MECO  time  minus  2  minu  tes  30  seconds).  Assuming  that  8  pounds  of  helium  are  required  to 
support  the  shutdown  of  the  leaking  engine,  the  remaining  150  pounds  would  support  the  engine’s 
operation  until  8:15  MET  as  long  as  the  leak  rate  is  not  greater  than  0.30  Ibm/sec.  AEFTP  was  also 
made  aware  that  a  real-time  or  non-real-time  redefinition  of  any  of  theses  variables  might  result  in  cm 
outcome  which  varies  from  current  predictions.  However,  in  any  case  it  is  agreed  that  helium  from  the 
last  SSME  should  be  interconnected  to  a  leaking  supply  in  an  attempt  to  reach  a  runway,  as  long  as  three 
SSME  out  black  zones  are  protected.  ®[i  00997-6298  ] 

The  running,  non-leaking  SSME  supply  will  only  be  interconnected  for  15  seconds.  This  will  keep  the 
SSME  running  while  the  pneumatic  system  is  repressurized.  The  interconnect  action  also  increases  the 
likelihood  that  the  last  running  SSME  with  a  non-leaking  MPS  helium  supply  will  retain  sufficient 
helium  in  its  supply  to  support  guided  MECO  once  the  second  SSME  with  a  leaking  MPS  helium 
supply  shuts  down.  ®[1 21 1 97-6472A]  ®[050400-7195A] 

The  interconnect  is  broken  by  taking  the  in  terconnect  switch  of  the  engine  with  the  non-leaking  helium 
system  to  the  GPC  position.  If  the  leaking  helium  supply  has  been  depleted  due  to  a  tank  leak,  or  an 
upper  system  leak  exists,  breaking  the  interconnects  in  this  manner  allows  the  pneumatic  system  to 
remain  interconnected  to  the  engine  with  a  leaking  helium  supply  in  order  to  support  its  shutdown. 
@[100997-6298] 
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(CONTINUED) 

3.  WITH  ONE  ENGINE  ON:  @[050400-71 95A] 

INTERCONNECTING  THE  PNEUMATIC  HELIUM  SYSTEM  AND  THE 
HELIUM  SYSTEMS  OF  ALL  PREVIOUSLY  SHUT-DOWN  ENGINES  WILL 
BE  PERFORMED. 

C.  THROTTLE  MANAGEMENT  FOR  TWO  ENGINES  ON  WITH  A  NON- I SOLATABLE 
MPS  HELIUM  LEAK  IN  ONE  OF  THE  RUNNING  SSMES  WILL  BE  PERFORMED 
PER  THE  FOLLOWING:  @[050495-1 753A]  @[100997-6298] 

With  three  engines  on,  there  are  no  regions  where  a  subsequent  engine  out  will  not  allow  the  remaining 
engines  to  perform  an  abort  to  a  landing  site.  Therefore,  109  percent  SSME  throttles  are  not  required 
for  that  case. 

1.  NOMINAL/ ATO : 

109  PERCENT  SSME  THROTTLES  IS  NOT  REQUIRED  FOR  THESE 
CASES . 

The  only  region  where  cm  abort  cannot  be  performed  to  a  landing  site  with  the  leaking  engine  out  usually 
occurs  between  the  PRESS-TO-ATO  boundary  and  the  SINGLE  ENGINE  LIMITS  boundary.  Since  the 
time  between  these  boundaries  is  less  than  1.5  minutes,  it  is  extremely  unlikely  that  cm  interconnect  from 
a  running  engine  to  a  running  engine  will  be  required.  Consequently,  the  maximum  time  spent  at  109 
throttles  (at  most  1.5  minutes)  will  not  significantly  reduce  the  predicted  MECO  time.  @[050495-1 753A] 
@[050400-71 95A] 
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2 .  TAL : 

THE  SSME '  S  WILL  BE  IMMEDIATELY  THROTTLED  TO  109  PERCENT 
POWER  LEVEL  AFTER  THE  ISOLATION  PROCEDURE  IS  COMPLETED 
AND  MPS  HELIUM  LEAK  IS  DETERMINED  TO  BE  NON- I SOLATABLE . 
IF  SINGLE  ENGINE  TAL  104  ABORT  CAPABILITY  IS  ACHIEVED 
OR  IS  PREDICTED  TO  BE  ACHIEVED  WITHOUT  INTERCONNECTING 
A  RUNNING  ENGINE  SUPPLY,  SSME  THROTTLES  MAY  BE  RETURNED 
TO  104  PERCENT  POWER  LEVEL.  @[100997-6298]  @[050400-71 95A] 

For  this  case,  the  additional  risk  associated  with  operating  the  main  engines  at  109  power  level  is 
acceptable  in  order  to  provide  the  crew  and  vehicle  a  chance  to  reach  a  runway  ( i.e.,  SE  LIMITS). 
Commanding  the  engines  to  109  percent  power  level,  while  the  vehicle  is  in  cm  abort  gap  with  a  helium 
leak  on  one  of  two  running  SSME  supplies,  maximizes  the  use  of  the  remaining  helium  by  reducing  the 
time  required  to  achieve  abort  capability  to  a  landing  site.  Furthermore,  the  increased  power  level  does 
not  increase  helium  usage  in  the  engine  HPOTP IMSL  purge  package  (usage  remains  unchanged  from 
67-109  percen  t  power  level)  and  should  have  no  negative  effect  on  the  size  of  the  leak  in  the  MPS  helium 
system.  Operationally,  the  increased  internal  engine  pressures  and  temperatures  at  109  percent  do 
increase  the  likelihood  of  having  cm  SSME  failure  (ref.  AEFTP  #108  charts,  12/17/93).  However, 
because  the  run  time  remaining  on  the  last  engine  to  MECO  cannot  be  determined  ( its  helium  supply  was 
compromised),  the  mean  engines  will  remain  at  109  percent  power  level  until  fine  count  is  reached  and 
the  software  throttles  back  the  engines,  the  crew  initiates  manned  throttles  at  the  2  percent  propellant 
remaining  in  the  ET  cue  (reference  rule  (A5-112},  MANUAL  THROTTLEDOWN  FOR  LO2  NPSP 
PROTECTION  AT  SHUTDOWN,),  or  until  the  manual  MECO  (reference  rule  (A5-153),  PRE-MECO 
SHUT  DOWN  OF  ENGINES  DUE  TO  MPS  HELIUM  LEAKS).  @[090894-1 676A]  ®[ED  ] 

If  single  engine  TAL  104  abort  capability  is  achieved,  or  is  predicted  to  be  achieved,  after  throttling  the 
SSME’s  to  109  percent  power  level  and  without  interconnecting  a  running,  non-leaking  SSME  helium 
supply,  sufficient  helium  will  be  available  in  the  non-leciking  MPS  helium  system  to  complete  a  single 
engine  abort  at  104  or  109  percent  power  level  and  eliminate  the  possibility  of  having  to  return  to  109 
percent  power  level  should  the  engine  with  the  helium  leak  shut  down  prior  to  single  engine  TAL  104. 
Additionally,  since  the  time  between  the  single  engine  limits  and  single  engine  TAL  104  boundaries  is 
short,  it  advisable  to  leave  the  throttles  at  109  percent  to  preclude  additional  work  for  the  crew  should 
cm  engine  fail  in  this  region.  Single  engine  TAL  104  is  when  the  Flight  Dynamics  Officer  determines 
that  109  percent  power  level  is  no  longer  required  for  single  engine  abort  completion.  Per  the  rationale 
above,  it  is  desirable  that  the  SSME  throttle  setting  be  returned  to  104  percent  whenever  possible. 

®[ED  ]  @[050495-1 767B]  @[050400-71 95A] 
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3.  RTLS : 

THE  SSME'S  WILL  BE  IMMEDIATELY  MANUALLY  THROTTLED  TO  109 
PERCENT  POWER  LEVEL  AFTER  THE  ISOLATION  PROCEDURE  IS 
COMPLETED  AND  THE  MPS  HELIUM  LEAK  IS  DETERMINED  TO  BE 
NON-ISOLATABLE .  IF  IT  IS  DETERMINED  BY  THE  MCC  THAT  THE 
ABORT  CAN  BE  COMPLETED  WITHOUT  COMPROMISING  THE  NON¬ 
LEAKING  SUPPLY  OF  A  RUNNING  SSME,  MAIN  ENGINE  THROTTLES 
WILL  BE  RETURNED  TO  AUTO  PRIOR  TO  POWERED  PITCH  AROUND 
INITIATION.  OTHERWISE,  AUTO  SSME  THROTTLES  WILL  BE 
RESELECTED  AT  THE  COMPLETION  OF  POWERED  PITCH  AROUND. 
@[050495-1 753A]  @[100997-6298]  @[050400-71 95A] 

If  a  non-isolatable  MPS  helium  leak  exists  in  the  supply  of  one  of  two  running  SSME’s  while  performing 
cm  RTLS  abort ,  the  likelihood  that  the  associated  SSME  will  shut  down  early,  prior  to  reaching  single 
engine  abort  capability,  increases  significantly.  The  probability  that  the  shut  down  requirements  of  the 
last  SSME  are  violated  at  MECO  also  increases  significan  tly.  Both  possibilities  are  further  compounded 
on  the  RTLS  case  by  predicted  MECO  times  which  may  extend  by  as  much  as  3  minutes  longer  than  the 
nominal  uphill  MECO.  Furthermore,  since  the  maximum  SSME  operating  time  is  defined  at  liftoff  by  the 
prelaunch  loading  of  MPS  helium,  the  SSME  burn  time  cannot  be  extended  to  alleviate  these  concerns. 

The  only  available  option  is  to  use  a  higher  main  engine  power  level  in  order  to  minimize  the  predicted 
MECO  time. 

Analysis  by  flight  design  indicates  that  using  109  percent  throttles  on  an  RTLS  abort  can  decrease  the 
MECO  time  by  as  much  as  55  seconds,  assuming  109  is  maintained  throughout  the  trajectory  (reference 
Ascent  Abort  Panel  briefing  charts,  10/6/94,  “RTLS  MECO  Time  Reduction  for  MPS  Helium  Leaks”). 

The  resulting  decrease  in  predicted  MECO  time  may  be  the  difference  between  a  crew  bailout  and  an 
intact  abort  landing.  However,  it  must  be  noted  that  the  trade  off  of  using  109  percent  throttles  during  the 
RTLS  flyback  phase  is  that,  the  ET  separation  QBAR  is  decreased  by  approximately  1.5  psf  with  respect  to 
the  designed  RTLS  condition,  and  the  ET  separation  MPS  propellant  residuals  are  increased  by 
approximately  0.5  percent  over  the  designed  RTLS  condition.  Since  manual  throttles  must  be  maintained 
until  the  initiation  of  powered  pitch  around  in  order  to  stay  at  109  throttles  during  flyback,  the  GPC’s  will 
not  perform  mass  control  throttling  (auto  throttles  required )  and  the  resulting  separation  conditions  are 
slightly  off-nominal.  These  conditions  are  considered  acceptable  when  compared  to  violations  which  may 
occur  on  an  alternative  contingency  abort.  ®[050400-7i95A] 
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To  minimize  violations  of  the  designed  QBAR  and  residual  constraints  for  this  case,  SSME  throttles  will 
be  returned  to  the  AUTO  position  prior  to  powered  pitch  around  initiation  if  the  MCC  determines  that  the 
abort  can  be  completed  without  compromising  the  non  -leaking  helium  supply  of  a  running  SSME  while  in 
auto  throttles.  This  action  allows  the  GPC’s  to  perform  mass  control  throttling  during  flyback,  thereby 
con  trolling  ET  separation  conditions.  If  the  MCC  cannot  determine  abort  capability  prior  to  powered 
pitch  around  initiation,  then  manual  throttles  at  109  percent  are  maintained  until  powered  pitch  around  is 
complete.  Although  fine  mass  con  trol  will  not  be  performed,  returning  to  auto  throttles  after  powered 
pitch  around  completion  minimizes  crew  actions  during  the  pitch  around  maneuver  and  allows  the  engines 
to  remain  at  109  percent  power  level  until  the  fine  count  throttle  command  is  received  from  guidance  near 
MECO.  @[050400-71 95A] 

Flight  design  analysis  indicates  that  for  cases  involving  manual  throttling  after  powered  pitch  around 
initiation,  the  ET  separation  QBAR  and  MPS  residual  violations  are  minimized  when  the  109  percent 
SSME  throttle  setting  is  used  du  ring  flyback.  For  these  cases,  there  are  no  LO2  NPSP  concerns  since 
there  are  always  MPS  residuals  in  the  ET,  and  significan  t  NPSP  violations  only  occur  during  LO2  low 
level  cutoff.  Consequen  tly,  SSME  shut  down  from  the  fine  count  throttle  setting  is  a  preferred,  not  a 
mandatory,  condition.  @[050495-1 753A]  @[050400-71 95A] 

Rules  {A2-64J,  MANUAL  THROTTLE  CRITERIA;  { A4-53 },  USE  OF  MAXIMUM  THROTTLES;  {A5-5}, 
SUSPECT  ENGINE;  {A5-103J,  LIMIT  SHUTDOWN  CONTROL;  and  { A5-156 },  ABORT  PREFERENCE 
FOR  SYSTEM  FAILURES,  reference  this  rule.  ®[092195-1770A]  ®[ED  ]  @[100997-6298] 
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A.  IF  ALLOWABLE  HELIUM  INTERCONNECTS,  PER  RULE  {A5-152}, 

PRE-MECO  MPS  HELIUM  SYSTEM  INTERCONNECTS  [OIL] ,  WILL  NOT 
SATISFY  ZERO-G  SHUTDOWN  REQUIREMENTS  PER  PARAGRAPH  E, 

BUT  WILL  SATISFY  SHUTDOWN  REQUIREMENTS  AT  THE  CUES 
BELOW,  THE  AFFECTED  ENGINE  WILL  BE  SHUT  DOWN  MANUALLY 
(PUSH-BUTTON  ONLY  IF  POSSIBLE),  AS  FOLLOWS:  ©[090894-1676A] 


1.  MCC  DECISION  (PRIME) 

a.  NOMINAL/ ATO/AOA 

(1)  THREE  ENGINES  ON:  VI  =  23  KFPS 

(2)  TWO  ENGINES  ON:  VI  =  24.5  KFPS 

b.  TAL 

TWO  OR  THREE  ENGINES  ON  VI  =  22 . 5  KFPS 

c.  RTLS 

TWO  OR  THREE  ENGINES  ON:  ALPHA  =  -1  DEGREES 

@[032395-1 759A] 


In  this  case,  the  engine  will  run  with  the  helium  system  leak,  but  the  helium  supply  pressure  may  not  be 
able  to  support  the  zero-g  shutdown  requirements  at  MECO.  The  required  helium  supply  pressure  for  a 
safe  shu  tdown  will  depend  upon  the  number  of  helium  regulators  operating,  the  helium  leak  rate,  and 
type  of  shutdown  ( i.  e. ,  hydraulic  or  pneumatic).  If  the  requirements  for  a  pre-MECO  hydraulic, 
pneumatic,  or  single  regulator  shutdown  will  be  satisfied  subsequent  to  the  cues  mentioned  in  paragraph 
C,  manual  action  is  taken  to  shut  the  engine  down  while  still  protecting  shutdown  requirements.  The 
engine  is  shut  down  approximately  30  seconds  before  MECO  at  a  velocity  which  equates  to  MECO  minus 
30  seconds.  This  gives  guidance  time  to  adjust  to  the  late  engine  out  and  converge  on  the  proper  MECO 
targets.  The  only  exception  to  this  is  the  RTLS  abort  where  the  engine  is  shut  down  during  powered  pitch 
down  (alpha  equals  -I  degree).  @[032395-1 759A] 
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The  shutdown  pushbutton  is  used  for  engine  shutdown  instead  of  the  AC  power  switches  in  order  to  shut 
the  engine  down  hydraulically.  A  pre-MECO  hydraulic  shutdown  requires  less  helium  than  a  pre-MECO 
pneumatic  shutdown  and  also  retains  post-MECO  LO2  dump  capability  through  the  affected  engine.  It 
also  avoids  the  zero  fault  tolerant  pneumatic  shutdown  mode.  @[090894-1 676A] 

2.  ONBOARD  DECISION  (NO  COMMUNICATION)  @[090894-1 676A] 

a.  IF  A  NON- IS OL AT ABLE  MPS  HELIUM  LEAK  EXISTS,  THE  CREW 
WILL  SHUT  DOWN  THE  AFFECTED  ENGINE  AT  THE  APPROPRIATE 
BOUNDARY  LISTED  IN  PARAGRAPH  A1 . 

If  a  leak  develops  in  an  engine  helium  supply  and  the  crew  cannot  communicate  with  the  MCC,  shutting 
the  affected  engine  down  early  may  preven  t  the  violation  of  shutdown  helium  requiremen  ts  on  that 
engine.  With  no  communication  with  the  ground  the  crew  has  no  way  to  tell  when  the  helium 
requiremen  ts  will  be  violated.  The  helium  margin  which  exists  in  each  supply  at  liftoff  will  very  likely 
keep  shu  tdown  requiremen  ts  from  being  violated  at  the  cues  listed. 

b.  IF  AN  MPS  HELIUM  SYSTEM  IS  OPERATING  ON  A  SINGLE 
REGULATOR,  THE  CREW  CANNOT  COMMUNICATE  WITH  THE 
MCC,  AND  THE  HELIUM  SYSTEM  TANK  PRESSURE  ON  THAT 
SUPPLY  IS  LESS  THAN  2163  (2200)  PSIA  AT  MECO-60 
SECONDS,  THE  CREW  WILL  SHUT  DOWN  THE  AFFECTED 
ENGINE  AT  THE  APPROPRIATE  CUE  LISTED  ABOVE  IN 
PARAGRAPH  A1  .  @[110900-7239] 

1963  psia  is  the  minimum  engine  system  tank  pressure  which  will  support  MECO  requirements  while 
operating  on  a  single  regulator  (ref.  paragraph  E).  In  this  configuration,  approximately  200  psia  of 
helium  ( 10  psia/3  sec  x  60  sec)  is  used  between  the  velocity  cues  mentioned  in  paragraph  A1  and  MECO. 
Therefore,  if  the  affected  engine  tank  pressure  is  less  than  2163  psia  (1963  psia  +  200  psia)  at  MECO 
minus  1  minute,  MECO  shutdown  requirements  will  not  be  satisfied  and  the  engine  is  shut  down  pre- 
MECO.  The  crew  shutdown  cue  of  2200  psia  is  derived  by  adding  20  psia  instrumentation  error  and 
rounding  up  to  the  nearest  hundred  (1963  psia  +  200  psia  +  20  psia  instrumentation  error  +17  psia 
rounding  =  2200  psia).  @[110900-7239  ] 
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LEAKS  (CONTINUED) 

B.  IF  AN  ENGINE  HELIUM  SUPPLY  DEVELOPS  A  LEAK  WITHIN  60  SECONDS 
OF  MECO,  WITH  OR  WITHOUT  COMMUNICATION  WITH  THE  MCC,  THE  CREW 
WILL  USE  THE  SHUTDOWN  PUSHBUTTON  TO  SHUT  DOWN  THE  AFFECTED 
ENGINE  PRIOR  TO  MECO.  @[041196-1876] 

When  helium  system  leaks  develop  late  in  flight,  sufficient  time  to  evaluate  MECO  capability  may  not 
exist.  Since  pre-MECO  engine  shutdowns  consume  less  helium  than  zero-g  shutdowns,  it  is  safer  to  shut 
the  affected  engine  down  prior  to  MECO.  Shutting  the  engine  down  soon  after  a  helium  system  leak 
occurs  also  gives  guidance  software  time  to  converge  on  the  correct  MECO  velocity  targets. 

@[090894-1 676A] 

C.  IF  ENGINE  AND  PNEUMATIC  HELIUM  SYSTEMS  INTERCONNECTS  TO  AN 
ENGINE  WITH  A  LEAKING  MPS  HELIUM  SUPPLY  ARE  INSUFFICIENT  TO 
SUPPORT  ENGINE  SHUT  DOWN  AT  THE  CUES  OUTLINED  IN  PARAGRAPH 
Al,  ENGINE  SHUTDOWN  PRIOR  TO  THOSE  CUES  MUST  BE  ACCOMPLISHED 
IN  THE  FOLLOWING  MANNER  WHILE  TWO  OR  THREE  ENGINES  ARE 
RUNNING:  @[090894-1 676A]  ®[ED  ] 

1.  IF  NO  RUNNING  ENGINE  SUPPLIES  HAVE  BEEN  INTERCONNECTED: 

a.  THE  LEAKING  ENGINE  WILL  BE  ALLOWED  TO  SHUT  DOWN  ON 
THE  ENGINE  HPOTP  INTERMEDIATE  SEAL  (IMSL)  PURGE 
REDLINE  AS  LONG  AS  THE  ENGINE  HYDRAULIC  SYSTEM  IS 
FUNCTIONAL  AND  THE  SSME  REDLINE  LIMITS  ARE  ENABLED. 

On  the  Phase  II  SSME,  an  HPOTP  IMSL  purge  redline  violation  will  always  occur  when  the  intermediate 
seal  pressure  falls  below  170  psia.  However,  the  minimum  helium  system/engine  in  terface  pressure 
required  to  preven  t  an  HPOTP  IMSL  violation  decreases  over  the  duration  of  engine  operation.  As  the 
turbine/pump  shaft  heats  up,  the  intermediate  seal  gap  becomes  smaller.  Consequently,  lower  interface 
pressures  will  keep  the  HPOTP  IMSL  purge  pressure  above  170  psia.  If  the  helium  system  regulator 
outlet  pressure  at  the  start  of  shutdown  is  below  the  minimum  helium  system  regulator  outlet  pressure, 
the  resulting  helium  purge  flow  rates  may  be  significantly  reduced  during  the  shutdown  sequence.  If  two 
engine  abort  capability  to  a  landing  site  exists,  while  three  engines  are  running,  or  single  engine  abort 
capability  to  a  landing  site  exists,  while  two  engines  are  running,  a  leaking  engine  will  be  allowed  to  shut 
down  on  the  HPOTP  IMSL  purge  redline.  Although  minor  engine  erosion  may  occur  during  the 
shutdown  sequence  due  to  reduced  helium  pressure,  the  shutdown  will  be  contained  and  engine  run  time 
is  maximized.  @[050495-1 767B] 

On  the  BLOCK  I  SSME,  BLOCK  IIA  SSME,  and  the  BLOCK  II  SSME,  an  HPOTP  IMSL  purge  redline 
violation  will  always  occur  when  the  in  termediate  seal  pressure  falls  below  159  psia.  The  alternate 
HPOTP  used  on  these  engines  has  a  true  con  trolled  gap  IMSL  package.  Due  to  this  feature,  the 
minimum  helium  system/engine  interface  pressure  required  to  prevent  an  HPOTP  IMSL  violation  does 
not  change  over  the  duration  of  engine  operation.  @[050495-1 767B]  @[020196-1812  ]  ©[121197-6472A] 
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A5-153  PRE-MECO  SHUT  DOWN  OF  ENGINES  DUE  TO  MPS  HELIUM 

LEAKS  (CONTINUED) 


b.  IF  A  HYDRAULIC  SHUTDOWN  CANNOT  BE  PERFORMED,  MANUAL 
SHUTDOWN  WILL  BE  PERFORMED  AT  THE  MINIMUM  REQUIRED 
PNEUMATIC  SHUTDOWN  HELIUM  INTERFACE  PRESSURE  PER 
PARAGRAPH  El  OR  E2  OF  THIS  RULE. 


If  hydraulic  shutdown  capability  is  lost  for  any  reason,  the  pneumatic  shutdown  requirements  must  be 
manually  protected  in  order  to  prevent  a  catastrophic  shutdown  from  occurring.  @[090894-1 676A1 
@[100997-6298] 

2.  IF  A  RUNNING  SSME  WITH  A  NON-LEAKING  HELIUM  SUPPLY  HAS 

BEEN  INTERCONNECTED  TO  A  RUNNING  SSME  WITH  A  LEAKING  MPS 
HELIUM  SUPPLY  (ABORT  GAP)  .  @[090894-1 676A] 

For  this  case,  the  desired  single  engine  abort  capability  is  unattainable.  However,  a  contingency  abort 
may  still  be  performed.  Getting  as  far  down  range  as  possible  prior  to  MECO  improves  ET  separation 
conditions  and  decreases  orbiter  pull-out  loads;  hence,  both  engines  will  be  allowed  to  run  as  long  as 
possible.  Shutting  the  leaking  engine  down  before  the  good  engine  may  allow  both  engines  to  shut  down 
in  a  contained  manner,  since  the  leaking  engine  will  be  shut  down  under  g  ’s  and  therefore  consume  less 
helium  during  the  sequence. 

a.  THE  LEAKING  ENGINE  WILL  BE  SHUT  DOWN  AT  AN  HPOTP 

IMSL  PURGE  PRESSURE  (ON  ALL  QUALIFIED  SENSORS)  OF: 


PHASE 

II 

SSME  : 

40 

PSIA 

BLOCK 

I, 

I I A,  AND  II  SSME: 

60 

PSIA 

®[1 00997-6298  ]  @[1211 97-6472A] 

Phase  II  SSME:  Shutting  down  the  engine  with  the  leaking  supply  at  an  HPOTP  IMSL  pressure  of  40 
psia  keeps  that  engine  running  as  long  as  feasible  (a  positive  barrier  pressure  exists  as  measured 
between  the  IMSL  and  SECONDARY  SEAL  cavities)  while  the  vehicle  is  in  an  abort  gap.  40  psia,  as 
measured  by  the  IMSL  transducers,  equates  to  approximately  25  psia  in  the  IMSL  cavity.  The  nominal 
pressure  in  the  secondary  seal  cavity  is  12  psia.  This  results  in  a  pressure  differential  of  13  psia  across 
the  carbon  seals.  A  similar  barrier  pressure  margin  exists  across  the  carbon  seal  to  the  oxygen  (pump 
side)  drain.  Allowing  the  engine  with  the  leaking  MPS  helium  supply  to  run  to  cm  IMSL  pressure  of  40 
psia  is  a  worst  case  scenario  which  assumes  that  the  desired  abort  boundary  has  not  been  achieved,  and 
that  the  turbopump  seal  packages  are  intact.  @[050495-1 767B] 
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BLOCK  I SSME,  BLOCK  IIA  SSME,  and  BLOCK  II SSME:  Shutting  down  the  engine  with  the  leaking 
supply  at  an  HPOTP IMSL  pressure  of  60  psia  keeps  that  engine  running  as  long  as  feasible  (a  positive 
barrier  pressure  exists  between  the  IMSL  and  the  O2  and  H2  cavities)  while  the  vehicle  is  in  an  abort  gap. 
60  psia,  as  measured  by  the  IMSL  transducers,  equates  to  approximately  42  psia  in  the  IMSL  cavity.  The 
nominal  pressure  in  the  O2  cavity  is  16  psia  and  the  nominal  pressure  in  the  H2  cavity  is  25  psia.  This 
results  in  a  pressure  differential  of  26  and  17  psia  across  the  carbon  seeds.  Allowing  the  engine  with  the 
leaking  MPS  helium  supply  to  run  to  an  IMSL  pressure  of  60  psia  is  a  worst  case  scenario  which  assumes 

that  the  desired  abort  boundary  has  not  been  achieved  and  that  the  engine  seed  packages  are  intact. 
®[050495-1767B]  @[020196-1812]  @[100997-6298]  ®[1 21 1 97-6472A] 

b.  THE  NON-LEAKING,  RUNNING  ENGINE  WILL  BE  ALLOWED  TO 
RUN  UNTIL  MECO  OR  1150  PSIA,  WHICHEVER  COMES  FIRST. 

IF  A  MANUAL  SHUTDOWN  IS  REQUIRED,  IT  WILL  BE  WITH  THE 
SHUT  DOWN  PUSHBUTTON  ONLY.  @[090894-1 676 A]  @[100997-6298] 

Although  1288  psia  is  the  minimum  helium  system  tank  pressure  which  will  support  zero-g  shut  down  of 
cm  engine  with  two  good  regulators  and  no  helium  system  leak,  the  last  engine  will  be  allowed  to  run 
until  the  MPS  supply  pressure  reaches  the  crew  C&W  limit  of  1150  psia.  Allowing  the  engine  to  run  to 
1150  psia  provides  a  clear  engine  shutdown  cue  for  the  crew  (C&W  alarm  at  1150)  and  also  takes 
advan  tage  of  any  instrumentation  error/margin  which  may  exist  in  the  onboard  measuremen  t  system  and 
the  ground  predicted  shut  down  requirements  respectively.  @[100997-6298  ] 

Reference  Rule  {A5-152},  PRE-MECO  MPS  HELIUM  SYSTEM  INTERCONNECTS  [CIL],  for 
in  terconnect  procedures. 

D.  IF  AN  MPS  HELIUM  SYSTEM  IS  OPERATING  ON  A  SINGLE  REGULATOR 
AND  DOES  NOT  MEET  THE  ZERO-G  SHUTDOWN  REQUIREMENTS  OF  THE 
ASSOCIATED  ENGINE  AS  PREDICTED  BY  THE  MCC,  THE  ENGINE  WILL 
BE  SHUT  DOWN  PER  PARAGRAPHS  A  OR  C  ABOVE,  WHILE  PROTECTING 
THE  SINGLE  REGULATOR  SHUTDOWN  REQUIREMENTS  OF  PARAGRAPH  E.6 
BELOW. 

When  cm  MPS  helium  system  is  operating  on  a  single  helium  regulator,  the  supply  may  not  meet  the 
MECO  (zero-g)  shutdown  requirements  of  the  affected  engine.  If  it  is  predicted  that  the  MECO 
requirements,  as  stated  in  paragraph  E.6  below,  will  be  violated,  the  engine  must  be  shut  down  early 
according  to  paragraphs  A.  1,  C.l  or  C.2  above.  @[090894-1 676A] 
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E.  HELIUM  SYSTEM  REQUIREMENTS  FOR  ENGINE  SHUTDOWN  @[090894-1 676A] 

1.  MINIMUM  SHUTDOWN  PRESSURES  FOR  AN  ENGINE  WITH  A  LOWER 
SYSTEM  MPS  HELIUM  LEAK. 


TOTAL  HELIUM  MASS  FLOW  RATE  AT  ENGINE  S/D 
(LBM/SEC) 


Zero-G  S/D 


— ■—  Pneu  S/D 


Phil  R/L  S/D 
BLKI/II  R/L  S/D 


@[110900-7239] 


ZERO  G  S/D,  630  PSIA  AT  S/D  +7  SEC 
SINGLE  REG:  1963  (1983)  PSIA  @[110900-7239] 


es  PNEU  S/D,  529  PSIA  AT  S/D  +7  SEC 
SINGLE  REG:  1457  (1477)  PSIA 

A  PHASE  II  SSME: 

REDLINE  S/D,  518  PSIA  AT  S/D 
SINGLE  REG:  600  (620)  PSIA 


x  BLOCK  I  SSME,  BLOCK  IIA  SSME,  AND  BLOCK  II  SSME: 
REDLINE  S/D,  576  PSIA  AT  S/D 
SINGLE  REG:  679  (699)  PSIA 

@[050495-1 767B]  @[0201 96-1812]  ®[1 21 1 97-6472A]  ®[1 1 0900-7239  ] 
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A5-153  PRE-MECO  SHUT  DOWN  OF  ENGINES  DUE  TO  MPS  HELIUM 

LEAKS  (CONTINUED) 


A  lower  system  MPS  helium  leak  is  a  leak  downstream  of  the  system  regulators.  The  resulting  leak  rate 
should  be  constant.  Lower  system  leaks  are  isolatable  only  when  they  occur  between  the  regulator  and 
the  downstream  check  valve. 

The  zero-g  line  represents  the  minimum  supply  pressure  to  support  a  hydraulic  or  pneumatic  shutdown 
at  MECO  (zero-g)  with  two  system  regulators,  with  or  without  a  lower  system  MPS  helium  leak.  This 
requirement  is  the  ICD  value  of 630  psia  interface  pressure  at  shutdown  plus  7  seconds  (ref.  SSME-to- 
Orbiter  ICD  13M15000).  The  pneumatic  shutdown  line  represents  the  minimum  supply  pressure  to 
support  a  pre-MECO  pneumatic  shutdown  with  two  system  regulators,  with  or  without  a  lower  system 
leak.  This  requirement  is  based  on  an  analytical  value  of  529  psia  interface  pressure  at  shutdown  plus 
7  seconds.  The  redline  shutdown  curve  is  the  minimum  supply  pressure  at  which  the  HPOTP IMSL 
purge  redline  will  be  violated  with  one  or  two  system  regulators,  with  or  without  a  lower  system  leak. 
For  the  Phase  II SSME,  this  value  is  518  psia  interface  pressure  at  shutdown  and  is  based  on  an 
analysis  and  minimal  test  data  (reference  SODB  data  request  Rl-1507 ).  For  the  BLOCK  I  SSME, 
BLOCK  IIA  SSME,  and  the  BLOCK  II  SSME,  this  value  is  576  psia  interface  pressure  at  shutdown  and 
is  based  on  SSME  test  901-835  (reference  SODB  data  request  Rl-1640).  The  minimum  pressure  which 
will  support  the  expected  shutdown  mode  and  mass  flow  rate  should  always  be  protected.  These  curves 
include  20  psia  instrumentation  error.  ®[090894-l  676A]  ®[0201 96-1812]  ®[1 21 1 97-6472A]  ®[1 1 0900-7239  ] 
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A5-153  PRE-MECO  SHUT  DOWN  OF  ENGINES  DUE  TO  MPS  HELIUM 

LEAKS  (CONTINUED) 


2.  MINIMUM  SHUTDOWN  PRESSURES  FOR  AN  ENGINE  WITH  AN  UPPER 
SYSTEM  MPS  HELIUM  LEAK.  @[090894-1 676A] 


@[110900-7239] 

?  ZERO  G  S/D,  630  PSIA  AT  S/D +7  SECONDS 
PNEU  TK:  2800  (2820)  PSIA  (3  ENGINES  S/D) 

PNEU  TK:  2357  (2377)  PSIA  (1  ENGINE  S/D) 

^  PNEU  S/D,  529  PSIA  AT  S/D +  7  SECONDS 
PNEU  TK:  2036  (2056)  PSIA 

A  PHASE  II  SSME: 

REDLINE  S/D,  518  PSIA  AT  S/D 
PNEU  TK:  600  (620)  PSIA 

x  BLOCK  I  SSME,  BLOCK  IIA  SSME,  AND  BLOCK  II  SSME: 
REDLINE  S/D,  576  PSIA  AT  S/D 
PNEU  TK:  639  (659)  PSIA 

@[050495-1 767B]  @[020196-1812]  ®[1 21 1 97-6472A]  @[110900-7239] 
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A5-153  PRE-MECO  SHUT  DOWN  OF  ENGINES  DUE  TO  MPS  HELIUM 

LEAKS  (CONTINUED) 


An  MPS  upper  system  helium  leak  is  a  leak  upstream  of  the  system  regulators.  The  resulting  leak  rate 
should  decay  over  time.  Upper  system  leaks  are  isolatable  only  when  they  occur  between  the  helium 
isolation  valve  and  the  downstream  regulator. 

The  zero-g  line  represents  the  minimum  supply  pressure  to  support  a  hydraulic  or  pneumatic  shutdown 
at  MECO  (zero-g)  with  two  system  regulators,  with  or  without  an  upper  system  leak.  This  requirement 
is  the  ICD  value  of 630  psia  interface  pressure  at  shutdown  plus  7  seconds  (ref.  SSME-to-Orbiter  ICD 
13M15000).  The  pneumatic  shutdown  line  represents  the  minimum  supply  pressure  to  support  a  pre- 
MECO  pneumatic  shut  down  with  two  system  regulators,  with  or  without  an  upper  system  leak.  This 
requirement  is  based  on  an  analytical  value  of  529  psia  interface  pressure  at  shutdown  plus  7  seconds. 
The  redline  shutdown  curve  is  the  minimum  supply  pressure  at  which  the  HPOTP IMSL  purge  redline 
will  be  violated  with  one  or  two  system  regulators,  with  or  without  an  upper  system  leak.  For  the 
Phase  II SSME,  this  value  is  518  psia  interface  pressure  at  shutdown  and  is  based  on  analysis  and 
minimal  test  data  (reference  SODB  data  request  Rl-1507).  For  the  BLOCK  I  SSME,  BLOCK  IIA 
SSME,  and  the  BLOCK  II  SSME,  this  value  is  576  psia  interface  pressure  at  shutdown  and  is  based  on 
SSME  test  901-835  (reference  SODB  data  request  Rl-1640).  The  minimum  pressure  which  will 
support  the  expected  shutdown  mode  and  mass  flow  rate  should  always  be  protected.  These  curves 
include  20  psia  instrumentation  error.  ©[050495-1767B]  <S>[1 21 1 97-6472A]  ®[i  1 0900-7239  ] 

3.  IF  THE  ENGINE  CAN  SHUT  DOWN  HYDRAULICALLY  BUT  HPOTP 
IMSL  REDLINE  SHUT  DOWN  CAPABILITY  IS  LOST  FOR  ANY 
REASON,  A  MANUAL  SHUTDOWN  MUST  PROTECT  THE  MINIMUM 
INTERFACE  PRESSURES  FOR  A  PRE-MECO  HYDRAULIC  SHUT  DOWN 
AS  SHOWN  ABOVE  IN  PARAGRAPH  E.  @[090894-1 676A] 

If  both  HPOTP  IMSL  purge  pressure  transducers  have  failed  or  the  redline  limit  software  is  not 
available  for  any  reason,  a  redline  engine  shutdown  will  never  occur.  Manual  action  must  be  taken 
above  the  minimum  hydraulic  shutdown  interface  pressure. 

4.  IF  A  PNEUMATIC  SHUT  DOWN  IS  REQUIRED  FOR  ANY  REASON, 

A  MANUAL  SHUT  DOWN  MUST  PROTECT  THE  MINIMUM  INTERFACE 
PRESSURES  FOR  A  PRE-MECO  PNEUMATIC  SHUTDOWN  PER 
PARAGRAPH  E. 

For  all  four  SSME  types  (Phase  II,  BLOCK  /,  BLOCK  IIA,  and  BLOCK  II),  it  takes  significantly  more 
helium  to  support  a  pre-MECO  pneumatic  shutdown  than  it  does  to  support  a  pre-MECO  hydraulic 
shutdown.  Consequently,  pre-MECO  pneumatic  shutdown  capability  must  be  manually  protected  for  all 
cases  where  hydraulic  engine  function  has  been  lost  or  for  which  a  pneumatic  shutdown  will  occur. 
@[050495-1 767B]  ®[1 21 1 97-6472A] 
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A5-153  PRE-MECO  SHUT  DOWN  OF  ENGINES  DUE  TO  MPS  HELIUM 

LEAKS  (CONTINUED) 

5.  IF  THE  PNEUMATIC  SYSTEM  ALONE  WILL  BE  USED  TO  SUPPORT  THE 
SHUTDOWN  HELIUM  REQUIREMENT  OF  AN  ENGINE,  AND  THE  ENGINE 
SYSTEM  HAS  TWO  OPERATIONAL  REGULATORS  AND  NO  DOWNSTREAM 
HELIUM  LEAK,  THE  FOLLOWING  NUMBERS  MUST  BE  PROTECTED: 

a.  ZERO-G  -  2800  (2820)  PSIA 

(3  ENG  S/D)  @[110900-7239] 

-  2357  (2377)  PSIA 

(1  ENG  S/D) 

b.  PRE-MECO  PNEUMATIC  -  2036  (2056)  PSIA 

c.  PRE-MECO  HYDRAULIC: 

PHASE  II  SSME  -  600  (  620)  PSIA 

BLOCK  I,  I I A,  AND  II  SSME  -  639  (  659)  PSIA 

@[050495-1 767B]  @[020196-1812]  ®[1 21 1 97-6472A]  @[110900-7239] 

If  the  MPS  supply  system  has  an  upper  system  leak,  the  pneumatic  system  will  be  interconnected  to  the 
engine  as  late  in  the  flight  as  is  practical,  but  above  the  minimum  tank  pressure  required  to  support 
engine  shut  down.  After  the  interconnect  is  performed  a  determination  is  made  as  to  whether  or  not  the 
leak  is  an  upper  system  leak  or  a  tank  leak.  If  the  leak  is  found  to  be  a  tank  leak,  the  pneumatic  tank  only 
numbers  must  be  protected.  The  leak  in  the  tank  may  deplete  all  of  the  engine  system  helium  before  the 
pneumatic  tank  and  engine  tank  equalize  in  pressure.  If  this  is  the  case,  the  pneumatic  tank  alone  must 
support  engine  shutdown.  @[090894-1 676A] 
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A5-153  PRE-MECO  SHUT  DOWN  OF  ENGINES  DUE  TO  MPS  HELIUM 

LEAKS  (CONTINUED) 


6.  WHEN  AN  MPS  HELIUM  SUPPLY  OPERATION  OCCURS  THROUGH  A 

SINGLE  REGULATOR  BECAUSE  OF  AN  ISOLATED  LEAK  OR  SYSTEM 
FAILURE,  SINGLE  REGULATOR  SHUTDOWN  REQUIREMENTS  MUST  BE 
PROTECTED.  THE  MINIMUM  ENGINE  SYSTEM  HELIUM  TANK 
PRESSURE  REQUIREMENTS  FOR  SINGLE  REGULATOR  SHUTDOWN 
WITHOUT  A  HELIUM  LEAK  ARE:  ®[090894-1 676A] 

a.  ZERO-G  -  1963  (1983)  PSIA  ®[i 1 0900-7239 ] 

b.  PRE-MECO  PNEUMATIC  -  1457  (1477)  PSIA 

c.  PRE-MECO  HYDRAULIC: 


PHASE 

II 

SSME 

600 

(  620) 

PSIA 

BLOCK 

1/ 

I I A,  AND  II  SSME  - 

679 

(  699) 

PSIA 

®[050495-1767B]  @[020196-1812]  ®[1 21 1 97-6472A]  @[110900-7239] 

The  requiremen  ts  for  engine  shutdown  in  the  single  regulator  mode  are  represen  ted  by  three  distinct 
pressures.  The  single  regulator  must  now  flow  two  times  nominal  mass  in  order  to  meet  shutdown 
requiremen  ts.  A  higher  in  itial  helium  tank  pressure  is  needed  to  meet  this  demand.  @[050495-1 767B] 
®[ED  ]  @[100997-6298] 

Rules  { A5-5J ,  SUSPECT  ENGINE;  (A5-102},  AUTO/MANUAL  SHUTDOWN;  {A5-103},  LIMIT 
SHUTDOWN  CONTROL;  { A5-106 }.  MANUAL  SHUTDOWN  FOR  COMMAND/DATA  PATH 
FAILURES;  and  {A5-152},  PRE-MECO  MPS  HELIUM  SYSTEM  INTERCONNECTS  [CIL],  reference 

this  rule.  @[121 197-6482B]  ®[1 1 1298-6785A] 
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A5-154  LH2  TANK  PRESSURIZATION  [CIL] 

THE  ET  LH2  TANK  ULLAGE  PRESSURE  WILL  BE  MANUALLY  CONTROLLED 
USING  THE  LH2  ULLAGE  PRESSURE  SWITCH  WHEN  THE  LH>  ULLAGE 
PRESSURE  IS  <  27.7  (28.0)  PSIA.  THE  PRESSURIZATION  WILL  BE 

CONTROLLED  SO  THAT  THE  ULLAGE  PRESSURE  DOES  NOT  EXCEED  35  (34.0) 

PSIA  TO  AVOID  THE  LOW  CRACKING  PRESSURE  OF  THE  TANK  VENT/RELIEF 
VALVE.  ©[101096-4474A] 

The  pressurization  flow  control  system  consists  of  three  tank  ullage  pressure  sensors,  signal  conditioners 
for  the  orbiter  flow  control  valve  electronics,  and  three  gaseous  hydrogen  flow  control  valves.  Each 
ullage  pressure  sensor  is  wired  to  a  signal  conditioner  which  in  turn  controls  the  GH2  pres surant  flow 
from  its  respective  engine.  Each  control  system  is  single  string;  i.  e. ,  ullage  pressure  no.  1  feeds  only  the 
electronics  for  the  center  SSME,  no.  2  to  the  left  SSME,  and  no.  3  to  the  right  SSME.  The  flow  control 
valves  are  used  to  maintain  the  LH2  tank  ullage  pressure  between  32  and  34  psia.  The  signal 
conditioners  use  33.0  psia  as  the  set  point  for  the  ullage  pressure.  Failure  of  one  flow  control  valve  to 
the  closed  position  (low  flow)  does  not  cause  the  ullage  pressure  to  drop  below  28.0  psia  or  violate  the 
SSME  NPSP ICD.  However,  the  pressure  cannot  be  maintained  above  28.0  psia  when  two  flow  control 
valves  fail  closed.  Additionally,  failure  of  one  flow  control  valve  to  the  open  position  (high  flow)  does 
not  cause  the  ullage  pressure  to  rise  to  the  LH2  tank  vent  valve  relief  setting  of  36  psia  (reference 
December  22,  1995  PSIG  and  Rockwell  action  item  951208-02).  ®[02i  199-6791  A] 

There  are  several  failure  modes  associated  with  the  LH2  tank  pressurization  flow  control  system.  This 
flight  rule  addresses  the  case  of  two  ullage  pressure  sensors  failed  high  (i.e.,  above  the  ullage  pressure 
where  the  flow  control  valve  is  commanded  closed)  which  will  cause  their  respective  flow  control  valves 
to  remain  closed.  The  remaining  flow  control  system  will  not  main  tain  the  tank  pressure.  When  the  true 
tank  pressure  decays  to  28.0  psia  on  the  remaining  good  sensor,  a  class  3  BFS  alert  will  be  set.  (The 
28.0  psia  value  was  reviewed  and  approved  as  DCR  3 581 A  and  DCR  3586  at  the  July  11,  1996  SASCB.) 
An  LH2  ullage  pressure  of  28.0  psia  is  the  value  at  which  manual  action  will  be  taken.  This  pressure 
includes  crew  response  time  and  one  sigma  dispersions  of  the  instrumen  tation  error:  0.21  psia  (reference 
Booster  SCP  2.2.1).  Additionally,  this  lower  value  of  28.0  psia  protects  the  minimum  ullage  pressure  to 
support  the  NPSP  requirement  of  27.7  (reference  December  22,  1995  PSIG  and  Rockwell  action  item 
951208-02,  chart  1-18).  In  response  to  the  alert,  the  crew  will  use  the  LH2  ullage  pressure  switch  to 
open  the  flow  control  valves  by  overriding  the  electronics  on  all  flow  control  valves.  The  tank  pressure 
should  then  increase.  However,  the  pressure  could  go  through  the  control  band  and  reach  the  tank  vent 
valve  relief  setting  of  36  ?  1  psig.  Therefore,  the  value  of  34.0  psia  was  chosen  as  the  value  at  which  the 
crew  would  close  the  flow  control  valves  before  ven  ting  could  occur.  If  venting  occurs  while  the  vehicle 
is  in  first  stage,  afire  could  propagate  along  the  side  of  the  external  tank  (reference  PRCB  presentation 
February  10,  1987  and  the  32nd  PSIG).  The  high  flow  setting  of  the  -1301  FCV’s  (70  percen  t  instead  of 
100  percen  t  used  with  the  -0361)  allows  for  manual  action  to  be  taken  prior  to  staging.  For  this  failure 
case,  venting  GH2  is  not  a  concern  due  to  a  gradual  pressure  recovery  when  the  switch  is  placed  in  the 
high  flow  position  during  first  stage  (reference  May  8,  1996  PSIG  and  action  item-94 1005 -03  Rev  3). 
®[101096-4474A]  ®[021 1 99-6791  A] 
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A5-154  LH2  TANK  PRESSURIZATION  [CIL]  (CONTINUED) 

Other  failure  modes  of  the  GH2  pressurization  system  include:  a  mechanical  failure  of  two  flow  control 
valves,  a  flow  restriction  in  either  an  SSME  GH2  repressurization  path  or  in  the  main  pressurization  line, 
a  hole  in  the  side  of  the  LH2  tank  or  a  vent  valve  not  closed.  However,  the  LH2  ullage  pressure  switch 
cannot  correct  conditions  caused  by  these  failure  modes.  For  these  cases,  all  three  ullage  pressures  could 
decay  below  28.0  psia  since  the  sensors  are  accurately  reading  the  decaying  tank  pressure.  If  the  pressure 
decay  continues,  the  minimum  NPSP  of  the  engines  will  be  violated.  ®[101096-4474A]  ®[021 199-6791  A] 

Rules  { A4-56H },  PERFORMANCE  BOUNDARIES,  and  {A5-1 55},  LIMIT  SHUTDOWN  CONTROL  AND 
MANUAL  THROTTLING  FOR  LOW  LH2  NPSP,  reference  this  rule.  ®[07i 494-1 646A] 

A5-155  LIMIT  SHUTDOWN  CONTROL  AND  MANUAL  THROTTLING  FOR 

LOW  LH2  NPSP  @[040899-681 8A] 

A.  MAIN  ENGINE  LIMIT  SHUTDOWN  SOFTWARE  WILL  BE  MANUALLY  ENABLED 
UPON  RECOGNITION  OF  EITHER  AN  LIH>  ULLAGE  LEAK  OR  FOR  ANY 
ORBITER  GH2  PRESSURIZATION  SYSTEM  ANOMALY  EXCEPT  ONE  Gt£ 

FLOW  CONTROL  VALVE  FAILED  CLOSED. 


For  LH2  net  positive  suction  pressure  (NPSP)  decaying  below  the  ICD  requirement,  the  engines  will 
eventually  violate  their  high  pressure  fuel  turbopump  (HPFTP)  turbine  discharge  temperature  (TDT) 
redlines.  Low  LH2  NPSP  causes  the  fuel  turbopumps  to  cavitate,  resulting  in  turbine  overspeed  and 
increased  discharge  temperatures.  Cavitation  is  possible  on  all  SSME's;  therefore,  the  main  engine  limit 
shutdown  software  will  be  manually  enabled  to  allow  any  number  of  engines  to  shut  down  for  HPFT  TDT 
redline  exceedance. 

B.  ORBITER  GH2  PRESSURIZATION  SYSTEM  ANOMALY 

IF  ULLAGE  PRESSURE  IS  STEADILY  DECAYING  BELOW  THE  CONTROL  BAND  AND 
IS  NOT  THE  RESULT  OF  AN  ULLAGE  LEAK  (PER  RULE  {A5-9},  LH2  ULLAGE 
LEAK) ,  THE  ENGINES  WILL  BE  MANUALLY  THROTTLED  PER  THE  STEPS  GIVEN 
BELOW.  THE  MANUAL  THROTTLE  STEPS  WILL  BE  BASED  ON  THE  SETTINGS 
LISTED  IN  THE  TABLE  BELOW  WHEN  THE  LH>  NPSP  DROPS  BELOW  3.5  PSI  OR 
THE  HPFTP  TDT ’ S  INCREASE  TO  WITHIN  75  DEG  R  OF  THEIR  REDLINES.  TO 
PREVENT  THE  VEHICLE  ACCELERATION  FROM  EXCEEDING  3.0  G' S  AFTER 
MANUAL  THROTTLING  IS  INVOKED,  THE  CREW  WILL  MANUALLY  THROTTLE  BACK 
TO  MAINTAIN  3.0  G' S  .  ®[ED  ]  @[040899-681 8A]  @[031500-71 81  A]  ®[ED  ] 

STEP  THROTTLE  SETTING  (PERCENT) 

1  95 

2  80 

3  67 

THIS  RULE  CONTINUED  ON  NEXT  PAGE 


VOLUME  A  11/21/02  FINAL,  PCN-1  BOOSTER  5-86 

Verify  that  this  is  the  correct  version  before  use. 


NASA  -  JOHNSON  SPACE  CENTER 


FLIGHT  RULES 


A5-155  LIMIT  SHUTDOWN  CONTROL  AND  MANUAL  THROTTLING  FOR 

LOW  LH2  NPSP  (CONTINUED) 

ONCE  INITIATED,  MANUAL  THROTTLES  WILL  BE  MAINTAINED  UNTIL  MECO . 

A  MANUAL  MECO  WILL  BE  REQUIRED. 

A  GH2  pressurization  system  anomaly  could  be  caused  by  either  multiple  flow  control  valves  failed 
closed  or  a  plugged  GH2  pressurization  leg.  Coverage  of  the  highly  unlikely  GH2  plugged 
pressurization  leg  failure  mode  is  a  result  ofPRCB  Directive  S050270DP,  “ Main  Propulsion  System 
(MPS)  Critical  Items  List  ( CIL)  Submitted  Weaver  Request,  ”  November  9,  1998.  @[040899-681 8A] 

Underspeeds  resulting  from  two  GH2  flow  control  valves  fedled  closed  or  a  plugged  GH2  pressurization 
leg  for  specific  engine  configurations,  or  three  GH2flow  con  trol  valves  failed  closed  in  all  cases,  will 
potentially  result  in  loss  of  crew  and  vehicle  due  to  either  early  engine  shutdowns  ( due  to  LH2  NPSP)  or 
ET  structural  failure.  Manually  throttling  to  a  lower  throttle  setting  increases  the  supplied  NPSP  by 
lowering  LH2  pressure  losses  across  the  LH2  manifolds  and  lines  and  also  reduces  the  SSME  NPSP 
requirement  for  engine  operation.  The  combination  of  higher  supplied  NPSP  and  reduced  NPSP 
requirement  enables  continued  engine  operation.  Once  initiated,  manned  throttles  are  maintained  until 
MECO  in  order  to  prevent  the  auto  throttle  up  to  the  mission  power  level  that  would  occur  following  an 
SSME  failure.  Since  the  NPSP  drops  with  this  throttle  up,  maintaining  manned  throttles  protects  against 
the  potential  loss  of  additional  SSME(s).  ®[05i  500-7181  A] 

The  severity  of  the  LH2  NPSP  loss  is  not  only  dependen  t  upon  the  GH2  pressurization  system  failure 
mode  but  also  upon  the  engine  configuration  and  power  level  for  a  particular  mission.  Analysis  shows 
that  two  GH2flow  control  valves  failed  closed  on  a  nominal,  ATO,  or  AO  A  mission  using  three  Block  I 
or  Phase  II  SSME’s  at  104  percent  will  not  result  in  a  LH2  NPSP  degradation  which  requires  throttling 
( reference  February  19,  1997  PSIG,  Action  Item  970205-01).  Analysis  also  shows  that  missions  using 
specific  combinations  of  Block  I  and  Block  II  SSME’s  may  require  throttling  if  two  flow  control  valves 
are  failed  closed.  Further  analysis  suggests  that  throttling  may  be  expected  for  those  missions  using 
three  Block  IIA/II  SSME’s  if  two  flow  control  valves  are  fedled  closed  or  one  of  the  SSME’s 
pressurization  legs  becomes  plugged  such  that  there  is  0  percent  flow  from  that  leg. 

A  GH2  pressurization  leg  refers  to  the  series  of  hardware  in  the  GH2  pressurization  line  that  carries 
flow  from  each  SSME’s  LPFTP  turbine  outlet  to  the  2-inch  pressurization  line  that  provides  ullage 
pressure  to  the  ET  LH2  tank.  Each  engine  contains  a  check  valve,  a  filter,  and  a  flow  control  valve 
(reference  SSSH  10-12).  The  hardware  in  these  lines  could  poten  tially  fail  closed  or,  in  the  most  extreme 
case,  become  plugged  by  contamination.  @[040899-681 8A] 
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A5-155  LIMIT  SHUTDOWN  CONTROL  AND  MANUAL  THROTTLING  FOR 

LOW  LH2  NPSP  (CONTINUED) 


There  are  three  possible  scenarios  resulting  in  a  plugged  GH2  pressurization  system  leg.  The  first 
scenario  involves  the  filter  upstream  of  the  flow  control  valve  becoming  plugged,  resulting  in  0  percen  t 
flow  to  the  associated  valve.  The  second  and  third  scenarios  are  cm  obstruction,  or  mechanical  failure, 
of  the  check  valve  upstream  of  the  flow  con  trol  valve  or  an  obstruction  of  the  flow  control  valve  itself. 
This  would  result  in  0  percent  flow  being  provided  from  that  engine  to  the  2-inch  pressurization  line. 
Since  flow  from  cdl  three  pressurization  legs  is  required  to  maintain  ullage  pressure  above  32.6  psia,  all 
three  flow  control  valves  will  be  commanded  open  as  the  system  attempts  to  maintain  pressure  in  the  ET 
LH2  tank.  However,  since  flow  in  a  single  leg  is  obstructed,  ullage  pressure  will  steadily  decay  below 
the  control  band  as  the  fuel  volume  in  the  ET  LH2  tank  decreases.  @[040899-681 8A] 

The  value  of  3.5  psifor  the  LH2  NPSP  was  chosen  as  the  primary  cue  to  avoid  LH2  NPSP  regions  where 
severe  cavitation  occurs  and  HPFTP  turbine  temperatures  increase  exponentially.  The  HPFTP  is 
expected  to  run  to  a  LH2  NPSP  of  1.0  to  2.0  psi  before  cavitation  becomes  critical.  The  ground  LH2 
NPSP  computation  assumes  a  3  sigma  worst  case  LH2  inlet  temperature  of  37.2  deg  Rfrom  liftoff  until 
MECO.  The  use  of  this  worst  case  temperature  provides  for  2  sigma  protection  ( i.  e. ,  a  0.8  psi  bias)  in 
the  ground  NPSP  computation.  The  ground  computation  uncertain  ties  are  a  result  of  measuremen  t 
inaccuracies  in  ullage  pressure,  head  pressure,  frictional  losses,  and  vapor  pressure  used  in  the 
derivation  of  NPSP.  On  average,  the  actual  vehicle  NPSP  will  be  0.8  psi  higher  than  the  NPSP  value 
displayed  by  the  MCC  ground  computation.  HPFTP  TDT’s  were  selected  as  a  backup  cue  in  case  an 
HPFTP  starts  to  severely  cavitate  at  a  higher  LH2  NPSP  value  than  expected.  Both  temperature  limits 
(channels  A  and  B)  are  calculated  by  subtracting  75  deg  R  from  the  redlines.  Larger  margins  from  the 
redline  may  overlap  the  nominal  operating  temperature  range  and  provide  false  cues  for  action  (ref. 
PSIG  Flight  Rule  Reviews  on  2/25/88,  3/23/88,  and  11/17/93).  ®[07i  494-1 646A] 

The  cue  of  3.0  g’s  of  acceleration  was  selected  to  ensure  protection  of  vehicle  acceleration  limits  (3.0  g). 
Various  vehicle  configurations  or  GH2  pressurization  system  failure  modes  may  or  may  not  result  in 
exceedance  of  vehicle  acceleration  limits.  However,  if  a  3.0  g  acceleration  limit  is  used  as  an  auto  or 
manned  throttling  cue  for  all  cases,  vehicle  structural  limits  are  protected  at  all  times.  Reference  Rule 
/ A2-61 j,  Q-BAR/G-CONTROL.  Three-g  is  not  used  as  a  cue  for  the  first  manual  throttle  step  since 
leaving  throttles  in  auto  will  throttle  at  3.0  g  ’s.  Once  man  ned  throttles  are  taken  for  an  NPSP  or  HPFTP 
TDT  cue,  throttles  will  remain  in  manned  and  3.0  g’s  will  be  protected  in  addition  to  the  NPSP  and 
HPFTP  TDT  cues.  The  shuttle  crews  are  trained  that  after  selecting  manned  throttles,  if  the  vehicle 
acceleration  exceeds  3.0  g’s,  they  will  need  to  manually  throttle  to  maintain  3.0  g’s.  ®[03i 500-71 81  A] 

Throttling  in  three  steps  was  selected  to  minimize  crew/MCC  impact  and  workload.  The  steps 
approximately  divide  the  action  equally  into  thirds.  The  first  step,  95  percent,  was  originally  chosen  to 
avoid  the  Rocketdyne  HPFTP  impeller  resonance  region  ( i.  e. ,  88  to  92  percent).  This  is  no  longer  a 
concern  as  a  result  of  a  redesign  of  the  impeller.  The  throttle  setting  of  95  percent  was  retained  for 
training  simplicity.  The  second  step,  80  percen  t,  is  midway  between  the  first  step  and  the  minimum 
power  level.  The  last  step,  67  percent,  is  the  minimum  power  level  and  further  commanded  power 
reduction  is  not  possible.  @[040899-681 8A] 
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A5-155  LIMIT  SHUTDOWN  CONTROL  AND  MANUAL  THROTTLING  FOR 

LOW  LH2  NPSP  (CONTINUED) 

C.  LH2  ULLAGE  LEAK  @[040899-681 8A] 

MANUAL  THROTTLES  WILL  BE  SELECTED  IMMEDIATELY  FOLLOWED  BY  A 
TAL  ABORT  TO  THE  MOST  IN-PLANE  SITE  (GO  TAL  SITE  OR  ACLS) . 
AFTER  TAL  SELECTION,  THE  THROTTLES  WILL  BE  RETURNED  TO  AUTO. 

Throttling  for  low  LH2  NPSP  due  to  an  LH2  ullage  leak  (reference  Rule  {A5-9},  LH2  ULLAGE  LEAK), 
or  an  open  LH2  vent/relief  valve,  delivers  less  ullage  pressurization  gas  causing  LH2  NPSP  to  decay 
faster  than  keeping  the  engines  at  104  percent.  ®[ED  ] 

GPC  software  automatically  throttles  the  engines  down  if  TAL  is  selected  above  an  I-locided  inertial 
velocity.  To  prevent  the  software  from  throttling  the  engines  down  when  there  is  an  LH2  ullage  leak, 
manual  throttles  are  selected  prior  to  selecting  TAL.  Once  TAL  is  selected,  the  throttles  will  be  returned 
to  AUTO  where  they  will  stay  at  104  percent  until  3  g’s  are  reached.  Three-g  throttling  may  cause 
engine  shutdowns,  but  this  is  an  accepted  risk  to  avoid  vehicle  structural  damage.  @[071 494-1 646A] 

Since  there  is  no  way  to  accurately  predict  when  engine  shutdown  will  occur  for  this  case,  it  is  important 
to  reach  multiple  engine-out  capability  and  an  acceptable  MECO  as  soon  as  possible.  The  earliest 
multi-engine  out  abort  site,  either  ACLS  or  TAL,  will  always  be  the  preferred  one  for  this  case  (reference 
rule  {A4-56J,  PERFORMANCE  BOUNDARIES). 

The  main  engine  limit  shutdown  software  will  be  manually  enabled  upon  recognition  of  this  failure  to 
protect  against  multiple  engine  shutdowns  without  limits  enabled. 

Rules  (A2-64J,  MANUAL  THROTTLE  CRITERIA;  (A2-61J,  Q-BARJG-CONTROL;  (A2-301J, 
CONTINGENCY  ACTION  SUMMARY;  {A4-56},  PERFORMANCE  BOUNDARIES;  {A4-59},  MANUAL 
THROTTLE  SELECTION;  { A5-9 },  LH2  ULLAGE  LEAK;  {A5-103J,  LIMIT  SHUTDOWN  CONTROL; 

{. A5-154 },  LH2  TANK  PRESSURIZATION  [CIL];  and  {A5-156},  ABORT  PREFERENCE  FOR  SYSTEMS 
FAILURES,  reference  this  rule.  ®[092195-1770A]  @[040899-681 8A]  ®[ED  ] 
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A5-156  ABORT  PREFERENCE  FOR  SYSTEMS  FAILURES 

A.  LH2  ULLAGE  LEAK  @[040899-681 8A] 

IF  LOW  LH2  NPSP  OCCURS  DUE  TO  AN  EXTERNAL  TANK  LH?  ULLAGE 
LEAK,  A  TAL  ABORT  WILL  BE  PERFORMED  TO  A  TAL  OR  ACLS  BASED 
ON  WHICHEVER  PROVIDES  THE  EARLIEST  MULTIPLE  ENGINE-OUT 
CAPABILITY.  ®[ED  ] 

B.  GH2  PRESSURIZATION  SYSTEM  ANOMALIES 

IF  THE  LOW  LH2  NPSP  OCCURS  DUE  TO  THREE  GH2  FLOW  CONTROL 
VALVES  FAILED  CLOSED,  A  TAL  ABORT  WILL  BE  PERFORMED  TO  A 
TAL  OR  ACLS  BASED  ON  WHICHEVER  PROVIDES  THE  EARLIEST 
MULTIPLE  ENGINE-OUT  CAPABILITY.  THIS  IS  THE  ONLY  GIJ 
PRESSURIZATION  SYSTEM  ANOMALY  FOR  WHICH  AN  ABORT  WILL  BE 
PERFORMED.  REFERENCE  RULE  {A5-155},  LIMIT  SHUTDOWN  CONTROL 
AND  MANUAL  THROTTLING  FOR  LOW  LH?  NPSP. 

A  TAL  abort  is  preferred  over  RTLS  because  TAL  MECO  conditions  are  satisfied  sooner  than  RTLS 
MECO  conditions.  If  an  LHj  ullage  leak  occurs,  throttling  will  not  be  performed  for  low  LH2  NPSP 
(see  rationale  for  Rule  {A5-155CJ,  LIMIT  SHUTDOWN  CONTROL  AND  MANUAL  THROTTLING 
FOR  LOW  LH2  NPSP).  Once  an  ullage  leak  occurs,  it  is  possible  for  the  leak  to  worsen.  In  this  case, 
the  NPSP  may  deteriorate  much  faster  than  the  failed  closed  flow  control  valve  case.  There  is  no 
method  to  predict  when  engine  shutdown  will  occur.  It  is  important  to  reach  multiple  engine-out 
capability  and  MECO  conditions  as  soon  as  possible.  The  earliest  MECO  conditions  and  multiple 
engine-out  capabilities  are  available  during  a  TAL  abort  or  an  abort  to  an  ACLS.  If  an  intact  abort  is 
not  performed,  the  risk  of  a  bailout  or  other  contingency  condition  will  increase.  @[021 199-6791  A] 

An  abort  will  not  be  performed  for  two  flow  control  valves  failed  closed  or  for  a  plugged  GH2 
pressurization  system  leg.  The  flow  con  trol  valves  are  normally  open  valves  (must  be  powered  closed). 
The  close  power  will  cycle  the  valves  as  required  to  satisfy  the  ullage  pressure  control  band  (reference 
Rule  { A5-154  j,  LH2  TANK  PRESSURIZATION  [ CIL]).  It  is  assumed  that  the  failure  will  occur  during 
power  cycling.  With  two  valves  failed  closed,  the  third  valve  will  not  be  power-cycled.  Therefore,  the 
third  valve  will  remain  open  ( unpowered )  and  nominal  MECO  conditions  may  be  achieved  by 
implementing  Rule  / A5-155 },  LIMIT  SHUTDOWN  CONTROL  AND  MANUAL  THROTTLING  FOR 
LOW  LH2  NPSP.  For  a  plugged  GH2  pressurization  leg,  the  other  two  flow  control  valves  will 
operate  and  nominal  MECO  conditions  may  be  achieved  by  implementing  Rule  { A5-155 },  LIMIT 
SHUTDOWN  CONTROL  AND  MANUAL  THROTTLING  FOR  LOW  LH2  NPSP.  If  three  flow  control 
valves  are  failed  closed,  a  TAL  abort  will  be  selected.  @[040899-681 8A] 

THIS  RULE  CONTINUED  ON  NEXT  PAGE 
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A5-156  ABORT  PREFERENCE  FOR  SYSTEMS  FAILURES  (CONTINUED) 

C.  ENGINE-TO-ENGINE  HELIUM  INTERCONNECT 

A  TAL  ABORT  TO  EITHER  A  TAL  OR  ACLS,  BASED  ON  WHICHEVER 
PROVIDES  THE  EARLIEST  MULTIPLE  ENGINE-OUT  CAPABILITY,  WILL 
BE  PERFORMED  IF  THE  HELIUM  SYSTEM  FROM  A  RUNNING  ENGINE  IS 
INTERCONNECTED  TO  A  LEAKING  ENGINE  HELIUM  SUPPLY  IN  ORDER 
TO  ACHIEVE  INTACT  ABORT  CAPABILITY  (REF.  RULE  {A5H.52B}, 
PRE-MECO  MPS  HELIUM  SYSTEM  INTERCONNECTS  [CIL]  )  @[090894-1 676A ] 

Because  of  the  severity  of  the  helium  leak  which  requires  the  implemen  tation  of  Rule  (A5-152B},  PRE- 
MECO  MPS  HELIUM  SYSTEM  INTERCONNECTS  [ CIL],  adequate  helium  may  not  be  available  to 
support  three-engine  operation  to  nominal  MECO.  In  this  case,  it  is  possible  that  a  non-leaking  engine  as 
well  as  the  leaking  engine  could  shut  down  due  to  inadequate  helium.  Therefore,  it  is  important  to  reach 
multiple  engine-out  capability  and  MECO  conditions  as  soon  as  possible.  This  will  be  accomplished  by 
performing  a  TAL  abort  or  an  abort  to  an  ACLS.  @[090894-1 676A]  ®[021 199-6791  A] 

Rule  {A5-9},  LH2  ULLAGE  LEAK,  references  this  rule.  @[040899-681 8A]  ®[ED  ] 
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A5-157  ET  LOW  LEVEL  CUTOFF  SENSOR  FAILED  DRY 

THE  FAILURE  TO  THE  DRY  STATE  OF  THREE  OR  MORE  ET  PROPELLANT  LOW 
LEVEL  SENSORS  ON  THE  SAME  TANK  WILL  REQUIRE  A  TAL  ABORT  TO  BE 
PERFORMED  (TO  A  TAL,  OR  ACLS  IF  NO  TAL  SITE  IS  AVAILABLE)  IF 
UPHILL  CAPABILITY  DOES  NOT  EXIST  (REF.  RULE  {A4-56H}.1, 
PERFORMANCE  BOUNDARIES) .  A  PREFLIGHT  EVALUATION  WILL  BE 
REQUIRED  TO  DETERMINE  UPHILL  CAPABILITY  FOR  THIS  FAILURE. 

@[021397-4824] 

NOTE:  THREE  OR  MORE  "DRY"  INDICATIONS  WILL  CAUSE  PREMATURE  MECO 

IF  THE  LOW  LEVEL  ARM  COMMAND  IS  PRESENT  PRIOR  TO  REACHING 
THE  REQUIRED  MECO  TARGET.  TWO  SENSORS  INDICATING  "DRY" 
WILL  NOT  REQUIRE  AN  ABORT. 

Propellant  low  level  shutdown  software  is  provided  to  protect  the  vehicle  from  an  uncon  trolled  engine 
failure  which  would  be  caused  by  the  depletion  of  either  LO2  or  LH2  propellant  to  a  running  engine. 

The  software  logic  requires  two  qualified  sensors  to  indicate  dry  after  the  arming  mass  is  reached  in 
order  to  start  the  low  level  timer  and  issue  the  MECO  command.  On  the  first  pass  after  the  arming 
mass  is  reached,  the  software  will  disable  one  dry  low  level  sensor.  On  the  next  pass,  the  software 
will  command  MECO  if  two  other  low  level  sensors  on  the  same  tank  are  failed  dry.  Therefore,  three 
sensors  dry  when  the  arming  mass  is  reached  will  result  in  an  early  MECO  which  may  require  a  TAL 
or  ACLS  abort.  The  failure  of  two  sensors  will  not  cause  a  premature  MECO  when  the  arming  mass 
is  reached,  since  one  will  be  disabled.  The  crew  will  be  required  to  abort  TAL  (or  ACLS  if  no  TAL 
site  is  available)  on  some  performance-critical  missions  (as  determined  by  flight  design)  to  prevent  a 
MECO  from  occurring  in  a  region  where  no  abort  capability  exists.  @[021397-4824  ] 

Rule  (A2-301J,  Note  31,  CONTINGENCY  ACTION  SUMMARY,  references  this  rule. 

A5-158  THROUGH  A5-200  RULES  ARE  RESERVED 
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MPS  MANAGEMENT :  POST-MECO 


A5-201  MPS  DUMP  INHIBIT  [CIL]  ®[020196-1813A] 

A.  INSIGHT  INTO  ENGINE  INLET  CONDITIONS  AVAILABLE: 

IF  A  PROPELLANT  LEAK  IS  DETECTED  PRE-MECO  ON  ANY  ENGINE  WHICH 
SHUTS  DOWN  (MANUAL  OR  CONTROLLER  INITIATED)  PRIOR  TO  MECO,  IT 
WILL  BE  ISOLATED  FROM  DUMPING  IMMEDIATELY  FOLLOWING  MECO. 

THIS  DUMP  INHIBIT  DECISION  WILL  BE  BASED  ON  THE  FOLLOWING: 

1.  LO2  INLET  PRESSURE  <  40  PSIA, 

FOR  A  DUMP  INHIBIT  OF  THE  L02  SYSTEM,  AN  EARLY  APU 
SHUTDOWN  WILL  BE  REQUIRED  FOR  TAL  AND  RTLS  ABORTS 
(REFERENCE  FLIGHT  RULE  {A16-205A},  EARLY  APU  SHUTDOWN). 
®[0201 96-1 81 3A] 

2.  LH2  INLET  PRESSURE  <  30  PSIA. 

FOR  A  DUMP  INHIBIT  OF  THE  LH2  SYSTEM,  AN  EMERGENCY 
POWERDOWN/MODE  V  EGRESS  WILL  BE  REQUIRED  FOR  TAL  AND  RTLS 
ABORTS  (REFERENCE  FLIGHT  RULES  {A16-12B}.2,  EMERGENCY 
POWERDOWN) .  AN  EARLY  APU  SHUTDOWN  WILL  OCCUR  AS  A  RESULT 
OF  THE  EMERGENCY  POWERDOWN.  ®[0201 96-1 81 3A] 

THIS  RULE  CONTINUED  ON  NEXT  PAGE 
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A5-201  MPS  DUMP  INHIBIT  [CIL]  (CONTINUED) 

For  nominal,  RTLS,  TAL,  ATO,  and  AOA  missions,  the  dump  inhibit  will  be  performed  immediately  post- 
MECO  on  the  affected  SSME  if  insight  into  the  engine  inlet  conditions  is  available  and  the  above  criteria 
are  met.  The  dump  inhibit  is  performed  by  manually  closing  the  associated  prevalve  and  powering  down 
that  engine’s  controller.  To  minimize  dump  and  vacuum  inert  impacts,  only  the  associated  prevalve  will 
be  closed  on  the  side  which  was  determined  to  be  leaking.  The  engine  con  troller  is  powered  off  to  close 
the  bleed  and  hydraulic  valves.  These  actions  will  prevent  excessive  leakage  of  propellant  into  the  aft 
compartment  during  the  MPS  propellant  dump,  thereby  minimizing  a  potentially  hazardous  condition  in 
the  aft  compartmen  t  (reference  the  PSIG  Flight  Rule  Review  of  2/25/88).  Causes  for  early  shutdown 
include  redline  limit  shutdown,  multiple  loss  of  controller  avionics,  and  manual  shutdown  for  a  MPS 
helium  leak,  a  hydraulic  or  electrical  lockup,  or  a  command  path  failure.  Since  flight  data  indicates  that 
the  pump  inlet  pressures  drop  below  the  above  limits  after  MECO,  an  engine  propellan  t  leak  cannot  be 
detected  if  a  low  level  cutoff  occurs.  The  low  pressure  fuel  pump  discharge  pressure  can  be  used  as  a 
backup  to  the  LH2  inlet  pressure  and  would  also  use  30  psia  as  the  dump  inhibit  criterion.  If  a  breach  of 
one  or  more  of  the  LH2  propellant  lines  has  occurred,  the  possibility  exists  of  uncontained/uncontrolled 
LH2  propellan  t  in  the  aft,  which  constitu  tes  a  flammability  and  explosion  hazard  on  a  RTLS  or  TAL 
abort.  This  condition  requires  the  most  expeditious  powerdown  of  the  vehicle  ( emergency  powerdown) 
and  crew  egress  (Mode  V)  possible.  An  LO2  leak  is  not  considered  as  hazardous  as  an  LH2  leak  and 
therefore  does  not  require  cm  emergency  powerdown  and  Mode  V  egress.  However,  both  kinds  of  leaks 
do  warrant  an  early  APU  shutdown  after  an  RTLS  or  TAL  abort  in  order  to  eliminate  an  ignition  source 
in  a  hydrogen  or  oxygen  enriched  environment.  These  postlanding  actions  are  not  required  after  a 
nominal,  ATO,  or  AOA  mission  since  no  uncontained  residuals  will  remain  in  the  aft  compartment  at  the 
time  of  landing. 

Rules  { A16-12BJ.2 ,  EMERGENCY  POWERDOWN,  and  [A1 6-205 A},  EARLY  APU  SHUTDOWN, 
reference  this  rule.  ®[0201 96-1 81 3A] 
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A5-201  MPS  DUMP  INHIBIT  [CIL]  (CONTINUED) 

B.  INSIGHT  INTO  ENGINE  INLET  CONDITIONS  UNAVAILABLE: 

1.  NOM/ATO/AOA: 

FOR  ANY  ENGINE  WHICH  SHUTS  DOWN  (MANUAL  OR  CONTROLLER 
INITIATED)  PRIOR  TO  MECO,  THE  MPS  DUMP  INHIBIT  WILL  BE 
PERFORMED  IMMEDIATELY  POST-MECO  ON  THE  PROPELLANT 
SYSTEM (S)  ON  WHICH  INSIGHT  HAD  BEEN  LOST.  THIS  ACTION 
WILL  BE  TAKEN  ON  A  TIME  PERMITTING  BASIS  TO  MINIMIZE 
POTENTIAL  LEAKAGE.  THE  LPFP  DISCHARGE  PRESSURE  CAN  BE 
USED  AS  A  BACKUP  CUE  TO  ASSESS  LH2  INLET  CONDITIONS. 

Loss  of  insight  into  the  inlet  pressures  (and  the  LPFP  discharge  pressure  for  the  fuel  side )  results  in  the 
inability  to  assess  the  inlet  conditions.  Therefore,  the  dump  will  be  inhibited  for  any  engine  shut  down 
prior  to  MECO  for  the  nominal  case,  an  ATO,  or  an  AOA  if  the  inlet  condition(s)  cannot  be  assessed  (at 
the  time  of  shutdown)  due  to  avionics  failures  since  a  con  tained  shutdown  cannot  be  guaranteed.  In  the 
case  where  there  was  no  leakage,  any  residuals  trapped  in  the  engine  by  the  dump  inhibit  procedure  will 
have  time  to  bleed  out  prior  to  landing. 

2.  TAL/RTLS: 

THE  MPS  DUMP  INHIBIT  WILL  NOT  BE  PERFORMED. 

Due  to  the  extremely  low  probability  of  a  noncatcistrophic,  uncontained  shutdown,  and  the  additional 
failure  to  lose  insight,  the  cases  of  survivable  shutdowns  with  leakage  hidden  due  to  loss  of  insight  on  a 
TAL  and  RTLS  will  not  be  covered.  If  the  MPS  dump  is  inhibited  for  the  RTLS  and  TAL  cases  due  to  loss 
of  insight  and  no  leakage  existed,  it  would  induce  an  unnecessary  risk  of  trapped  LH2  residuals 
(approximately  26  lbs.  LH2  on  a  RTLS  and  approximately  8  lbs.  LH2  on  a  TAL  abort,  at  touchdown). 
These  amounts  ofLH2  are  enough  to  cause  a  venting  concern  for  the  convoy  and  preclude  normal 
convoy  operations  and  would  require  as  a  minimum  an  expedited  powerdown  and  Mode  V  egress  per 
Rule  (A16-1 1FJ,  EXPEDITED  POWERDOWN.  However,  if  leakage  was  assumed,  cm  emergency 
powerdown  and  Mode  V  egress  would  be  performed  per  paragraph  A  of  this  rule.  ®[0201 96-1 81 3A] 
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A5-202  ET  SEPARATION  INHIBIT  FOR  17-INCH  DISCONNECT 

FAILURE  [CIL] 


A.  NOMINAL 

IF  AN  ET/ORBITER  17-INCH  DISCONNECT  VALVE  IS  NOT  VERIFIED 
CLOSED,  ET  SEPARATION  WILL  BE  DELAYED  UNTIL  MECO  PLUS  6 
MINUTES  TO  ALLOW  THRUST  DECAY  FROM  THE  OPEN  VALVE  AND  THUS 
PREVENT  RECONTACT  BETWEEN  THE  ET  AND  ORBITER.  THE  MPS 
PROPELLANT  DUMP  WILL  BE  AUTOMATICALLY  PERFORMED  DURING  THE 
WAIT  PERIOD.  FOR  AN  UNDERSPEED  AT  MECO  WHICH  REQUIRES  THE 
OMS-1  BURN  TO  BE  PERFORMED  PRIOR  TO  MECO  PLUS  6  MINUTES,  ET 
SEPARATION  WILL  BE  PERFORMED  AT  OMS-1  TIG  MINUS  1  MINUTE  30 
SECONDS  OR  IMMEDIATELY  IF  REQUIRED,  AND  THE  MPS  DUMP  WILL  BE 
MANUALLY  DELAYED  UNTIL  AFTER  SEPARATION.  @[030994-1 61 8B] 

BOTTOM-SUN  WILL  BE  REQUIRED  FOR  THERMAL  CONDITIONING 
(REFERENCE  RULE  {A10-243},  ET  UMBILICAL  DOOR  CLOSURE 
DELAY  FOR  DISCONNECT  VALVE  FAILURE  [CIL]).  ©[021199-6795A] 

B.  RTLS/TAL 

ET  SEPARATION  IS  AUTOMATIC  FOR  17-INCH  DISCONNECT  VALVE 
FAILURE . 


The  ET  separation  sequence  software  in  the  GPC’s  will  inhibit  ET  separation  automatically  if  it  does  not 
receive  at  least  one  of  the  two  close  position  indications  from  each  of  the  orbiter  17-inch  disconnect 
valves.  The  closed  position  indicators  may  not  show  closed  for  real  valve  failures  or  loss  of  insight. 

This  prevents  a  recontact  problem  which  could  occur  between  the  ET  and  the  orbiter  after  separation 
due  to  the  large  venting  force  (>10,000  Ibf)  of  the  open  17-inch  valve  (reference  SODB.  volume  1, 
section  3.4.3. 1). 


THIS  RULE  CONTINUED  ON  NEXT  PAGE 
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A5-202  ET  SEPARATION  INHIBIT  FOR  17-INCH  DISCONNECT 

FAILURE  [CIL]  (CONTINUED) 


The  crew  will  perform  a  manual  separation  6  minutes  after  the  nominal  separation  time.  This  waiting 
period  allows  the  tank  and  the  Orbiter  manifold  to  vent  to  a  level  where  the  ven  ting  force  <  1800  Ibf 
which  is  considered  safe  for  separation  (reference  SODB,  volume  1,  section  3. 4. 3.1).  For  underspeeds  at 
MECO,  which  require  an  OMS-1  to  be  performed  prior  to  MECO  plus  6  minutes,  ET  separation  has  to 
be  performed  1  minute  30  seconds  prior  to  OMS-1  ignition.  The  1  minute  30  second  time  was  selected  to 
ensure  that  the  crew  had  sufficien  t  time  to  prepare  for  the  OMS-1  ignition  (reference  SODB,  volume  1, 
section  3.4.3. 1).  The  MPS  dump  will  be  manually  delayed  by  placing  the  MPS  Propellant  Dump 
Sequence  Switch  in  the  STOP  position  if  the  separation  time  would  occur  during  the  scheduled  MPS 
dump.  The  switch  is  taken  back  to  the  GPC  position  after  the  ET  SEP  -Z  translation  to  allow  the 
automated  MPS  dump  to  commence.  The  MPS  dump  is  delayed  since  performing  the  MPS  dump  during 
ET  separation  is  not  a  certified  separation  mode.  Time  criticality  during  an  RTLS  and  TAL  aborts 
necessitates  an  automatic  ET  separation  for  01-22  and  subsequen  t  software.  The  RTLS  ET  separation 
software  allows  6  seconds  of  venting.  Recontact  damage  will  be  risked  on  an  RTLS  to  avoid  rapid 
degradation  ofET  separation  conditions  and  possible  loss  of  control.  The  TAL  ET  separation  software 
allows  15  seconds  of  venting  to  avoid  recon  tact  while  minimizing  the  time  to  OPS  3  transition.  TAL 
aborts  incorporate  an  I-loaded  software  timer  expiration  (MSID  V97U9717C)  to  sequence  automatic  ET 
separation  while  RTLS  aborts  use  a  hardcoded  software  constant  for  separation. 

The  LO2  MPS  manifold  repressurization  valves  are  not  commanded  open  after  a  17 -inch  LO2 
disconnect  failure  to  prevent  excessive  loss  of  helium  during  the  MPS  dump.  The  LH2  MPS  manifold 
repressurization  valves  are  not  opened  during  this  timeframe. 

Rule  { A10-243J ,  ET  UMBILICAL  DOOR  CLOSURE  DELAY  FOR  DISCONNECT  VALVE  FAILURE 
[CIL],  references  this  rule.  ®[021 1 99-6795A] 
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A5-203  MPS  PROPELLANT  MANIFOLD  OVERPRESSURE  [CIL] 

A.  AN  MPS  PROPELLANT  MANIFOLD  OVERPRESSURE  CONDITION  (>  312 
(249)  PSIA  FOR  LO2  OR  >  66  (60)  PSIA  FOR  LH2)  WILL  BE 

RELIEVED  BY  THE  FOLLOWING  METHODS: 

1.  P RE -MPS  DUMP 

THE  MPS  DUMP  WILL  AUTOMATICALLY  BE  STARTED  IMMEDIATELY  IF 
THE  LH2  MANIFOLD  PRESSURE  IS  BETWEEN  60  AND  90  PSIA  AND 
NOT  COMMFAULTED  .  @[092701 -4867A] 

2.  POST-MPS  DUMP,  PRE-FIRST  AUTOMATED  VACUUM  INERT 

THE  LH2  OUTBOARD  FILL/DRAIN  AND  TOPPING  VALVES  WILL 
AUTOMATICALLY  OPEN  IF: 

a.  THE  LH2  MANIFOLD  PRESSURE  IS  BETWEEN  60  AND  90  PSIA 
AND  NOT  COMMFAULTED  AND 

b.  THE  LH2  BACKUP  DUMP  VALVES  SWITCH  WAS  NOT  TAKEN  TO 
OPEN. 

THE  LH2  OUTBOARD  FILL/DRAIN  AND  TOPPING  VALVES  WILL 
AUTOMATICALLY  CLOSE  AT  MPS  DUMP  START  +19  MINUTES 
(APPROXIMATELY  MECO  +21  MINUTES) .  IF  THE  OUTBOARD 
FILL/DRAIN  DOES  NOT  CLOSE,  THE  SOFTWARE  WILL  COMMAND  THE 
LH2  INBOARD  FILL/DRAIN  VALVE  CLOSED.  @[111 094-1 730A]  @[021 1 99-6792B] 

3.  POST-FIRST  AUTOMATED  VACUUM  INERT  @[092701 -4867A] 

THE  AFFECTED  L02  OR  LH2  OUTBOARD  FILL/DRAIN  VALVE  WILL  BE 
MANUALLY  OPENED  IMMEDIATELY.  THIS  VALVE  WILL  BE  CLOSED 
AFTER  THE  SYSTEM  HAS  BEEN  INERTED. 

THIS  RULE  CONTINUED  ON  NEXT  PAGE 
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A5-203  MPS  PROPELLANT  MANIFOLD  OVERPRESSURE  [CIL] 

(CONTINUED) 


Because  of  the  characteristics  of  the  LO2  system ,  it  is  highly  unlikely  that  a  real  overpressure  condition 
will  occur  without  multiple  (>  2)  system  failures  prior  to  the  start  of  the  MPS  dump  (nominally  at  MECO 
+  2  minutes).  Therefore,  no  crew  action  is  taken  for  LO2  manifold  pressure  above  C&W  (249  psia). 

Heat  soak  back  will  vaporize  any  fluid  propellants,  increasing  the  pressure  in  the  lines.  On  the  LO2  side, 
the  pressure  can  be  relieved  by  either  the  MPS  dump  or  vacuum  inerting.  On  the  LH2  side,  the  pressure 
can  be  relieved  by  MPS  dump,  vacuum  inerting,  or  opening  the  LH2  backup  dump  valves  in  OPS  1.  An 
automatic  MPS  dump  will  be  performed  to  avoid  reaching  proof  pressure  (66  psig)  if  the  software  limit 
(greater  than  60  psia  and  less  than  90  psia )  is  reached  before  the  scheduled  MPS  dump  occurs.  If  the 
LH2  manifold  pressure  C&W  limit  of  65  psia  is  reached,  the  crew  will  open  the  LH2  backup  dump  valves 
and  both  LH2  inboard  and  outboard  fill/drain  valves  per  the  Ascent  Pocket  Checklist  procedure.  If  the 
LH2  manifold  pressure  is  between  60  and  90  psia  after  the  MPS  dump  terminates  but  prior  to  the  first 
automated  vacuum  inert  start  ( dump  start  +17  minutes,  approximately  MECO  +  19  minutes)  and  the 
LH2  backup  dump  valves  switch  on  panel  R2  was  not  taken  to  OPEN,  an  automated  contingency  LH2 
vacuum  inert  will  be  started  by  the  software  and  relieve  the  pressure.  This  contingency  inert  will  be 
performed  by  opening  the  LH2  topping  and  LH2  outboard  fill/drain  valves  (the  LH2  inboard  fill/drain 
valve  remains  open  following  the  MPS  dump).  If  the  LH2  manifold  pressure  is  between  60  and  90  psia 
after  the  MPS  dump  terminates  but  prior  to  the  first  automated  vacuum  inert  start  and  the  LH2  backup 
dump  valves  switch  on  panel  R2  was  taken  to  OPEN,  an  automated  contingency  LH2  vacuum  inert  will 
not  be  started  by  the  software  because  manual  action  has  already  been  taken.  @[092701 -4867A] 

If  either  the  LO2  or  LH2  C&W  limit  is  reached  after  the  first  automated  vacuum  inert,  the  affected  LO2  or 
LH2  outboard  fill/drain  valve  will  be  opened  manually  to  relieve  the  pressure.  Only  the  outboards  are 
opened  since  the  inboards  should  already  be  open.  This  is  only  performed  for  true  high  pressure  in  the 
affected  manifold  and  not  for  instrumentation  failures.  Procedures  in  the  Orbit  Pocket  Checklist  have  the 
crew  open  all  the  fill/drain  valves  since  the  crew  does  not  have  time  to  determine  which  system  has  the 
overpressure  condition.  The  LO2  manifold  pressure  C&W  limit  (249  psia)  is  approximately  midway 
between  the  relief  (190  psig )  and  proof  (312  psig )  pressures  (ref.  SODB,  volume  I,  section  4.3).  The  LH2 
manifold  pressure  C&W  limit  (65  psia)  is  set  to  avoid  having  system  delays  in  starting  the  MPS  dump 
allow  the  LH2  manifold  pressure  to  exceed  the  C&W  limit.  Rule  { A5-205C },  NOMINAL,  AOA,  AND  ATO 
MPS  DUMP  FAILURES,  references  this  rule.  ®[1 1 1 094-1 730A  ]  @[021 1 99-6792B]  @[092701 -4867A]  ®[ED  ] 

THIS  RULE  CONTINUED  ON  NEXT  PAGE 


VOLUME  A  11/21/02  FINAL,  PCN-1  BOOSTER  5-99 

Verify  that  this  is  the  correct  version  before  use. 


NASA  -  JOHNSON  SPACE  CENTER 


FLIGHT  RULES 


A5-203  MPS  PROPELLANT  MANIFOLD  OVERPRESSURE  [CIL] 

(CONTINUED) 

B.  IF  THE  LH2  RELIEF  ISOLATION  VALVE  FAILS  CLOSED  POST-MECO  AND 
ANY  OMS  BURN  TIG  IS  PRIOR  TO  THE  START  OF  THE  FIRST  AUTOMATED 
VACUUM  INERT  AT  MPS  DUMP  START  +  17  MINUTES  (APPROXIMATELY 
ME  CO  +  19  MINUTES):  ®[0211 99-6792  B]  @[090999-7035]  @[092701 -4867A] 

1.  THE  LH2  BACKUP  DUMP  VALVES  WILL  BE  MANUALLY  OPENED  PRIOR 
TO  THE  OMS  BURN.  THE  LH2  BACKUP  DUMP  VALVES  WILL 
AUTOMATICALLY  CLOSE  AT  THE  COMPLETION  OF  THE  FIRST 
AUTOMATED  VACUUM  INERT  AT  MPS  DUMP  START  +19  MINUTES 
(APPROXIMATELY  MECO  +  21  MINUTES) . 

2.  THE  AUTOMATED  LH2  MANIFOLD  REPRESSURIZATION  FOLLOWING  THE 
SECOND  AUTOMATED  VACUUM  INERT  WILL  BE  MANUALLY  INHIBITED 
BY  TAKING  THE  LH2  MANIFOLD  PRESS  SWITCH  TO  CLOSE  PRIOR  TO 
THE  MM  106  TRANSITION.  THE  LR?  MANIFOLD  PRESS  SWITCH 
WILL  BE  TAKEN  TO  GPC  AFTER  THE  MM  106  TRANSITION  +  3 
MINUTES . 

If  the  LH2  relief  isolation  valve  does  not  open,  the  LH2  manifold  cannot  be  relieved  through  the  relief 
valve.  The  nominal  pressure  buildup  post-MECO  is  not  expected  to  reach  the  manifold  relief  setting 
with  a  nominal  MPS  dump  and  nominal  vacuum  inerts.  If  the  manifold  pressure  builds  up  greater  than 
60  psia,  the  software  will  automatically  start  the  MPS  dump  or  an  automated  contingency  LH2  vacuum 
inert  (through  the  LH2  fill/drain  valves)  to  relieve  the  pressure.  The  LH2  backup  dump  valves  will  be 
manually  opened  if  an  OMS  burn  is  expected  to  occur  prior  to  the  nominal  first  automated  vacuum 
inert  start  time  of  MPS  dump  start  +  17  minutes  (approximately  MECO  +  19  minutes).  The  OMS  burn 
will  increase  the  sublimation  of  the  LH2  residuals,  resulting  in  a  pressure  buildup  that  may  reach  the 
relief  setting.  Although  the  software  will  automatically  provide  pressure  relief  if  needed,  the  LH2 
backup  dump  valves  are  opened  to  prevent  the  pressure  rise  from  nearing  the  proof  pressure  of  the 
manifold  (66  psig).  The  valves  will  be  left  open  until  the  end  of  the  first  automated  vacuum  inert  when 
they  will  automatically  close.  The  second  automated  vacuum  inert  will  be  allowed  to  proceed  normally 
except  for  the  LH2  manifold  repressurization.  The  repressurization  is  manually  inhibited  by  taking  the 
LH2  man  ifold  press  switch  to  close  because  there  is  no  manifold  relief  capability.  This  will  be 
performed  prior  to  the  MM  106  transition  because  the  second  automated  vacuum  inert  and  subsequent 
manifold  repressurization  will  initiate  at  the  MM  106  transition.  The  LH2  manifold  press  switch  will 
be  taken  to  GPC  after  the  MM  106  transition  +  3  minutes  (corresponding  to  the  completion  of  the 
second  automated  vacuum  inert  and  subsequent  manifold  repressurization)  in  order  to  avoid  powering 
the  valve  until  it  is  nominally  checked  in  the  Deorbit  Prep  timeframe.  @[092701 -4867A] 
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C.  IF  AUTOMATIC  LH2  VENT,  DUMP,  AND  RELIEF  CAPABILITY  IS  LOST 
AS  A  RESULT  OF  DUAL  GPC/FA  MDM  FAILURES  (GPC'S/FA  MDM' S  1 
AND  3,  1  AND  4,  OR  3  AND  4),  THE  CREW  WILL  MANUALLY  OPEN  THE 

LH2  FEEDLINE  RELIEF  ISOLATION  VALVE  IMMEDIATELY  POST-MECO. 
@[090999-7035  ] 

Certain  dual  GPC/FA  MDM  failure  combinations  occurring  during  ascen  t  will  preven  t  the  LH2  relief 
isolation  valve  as  well  as  the  LH2  backup  dump  valves  and  LH2  fill/drain  valves  from  opening  after 
MECO.  Without  a  relief  path,  the  LH2  manifold  pressure  will  rapidly  rise  to  a  dangerous  pressure  level 
in  seconds.  During  the  STS-1  flight,  where  the  LH2  backup  dump  valves  were  not  commanded  open  at 
11.4  seconds  after  MECO  as  they  are  now,  the  LH2  manifold  pressure  went  from  34  psia  before  17-inch 
disconnect  closure  to  50  psia  within  15  seconds  and  subsequently  relieved  until  the  start  of  the  MPS 
dump.  The  LH2  manifold  burst  pressure  is  83  psig.  The  crew  can  manually  open  the  LH2  feedline  relief 
isolation  valve  with  a  single  switch  throw  on  panel  R4.  Pressure  rise  on  the  LO2  side  is  not  a  major 
concern  as  a  result  of  the  slower  pressure  rise  rate,  higher  manifold  burst  pressure,  and  the  available 
leak  path  through  the  SSME  oxidizer  pump  seal  packages.  For  any  dual  GPC/FA  MDM  failures,  the 
onboard  procedure  has  the  crew  take  both  the  LO2  and  LH2  feedline  relief  isolation  valve  switches  to 
open  for  procedural  simplicity.  @[030994-1 61 8B]  @[021 1 99-6792B]  @[092701 -4867A] 
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A5-204  MANUAL  MPS  DUMP  ®[09270i-4867A] 

THE  MPS  DUMP  WILL  BE  MANUALLY  DELAYED  BY  TAKING  THE  MPS  DUMP 
SEQUENCE  SWITCH  TO  "STOP"  UNTIL  AFTER  ET  SEPARATION  FOR  THE 
FOLLOWING  FAILURE  CASES  IN  ORDER  TO  AVOID  PERFORMING  THE  MPS  DUMP 
DURING  ET  SEPARATION: 

A.  AFT  RCS  LEAK. 

B.  FORWARD  RCS  LEAK. 

C.  MPS  FEEDLINE  DISCONNECT  FAILURE (S)  WITH  AN  OMS-1  TIG  PRIOR 
TO  MECO  +  6  MINUTES.  @[090999-7035] 

To  prevent  orbiter  recontact  with  the  ET,  the  MPS  dump  is  delayed  until  after  ET  separation  for  RCS 
leaks  and  the  feedline  disconnect  failure(s).  With  an  RCS  leak,  the  potential  exists  for  the  MPS  dump 
forces  to  overwhelm  the  reduced  RCS  control  authority  during  ET  separation;  therefore,  the  MPS  dump 
is  delayed  until  after  separation  by  taking  the  MPS  dump  sequence  switch  to  stop.  With  a  feedline 
disconnect  failure  and  an  OMS-1  TIG  prior  to  MECO  +  6  minutes,  the  MPS  dump  is  delayed  per  Rule 
{ A5-202 j,  ET  SEPARATION  INHIBIT  FOR  17-INCH  DISCONNECT  FAILURE  [CIL],  to  prevent  dump 
forces  from  interfering  with  the  separation  sequence  (dump  and  vent  forces  could  cause  recontact ). 
Analysis  certifying  the  MPS  dump  during  ET  separation  (SSEIG  minutes,  April  26,  1999)  is  not  valid  in 
these  cases  because  the  analysis  assumed  1)  the  only  RCS  jets  that  are  failed  are  those  affected  by  a 
GPC  4  failure,  and  2)  the  MPS  dump  can  occur  no  earlier  than  1.4  seconds  after  ET  structural 
separation.  @[090999-7035]  @[092701 -4867A]  ®[ED  ] 

Taking  the  MPS  dump  sequence  switch  to  stop  for  an  ET  toggle  switch  failure  along  with  an  LH2 
manifold  pressure  transducer  bias  between  60  and  90  psia  is  not  covered  per  the  direction  of  the  PRCB 
(PRCBD  #  S050270EF)  on  July  1,  1999.  Since  the  most  likely  time  that  the  ET  toggle  switch  failure 
(FMEA/CIL’s  05-6-2237-02  and  05-6-2237-03)  can  occur  is  post  MECO,  the  crew  would  not  have  time 
to  inhibit  the  MPS  dump  prior  to  MECO  +  20  seconds  (dump  start  time  for  the  LH2  transducer  failure). 
The  PRCB  also  considered  the  combination  of  these  two  failures  to  be  too  unlikely  to  be  specifically 
covered  by  crew  procedures  or  by  the  Flight  Rules.  Rule  {A5-205},  NOMINAL,  AOA,  AND  ATO  MPS 
DUMP  FAILURES,  references  this  rule.  @[090999-7035]  @[092701 -4867A]  ®[ED  ] 
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A5-205  NOMINAL,  AO  A,  AND  ATO  MPS  T  DUMP  FAILURES 

@[092701 -4867A]  ®[ED  ] 

A.  MPS  DUMP  SWITCH  FAILURE  -  IF  THE  MPS  DUMP  SEQUENCE  SWITCH  IS 
NEEDED  TO  DELAY  THE  MPS  DUMP  AND  IS  UNAVAILABLE  DUE  TO  A 
CONTROL  BUS  FAILURE,  THE  AFFECTED  CONTACT  WILL  BE  COMM 
FAULTED  BY  POWER  CYCLING  THE  APPROPRIATE  MDM  PER  THE  TABLE 
BELOW.  @[021 397-4825  ] 

SW  CONTACT  CONTROL  BUS  MDM 


A 

AB3 

FF1 

B 

BC3 

FF2 

The  MPS  dump  sequence  switch  can  no  longer  be  used  to  manually  control  the  dump  if  the  switch  fails 
redundancy  management.  The  MPS  dump  sequence  switch  is  only  used  to  delay  the  automated  MPS 
dump  until  after  ET  separation  for  an  aft  RCS  leak,  a  forward  RCS  leak,  or  an  ET  separation  inhibit  due 
to  feedline  disconnect  failures  with  an  OMS-1  TIG  prior  to  MECO  +  6  minutes  per  Rule  (A5-204}, 
MANUAL  MPS  DUMP.  If  the  MPS  dump  sequence  switch  is  needed  to  delay  the  MPS  dump  and  one  of 
the  contacts  is  failed  due  to  loss  of  either  con  trol  bus  AB3  or  BC3,  the  affected  con  tact  could  be  taken 
out  of  the  switch  RM  logic  by  power  cycling  either  MDM  FF1  or  FF2.  ®[i  1 1 094-1 720B]  ®[02i  397-4825  ] 
@[092701 -4867A]  ®[ED  ] 
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(CONTINUED) 

B.  LH2  DUMP  FAILURES  -  AN  LH2  DUMP  WILL  BE  PERFORMED  BY  MANUALLY 
OPENING  THE  LH2  BACKUP  DUMP  VALVES  PRIOR  TO  THE  END  OF  THE 
MPS  DUMP  FOR  THE  FAILURE  TO  OPEN  EITHER  THE  LH2  INBOARD  OR 
OUTBOARD  FILL/DRAIN  VALVE.  THE  LH2  BACKUP  DUMP  VALVES  WILL 
BE  MANUALLY  CLOSED  BETWEEN  MECO  +  7  MINUTES  AND  MECO  +10 
MINUTES  BY  TAKING  THE  LH2  BACKUP  DUMP  VALVE  SWITCH  TO  CLOSE 
THEN  GPC .  OTHERWISE,  THE  LH2  MANIFOLD  REPRESSURIZATION 
FOLLOWING  THE  SECOND  AUTOMATED  VACUUM  INERT  WILL  BE  MANUALLY 
INHIBITED  BY  TAKING  THE  LH2  MANIFOLD  PRESS  SWITCH  TO  CLOSE 
PRIOR  TO  THE  MM  106  TRANSITION.  THE  LH2  MANIFOLD  PRESS 
SWITCH  WILL  BE  TAKEN  TO  GPC  AFTER  THE  MM  106  TRANSITION  +  3 

MINUTES.  @[09270 1 -4867A] 

The  LH2  portion  of  the  MPS  dump  is  a  120-second  unpressurized  dump  through  the  LH2  fill/drain 
valves,  the  LH2  topping  valve,  and  the  LH2  backup  dump  valves.  If  the  LH2  outboard  fill/drain  valve 
fails  closed  prior  to  the  start  of  the  MPS  dump,  approximately  57  Ibm  of  hydrogen  will  remain  at  the 
end  of  the  MPS  dump.  If  the  LH2  inboard  valve  fails  closed,  approximately  6  Ibm  of  hydrogen  will 
remain.  For  these  cases,  the  LH2  backup  dump  valves  will  be  taken  to  the  open  position  prior  to  the 
end  of  the  MPS  dump.  This  will  allow  all  but  approximately  5  Ibm  of  hydrogen  to  be  vented  off  before 
the  LH2  backup  dump  valves  are  manually  closed. 

If  no  other  crew  action  is  taken,  the  LH2  backup  dump  valves  will  remain  open  until  the  termination  of 
the  first  automated  vacuum  inert  (dump  start  +  19  minutes,  approximately  MECO  +  21  minutes).  At  the 
termination  of  the  first  automated  vacuum  inert,  the  LH2  backup  dump  valves  will  automatically  close 
until  the  start  of  the  second  automated  vacuum  inert  at  the  MM  106  transition.  At  the  termination  of  the 
second  automated  vacuum  inert,  all  but  0.24  Ibm  of  hydrogen  will  be  vented.  This  amount  of  hydrogen 
residual  is  sufficiently  high  to  cause  concern  regarding  the  automatic  manifold  press  checkout  because 
the  manifold  pressure  is  expected  to  reach  approximately  41  psia  which  is  high  enough  to  open  the  LH2 
feedline  relief  valve.  In  order  to  avoid  opening  the  LH2  feedline  relief  valve  ( the  vent  port  is  located 
near  the  vertical  stabilizer),  the  automatic  manifold  press  checkout  will  be  manually  inhibited  by  taking 
the  LH2  manifold  press  switch  to  close.  This  will  be  performed  prior  to  the  MM  106  transition  because 
the  second  automated  vacuum  inert  and  subsequent  manifold  repressurization  will  initiate  at  the  MM 
106  transition.  The  LH2  manifold  press  switch  will  be  taken  to  GPC  after  the  MM  106  transition  +  3 
minutes  (corresponding  to  the  completion  of  the  second  automated  vacuum  inert  and  subsequent 
manifold  repressurization)  in  order  to  avoid  powering  the  valve  until  it  is  nominally  checked  in  the 
Deorbit  Prep  timeframe.  @[092701 -4867A] 
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If  the  crew  closes  the  LH2  backup  dump  valves  between  MECO  +  6  minutes ,  40  seconds  and  MECO  + 

10  minutes,  (prior  to  the  start  of  the  first  au  tomated  vacuum  inert),  the  hydrogen  residuals  following  the 
second  automated  vacuum  inert  will  be  between  0.09  Ibm  and  0.10  Ibm,  respectively.  For  simplicity,  the 
crew  action  to  take  the  LH2  backup  dump  valve  switch  to  close  then  GPC  will  be  performed  between 
MECO  +  7  minutes  and  MECO  +  10  minutes.  It  is  believed  that  these  residuals  are  insufficient  to 
cause  hydrogen  to  relieve  on  orbit.  All  residuals  are  based  on  Boeing  IL  SHA0-01 -014  /  SI-01 -044 
dated  February  19,  2001.  @[092701 -4867A] 

Manual  control  of  the  LH2  backup  dump  valves  is  only  available  in  OPS  1.  If  the  hydrogen  residuals 
were  not  properly  inerted  in  OPS  1,  the  manifold  pressure  may  rise  above  the  83  psig  burst  pressure  of 
the  manifold.  This  scenario  would  require  the  crew  to  pro  to  OPS  303  (via  OPS  301)  in  order  for  the 
software  to  automatically  open  the  LH2  backup  dump  valves.  Once  the  manifold  pressure  returns  to 
normal,  the  vehicle  may  be  transitioned  back  to  OPS  2.  For  this  reason,  the  hydrogen  residuals  are 
managed  in  OPS  1  via  the  LH2  backup  dump  valve  switch. 

Currently,  no  ops  code  exists  to  open  the  LH2  backup  dump  valves  via  real-tune  command  (RTC),  and 
due  to  the  fact  that  the  pressure  will  rise  from  the  max  relief  setting  to  the  burst  pressure  in  a  relatively 
short  amount  of  time  ( approximately  TO  hour),  the  decision  was  made  not  to  pursue  a  GPC  memory 
read/write  (GMEM).  In  the  case  of  cm  AO  A,  the  manifold  pressure  should  not  reach  burst  pressure 
prior  to  the  OPS  303  transition.  ®[1 1 1 094-1 720B] 

C.  LC>2  DUMP  FAILURES  -  AN  INCOMPLETE  LC£  DUMP  MAY  REQUIRE  A 

MANUAL  L02  VACUUM  INERT  TO  BE  PERFORMED  PER  RULE  {A5-206}, 
MANUAL  VACUUM  INERTING  REQUIREMENTS  (NOMINAL,  ATO,  AO A) . 

@[111 094-1 730A]  @[021397-4825] 

The  LO2  is  dumped  through  the  SSME  mean  oxidizer  valves.  There  is  no  secondary  dump  path  available 
during  the  MPS  dump.  However,  after  MPS  dump  termination,  residuals  will  vent  through  the  engine 
high  pressure  oxidizer  pump  seals,  and  the  relief  system  will  protect  the  manifold  from 
overpressurization.  @[092701 -4867A] 
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A5-206  MANUAL  VACUUM  INERTING  REQUIREMENTS  (NOMINAL,  ATO, 

AO  A) 

A.  FOR  NOMINAL/ATO  MISSIONS,  A  MANUAL  LO2  VACUUM  INERTING  MAY  BE 
PERFORMED  BY  THE  CREW  IF  THE  LC£  MANIFOLD  PRESSURE  IS  GREATER 
THAN  30  PSIA  AFTER  THE  SCHEDULED  TERMINATION  OF  THE  FIRST 
AUTOMATED  VACUUM  INERT.  MANUAL  LC£  VACUUM  INERTING  WILL  NOT 
BE  PERFORMED  UNTIL  THE  LC£  MANIFOLD  PRESSURE  VENTS  BELOW  30 
PSIA.  ®[1 1 1094-1 71 8A  ]  @[092701 -4867A] 

LO2  vacuum  inerting  can  be  delayed  because  the  LO2  prevalves  remain  open  after  the  MPS  dump  which 
allows  the  pressure  to  vent  through  the  engine  high-pressure  oxidizer  pump  seals.  After  the  pressure 
decays  below  30  psia,  the  software  or  crew  can  then  perform  vacuum  inerting  without  any  vehicle  control 
problems.  The  software  can  only  perform  the  automated  LO2  vacuum  inert  between  MPS  dump  start 
+  17  minutes  (approximately  MECO  +  19  minutes)  and  MPS  dump  start  +  19  minutes  ( approximately 
MECO  +  21  minutes ). 

For  a  nominal  and  ATO  mission,  there  should  be  sufficient  time  to  allow  the  pressure  to  decay  and  then 
perform  the  LO2  vacuum  inert  if  required.  The  manual  vacuum  inert  may  not  be  necessary  depending  on 
the  effectiveness  of  the  pressure  relief  through  the  engine  high-pressure  oxidizer  pump  seals.  On  an 
AOA,  there  may  not  be  sufficient  time  to  vent  below  30  psia,  however,  no  action  would  be  required 
because  the  LO2  manifold  will  be  inerted  automatically  in  MM  304  by  the  MPS  entry  dump  sequence. 

LO2  manifold  pressure  will  be  less  than  30  psia  if  the  MPS  dump  was  performed  successfully. 

However,  if  two  or  three  engine  main  oxidizer  valves  were  not  able  to  open  for  the  MPS  dump,  the 
residual  oxidizer  could  result  in  a  manifold  pressure  greater  than  30  psia.  Opening  the  LO2  fill/drain 
valves  when  the  manifold  pressure  is  greater  than  30  psia  will  cause  the  vehicle  to  I'oll  significantly  as 
was  experienced  during  an  MPS  clump  detailed  test  objective  on  STS  51-D.  The  roll  was  due  to  the 
oxidizer  flow  force  at  the  LO2  outboard  fill/drain  valve  and  flow  impingement  on  the  wing. 

B.  FOR  A  BCE  STRING  2C  FAILURE,  A  MANUAL  LC£  VACUUM  INERT  WILL 
BE  PERFORMED  AFTER  MPS  DUMP  START  +  22  MINUTES  (APPROXIMATELY 
MECO  +  24  MINUTES)  IF  THE  LC£  MANIFOLD  PRESSURE  IS  CONFIRMED 
TO  BE  LESS  THAN  30  PSIA. 

The  loss  of  BCE  STRING  2C  commfaults  the  LO2  manifold  pressure  sensor.  The  MPS  dump  sequence 
will  not  perform  the  LO2  portion  of  the  first  automated  vacuum  inert  if  the  manifold  pressure  sensor  is 
commfaulted.  Any  LO2  inlet  pressure  sensor  can  be  used  by  the  MCC  as  a  backup  to  the  LO2 
manifold  pressure  if  the  corresponding  LO2  prevalve  is  open.  The  crew’s  manifold  pressure  meter  on 
panel  F7  should  also  be  available  to  determine  the  LO2  manifold  pressure.  The  BCE  STRING  X 
procedure  in  the  Ascent  Pocket  Checklist  directs  the  crew  to  perform  the  MPS  vacuum  inert  procedure 
for  the  STRING  2C  failure.  ®[09270i-4867A] 
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A5-206  MANUAL  VACUUM  INERTING  REQUIREMENTS  (NOMINAL,  ATO, 

AO A)  (CONTINUED) 

C.  ON  A  SYSTEMS  AO A,  A  MANUAL  VACUUM  INERT  MAY  BE  REQUIRED  IF 
OPS  3  IS  ENTERED  PRIOR  TO  INITIATION  OF  THE  FIRST  AUTOMATED 
VACUUM  INERT.  @[092701 -4867A] 


On  a  systems  AOA,  there  may  not  be  sufficient  time  for  the  software  to  initiate  the  first  automated 
vacuum  inert  and  the  crew  must  manually  perform  the  vacuum  inert  to  insure  no  residuals,  since  no  entry 
dump/inert  will  be  performed. 

D.  MANUAL  LH2  VACUUM  INERTING  WILL  BE  PERFORMED  BY  MANUALLY 

OPENING  THE  LH2  INBOARD  AND  OUTBOARD  FILL/DRAIN  VALVES  FOR 
THE  FAILURE  TO  OPEN  THE  LH2  BACKUP  DUMP  VALVES.  THE  FIRST 
MANUAL  VACUUM  INERT  WILL  BE  PERFORMED  AS  CLOSE  TO  THE 
AUTOMATIC  SEQUENCE  AS  POSSIBLE,  BETWEEN  MPS  DUMP  START  +  17 
MINUTES  (APPROXIMATELY  MECO  +19  MINUTES)  AND  MPS  DUMP  START 
+  19  MINUTES  (APPROXIMATELY  MECO  +  21  MINUTES) .  THE  SECOND 
MANUAL  VACUUM  INERT  WILL  BE  PERFORMED  POST  OMS-2  AND  PRIOR  TO 
THE  MM  106  TRANSITION.  @[092195-1791] 


If  either  of  the  LH2  backup  dump  valves  do  not  open  during  the  MPS  dump  or  automated  vacuum 
inert(s),  the  system  will  be  manually  inerted  using  the  LH2  fill/drain  valves  in  order  to  minimize 
residuals  in  the  LH2  manifold.  The  first  manual  vacuum  inert  will  be  performed  as  close  to  the 
automatic  secjuence  timing  as  possible  (to  minimize  hydrogen  residuals).  The  second  manual  vacuum 
inert  will  be  performed  prior  to  the  MM  106  transition  in  order  to  cdlow  the  automatic  manifold  press 
checkout  and  to  minimize  hydrogen  residuals.  By  performing  the  manual  vacuum  inert(s),  the 
hydrogen  residuals  will  be  sufficiently  low  to  allow  for  the  automatic  manifold  press  checkout.  The 
MCC  will  direct  the  crew  to  perform  the  manual  vacuum  inerting  procedure  in  the  Ascent  Pocket 
Checklist  for  both  vacuum  inerts.  ®[ED  ]  @[092701 -4867A] 
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A5-206  MANUAL  VACUUM  INERTING  REQUIREMENTS  (NOMINAL,  ATO, 

AO A)  (CONTINUED) 

E.  IF  A  MANUAL  VACUUM  INERTING  IS  REQUIRED,  THE  MCC  WILL 
REQUEST,  WHENEVER  POSSIBLE,  THAT  THE  CREW  PERFORM  THE 
PROCEDURE  ON  THE  AFFECTED  SYSTEM  (S)  ONLY  L(£/LH2.  IF 
POSSIBLE,  THE  MER  MPS  ENGINEER  WILL  BE  CONSULTED  PRIOR  TO 
SCHEDULING  A  MANUAL  VACUUM  INERT.  ®[1 1 1 094-1 71 8A]  @[092701 -4867A] 

Although  several  crew  LO2/LH2  vacuum  inerting  procedures  are  integrated  in  order  to  cover  single 
failure  cases  which  affects  both  systems,  it  is  preferable  that  the  procedures  be  performed  on  only  the 
affected  system(s)  whenever  possible.  Performing  the  manual  vacuum  inert  for  on  ly  the  affected  system 
will  minimize  cycling  of  the  MPS  fill/drain  valves  and  should,  consequently,  maximize  the  useful  life  of 
the  MPS  hardware.  ®[1 1 1 094-1 71 8A  ]  ®[ED  ] 

Vacuum  inerting  will  be  repeated  if  propellants  are  believed  to  remain  in  the  manifolds.  Because  there 
are  several  potential  causes  for  propellan  t  residuals,  because  of  the  significant  technical  resources 
available  to  the  MER  MPS  engineer,  and  because  it  is  likely  that  there  will  be  a  significant  period  of  time 
to  discuss  the  situation,  the  Booster  Flight  Control  Team  will  consult  with  the  MER  MPS  engineer  if  at 
all  possible.  Based  on  reviews  of  Boeing  IL  SHA0-01 -014  /  SI-01 -044  dated  February  19,  2001,  LH2 
manifold  pressures  above  40  psia  will  be  considered  high  enough  to  perform  a  manual  vacuum  inert  of 
the  LH 2  manifold.  @[092701 -4867A] 


A5-207  LH2  PRESSURIZATION  VENT  CONTROL 

AFTER  THE  ET/ORBITER  UMBILICAL  DOOR  IS  CLOSED,  THE  Lf£ 
PRESSURIZATION  LINE  VENT  WILL  NOT  BE  OPENED  TO  AVOID  VENTING  L§ 
INTO  THE  UMBILICAL  CAVITY.  @[021199-6793] 

Damage  to  the  door  or  cavity  may  occur  if  the  LH2  pressurization  line  vent  is  opened  while  line  pressure 
is  high  and  the  vent  door  is  closed  (ref.  SODB,  volume  /,  section  3. 4. 3. 1-6). 
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A5-208  POST-MECO  AND  ENTRY  HELIUM  ISOLATION  ®[ED  ] 

A.  MPS  ENGINE  OR  PNEUMATIC  HELIUM  REGULATOR  PRESSURE  >  800  (810) 

PS  I A  AND  THE:  ®[021 1 99-6787B] 

1.  VENT  DOORS  CLOSED:  CLOSE  THE  ASSOCIATED  MPS  HELIUM 
ISOLATION  VALVE  ASAP. 

2.  VENT  DOORS  OPEN:  CLOSE  THE  ASSOCIATED  MPS  HELIUM 
ISOLATION  VALVE  AS  TIME  PERMITS. 

Analysis  indicates  an  MPS  helium  regulator  failed  open  can  cause  an  overpressurization  of  the  aft 
compartmen  t  in  approximately  17  seconds  if  the  vent  doors  are  closed.  This  overpressurization  will  not 
result  in  a  loss  of  the  vehicle.  However,  the  safety  factor  for  the  1307  Bulkhead  will  be  reduced  to  1.31 
during  entry  and  structural  damage  will  likely  occur  which  will  require  the  vehicle  to  be  taken  out  of 
serx’icefor  thorough  inspection  and  refurbishment  as  necessary  (reference  Rockwell  International 
Analysis  PCIN  R76186,  July  15,  1988). 

Crew  action  is  required  above  800  psig  when  the  relief  valve  begins  to  flow  helium  into  the  aft 
compartment.  Since  any  action  will  be  taken  where  the  ambient  pressure  is  near  zero  psia,  800  psia 
will  be  equivalent  to  800  psig.  Crew  caution  and  warning  is  set  to  810  psia  for  the  MPS  helium 
regulator  pressures.  810  psia  is  sufficiently  close  to  805  psia  (the  relief  valve  cracking  pressure  of  800 
psig  plus  5  psia  for  transducer  accuracy)  that  action  can  be  taken  at  the  crew  caution  and  warning  cue 
while  still  maintaining  adequate  margin  to  850  psig  where  the  relief  valve  goes  full  open. 

With  the  vent  doors  open,  no  action  is  required.  The  vent  doors  close  on  a  TAL  at  ET  SEP  command. 
During  an  RTLS,  the  vent  doors  close  at  the  MM  602  transition.  During  the  nominal  or  AT O  entry,  the 
vent  doors  close  at  the  transition  to  MM  304.  During  an  AOA,  the  vent  doors  are  manually  closed  just 
prior  to  the  MM  304  transition.  For  all  of  these  entry  profiles,  the  vent  doors  open  at  Mach  2.4. 

Entry  MPS  helium  regulator  shifts  are  most  likely  to  occur  during  periods  of  high  flow  demand  such  as 
when  the  MPS  helium  isolation  valves  open  at  the  transition  to  MM  303  or  when  the  MPS  helium 
blowdown  valves  open  at  Mach  5.3.  For  simplicity,  the  crew  procedure  for  MPS  helium  regulator  shifts 
call  for  the  immediate  isolation  of  the  associated  MPS  helium  isolation  valve(s)  on  entry  prior  to  Mach 
2.4.  After  Mach  2.4,  MCC  may  direct  the  crew  to  close  the  associated  MPS  helium  regulator  valves,  time 
permitting.  Training  in  the  nominal  helium  leak  isolation  procedure  will  allow  the  crew  to  react  to  the 
caution  and  warning  system  in  less  than  15  seconds.  ®[021199-6787B] 
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A5-208  POST-MECO  AND  ENTRY  HELIUM  ISOLATION  (CONTINUED) 

B.  FOR  ALL  OTHER  POST-MECO  AND  ENTRY  HELIUM  OR  PNEUMATIC  SYSTEM 
LEAKS,  THE  SYSTEM  WILL  BE  ISOLATED  AS  TIME  PERMITS.  POST¬ 
ISOLATION,  AN  ATTEMPT  WILL  BE  MADE  TO  MANUALLY  RECONFIGURE 
THE  MPS  HELIUM  SYSTEM  TO  SUPPORT  THE  ENTRY  PURGE  IF  TIME 
PERMITS.  ®[021 1 99-6787B] 

If  a  leak  occurs  on  an  engine  or  pneumatic  helium  system ,  the  affected  system  will  be  isolated  as  time 
permits.  Helium  is  required  for  manifold  pressurization  during  the  MPS  clump  and  entry,  for  valve 
actuation,  and  for  the  entry  aft  compartment  purge.  Since  the  crew  has  no  insight  into  the  configuration 
of  the  MPS  helium  system  interconnect  valves,  it  is  likely  that  the  crew  will  need  assistance  from  MCC 
in  order  to  isolate  any  post-MECO  helium  leak.  These  procedures  may  be  complicated  and  will  be 
performed  as  time  permits. 

For  nominal  missions,  if  a  leak  occurs  prior  to  the  MPS  dump,  the  leak  may  be  isolated  and  the  helium 
system  subsequently  reconfigured  to  support  the  MPS  dump.  On  entry,  if  time  permits  after  the  leak  is 
isolated,  the  helium  system  may  be  manually  reconfigured  to  support  the  entry  purge.  The  entry  purge 
is  highly  desirable  for  the  nominal  end  of  mission  but  is  considered  mandatory  during  aborts.  If  a 
hazardous  gas  leak  is  evident  in  the  aft  compartment  or  OMS  pods,  the  entry  purge  will  be  required. 
Also,  contamination  may  be  ingested  into  the  evacuated  MPS  manifolds  if  the  helium  pressurization  is 
not  performed.  The  contamination  in  the  lines  would  require  cleaning  before  the  next  flight  which 
would  increase  the  vehicle’s  turnaround  time. 

During  an  RTLS  abort,  post-MECO  isolation  may  not  be  performed.  Because  of  the  limited  flight 
duration  and  the  crew  workload,  there  may  not  be  adequate  time  to  reconfigure  the  MPS  helium  system 
to  support  the  entry  purge. 

C.  IF  ALL  CAUTION  AND  WARNING  IS  LOST  FOR  ANY  MPS  HELIUM 
REGULATOR  PRESSURE  TRANSDUCER ( S ) : 

1.  NOMINAL/ ATO : 

a.  PRIOR  TO  MACH  2.4:  MCC  WILL  HAVE  THE  CREW  CLOSE  THE 
ASSOCIATED  MPS  HELIUM  ISOLATION  VALVE ( S ) . 

b.  AFTER  MACH  2.4:  NO  ACTION  REQUIRED.  ®[021 1 99-6787B] 

2.  AOA/TAL/RTLS  :  NO  ACTION  REQUIRED  .  ®[021 1 99-6787B] 
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A5-208  POST-MECO  AND  ENTRY  HELIUM  ISOLATION  (CONTINUED) 

Without  hardware  or  software  caution  and  warning,  it  is  unlikely  that  MCC  could  diagnose  cm  MPS 
helium  regulator  failed  open  and  tell  the  crew  to  close  the  associated  MPS  helium  isolation  valve  before 
the  aft  compartmen  t  is  overpressurized  (17  seconds).  For  a  nominal  or  ATO  entry,  if  hardware  and 
software  caution  and  warning  is  unavailable,  the  crew  will  preemptively  close  the  associated  MPS  helium 
isolation  valve(s).  Caution  and  warning  may  be  lost  due  to  the  loss  (or  bias)  of  the  MPS  helium 
regulator  pressure  transducer,  loss  of  the  associated  01  DSC  or  OlMDM,  or  loss  of  the  BFS. 

After  the  vent  doors  open  at  Mach  2.4,  the  overpressurization  of  the  aft  compartment  is  no  longer  a 
concern  and  preemptively  closing  the  MPS  helium  isolation  valve(s)  to  protect  for  a  potential  MPS 
helium  regulator  failed  open  is  not  required.  Preemptive  helium  isolation  is  also  not  required  on  the 
AOA,  TAL,  or  RTLS  entry.  Protecting  for  the  additional,  unrelated  failure  of  cm  MPS  helium  regulator 
following  the  loss  of  caution  and  warning  will  not  be  performed  because  of  the  relatively  short  exposure 
period  and  high  crew  workload  during  aborts. 

Preemptive  closure  of  MPS  helium  isolation  valves  for  the  loss  of  caution  and  warning  will  require  cm 
MCC  call  except  for  a  failure  of  the  BFS  GPC.  The  BFS  FAIL  crew  procedure  in  the  Entry  Pocket 
Checklist  and  Ascent/Entry  Systems  Procedures  directs  the  crew  to  close  the  MPS  helium  B  isolation 
valves  and  the  pneumatic  helium  isolation  valves  since  caution  and  warn  ing  for  these  pressure 
transducers  is  only  available  in  the  BFS.  This  procedure  does  not  differentiate  between  a  nominal  and 
abort  entry  profiles.  ®[021 1 99-6787B] 
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A5-209  ENTRY  MPS  HELIUM  PURGE/MANIFOLD  PRESSURIZATION 

@[022802-5080  ]  ®[ED  ] 

THE  ENTRY  MPS  HELIUM  PURGE  AND  MANIFOLD  PRESSURIZATION  FUNCTIONS 
ARE  HIGHLY  DESIRABLE  TO  PURGE  THE  AFT  COMPARTMENT  OF  ANY 
HAZARDOUS  FLUID  BUILDUP  AND  TO  PREVENT  AIR  INGESTION  INTO  THE  MPS 
LO2  AND  LH2  MANIFOLDS.  IF  THIS  FUNCTION  IS  LOST,  THEN  THE 
FOLLOWING  ATTEMPTS  WILL  BE  MADE,  TIME  PERMITTING,  TO  RECOVER 
THEM: 

A.  NOMINAL/ AOA : 

EFFORTS  TO  RECOVER  THE  ENTRY  MPS  HELIUM  PURGE  AND  LC£  AND  LH2 
MANIFOLD  PRESSURIZATION  WILL  ONLY  BE  ATTEMPTED  IF  IT  WILL  NOT 
IMPACT  CRITICAL  CAPABILITY  IN  OTHER  ORBITER  SYSTEMS.  FOR 
CRITICAL  POWER/COOLING  CASES  (I.E.,  LOSS  OF  TWO  FUEL  CELLS  OR 
TWO  FREON  LOOPS) ,  THE  ENTRY  PURGE  AND  MANIFOLD  PRESSURIZATION 
WILL  BE  INHIBITED  PER  CREW  PROCEDURES. 

B.  RTLS/TAL : 

1.  FOR  THE  ENTRY  MPS  HELIUM  PURGE,  RECOVERY  EFFORTS  WILL 
ONLY  BE  ATTEMPTED  IF  IT  WILL  NOT  IMPACT  CRITICAL 
CAPABILITY  IN  OTHER  ORBITER  SYSTEMS. 

2.  FOR  THE  MPS  LH2  MANIFOLD  PRESSURIZATION,  IF  THE  SITUATION 
PERMITS,  THE  FUNCTION  WILL  BE  RECOVERED  (BY  A  SWITCH 
THROW,  PORT  MODE,  OR  RESTRING)  IN  ORDER  TO  AVOID 
INGESTION  OF  AIR  INTO  THE  LB^  MANIFOLD. 

NOTE:  FAILURE  TO  PRESSURIZE  THE  LH2  MANIFOLD  WITH  MPS 

HELIUM  REQUIRES  AN  EXPEDITED  POWERDOWN  AND  MODE  V 
EGRESS  PER  RULE  {A16-11F},  EXPEDITED  POWERDOWN. 
@[022802-5080  ] 
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A5-209  ENTRY  MPS  HELIUM  PURGE/MANIFOLD  PRESSURIZATION 

(CONTINUED) 


The  MPS  entry  helium  purge  is  used  to  purge  the  aft  compartment  of  hazardous  fluids  (e.g.  ,  LH2,  LO2, 
N2H4  NH 2,  or  hydraulic  oil)  during  entry.  For  nominal  and  AO  A  entries,  hazardous  MPS  propellants 
will  have  had  time  to  be  fully  inerted  as  part  of  the  MPS  dump  sequence;  and  therefore,  the  importance 
of  the  purge  is  low.  On  RTLS  and  TAL  entries,  residual  MPS  propellants  may  be  present,  thereby 
increasing  the  importance  of  the  purge.  If  the  presence  of  hazardous  fluids  is  suspected  due  to  system 
leaks  or  failures,  the  purge  may  help  to  reduce  the  potential  for  combustion  by  reducing  the  hazardous 
fluid  concen  trations  in  the  aft  compartment.  The  effectiveness  of  the  MPS  entry  purge  is  unknown; 
therefore,  critical  capability  in  other  Shuttle  systems  should  not  be  traded  off  to  regain  the  purge.  At  the 
Ascent  Entry  Flight  Techniques  Panel  Meeting  (AEFTP  # 168  on  10/27/00),  it  was  decided  that  if  it  was 
deemed  appropriate  by  the  flight  control  team  to  regain  the  purge,  a  temporary  port  mode  (to  latch  the 
purge  valve  commands)  could  be  attempted,  but  a  restring  was  determined  to  not  be  warranted  due  to  the 
unknown  effectiveness  of  the  purge.  The  decision  to  port  mode  will  depend  upon  the  specific  flight  phase 
and  failure  scenario  present  in  the  orbiter  as  established  in  Flight  Rule  {A2-5j,  PORT 
MODING/RESTRINGING  GUIDELINES.  @[022802-5080  ] 

It  is  desirable  to  pressu  rize  the  MPS  propellan  t  manifold  during  entry  because  failure  to  do  so  will  result 
in  the  ingestion  of  air  into  the  MPS  propellant  lines  requiring  additional  turnaround  time  to  clean  the 
contaminated  manifolds.  Also,  loss  of  the  LH2  manifold  pressurization  on  RTLS  and  TAL  aborts  will 
result  in  the  creation  of  cm  explosive  mixture  in  the  LH2  manifold  as  air  is  ingested  and  mixes  with  the 
hydrogen  residuals.  This  scenario  will  require  an  expedited  powerdown  per  Flight  Rule  { A16-11 }, 
EXPEDITED  POWERDOWN.  At  the  AEFTP  Meeting  ( AEFTP  # 168  on  10/27/00),  it  was  decided  that 
the  recovery  technique  for  the  loss  ofLH2  manifold  pressurization  could  be  a  switch  throw,  temporary 
port  mode  (to  latch  the  LH2  manifold  pressurization  commands),  or  restring.  In  general,  a  switch  throw 
will  be  attempted  before  a  port  mode,  which  will  be  attempted  before  a  restring;  however,  the  recovery 
technique  used  will  depend  upon  the  specific  flight  phase  and  failure  scenario  present  in  the  orbiter  as 
established  in  Flight  Rule  (A2-5f,  PORT  MODING/RESTRINGING  GUIDELINES.  The  importance  of 
the  LO2  man  ifold  pressurization  function  is  insufficien  t  to  justify  recovery  actions  during  cm  RTLS  or 
TAL  entry  (contamination/reflight  issue). 

To  accomplish  a  safe  entry  on  a  nominal  or  AO  A  entry  with  the  loss  of  two  Freon  loops  or  the  loss  of  two 
fuel  cells,  critical  power  and  cooling  capability  must  be  conserved  via  power  reductions  in  all  orbiter 
systems.  MPS  valves  that  are  normally  closed  valves  will  be  positioned  to  the  CLOSE  position  in  order 
to  conserve  power  (as  documented  in  the  Orbit  Pocket  Checklist,  Entry  Pocket  Checklist,  Contingency 
Deorbit  Prep,  and  Systems  AO  A  Procedures  Flight  Data  File).  This  reconfiguration  will  save 
approximately  218.4  watts.  @[022802-5080  ] 


VOLUME  A  11/21/02  FINAL,  PCN-1  BOOSTER  5-113 

Verify  that  this  is  the  correct  version  before  use. 


NASA  -  JOHNSON  SPACE  CENTER 


FLIGHT  RULES 


A5-210  ENTRY  MPS  PROPELLANT  DUMP  FAILURES  [CIL] 

@[0201 96-1 81 3A] 

A.  NOMINAL/ ATO  :  @[110900-7240] 

NO  ACTION  IS  REQUIRED. 

During  nominal/ ATO  missions,  automatic  software  or  crew  procedures  will  insure  dumping  and/or 
inerting  of  the  LO2  and  LH2  residuals  prior  to  entry.  A  complete  LH2  dump  can  be  done  if  either  the 
LH2  backup  dump  valves  or  LH 2., fill/drain  valves  are  open.  A  complete  LO2  dump  can  be  done  if  two  or 
three  SSME's  perform  LO2  dumps,  or  if  the  LO 2  fill/ drain  valves  are  both  open  (reference  Rockwell 
Internal  Letter  no.  287-104-87-004,  dated  January  8,  1987).  The  LH2  backup  dump  valves  are  the  only 
dump  path  opened  during  the  nominal/ ATO  entry  MPS  dump  sequence,  and  no  action  is  required  in  the 
event  that  these  valves  do  not  open. 

B.  AOA/TAL : 

IN  MM  304,  IF  GPC/MDM  FAILURES  CAUSE  ALL  LH?  DUMP  PATHS  TO  BE 
LOST  (INCLUDING  THE  LH2  BACKUP  DUMP  VALVES),  THE  AFFECTED  LH? 
FILL/DRAIN  VALVE (S)  WILL  BE  MANUALLY  OPENED.  IF  THE  SOFTWARE 
CANNOT  CLOSE  THE  LH2  OUTBOARD  FILL/DRAIN  OR  THE  LB?  INBOARD 
FILL/DRAIN  AND  TOPPING  VALVES,  THE  LH?  OUTBOARD  FILL/DRAIN 
VALVE  WILL  BE  MANUALLY  CLOSED  AT  A  RELATIVE  VELOCITY  (^EL) 

OF  5300  FT/SEC. 

In  the  LH2  system,  there  are  single  GPC/MDM  failures  which  result  in  the  loss  of  GPC  control  of  the 
LH 2  fill/drain  valves  and  the  LH2  topping  valve.  In  these  cases,  the  affected  LH2  fill/drain  valve(s)  will 
be  manually  opened  on  a  TAL  only  if  the  LH2  backup  dump  valves  are  not  open.  Sufficient  time  exists  to 
dump  LH2  residuals  through  the  backup  LH2  valves  for  AO  A  or  TAL  aborts,  leaving  approximately  3  lbs 
of  hydrogen  residuals  (per  Rockwell  International  internal  letter  287-100-94-164,  dated  August  9,  1994). 
There  are  also  combinations  of  GPC/MDM  failures  which  result  in  the  loss  of  all  LH2  dump  paths.  On  a 
TAL  abort,  the  crew  will  manually  open  the  affected  LH2  fill/drain  valve(s).  The  LH2  backup  dump 
valves  cannot  be  manually  opened  in  these  cases  because  the  switch  is  software  driven  and  only  read  in 
OPS  1.  The  LH2  outboard  fill/drain  valve  will  be  closed  in  order  to  preserve  helium  for  the  aft 
compartment  purge  and  to  prevent  the  combination  of  atmospheric  O2  with  the  residual  LH2  in  the 
manifold.  The  velocity  cue  used  to  close  the  LH2  outboard  fill/drain  valve  represents  the  nominal 
closing  time  and  corresponds  to  an  altitude  at  which  possible  ignition  of  residual  LH2  can  occur. 

®[1 1 1 094-1 730A  ]  ®[1 1 0900-7240  ] 
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C.  RTLS :  @[110900-7240] 

IN  MM  602,  IF  GPC/MDM  FAILURES  CAUSE  THE  LH2  OUTBOARD 
FILL/DRAIN  DUMP  PATH  TO  BE  LOST  (DUE  TO  A  FAILURE  OF  THE  LfJ 
OUTBOARD  FILL/DRAIN,  OR  THE  LB^  INBOARD  FILL/DRAIN  AND 
TOPPING  VALVES),  THE  AFFECTED  LR>  FILL/DRAIN  VALVE ( S )  WILL  BE 
MANUALLY  OPENED.  IF  THE  SOFTWARE  CANNOT  CLOSE  EITHER  THE  L^ 
OUTBOARD  FILL/DRAIN  VALVE  OR  THE  LH?  INBOARD  FILL/DRAIN  AND 
TOPPING  VALVES,  THE  LH2  OUTBOARD  FILL/DRAIN  VALVE  WILL  BE 
CLOSED  AT  A  VREL  OF  3800  FT/SEC. 

NOTE:  AN  EXPEDITED  POWERDOWN/MODE  V  EGRESS  WILL  BE  REQUIRED 

IF  A  DUMP  PATH  THROUGH  THE  LH2  OUTBOARD  FILL/DRAIN 
VALVE  CANNOT  BE  ACQUIRED  (REFERENCE  RULE  {A16-11F}, 
EXPEDITED  POWERDOWN)  .  @[0201 96-1 81 3A] 

In  the  LH2  system,  there  are  GPC/MDM  failures  which  result  in  the  loss  of  GPC  control  of  the  LH2 
fill/drain  valves  and  the  LH2  topping  valve.  The  failure  of  the  LH2  outboard  fill/drain  valve  will  result 
in  an  incomplete  LH2dump  on  RTLS  aborts.  Analysis  has  shown  that  approximately  40.8  pounds  ofLH2 
residuals  will  remain  in  the  MPS  LH2  manifold  if  the  only  LH2  dump  path  is  through  the  backup  LH2 
valves  (reference  Rockwell  internal  letter  287-100-04-164,  dated  August  9,  1994).  Venting  LH2 
residuals  will  preclude  normal  convoy  operations  (reference  rule  (A16-1  IF},  EXPEDITED 
POWERDOWN).  In  order  to  avoid  this  ground  hazard,  the  affected  LH2  fill/drain  valve(s)  will  be 
opened.  The  LH2  outboard  fill/drain  valve  will  be  closed  in  order  to  preserve  helium  for  the  aft 
compartment  purge  and  to  prevent  the  combination  of  atmospheric  O2  with  the  residual  LH2  in  the 
manifold.  The  velocity  cue  used  to  close  the  LH2  outboard  fill/drain  valve  represents  the  nominal 

closing  time  and  corresponds  to  an  altitude  at  which  possible  ignition  of  residual  LH2  can  occur. 

@[111 094-1 730A]  @[110900-7240] 
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FAILURE  DEFINITIONS 


A6-1  OMS/RCS  HELIUM  TANK 

AN  OMS  AND/OR  HELIUM  TANK  IS  CONSIDERED  LOST  IF: 

A.  OMS  PRESSURE  <  390  (640)  PSIA,  RCS  PRESSURE  <  400  (456)  PSIA. 

The  fail  limit  is  defined  as  a  low  helium  tank  pressure  such  that  the  regulated  outlet  pressure  is 
insufficient  to  maintain  the  propellant  tank  pressure  within  normal  operating  range. 

The  OMS  fail  limit  is  390  psia.  At  that  helium  pressure  a  single  engine  flow  rate  will  result  in  lower  than 
nominal  propellant  tank  pressures  (below  250  psia).  Off-nominal  testing  has  shown  that  under  a  single  engine 
flow  rate  the  helium  tank  pressure  decreased  to  180  psia  before  a  chamber  pressure  of  80  percent  was  reached. 
However,  the  390  psia  limit  guarantees  nominal  regulator  performance  (390  psia  corresponds  to  the  regulator 
spec  inlet  pressure).  Reference  SODB  constraint  4.3.3.2.1.e.l  for  the  390  psia  limit. 

The  RCS  fail  limit  is  400  psia.  At  this  helium  pressure  a  four-jet  flow  rate  will  result  in  lower  than  nominal 
propellant  tank  pressures  (below  245  psia).  Reference  SODB  constraint  4.3.2.3.3-f.2  for  the  400  psia  limit. 

B.  ALL  PRESSURIZATION  PATHS  CLOSED. 

If  both  valves  or  regulators  are  failed  closed,  no  passageway  exists  for  He  to  pressurize  the  propellan  t 
tank.  Therefore,  the  He  tank  is  effectively  lost. 

A6-2  OMS  PROPELLANT  TANK  (OXIDIZER  OR  FUEL) 

AN  OMS  PROPELLANT  TANK  IS  CONSIDERED  LOST  IF: 

A.  PREBURN  -  FUEL  INLET  PRESSURE  <  208  (216)  OR  OXIDIZER  INLET 

PRESSURE  <  143  (151)  OR  BOTH  FUEL  AND  OXIDIZER  INLET  PRESSURE 

<  158  (166)  PSIA  OR  PROPELLANT  QUANTITY?  3  PERCENT. 

A  low  fuel  inlet  pressure  ( <  208)  preburn  will  result  in  reduced  fuel  flow  at  the  OMS  engine  during  the 
burn.  The  fuel  is  used  as  a  coolant  for  the  engine  combustion  chamber,  and  with  reduced  flow,  the 
cooling  jacket  temperature  will  increase.  At  ignition,  a  low  fuel  inlet  pressure  (208  psia)  will  result  in 
the  violation  of  the  onboard  OMS  fuel  injector  temperature  fault  detection  annunciation  (FDA)  limit  (260 
deg  F).  Within  approximately  10  to  20  seconds,  the  injector  temperatures  will  increase  to  a  dangerous 
level  causing  possible  chamber  wall  burn  through.  Consequently,  for  confirmed  low  fuel  inlet  pressure 
as  defined  in  the  Flight  Rules,  the  affected  propellant  feed  system  will  be  considered  failed. 
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A  low  oxidizer  pressure  less  than  normal  but  >  143  psia  preburn  will  cause  the  engine  to  burn  cooler  than 
normal  (fuel  rich  mixture  ratio  results  in  a  cooler  burn).  However,  with  oxidizer  inlet  pressure  <  143  psia,  the 
chamber  pressure  violates  the  FDA  limit  of  80  percent  and  may  cause  unstable  combustion  and  chamber  wall 
hot  spots.  Therefore,  this  engine  should  not  be  started  to  prevent  possible  chamber  wall  burn  through. 

When  both  of  the  oxidizer  and  fuel  inlet  pressures  are  low  (i.e.,  operating  in  a  blowdown  condition),  the  OMS 
engines  can  be  burned  until  the  inlet  pressures  reach  158  psia  because  the  mixture  ratio  remains  fairly 
constant.  Although  the  chamber  FDA  limit  is  violated,  the  engine  can  be  safely  operated  until  both  the  oxidizer 
and  fuel  inlet  pressures  decrease  below  the  158  psia  value,  the  chamber  pressure  decreases  below  72  percent, 
or  the  fuel  injector  temperature  reaches  260  deg  F. 

The  OMS  propellant  tank  is  also  considered  failed  (unusable)  when  propellant  quantities  are  <  3  percent. 

This  is  to  prevent  the  propellant  tank  from  reaching  depletion  levels  during  a  burn  and  ingesting  helium  into 
the  OMS  engine.  The  ingestion  of  helium  into  the  OMS  engine  could  result  in  unstable  operation.  For  a 
propellant-critical  situation,  the  engine  can  be  operated  until  tank  depletion  without  risk  of  uncontained 
engin  e  damage.  The  3  percen  t  quan  tity  is  derived  as  follows:  2.3  percen  t  trapped  propellan  t  in  the  tank  plus 
>0.7  percen  t  gauge  error  (0.7  percen  t  gauge  error  on  ly  applies  for  toted  quan  tities  less  than  5.0  percen  t). 

The  3  percent  value  should  be  utilized  only  during  the  burn  while  monitoring  the  OMS  hardware  quantity 
gauging  system. 

B.  ALL  ASSOCIATED  TANK  ISOLATION  VALVES  FAILED  CLOSED. 

Restriction  of  a  propellant  path  from  the  propellant  tanks  to  the  OMS  engine  is  cm  effective  loss  of  the 
propellant  tank. 

C.  PROPELLANT  TEMPERATURE  <  40  DEG  (44  DEG)  F  OR  >  100  DEG 
(96  DEG)  F. 

The  engine  design  specification  is  40  deg  to  100  deg  F  propellant.  These  temperatures  define  an 
envelope  for  which  it  is  known  to  be  safe  to  start  and  operate  the  OMS  engine.  Engine  testing  has  been 
limited  to  this  temperature  range  and  engine  performance  is  unknown  beyond  this  range.  High 
propellan  t  (fuel)  temperature  may  result  in  propellant  boiling  in  the  cooling  jacket  causing  unknown 
performance.  It  is  also  believed  that  low  propellant  temperatures  could  cause  large  Pc  spikes  at  engine 
start.  (Reference  SODB.  volume  I,  paragraph  4.3.3.  D.) 
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D.  RESTRICTION  IN  OXIDIZER  FEED  SYSTEM:  PC  <  76  (80)  PERCENT, 

OMS  RM  ENGINE  SELECT  DOWN  ARROW  ( '? " )  ON  MANEUVER  EXECUTE 
DISPLAY  (POST-MECO  ONLY),  AND  OXIDIZER  INLET  PRESSURE  <  128 
(136)  PSIA. 


An  oxidizer  restriction  may  cause  Pc  and  total  vehicle  acceleration  to  decrease  below  the  OMS  RM  limit 
triggering  the  down  arrow.  The  oxidizer  feed  restriction  can  be  confirmed,  during  the  burn,  with  a  low 
oxidizer  inlet  pressure  which  corresponds  to  the  Pc  limit  of  80  percent.  ( Reference  SODB  paragraph 
3.4. 3. 3-1  la  for  minimum  Pc,  and  SODB  request  response  R921  for  inlet  pressure  verification.) 

E.  RESTRICTION  IN  FUEL  FEED  SYSTEM:  OMS  FUEL  INJECTOR 

TEMPERATURE  >  260  DEG  (260  DEG)  F*  AND  FUEL  INLET  PRESSURE 
LESS  THAN  OR  EQUAL  TO  THE  LOWER  FAIL  LIMIT. 

*  NORMAL  OPERATING  TEMPERATURE  PLUS  INSTRUMENTATION 
ACCURACY  WILL  NOT  MEET  FAILURE  LIMIT. 


ENGINE 

SERIAL# 

FU  IN  P  LOWER 

FAIL  LIMIT  (PSI) 

101 

199  (207) 

105 

201  (209) 

106 

196  (204) 

107 

193  (201) 

108 

206  (214) 

109 

204  (212) 

110 

199  (207) 

111 

201  (209)  | 

113 

200  (208)  I 

114 

192  (200) 

115 

197  (205) 

116 

203  (211) 

117 

193  (201) 

@[110900-7250] 


The  fuel  flow  through  the  engine  cooling  jacket  may  be  reduced  by  a  fuel  restriction,  causing  hot  spots  in 
the  combustion  chamber.  Without  proper  engine  cooling,  the  probability  exists  for  an  engine  burn 
through,  creating  a  hazard  to  the  surrounding  structure  and  pod.  In  addition,  a  restriction  in  the  fuel 
feed  line  system  would  result  in  an  oxidizer  rich  mixture  ratio  with  a  higher  combustion  temperature. 
SODB  data  indicates  a  need  for  engine  specific  fuel  inlet  pressures  as  cues  for  OMS  propellant  tank 
failures.  Instrumentation  inaccuracy  of  8  psi  must  be  protected  to  adequately  protect  the  OMS  engine. 
SODB,  volume  III  (CAUTION:  SODB,  volume  III,  contains  engineering  estimates  for  lion-nominal 
performance  evaluation.  Data  may  not  be  supported  by  test.),  table  4.3.3  contains  engine-specific  data 
and  should  be  used  to  determine  tank  failure  limits. 
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A  260  deg  F  fuel  injector  temperature  at  the  cooling  jacket  outlet  clearly  iden  tifies  an  off-nomincd 
situation,  yet  is  sufficiently  removed  from  the  failure  limit  to  allow  time  for  crew  action.  The  low  fuel 
inlet  pressure  indicates  that  the  restriction  is  upstream  of  the  transducer.  A  restriction  large  enough  to 
result  in  a  decreased  fiiel  inlet  pressure  and  high  fuel  injector  temperature  beyond  the  defined  limits 
results  in  the  failure  of  the  propellant  tank  to  support  further  OMS/RCS  activities. 

Rule  {A6-256},  OMS/RCS  HEATER  PERFORMANCE  MONITORING,  references  this  rule. 

F.  OXIDIZER  AND  FUEL  BOTH  IN  BLOWDOWN  (LOSS  OF  HE  TANK),  OMS  RM 

ENGINE  SELECT  DOWN  ARROW  ( "? " )  ON  MANEUVER  EXECUTE  DISPLAY 
AND  PC  <  68  (72)  PERCENT. 

Test  results  have  determined  that  with  both  the  oxidizer  and  fuel  tanks  in  blowdown,  the  OMS  engines 
can  be  safely  operated  below  the  80  percent  Pc  alarm  with  cm  acceptable  propellant  mixture  ratio.  When 
Pc  drops  below  68  percent,  unstable  combustion  occurs.  {Reference  SODB.  paragraph  3. 4. 3. 3-1  lb.) 

G.  PROPELLANT  LEAK  UPSTREAM  OF  BALL  VALVES,  PC  <  76  (80)  PERCENT 
AND  OMS  RM  ENGINE  SELECT  DOWN  ARROW  ( '? " )  ON  MANEUVER  EXECUTE 
DISPLAY. 

A  propellant  leak  large  enough  to  cause  low  Pc  and  decayed  acceleration  during  an  OMS  engine  burn, 
as  indicated  by  a  down  arrow,  iden  tifies  an  OMS  propellant  system  failure.  Even  though  the  leak  may  be 
isolated,  the  engine  and  associated  propellant  system  cannot  be  used  since  the  leak  would  affect 
crossfeed  (ref.  SODB,  paragraph  3.4. 3. 3-1  la). 
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A6-3  QMS  ENGINE 

AN  OMS  ENGINE  IS  CONSIDERED  LOST  IF: 

A.  AN  ENGINE  BALL  VALVE  POSITION  <  47  (70)  PERCENT  THAT  RESULTS 

IN  AN  ENGINE  PC  <  76  (80)  PERCENT  AND  AN  OMS  DOWN  ARROW  (’?") 

ON  THE  MANEUVER  EXECUTE  DISPLAY. 

OMS  engine  Pc  must  be  >  76  (80)  percent  (100  psia)  when  not  in  ullage  blowdown  (reference  SODB, 
volume  I,  paragraph  3. 4. 3. 3)  or  Pc  must  be  >  68  (72)  percent  (90  psia)  in  ullage  blowdown  (reference 
SODB,  volume  I,  paragraph  3. 4. 3. 3)  to  ensure  safe  engine  operation.  A  ball  valve  position  of  47  percent 
causes  sufficient  blockage  of  propellant  flow  to  result  in  an  engine  Pc  =  76  percent  (100  psia).  Although 
ball  valve  position  >47  percent  results  in  safe  engine  operation,  a  conservative  70  percent  (ref.  SODB, 
volume  I,  paragraph  3. 4. 3. 3)  is  required  to  clearly  identify  ball  valves  not  in  a  normal  position.  This 
ball  valve  failure  confirms  that  the  problem  is  an  engine  failure  and  not  a  propellant  tank  failure. 

B.  OMS  ENGINE  FEEDLINE  TEMPERATURE  <30  DEG  (38  DEG)  F  OR 
>  125  DEG  (117  DEG)  F. 

Test  data  have  demonstrated  that  engine  starts  are  acceptable  with  propellant  temperatures  at  these 
limits  as  long  as  the  bulk  propellant  tank  temperature  is  within  limits.  Operation  with  bulk  propellant 
outside  of  these  limits  is  untested  and  uncertified.  Problems  that  would  probably  be  encountered  are 
rough  combustion,  insufficien  t  cooling,  and  excessive  high  chamber  pressure  which  could  overstress  the 
engine  chamber.  (Reference  SODB,  paragraph  4. 3. 3. 4.) 
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A6-3  QMS  ENGINE  (CONTINUED) 

C.  FUEL  RESTRICTION:  OMS  FUEL  INJECTOR  TEMPERATURE  >260  DEG 

(260  DEG)  F*  AND  FUEL  INLET  PRESSURE  GREATER  THAN  OR  EQUAL  TO 
THE  UPPER  FAIL  LIMIT. 

*  NORMAL  OPERATING  TEMPERATURE  PLUS  INSTRUMENTATION 
ACCURACY  WILL  NOT  MEET  FAILURE  LIMIT. 


ENGINE 

SERIAL# 

FU  IN  P  UPPER 

FAIL  LIMIT  (PSI) 

101 

230  (222) 

105 

235  (227) 

106 

228  (220) 

107 

227  (219) 

108 

238  (230) 

109 

238  (230) 

110 

234  (226) 

111 

232  (224) 

113 

228  (220) 

114 

229  (221) 

115 

233  (225) 

116 

233  (225) 

117 

225  (217) 

@[110900-7251  ] 


Fuel  is  used  to  cool  the  OMS  engine  combustion  chamber.  The  fuel  injector  temperature  is  measured  after 
the  fuel  has  passed  through  the  regenerative  cooling  jacket.  Normally  this  temperature  is  220  deg  F 
during  a  burn.  The  260  deg  limit  was  selected  to  positively  identify  that  the  engine  was  operating  in  an 
anomalous  manner.  At  all  temperatures  below  260  deg  F,  engine  operation  is  safe.  However,  as  the  fuel 
injector  temperature  exceeds  this  limit,  combustion  chamber  wall  burn  through  becomes  increasingly 
likely.  Since  chamber  pressure  is  largely  unaffected  by  the  loss  of  cooling,  only  fuel  inlet  pressu  re  can 
confirm  that  a  fuel  restriction  exists.  A  higher-than-normal  fuel  inlet  pressure  is  indicative  of  a  restriction 
in  the  fuel  flow  downstream  of  the  engine  bcdl  valves.  SODB  data  indicates  a  need  for  engine-specific  fuel 
inlet  pressures  as  a  secondary  cue  for  OMS  engine  failure.  Instrumen  tation  inaccuracy  of  8  psi  must  be 
protected  to  prevent  the  crew  concluding  fuel  injector  temperature  transducer  failure  when  an  OMS  engine 
failure  has  occurred. 


SODB.  volume  III,  table  4.3.3  (CAUTION :  SODB  volume  III  contains  engineering  estimates  for  non- 
nominal  performance  evaluation.  Data  may  not  be  supported  by  test.)  contains  engine-specific  data  and 
should  be  used  to  determine  engine  failure  limits. 
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D.  PROPELLANT  LEAK  DOWNSTREAM  OF  BALL  VALVES,  PC  <  76  (80) 

PERCENT,  AND  OMS  RM  ENGINE  SELECT  DOWN  ARROW  ( '? " )  ON 
MANEUVER  EXECUTE  DISPLAY  OR  FUEL  INJECTION  TEMP  >260  DEG  F. 

A  propellant  leak  large  enough  to  cause  low  Pc  and  decayed  acceleration,  as  indicated  by  the  down 
arrow  or  fuel  injector  temperature  high,  during  a  burn  results  in  the  loss  of  the  affected  engine. 

( Reference  SODB,  volume  I,  paragraphs  3.4. 3. 3  and  3. 4. 4. 3.) 

E.  PREVIOUS  FUEL  OR  OXIDIZER  DEPLETION  CUTOFF. 

Although  WSTF  tests  with  a  fuel  depletion  cutoff  did  not  damage  an  OMS  engine,  there  is  significan  t  risk 
that  engine  damage  may  occur  during  shutdown.  This  is  due  to  the  loss  of  engine  cooling  when  fuel  no 
longer  passes  through  the  cooling  jacket  around  the  combustion  chamber.  Uncontained  damage  did  not 
occur  during  WSTF  tests  but  zero-g  effects  are  unknown. 

It  is  not  desirable  to  reuse  an  OMS  engine  following  an  oxidizer  depletion  cutoff.  A  period  of  time  is 
required  for  oxidizer  from  a  different  propellant  source  to  reach  the  engine  during  the  first  engine  start 
following  oxidizer  depletion  cutoff.  During  this  time,  unburned  fuel  accumulates  in  the  combustion 
chamber  because  of  the  very  low  vapor  pressure  of  monomethylhydrazine.  When  the  oxidizer  reaches  the 
injector,  extremely  rough  combustion  will  result.  Uncontained  engine  damage  could  result. 

There  have  not  been  any  tests  to  verify  reuse  of  an  engine  which  has  experienced  a  previous  oxidizer  or 
fuel  depletion  cutoff. 

Reference:  SODB  3.4. 3. 3.  Rule  { A6-106J ,  OMS  ENGINE  BURN  TO  DEPLETION,  references  this  rule. 

F.  PRE-MECO  PC  ?  76  (80)  PERCENT  CONFIRMED  BY  ENGINE  BALL 

VALVE  POSITION  <  47  (70)  PERCENT  OR  OXIDIZER  INLET  PRESSURE 

>  235  (227)  PSIA. 

The  crew  will  get  a  class  2  alarm  at  Pc  <  76  (80)  percent,  but  there  is  no  MNVR  EXEC  display  or  ENG 
SEL  down  arrow  pre-MECO  to  indicate  loss  of  acceleration.  Therefore,  oxidizer  inlet  pressure  or  ball 
valve  position  is  checked  for  an  additional  indication  of  an  engine  failure.  The  rationale  used  for 
paragraphs  A  and  C  (CAUTION :  SODB,  volume  III,  contains  engineering  estimates  for  non-nominal 
evaluation.  Data  may  not  be  supported  by  test.)  applies  here  also.  (Reference  SODB,  volume  I,  3. 4. 3. 3, 
table  3.4. 3. 3  and  SODB  request  response  R921.) 

THIS  RULE  CONTINUED  ON  NEXT  PAGE 
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A6-3  QMS  ENGINE  (CONTINUED) 


G. 


OXIDIZER  RESTRICTION:  PC  <  76  (80) 
SELECT  DOWN  ARROW  ( "? " )  ON  MANEUVER 
OXIDIZER  INLET  PRESSURE  >  235  (227) 


PERCENT,  OMS  RM  ENGINE 
EXEC  DISPLAY,  AND 
PSIA. 


The  engine  can  also  fail  if  the  oxidizer  injector  is  restricted,  which  causes  the  upstream  oxidizer  inlet 
pressure  to  increase.  Operating  at  this  low  oxidizer  inlet  pressure  will  result  in  an  engine  failure 
indicated  by  low  Pc  and  acceleration.  { Reference  SODB,  volume  I,  paragraph  3. 4. 3. 3.  A  request  has 
been  submitted  for  inlet  pressure  verification.) 

H.  OMS  BALL  VALVE  POSITION  >  0  PERCENT  (FAILED  OPEN  RANGE  LOWER 
LIMIT)  AND  <  47  (70)  PERCENT  POSTBURN  AND  INSTRUMENTATION 

FAILURE  CANNOT  BE  POSITIVELY  IDENTIFIED. 


ENGINE 

SERIAL# 

OMS  BALL  VALVE  FAILED 

OPEN  RANGE  LOWER  LIMIT 

BV1  % 

BV2  % 

101 

6 

5 

105 

3 

5 

106 

4 

6 

107 

6 

6 

108 

4 

5 

109 

4 

6 

110 

3 

4 

111 

6 

3 

113 

4 

4 

114 

5 

3 

115 

3 

3 

116 

2 

4 

117 

5 

4 

@[110900-7251]  ©[1112102-ED  ] 


For  failure  definition  purposes,  the  OMS  ball  valves  are  considered  a  functionally  integral  part  of  the 
OMS  engine.  OMS  ball  valve  position  indicators  are  single-point  instrumentation  on  the  series  ball 
valves.  To  distinguish  cm  instrumentation  failure  from  a  hardware  failure,  it  is  necessary  to  examine  the 
time-ordered  history  of  the  anomaly. 


The  normal  position  of  the  ball  valves  when  not  operating  is  0  percent  open  (decimals  of  percent  open  are 
rounded).  If  the  ball  valves  are  failed  to  <  47  percen  t,  the  affected  OMS  Pc  will  be  <  80  percen  t  which  is 
level  at  which  the  engine  is  considered  failed.  (Refer  to  rationale  of  Rule  { A6-108 j,  OMS  BALL  VALVE 
FAILURE  MANAGEMENT. )  The  position  indicators  have  cm  instrumentation  accuracy  of  5  percent. 

THIS  RULE  CONTINUED  ON  NEXT  PAGE 
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A6-3  QMS  ENGINE  (CONTINUED) 

In  order  to  avoid  declaring  an  engine  failed  due  to  instrumentation  accuracy  effects,  the  ball  valve  will 
be  considered  closed  if  the  indicated  position  is  less  than  or  equal  to  5  percen  t.  The  failed  open  range 
lower  limits  listed  in  the  above  table  are  based  on  this  value  of  5  percent,  plus  an  engine-specific  error. 
This  additional  error  is  caused  by  the  generic  scale  and  generic  bias  factor  used  to  convert  the  voltage 
measured  by  the  hardware  to  a  percent  open.  These  generic  factors  are  used  for  all  engines  and  vary 
slightly  from  the  individual  scale  and  bias  factors  associated  with  each  engine.  For  example,  the  value 
of  4  percen  t  shown  for  ball  valve  1  of  engine  109  is  the  result  of  adding  the  scale  and  bias  factor  error 
of  -1  percent  to  the  instrumentation  error  of  5  percent.  When  that  ball  valve  is  closed,  it  should 
indicate  within  the  range  of  -6  to  4  percent. 

Note  that  flow  through  the  valve  begins  at  10  percent.  If  the  failed  open  range  lower  limit  is  exceeded, 
then  the  valve  is  failed  open  and  a  flow  path  through  that  valve  may  exist.  Since  there  are  two  ball 
valves  in  series,  should  any  single  ball  valve  be  open  >  10  percent  postburn,  the  other  bcdl  valve  in  that 
series  will  prevent  propellant  leakage  into  the  engine  proper. 

If  an  instrumentation  failure  cannot  be  positively  identified,  the  engine  is  considered  failed.  The  affected 
engine  will  be  used  for  deorbit  only,  and  then,  only  if  the  other  engine  is  failed.  If  the  ball  valve  position 
is  more  than  47  percent  open,  an  acceptable  OMS  Pc  will  be  obtained  during  any  subsequent  engine 
operation.  ( Reference  SODB,  volume  I,  paragraph  3.4.3.3-17,  and  Flight  Rules  {A6-3A},  OMS  ENGINE, 
and  { A6-108 j,  OMS  BALL  VALVE  FAILURE  MANAGEMENT. ) 

I.  OMS  GN2  SYSTEM  FAILURE  (REF.  RULE  {A6-5},  OMS  N? 

ACCUMULATOR) . 

Reference  Rule  {A6-5},  OMS  N2  ACCUMULATOR,  for  rationale.  Rules  (A6-106J,  OMS  ENGINE 
BURN  TO  DEPLETION;  and  (A6-108},  OMS  BALL  VALVE  FAILURE  MANAGEMENT,  reference  this 
rule. 
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A6-4  QMS  N2  TANK 

AN  OMS  N2  TANK  IS  CONSIDERED  LOST  IF: 

A.  PRESSURE  <  309  (469)  PSIA  (NO  PURGE  AVAILABLE) . 

An  OMS  /V2  tank  failure  is  defined  as  insufficient  GN2  pressure  to  allow  a  nominal  engine  start  with  no 
purge  and  a  subsequent  accumulator  only  start  with  the  GN2  tank  isolation  valve  closed.  A  GN2  tank 
pressure  of 309  psia  ( 283  psifor  an  accumulator  start  arid  26  psifor  a  nominal  no  purge  start)  will 
provide  sufficient  pressure  to  accomplish  this  requirement  with  a  100  percent  ball  valve  opening  on  both 
burns.  (Reference  SODB,  volume  I,  paragraph  3.4.3.3.14.) 

B.  REGULATOR  FAILED  CLOSED. 

C.  FAILED  CLOSED  CHECK  VALVES. 

D.  OMS  ENGINE  PRESSURE  VALVE  FAILED  CLOSED. 

Any  one  of  these  conditions  has  isolated  the  tank  from  the  ball  valve  rack  assembly,  effectively  failing  the 
tank.  Rule  { A6-55 },  OMS  N2  TANK  FAILURE  MANAGEMENT,  references  this  rule. 

A6-5  OMS  N2  ACCUMULATOR 

THE  OMS  N2  SYSTEM  IS  CONSIDERED  LOST  IF: 

INSUFFICIENT  N2  REGULATOR  PRESSURE  TO  OPERATE  ENGINE  BALL  VALVES: 


A. 

n2  REGULATOR  PRESSURE 
VALVE  CLOSED. 

<  283 

(299) 

PSIA 

WITH 

ENGINE 

PRESSURE 

B. 

n2  REGULATOR  PRESSURE 

<  244 

(260) 

PSIA 

WITH 

ENGINE 

PRESSURE 

VALVE  OPEN  (ASSUMES  N2 
PRESSURE) 

TANK 

PRESSURE  EQUAL  TO  N2  REGULATOR 

An  OME  is  considered  failed  if  ball  valves  cannot  be  guaranteed  to  fully  open.  The  engine  can  be  used 
in  a  contingency  if  ball  valves  can  be  guaranteed  to  open  >  90  percen  t.  With  the  engine  pressurization 
valve  closed,  the  pressure  below  the  valve  must  be  above  283  psia  to  move  the  ball  valve  rack  assembly. 
With  the  pressurization  valve  open,  allowing  the  large  tank  volume  to  pressurize  the  accumulator,  the 
ball  valve  rack  will  only  require  244  psi.  (Both  the  regulator  pressure  and  tank  pressure  must  be  above 
244  psia.)  Performance  drops  off  drastically  at  lower  N  2  or  accumulator  pressures.  Instrumentation 
accuracy  is  16  psi  on  the  accumulator  pressure.  (Reference  SODB,  volume  I,  table  4. 3. 3-3.) 

Rules  { A6-3I j,  OMS  ENGINE;  {A6-51},  OMS  FAILURE  MANAGEMENT  [CILJ;  { A6-55} ,  OMS  N2 
TANK  FAILURE  MANAGEMENT;  and  {A6-56},  OMS  N2  REGULATOR  FAILURE  MANAGEMENT, 
reference  this  rule. 
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A6-6  OMS/RCS  CROSSFEED  LINE 

THE  OMS/RCS  CROSSFEED  LINE  IS  CONSIDERED  LOST  IF: 

A.  OMS/RCS  CROSSFEED  TEMPERATURE  <  40  DEG  (48  DEG)  F  OR  >  125  DEG 
(117  DEG)  F. 

It  takes  approximately  10  seconds  from  ignition  to  reach  thermal  equilibrium  in  an  OMS  engine  and 
regenerative  cooling  jacket.  A  crossfed  OME  will  use  the  propellant  from  the  feedlines  and  all  of  the 
propellant  in  the  crossfeed  lines  during  this  thermal  startup  phase.  It  takes  approximately  6  seconds  to 
burn  the  feedline  and  crossfeed  line  propellant  through  an  OME.  @[092701-4850  ] 

The  OME  starts  with  propellant  below  30  deg  F  or  OME  steady  state  operation  with  propellant  below 
40  deg  F  may  result  in  rough  combustion  and  excessive  high  chamber  pressure  which  could  overstress 
the  engine  chamber.  Propellant  temperatures  below  40  deg  F  may  also  affect  structural  components 
such  as  sendee  couplings  and  transducer  fittings.  Below  30  deg  F,  there  is  a  concern  that  the  oxidizer 
may  freeze,  rupturing  or  blocking  propellant  lines.  RCS  jet  operation  with  propellant  below  40  deg  F 
may  result  in  rough  combustion.  For  RCS  crossfeed  during  entry,  the  lower  limit  is  68  deg  (70  deg)  F 
to  protect  against  ZOT’s  (refer  to  Flight  Rule  (A6-258),  ARCS  BULK  PROPELLANT  TEMPERATURE 
MANAGEMENT). 

OME  startup  with  propellant  above  125  deg  F  reduces  engine  cooling  effectiveness,  resulting  in 
violation  of  injector  temperature  limits.  Localized  “hot  spots”  of  propellant  may  develop  in  stagnant 
crossfeed  lines.  This  is  caused  by  non-uniformity’ s  in  line  heater  installation  coupled  with  non- 
synchronous  heater  cycling.  Hot  spots  can  be  tracked  and  confirmed  during  periods  of  interconnect. 

Hot  spots  less  than  125  deg  F  are  acceptable  for  OME  and  RCS  steady  state  operation.  Refer  to  SODB 
table  3. 4. 3. 3. 

B.  NO  FLOW  PATH  EXISTS. 

The  OMS/RCS  crossfeed  lines  are  considered  failed  when  no  flow  path  exists.  Dual  valve  failure  or  a 
line  leak  could  result  in  a  flow  path  loss. 

C.  CROSSFEED  LINE  PRESSURE  IS  <  15  (49)  PSI  OXIDIZER  OR 

<  1  (35)  PSIA  FUEL  (AS  INDICATED  BY  RCS  MANIFOLD 

PRESSURES)  AS  A  RESULT  OF  PROPELLANT  LEAKAGE. 

Pressure  less  than  49  psia  oxidizer  or  35  psiajuel  as  a  result  of  propellant  leakage  is  cause  to  declare 
the  crossfeed  line  failed.  A  known  leaking  line  resulting  in  violation  of  the  above  limits  will  not  be 
repressed  unless  staged  repress  techniques  increase  pressures  to  within  acceptable  limits.  The  OMS 
crossfeed  line  pressure  will  be  checked  via  RCS  manifold  pressures  until  additional  pressure  transducers 
are  installed.  Any  attempt  to  repressurize  the  leaking  line  risks  structural  damage  as  a  result  of 
excessive  surge  pressures. 

For  a  crossfeed  pressure  less  than  the  above  limit  as  a  result  of  thermal  affects,  the  crossfeed  line  may  be 
repressed  according  to  the  Flight  Rules  restrictions. 
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A6-7  RCS  PROPELLANT  TANK  (OXIDIZER  OR  FUEL) 

AN  RCS  PROPELLANT  TANK  IS  CONSIDERED  LOST  IF: 

A.  PRESSURE  IS  <  185  (190)  PSIA. 

To  maintain  primary  jet  inlet  pressures  greater  than  175  psia,  the  tank  pressure  must  remain  above  185  psia. 
With  lower  than  normal  inlet  pressures  (<  175),  the  chamber  pressure  during  a  firing  becomes  significantly 
higher  than  the  inlet  pressure.  This  results  in  a  high  frequency  “chug”  or  combustion  instability  which  causes 
hot  spots  on  the  chamber  wall  and  in  extreme  cases  may  cause  the  chamber  wall  to  fail.  Reference  SODB 
3.43.2.  lO.a. 

The  vernier  jets  have  a  lower  but  undefined  operational  limit  where  the  lower  pressure  can  lead  to  the 
accumulation  of  carbon  deposits  in  the  chamber  pressure  tube.  Blockage  of  the  Pc  tube  may  result  in 
false  fail-off jet  indications. 

B.  ARCS: 

1.  ARCS  (ENTRY  ONLY)  AND  FRCS :  PROPELLANT  QUANTITY 
?  0  PERCENT. 

Propellant  gauge  quantity  reflects  usable  propellant.  Trapped  propellant  and  gauge  error  are  not 
included  in  the  gauge  quantity.  For  the  FRCS,  the  gauge  error  propellan  t  is  available  for  con  tingency 
operations  to  1.5  percent  below  a  gauge  reading  ofO  percent  (ref.  Rule  { A6-357 },  FORWARD  RCS 
CONTINGENCY  PROPELLANT  A  VAILABLE). 

2.  ARCS  ON  ORBIT:  PROPELLANT  QUANTITY  ?  20  PERCENT. 

The  on-orbit  aft  RCS  tank  failure  limit  is  based  upon  the  on-orbit  expulsion  efficiency  of  the  RCS  tank 
(78  percent  of  the  design  tank  volume;  ref.  SODB  4.3.2.2.1.f.2).  The  on-orbit  expulsion  efficiency  of  the 
RCS  is  significantly  less  than  the  entry  expulsion  efficiency  because  the  aft  RCS  tanks  were  designed  to 
operate  most  efficiently  during  entry  g-loading.  Propellant  can  be  expelled  on  orbit  to  16  percent  PVT 
gauge  quantity  (provided  PVT  gauging  is  perfectly  accurate).  Protecting  for  gauge  error  (50  lbs  OX,  34 
lbs  FU),  the  minimum  quantity  on  orbit  becomes  20  percent.  The  20  percent  of  propellant  will  be 
available  for  control  during  entry  (post  EI:  g>  0.05),  since  expulsion  efficiency  during  this  period 
increases  to  96.5  percen  t  of  the  design  tank  volume. 

C.  ASSOCIATED  TANK  ISOLATION  VALVES  FAILED  CLOSED. 

No  passageway  exists  for  propellant  to  flow  from  the  tank  to  the  jets,  effectively  failing  the  tank. 

THIS  RULE  CONTINUED  ON  NEXT  PAGE 
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A6-7  RCS  PROPELLANT  TANK  (OXIDIZER  OR  FUEL) 

(CONTINUED) 

D.  ARCS  PROPELLANT  TEMPERATURE  IS  <  50  DEG  (52  DEG)  F  OR  >  100  DEG 
(98  DEG)  F. 

The  concern  with  violating  the  upper  limit  is  that  the  oxidizer  viscosity  and  adhesion  to  the  acquisition 
screens  cdlows  a  lower  pressure  to  pull  helium  into  the  lower  compartmen  t  and  then  to  the  jets.  Violating 
the  lower  limit  increases  the  restriction  of  fuel  flow  in  the  channels.  During  high  flow  demands,  the 
large  delta  pressure  across  the  screens  occurs  near  the  tank  outlet.  This  large  delta  pressure  breaks 
down  the  screen  and  pulls  helium  into  the  lower  compartment.  ( Reference  SODB.  volume  I,  table 
3. 4. 3. 2.) 

E.  FRCS  PROPELLANT  TEMPERATURE  <  40  DEG  (42  DEG)  F  OR  >  100  DEG 
(98  DEG)  F. 

Tank  certification  constraint  (reference  SODB,  volume  I,  table  3. 4. 3. 2). 

F.  PROPELLANT  ACQUISITION  DEVICE  BREAKDOWN. 

Confirmed  evidence  of  propellant  acquisition  device  breakdown  will  be  cause  to  declare  that  RCS  tank 
failed.  Multiple  jet  fail-offs  on  the  same  feed  system  (e.g.,  multiple  LRCS  jet  fail-offs  while  feeding  from 
the  LRCS)  are  the  indication  that  a  breakdown  has  occurred  in  either  the  screens  or  bulkhead  of  the  RCS 
tank.  Helium  ingestion  resulting  from  the  tank  failure  may  be  cleared  using  propellant  from  either  the 
good  RCS  feed  system  or  the  OMS.  The  tank  will  not  be  used  except  as  a  last  resort  du  ring  entry.  Rule 
{A6-305},  AFT  RCS  REDLINES,  references  this  rule. 
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A6-8  RCS  THRUSTER 

AN  RCS  THRUSTER  IS  CONSIDERED  LOST  IF: 

A.  FAILED  ON  -  FIRES  IN  ABSENCE  OF  GPC  "ON"  COMMAND. 

A  thruster  is  “failed-on"  when  it  fires  in  the  absence  of  an  “ON”  command  from  the  GPC.  This  failure 
will  occur  if  the  injector  valve  power  (driver  output)  from  the  RJD  fails  high  or  if  both  the  oxidizer  and 
fuel  thruster  valves  fail  open.  The  failure  is  detected  by  RCS  RM  when  an  RJD  output  discrete  is  present 
with  the  absence  of  the  GPC  jet  command  B  for  three  consecutive  cycles.  The  failure  is  confirmed  on  the 
ground  via  the  analog  chamber  pressure  (Pc)  and/or  vehicle  rates,  and  propellant  consumption. 

The  BFS  fail-on  jet  is  detected  by  RM  when  the  affected  jet  Pc  discrete  is  present  (>  36  psia)  with  no 
GPC  command  B  for  three  consecutive  cycles  and  fuel  manifold  valve  open  discrete  indicates  true. 

B.  FAILED  OFF  -  DOES  NOT  FIRE  IN  PRESENCE  OF  GPC  "ON"  COMMAND. 

A  thruster  is  “failed-ojf”  when  the  jet  does  not  fire  in  the  presence  of  an  “ON”  command  from  the  GPC. 
This  failure  will  occur  when  the  RJD  output  discrete  fails  low  (which  can  be  caused  by  any  of  a  number 
of  upstream  failures)  or  one  of  the  thruster  valves  fails  closed.  The  failu  re  is  detected  by  RCS  RM  when 
the  Pc  discrete  is  zero  (indicating  Pc  <  26  psia  as  sensed  by  the  RJD  electronics )  in  the  presence  of  a 
GPC  command  Bfor  three  consecu  tive  cycles.  The  failure  is  confirmed  on  the  ground  via  analog  Pc, 

RJD  output  discrete,  jet  injector  temperature,  or  vehicle  rates. 

C.  FAILED  LEAK  -  LOSS  OF  PROPELLANT  THROUGH  THRUSTER  VALVE  AS 
CONFIRMED  BY  PRIMARY  OXIDIZER  INJECTOR  TEMPERATURE  <  30  DEG  F 
OR  FUEL  INJECTOR  TEMPERATURE  <  20  DEG  F;  OPS  2  VERNIER 
INJECTOR  TEMPERATURE  (OXIDIZER  OR  FUEL)  <  130  DEG  F. 

A  jet  is  “failed-leak”  if  either  injector  valve  (oxidizer  or  fuel)  fails  to  close  completely  or  if  propellant 
leaks  through  a  deformed  or  damaged  thruster  valve  seal.  Seal  leakage  is  the  most  common  form  of  jet 
leak.  The  failure  is  detected  both  on  the  ground  and  by  RCS  RM  when  either  injector  temperature  falls 
below  RCS  RM  limits  for  three  consecutive  cycles.  The  RM  limits  are  established  as  specified  in  the 
SODB.  The  failure  is  confirmed  on  the  ground  via  the  injector  temperature  signature  or  RCS  quantity 
telemetry.  The  vernier  injector  temperatures  are  assumed  to  track  together;  therefore,  action  will  be 
taken  when  the  first  of  either  fuel  or  oxidizer  is  <  130  deg  F. 

During  entry,  residual  fuel  may  be  held  against  the  injector  on  the  primary  upfiring  jets  by  gravity.  This 
is  why  thefirel  limit  is  lower  than  the  oxidizer  limit.  Vernier  jet  injector  temperature  sensors  are  located 
on  a  large  mass  of  metal  which  acts  as  a  heat  source.  Because  of  the  location,  these  sensors  respond 
more  slowly  to  leaks  than  do  the  primary  jet  sensors.  The  vernier  leak  limit  is  set  to  accommodate  these 
conditions. 
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A6-9  RCS  JET  HEATER 

AN  RCS  JET  HEATER  IS  CONSIDERED  LOST  IF: 

A.  PRIMARY  THRUSTER  -  BOTH  OXIDIZER  AND  FUEL  INJECTOR 
TEMPERATURES  DECREASE  TOGETHER  TO  BELOW  50  DEG  (55  DEG)  F. 

Normal  heater  operations  will  keep  the  jets  above  60  deg  F.  In  the  event  of  a  jet  heater  failure,  the 
colder  temperatures  may  result  in  shrinkage  of  the  injector  valve  seats  causing  jet  leakage.  To  prevent 
seat  shrinkage,  the  jet  should  be  kept  above  50  deg  F;  and  to  prevent  RMfrom  deselecting  the  jet,  the 
temperatures  should  be  kept  above  the  thermal  leak  limit  ( fuel  >  20  deg  F,  oxidizer  >  30  deg  F).  The  jets 
may  be  warmed  by  hot-firing  the  jets  for  at  least  2  seconds  (firing  a  cold  jet  less  than  2  seconds  may 
cause  the  jet  to  leak).  Reference  SODB,  volume  I,  paragraph  3. 4. 3.2. 13. a. 

B.  VERNIER  THRUSTERS: 

1.  INADEQUATE  JET  HEATER  OPERATION  -  THRUSTER  HAS  NOT  BEEN 
FIRED  IN  AT  LEAST  1.5  HOURS  AND  BOTH  OXIDIZER  AND  FUEL 
INJECTOR  TEMPERATURES  DROP  BELOW  130  DEG  F  AND  DECREASE 
FROM  130  DEG  TO  90  DEG  F  AT  A  RATE  OF  LESS  THAN  15  DEG  F 
PER  HOUR  WITH  NO  INCREASE  IN  THE  JET  CHAMBER  PRESSURE. 

2.  HEATER  FAILED  OFF  -  BOTH  OXIDIZER  AND  FUEL  INJECTOR 
TEMPERATURES  DROP  BELOW  130  DEG  F  AND  DECREASE  FROM 
130  DEG  TO  90  DEG  F  AT  A  RATE  OF  LESS  THAN  2  DEG  F  PER 
MINUTE  WITH  NO  INCREASE  IN  THE  JET  CHAMBER  PRESSURE. 

Normal  operating  temperatures  for  vernier  jets  are  above  140  deg  F.  However,  some  attitudes  ( e.  g. , 
gravity  gradient)  which  do  not  require  vernier  jet  firings  may  allow  a  vernier  jet  to  cool  to  below  130  deg 
F,  even  without  a  heater  failure,  because  the  heaters  are  undersized.  For  inadequate  jet  heater  operation 
or  a  failed  vernier  heater,  the  vernier  minimum  injector  temperature  can  be  reduced  from  130  deg  to  90 
deg  F  if  the  conditions  set  forth  in  this  rule  are  met.  Failure  to  meet  these  conditions  indicates  a  vernier 
jet  leak.  Cooler  temperatures  are  less  likely  to  cause  the  verniers  to  leak  than  the  primaries  because  of 
the  conical  valve  seat  design.  The  90  deg  F  coldsoak  limit  will  prevent  seal  shrinkage  which  would  result 
in  propellant  leakage.  It  is  possible  that  a  slow  temperature  decay  rate  is  due  to  a  leak  that  is  contained 
within  the  vernier  thrust  chamber.  If  the  chamber  pressure  increases,  it  is  probable  that  the  vernier  has 
leaked,  the  jet  throat  has  frozen  closed,  and  the  leak  has  continued.  In  this  case,  firing  the  affected 
thruster  may  cause  damage  in  the  pod. 

THIS  RULE  CONTINUED  ON  NEXT  PAGE 
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A6-9  RCS  JET  HEATER  (CONTINUED) 

Vernier  jet  injector  temperatures  less  than  130  deg  F  indicate  either  inadequate  heater  operation,  a 
heater  failure,  or  an  injector  leak.  Inadequate  heater  operation  or  a  heater  failure  will  allow  both  fuel 
and  oxidizer  temperatures  to  decay  together.  Jet  injector  leaks  will  cause  the  injector  temps  to  decay 
much  faster  than  for  a  heater  failure.  Also,  the  leaking  injector  temperature  (oxidizer  or  fuel)  will  decay 
further  than  the  nonleaking  injector  temperature.  However,  an  instrumentation  contact  resistance  may 
cause  false  readings  greater  than  15  deg  F  delta  oxidizer  and  fuel  temperatures  masking  any  5  deg  F  or 
greater  delta  created  by  a  leak.  Therefore,  delta  temperature  cannot  be  used  to  distinguish  leaks  from 
heater  failures.  Reference  Rule  {A6-158},  RCS  LEAKING  JET  MANAGEMENT;  and  SODB,  volume  I, 
paragraph  3. 4. 3. 2. 13.  b. 

A6-10  THROUGH  A6-50  RULES  ARE  RESERVED 
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OMS/RCS  MANAGEMENT 


A6-51  QMS  FAILURE  MANAGEMENT  [CIL] 

(ASSUMES  NOMINAL  MECO) 


FAILURE  MATRIX 

STD 

STD 

STD/DIRECT 

DIRECT 

L/O 

TO 

OMS-1 

OMS-1 

TO 

OMS  -2 

OMS-2 

TO 

DEORBIT 

L/O  TO  OMS-2 

1  OMS  HE  TANK  LEAK 

A 

A 

B 

A 

1  OMS  HE  TANK  FAIL 

C 

D 

E 

C 

2  OMS  HE  TANK  LEAK/FAIL 

F 

G 

H 

F 

1  OMS  HE  LEG  LEAK 

1 

1 

1 

1 

2  OMS  HE  LEG  LEAK 

J 

J 

J 

J 

1  OMS  GN2  TANK  LEAK/FAIL 

K 

K 

K 

K 

2  OMS  GN2  TANK  LEAK/FAIL 

L 

L 

L 

L 

1  OMS  GN2  ACCUMULATOR  LEAK 

M 

M 

M 

M 

2  OMS  GN2  ACCUMULATOR  LEAK 

N 

N 

N 

N 

1  OMS  PROP  TANK  LEAK 

0 

0 

P 

0 

1  OMS  PROP  TANK  FAIL 

0 

0 

0 

0 

2  OMS  PROP  TANK  LEAK/FAIL 

R 

R 

R 

R 

1  OMS  INLET  LINE  LEAK 

S 

S 

T 

S 

2  OMS  INLET  LINE  LEAK 

U 

U 

U 

U 

1  OMS  ENGINE  FAIL 

V 

V 

V 

V 

2  OMS  ENGINE  FAIL 

W 

W 

W 

W 

NOTES: 

[1]  USE  OMS  ENGINE  IN  BLOWDOWN  UNTIL  OMS  CHAMBER  PRESSURE  <  72  PERCENT  ON  ENGINE  BEING  SUPPLIED 
BY  LEAKING  POD,  THEN  SEGP. 

[2]  DELAYED  ATO  OMS-1  WITH  NOMINAL  MECO  DOES  NOT  REQUIRE  OMS-2  BURN. 

[3]  REPRESSURIZE  LEAKING  TANK.  BURN  IF  FUEL  INLET  PRESSURE  >216  PSIA,  OXIDIZER  PRESSURE  >  151  PSIA. 

[4]  ENTER  FIRST  DAY  PLS. 

[5]  ENTER  NEXT  PLS. 

[6]  CUTOFF  AT  MINIMUM  HP  WHICH  REQUIRES  THE  LEAST  TOTAL  DELTA  V  FOR  THE  INSERTION  AND  DEORBIT 
BURNS  AND  ENSURES  ORBITAL  LIFETIME  AT  LEAST  TWO  ORBITS  BEYOND  THE  FIRST  DAY  PLS.  (REF.  ANNEX 
FLIGHT  RULE.  TRAJECTORY  AND  GUIDANCE  PARAMETERS.)  ®[ED  ] 

[7]  IF  TANK  IS  FAILED  PERFORM  ALL  BURNS  SEGP. 


_ OMS  CONFIGURATION _  _ DEORBIT 

TEGP-  TWO  ENGINES  GOOD  POD 

TETP  -  TWO  ENGINES  TWO  PODS  NOMINAL  DEORBIT: 

(NORMAL  CONFIGURATION)  NOMINAL  (STEEP)  TARGETS 

TELP-  TWO  ENGINES  LEAKING  POD 
SETP  -  SINGLE  ENGINE  TWO  PODS 
(CROSSFEED  IN  BURN) 

SESP-  SINGLE  ENGINE  SINGLE  POD 
(MAY  BE  CROSSFEED) 

SELP-  SINGLE  ENGINE  LEAKING  POD 
SEGP  -  SINGLE  ENGINE  GOOD  POD 


THIS  RULE  CONTINUED  ON  NEXT  PAGE 
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A6-51  QMS  FAILURE  MANAGEMENT  [CIL]  (CONTINUED) 

FAILURE  DEFINITION 


OMS  HE  TANK  LEAK/FAIL: 


•  HE  TANK  LEAK  IF  PRESSURE  >  640  PSI  AND  DECREASING  WHEN  NOT 
BURNING. 

•  HE  TANK  FAIL  IF  PRESSURE  <  640  PSI. 

•  FULL  BLOWDOWN  IF  PROPELLANT  TANK  QUANTITY  ?  39  PERCENT. 

MAXIMUM  BLOWDOWN  IF  PROPELLANT  TANK  QUANTITY  APPROXIMATELY 
EQUAL  TO  3  9  PERCENT  (ENGINE  SPECIFIC)  .  @[072398-651 8A] 

•  OMS  PROPELLANT  TANK  LANDING  WEIGHT  CONSTRAINT  IS  EOM  QUANTITY 
APPROXIMATELY  22  PERCENT  PER  POD. 

ACTION  SUMMARY 

A.  ONE  OMS  HE  TANK  LEAK  PRIOR  TO  OMS-2 : 


STD  : 

1.  IF  HE  TANK  LEAK  RATE  WILL  NOT  SUPPORT  OMS-1  TELP  TO  A 

QUANTITY  SUFFICIENT  TO  PROTECT  THE  OMS  PROPELLANT  LANDING 
WEIGHT  CONSTRAINT: 

a.  CONTINUE  PRE-MECO  OMS -ASS I  ST /ATO  OMS  DUMP  SELP . 

b.  PERFORM  PRE-MECO  OMS  DUMP  UNTIL  AFFECTED  POD  MAXIMUM 
BLOWDOWN  OR  HE  TANK  PRESSURE  ?  640  PSI. 

C.  DELAYED  ATO  OMS-1  [2],  TEGP ,  RAISE  ORBIT  WITHIN 
REDLINES . 

d.  IF  NO  OMS  DUMP,  OR  DUMP  NOT  COMPLETED  AND  HE  TANK 
WILL  SUPPORT  OMS-1  TETP ,  PERFORM  NOMINAL  OMS-1  TELP; 
GO  TO  PARAGRAPH  D.  IF  HE  TANK  WILL  NOT  SUPPORT  OMS-1 
TETP,  GO  TO  PARAGRAPH  C.  @[072398-651 8A] 

e.  DEORBIT  TETP  [1]  . 

THIS  RULE  CONTINUED  ON  NEXT  PAGE 
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A6-51  QMS  FAILURE  MANAGEMENT  [CIL]  (CONTINUED) 

2.  IF  HE  TANK  LEAK  RATE  WILL  SUPPORT  OMS-1  TELP  TO  A 
QUANTITY  SUFFICIENT  TO  PROTECT  THE  OMS  PROPELLANT  LANDING 
WEIGHT  CONSTRAINT:  @[072398-651 8A] 

a.  IF  NO  PRE-MECO  ATO  OMS  DUMP  REQUIRED,  NOMINAL  OMS-1 
TELP.  IF  AFFECTED  POD  FULL  BLOWDOWN  ACHIEVED, 

NOMINAL  OMS-2  TEGP ;  OTHERWISE  STEP  3. 

b.  IF  PRE-MECO  ATO  OMS  DUMP  REQUIRED,  CONTINUE  ATO  DUMP 
TELP.  IF  NOT  AT  MAXIMUM  BLOWDOWN  AND  HE  TANK 
PRESSURE  >  640  PSI,  DELAYED  ATO  OMS-1  [2],  TELP; 
OTHERWISE  PERFORM  DELAYED  ATO  OMS-1  [2],  TEGP. 

C.  RAISE  ORBIT  WITHIN  REDLINES . 

3.  IF  HE  TANK  LEAK  RATE  WILL  SUPPORT  OMS-2  TETP ,  PERFORM 
OMS-2  TELP  UNTIL  AFFECTED  POD  MAXIMUM  BLOWDOWN  OR  UNTIL 
HE  TANK  PRESSURE  ?  640  PSI.  OTHERWISE;  IF  RATE  INDICATES 
HE  WILL  NOT  SUPPORT  OMS-2  TETP,  PERFORM  DUMP  POST  OMS-1 
TELP  UNTIL  AFFECTED  POD  MAXIMUM  BLOWDOWN  OR  HE  TANK 
PRESSURE  ?  640  PSI . 

4 .  DEORBIT  TETP  [1]  . 

DIRECT : 

1.  IF  HE  TANK  LEAK  RATE  WILL  SUPPORT  OMS-2  TELP  TO  A 
QUANTITY  SUFFICIENT  TO  PROTECT  THE  LANDING  WEIGHT 
CONSTRAINT : 

a.  CONTINUE  PRE-MECO  OMS-ASSIST/ATO  OMS  DUMP  SELF. 

b.  NOMINAL  OMS-2  TELP  UNTIL  AFFECTED  POD  MAXIMUM 
BLOWDOWN  OR  UNTIL  HE  TANK  PRESSURE?  640  PSI. 

c.  IF  HE  TANK  PRESSURE  >  640  PSI  POST  OMS-2,  PERFORM 
DUMP  TELP  UNTIL  AFFECTED  POD  MAXIMUM  BLOWDOWN  OR  HE 
TANK  PRESSURE  ?  640  PSI. 

d.  CREW  WORKLOAD  PERMITTING,  AN  EARLIER  DUMP  TO  MAXIMUM 
BLOWDOWN  MAY  BE  PERFORMED  TO  OPTIMIZE  DELTA  V 
CAPABILITY.  @[072398-651 8A] 
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2.  IF  HE  TANK  LEAK  RATE  WILL  SUPPORT  POST-MECO  TELP  TO  A 

QUANTITY  SUFFICIENT  TO  PROTECT  THE  OMS  PROPELLANT  TANK 

LANDING  WEIGHT  CONSTRAINT:  @[072398-651 8A] 

a.  CONTINUE  PRE-MECO  OMS-ASSIST/ATO  OMS  DUMP  SELP . 

b.  PERFORM  DUMP  TELP  ASAP  POST-MECO  UNTIL  AFFECTED  POD 
MAXIMUM  BLOWDOWN  OR  HE  TANK  PRESSURE?  640  PSI  . 

c.  OMS-2  TEGP ,  CUTOFF  AT  MINIMUM  HP  [6],  RAISE  ORBIT 
WITHIN  REDLINES . 

d.  CREW  WORKLOAD  PERMITTING,  AN  EARLIER  DUMP  TO  MAXIMUM 
BLOWDOWN  MAY  BE  PERFORMED  TO  OPTIMIZE  DELTA  V 
CAPABILITY. 

3.  IF  HE  TANK  LEAK  RATE  WILL  NOT  SUPPORT  POST-MECO  DUMP  TELP 

TO  A  QUANTITY  SUFFICIENT  TO  PROTECT  THE  OMS  PROPELLANT 

TANK  LANDING  WEIGHT  CONSTRAINT: 

a.  CONTINUE  PRE-MECO  OMS-ASSIST/ATO  OMS  DUMP  SELP. 

b.  PERFORM  PRE-MECO  OMS  DUMP  UNTIL  AFFECTED  POD  MAXIMUM 
BLOWDOWN  OR  HE  TANK  PRESSURE  ?  640  PSI. 

C.  IF  NO  PRE-MECO  OMS  DUMP  OR  DUMP  NOT  COMPLETE  AND  HE 
PRESSURE  >640  PSI,  PERFORM  POST-MECO  DUMP  TELP. 

d.  OMS-2  TEGP,  CUTOFF  AT  MINIMUM  HP  [6],  RAISE  ORBIT 
WITHIN  REDLINES. 

4 .  DEORBIT  TETP  [1] . 

B.  ONE  OMS  HE  TANK  LEAK  AFTER  OMS-2: 

STD/DIRECT : 

1.  CONTINUE  OMS  ACTIVITIES  WITHIN  REDLINES.  USE  OMS 

ACTIVITIES  TO  MAXIMIZE  BLOWDOWN. 

2.  DEORBIT  TETP  [1]  @[072398-651 8A] 
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C.  ONE  OMS  HE  TANK  FAILURE  PRIOR  TO  OMS-1  :  @[072398-651 8A] 

STD  : 

1.  CANCEL  PRE-MECO  CMS-ASSIST/ATO  OMS  DUMP. 

2.  DELAYED  ATO  OMS-1  [2],  TEGP . 

3.  RAISE  ORBIT  WITHIN  REDLINES . 

4.  DEORBIT  TETP  [1] 

DIRECT : 

1.  CANCEL  PRE-MECO  CMS-ASSIST/ATO  OMS  DUMP. 

2.  OMS-2  TEGP,  CUTOFF  AT  MIN  HP  [6]. 

3.  RAISE  ORBIT  WITHIN  REDLINES. 

4 .  DEORBIT  TETP  [1]  . 

D.  ONE  OMS  HE  TANK  FAILURE  BETWEEN  OMS-1  AND  OMS-2: 

STD  : 

1.  OMS-2  TEGP,  CUTOFF  AT  MIN  HP  [6]. 

2.  CONTINUE  OMS  ACTIVITIES  WITHIN  REDLINES. 

3.  DEORBIT  TETP  [1]  . 

E.  ONE  OMS  HE  TANK  FAILURE  POST  OMS-2: 

STD/DIRECT : 

1.  CONTINUE  OMS  ACTIVITIES  WITHIN  REDLINES. 

2.  DEORBIT  TETP  [1].  @[072398-651 8A] 
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F.  TWO  OMS  HE  TANKS  LEAKING/FAILED  PRIOR  TO  OMS-1:  @[072398-651 8A] 

STD  : 

1.  CONTINUE  PRE-MECO  OMS-ASS I ST / ATO  OMS  DUMP  TETP . 

2.  IF  LEAKING  AND  RATES  INDICATE  BOTH  HE  TANKS  WILL  SUPPORT 
OMS-2,  NOMINAL  OMS-1  AND  -2;  OTHERWISE  STEP  3. 

3.  PERFORM  PRE-MECO  OMS  DUMP  TETP  TO  MAXIMUM  BLOWDOWN  OR  HE 
TANK  PRESSURE  ?  640  PSI,  DELAYED  ATO  OMS-1  [2] . 

4.  IF  EITHER  HE  TANK  FAILED  PRIOR  TO  PRE-MECO  OMS  DUMP,  OR 
PREMATURE  OMS  DUMP  TERMINATION  RESULTS  IN  INSUFFICIENT 
DELTA  V  TO  ACHIEVE  ATO  SHALLOW  OR  AOA  STEEP  (OMS+ARCS), 
THEN  TAL/TAL  TO  AN  ACLS .  IF  POST-MECO,  AOA  SHALLOW  IF 
SUFFICIENT  DELTA  V  AVAILABLE  (OMS+RCS) .  IF  INSUFFICIENT 
DELTA  V  AVAILABLE  FOR  AOA  SHALLOW,  TAL  TO  AN/ACLS/ELS . 

5.  IF  AT  OMS-2  TIG: 

?  NEITHER  HE  TANK  PRESSURE  ?  640,  TETP 

?  EITHER  HE  TANK  PRESSURE  ?  640,  SINGLE  ENGINE, 

NON-FAILED  POD 

?  BOTH  HE  TANK  PRESSURE  ?  640,  SESP 

CUT  OFF  AT  HP  ?  MINIMUM  HP.  RAISE  ORBIT  WITHIN  REDLINES , 
DEORBIT  TETP  [1]  IF  AVAILABLE. 

DIRECT : 

1.  CONTINUE  PRE-MECO  OMS-ASS I ST /ATO  OMS  DUMP. 

2 .  PERFORM  PRE-MECO  OMS  DUMP  TETP  TO  MAXIMUM  BLOWDOWN  OR  HE 
TANK  PRESSURE  ?  640  PSI. 

3.  IF  PRE-MECO  DUMP  NOT  COMPLETE  OR  POST-MECO  AND  BOTH  HE 
PRESSURE  >640  PSI,  PERFORM  POST-MECO  DUMP  TETP  TO  MAXIMUM 
BLOWDOWN  OR  HE  TANK  PRESSURE?  640  PSI.  @[072398-651 8A] 
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4.  IF  EITHER  HE  TANK  FAILED  PRIOR  TO  PRE-MECO  OMS  DUMP,  OR 

PREMATURE  OMS  DUMP  TERMINATION  RESULTS  IN  INSUFFICIENT 
DELTA  V  TO  ACHIEVE  ATO  WITH  SHALLOW  OR  AOA  STEEP 
(OMS+ARCS),  THEN  TAL/TAL  TO  AN  ACLS .  IF  POST-MECO,  AOA 
SHALLOW  IF  SUFFICIENT  DELTA  V  AVAILABLE  (OMS+RCS) .  IF 
INSUFFICIENT  DELTA  V  AVAILABLE  FOR  AOA  SHALLOW,  TAL  TO  AN 
ACLS  /ELS  .  @[072398-651 8A] 

5.  IF  AT  OMS-2  TIG: 

?  NEITHER  HE  TANK  PRESSURE  ?  640,  TETP 

?  EITHER  HE  TANK  PRESSURE  ?  640,  SINGLE  ENGINE, 

NON-FAILED  POD 

?  BOTH  HE  TANK  PRESSURE  ?  640,  SESP 

CUT  OFF  AT  HP  ?  MINIMUM  HP.  RAISE  ORBIT  WITHIN  REDLINES , 
DEORBIT  TETP  [1]  IF  AVAILABLE. 

G.  TWO  OMS  HE  TANKS  FAILED  BETWEEN  OMS-1  AND  OMS-2: 


STD  : 

1.  PERFORM  OMS-2  WITHIN  REDLINES  (FRCS,  ARCS,  OR  SELP), 
CUT  OFF  AT  MINIMUM  HP  [6] . 

2.  CONTINUE  ON-ORBIT  ACTIVITIES  WITHIN  REDLINES. 

3.  DEORBIT  TETP  [1]  IF  AVAILABLE. 

H.  TWO  OMS  HE  TANKS  FAILED  POST  OMS-2: 

STD/DIRECT : 

1.  CONTINUE  OMS  ACTIVITIES  WITHIN  REDLINES. 

2.  DEORBIT  TETP  [1].  @[072398-651 8A] 
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FAILURE  DEFINITION 

QMS  HE  LEG  LEAK: 

•  HE  TANK  PRESSURE  DECREASING  WITH  HE  PRESS/VAP  ISOLATION  VALVE 
OPEN  WHILE  NOT  BURNING. 

ACTION  SUMMARY 


I.  ONE  OMS  HE  LEG  LEAK:  @[072398-651 8A] 

STD/DIRECT : 

1.  CONTINUE  OMS-ASSIST/ATO  DUMP  TETP .  PERFORM  OMS-1  TELP 
UNTIL  AFFECTED  POD  MAXIMUM  BLOWDOWN  OR  OMS  HE  TK  P  <  640 
PSI  . 

2.  PERFORM  OMS-2  TELP  UNTIL  AFFECTED  POD  MAXIMUM  BLOWDOWN  OR 
OMS  HE  TK  P  <  640  PSI . 

3.  USE  ON-ORBIT  ACTIVITIES  TO  MAXIMIZE  BLOWDOWN. 

4.  CONTINUE  OMS  ACTIVITIES  WITHIN  REDLINES .  ONLY  BLOWDOWN 
CAPABILITY  IN  AFFECTED  POD  WILL  BE  CONSIDERED  IN  REDLINE 
DETERMINATION. 

5 .  DEORBIT  TETP  [1] . 

J.  TWO  OMS  HE  LEG  LEAKS: 

STD/DIRECT : 

1.  CONTINUE  OMS-ASSIST/ATO  OMS  DUMP  TETP.  PERFORM  OMS-1 
TETP  . 

2.  PERFORM  OMS-2  TETP. 

3.  USE  ON-ORBIT  ACTIVITIES  TO  MAXIMIZE  BLOWDOWN. 

4.  CONTINUE  OMS  ACTIVITIES  WITHIN  REDLINES.  ONLY  BLOWDOWN 
CAPABILITY  WILL  BE  CONSIDERED  IN  REDLINE  DETERMINATION. 

5.  DEORBIT  TETP  [1].  @[072398-651 8A] 
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FAILURE  DEFINITION 


OMS  GN2  TANK  LEAK/FAIL: 


•  GN2  TANK  LEAK  IF  PRESSURE  DECREASING  WHEN  GN?  PRESS  VALVE  NOT 
OPEN.  @[072398-651 8A] 

•  GN2  TANK  FAIL  IF  PRESSURE  <  470  PSI. 

ACTION  SUMMARY 

K.  ONE  OMS  GN2  TANK  LEAK/FAIL: 

STD/DIRECT : 

1.  PERFORM  PRE-MECO  OMS-ASSIST/ATO  OMS  DUMP  SEGP  IF  AFFECTED 
GN2  PRESSURE  <  470  PSI  AT  TIG.  OTHERWISE,  PERFORM  ALL 
PRE-MECO  DUMPS  TETP . 

2.  PERFORM  OMS-1,  OMS-2,  AND  ON-ORBIT  BURNS: 

a.  TETP  IF  AFFECTED  GN2  PRESSURE  >  470  PSI  AT  TIG. 

b.  SESP  (GOOD  ENGINE)  IF  AFFECTED  GN?  PRESSURE  <  470  PSI 
AT  TIG,  CROSSFEED  AS  REQUIRED. 

3.  DEORBIT  TETP. 

L.  TWO  OMS  GN2  TANKS  LEAKING/FAILED: 


STD  : 

1.  CANCEL  PRE-MECO  CMS-ASSIST/ATO  OMS  DUMP  IF  BOTH  TANKS 
FAILED.  FOR  OTHER  PRE-MECO  ABORT  DUMPS,  TETP. 

2.  IF  LEAK  RATE  INDICATES  EITHER  GN2  PRESSURE  >  470  PSI  AT 
TIG,  TREAT  AS  SINGLE  LEAK/FAIL.  (SEE  PARAGRAPH  K.) 

3.  IF  BOTH  GN2  PRESSURES  <  470  PSI  AT  TIG,  PERFORM  DELAYED 
ATO  OMS-1  [2]  SINGLE  ENGINE  (OMS  ENG  -  ARM  POST  IGN) , 
RAISE  ORBIT  WITHIN  REDLINES  .  DEORBIT  TETP  IF  BOTH  GI$ 
REG  PRESSURES  >  299  PSIA,  OTHERWISE  SESP .  @[072398-651 8A] 
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DIRECT : 

1.  CANCEL  PRE-MECO  CMS-ASSIST/ATO  OMS  DUMP  IF  BOTH  TANKS 
FAILED.  FOR  OTHER  PRE-MECO  ABORT  DUMPS,  TE  TP  .  @[072398-651 8A] 

2.  IF  LEAK  RATE  INDICATES  EITHER  GN2  PRESSURE  >  470  PSI  AT 
TIG,  TREAT  AS  SINGLE  LEAK/FAIL.  (SEE  PARAGRAPH  K.) 

3.  IF  BOTH  GN2  PRESSURES  <  470  PSI  AT  TIG,  PERFORM  OMS-2 
SINGLE  ENGINE,  CUT  OFF  AT  MIN  HP  [6]  (OMS  ENG  -  ARM  POST 
IGN) .  RAISE  ORBIT  WITHIN  REDLINES .  DEORBIT  TETP  IF  BOTH 
GN2  REG  PRESSURES  >  299  PSIA,  OTHERWISE  SESP . 

FAILURE  DEFINITION 


OMS  GN2  ACCUMULATOR  LEAK 

•  OMS  GN2  ACCUMULATOR  PRESSURE  DECREASING. 

ACTION  SUMMARY 


M.  ONE  OMS  GN2  ACCUMULATOR  LEAK: 

STD/DIRECT : 

1.  IF  LEAK  RATE  IS  CONFIRMED  TO  BE  ?  14  PSIA/SEC  WITH  ENGINE 
PRESS  VALVE  CLOSED  (?  5  PSIA/SEC  WITH  P  VALVE  OPEN)  AND 
N2  ACCUMULATOR  PRESSURE  ?  260  PSIA  PREBURN  (P  VALVE 
OPEN)  :  ®[ED  ] 

a.  OMS-1  TETP,  OMS-2  SESP  (GOOD  ENGINE),  CROSSFEED  AS 
REQUIRED . 

b.  PERFORM  ON-ORBIT  OMS  BURNS  SESP  (GOOD  ENGINE),  WITHIN 
REDLINES.  @[072398-651 8A] 
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IF  THE  LEAK  RATE  WILL  NOT  SUPPORT  THE  ENTIRE  DEORBIT 
BURN  (PLUS  REPRESS)  SINGLE  (LEAKING)  ENGINE,  OR  IF 
THE  LEAK  RATE  IS  INCREASING,  THEN  THE  ENGINE  IS  NOT  A 
VALID  DEORBIT  MODE  AND  RCS  STEEP  DEORBIT  MUST  BE 
REDLINED  .  @[072398-651 8A] 

THE  LEAKING  ENGINE  MAY  BE  USED  FOR  THE  DEORBIT  BURN 
IF  THE  LEAK  RATE  WILL  SUPPORT  SINGLE  (LEAKING)  ENGINE 
COMPLETION  FROM  AN  HP  ?  SAFE  HP  (IF  THE  GOOD  ENGINE 
FAILS  ABOVE  THIS  HP,  TERMINATE  AND  REPLAN  THE  BURN) . 
OTHERWISE,  DEORBIT  GOOD  ENGINE  WITH  RCS  STEEP  AS  THE 
DOWNMODE . 

2.  IF  LEAK  RATE  IS  UNKNOWN  OR  IS  >  14  PSIA/SEC  WITH  ENGINE 
PRESS  VALVE  CLOSED  (>  5  PSIA/SEC  WITH  P  VALVE  OPEN)  OR 
GN2  ACCUMULATOR  PRESSURE  <  260  PS I A  PREBURN  (P  VALVE 
OPEN)  :  ®[ED  ] 

•  AFFECTED  OMS  ENGINE  IS  CONSIDERED  FAILED  (SEE 
PARAGRAPH  V) . 

N.  TWO  OMS  GN2  ACCUMULATOR  LEAKS  OMS  1/2  AND  DIRECT: 

STD/DIRECT : 

1.  IF  BOTH  LEAK  RATES  ARE  CONFIRMED  TO  BE  ?  14  PSIA/SEC  WITH 
ENGINE  PRESS  VALVE  CLOSED  (?  5  PSIA/SEC  WITH  P  VALVE 
OPEN)  AND  N2  ACCUMULATOR  PRESSURE  ?  260  PSIA  PREBURN  (P 
VALVE  OPEN)  :  ®[ED  ] 

a.  DELAYED  ATO  OMS-1  [2],  TETP . 

b.  RCS  STEEP  DEORBIT  MUST  BE  REDLINED.  PERFORM  ON-ORBIT 
BURNS  RCS.  RAISE  ORBIT  WITHIN  REDLINES . 

C.  A  LEAKING  ENGINE  MAY  BE  USED  FOR  THE  DEORBIT  BURN  IF 
THE  LEAK  RATE  WILL  SUPPORT  SINGLE  ENGINE  COMPLETION 
FROM  AN  HP  ?  SAFE  HP  (IF  AN  ENGINE  FAILS  ABOVE  THIS 
HP,  TERMINATE  AND  REPLAN  THE  BURN) .  OTHERWISE, 
DEORBIT  SINGLE  ENGINE  WITH  RCS  STEEP  AS  THE  DOWNMODE. 
@[072398-651 8A] 
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2.  IF  EITHER  LEAK  RATE  IS  UNKNOWN  OR  IS  >  14  PSIA/SEC 
WITH  ENGINE  PRESS  VALVE  CLOSED  (>  5  PSIA/SEC  WITH  P 
VALVE  OPEN)  OR  GN2  ACCUMULATOR  PRESSURE  <260  PSIA 
PREBURN  (P  VALVE  OPEN)  :  ®[ED  ] 

•  AFFECTED  OMS  ENGINE  IS  CONSIDERED  FAILED  (SEE 
PARAGRAPHS  V  AND  W) . 

FAILURE  DEFINITION 


OMS  PROPELLANT  TANK  LEAK/FAIL: 

•  PROPELLANT  TANK  LEAK  IF  FUEL  INLET  PRESSURE  ?  216, 

OXIDIZER  INLET  PRESSURE  ?  151  AND  DECREASING. 

•  PROPELLANT  TANK  FAILED  IF  FUEL  INLET  PRESSURE  <  216 

OXIDIZER  INLET  PRESSURE  <  151  AND  NOT  REPRESSIBLE,  OR 

QUANTITY  ?  3  PERCENT,  OR  BLOCKAGE,  OR  CONTAMINATION. 

ACTION  SUMMARY 

0.  ONE  OMS  PROPELLANT  TANK  LEAK/FAIL  PRIOR  TO  END  OF  OMS-2 

[CIL]  :  @[072398-651 8A] 

STD  [7]  : 

1.  CONTINUE  PRE-MECO  OMS  ASSIST/ATO  OMS  DUMP  SELP .  IF  TANK 
FAILED,  CANCEL/DUMP. 

2.  DELAYED  ATO  OMS-1  TETP  [2] [3].  POST  DELAYED  ATO  OMS-1, 
PERFORM  DUMP  SELP  TO  DEPLETION.  USE  FRCS  TO  RAISE  HP  IF 
REQUIRED  TO  INCREASE  ORBITAL  LIFETIME  FOR  PROPELLANT 
SUBLIMATION.  DEORBIT  [4]  MIXED  CROSSFEED.  OTHERWISE  IF 
INSUFFICIENT  PROPELLANT  FOR  ATO,  PERFORM  AOA  SHALLOW  OMS- 
1,  -2  . 

3.  IF  AFTER  OMS-1,  CUTOFF  OMS-2  AT  MIN  HP  [6],  TETP  [3] 
PERFORM  DUMP  SELP  [3]  TO  DEPLETION. 

4.  DEORBIT  [4]  SEGP  WITH  MIXED  CROSSFEED  IF  REQUIRED  AND 
AVAILABLE.  @[072398-651 8A] 
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DIRECT  [7] : 

1.  CONTINUE  PRE-MECO  OMS  ASSIST/ATO  OMS  DUMP  SELP .  IF  TANK 
FAILED,  CANCEL  DUMP.  @[072398-651 8A] 

2.  POST-MECO,  PERFORM  DUMP  SELP  [3]  TO  DEPLETION. 

3.  OMS-2  SEGP ,  CUT  OFF  AT  MIN  HP  [6] . 

4.  DEORBIT  [4]  MIXED  CROSSFEED  IF  REQUIRED  AND  AVAILABLE. 

P.  ONE  OMS  PROPELLANT  TANK  LEAK  POST-OMS-2 : 

STD/DIRECT : 

1.  CANCEL  ON-ORBIT  BURNS. 

2.  PERFORM  OMS  BURN  TO  DEPLETION  AT  NEXT  OPPORTUNITY,  SELP 
[3],  IN  ACCORDANCE  WITH  RULE  {A4-104},  OMS  LEAK/PERIGEE 
ADJUST . 

3.  DEORBIT  [4]  SEGP. 

Q.  ONE  OMS  PROPELLANT  TANK  FAIL  POST  OMS-2  [CIL] : 

STD/DIRECT  : 

1.  DURING  DEORBIT,  CUTOFF  BURN  IF  HP  ?  PROPELLANT  FAIL  HP. 

2.  DEORBIT  [5],  SEGP  WITH  MIXED  CROSSFEED  IF  REQUIRED  AND 
AVAILABLE.  @[072398-651 8A] 
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R.  TWO  OMS  PROPELLANT  TANKS  LEAKING/FAILED  [3]  :  @[072398-651 8A] 


STD  : 

1.  SAME  SIDE,  TREAT  AS  SINGLE  LEAK/FAIL  (SEE  PARAGRAPHS  0, 

P,  AND  Q)  . 

2.  DIFFERENT  SIDES: 

a.  TAL  IF  PRIOR  TO  LAST  TAL  BOUNDARY.  AFTER  TAL 
BOUNDARY  AND  PRE-MECO,  TAL  TO  AN  ACLS  .] 

b.  IF  POST-MECO,  OPTIMUM  AOA  OMS-1,  AOA  OMS-2  [3]  (MIXED 
CROSSFEED  IF  AVAILABLE;  COMPLETE  WITH  RCS  IF 
NECESSARY) . 

DIRECT : 

1.  SAME  SIDE,  TREAT  AS  SINGLE  LEAK/FAIL  (SEE  PARAGRAPHS  0, 

P,  AND  Q)  . 

2.  DIFFERENT  SIDES: 

a.  TAL  IF  PRIOR  TO  LAST  TAL  BOUNDARY;  AFTER  TAL  BOUNDARY 
AND  PRE-MECO,  TAL  TO  AN  ACLS.  @[072398-651 8A] 

b.  IF  POST-MECO,  AOA  OMS-2  (MIXED  CROSSFEED  IF 
AVAILABLE;  COMPLETE  WITH  RCS  IF  NECESSARY) . 
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FAILURE  DEFINITION 


OMS  INLET  LINE  LEAK: 


INLET  LINE  LEAK  IF  INLET  PRESSURE  DECREASING  OR  ZERO  WITH  TANK 
ISOLATION  AND  CROSSFEED  VALVES  CLOSED  (SYSTEM  SECURE  IS  ASSUMED) . 
@[072398-651 8A] 


ACTION  SUMMARY 

S.  ONE  OMS  INLET  LINE  LEAK  PRIOR  TO  OMS-2 : 


STD  : 

1.  SECURE  POST-MECO. 

2.  DELAYED  ATO  OMS-1  TETP  [2] [3].  POST  DELAYED  ATO  OMS-1, 
SECURE.  USE  FRCS  TO  RAISE  ORBIT  IF  REQUIRED  TO  INCREASE 
ORBITAL  LIFETIME  FOR  PROPELLANT  SUBLIMATION.  PERFORM 
DUMP  SELP  [3]  IF  REQUIRED  TO  SATISFY  CG  ENVELOPE  OR  OMS 
TANK  LANDING  WEIGHT  CONSTRAINT.  DEORBIT  [4]  MIXED 
CROSSFEED  IF  REQUIRED  AND  AVAILABLE. 

3.  IF  AFTER  OMS-1,  CMS-2  SEGP  CUTOFF  AT  MIN  HP  [6].  PERFORM 
DUMP  SELP  [3]  IF  REQUIRED  TO  SATISFY  CG  ENVELOPE  OR  OMS 
TANK  LANDING  WEIGHT  CONSTRAINT. 

4.  DEORBIT  [4]  SEGP  WITH  MIXED  CROSSFEED  IF  REQUIRED  AND 
AVAILABLE . 

DIRECT : 

1.  SECURE  POST-MECO. 

2.  OMS-2  SEGP,  CUT  OFF  AT  MIN  HP  [6]. 

3.  POST  OMS-2,  PERFORM  DUMP  SELP  [3]  IF  REQUIRED  TO 
SATISFY  CG  ENVELOPE  OR  OMS  TANK  LANDING  WEIGHT 
CONSTRAINT . 

4.  DEORBIT  [4]  SEGP  WITH  MIXED  CROSSFEED  IF  REQUIRED  AND 
AVAILABLE.  @[072398-651 8A] 
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T.  ONE  OMS  INLET  LINE  LEAK  POST  OMS-2  :  @[072398-651 8A] 

STD/DIRECT : 

1.  PERFORM  PERIGEE  ADJUST  BURN  SELP  [3].  IF  PROPELLANT 
REMAINS  POST  PERIGEE  ADJUST  BURN,  PERFORM  DUMP  SELP  [3] 
IF  REQUIRED  TO  SATISFY  CG  ENVELOPE  OR  OMS  TANK  LANDING 
WEIGHT  CONSTRAINT  (REF.  RULE  {A6-203},  OMS  LEAKING  INLET 
LINE  PERIGEE  ADJUST  BURN) . 

2.  DEORBIT  [5]  SEGP  WITH  MIXED  CROSSFEED  IF  REQUIRED  AND 
AVAILABLE . 

U.  TWO  OMS  INLET  LINES  LEAKING: 


STD  : 

1.  SAME  SIDE,  TREAT  AS  SINGLE  LEAK  (SEE  PARAGRAPHS  S  AND 
T)  EXCEPT  PERFORM  UPHILL  BURN  SEGP.  DO  NOT  REPRESS. 
@[072398-651 8A] 

2.  DIFFERENT  SIDES,  SAME  PROPELLANT: 

a.  IF  PRE-MECO,  SAME  AS  TWO  TANK  LEAKS  (SEE  PARAGRAPH  R) 

b.  IF  POST-MECO,  OPTIMUM  AOA  OMS-1  TETP  [3] .  AOA  OMS-2 
TETP  [3]  (COMPLETE  WITH  RCS  IF  NECESSARY) . 

3.  DIFFERENT  SIDES,  DIFFERENT  PROPELLANTS: 

a.  IF  PRE-MECO,  SAME  AS  TWO  TANK  LEAKS  (SEE  PARAGRAPH  R) 

b.  IF  POST-MECO,  DELAYED  ATO  OMS-1  TETP  [2]  [3] .  POST 

DELAYED  ATO  OMS-1,  SECURE.  USE  FRCS  TO  RAISE  ORBIT 
IF  REQUIRED  TO  INCREASE  ORBITAL  LIFETIME  FOR 
PROPELLANT  SUBLIMATION.  DEORBIT  [4]  MIXED  CROSSFEED 
4+X  (COMPLETE  WITH  RCS  IF  NECESSARY) . 
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DIRECT : 

1.  SAME  SIDE,  TREAT  AS  SINGLE  LEAK  (SEE  PARAGRAPHS  S  AND 
T)  EXCEPT  PERFORM  UPHILL  BURNS  SEGP .  DO  NOT  REPRESS. 
@[072398-651 8A] 

2.  DIFFERENT  SIDES,  SAME  PROPELLANT: 

a.  IF  PRE-MECO,  SAME  AS  TWO  TANK  LEAKS  (SEE  PARAGRAPH  R) 

b.  IF  POST-MECO,  SECURE.  AOA  OMS-2  TETP  [3]  (COMPLETE 
WITH  RCS  IF  NECESSARY) . 

3.  DIFFERENT  SIDES,  DIFFERENT  PROPELLANT: 

a.  IF  PRE-MECO,  SAME  AS  TWO  TANK  LEAKS  (SEE  PARAGRAPH  R) 

b.  IF  POST-MECO,  SECURE.  OMS-2  TETP  [3]  CUTOFF  AT  MIN 
HP  [6] .  DEORBIT  [4]  MIXED  CROSSFEED  4+X  (COMPLETE 
WITH  RCS  IF  NECESSARY) . 
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FAILURE  DEFINITION 

QMS  ENGINE  FAIL: 

ACTION  SUMMARY 

V.  ONE  OMS  ENGINE  FAILURE:  @[072398-651 8A] 

STD/DIRECT : 

1.  PERFORM  OMS-1  SESP,  CROSSFEED  AS  REQUIRED. 

2.  PERFORM  OMS-2  AND  ON-ORBIT  OMS  BURNS  WITHIN  REDLINES  (RCS 
STEEP  DEORBIT  MUST  BE  REDLINED) . 

W.  TWO  OMS  ENGINES  FAILED:  @[072398-651 8A] 

STD  : 

1.  USE  OMS  INTERCONNECT  TO  RCS  +X  JETS. 

2.  IF  PRIOR  TO  OMS-1,  PERFORM  DELAYED  ATO  OMS-1,  [2];  IF 
BETWEEN  OMS-1  AND  OMS-2,  CUT  OFF  OMS-2  AT  MIN  HP  [6] . 

3 .  DEORBIT  [4] . 

DIRECT : 

1.  USE  OMS  INTERCONNECT  TO  RCS  +X  JETS. 

2.  IF  PRIOR  TO  OMS-2,  CUT  OFF  OMS-2  AT  MIN  HP  [6]. 

3 .  DEORBIT  [4 ] . 
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QMS  He  TANK  LEAK/FAIL  @[072398-651 8A] 

A.  ONE  OMS  HELIUM  TANK  LEAK  PRIOR  TO  OMS-2: 

STD: 

Since  pre-MECO  ATO  dumps  may  be  required  for  ascent  performance  ( i.  e. ,  to  avoid  TAL),  the  dump  will 
be  con  tin  ued  whenever  possible. 

If  the  leak  rate  cannot  support  OMS-1  TELP  to  a  quan  tity  sufficien  t  to  protect  the  OMS  propellan  t 
landing  weight  constraint  (EOM  quantity  <  22  percen  t  per  OMS  tank),  a  pre-MECO  OMS  clump  to 
maximum  blowdown  will  be  performed. 

Utilizing  the  clump  software  to  increase  the  OMS  blowdown  available  prior  to  helium  tank  failure  results 
in  the  capability  to  achieve  cm  ATO  orbit  with  steep  deorbit  and  nominal  CG  ’s  versus  cm  ATO  orbit  with 
shallow  deorbit  and  1.9  Y  CG  using  forward  RCS  and  aft  RCS  propellan  t  to  quantity-1  supplement  (no 
dump  and  He  tank  fails  pre-OMS-I).  Mission  Control  Center  (MCC)  is  prime  to  recommend  the  pre- 
MECO  dump  based  on  a  leak  rate  evaluation  and  time  to  MECO. 

If  no  pre-MECO  dump  is  performed  or  the  dump  is  terminated  early  and  the  affected  He  tank  can 
support  nominal  OMS-1  TETP,  then  nominal  OMS-1  will  be  performed,  TELP,  in  order  to  maximize 
blowdown  available  prior  to  He  tank  fail.  The  OMS  BURN  MONITOR  cue  card,  He  P  LOW  will  be 
utilized  by  the  crew  for  the  burn.  Since  not  enough  time  is  available  to  reconfigure  TELP  prior  to 
ignition,  the  burn  will  be  initiated  TETP,  then  reconfigured  to  a  TELP  burn.  The  burn  will  be  continued 
TELP  until  He  tank  fail  or  maximum  blowdown.  At  that  time,  the  crew  will  reconfigure  to  TEGP  for  the 
remainder  of  the  burn.  If  no  pre-MECO  dump  to  maximum  blowdown  is  performed  or  the  dump  is 
terminated  early  and  the  affected  He  tank  cannot  support  OMS-1,  go  to  single  He  tank  fail  prior  to  OMS- 
1.  An  ATO  orbit  can  still  be  achieved.  @[072398-651 8A] 

If  the  leak  rate  indicates  the  helium  tank  will  support  nominal  OMS-1  TELP  to  a  quantity  sufficien  t  to 
protect  the  OMS  propellant  tank  landing  weight  constraint  (22  percent),  OMS-1  will  be  performed  TELP 
until  He  tank  fail  or  until  maximum  blowdown  has  been  achieved.  If  maximum  blowdown  is  achieved,  no 
additional  OMS  propellant  is  trapped  onboard,  and  therefore  allows  the  EOM  quantity  <  22  percent.  If 
the  amoun  t  of  He  required  to  support  OMS-1  TELP  to  a  quantity  sufficien  t  to  protect  the  landing  weight 
constraint  is  less  than  the  amount  of  He  required  for  the  entire  OMS-1  TELP,  protecting  the  landing 
weight  constraint  rather  than  the  entire  OMS-1  TELP  increases  the  chances  of  allowing  nominal  OMS-1 
to  be  performed,  and  decreases  the  requirement  for  the  pre-MECO  dump  to  maximum  blowdown. 
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Using  the  leaking  He  tank  for  OMS-1  rather  than  dumping  pre-MECO  has  two  advantages: 

a.  No  pre-MECO  crew  actions  required. 

b.  Using  the  delta  V for  OMS-1  rather  than  dumping  pre-MECO  results  in  a  net  gain  of  delta  V. 

In  the  case  where  the  He  required  to  support  OMS-1  TELP  to  a  quantity  sufficient  to  protect  the  landing 
weight  constraint  is  more  than  the  amount  of  He  required  for  the  entire  OMS-1  TELP.  the  landing  weight 
must  still  be  protected. 

If  full  blowdown  has  been  achieved  post-OMS-1,  OMS-2  will  be  performed  TEGP.  If  not  in  full 
blowdown  post-OMS-1  and  the  leak  rate  indicates  the  tank  will  support  OMS-2  TETP.  the  burn  will  be 
performed  TELP.  The  OMS  BURN  MONITOR  cue  card  He  P  LOW  will  be  utilized  by  the  crew  for  the 
burn.  The  burn  will  be  initiated  TELP  until  He  tank  fail  or  maximum  blowdown  is  achieved.  At  that 
time,  the  crew  will  reconfigure  to  TEGP  for  the  remainder  of  the  burn.  If  the  leak  rate  will  not  support 
OMS-2  TETP,  a  dump  will  be  performed  TELP  ASAP  post-OMS-1.  Again,  the  dump  will  be  continued 
until  He  tank  fail  or  maximum  blowdown  is  achieved.  @[072398-651 8A] 

If  a  pre-MECO  ATO  dump  is  required  and  the  leak  rate  will  support  nominal  OMS-1  TELP  to  a  quantity 
sufficient  to  support  the  landing  weight  constraint  (22  percent),  the  ATO  dump  should  be  performed. 
Since  ATO  targets  will  be  used,  a  dump  TELP  to  maximum  blowdown  or  He  tank  fail  will  be  performed 
ASAP  post-MECO. 

DIRECT 

If  performing  a  pre-MECO  OMS  cissist/ATO  dump  will  increase  available  blowdown,  the  dump  will  be 
con  tinued  whenever  possible. 

If  the  leak  rate  indicates  the  He  tank  will  support  nominal  OMS-2  TELP  to  a  quantity  sufficient  to  protect 
the  OMS  tank  landing  weight  constraint  (22  percent),  perform  nominal  OMS-2  TELP  until  affected  pod 
maximum  blowdown  or  He  tank  fail.  If  the  He  tank  is  not  failed  and  the  pod  is  not  in  full  blowdown  post- 
OMS-2,  a  dump  will  be  performed  postburn  in  order  to  maximize  blowdown  in  the  affected  pod.  If 
performing  an  earlier  pre-  or  post-MECO  dump  will  result  in  a  net  increase  in  delta  V  available  for  the 
mission,  then  consideration  may  be  given  to  doing  so,  crew  workload  permitting.  It  is  possible  a  nominal 
mission  can  be  achieved  without  violating  Y  CG  limits  or  landing  weight  constraints.  @[072398-651 8A] 
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If  the  leak  rate  cannot  support  OMS-2  TELP,  however,  a  dump  must  be  performed  in  order  to  maximize 
blowdown  prior  to  He  tank  fail.  If  the  leak  rate  will  support  a  post-MECO  dump  TELP  to  a  quantity 
sufficient  to  protect  the  OMS  landing  weight  constraint  (22  percent),  perform  same  until  He  tank  fail  or 
maximum  blowdown  is  achieved.  A  “post-MECO  dump  ”  implies  the  leak  rate  should  support  a  dump  to 
at  least  49  percent  at  MET  15:00  minutes.  49  percent  remaining  provides  enough  ullage  in  the  tank  to 
use  the  tank  in  blowdown  mode  to  22  percent.  49  percent  applies  to  engine  no.  106  only.  The  quantity 
is,  of  course,  engine  specific  and  may  vary  ±  2  percen  t.  The  leak  rate  is  extrapolated  to  MET  15:00 
minutes.  Fifteen  minutes  was  chosen  in  order  to  provide  the  crew  sufficient  time  to  set  up  and  complete 
the  dump.  The  dump  should  be  started  ASAP  post-MECO  and  should  continue  until  He  tank  fail  or 
maximum  blowdown  is  achieved.  Dumping  post-MECO  is  generally  preferred  because  it  precludes  any 
pre-MECO  crew  action.  Still,  if  performing  the  dump  pre-MECO  will  result  in  a  net  increase  in  delta  V 
available,  and  if  crew  workload  permits,  consideration  may  be  given  to  doing  so.  @[072398-651 8A] 

Cutoff  at  minimum  Hp  which  requires  the  least  total  delta  V for  the  insertion  and  deorbit  burns  and 
ensures  orbital  lifetime  at  least  two  orbits  beyond  the  first  day  PLS. 

( Ref.  Annex  Flight  Rule,  TRAJECTORY  AND  GUIDANCE  PARAMETERS. )  ®[ED  ] 

If  the  leak  rate  will  not  support  a  post-MECO  dump  TELP  to  a  quantity  sufficien  t  to  protect  the  OMS 
tank  landing  weight  constraint,  a  pre-MECO  dump  to  maximum  blowdown  should  performed.  For  this 
case,  the  pre-MECO  clump  increases  the  OMS  blowdown  capability  prior  to  He  tank  fail,  thus  resulting 
in  a  net  increase  in  delta  V  available. 

B.  ONE  OMS  HELIUM  TANK  LEAK  POST-OMS-2: 

STD/DIRECT: 

Full  blowdown  may  exist  post  OMS-2.  If  full  blowdown  does  not  exist,  nominal  orbit  activities  and/or  an 
OMS  burn  may  be  used  to  maximize  blowdown  (ref.  Rule  (A6-201),  OMS/RCS  LEAKING  HE  TANK 
BURN). 

C.  ONE  OMS  HELIUM  TANK  FAIL  URE  PRIOR  TO  OMS-1: 

STD: 

If  a  He  tank  fail  occurs  prior  to  OMS-1,  only  blowdown  delta  V  is  available  in  that  system  (approximately 
15  fpsfor  a  full  OMS  load).  Pre-flight  analysis,  based  on  OMS  load  and  mass  properties,  determines  the 
resulting  abort  mode  capability  on  a  flight  specific  basis. 

If  a  pre-MECO  OMS  assist  or  ATO  dump  is  required,  the  dump  will  be  terminated  in  order  to  prevent 
exceeding  the  Y  CG  limit.  @[072398-651 8A] 
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DIRECT:  @[072398-651 8A] 

If  an  OMS  assist  or  AT O  OMS  dump  is  required  and  an  OMS  He  tank  failure  has  occurred,  the  OMS 
assist  or  AT O  OMS  dump  must  be  terminated.  If  the  dump  is  completed,  the  Y  CG  will  considerably 
exceed  the  limit. 

If  a  He  tank  fail  occurs  prior  to  OMS-2,  blowdown  delta  V  is  available  in  that  system  (approximately 
15  fps  for  a  full  OMS  load).  Pre-flight  analysis,  based  on  OMS  load  and  mass  properties,  determines 
the  resulting  abort  mode  capability  on  a  flight  specific  basis. 

D.  ONE  OMS  HELIUM  TANK  FAIL  URE  BETWEEN  OMS-1  AND  OMS-2. 

OMS-2  is  cut  off  at  minimum  Hp  in  order  to  assess  available  delta  V  to  achieve  steep  deorbit  and  cm 
acceptable  orbit  altitude. 

E.  ONE  OMS  HELIUM  TANK  FAILURE  POST-OMS-2: 

STD/DIRECT: 

Full  blowdown  may  exist  post-OMS-2.  OMS  redlines  must  be  assessed  to  determine  whether  all  orbit 
activities  can  be  accomplished. 

F.  TWO  OMS  HELIUM  TANKS  LEAKING/FAILED  PRIOR  TO  OMS-1: 

STD: 

If  both  He  leak  rates  will  support  OMS-1  and  OMS-2,  nominal  OMS-1,  -2  will  be  performed  TETP 

If  both  He  tanks  will  not  support  OMS-1  and  OMS-1,  2,  the  abort  dump  software  will  be  utilized  to 
increase  the  OMS  blowdown  prior  to  He  tank  fail.  MCC  is  prime  to  recommend  the  pre-MECO  dump 
based  on  cm  evaluation  of  both  the  leak  rate  and  time  to  MECO.  Performing  the  pre-MECO  dump  may 
result  in  the  capability  to  achieve  an  ATO  orbit  with  steep  deorbit  and  nominal  CG  ’s  versus  aborting 
pre-MECO.  @[072398-651 8A] 
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If  either  He  tank  fails  or  a  partial  dump  is  performed,  insufficient  delta  V  may  exist  to  achieve  an  ATO 
shallow  or  AO  A  steep.  In  this  case,  an  abort  will  be  performed  according  to  the  abort  priorities 
(reference  Rule  (A2-52A},  ASCENT  MODE  PRIORITIES  FOR  PERFORMANCE  CASES)  TAL,  if  prior 
to  last  TAL  boundary.  After  TAL  boundary,  TAL  to  cmACLS.  If  failures  occur  post-MECO,  utilize 
optimum  AO  A  shallow  targets  ( minimum  delta  V  requirement)  if  sufficient  OMS  blowdown  plus  ARCS  to 
the  PRESS  QTY  is  available.  If  sufficien  t  delta  V  is  not  available,  a  TAL  to  an  ACLS/ELS  is  required. 
@[072398-651 8A] 

DIRECT: 

If  pre-MECO  OMS  dump  is  required,  continue  dump  TETP.  For  OMS  assist/ATO  dumps,  when  at 
maximum  blowdown  or  He  tank  pressure  <  640  psi,  reconfigure  dump  to  SEGP  until  remaining  system  at 
maximum  blowdown  or  He  tank  pressure  <  640  psi. 

If  both  OMS  He  tanks  are  leaking,  the  abort  dump  software  will  be  utilized  to  increase  the  OMS 
blowdown  prior  to  He  tank  fail.  MCC  is  prime  to  recommend  the  pre-MECO  dump  based  on  cm 
evaluation  of  both  the  leak  rate  and  time  to  MECO.  Performing  the  pre-MECO  dump  may  result  in  the 
capability  to  achieve  an  ATO  orbit  with  steep  deorbit  and  nominal  CG’s  versus  aborting  pre-MECO. 

If  either  He  tank  fails  or  a  partied  dump  is  performed,  insufficient  delta  V  may  exist  to  achieve  an  ATO 
shallow  or  AO  A  steep.  In  this  case,  an  abort  will  be  performed  according  to  the  abort  priorities 
(reference  Rule  { A2-52A },  ASCENT  MODE  PRIORITIES  FOR  PERFORMANCE  CASES).  TAL,  if  prior 
to  last  TAL  boundary.  After  TAL  boundary  and  pre-MECO,  TAL  to  cm  ALCS.  Post-MECO,  AOA- 
shallow  will  be  performed  if  sufficient  delta  V  is  available.  OMS  blowdown  delta  V  with  aft  RCS 
supplement  to  AFT  PRESS  QTY  will  be  used.  If  insufficient  delta  V  is  available  for  an  AO  A  shallow,  a 
TAL  to  cm  ACLS/ELS  must  be  performed. 

If  uphill  capability  available  (due  to  OMS  load  or  pre-MECO  dump)  and  either  He  tank  pressure  will  be 
<  640  psi  post-OMS-2,  perform  OMS-2  SESP.  This  will  preserve  the  remaining  system  for  deorbit. 
Determination  of  which  system  to  use  for  OMS-2  is  situation  dependen  t.  In  general,  if  one  He  system 
will  support  through  OMS-2,  that  system  should  be  used.  This  will  preserve  the  engine  for  a  second  start 
without  violating  OMS  engine  start  box  constraints  (refSODB  Vol  III,  Para.  4.3.3.14).  Target 
consideration  for  OMS-2  should  include  post-burn  start  box,  eg  and  tank  landing  weight  constraints. 

If  both  He  leak  rates  will  support  OMS-2,  nominal  OMS-2  will  be  performed  TETP.  Note:  Nominally, 
maximum  blowdown  will  not  exist  post-OMS-2,  thus  an  additional  dump  may  be  required  post-OMS  2. 
@[072398-651 8A] 
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A6-51  QMS  FAILURE  MANAGEMENT  [CIL]  (CONTINUED) 

G.  TWO  OMS  HELIUM  TANKS  FAILED  BETWEEN  OMS-1  AND  OMS-2:  @[072398-651 8A] 

STD: 

Insufficient  delta  V  exists  to  continue  nominal  ascent.  Enough  delta  V  may  exist  in  the  OMS  pods 
supplemen  ted  with  RCS  to  deorbit  steep  from  minimum  Hp.  If  steep  targets  cannot  be  met,  shallow 
deorbit  will  be  performed.  Rationale  in  paragraph  F  also  applies  to  this  scenario. 

H.  TWO  OMS  HELIUM  TANKS  FAILED  POST-OMS-2: 

STD/DIRECT: 

If  maximum  blowdown  exists  post-OMS-2,  some  portion  of  the  mission  may  be  supported.  If  maximum 
blowdown  does  not  exist,  shallow  deorbit  may  be  required  with  RCS  supplement.  OMS  redlines  must  be 
assessed  to  determine  whether  orbit  activities  can  be  accomplished. 

OMS  HELIUM  LEG  LEAK 

I.  ONE  OMS  HELIUM  LEG  LEAK: 

STD/DIRECT: 

The  inten  t  of  this  rule  is  to  maximize  the  blowdown  available  in  the  affected  system  with  as  few  represses 
as  possible.  Each  time  the  helium  isolation  valves  are  opened  to  repress  the  leaking  leg,  there  is  a 
possibility  that  the  sudden  increase  in  pressure  in  that  leg  will  completely  fracture  the  helium  line, 
causing  total  loss  of  that  helium  tank.  After  OMS-1  and/or  -2,  the  affected  system  should  be  at  or  below 
maximum  blowdown.  If  the  leak  occurs  on  orbit,  orbit  activities  would  be  used  to  bring  the  remaining 
propellant  quantity  down  to  maximum  blowdown.  However,  if  interconnect  operations  are  used  towards 
this  end,  only  that  blowdown  capability  predicted  to  be  available  at  the  next  PLS  TIG  can  be  included  in 
the  planning  for  that  deorbit.  This  is  to  avoid  relying  on  a  repressurization  from  the  leaking  helium  leg 
to  meet  the  deorbit  redlines. 

J.  TWO  OMS  HELIUM  LEG  LEAKS:  @[072398-651 8A] 

Same  as  single  leak  rationale. 
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A6-51  QMS  FAILURE  MANAGEMENT  [CIL]  (CONTINUED) 

QMS  GN2  TANK  -LEAK/FAIL  @[072398-651 8A] 

K.  ONE  OMS  GN2  TANK  LEAK/FAIL: 

STD/DIRECT: 

Av  long  as  the  GN2  tank  can  support  an  engine  burn  without  affecting  the  accumulator  pressure  and 
subsequent  one  start  capability,  the  affected  OMS  engine  is  available.  GN2  tank  failures  do  not  impact 
abort  dumps  since  only  one  start  is  required  for  the  OMS  dump.  If  the  GN2  tank  has  failed,  the  OMS 
assist  or  AT O  dump  should  be  performed  SEGP  to  save  the  last  start  for  OMS  or  deorbit. 

L.  TWO  OMS  GN2  TANK  LEAKING/FAILED: 

STD/DIRECT: 

GN2  tank  failures  do  not  impact  abort  dumps  since  only  one  start  is  required  for  the  OMS  dump.  An  OMS 
assist  or  ATO  dump  is  canceled  to  reserve  the  OMS  starts  for  OMS-1  and  deorbit.  @[072398-651 8A] 

A.v  long  as  the  GN2  tank  can  support  an  engine  burn  without  affecting  the  accumulator  pressure  and 
subsequen  t  one  start  capability,  the  affected  OMS  engin  e  is  available.  If  both  OMS  GN2  tanks  are  failed 
prior  to  the  scheduled  burn,  use  one  of  the  remaining  OMS  starts  for  OMS-1  and  save  the  other  start  for 
the  deorbit  burn.  After  a  safe  orbit  has  been  achieved,  a  tail-Sun  attitude  may  be  selected  to  warm  up  the 
OMS  accumulator  in  an  attempt  to  gain  another  OMS  start  (N2  REG  P  >  299  is  sufficient  N2  to  operate 
engine  ball  valves). 

Previous  rules  specified  performing  OMS-1  4+Xfor  this  case.  The  rule  was  changed  to  perform  OMS-1 
using  one  of  the  two  remaining  starts  for  the  following  reasons: 

a.  Provides  redundancy  (downmode  from  OMS  to  4+X).  If  burn  initially  performed  4+X  and  a  +X 
jet  failure  occu  rs,  the  remaining  jets  may  not  have  the  capability  to  perform  uphill  OMS-1  due  to 
lack  of  thrust. 

b.  Depending  on  the  OMS-1  delta  V,  4+X  thrust  may  be  insufficient  to  accomplish  the  burn  ( large 
underspeed  cases). 

c.  Saves  propellant. 

d.  Have  the  capability  to  change  attitude  while  on  orbit  to  warm  up  OMS  GN2  accumulator  and 
increase  the  pressure  to  greater  than  299  psi  (299  allows  one  additional  start). 
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A6-51  QMS  FAILURE  MANAGEMENT  [CIL]  (CONTINUED) 

QMS  GN2  ACCUMULATOR  LEAK  @[072398-651 8A] 

M.  ONE  OMS  GN2  ACCUMULATOR  LEAK: 

STD/DIRECT: 

WSTF  testing  has  shown  that,  if  a  GN2  leak  occurs  through  the  purge  valves  at  a  rate  of?  14  psia/sec 
with  the  engine  press  valve  closed  (?  5  psia/sec  with  P  valve  open),  sufficient  cooling  will  be  provided  to 
the  affected  OMS  engine  and  chamber  wall  burn  through  will  not  occur.  Av  a  result,  the  affected  OMS 
engine  can  be  used,  but  only  for  OMS-1  and  deorbit.  In  addition,  the  GN2  accumulator  pressure  must  be 
>  260  psici  preburn  (ref.  { A6-5 j,  OMS  N2  ACCUMULATOR ).  The  engine  will  not  be  used  for  OMS-2 
and  on-orbit  burns  to  preclude  increasing  the  leak  rate  each  time  the  purge  valves  are  used  and  to 
presence  GN2  for  the  deorbit  burn.  ®[ED  ]  ®[ED  ] 

Note  that  the  WSTF  data  indicated  a  leak  rate  of  14  psia/sec  through  the  purge  valves  will  not 
significantly  affect  engine  startup,  operation,  or  shutdown.  However,  leak  rates  >  14  psia/sec  were  not 
tested  due  to  concern  s  that  the  GN2  tank  did  con  tain  enough  supply  to  support  larger  leak  rates  for  an 
appreciable  (deorbit-sized)  OMS  burn.  There  are  also  concerns  of  engine  cooling  at  higher  leak  rates; 
however,  no  data  or  analysis  exists  to  validate  these  concerns. 

If  the  engine  will  not  support  the  en  tire  deorbit  burn  SETP,  then  it  is  not  considered  a  valid  deorbit 
downmode  (ref  Annex  Flight  Rule,  OMS/RCS  DOWNMODING  CRITERIA)  and  RCS  steep  deorbit  must 
be  redlined.  Otherwise,  if  RCS  steep  deorbit  is  not  redlined  and  the  good  OMS  engine  fails  during  the 
deorbit  burn,  the  burn  cannot  be  completed  SETP  and  RCS  4+X  steep  deorbit  capability  would  not  exist. 
In  addition,  if  the  leak  rate  increases,  RCS  steep  deorbit  must  be  redlined  since  there  is  no  way  to 
guarantee  that  the  rate  will  not  increase  again  and  exceed  14  psia/sec.  ®[ED  ] 

If  RCS  steep  deorbit  must  be  redlined,  nominal  OMS-1  and  OMS-2  will  be  performed  only  if  sufficient 
OMS  and  RCS  propellant  margin  is  available  to  cover  RCS  deorbit  from  the  nominal  orbit.  Propellant 
trade-offs  as  defined  in  Rule  (A2-108J,  CONSUMABLES  MANAGEMENT,  must  also  be  considered  when 
calculating  the  redline.  If  sufficient  margin  does  not  exist  to  cover  RCS  deorbit  to  steep  targets,  perform 
delayed  ATO  OMS-1  and  OMS-2.  Raise  orbit  within  redlines.  These  calculations  are  performed 
preflight  and  are  based  on  nominal  MECO  delta  V’s  obtained  from  FDO’s  prior  to  flight.  @[072398-651 8A] 
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A6-51  QMS  FAILURE  MANAGEMENT  [CIL]  (CONTINUED) 

If  the  leak  rate  cannot  support  the  deorbit  bu  rn  leaking  engin  e ,  two  pods  from  an  HP  >  safe  HP,  then  a 
two  OMS  engines  to  one  OMS  engine  downmode  will  not  be  available  to  complete  the  burn  should  the 
good  engine  fail.  For  this  case,  the  leaking  engine  will  experience  a  GN2  depletion  shu  tdown,  and  a 
subsequent  downmode  to  RCS  will  be  required.  To  avoid  a  GN2  depletion  shutdown  ( which  carries  a 
risk  of  unstable  combustion),  it  is  pruden  t  in  this  case  to  not  use  the  leaking  engine  for  deorbit  but 
instead  to  plan  the  burn  SETP  using  the  non-leaking  engine.  This  not  only  provides  a  valid  downmode  to 
RCS  for  a  subsequent  engine  failure  but  allows  the  use  of  existing  procedures  (one  OME  burn  card,  etc.). 
Attempting  TETP  downmode  to  RCS  is  not  recommended  due  to  the  complications  associated  with  real¬ 
time  modification  of  procedures  and  downmode  cues.  @[072398-651 8A] 

If  the  leak  rate  will  support  SETP  from  greater  than  safe  Hp,  then  the  engine  may  be  used  for  deorbit 
with  the  condition  that  if  the  good  engine  fails  above  safe  Hp  but  prior  to  having  SETP  completion,  the 
burn  must  be  stopped.  @[072398-651 8A] 

(Ref  SODB,  Volume  I,  Paragraph  3.4.3.3-15.)  ®[ED  ] 

N.  TWO  OMS  GN2  ACCUMULATOR  LEAKS 

OMS  1/2  AND  DIRECT: 

Delayed  ATO  targets  are  chosen  for  two  GN2  accumulator  leaks  in  order  to  preserve  the  remaining  GN2 
for  the  deorbit  burn.  The  orbit  may  be  raised  using  RCS  jets  within  redlines.  Sufficien  t  GN2  to  complete 
the  deorbit  burn  single  engine  must  be  available  in  each  OMS  pod  in  order  to  raise  the  orbit. 

(Ref  SODB,  Volume  I,  Paragraph  3.4.3.3-15.)  ®[ED  ]  @[072398-651 8A] 
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A6-51  QMS  FAILURE  MANAGEMENT  [CIL]  (CONTINUED) 

OMS  PROPELLANT  TANK  LEAK/FAIL  @[072398-651 8A] 

O.  ONE  OMS  PROPELLANT  TANK  LEAK/FAIL  PRIOR  TO  END  OF  OMS-2: 

STD: 

Since  pre-MECO  ATO  dumps  may  be  required  for  ascent  performance,  the  ATO  dump  should  be 
continued  SELP  to  avoid  a  TAL  abort.  The  dump  will  burn  a  portion  of  the  leaking  propellant  which 
prevents  this  propellant  from  being  trapped  onboard.  Dumping  the  leaking  propellant  provides  more 
ullage  in  the  good  tank  of  the  affected  pod.  The  ullage  is  required  to  allow  mixed  crossfeed.  FDO  must 
analyze  the  amount  of  propellant  dumped  during  the  ATO  dump  to  determine  whether  an  AOA  or  an 
ATO  abort  is  feasible.  The  amount  of  delta  V  remaining  (limited  by  the  leak,  quantity  of  propellant 
dumped,  and  Y  CG)  must  quickly  be  calculated  to  determine  whether  sufficient  delta  V  is  available  to 
perform  delayed  ATO  OMS-1,  -2  and  deorbit  shallow.  RCS  supplement  should  be  considered  (ref.  Rules 
(. A2-52  j,  ASCENT  MODE  PRIORITIES  FOR  PERFORMANCE  CASES;  and  {A2-53},  FORWARD  RCS 
USAGE  GUIDELINES ).  If  an  AOA  or  ATO  orbit  cannot  be  achieved,  a  TAL  abort  must  be  performed. 

Since  delayed  ATO  targets  require  less  delta  V  than  nominal  OMS-1,  delayed  ATO  targets  are  used. 
OMS-1  is  performed  TETP  for  the  following  reasons:  (1)  cannot  perform  burn  SELP  because  OMS-1  is  a 
critical  burn  and  redundancy  is  required,  (2)  cannot  perform  burn  TELP  because  bad  propellan  t  WILL 
NOT  be  fed  into  a  good  system,  (3)  cannot  perform  burn  entirely  out  of  the  good  pod  since  it  is  desirable 
to  use  as  much  leaking  propellant  as  possible.  Post-delayed  ATO  OMS-1,  the  leaking  pod  should  be 
dumped  to  depletion.  Dumping  the  leaking  pod  prevents  this  propellant  from  being  trapped  onboard.  As 
a  result,  more  delta  V  is  available  from  the  good  OMS  pod  without  a  Y  CG  impact.  Post-delayed  ATO 
OMS-1  Ha  and  Hp  are  usually  high  enough  to  provide  sufficient  stay  capability  to  preclude  a 
requ  iremen  t  for  OMS-2  (assuming  nominal  MECO).  Since  a  propellant  leak  may  cool  the  pod  to  where 
cm  orbit  3  deorbit  is  not  feasible,  a  safe  orbit  altitude  which  allows  a  48-hour  stay  capability  to 
sublimate  leaked  propellan  t  may  be  required.  If  the  pod  thermal  environmen  t  indicates  freeze-up  may 
occur  and  the  current  orbit  does  not  provide  48-hour  stay  capability,  raise  orbit  with  FRCS.  Deorbit 
using  mixed  crossfeed  if  required  and  available  with  RCS  supplemen  t. 

If  the  tank  fails  at  OMS-1  ignition,  complete  the  burn  SEGP.  Deorbit  using  mixed  crossfeed  (if  available 
and  required). 

Note  that  consideration  may  be  given  to  executing  the  deorbit  burn  using  mixed  crossfeed  if  doing  so 
will  optimize  overall  performance  and  vehicle  health  (CG  impacts,  tank  landing  constraints,  etc.). 
@[072398-651 8A] 
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A6-51  QMS  FAILURE  MANAGEMENT  [CIL]  (CONTINUED) 

DIRECT:  @[072398-651 8A] 

For  cases  where  the  amount  ofOMS  delta  V  available  from  the  non-leaking  side,  supplemented  with  RCS 
delta  V  above  the  Aft  Press  Quantity,  is  insufficient  to  protect  a  Press-to-Orbit  (ref.  Rule  (A2-52J,  ASCENT 
MODE  PRIORITIES  FOR  PERFORMANCE  CASES)  which  includes  AO  A  Steep  and  ATO  to  Min  Hp  with 
FPLS  or  FD2  deorbit  to  shallow  targets  (ref  Rule  (A4-56},  PERFORMANCE  BOUNDARIES),  a  TAL 
abort  must  be  declared.  This  case  will  typically  occur  for  those  missions  that  have  the  combination  of  a 
small  OMS  load,  large  ballast  requiremen  ts,  and  large  delta  V  requiremen  ts  for  the  described  scenario. 
Analysis  must  be  performed  post-dump  to  determine  whether  the  trapped  propellant  on  the  leaking  side 
might  be  able  to  offset  any  aft  RCS  ballast  requirements. 

Since  pre-MECO  ATO  dumps  may  be  required  for  ascent  performance,  the  ATO  dump  should  be 
continued  SELP  to  avoid  a  TAL  abort.  The  dump  will  burn  a  portion  of  the  leaking  propellant  which 
prevents  this  propellant  from  being  trapped  onboard.  Dumping  the  leaking  propellant  provides  more 
ullage  in  the  good  tank  of  the  affected  pod.  The  ullage  is  required  to  allow  mixed  crossfeed.  FDO  must 
analyze  the  amount  of  propellant  dumped  during  the  ATO  dump  to  determine  whether  an  AOA  or  an 
ATO  abort  is  feasible.  The  amount  of  delta  V  remaining  (limited  by  the  leak,  quantity  of  propellant 
dumped,  and  Y  CG)  must  quickly  be  calculated  to  determine  whether  sufficien  t  delta  V  is  available  to 
perform  delayed  ATO  OMS-1,  -2  and  deorbit  shallow.  Forward  and  aft  RCS  supplement  to  aft  quantity- 
1  should  be  considered.  If  an  AOA  Steep  or  ATO  orbit  cannot  be  performed,  a  TAL  abort  must  be 
performed. 

Direct  insertion  ascent  implies  that  an  OMS-1  burn  is  nominally  not  performed.  Since  OMS-2  is  not 
performed  until  approximately  43  minutes  into  the  flight,  the  leaking  propellant  will  be  dumped  ASAP 
post-MECO.  Dumping  the  propellant  prevents  the  weight  of  the  propellant  from  being  trapped  onboard. 

As  a  result,  cdl  of  the  propellan  t  in  the  good  pod  can  be  used  without  a  Y  CG  impact.  In  addition, 
dumping  the  propellant  reduces  the  likelihood  of  freezing  the  entire  pod. 

Since  no  propellant  will  be  available  for  use  in  the  leaking  pod,  OMS-2  will  be  performed  SEGP.  Cut  off 
at  minimum  Hp  which  requires  the  least  toted  delta  V for  the  insertion  and  deorbit  burns  and  ensures 
orbited  lifetime  at  least  two  orbits  beyond  the  first  day  PLS  (ref.  Annex  Flight  Rule,  TRAJECTORY  AND 
GUIDANCE  PARAMETERS).  Deorbit  first  day  PLS  if  the  leaking  pod  thermal  environment  allows. 

Most  likely,  pod  thermal  will  indicate  that  an  orbit  3  deorbit  is  not  feasible.  ®[ED  ] 

If  tank  fail  occurs  prior  to  post-MECO  dump  or  at  OMS-2  ignition  (all  propellant  trapped  onboard), 
steep  day  2  deorbit  targets  may  be  accomplished  with  RCS  supplement  and  Y  CG  within  limits. 

Note  that  consideration  may  be  given  to  executing  the  deorbit  burn  using  mixed  crossfeed  if  doing  so 

will  optimize  overall  performance  and  vehicle  health  (CG  impacts,  tank  landing  constraints,  etc.). 
@[072398-651 8A] 
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P.  ONE  OMS  PROPELLANT  TANK  LEAK  POST-OMS-2:  @[072398-651 8A] 

STD/DIRECT: 

A  perigee  adjust  or  out-of-plane  burn  is  performed  immediately  in  accordance  with  Flight  Rule  { A4-104 ), 
OMS  LEAK/PERIGEE  ADJUST.  Propellant  should  be  dumped  to  depletion  (1  on  crew  display )  in  order 
to  reduce  the  amount  of  propellant  leaked  into  the  pod  and  to  minimize  the  amount  of  propellant  that  is 
trapped  onboard. 

Q.  ONE  OMS  PROPELLANT  TANK  FAIL  POST-OMS-2: 

STD/DIRECT: 

For  a  propellan  t  tank  failu  re  during  the  deorbit  burn,  the  deorbit  burn  must  be  terminated  if  the  perigee 
is  above  a  value  calculated  by  FDO  that  will  cdlow  completion  of  the  OMS  burn.  If  above  this  PRPLT 
FAIL  Hp,  insufficient  delta  V  remains  in  the  OMS  and  RCS  to  complete  the  planned  deorbit  burn. 

R.  TWO  OMS  PROPELLANT  TANKS  LEAKING/FAILED: 

STD: 

For  two  OMS  leaks  in  the  same  pod,  treat  as  a  single  leak/fail  realizing  mixed  crossfeed  is  not  an  option, 
see  paragraphs  O,  P,  and  Q  rationale. 

For  two  OMS  leaks  on  different  sides,  abort  according  to  the  abort  priorities  (ref.  Flight  Rule  { A2-52A }, 
ASCENT  MODE  PRIORITIES  FOR  PERFORMANCE  CASES).  TAL,  if  prior  to  last  TAL  boundary.  After 
TAL  boundary  and  pre-MECO,  a  TAL  to  cm  ALCS  will  be  performed.  If  the  leaks  occur  post-MECO, 
perform  optimum  AO  A  OMS-1  shallow  OMS-2.  Use  mixed  crossfeed  if  available  in  order  to  keep  the  Y  CG 
within  limits.  Aft  RCS  supplement  to  AFT  PRESS  QTY  should  also  be  used. 

Note  that  consideration  may  be  given  to  executing  the  deorbit  burn  using  mixed  crossfeed  if  doing  so 
will  optimize  overall  performance  and  vehicle  health  (CG  impacts,  tank  landing  constraints,  etc.). 
@[072398-651 8A] 
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If  two  OMS  leaks  occur,  different  propellants  and  different  sides,  an  ATO  will  not  be  attempted. 

Previously,  delayed  ATO  was  attempted  if  either  leak  rate  supported  delayed  ATO  OMS-1.  A  delayed 

ATO  is  not  cm  option  for  the  two  leaks -different  propellants  and  different  sides.  Consider  the  following 

scenarios: 

a.  Two  OMS  leaks,  different  propellant,  different  sides,  and  one  leak  rate  supports  delayed  ATO 
OMS-1;  delayed  ATO  OMS-2  is  performed  with  RCS.  160  fps  is  required  to  satisfy  shallow 
targets.  No  OMS  delta  V  is  available,  however,  since  one  pod  was  not  used  for  OMS-1.  As  a 
result,  no  blowdown  is  available  for  mixed  crossfeed  deorbit  from  this  pod.  44  fps  RCS  delta  V 
was  used  for  OMS-2.  Therefore,  only  57  fps  RCS  delta  V  remains.  AS  A  RESULT,  IF  ONE 
LEAK  RATE  SUPPORTS  DELAYED  ATO  OMS-1,  THE  DELAYED  ATO  IS  NOT  A  VIABLE 
OPTION. 

b.  Two  OMS  leaks,  different  propellant,  different  sides,  and  both  leak  rates  support  delayed  ATO 
OMS-1;  delayed  ATO  OMS-2  is  performed  with  RCS.  160  fps  is  required  to  satisfy  shallow 
targets.  Only  70  fps  is  available  in  the  OMS  ( limited  by  the  amoun  t  of  blowdown  available  in  the 
good  tanks  for  mixed  crossfeed).  44  fps  RCS  delta  V  was  used  for  OMS-2.  Therefore,  only  57 
fps  RCS  delta  V  remains.  The  toted  delta  V  available  is  127 fps,  not  enough  to  satisfy  the  160  fps 
required  for  shallow  deorbit.  AS  A  RESULT,  IF  BOTH  LEAK  RATES  SUPPORT  DELAYED 
ATO  OMS-1,  THE  DELAYED  ATO  IS  STILL  NOT  A  VIABLE  OPTION. 

c.  Two  OMS  leaks,  different  propellant,  different  sides,  and  both  leak  rates  support  nominal  OMS-1; 
OMS-2  cutoff  at  100  nm  is  performed  with  RCS.  130  fps  is  required  to  satisfy  shallow  targets. 

Only  90  fps  is  available  in  the  OMS  ( limited  by  the  amoun  t  of  blowdown  available  in  the  good  tanks 
for  mixed  crossfeed).  88  fps  RCS  delta  V  was  used  for  OMS-2.  Therefore,  only  13  fps  RCS  delta  V 
remains.  The  total  delta  V  available  is  103  fps,  not  enough  to  satisfy  the  130  fps  required  for 
shallow  deorbit.  AS  A  RESULT,  IF  BOTH  LEAK  RATES  SUPPORT  NOMINAL  OMS-1, 

NOMINAL  OMS-1,  OMS-2  CUTOFF  AT  100  NM  IS  NOT  A  VIABLE  OPTION. 

For  two  OMS  leaks  same  propellant,  the  earliest  abort  option  will  be  chosen  since  no  OMS  mixed 

crossfeed  is  available. 
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A6-51  QMS  FAILURE  MANAGEMENT  [CIL]  (CONTINUED) 

DIRECT: 

For  two  OMS  leaks  in  the  same  pod,  treat  as  a  single  leak/fail  realizing  mixed  crossfeed  is  not  an  option, 
see  paragraphs  O,  P,  and  Q  rationale. 

For  two  OMS  leaks  on  different  sides,  abort  according  to  the  abort  priorities  (reference  Rule  { A2-52AJ , 
ASCENT  MODE  PRIORITIES  FOR  PERFORMANCE  CASES).  TAL,  if  prior  to  last  TAL  boundary. 

After  TAL  boundary  and  pre-MECO,  TAL  to  an  ACLS.  If  the  leaks  occur  post-MECO,  an  AO  A  must  be 
performed.  AO  A  delta  V  costs  vary  according  to  MECO  Ha.  As  a  result,  RCS  supplement  may  or  may 
not  be  required.  Again,  mixed  crossfeed  will  be  used  if  required  and  available  in  order  to  main  tain  Y  CG 
within  limits.  @[072398-651 8A] 

Similar  to  the  standard  insertion  case,  an  ATO  will  not  be  considered  for  the  two  leak  case.  Again,  with 
two  OMS  leaks,  insufficient  blowdown  delta  V  exist  post-OMS-2  for  a  shallow  deorbit. 

OMS  INLET  LINE  LEAK 

S.  ONE  OMS  INLET  LINE  LEAK  PRIOR  TO  OMS-2:  @[072398-651 8A] 

STD: 

Post-MECO,  the  leak  will  be  secured  to  minimize  propellant  leakage  into  the  pod.  Since  delayed  ATO 
targets  require  less  delta  V  than  nominal  OMS-1  with  cutoff  at  Hp  =  100,  a  delayed  ATO  OMS-1  is 
performed.  OMS-1  is  performed  TETP  for  the  following  reasons:  (1)  should  not  perform  SELP  because 
OMS-1  is  a  critical  burn  and  redundancy  is  required,  (2)  cannot  perform  burn  TELP  because  bad 
propellan  t  WILL  NOT  be  fed  into  a  good  system,  (3)  do  not  perform  burn  SEGP  since  it  is  desirable  to  use 
as  much  propellant  from  the  leaking  system  as  possible.  Post-delayed  ATO  OMS-1  Ha  and  Hp  are  usually 
high  enough  to  provide  sufficient  stay  capability  to  preclude  a  requirement  for  OMS-2  (assuming  nominal 
MECO).  Since  a  propellant  leak  may  cool  the  pod  to  a  point  where  a  rev.  3  deorbit  is  not  possible,  an  orbit 
altitude  which  allows  48-hour  stay  capability  for  propellant  sublimation  may  be  required.  If  the  pod 
thermal  environmen  t  indicates  freeze-up  may  occur  and  the  curren  t  orbit  does  not  provide  48-hour  stay 
capability,  raise  orbit  with  FRCS.  In  order  to  minimize  repress  cycles  on  the  inlet  line,  a  dump  will  be 
performed  only  if  necessary  to  satisfy  Orbiter  CG  envelope  or  OMS  tank  landing  weight  constraint. 

Deorbit  using  mixed  crossfeed  if  required  and  available  with  forward  and  aft  RCS  supplement.  Note  that 
consideration  may  be  given  to  executing  the  deorbit  burn  using  mixed  crossfeed  if  doing  so  will  optimize 
overall  performance  and  vehicle  health  (CG  impacts,  tank  landing  constraints,  etc.). 

If  the  inlet  line  repress  fails  at  OMS-1,  perform  OMS-1  SEGP.  Propellant  tank  fail  rules  now  apply  (see 
paragraphs  O  and  Q). 
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DIRECT: 

If  the  delta  V  available  supports  continuing  to  MECO,  Post-MECO,  the  leak  will  be  secured  to  minimize 
propellant  leakage  into  the  pod.  Direct  insertion  implies  that  an  OMS-1  is  nominally  not  performed.  To 
avoid  a  repress  of  the  inlet  line,  OMS-2  is  performed  SEGP  cutoff  at  minimum  Hp.  As  in  the  OMS  1/2 
case,  a  dump  will  be  performed  only  if  necessary  to  satisfy  the  Orbiter  CG  envelope  or  the  OMS  tank 
landing  weight  constrain  t.  Deorbit  using  mixed  crossfeed  if  required  with  forward  and  aft  RCS 
supplement. 

Note  that  consideration  may  be  given  to  executing  the  deorbit  burn  using  mixed  crossfeed  if  doing  so  will 
optimize  overall  performance  and  vehicle  health  (CG  impacts,  tank  landing  constraints,  etc.). 

If  the  inlet  line  repress  fails,  propellant  tank  fail  rules  apply  (see  paragraphs  O  and  Q).  @[072398-651 8A] 

T.  ONE  OMS  INLET  LINE  LEAK  POST  OMS-2:  @[072398-651 8A] 

STD/DIRECT: 

A  perigee  adjust  burn  is  performed  at  the  next  opportunity  to  lower  Orbiter  altitude  using  the  leaking 
propellant.  Rule  {A6-203},  OMS  LEAKING  INLET  LINE  PERIGEE  ADJUST  BURN,  provides 
additional  guidelines  on  the  scheduling  of  the  perigee  adjust  burn.  If  propellant  remains  after  the 
perigee  adjust  burn,  an  out-of-plcine  clump  may  be  performed  if  required  to  satisfy  the  Orbiter  CG 
envelope  or  the  OMS  tank  landing. 

U.  TWO  OMS  INLET  LINES  LEAKING: 

STD: 

For  two  OMS  inlet  line  leaks  in  the  same  pod,  treat  as  a  single  leak.  Mixed  crossfeed  is  not  cm  option 
(see  paragraphs  S  and  T). 

For  two  OMS  inlet  line  leaks,  different  sides  same  propellant,  cm  ATO  will  not  be  attempted  since  mixed 
crossfeed  is  not  an  option.  Pre-MECO,  the  leaks  will  be  treated  as  tank  leaks.  Post-MECO,  optimum 
AO  A  targets  will  be  used  to  minimize  OMS  propellant  requirements.  Attempt  AO  A  OMS-1  and  OMS-2 
TETP. 

For  two  OMS  inlet  line  leaks,  different  sides  different  propellants,  an  ATO  will  be  attempted  since  4+X 
mixed  crossfeed  is  available.  A  delayed  ATO  OMS-1  will  be  performed.  Deorbit  4+X  mixed  crossfeed 
with  aft  RCS  supplement  to  aft  quantity-1. 
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DIRECT: 

For  two  OMS  inlet  line  leaks  in  the  same  pod,  treat  as  a  single  leak.  Mixed  crossfeed  is  not  an  option 
(see  paragraphs  S  and  T). 

For  two  OMS  inlet  line  leaks,  different  sides,  same  propellant,  an  ATO  will  not  be  attempted  since  mixed 
crossfeed  is  not  an  option.  The  leaks  will  be  secured  post-MECO  to  minimize  leakage  into  the  pod  and 
cm  AO  A  OMS-2  TETP  will  be  attempted  with  RCS  supplement  if  required. 

For  two  OMS  inlet  line  leaks,  different  sides,  different  propellant,  an  ATO  will  be  attempted  since  4+X 
mixed  crossfeed  is  available.  The  leaks  will  be  secured  post-MECO  to  minimize  leakage  into  the  pod 
and  cm  OMS-2  cutoff  at  minimum  Hp  will  be  performed.  Deorbit  4+X  mixed  crossfeed  with  RCS 
supplemen  t  if  required.  @[072398-651 8A] 

OMS  ENGINE  FAILURE: 

V.  ONE  OMS  ENGINE  FAILURE:  @[072398-651 8A] 

STD/DIRECT: 

If  sufficient  OMS  and  RCS  propellant  margin  is  available  to  redline  RCS  steep  deorbit  from  the 
nominal  orbit,  then  nominal  OMS-1  and  OMS-2  will  be  performed.  Propellant  trade-offs  as  defined 
in  Rule  {A2-108},  CONSUMABLES  MANAGEMENT,  must  also  be  considered  when  calculating  the 
redline.  If  sufficient  margin  does  not  exist  to  cover  RCS  deorbit  to  steep  targets,  perform  delayed 
ATO  OMS-1  and  OMS-2.  If  the  failure  occurs  du  ring  OMS-1,  nominal  OMS-1  must  be  completed. 
Perform  OMS-2  cutoff  at  minimum  Hp.  Raise  orbit  within  redlines. 

These  calculations  are  performed  preflight  and  based  on  nominal  MECO  delta  V’s  obtained  from  FDO’s 
prior  to  flight. 

IV.  TWO  OMS  ENGINES  FAILED: 

STD/DIRECT: 

RCS  +X  is  the  last  option  for  translation  after  both  OMS  engines  have  failed.  RCS  4+X  uses  more  OMS 
propellant  than  the  OMS  engines  for  an  equivalent  delta  V  due  to  Isp  differences.  Therefore,  cm  ATO  to 
minimum  Hp  is  performed  to  minimize  the  delta  V  requirements.  Deorbit  is  scheduled  first  day  or  next 
PLS  opportunity  because  the  next  failu  re  resu  lts  in  the  loss  of  deorbit  capability.  @[072398-651 8A] 

Rule  {A6-204},  OMS  GN2  ACCUMULATOR  LEAK  DETERMINATION,  references  this  rule. 
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FAILURE  MATRIX 

L/OTO 

OMS-1 

OMS-2 

OMS-1 

TO 

TO 

OMS-2 

DEORBIT 

1  OR  2  FRCS  HE  TANK  LEAK . 

A 

A 

B 

1  OR  2  FRCS  HE  TANK  FAIL . 

C 

C 

D 

1  OR  2  FRCS  PROP  TANK  LEAK.... 

E 

E 

E 

1  OR  2  FRCS  PROP  TANK  FAIL . 

F 

F 

F 

1  ARCS  HE  TANK  LEAK/FAIL . 

G 

G 

H 

2  ARCS  HE  TANK  LEAK/FAIL . 

1 

1 

1 

1  ARCS  PROP  TANK  LEAK/FAIL . 

J 

J 

J 

2  ARCS  PROP  TANK  LEAK/FAIL . 

K 

K 

K 

NOTES: 

[1]  WITH  FRCS  SECURED,  LOSE  VERNIER  CONTROL. 

[2]  ENTER  FIRST  DAY  PLS. 

[3]  ENTER  NEXT  PLS. 

[4]  CUT  OFF  AT  MINIMUM  HP  WHICH  REQUIRES  THE  LEAST  TOTAL  DELTA  V  FOR  THE  INSERTION  AND  DEORBIT 
BURNS  AND  ENSURES  ORBITAL  LIFETIME  AT  LEAST  TWO  ORBITS  BEYOND  THE  FIRST  DAY  PLS. 
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A6-52  RCS  FAILURE  MANAGEMENT  (CONTINUED) 

FAILURE  DEFINITION 

FRCS  HE  TANK  LEAK/FAIL: 

•  HE  TANK  LEAK  IF  PRESSURE  >  456  PS I  AND  DECREASING  ABNORMALLY. 

•  HE  TANK  FAIL  IF  PRESSURE  <  456  PSI . 

•  FULL  BLOWDOWN  IF  PROPELLANT  TANK  QUANTITY  <  23  PERCENT. 

ACTION  SUMMARY 

A.  ONE  OR  TWO  HE  SYSTEM  LEAK  PRIOR  TO  OMS-2 : 

1.  PRE-MECO  SECURE,  RATE  DAMP  WITH  ARCS. 

2.  USE  FRCS  FOR  ET  SEPARATION,  CANCEL  +X  TRANSLATION. 

3.  USE  UNTIL  HE  FAILED,  THEN  SECURE  FRCS  [1]. 

4.  USE  RCS  PROPELLANT  CONSERVATION  TECHNIQUES. 

B.  ONE  OR  TWO  LEAK  POST-OMS-2 : 

1.  PERFORM  -X  TRANSLATION  OR  FRCS  DUMP  TO  ACHIEVE  MAXIMUM 
BLOWDOWN  UNTIL  HE  TANK  FAIL. 

2.  DESELECT  FRCS  JETS  [1]  UNLESS  REQUIRED  FOR  HIGH  PRIORITY 
ACTIVITIES . 

3.  USE  RCS  PROPELLANT  CONSERVATION  TECHNIQUES. 

4.  RESELECT  FRCS  JETS  PRIOR  TO  DEORBIT. 

5.  SECURE  FRCS  WHEN  PROPELLANT  TANK  PRESSURE  ?  190  PSI. 
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A6-52 

C.  ONE 

1  . 

2  . 
3. 

4  . 

D .  ONE 

1  . 

2  . 
3. 

4  . 


RCS  FAILURE  MANAGEMENT  (CONTINUED) 

OR  TWO  FAIL  PRIOR  TO  OMS-2 : 

PRE-MECO  SECURE,  RATE  DAMP  WITH  ARCS. 

USE  FRCS  FOR  ET  SEPARATION,  CANCEL  +X  TRANSLATION. 
POST-ET  SEPARATION,  SECURE  FRCS  [1] 

USE  RCS  PROPELLANT  CONSERVATION  TECHNIQUES. 

OR  TWO  FAIL  POST-OMS-2: 

DESELECT  FRCS  JETS  [1]  UNLESS  REQUIRED  FOR  HIGH  PRIORITY 
ACTIVITIES . 

USE  RCS  PROPELLANT  CONSERVATION  TECHNIQUES. 

RESELECT  FRCS  JETS  PRIOR  TO  DEORBIT. 

SECURE  FRCS  WHEN  PROPELLANT  TANK  PRESSURE  ?  190  PSI. 


FRCS  is  critical  for  ET  separation.  Since  very  little  blowdown  capability  exists  at  launch,  the  mated 
coast  rate  damping  is  performed  using  the  ARCS  maximizing  the  FRCS  capability  for  ET  separation. 

The  MCC  can  determine  if  the  helium  tank  will  support  a  nominal  mated  coast/ET  separation  and  will 
advise  crew  to  open  FRCS  pre-MECO  (maximizing  blowdown)  if  the  capability  exists;  otherwise  the  crew 
will  perform  mated  coast  with  the  ARCS.  Once  the  helium  tank  has  failed,  the  FRCS  capability  is 
drastically  reduced.  Therefore,  propellant  conservation  techniques  must  be  utilized  to  stretch  mission 
duration.  Sufficient  blowdown  capability  is  available  to  perform  a  successful  ET  separation. 

Post-OMS-2,  time  is  available  to  attempt  a  maximum  blowdown  burn  to  maximize  FRCS  capability  for 
high  priority  on-orbit  activities  which  require  FRCS,  in  the  entry  preparation  and  deorbit  burn 
timeframes. 

The  full  blowdown  quantity  of  23  percen  t  assumes  use  of  the  propellan  t  tank  to  a  pressure  of  190  psi. 
(Reference  SODB  4. 3. 2.1.) 
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A6-52  RCS  FAILURE  MANAGEMENT  (CONTINUED) 

FAILURE  DEFINITION 
FRCS  PROPELLANT  TANK  LEAK/FAIL: 

•  PROPELLANT  TANK  LEAK  IF  QUANTITY  DECREASE  ABNORMAL. 

•  PROPELLANT  TANK  FAIL  IF  QUANTITY  ?  0  PERCENT  OR  PRESSURE 
?  190  PSI  . 

ACTION  SUMMARY 

E.  ONE  OR  TWO  LEAK: 

1.  SECURE,  IF  LEAK  RATE  CAN  SUPPORT  MATED  COAST/ET 
SEPARATION,  USE  FRCS  FOR  MATED  COAST  AND  ET  SEPARATION. 
OTHERWISE,  RATE  DAMP  WITH  ARCS. 

2.  USE  FRCS  FOR  ET  SEPARATION.  CANCEL  +X  TRANSLATION. 

3.  PERFORM  FRCS  DUMP  TO  DEPLETION,  THEN  SECURE  FRCS  [1]. 

4.  USE  RCS  PROPELLANT  CONSERVATION  TECHNIQUES. 

NOTE:  IF  THE  LEAK  RATE  RESULTS  IN  A  QTY  <  52  PERCENT  AT  MECO, 

AND  MECO  CONDITIONS  EXIST  WHICH  PROVIDE  A  DELAYED  ET  SEP 
CAPABILITY  WITHOUT  IMPACTING  ORBITER  PERFORMANCE  (N/A 
RTLS ,  TAL) ,  PERFORM  DELAYED  ET  SEP  (MECO  +  6  MINUTES) . 

This  rule  allows  using  the  FRCS  to  0  percent  versus  performing  a  NO  FRCS  ET  SEP  by  optimizing 
FRCS  capability  for  ET  SEP.  The  A/E  FTP  # 48 ,  9/9/88,  judged  the  risk  of  using  the  FRCS  for  ET  SEP 
(when  the  computed  quantity  at  MECO  is  <  52  percent)  to  be  lower  than  the  uncertified  NO  FRCS  ET 
SEP  procedure.  Delaying  ET  SEP  ( MECO  +  6  minutes)  provides  additional  time  to  allow  possible 
FRCS  screen  rewetting  to  occur.  Rewetting  the  screens  may  prevent  jet  fail  off’s  due  to  helium 
ingestion.  If  an  RTLS,  TAL,  or  unclerspeed  conditions  exist  at  MECO,  an  on-time  ET  SEP  will  be 
performed. 

Same  as  paragraph  A  except  apply  propellant  tank  and  perform  FRCS  dump  to  depletion.  Dumping 
propellant  overboard  versus  allowing  propellant  to  leak  into  the  FRCS  module  minimizes  on-orbit  cool 
down  or  postlanding  fire  hazard. 
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F .  ONE 
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2  . 
3. 


RCS  FAILURE  MANAGEMENT  (CONTINUED) 

OR  TWO  FAIL: 

SECURE  [1],  RATE  DAMP  WITH  ARCS. 

PERFORM  NO  JET  ET  SEPARATION,  CANCEL  +X  TRANSLATION. 
USE  RCS  PROPELLANT  CONSERVATION  TECHNIQUES. 


Loss  of  the  FRCS  for  ET  separation  requires  the  use  of  a  special  technique  to  separate  from  the  external 
tank. 


FAILURE  DEFINITION 


ARCS  HE  TANK  LEAK/FAIL: 

•  HE  TANK  LEAK  IF  PRESSURE  >  456  PS I  AND  DECREASING  ABNORMALLY. 

•  HE  TANK  FAIL  IF  PRESSURE  <  456  PSI . 

•  FULL  BLOWDOWN  IF  PROPELLANT  TANK  QUANTITY  <  24  PERCENT. 

ACTION  SUMMARY 

G.  ONE  LEAK/FAIL  PRIOR  TO  OMS-2 : 

1.  RATE  DAMP  AND  ET  SEPARATION  IN  NORMAL  CONFIGURATION, 
CANCEL  +X  TRANSLATION. 

2.  WHEN  HE  TANK  PRESSURE  <  456  PSI  PRE/DURING  OMS-1 
CROSSFEED  FROM  GOOD  SIDE.  POST-OMS-1,  INTERCONNECT  FROM 
OMS  . 

3.  NOMINAL  DEORBIT  [2]. 

4.  PRE-EI,  CROSSFEED  FROM  GOOD  SIDE. 

The  full  blowdown  quantity  of  24  percen  t  assumes  use  of  the  propellan  t  tank  to  a  pressure  of  190  psi. 

( Reference  SODB  4. 3. 2.1.) 

Use  mated  coast/ET  separation  to  increase  the  blowdown  capability  if  the  helium  tank  has  not  yet  failed. 
If  helium  tank  has  failed,  good  pod  RCS  can  be  used  for  ET  separation.  However,  the  RCS  entry  redline 
has  been  violated  due  to  loss  of  RCS  in  affected  pod.  Use  OMS  interconnect  capability  to  conserve  the 
remain  ing  RCS  for  entry  at  the  next  PLS  opportun  ity.  Stay  in  in  terconnect  configuration  through  OMS-2 
and  the  deorbit  burn. 
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A6-52  RCS  FAILURE  MANAGEMENT  (CONTINUED) 

H.  ONE  LEAK/FAIL  P0ST-0MS-2 : 

1.  INTERCONNECT  FROM  OMS . 

2.  IF  LEAKAGE  CANNOT  SUPPORT  NEXT  PLS  OPPORTUNITY,  CROSSFEED 
FROM  LEAKING  RCS  AND  PERFORM  +X  TRANSLATION  TO  MAXIMUM 
BLOWDOWN.  WHEN  HE  TANK  FAILED  OR  MAXIMUM  BLOWDOWN, 
INTERCONNECT  FROM  OMS  THROUGH  THE  DEORBIT  BURN. 

CROSSFEED  FROM  GOOD  RCS  FOR  ENTRY. 

3.  IF  LEAK  CAN  SUPPORT  NEXT  PLS,  PRIOR  TO  DEORBIT,  RECONFIGURE 
ARCS  TO  NORMAL  FEED.  IF  HE  TANK  PRESSURE  <456  PSI, 
CROSSFEED  FROM  GOOD  SIDE  FOR  ENTRY. 

4.  NOMINAL  DEORBIT  [2]  [3]. 

Interconnect  to  OMS  is  required  to  enable  MCC  to  establish  a  reliable  leak  rate.  Once  leak  rate  is 
determined ,  then  the  decision  to  perform  a  maximum  blowdown  burn  or  wait  to  the  next  PLS  opportunity 
can  be  made.  Regardless  of  the  decision,  stay  in  interconnect  configuration  to  conserve  RCS  propellan  t 
in  the  good  pod.  Save  affected  pod  blowdown  for  entry  preparation  and  deorbit. 

I.  TWO  LEAK/FAIL: 

1.  IF  ON  SAME  SIDE,  TREAT  AS  SINGLE  LEAK/FAIL.  SEE 
PARAGRAPHS  G  AND  H. 

2.  IF  LEAKING,  CONTINUE  TO  USE  TO  MAXIMIZE  ULLAGE  UNTIL  HE 
TANK  FAILED. 

3.  IF  SAME  PROPELLANT,  UPHILL  ABORT  [4]. 

4.  IF  DIFFERENT  PROPELLANT,  INTERCONNECT  FROM  OMS  TO  SAVE 

RCS  ULLAGE.  NOMINAL  DEORBIT  [2]  [3],  USE  MIXED  CROSSFEED 

FOR  ENTRY. 

Same  as  paragraph  H.  If  same  propellant  in  different  pods,  mixed  crossfeed  cannot  be  utilized  to 
support  entry. 

With  the  01-8  NO  YAW  JET  software,  a  certified  entry  from  a  Q-bar  =  20  to  touchdown  is  now 
available.  With  this  capability,  previous  abort  calls  for  dual  RCS  He/propellcmt  tank  fail/leak  can  be 
avoided  if  control  can  be  guaranteed  through  a  Q-bar  =  20.  OMS  interconnect  is  utilized  from  MECO 
until  prior  to  El  for  attitude  control  to  minimize  RCS  propellant  requirements. 
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A6-52  RCS  FAILURE  MANAGEMENT  (CONTINUED) 

The  two  He  tank  fail  same  propellant  TAL  abort  case  was  eliminated.  Sufficient  blowdown  is  available  to 
supply  propellant  requirements  for  El  to  a  Q-bcir  =  20  (available  blowdown  =  160  lb;  required  from  El 
to  Q-bcir  -20  ?  127  lb  (based  on  review  of  GNC  entry  data)).  An  uphill  abort  cutting  off  at  minimum 
Hp,  which  requires  the  least  delta  V for  the  insertion  and  deorbit  burns  and  ensures  orbital  lifetime  at 
least  two  orbits  beyond  the  first  day  PLS,  is  selected  to  maximize  the  amoun  t  ofOMS  remaining  to  protect 
for  interconnect  operations  post-deorbit  burn.  OMS  remaining  post-deorbit  burn  must  be  ?  10.3  percen  t 
(SODB  3.4. 3. 3.7.  C)  plus  any  expected  usage. 

The  action  is  the  same  for  one  or  both  helium  tanks  leaking  as  for  two  He  tanks  failed.  The  rationale 
deals  with  the  time  to  maximize  blowdown  in  the  leaking  system(s).  The  time  from  MECO  until  a  Q-bcir 
=  20  on  ci  TAL  is  374  seconds  (6.25  minutes)  where  if  applied  to  a  normal  ascent  would  allow  time  to 
increase  blowdown  capability. 

Two  propellant  tanks  failed  same  propellant  does  not  allow  any  type  of  certified  entry.  Since  no  control 
can  be  guaranteed ,  the  most  prudent  action  is  the  one  that  allows  the  most  time  and  the  most  benign 
environment.  By  pressing  uphill,  time  is  gained  to  allow  complex  procedure  and/or  software  changes  to 
take  place  to  help  provide  control  until  a  Q-bar  =  20  (i.e.,  DAP  or  procedure  changes  that  will  allow 
forward  RCS  control  in  pitch  and  yaw).  A  delayed  ATO  is  selected  to  maximize  the  amount  of  OMS 
remaining  to  protect  for  interconnect  operations  post-deorbit  burn. 

For  the  cases  of  one  propellant  tank  fail  and  the  other  leaking  or  both  leaking  same  propellant  yields  a 
more  complex  case.  If  one  pod  con  tains  75  percen  t  or  more,  ET  separation  can  be  performed  in  a  timely 
and  safe  manner.  The  leak  rate  after  ET  separation  must  still  support  Q-bar  =  20  to  guarantee  control 
until  NO  YAW  JET  can  be  engaged.  If  the  leak  rate  supports  TAL,  the  proper  course  of  action  is  to  abort 
TAL.  If  the  leak  rate  does  not  support  TAL,  this  case  becomes  the  same  as  two  propellant  tanks  failed. 
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A6-52  RCS  FAILURE  MANAGEMENT  (CONTINUED) 

FAILURE  DEFINITION 
ARCS  PROPELLANT  TANK  LEAK/FAIL: 

•  PROPELLANT  TANK  LEAK  IF  QUANTITY  DECREASE  ABNORMAL. 

•  PROPELLANT  TANK  FAILURE  IF  QUANTITY  <  0  PERCENT  OR  PRESSURE 
<  190  PSI. 

•  NOMINAL  OR  ABORT  ET  SEPARATION:  PROPELLANT  TANK  FAILURE  IF 
QUANTITY  <  75  PERCENT. 

ACTION  SUMMARY 


J.  ONE  LEAK/FAIL: 

1.  PRE/DURING  OMS-1,  IF  FAILED,  CROSSFEED  FROM  GOOD  RCS  FOR 
ET  SEP,  CANCEL  +X  TRANSLATION. 

2.  POST-OMS-1,  IF  FAILED,  INTERCONNECT  FROM  OMS . 

3.  PERFORM  NOMINAL  CMS-1  AND  OMS-2 . 

4.  PERFORM  PERIGEE  ADJUST  OR  OUT-OF-PLANE  BURN  IMMEDIATELY. 

5.  NOMINAL  DEORBIT  [2]  [3]. 

6.  IF  FAILED,  PRE-EI,  CROSSFEED  FROM  GOOD  RCS. 

Crossfeed  from  good  RCS  to  guarantee  ET  separation  is  accomplished.  Then  interconnect  from  OMS  to 
conserve  good  pod  RCS  propellants.  There  is  no  reduction  in  the  OMS  delta  V  capability  so  a  nominal 
ascent  can  be  completed.  However,  deorbit  will  occur  at  the  next  PLS  opportunity  due  to  the  violation  of 
the  RCS  entry  redline. 
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A6-52  RCS  FAILURE  MANAGEMENT  (CONTINUED) 

K.  TWO  LEAK/FAIL: 

1.  IF  ON  SAME  SIDE,  TREAT  AS  SINGLE  FAILURE,  SEE  PARAGRAPH  J. 

2.  INTERCONNECT  FROMOMS,  CANCEL  +X  TRANSLATION.  POST-EI, 
FEED  FROM  RCS . 

3.  IF  SAME  PROPELLANT,  SELECT  RETURN,  PRIORITY: 

•  TAL/LATE  TAL  (IF  LEAK  RATE  SUPPORTS  ET  SEPARATION  AND 
ENTRY  TO  A  Q-BAR  =  20) . 

•  AOA  (IF  POST-MECO  AND  LEAK  RATE  SUPPORTS  AN  ENTRY  TO 
A  Q-BAR  =  20)  . 

•  ELS  (IF  LEAK  RATE  SUPPORTS  AN  ENTRY  TO  A  Q-BAR  =20 
CONSISTENT  WITH  RULE  {A2-205},  EMERGENCY  DEORBIT). 

•  UPHILL  ABORT  [4] . 

4.  IF  DIFFERENT  PROPELLANT,  INTERCONNECT  FROM  OMS  TO  RCS  TO 
SAVE  RCS  PROPELLANT.  NOMINAL  ENTRY  [3] .  USE  MIXED 
CROSSFEED  FOR  ENTRY. 

The  rationale  is  the  same  as  that  for  paragraphs  I  and  J. 
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A6-53  QMS  HELIUM  INGESTION 

FOR  HELIUM  INGESTION  INTO  THE  OMS  PROPELLANT  TANK  AFT 
COMPARTMENT  AS  REFLECTED  IN  AN  OMS  PROPELLANT  TANK  AFT 
QUANTITY  DECREASE  OF  >  1.0  PERCENT  FOR  ANY  SINGLE  BURN  WHEN 
OMS  TANK  QUANTITY  >  45  PERCENT,  OMS/RCS  INTERCONNECT  FROM 
THAT  POD  WILL  NOT  BE  PERFORMED  EXCEPT  FOR  DEORBIT. 

The  OMS  bulkhead  screen  should  not  allow  more  than  1  percen  t  of  helium  gas  to  enter  the  aft 
compartment  for  a  single  OMS  burn.  Experience  to  date  has  shown  little  or  no  gas  transfer.  A  decrease 
in  the  aft  quantity  gauge  >  1  percent  during  a  burn  when  the  propellant  level  covers  the  bulkhead  screen 
indicates  screen  breakdown  has  occurred  and  further  use  of  that  tank  without  propellant  settling  burns  is 
prohibited. 

OMS  tank  propellant  quantity  less  than  45  percent,  RCS  interconnect  propellant  usage  may  result  in  a 
decrease  in  OMS  aft  quantity  (the  forward  compartmen  t  propellant  may  not  be  in  contact  with  the  bulkhead 
screen).  With  OMS  propellant  quantity  less  than  30  percent,  there  is  no  propellant  remaining  in  the  forward 
compartment  and  all  usage  will  come  from  the  aft  compartmen  t.  In  these  cases,  a  decrease  in  the  aft 
compartment  quantity  is  not  indicative  of  a  screen  failure.  ( Reference  SODB,  volume  I,  paragraph  3. 4. 3. 3.) 


VOLUME  A  06/20/02  FINAL  PROPULSION  6-60 

Verify  that  this  is  the  correct  version  before  use. 


NASA  -  JOHNSON  SPACE  CENTER 


FLIGHT  RULES 


A6-54  QMS  PROPELLANT  FAIL  FEED  CONSTRAINTS  [CIL] 

THE  OMS  CROSSFEED  OR  INTERCONNECT  MODE  WILL  NOT  BE  USED  TO  FEED 
FROM  A  FAILED  OR  A  SUSPECTED  FAILED  OMS  PROPELLANT  TANK  AS  LONG 
AS  SHALLOW  TARGETS,  TANK  LANDING  WEIGHT  CONSTRAINTS,  AND  CG 
LIMITS  ARE  PRESERVED.  IF  ANY  OF  THE  ABOVE  CONSTRAINTS  ARE 
VIOLATED,  THE  INTERCONNECT  MODE  MAY  BE  USED  TO  ATTEMPT  AN  RCS  +X 
PERIGEE  ADJUST. 

A.  ABOVE  MINIMUM  SAFE  PERIGEE  (SAFE  HP),  THE  INTERCONNECT  MODE 
MAY  BE  USED  TO  ATTEMPT  AN  RCS  +X  PERIGEE  ADJUST.  ©[072398-6692A] 

The  only  case  of  propellant  blockage  to  date  (STS-1)  demonstrated  that  the  screens  present  in  the 
system  are  adequate  to  preven  t  migration  of  contaminants.  STS-1  data  showed  that  50  percen  t  of 
the  OMS  oxidizer  inlet  filter  was  blocked  by  contaminants  with  small  traces  downstream.  The 
blockage  may  allow  flow  rate  sufficient  to  support  a  +X  translation  while  not  supporting  an  OMS 
flow  rate  ( +X  OX=3.9  Ib/sec  and  FU=2.4  Ib/sec  compared  to  OMS  OX=12  Ib/sec  and  FU=7.2 
Ib/sec,  reference  SODB  tables  4. 3. 2-1  and  4. 3. 3-1  for  flow  rates).  Troubleshooting  can  be 
performed  by  interconnecting  to  the  L(R)  RCS  1/2  leg.  The  OMS  propellant  might  be  able  to 
support  an  RCS  flow  rate,  thus  avoiding  an  undesirable  entry,  ( OMS  propellant  fail  is  not  protected 
and  can  mean  a  shallow  deorbit  and  no-yaw  jet  entry).  For  propellant  contamination  in  the  OMS 
to  reach  the  RCS  jets,  it  must  pass  through  seven  screens  (two  on  each  ac-motor  valve  and  one  at 
the  inlet  to  the  jet).  This  rule  will  also  allow  determination  of  a  leak  downstream  of  the  ball  valves 
that  would  appear  as  a  propellant  fail. 

CIL  retention  rationale  (FMEA  03-3-4002-1)  addresses  the  case  of  propellant  filter  screens 
blocked  by  con  tamination.  However,  the  conclusion  of  the  March  9,  1995,  PRCB  was  that  by  the 
time  of  the  deorbit  burn,  the  system  has  proved  itself  free  of  contaminants.  Even  so,  propellant 
lines  may  be  frozen  by  a  small,  undetected  leak  (ref.  AEFTP  #141,  August  15,  1997),  resulting  in  a 
propellant  fail  condition.  For  any  OMS  propellant  fail  (actual  or  suspected)  above  minimum  safe 
perigee  (safe  hp),  the  CIL  requirement  is  to  stop  the  burn  and  troubleshoot  the  problem  via 
interconnect.  ®[072398-6692A] 
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A6-54  QMS  PROPELLANT  FAIL  FEED  CONSTRAINTS  [CIL] 

(CONTINUED) 

B.  BELOW  MINIMUM  SAFE  PERIGEE  (SAFE  HP),  OMS  CROSSFEED  MAY  BE 

ATTEMPTED  FROM  THE  FAILED  SYSTEM  AFTER  THE  GOOD  SYSTEM  USABLE 
PROPELLANT  HAS  BEEN  USED.  ®[072398-6692A] 

Once  below  safe  Hp,  the  deorbit  burn  must  be  completed.  The  best  immediate  response  is  to  terminate 
propellant  wasting,  ensuring  the  delta  V from  the  remaining  OMS  is  utilized  efficiently.  Still,  because 
OMS  propellant  fail  is  not  protected  ( Ref.  All  Flights  Rule  (A6-303B},  OMS  REDLINES  [CIL]), 
attempting  completion  of  the  deorbit  burn  using  only  the  remaining  systems  (Good  OMS  +  Aft  RCS  + 

Fwd  RCS )  will  most  likely  violate  one  or  more  of  the  constraints  listed  above.  It  is  prudent,  therefore,  to 
attempt  a  crossfeed  from  the  failed  system  but  only  when  the  good  system  is  nearly  empty  ( i.  e. ,  4  percent 
quantity  remaining.)  In  that  way,  if  the  crossfeed  is  unsuccessful,  almost  no  delta  V  has  been  lost  in  the 
attempt.  However,  if  the  failure  proves  not  to  have  been  a  propellant  failure,  or  if  the  blockage  is  below 
the  crossfeed  tee,  the  crossfeed  will  be  successful  and  the  deorbit  burn  can  be  completed  normally.  RCS 
in  terconnect  to  the  failed  system  below  minimum  safe  perigee  should  not  be  attempted  since,  should  the 
interconnect  not  succeed,  there  is  not  sufficient  time  available  to  execute  the  necessary  recovery 
procedures  (staged  manifold  repress,  failed  jet  recovery,  etc.).  ®[072398-6692A] 

A6-55  OMS  N2  TANK  FAILURE  MANAGEMENT 

FOR  A  FAILED  OMS  N2  TANK,  THE  ASSOCIATED  ENGINE  WILL  NOT  BE  USED 
UNTIL  THE  DEORBIT  BURN  IN  ORDER  TO  CONSERVE  THE  FINAL  ENGINE 
RESTART.  IF  N2  REGULATOR  PRESSURE  >  366  (382)  PSIA,  TWO  STARTS 

ARE  POSSIBLE. 

With  an  )V2  tank  failure,  a  minimum  of  one  OMS  start  remains  in  the  accumulator.  This  start  will  be 
saved  for  the  final  engine  burn  in  order  to  main  tain  OMS  engine  redundancy  while  on  orbit.  If  the 
accumulator  pressure  is  sufficient  to  support  two  OMS  burns  (7V2  regulator  pressure  >  366  (382)  psi, 

83  psi  for  the  first  start  (no  purge),  and  283  psi  for  the  last  start  and  16  psi  instrumentation),  the 
engine  may  be  burned  if  subsequent  failures  dictate.  A  pressure  of  366  (382)  assumes  that  sufficient 
time  is  allowed  between  burns  to  allow  the  )V2  tank  to  return  to  equilibrium.  Both  burns  will  be  100 
percent  ball  valves  open.  (Ref.  Rules  {A6-4J,  OMS  N2  TANK;  {A6-5},  OMS  N2  ACCUMULATOR; 
and  [A6-56],  OMS  N2  REGULATOR  FAILURE  MANAGEMENT.)  (Reference  SODB,  volume  I, 
paragraph  3.4.3.3.15  and  4.3.3.1.d.) 
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A6-56  QMS  N2  REGULATOR  FAILURE  MANAGEMENT 

AN  OMS  ENGINE  WITH  INSUFFICIENT  OMS  N?  ACCUMULATOR  PRESSURE  (N2  REG 
PRESS  <  283  (299)  PSIA)  TO  OPEN  BOTH  BALL  VALVES  FULLY  WILL  NOT  BE 

USED  UNLESS  THE  OTHER  ENGINE  HAS  FAILED  AND  THEN  ONLY  FOR  THE 
DEORBIT  BURN.  IF  THE  OTHER  OMS  ENGINE  HAS  FAILED,  ACCUMULATOR 
PRESSURE  ON  THE  REMAINING  OME  MUST  SUPPORT  90  PERCENT  BALL  VALVE 
OPENING  (N2  REG  PRESS  >  270  (270)  PSIA) . 

Lower  than  100  percent  ball  valve  opening  will  result  in  off-nominal  start  characteristics.  The  risk  of 
using  an  engine  with  <  100  percent  ball  valve  opening  is  only  acceptable  if  it  is  the  last  OME  available 
for  the  deorbit  burn.  If  an  OMS  engine  has  failed  and  the  other  will  support  90  percent  opening  (N2  Reg 
P  >  270  (270)  psia),  then  the  risk  versus  risk  tradeoff  is  between  90  percent  OME  ball  valve  opening  (no 
regulator  pressure  instrumentation)  and  RCS  deorbit.  The  90  percent  OME  is  preferable  in  this  case.  If 
the  last  remaining  OME  can  only  support  <  90  percent,  then  an  RCS  deorbit  must  be  performed  since 
performance  drops  off  drastically  at  lower  N 2  or  accumulator  pressures.  At  228  psia  with  pressurization 
valves  open  ( 246  psia  if  closed),  the  ball  valves  only  open  to  70  percen  t  with  greater  than  1/2  second 
transition  time.  Engine  starting  characteristics  are  unacceptable  with  this  slow  opening  time.  Reference 
Rules  {A6-5j,  OMS  N2  ACCUMULATOR;  and  {A6-55},  OMS  N2  TANK  FAILURE  MANAGEMENT. 

( Reference  SODB,  volume  I,  3.4.3.3.14,  and  volume  III,  table  4.3.3.) 
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A6-57  AFT  RCS  PROPELLANT  TANK  FAIL/HELIUM  INGESTION 

A.  MATRIX: 


PRE-MECO 

TANK  QUANTITY 
(PERCENT) 

RTLS 

ASCENT 

ORBIT 

ENTRY 

QTY  >75 

?  NOM  ET  SEP 

?  NOM  ET  SEP 

?  NOM  ORBIT  OPS 

?  NOM  ENTRY 

QTY  <75 

?  XFEED  FROM 
GOOD  RCS  FOR 

ET  SEP 

?  AFFECTED  POD 
AVAIL  FOR  GRTLS 
IF  REQ’D 

?  XFEED  FROM 
GOOD  RCS  FOR 

ET  SEP 

?  POST-OMS-1 
INTERCONNECT 
FROM  OMS 

?  PRIMARY  JETS: 

INTERCONNECT 
FROM  OMS  OR 
XFEED  FROM 
GOOD  RCS 

?  VERNIER  JETS: 

NOM  ORBIT  OPS 

?  AFFECTED  POD 
AVAIL  POST-EI 

B.  RULES: 

1.  AN  RCS  TANK  WILL  BE  CONSIDERED  FAILED  FOR  ET  SEPARATION 
IF  PRE-MECO  TANK  QUANTITY  <  75  PERCENT.  ET  SEPARATION 
WILL  BE  PERFORMED  IN  CROSSFEED  FROM  GOOD  RCS. 

An  analysis  has  been  completed  based  upon  the  RCS  tank  redesign  ( addition  of  abort  helium  diffusers 
and  deletion  of  abort  ducts )  and  recertification  of  the  ARCS  tanks.  The  analysis  has  shown  that  a  gauge 
quantity  of  less  than  75  percent  prior  to  MECO  results  in  a  gas  “short”  to  the  lower  compartment  (L/C) 
and  large  quan  tities  of  gas  will  transfer  to  the  L/C  prior  to  the  start  of  mated  coast  extern  al  tank 
separation  (MC/ET  SEP).  Usage  from  tanks  in  this  condition  should  be  avoided  during  MC/ET  SEP  by 
crossfeeding  from  the  good  side  to  prevent  possible  jet  fail  because  of  helium  ingestions.  Reference 
SODB,  volume  I,  paragraph  3. 4. 3.2-14.  c. 

2.  AN  RCS  TANK  SUSPECTED  TO  HAVE  INGESTED  HE: 

a.  CAN  BE  USED  DURING  ENTRY  (POST-EI)  WITH  NO 

RESTRICTIONS  OTHER  THAN  TO  ACCOUNT  FOR  INCREASED  TANK 
RESIDUALS  (LOSS  OF  PROPELLANT  PRIOR  TO  MECO  WILL 
INCREASE  TANK  RESIDUALS  BY  1 1  PERCENT) . 

The  additional  gas  that  transfers  to  the  L/C  will  impact  the  tank  entry  expulsion  efficiency  by  as  much  as 
11  percent.  However,  during  entry  the  gravitational  force  will  hold  the  propellant  over  the  tank  outlet 
preventing  helium  ingestion  and  allowing  use  of  the  tank. 
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A6-57  AFT  RCS  PROPELLANT  TANK  FAIL/HELIUM  INGESTION 

(CONTINUED) 

b.  CAN  BE  USED  FOR  VERNIER  JET  OPERATIONS. 

C.  WILL  NOT  BE  USED  FOR  PRIMARY  JET  ORBIT  OPERATIONS. 

Since  the  vernier  jets  do  not  result  in  an  excessive  delta  pressure  across  the  RCS  bulkhead  screens  to 
cause  screen  breakdown,  verniers  may  be  used  for  on-orbit  operations.  Rule  {A2-54J,  RTLS,  TAL,  AND 
AO  A  ABORTS  FOR  SYSTEM  FAILURES  [CIL],  references  this  rule. 

A6-58  RCS  REGULATOR  FAILURE  TROUBLESHOOTING 

THE  FORWARD  AND  AFT  RCS  WILL  NOT  BE  OPERATED  IN  BLOWDOWN  MODE  TO 
TROUBLESHOOT  A  REGULATOR  PATH  IF  A  REDUNDANT  PRESSURE  PATH 
EXISTS . 

There  will  be  no  troubleshooting  for  an  RCS  regulator  flow  path  unless  additional  failures  restrict  the 
remaining  flow  path.  Crew  actions  and  flight  impact  are  independent  of  the  failure  mode  determined  by 
troubleshooting  the  system.  It  is  not  prudent  to  expose  the  system  to  off-nominal  operating  conditions 
during  troubleshooting  when  no  real  procedural  advantage  can  be  realized. 
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A6-59  LOSS  OF  AFT  RCS  LEAK  DETECTION 

RCS  CROSSFEED  OR  OMS/RCS  INTERCONNECT  WILL  BE  UTILIZED  DURING 
CREW  SLEEP  PERIODS  FOR  THE  LOSS  OF  SINGLE  ARCS  POD  LEAK  DETECTION 
CAPABILITY. 

During  crew  sleep  periods,  by  crossfeeding  or  interconnecting  to  a  good  system  (RCS  or  OMS 
respectively),  use  of  the  system  with  no  leak  detection  capability  available  can  be  avoided  and  the  feeding 
system  leak  detection  capability  can  be  utilized. 

Because  of  SMS  limitations  and  inability  to  model  thermal  effects,  training  in  propellant  leak  detection 
has  typically  been  limited  to  annunciation  of  pressure  decays  with  no  associated  temperature  decrease. 

For  small  leaks,  we  feel  that  temperature  will  be  our  only  indication.  For  large  leaks,  cooling  will 
certainly  accompany  the  pressure  decay.  Therefore,  with  the  existing  temperature  sensors  and 
associated  FDA,  we  believe  the  primary  means  for  leak  detection  will  be  thermal  monitoring. 

The  philosophy  to  terminate  in  terconnect  prior  to  crew  sleep  was  changed  prior  to  STS  4FB  because  of 
newly  identified  crossfeed  line  surge  pressure  concerns  and  the  desire  to  minimize  the  number  of  times 
the  interconnect  mode  was  established.  In  addition,  a  better  understanding  of  the  pod  thermal  effects  as 
a  result  of  propellant  leakage  resulted  in  an  increased  confidence  that  small  leaks  would  be  more  readily 
detectable  through  thermal  indications  rather  than  the  standard  pressure  decay  (reference  APU 
HYDRAZINE  LEAK  ON  STS  41 -A).  Consequently,  we  feel  that  maintaining  interconnect  operations 
during  sleep  periods  can  be  accomplished  safely  while  at  the  same  time  maintaining  an  adequate  leak 
detection  capability  with  associated  crew  FDA. 

During  crew-awake  periods,  the  RCS  propellant  tank  pressure  FDA  may  be  used  to  provide  leak 
detection  by  isolating  the  helium  tank  and  forcing  the  RCS  to  operate  in  a  blowdown  mode.  This  allows 
propellant  to  be  used  from  the  degraded  system  while  still  providing  leak  detection  capability.  Also, 
because  the  RCS  has  much  less  ullage  than  the  OMS,  less  propellant  would  be  leaked  prior  to 
annunciation  when  operating  with  the  RCS  in  blowdown  than  when  interconnected  from  the  OMS. 
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A6-60  RCS  MANIFOLD  CLOSURE  CRITERIA 

RCS  MANIFOLDS  MAY  BE  CLOSED  FOR  THE  FOLLOWING  CONDITIONS: 

RCS  man  ifolds  are  nominally  open.  Manifolds  that  have  been  closed  may  cause  complications  if  they 
are  reopened  after  the  manifold  pressure  significantly  decreases  due  to  a  temperature  change  or  a  leak. 
A  high  pressure  spike  will  be  transmitted  through  the  manifold  when  the  manifold  valve  is  reopened.  If 
the  pressure  spikes  are  large  enough,  thruster  valve  bounce  may  occur  resulting  in  propellant  leakage. 

Therefore,  the  manifolds  are  only  cycled  for  the  following  identified  cases. 

*  Note:  There  is  no  concern  with  vernier  manifold  pressure  spikes  and  no  concern  with  rupturing  the 

primary  manifold  bellows.  (Some  test  data  indicate  primary  thruster  valves  may  only  bounce 
if  helium  gas  is  in  the  injector  valve.) 

A.  SYSTEM  LEAK  TROUBLESHOOTING. 

Current  leak  isolation  procedures  require  manifold  isolation  valves  to  be  closed.  In  the  event  of  a 
manifold  leak,  the  manifold  valve  must  be  closed  to  prevent  any  further  leakage.  If  the  leak  was  not  in 
the  manifold,  the  manifold  valve  can  be  reopened  with  no  damage  to  the  failed  system. 

B.  ISOLATION  OF  RM  INDICATED  FAILED-ON  JET  (FOR  VERIFIED  FAILED 
ON  JET,  MANIFOLD  WILL  NOT  BE  OPENED) . 

For  an  RCS  jet  failed  on,  the  associated  manifold  valve  must  be  closed  to  prevent  excessive  propellant 
usage  and  attitude  control  problems. 

For  false  fail-on  indications,  the  manifold  can  be  reopened.  MCC  should  then  consult  Rule  {A6-156}, 
RCS  RM  LOSS  MANAGEMENT. 

For  real  fail-on  jets  the  manifold  will  be  evacuated  when  closed.  If  the  failure  has  been  cleared  and  the 
affected  manifold  is  required  to  be  GO  for  on-orbit  operations,  a  GMEM  procedure  is  available  to 
repressurize  the  evacuated  manifold.  Consult  Rule  { A6-61J ,  RCS  MANIFOLD/OMS  CROSSFEED  LINE 
REPRESSURIZATION  [CIL ]. 
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A6-60  RCS  MANIFOLD  CLOSURE  CRITERIA  (CONTINUED) 

C.  ISOLATION  OF  RM  INDICATED  LEAKING  JET. 

1.  IF  DIVERGENCE  OCCURS  BETWEEN  OXIDIZER  AND  FUEL 
QUANTITIES . 

2.  IF  CORRESPONDING  NONLEAKING  INJECTOR  TEMPERATURE  DROPS 
BELOW  40  DEG  F. 

3.  IF  INJECTOR  TEMPERATURES  AND  CHAMBER  PRESSURE  SIGNATURES 
INDICATE  BOTH  INJECTOR  VALVES  ARE  LEAKING. 

4.  IF  LEAK  RATE  IS  OF  THE  MAGNITUDE  THAT  RESULTS  IN  PLUGGING 
OF  THE  CHAMBER  THROAT  AS  INDICATED  BY  CHAMBER  PRESSURE 
AND  INJECTOR  TEMPERATURES. 

Normally  no  action  is  taken  if  a  jet  should  fail  leak.  The  injector  valves  are  pressure  assisted  by  design. 
Maintaining  system  pressure  on  the  valve  provides  the  best  seed  possible  at  the  injector  valve  seat  which 
may  help  seal  the  leak.  Also,  it  is  undesirable  to  close  the  manifold  isolation  valve  because  of  the  loss  of 
additional  RCS  jets  on  that  manifold  (RCS  RM  declares  the  jets  unavailable  if  manifold  isolation  valves 
are  closed ).  If  the  manifold  isolation  valve  were  to  be  closed,  the  isolated  manifold  pressure  would 
quickly  decrease  because  of  the  leak. 

The  manifold  isolation  valve  shall  be  closed  if  any  of  the  following  conditions  are  met: 

a.  To  isolate  the  leaking  jet  from  the  system  should  a  divergence  be  detected  between  the  oxidizer  and 
fuel  quantities. 

b.  To  preven  t  ZOTS  from  occurring  if  both  injector  valves  should  start  leaking.  Due  to  the  evaporative 
cooling  effect  of  the  initial  propellan  t  leak,  the  temperature  of  the  nonleaking  engine  valve  will  tend 
to  decrease.  Should  the  second  propellant  valve  begin  to  leak  due  to  cold  temperature,  the  resulting 
dual  propellant  leak  can  have  very  undesirable  effects,  such  as  valve  ZOT.  The  minimum 
temperature  reached  by  the  nonleaking  valve  is  primarily  a  function  of  the  leak  rate  of  the  leaking 
valve.  Thus,  for  a  leaking  jet,  the  nonleaking  valve/injector  temperature  differen  tial  cannot  be 
determined.  The  40  deg  F  limit  represen  ts  best  engineering  judgmen  t  for  the  min  imum  acceptable 
injector  temperature  for  the  nonleaking  valve.  @[091098-6708  ] 

c.  To  prevent  off-nominal  combustion  in  the  chamber  due  to  both  valves  leaking,  as  evidenced  by 
injector  temperature  and  chamber  pressure.  @[091098-6708  ] 

d.  To  preven  t  second  valve  leakage  due  to  initial  valve  leakage  causing  blockage  of  the  chamber 
throat.  Blockage  of  the  chamber  throat  will  cause  pressure  to  build  up  on  the  outside  portion  of 
the  seal  of  the  nonleaking  valve,  thus  reducing  its  seeding  force. 
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A6-60  RCS  MANIFOLD  CLOSURE  CRITERIA  (CONTINUED) 

D.  SYSTEM  SECURING  AS  A  RESULT  OF  POWERDOWNS. 

Orbiter  failures  resulting  in  powerdown  of  electrical  buses  may  cause  the  loss  of  RCS  jet  heaters  and/or 
jet  injector  temperatures.  Loss  of  the  jet  heaters  will  allow  the  jets  to  cool  and  the  injector  valve  Teflon 
seeds  to  shrink.  When  injector  temperatures  reach  approximately  47  deg  F,  leakage  may  occur 
preven  ting  future  use  of  the  jet  (ref.  Rule  {A6-257},  RCS  JET  TEMPERATURE  MANAGEMENT). 
Special  hot  fire  procedures  could  be  utilized  to  warm  the  jets  but  may  be  unpractical  because  of  the 
numerous  jets  affected.  The  manifold  valves  can  be  closed  reducing  propellant  leakage  into  the  jet. 
@[091098-6708] 

E.  UNRECOVERABLE  LOSS  OF: 

1.  COMMAND  PATH  TO  ALL  JETS  ON  A  MANIFOLD. 

2.  ELECTRICAL  POWER  (BOTH  REDUNDANT  SOURCES)  TO  A  REACTION 
JET  DRIVER  (RJD) . 

3.  RJD  FUNCTION  TO  ALL  ITS  ASSOCIATED  JETS. 

These  three  cases  lose  all  jets  on  a  single  manifold.  No  additional  jets  can  be  lost  because  of  the 
manifold  closure.  Thus  no  additional  capability  is  lost  and  the  manifold  will  remain  closed  to  protect 
against  leaks  or  jet  failures. 
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A6-61  RCS  MANIFOLD/OMS  CROSSFEED  LINE  REPRESSURIZATION 

[CIL] 

A.  RCS  MANIFOLD  REPRESSURIZATION  MANAGEMENT: 

1 .  GENERAL : 

a.  MANIFOLDS  WILL  BE  REPRESSURIZED  DIRECTLY  FROM  THE 
TANK  VOLUME  USING  THE  MANIFOLD  ISOLATION  VALVE 
ANYTIME  BOTH  THE  MANIFOLD  PRESSURES  >  130  PSIA. 

Tests  conducted  at  WSTF  revealed  that  when  repressurization  of  a  manifold  was  attempted  with  an  initial 
manifold  pressure  <  50  psia  and  the  tank  pressure  approximately  245  psia,  the  thruster  valves  bounced, 
leaking  propellant  into  the  combustion  chamber.  The  uncontrolled  leaking  of  oxidizer  or  fuel  into  the 
chamber  can  lead  to  oxidizer/fuel  detonation  in  the  injector  passage  (ZOT’s).  The  concern  is  that  the 
fuel  will  stay  in  the  oxidizer  injector  passages  and  will  not  vaporize  prior  to  the  oxidizer  reaching  the  jet 
(vapor  pressure:  oxidizer  =  15  psi;  fuel  =  0  psi).  Consequently,  combustion  will  take  place  in  the 
injector  instead  of  the  chamber,  leading  to  thruster  valve  damage  and  propellant  leaks.  Based  on  these 
concerns  and  the  test  results,  it  was  agreed  inflight  techniques  to  use  special  procedures  (stage  repress) 
if  time  permits  for  repressurization  of  manifolds  where  both  the  oxidizer  and  fuel  manifold  pressure  < 

130  psia  (130  =  50  pressure  +  50  pad  +  30  instrumentation).  Repress  via  the  manifold  isolation  valve 
will  be  performed  only  if  mandatory  for  attitude  control  during  time-critical  phases.  There  is  no 
restriction  against  repressing  manifolds  if  the  manifold  pressure  >  130  psia. 

b.  SIMULTANEOUS  REPRESSURIZATION  OF  MORE  THAN  ONE  SET 
(OXIDIZER  AND  FUEL)  OF  EVACUATED  MANIFOLDS  FROM  AN 
RCS  TANK  IS  NOT  ALLOWED. 

Simultaneous  repressurization  of  evacuated  manifolds  is  not  allowed.  Two  evacuated  manifolds 
repressed  at  WSTF  resulted  in  an  RCS  tank  bulkhead  delta  pressure  >7.0  psid  (spec  limit  =  3.7  psid). 
This  could  result  in  damage  to  the  bulkhead,  resulting  in  broken  screens,  helium  gas  ingestion  into  the 
jets,  jet  failure,  and  subsequen  t  loss  of  the  tank. 

C.  VERNIER  MANIFOLDS  WILL  BE  REPRESSURIZED  USING  THE 
MANIFOLD  ISOLATION  VALVE  IF  THE  VERNIER  JETS  ARE 
OTHERWISE  AVAILABLE  FOR  NORMAL  ON-ORBIT  OPERATIONS. 

There  is  no  constraint  against  repressing  a  vernier  manifold.  The  vernier  thruster  valves  are  solenoid, 
not  pilot  operated,  arid  do  not  bounce  when  subjected  to  large  pressure  spikes.  The  vernier  alignment 
bellows  spec  limit  was  exceeded  during  repress  tests  at  WSTF,  but  resulted  in  no  damage.  As  long  as  the 
vernier  jet  capability  is  not  precluded  by  another  system  failure,  vernier  manifolds  will  be  repressed  as 
required. 
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A6-61  RCS  MANIFOLD/OMS  CROSSFEED  LINE  REPRESSURIZATION 

[CIL]  (CONTINUED) 

d.  LEAKING  LINES  WILL  NOT  BE  REPRESSURIZED  UNLESS 
MANDATORY  FOR  VEHICLE  CONTROL. 

The  risks  associated  with  leaking  propellant  into  an  OMS  pod  or  forward  RCS  module  do  not  warrant 
feeding  a  leak  if  the  flow  path  is  not  mandatory  to  maintain  vehicle  con  trol.  Leaking  lines  should  not  be 
repressed  to  gain  redundancy.  The  corrosive  effects  of  oxidizer  (N2O4),  along  with  structural  integrity 
(bulkhead  delta  P)  concerns  and  toxicity,  make  it  undesirable  to  feed  an  OX  leak  un  less  mandatory.  The 
fire ,  explosive,  and  toxicity  hazards  of  the  fuel  (mmH)  make  it  undesirable  to  feed  a  fuel  leak  unless 
mandatory.  Leakage  of  either  propellan  t  in  a  vacu  um  en  vironmen  t  may  cause  freezing  of  other  pod 
componen  ts  resu  lting  in  loss  of  additional  propulsion  capability. 

2.  INDIVIDUAL  OXIDIZER  OR  FUEL  MANIFOLD  PRESSURE  <  130  PSIA: 

MANIFOLDS  WILL  BE  REPRESSURIZED  DIRECTLY  FROM  THE  TANK 
USING  THE  MANIFOLD  ISOLATION  VALVE  EXCEPT  IF  CAUSED  BY  A 
JET  FAIL  LEAK  OR  PROPELLANT  LEAK.  MANIFOLD (S)  WILL  BE 
REPRESSURIZED  IF  REQUIRED  FOR  ET  SEPARATION  OR  ENTRY 
CONTROL. 

ANYTIME  IF  MANDATORY  TO  MAINTAIN  ATTITUDE  CONTROL. 

Repressing  a  manifold  where  cm  individual  oxidizer  or  fuel  manifold  pressure  <  130  psia  and  the  other 
pressure  >  130  psia  is  allowed  using  the  manifold  isolation  valve.  For  this  case,  the  expected  valve 
bounce  will  only  occur  on  the  affected  propellant  manifold,  leaking  only  oxidizer  or  fuel  into  the 
chamber.  The  presence  of  one  propellan  t  does  not  represen  t  a  ZOT  risk  if  the  propellan  t  sublimes  and 
clears  the  chamber  before  further  jet  use.  Oxidizer  will  clear  the  chamber  in  approximately  10  seconds 
while  fuel  takes  1  to  2  minutes. 

Manifolds  will  not  be  repressed  on  orbit  if  the  manifold  pressure  decay  was  caused  by  a  propellan  t  leak. 
Repressing  the  man  ifold  may  increase  the  leak  rate.  For  jet  leaks,  manifolds  may  be  repressed  in  cm 
attempt  to  put  pressure  on  the  injector  valve,  possibly  sealing  the  leak.  These  manifolds  can  be 
repressed  during  entry  if  mandatory  for  control. 

3.  BOTH  OXIDIZER  AND  FUEL  MANIFOLD  PRESSURE  <  130  PSIA: 

a.  AN  EVACUATED  MANIFOLD  CAUSED  BY  A  JET  FAIL-ON  WILL 
NOT  BE  REPRESSURIZED  UNLESS  THE  FAILURE  HAS  BEEN 
CLEARED . 
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A6-61  RCS  MANIFOLD/OMS  CROSSFEED  LINE  REPRESSURIZATION 

[CIL]  (CONTINUED) 

b.  MANIFOLDS  WILL  BE  REPRESSURIZED  DIRECTLY  FROM  THE 
TANK  USING  THE  MANIFOLD  ISOLATION  VALVE: 

(1)  ANYTIME  IF  MANDATORY  TO  MAINTAIN  ATTITUDE 
CONTROL. 

(2)  DURING  NOMINAL/RTLS  ASCENT  IF  REQUIRED  FOR  ET 
SEPARATION.  (SEE  RULE  {A8-55},  ET  SEPARATION 
RCS  REQUIREMENTS.) 

NOTE:  MANIFOLDS  WILL  NOT  BE  REPRESSED  TO  REGAIN 
REDUNDANCY.  MULTIPLE  MANIFOLDS  WILL  BE 
REPRESSED  IF  REQUIRED  FOR  ET  SEPARATION  OR 
ENTRY  CONTROL. 

C.  INADVERTENT  EVACUATED  MANIFOLDS  WILL  BE  REPRESSURIZED 
ON  ORBIT  USING  A  READ/WRITE  PROCEDURE  IF  REQUIRED  TO 
BE  GO  TO  STAY  ON  ORBIT. 

d.  A  STAGED  REPRESSURIZATION  PROCEDURE  WILL  BE  USED  ON 
ORBIT  TO  REPRESSURIZE  MANIFOLDS  AT  VAPOR  PRESSURE 
(LIQUID  IN  LINES) . 

A  staged  repressurization  or  read/write  procedure  will  be  used  on  orbit  to  repressurize  desired 
manifolds  where  both  the  oxidizer  and  fuel  manifold  pressures  are  <  130  psia.  The  staged 
repressurization  procedure  is  only  effective  if  liquid  exists  in  the  lines  and  will  not  work  for  an 
evacuated  manifold.  The  manifold  is  repressurized  using  the  line  volume  between  the  tank  isolation 
valves  and  the  manifold  isolation  valves  until  a  manifold  pressure  >  130  psia  is  achieved.  (If  the 
manifold  pressure  is  not  above  vapor  pressure  after  the  first  cycle  of  the  staged  repressurization 
procedure,  the  manifold  may  be  partially  evacuated  and  the  staged  repressurization  procedure  will  not 
work.)  Repressurization  directly  from  the  tank  is  acceptable  after  manifold  pressures  are  >  130  psia. 

The  read/write  procedure  allows  the  inadvertent  evacuated  manifold  to  be  repressurized  on  orbit 
withou  t  the  risk  of  a  ZOT  occurring.  The  GMEM  procedu  re  con  sists  of  open  ing  the  oxidizer  tank 
isolation  valve  prior  to  the  fuel  isolation  valve,  allowing  the  oxidizer  to  sublimate  before  the  fuel 
arrives  at  the  jet.  These  procedures  will  not  be  attempted  in  time-critical  phases.  Deorbit  preparation 
OPS  3  transition  has  been  baselined  as  the  point  at  which  these  special  procedures  will  no  longer  be 
utilized.  The  manifold  isolation  valve  will  be  used  to  repressurize  a  manifold  directly  from  the  tank 
volume  during  time-critical  phases.  Confirmed  jet  fail-on  evacuated  manifolds  will  not  be 
repressurized  due  to  excessive  propellant  consumption  and  the  possibility  of  further  jet  and  RCS 
propellant  tank  damage.  However,  jet  fail-on  evacuated  manifolds  will  be  repressurized  if  the  failures 
have  been  cleared  (no  driver  out  command  with  the  RJD  power  on).  The  inadvertent  evacuated 
manifold  repressurized  actions  should  be  used  in  this  case. 
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A6-61  RCS  MANIFOLD/OMS  CROSSFEED  LINE  REPRESSURIZATION 

[CIL]  (CONTINUED) 


B.  OMS/RCS  CROSSFEED  LINE  REPRESSURIZATION  MANAGEMENT  [CIL] : 


FUEL  PRESSURE 


>  130  PSIA 

<  130  PSIA  AND  > 
35  PSIA 

<  35  PSIA 

OXID  PRESSURE 
>  130  PSIA 

[i] 

[i] 

[3]  [4] 

OXID  PRESSURE 
<  130  PSIA  AND 
>49  PSIA 

[i] 

[2]  [5] 

[4]  [6] 

OXID  PRESSURE 
<49  PSIA 

[3]  [4] 

[4]  [6] 

[4]  [6] 

NOTES: 

[1]  NOMINAL  OPERATIONS  ALLOWED. 

[2]  CROSSFEED  LINE  AVAILABLE  FOR  INTERCONNECT/CROSSFEED  OPERATIONS  SUBJECT  TO 
RCS  MANIFOLD  REPRESS  CONSTRAINTS. 

[3]  REPRESSURIZATION  OF  RCS  MANIFOLDS  ALLOWED  FROM  THE  RCS  USING  THE  MANIFOLD 
ISOLATION  VALVES  ONE  MANIFOLD  AT  A  TIME.  (REF.  PARAGRAPH  A.) 

[4]  REPRESSURIZATION  OF  CROSSFEED  NOT  ALLOWED  UNLESS  CRITICAL  FOR  CREW  SAFETY. 

[5]  REPRESSURIZATION  OF  RCS  MANIFOLDS  ALLOWED  USING  RCS  OR  OMS  STAGED 
REPRESSURIZATION  PROCEDURE.  (REF.  PARAGRAPH  A.) 

[6]  REPRESSURIZATION  OF  RCS  MANIFOLDS  ALLOWED  USING  RCS  STAGED  REPRESSURIZATION 
PROCEDURES  ONLY.  (REF.  PARAGRAPH  A.) 


1.  RCS  MANIFOLD  PRESSURES  WILL  BE  USED  ON  ORBIT  TO  DETERMINE 
THE  GO/NO-GO  STATUS  OF  THE  CROSSFEED  LINE  PRIOR  TO 
REPRESSURIZATION  DIRECTLY  FROM  THE  PROPELLANT  TANK. 


All  10  manifolds  are  used  because  analysis  indicates  if  the  crossfeed  pressure  were  at  a  minimum 
because  of  thermal  cycles,  the  pressure  con  tained  in  the  volume  of  10  manifolds  is  sufficient  to  bring  the 
crossfeed  pressure  up  to  within  acceptable  limits  without  a  special  staged  repressurization  procedure. 
There  are  pressure  transducers  on  the  crossfeed  lines;  however,  when  the  lines  are  isolated,  thermal 
cycles  cause  the  pressures  of  the  hydraulically  locked-up  lines  to  cycle  significantly.  The  crossfeed  line 
pressure  transducers  have  a  large  instrumentation  error  (34  psia);  and,  when  the  lines  are  isolated,  the 
fuel  line  pressure  frequently  indicates  below  the  sum  of  the  vapor  pressure  (1  psia)  and  the 
instrumentation  error.  The  RCS  manifold  pressures  are,  therefore,  used  as  a  pressure  check  at  the  time 
of  in  terconnect  or  crossfeed.  Note  that  when  the  RCS  manifolds  are  opened  to  the  crossfeed  lines,  the 
RCS  tank  isolation  and  OMS  crossfeed  valves  are  closed,  alleviating  the  concern  of  a  pressure  surge 
from  a  large  pressurcint  source  and  ullage.  An  average  pressure  of  all  oxidizer  man  ifolds  will  be  used  as 
the  oxidizer  crossfeed  line  pressure  for  evaluation.  An  average  will  also  be  used  for  the  fuel  crossfeed 
line  pressure.  Instrumentation  bias  must  also  be  considered  prior  to  averaging  the  pressures. 
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A6-61  RCS  MANIFOLD/OMS  CROSSFEED  LINE  REPRESSURIZATION 

[CIL]  (CONTINUED) 

a.  OXIDIZER  OR  FUEL  MANIFOLD  PRESSURES  <  15  (49)  PSIA 

OXIDIZER  OR  <  1  (35)  PSIA  FUEL.  THE  CROSSFEED  LINE 

WILL  BE  CONSIDERED  FAILED  FOR  FURTHER  ON-ORBIT 
OPERATIONS  UNLESS  CRITICAL  FOR  CREW  SAFETY.  DEORBIT 
WILL  BE  SCHEDULED  AT  THE  NEXT  PLS . 

If  the  oxidizer  pressure  is  <  49  psia  and/or  the  fuel  pressures  <  35  psia,  repress  of  the  OMS  crossfeed 
line  from  a  high  pressure  tank  is  not  allowed.  A  staged  repressurization  may  be  attempted  to  increase 
the  crossfeed  pressures  to  within  acceptable  limits.  If  the  staged  repressurization  is  unsuccessful ,  the 
crossfeed  line  will  be  declared  failed.  The  pressure  limits  are  based  on  cm  instrumentation  error  of  34 
psia  and  vapor  pressure  of  15  psia  for  the  oxidizer  and  one  for  the  fuel.  WSTF  tests  have  verified  that 
repressurizing  a  crossfeed  line  at  pressures  less  than  propellant  vapor  pressure  is  known  to  create 
unacceptable  large  surge  pressures  and  must  be  avoided  if  possible.  ( Reference  SODB  3.4.3.3.17.) 

Flight  Rules  require  two  methods  of  deorbit  capability  to  be  go  past  the  next  PLS.  Because  of  the 
crossfeed  line  failure,  there  will  be  no  downmode  capability  for  an  OMS  engine  failure  during  the 
deorbit  burn.  ( Reference  Rule  {A6-358J,  VIOLATION  OF  MISSION  COMPLETION  REDLINES 
MATRIX.) 


b.  OXIDIZER  AND  FUEL  MANIFOLD  PRESSURES  >  15  (49)  PSIA 

OXIDIZER  OR  >  1  (35)  PSIA  FUEL.  THE  CROSSFEED  LINE 

IS  AVAILABLE  FOR  INTERCONNECT/CROSSFEED  OPERATIONS 
SUBJECT  TO  RCS  MANIFOLD  REPRESSURIZATION  CONSTRAINTS 
(REF.  PARAGRAPH  A.) 


For  crossfeed  pressures  >  49  psia  oxidizer  or  >  35  psia  fuel,  there  are  no  crossfeed  line  con  strain  ts. 
However,  the  RCS  manifolds  require  a  staged  repressurization  when  both  propellants  are  <  130  psia. 
The  staged  repressurization  procedure  will  preven  t  surge  pressures  from  bouncing  the  jet  injector  valves 
and  causing  a  ZOT.  An  OMS  staged  repressurization  procedure  exists  that  allows  the  repressurization 
of  all  10  RCS  manifolds  simultaneously  rather  than  one  at  a  time.  ( Ref.  paragraph  A.) 

2.  THE  OMS  CROSSFEED  LINE  WILL  BE  USED  INDEPENDENT  OF  THE 
CROSSFEED  LINE  PRESSURE  FOR  MANEUVERS  CRITICAL  FOR  CREW 
SAFETY,  ABORT  PROPELLANT  DUMPS,  OR  IF  REQUIRED,  TO 
MAINTAIN  ATTITUDE  CONTROL. 


Any  interconnect  or  crossfeed  required  for  crew  safety  will  be  executed  without  regard  to  the  crossfeed 
line  pressure. 
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A6-61  RCS  MANIFOLD/OMS  CROSSFEED  LINE  REPRESSURIZATION 

[CIL]  (CONTINUED) 


3.  THE  OMS  CROSSFEED  LINE  WILL  NOT  BE  USED  TO  SUPPORT 

MISSION  SUCCESS  ACTIVITIES  (CROSSFEED/ INTERCONNECT)  UNTIL 
AN  ACCEPTABLE  CROSSFEED  LINE  PRESSURE  HAS  BEEN  VERIFIED. 


The  OMS  crossfeed  line  will  not  be  used  to  support  mission  success  activities  (crossfeed/interconnect)  until 
a  satisfactory  pressure  check  has  been  performed.  This  includes  on-orbit  crossfeed  burns  ( planned  or  as  a 
result  of  an  engine  failure).  The  risk  of  structural  damage  as  a  result  of  excessive  surge  pressures  ( i.  e. ,  no 
crossfeed  pressure  check)  will  only  be  accepted  if  the  crossfeed  is  required  to  maintain  crew  safety. 

Rules  { A2-54B.3 },  RTLS,  TAL,  AND  AO  A  ABORTS  FOR  SYSTEMS  FAILURES  [CIL];  and  (A6-60J, 

RCS  MANIFOLD  CLOSURE  CRITERIA,  reference  this  rule. 

A6-62  OMS /RCS  CONTINUOUS  VALVE  POWER  MANAGEMENT 

WHEN  DETECTED,  CONTINUOUS  POWER  TO  AN  OMS /RCS  AC  MOTOR  VALVE  WILL 
BE  REMOVED  ACCORDING  TO  THE  FOLLOWING  GUIDELINES: 

A.  BY  PLACING  THE  APPROPRIATE  SWITCH  IN  GPC,  OR 

B.  IF  "A"  IS  UNSUCCESSFUL  AND  CONTINUOUS  POWER  OCCURRED  DURING  A 
NONCRITICAL  RECONFIGURATION  PERIOD,  BY  PULLING  THE 
APPROPRIATE  AMC  POD  BUS  CIRCUIT  BREAKERS. 

CIRCUIT  BREAKERS  PULLED  UNDER  "B" : 

1.  WILL  BE  RESET  DURING  CRITICAL  RECONFIGURATION  PERIODS. 

2.  MAY  BE  RESET  IF  VALVE  MOVEMENT  IS  REQUIRED. 

A  CRITICAL  RECONFIGURATION  PERIOD  IS  DEFINED  AS  MM  102  TO  105,  MM 
302  THROUGH  THE  OPS  9  TRANSITION,  RENDEZVOUS,  OR  ORBIT  BURNS 
REQUIRING  A  NON-STRAIGHTFEED  DOWNMODE. 

Continuous  power  is  detectable  only  through  ground  monitoring  of  MCA  logic  status  discretes.  A 
reading  of  “0”  for  an  unexpected  length  of  time  indicates  the  presence  of  a  continuous  power  situation. 
Analysis  indicates  that  continuous  power  on  a  valve  in  conjunction  with  a  fuel  leak  through  the  valve 
bellows  may  result  in  auto-decomposition  ofnvnH.  Since  bellows  leaks  are  not  detectable  in  flight, 
removing  power  minimizes  the  potential  hazard.  Tests  to  date  have  not  yet  resulted  in  auto- 
decomposition  ofmmH.  Therefore,  during  critical  reconfiguration  periods  where  immediate  OMS/  RCS 
valve  movement  is  required,  the  circuit  breakers  will  be  reset.  Use  of  the  switch  to  remove  power  is 
preferred  over  pulling  the  circuit  breakers,  since  it  affects  only  a  single  valve.  Pulling  of  the  AMC  pod 
bus  circuit  breakers  affects  only  OMS/RCS  valve  functions. 
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A6-63  RCS  BFS  PVT  INIT  PRELAUNCH  CRITERIA 

RCS  PVT  INIT  TMBU  WILL  BE  UPLINKED  PREFLIGHT  IF  THE  I -LOADED 
WEIGHT  OF  HE  INITIAL  (WHI)  RCS  QUANTITIES  DIFFER  FROM  THE  ACTUAL 
LOADED  RCS  QUANTITIES  BY  GREATER  THAN  3  PERCENT  (HIGHER  OR 
LOWER) .  ALL  RCS  QUANTITIES  WILL  BE  CORRECTED  WHEN  AN  UPLINK  IS 
REQUIRED  FOR  ONE  OR  MORE  QUANTITIES  OUT  OF  LIMITS. 

I-loadecl  WHI’s,  which  are  used  to  calculate  the  RCS  usable  quantities,  are  based  on  standard 
temperatures,  pressures,  and  propellant  loadings.  Changes  in  temperatures,  pressures,  forward  RCS 
propellant  off-loading,  off-nominal  helium  loads  (still  within  LCC  limits),  and  transducer  biases  or 
failures  can  affect  the  quantity  readings.  With  these  conditions  present,  it  is  possible  to  get  false  leak 
messages  or  degraded  leak  detection  due  to  incorrect  quantity  readings.  Preflight  RCS  PVT  INIT 
TMBU’s  are  sent  to  the  BFS  computer  to  update  the  BFS  quantity  gauging  WHI  constants.  The  updated 
constants  reflect  the  actual  temperatures,  pressures,  and  propellant  loadings  in  the  RCS  systems  and 
adjust  and  finely  tune  the  RCS  quantity  readings.  The  3  percent  uplink  criteria  was  developed  to 
minimize  preflight  uplinks  (PVT  INIT)  and  still  provide  reasonable  leak  detection  protection.  Currently, 
leak  alarms  are  annunciated  when  the  delta  between  the  oxidizer  and  fuel  quantities  is  9.5  percent.  With 
the  3  percent  criteria  a  leak  alarm  will  not  be  annunciated  until  a  12.5  percent  oxidizer/fuel  delta  (169  lb 
oxidizer  or  106  lb  fuel).  On  orbit  both  the  PASS  (OPS  2)  and  BFS  (OPS  3)  RCS  WHI  constants  will  be 
updated  via  TMBU/UPLINK  to  reflect  the  actual  usable  RCS  quantities  remaining. 

If  an  uplink  is  required  prelaunch  to  correct  quantities  that  differ  from  actual  by  3  percent,  WHI’s  will  be 
uplinked  to  correct  all  RCS  quantities.  Once  a  prelaunch  TMBU  is  required,  the  risk  of  building  and 
sending  the  TMBU  is  not  dependent  on  the  number  of  constants  being  updated. 

A6-64  THROUGH  A6-100  RULES  ARE  RESERVED 
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OMS  ENGINE  MANAGEMENT 


A6-101  OMS  ENGINE  BELL  MOVEMENT  DURING  ASCENT 

A.  FOR  OMS  TVC  MOVEMENT  CONFIRMED  BY  TWO  SOURCES  DURING  THE 
HIGH  QBAR  REGION  (REF.  RULE  {A8-53C},  OMS  TVC  LOSS),  THE 
AFFECTED  OMS  ENGINE  WILL  BE  CONSIDERED  FAILED  FOR  ALL 
PURPOSES  INCLUDING  ABORT  PROPELLANT  DUMPS.  THE  OMS  ENGINE 
SWITCH  WILL  BE  IMMEDIATELY  MODED  TO  THE  "OFF"  POSITION  TO 
PRECLUDE  ANY  SUBSEQUENT  FIRING.  @[111298-6733] 

B.  FOR  TVC  MOVEMENT  SUSPECTED  DURING  THE  HIGH  Q-BAR  REGION  BUT 
NOT  CONFIRMED  DUE  TO  MOVEMENT  INDICATED  BY  ONLY  ONE  SOURCE, 

THE  AFFECTED  OMS  ENGINE  WILL  BE  CONSIDERED  FAILED  FOR  ATO,  OMS 
ASSIST,  AND  ON-ORBIT  BURNS  PENDING  FURTHER  TROUBLESHOOTING. 

THE  OMS  ENGINE  SWITCH  WILL  BE  PLACED  IN  THE  "OFF"  POSITION 
PRIOR  TO  OMS  ASSIST  OR  FOLLOWING  MECO. 

PRE-MECO,  THE  ENGINE  WILL  BE  USED  FOR  RTLS ,  TAL,  AND 
CONTINGENCY  DUMPS.  POST-MECO,  THE  ENGINE  WILL  ONLY  BE  USED 
IN  CONTINGENCY  CASES  IF  REQUIRED  FOR  ORBITER  OR  CREW  SAFETY, 
NOT  FOR  MISSION  SUCCESS.  @[111298-6733] 

The  consequences  of  using  an  OMS  engine  which  has  suffered  engine  bell  damage  due  to  aerodynamic 
forces  can  be  severe  (reference  System  Briefs  “  OMS  Gimbal  Position  Constraints  During  Ascent  Max 
G” ).  Clearly,  such  an  engine  should  be  disabled  ASAP.  Further  note  that  since  some  abort  propellant 
dumps  and  OMS  Assist  start  both  OMS  engines  immediately,  the  OMS  engine  switch  must  be  in  the  OFF 
position  prior  to  abort  selection  to  prevent  the  engine  from  firing.  Therefore,  for  confirmed  thrust  vector 
control  (TVC)  movement  during  the  high  Q-bar  region  of  ascent,  the  engine  will  be  considered  failed 
(including  OMS  Assist,  OMS-1,  OMS-2,  and  abort  dumps).  @[111298-6733] 

However,  the  consequences  of  performing  an  abort  dump  without  using  an  OMS  engine  are  not  riskfree. 
During  RTLS,  TAL,  and  contingency  aborts,  the  resultant  vehicle  CG  (both  X  and  Y)  may  be 
unacceptable  for  flight  control,  the  total  vehicle  weight  may  be  significantly  above  the  design  factor  of 
safety  for  g  forces  around  the  HAC  or  for  touchdown,  and  the  OMS  propellant  tank  may  be  significantly 
above  the  constraint  for  both  the  g  forces  around  the  HAC  and  landing.  For  all  these  cases  possible  loss 
of  vehicle  could  occur. 
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A6-101  QMS  ENGINE  BELL  MOVEMENT  DURING  ASCENT  (CONTINUED) 

®[ED  ] 

Additionally,  there  are  other  cases,  extreme  MECO  underspeeds  or  loss  of  other  OMS  engine  and  RCS 
capability,  where  the  results  would  be  catastrophic  if  the  affected  engine  were  not  used. 

Therefore,  if  the  TVC  movement  during  the  high  Q-bar  region  cannot  be  confirmed  with  two  sources,  the 
engine  bell  will  be  considered  failed  for  OMS  Assist,  ATO,  and  On-orbit  burns  only.  The  engine  bell  will 
be  used  for  RTLS,  TAL,  and  con  tingency  aborts  where  maximum  dumping  is  required  to  avoid  violating 
constrain  ts  which  may  result  in  loss  of  vehicle.  ATO  dumps  are  designed  to  protect  ET  impact  constraints 
and  will  not  be  performed  (ref.  Rule  {A2-62EJ,  ET  FOOTPRINT  CRITERIA).  ®[i  1 1 298-6733  ] 

During  orbit,  the  suspect  engine  bell  will  not  be  used  if  other  methods  of  propulsion  are  available.  Rule 
{A8-53J,  OMS  TVC  LOSS,  references  this  rule. 

A6-102  OMS  PROPELLANT  SETTLING  REQUIREMENT 

AN  RCS  SETTLING  BURN  (15  SECONDS  2  +X  JETS)  IS  REQUIRED  PRIOR  TO 
EACH  OMS  ENGINE  RESTART  IF  THE  OMS  PROPELLANT  TANK  (OXIDIZER  OR 
FUEL)  AFT  QUANTITY  <  11  PERCENT. 

If  the  OMS  aft  quantity  is  less  than  11  percent,  bulkhead  screens  have  been  uncovered  allowing  helium  to 
enter  into  the  tanks  aft  compartment.  The  next  OMS  burn  could  pull  this  helium  into  the  OMS  engine 
unless  a  15 -second  RCS  +X  burn  is  performed  prior  to  the  OMS  burn.  The  RCS  +X  burn  forces  the 
propellant  over  the  outlet  tube  of  the  tank,  preven  ting  helium  ingestion  and  improper  mixture  ratio  shifts. 


A6-103  OMS  BURN  DOWNLIST  REQUIREMENT 

DURING  OMS  BURNS  IN  OPS  2  AND  3,  44.8  KBPS  HIGH  RATE  GNC  DOWNLIST 

DATA  IS  REQUIRED  (EITHER  REAL-TIME  OR  RECORDED  AND  DUMPED)  EVEN 
IF  THIS  CAUSES  TEMPORARY  LOSS  OF  PAYLOAD  DATA  OR  REAL-TIME  LOW 
DATA  RATE  DOWNLINK. 

There  are  parameters  ( e. g. ,  OMS  Pc,  inlet  pressure,  etc.)  that  are  not  available  in  LDR  OPS  2  and  3 
GNC  downlist  that  are  mandatory  to  determine  failu  re  modes  in  the  OMS  system.  If  these  data  are  not 
available  either  real  time  or  in  postburn  dumps,  relatively  minor  anomalies  may  result  in  severe  mission 
action  being  required  to  cover  the  worst  case  failure  mode  since  the  exact  mode  cannot  be  determined. 

For  example,  in  certain  circumstances,  the  difference  between  an  OMS  engine  failure  and  an  OMS 
propellant  system  failure  cannot  be  determined.  The  consequences  of  an  OMS  engine  failure  are  loss  of 
redundancy  and  possible  mission  termination;  the  consequences  of  an  OMS  propellant  system  failure 
include  very  shallow  deorbit  burns  with  RCS  completions  to  the  minimum  requirements  for  entry  control, 
plus  Y  CG  offsets  that  may  be  unacceptable  from  the  flight  control  standpoin  t.  The  inconvenience  of  not 
having  a  short  period  of  real-time  data  or  payload  data  (less  than  2  minutes)  is  greatly  outweighed  by 
the  consequences  of  not  having  OMS  data  to  resolve  anomalies  during  burns.  Rule  { A2-129 j,  ORBITER 
ON-ORBIT  HIGH  DATA  RATE  REQUIREMENTS,  references  this  rule. 
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A6-104  QMS  ENGINE  INSTRUMENTATION  REQUIREMENT 

A.  LOSS  OF  OMS  ENGINE  FUEL  INJECTOR  TEMPERATURE  INDICATION  (MDM 
FAIL,  TRANSDUCER  FAIL,  ETC.)  WILL  BE  CAUSE  TO  NO-GO  FURTHER 
USE  OF  THE  AFFECTED  ENGINE  FOR  NONCRITICAL  OMS  BURNS  IF  THE 
OTHER  OMS  ENGINE  IS  STILL  AVAILABLE.  THE  AFFECTED  ENGINE 
WILL  BE  USED  FOR  CRITICAL  BURNS  TO  MEET  DOWNMODING  CRITERIA 
PROVIDED  ALL  OTHER  ENGINE  PARAMETERS  REMAIN  WITHIN  NORMAL 
OPERATING  LIMITS.  @[091098-6366] 

The  fuel  injector  temperature  is  a  primary  cue  for  mon  itoring  engine  health  and  analyzing  engine 
failure.  During  normal  engine  operation ,  the  nominal  fuel  inlet  pressure  often  exceeds  the  documented 
engine  fail  limit.  Without  the  fuel  injector  temperature,  the  crew  monitoring  capability  is  severely 
degraded  and  an  engine  failure  may  be  impossible  to  distinguish  from  nominal  engine  operation. 

For  critical  crew  safety  burns,  such  as  OMS-1,  -2,  and  deorbit,  the  affected  engine  will  be  used  with  the 
remaining  good  engine  (two-engine  burn)  to  provide  a  downmode  capability.  For  safety  critical  on-orbit 
burns,  such  as  an  inertial  upper  stage  (IUS)  separation,  the  good  engine  should  be  used  with  downmode 
to  RCS.  If  there  is  no  remaining  good  engine,  the  FRCS  -X  jets  can  be  used.  For  mission  critical  on- 
orbit  burns  that  are  too  large  for  an  RCS  downmode,  both  engines  can  be  used. 


Other  engine  parameters  also  include  Pc,  oxidizer  and  fuel  inlet  pressures. 

B.  THE  FOLLOWING  CRITERIA  WILL  BE  USED  TO  DETERMINE  SYSTEM 
STATUS  FOR  LOSS  OF  OMS  INLET  PRESSURE  INSIGHT  (MDM  FAIL, 
TRANSDUCER  FAIL,  ETC.)  IN  COMBINATION  WITH  A  FUEL  INJECTOR 
TEMP  HIGH  ANNUNCIATION  OR  A  PC  LOW  ANNUNCIATION  (CONFIRMED  BY 
DOWN  ARROW  OR  GIMBAL  MOVEMENT;  NO  CONFIRMATION  IS  AVAILABLE 
DURING  PRE-MECO  DUMPS) . 

AN  ENGINE  FAILURE  WILL  BE  ASSUMED  IF  ALL  OF  THE  FOLLOWING 
CONDITIONS  ARE  MET: 

1.  FAILURE  OCCURS  DURING  POWERED  FLIGHT. 

2.  PROPELLANT  SYSTEM  AND  ENGINE  PERFORMED  NOMINALLY  ON  THE 
PREVIOUS  FLIGHT. 

3.  NO  INTRUSION  WAS  MADE  INTO  THE  OMS  FEEDLINES  DURING 
VEHICLE  TURNAROUND.  @[091098-6366] 

THIS  RULE  CONTINUED  ON  NEXT  PAGE 
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A6-104  QMS  ENGINE  INSTRUMENTATION  REQUIREMENT  (CONTINUED) 

OTHERWISE,  A  PROPELLANT  FAILURE  WILL  BE  ASSUMED  UNTIL  DATA 
REVIEW  CAN  CONCLUSIVELY  DIAGNOSE  THE  FAILURE.  @[091098-6366] 

This  flight  rule  documents  the  decisions  made  at  the  March  9,  1995,  PRCB  stemming  from  the  ROMS 
Oxidizer  Inlet  pressure  bias  observed  prior  to  the  liftoff  of  STS-66  (PCIN  S062105). 

Thirty  hours  before  the  scheduled  liftoff  of  STS-66,  the  ROMS  OX  inlet  pressure  biased  up  approximately 
6  psia.  However,  per  Launch  Commit  Criteria  (LCC),  this  is  a  NO-GO  condition  until  the  transducer  is 
replaced.  The  OMS  inlet  pressure  is  the  primary  cue  to  determine  and  confirm  engine  fail,  propellant 
fail,  or  instrumentation  fail  for  FUEL  INJECTOR  TEMP  HIGH  and  PC  LOW  FDA.  Without  this 
insight,  the  proper  system  diagnosis  cannot  be  performed  and  the  worst  case,  propellant  fail,  is  assumed. 
Because  of  the  launch  impact  of  replacing  the  OMS  Inlet  Pressure  transducers  on  the  pad,  the  decision 
was  made  by  the  PRCB  to  waive  the  LCC.  The  decision  was  based  on  1 )  the  affected  pod  had 
considerable  flight  time  without  incident,  2)  previous  flight  data  indicated  no  problems,  and  3)  the 
propellant  tank  and  feedline  plumbing  had  not  been  breached  during  vehicle  turnaround.  The 
procedures  were  updated  so  that  any  ROMS  PC  annunciation  during  pre-MECO  dumps  would  be 
assumed  an  engine  failure.  Post-MECO,  any  ROMS  PC  annunciation  in  combination  with  a  failed 
acceleration  check  would  be  assumed  to  be  a  propellant  failure  to  cdlow  time  for  evaluation. 

After  STS-66,  the  PRCB  elected  to  permanently  change  the  LCC  based  on  the  rationale  above.  The 
PRCB  discussions  centered  on  interned  contamination  that  could  cause  a  blockage  of  the  system 
resulting  in  a  propellant  failure.  However,  there  are  external  conditions  that  can  induce  a  blockage 
within  the  system.  For  example,  if  a  propellant  line  has  a  small  leak,  the  leaked  propellant  could  freeze 
the  OME  inlet  line.  Engineering  analysis  shows  that  less  than  1  pound  of  fuel  can  freeze  a  3foot  length 
of  oxidizer  feedline.  A  leak  could  develop  that  would  be  small  enough  that  it  would  go  undetected  in  tank 
pressure  decay  for  some  time  and  yet  be  sufficient  to  freeze  the  feedline.  This  condition  is  not  applicable 
to  powered  flight  because  any  leaked  propellant  would  pool  at  the  bottom  of  the  pod  and  not  affect  the 
feedlines.  If  a  detectable  amount  of  propellant  is  leaked,  it  is  understood  that  the  pod  could  be  adversely 
affected  and  a  real-time  evaluation  of  the  situation  would  be  required. 

It  should  be  noted  that  there  are  cases  where,  if  an  engine  fail  was  assumed  when  an  actual  propellant 
fail  has  occurred,  the  loss  of  vehicle  and  crew  would  result.  @[091098-6366  ] 
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A6-104  QMS  ENGINE  INSTRUMENTATION  REQUIREMENT  (CONTINUED) 

C.  FOR  LOSS  OF  AN  OMS  ENGINE  PRESSURIZATION  VALVE  POSITION 

INDICATION,  THE  AFFECTED  ENGINE  WILL  BE  USED  ONLY  FOR  OMS-1 
AND  DEORBIT  UNLESS  USE  OF  THE  ENGINE  IS  REQUIRED  TO  MEET 
OMS/RCS  DOWNMODING  CRITERIA,  OR  IF  PROPER  ENGINE 
PRESSURIZATION  VALVE  OPERATION  CAN  BE  VERIFIED  BY  AN  INCREASE 
IN  THE  OMS  GN2  REGULATOR  PRESSURE  AND/OR  DECREASE  IN  THE  GN? 
TANK  PRESSURE  PRIOR  TO  IGNITION. 

For  OMS  burns,  proper  pressurization  valve  operation  is  required  in  order  to  ensure  one  start  capability 
for  the  affected  engine  is  retained  for  the  deorbit  burn.  For  OMS-1  the  valve  is  assumed  to  be  open  for 
confirmed  instrumentation  losses  because  redundant  hardwired  command  paths  are  used.  The  risk  of 
using  the  last  start  if  the  valve  is  actually  closed  (dual  failure)  is  accepted  since  the  burn  is  critical  for 
orbit  insertion. 

For  burns  other  than  OMS-1  and  deorbit,  it  is  prudent  not  to  use  the  affected  engine  if  the  burn  can  be 
accomplished  without  it.  The  engine  may  be  used,  however,  if  proper  valve  operation  can  be  verified,  or 
if  required  to  meet  OMS/RCS  downmoding  requirements  as  defined  by  Rule  {A2-114},  OMS/RCS 
MANEUVER  CRITICALITY.  For  instance,  the  engine  may  be  used  for  OMS-2  if  proper  valve  operation 
has  been  verified  prior  to  insight  being  lost  as  a  result  of  an  MDM  FA3  or  FA4  failure  since  a 
subsequent  MDM  FA1  or  FA2  power  failure  would  f cal  the  other  OME  and  four  +X  capability.  If  the 
OMS  engine  pressurization  valve  is  actually  failed  closed,  two  OMS  starts  may  still  be  available  due  to 
the  initial,  higher  than  normal  regulator  pressure  available  prelaunch,  assuming  the  ARM/PRESS  switch 
is  taken  to  ARM  before  the  purge.  @[091098-6366  ] 
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A6-105  QMS  BURN  MINIMUM  PRESSURE  REQUIREMENTS 

AN  OMS  ENGINE  WILL  NOT  BE  USED  FOR  NONCRITICAL  ON-ORBIT  BURNS 
IF  THE  FUEL  INLET  PRESSURE  <  244  PSIA  OR  OXIDIZER  INLET 
PRESSURE  <  244  PSIA  OR  N2  TANK  PRESSURE  <  563  PSIA. 

The  OMS  engine  inlet  pressure  requirements  preserve  blowdown  capability  in  an  OMS  system  that  has 
incurred  a  previously  undetected  failure  of  the  pressurization  system.  The  engine  inlet  pressure  limits 
represent  the  bottom  of  the  regulator  band  ( 252  psia )  minus  2  percent  instrumentation  error  ( 8  psia ).  If 
either  inlet  pressure  cannot  be  repressed  to  above  244  psia,  the  system  can  be  operated  further  in 
blowdown.  However,  the  blowdown  capability  should  be  preserved  for  critical  burns. 

The  nominal  start  envelope  limits  are  239  and  238  psia  for  the  fuel  and  oxidizer  inlet  pressures, 
respectively  ( reference  SODB,  volume  I,  figure  4.3.3).  The  N2  criteria  represents  the  following: 


(1) 

Engine  start 

26  psia  (ref.  SODB,  volume  I,  fig.  4.3.3) 

(2) 

Purge 

94  psia 

(3) 

Accumulator  start  at  100 

(ref.  SODB,  volume  I,  table  3.4. 3. 3) 

percent  ball  valve  opening 

283  psia 

(4) 

Instrumentation  error 

160  psia 

Total  = 

563  psia 

The  limits  defined  in  this  rule  are  used  in  the  FDF  for  noncritical  on-orbit  OMS  burns. 
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A6-106  QMS  ENGINE  BURN  TO  DEPLETION 

FOR  A  LEAKING  PROPELLANT  PERIGEE  ADJUST  BURN  OR  FOR  A  DEORBIT  BURN, 
AN  OMS  ENGINE  MAY  BE  BURNED  TO  DEPLETION  (PC  =80  PERCENT) .  THE 
ENGINE  WOULD  BE  USED  SUBSEQUENTLY  ONLY  IF  IT  IS  THE  ONLY  DEORBIT 
METHOD  AVAILABLE.  (REF.  RULE  {A6-3E},  OMS  ENGINE.) 

Critical  OMS  bums  (leaking  OMS  perigee  adjust  and  deorbit )  may  be  continued  to  a  depletion  level 
( defined  as  an  80  percent  chamber  pressure  and  an  OMS  engine  “?  ”  on  the  MNVR  EXECUTE  display ) 
to  maximize  delta  V  and  minimize  the  residuals  in  the  leaking  tank.  OMS  propellant  gage  quantity  will 
not  be  used  as  a  cu  tojf  cue  since  the  hardware  readings  are  unreliable.  Consequently,  no  effort  will  be 
made  to  stop  the  burn  prior  to  exhausting  the  propellant  in  the  lines. 

During  depletion,  the  Pc  decreases.  The  presence  of  a  single  propellant  mixing  with  helium  pressurant 
in  the  chamber  prevents  the  Pc  from  reading  zero.  However,  the  Pc  will  fall  below  the  fault  detection 
threshold  (80  percent)  resulting  in  an  alert.  During  WSTF  tests  to  depletion  in  a  one-g  environment, 
engine  damage  did  not  occur.  There  are  substantial  unknowns  regarding  zero-g  operations  and  crew 
response  time  to  the  failure  to  minimize  damage.  If  engine  damage  occurs  during  the  depletion  cutojf, 
off-nominal  mixture  ratios  may  cause  uncontained  engine  damage  when  the  engine  is  restarted.  Because 
of  this  potential  for  engine  damage  an  engine  which  has  failed  due  to  depletion  of  either  propellant  (OX 
or  FU)  will  not  be  reused  unless  mandatory  and  then  only  for  the  deorbit  burn. 

(Reference  SODB,  3. 4. 3. 3.) 
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A6-107  QMS  ENGINE  FAILURE  MANAGEMENT 

FOR  THE  LOSS  OF  ONE  OMS  ENGINE: 

A.  THE  REMAINING  GOOD  OMS  WILL  BE  USED  FOR  ON-ORBIT  BURNS  ONLY 
IF  THE  FIRST  FAILURE  CAN  BE  IDENTIFIED  AS  AN  ENGINE  FAILURE 
AND  IS  UNDERSTOOD. 

As  long  as  the  first  failure  is  confirmed  to  be  an  engine  failure,  the  affected  pod’s  propellant  will  be 
available  for  use  through  the  remaining  good  engine  via  crossfeed  operation.  Engine  versus  propellant 
failures  must  be  determined  prior  to  future  crossfeed  operations  to  protect  against  contamination 
affecting  the  remaining  good  OMS  engine. 

B.  RCS  4  +X  JETS  WILL  BE  HOT-FIRED  PRIOR  TO  COMMITTING  TO 
CONTINUE  TO  NOMINAL  EOM  UNLESS  THE  JETS  HAVE  PREVIOUSLY 
FIRED . 

For  the  loss  of  an  OMS  engine,  the  good  OMS  engine  and  the  RCS  4  +X  jets  are  considered  the 
remaining  two  deorbit  methods  (sufficient  propellant  to  redline  RCS  steep  deorbit  must  be  available). 

If  either  of  the  remaining  deorbit  methods  is  lost,  a  next  PLS  must  be  invoked  since  zero  fault  tolerance 
exists  (ref.  Rule  { A2-201 },  DEORBIT  GUIDELINES ).  If  the  4  +X  RCS  jets  have  not  fired  previously, 
the  health  of  the  jets  is  unknown.  As  a  result,  if  the  jets  have  not  fired,  in  order  to  gain  confidence  in 
the  +X  jets,  the  jets  should  be  hot-fired.  Since  these  jets  are  hot-fired  the  day  before  entry  in  the 
normal  hot-fire  procedure,  the  normal  hot-fire  procedure  should  be  rescheduled  to  an  earlier  time. 
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A6-108  QMS  BALL  VALVE  FAILURE  MANAGEMENT 

AN  OMS  ENGINE  WITH  A  FAILED  OPEN  BALL  VALVE  INDICATING  GREATER 
THAN  THE  FAILED  OPEN  RANGE  LOWER  LIMIT  (FLIGHT  RULE  {A6-3H},OMS 
ENGINE)  BUT  <  47  (70)  PERCENT  POSTBURN  WILL  NOT  BE  USED  UNLESS 

THE  OTHER  ENGINE  HAS  FAILED,  AND  THEN  ONLY  FOR  THE  DEORBIT  BURN. 
HOWEVER,  IF  THE  FAILED  OPEN  BALL  VALVE  INDICATES  >  47  (70) 

PERCENT,  THE  ENGINE  IS  NOT  CONSIDERED  FAILED  BUT  WILL  BE  USED 
ONLY  FOR  THE  DEORBIT  BURN. 

Each  OMS  engine  has  two  ball  valves  in  series  (VI  and  V2)  for  both  the  oxidizer  and  fuel  lines. 

Instrumentation  for  VI  on  both  the  oxidizer  and  fuel  is  measured  by  one  potentiometer  while  both  V2 
valves  are  measured  by  another.  Either  VI  or  V2  failed  closed  will  prevent  propellant  from  feeding  the 
engines. 

If  postburn  and  either  ball  valve  indicates  open  (after  a  nominal  OMS  burn  cutoff),  either  the 
instrumentation  has  shifted  high  or  the  valve  has  failed  partially  open.  There  are  no  problems  with 
burning  an  engine  with  failed  instrumentation  since  the  valves  function  properly.  The  lower  limit  of  the 
failed  open  range  is  engine  specific  and  is  listed  in  Flight  Rule  (A6-3H},  OMS  ENGINE.  If  the  ball  valve 
position  is  between  the  lower  limit  and  70  percent  there  is  no  guarantee  that  the  affected  ball  valve  will 
open  properly.  The  possibility  of  engine  hard  start  or  combustion  instability  then  exists,  with  the  result 
of  structural  failure  and/or  chamber  burn  through. 

If  the  other  engine  is  failed,  it  is  preferable  to  attempt  to  burn  the  engine  with  the  failed  ball  valves,  relying  on 
them  to  open  greater  than  70  percent,  rather  than  to  attempt  a  4  +X  deorbit.  Should  the  ball  valves  fail  to  open 
sufficiently,  the  4  +X  deorbit  downmode  is  still  available.  With  the  4  +X  deorbit  there  is  no  downmode. 

In  any  case,  whenever  a  burn  is  attempted  using  an  engine  with  failed  open  ball  valves,  the  crew  should 
be  prepared  to  cut  off  the  burn  by  closing  the  appropriate  tank  isolation  valves  if  a  generic  problem 
keeps  both  sets  of  ball  valves  from  closing. 

If  the  ball  valve  indicates  >  70  percent  open,  even  a  real  valve  problem  will  support  a  nominal  engine 
flow  rate.  Consequently,  the  engine  can  be  used  for  the  deorbit  burn.  ( Reference  SODB,  volume  I, 
paragraph  3.4.3.3-17.)  Rule  {A6-3},  OMS  ENGINE,  references  this  rule. 

A6-109  THROUGH  A6-150  RULES  ARE  RESERVED 
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RCS  THRUSTER  MANAGEMENT 


A6-151  RCS  JET  DRIVER  MANAGEMENT  [CIL] 

A.  THE  PRIMARY  JET  RJD  CONFIGURATION  WILL  BE  ALL  ON  DURING 
CREW  AWAKE  PERIODS  INCLUDING  PROXIMITY  OPERATIONS,  PAYLOAD 
DEPLOYMENT,  AND  RENDEZVOUS  MANEUVERS.  THE  PRIMARY  RJD'S 
WILL  BE  POWERED  OFF  DURING  CREW  SLEEP  PERIODS  AND  EVA 
OUTSIDE  THE  PAYLOAD  BAY. 

B.  IF  VERNIER  JET  CAPABILITY  IS  LOST,  CREW  SLEEP  PERIODS  WILL  BE 
FLOWN  PROS,  TAIL  ONLY  OPTION  PRIMARY  CONTROL  WITH  ALL  RJD'S 
POWERED  ON. 

C.  IF  A  FAILURE  IS  DETECTED  IN  THE  RJD  LOGIC  POWER  CIRCUIT  VIA 
MCC  TELEMETRY,  THE  AFFECTED  RJD  POWER  WILL  REMAIN  POWERED  ON 
FOR  CREW  SLEEP  PERIODS. 

RJD  system  testing  has  resulted  in  a  failure  rate  of  one  failure  every  10  billion  hours.  With  the  possibility 
of  failure  so  low,  the  RJD  configuration  will  be  all  on  during  crew  awake  periods.  If  a  failure  were  to 
occur,  crew  accessibility  would  allow  prompt  corrective  action.  During  sleep  periods,  the  RJD’s  will  be 
powered  off  because  of  the  crew  response  time  to  failures  while  sleeping  in  the  middeck.  For 
extravehicular  activities  {EVA’s)  outside  the  payload  bay,  plume  impingement  activities  are  the  concern. 

Failure  of  the  RJD  logic  power  circuit  as  detected  by  RJD  logic  switch  telemetry  has  no  immediate 
effect  on  the  operation  of  the  affected  jets.  However,  if  RJD  power  is  removed  per  the  normal  presleep 
procedure,  the  jets  will  be  permanently  lost.  In  this  instance,  the  risk  of  a  failu  re  causing  an  RCS  jet  to 
fail  on  is  considered  more  acceptable  than  a  definite  loss  of  two  manifolds  of  RCS  jets.  It  is  considered 
prudent  to  sleep  in  tail-only  PRCS  control.  Rule  { A15-22 },  RCS/APU  THRUSTER  PLUME 
AVOIDANCE,  references  this  rule. 

A6-152  RCS  ENTRY  HOTFIRE  CHECK 

ALL  ENTRY-CRITICAL  JETS  (OTHER  THAN  FIRST  PRIORITY  ON-ORBIT  JETS) 
WILL  BE  HOT-FIRED  ONCE  DURING  THE  MISSION. 

The  hot-fire  test  is  performed  to  verify  that  all  primary  jets  needed  for  deorbit  or  entry  are  operating 
properly.  The  n  umber  one  priority  orbit  DAP  jets  are  fired  during  normal  orbit  ops  and  will  not  need  to 
be  fired  again  during  the  hot-fire  test. 

A  special  hot-fire  test  will  be  required  for  the  first  flight  of  a  new  vehicle  to  test  all  jets  including  the 
forward  up-firing  jets  since  these  jets  are  not  normally  fired  and  need  to  be  tested. 
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A6-153  RCS  JET  MAXIMUM  BURN  TIME 

A.  THE  OPERATIONAL  LIMIT  FOR  CONTINUOUSLY  FIRING  PROS  JETS  IS 
150  SECONDS.  THE  CONTINUOUS  FIRING  LIMIT  FOR  VERNIER  RCS 
JETS  IS  275  SECONDS.  THE  VERNIER  JETS  ALSO  HAVE  A  SEPARATE 
CONSTRAINT  OF  NO  MORE  THAN  1000  "ON"  COMMANDS  PER  HOURS. 
@[072398-6690  ]  ®[1 1 0900-7249  ] 

The  limiting  component  of  the  primary  thrusters  is  the  titanium  canister  because  it  is  heat-load 
sensitive.  Exceeding  temperature  limits  could  damage  adjacent  components.  The  limiting  component 
for  the  vernier  thrusters  is  the  aluminum  structure  since  it  too  is  heat-load  sensitive.  The  1000  “ON” 
commands  limitation  is  driven  by  the  PC  transducer  which  could  fail  due  to  overheating  leading  to  a 
false  fail off.  The  150-second  firing  limit  is  driven  by  a  qualification  limit  and  not  by  any  data  that 
shows  damage  occurs  at  these  durations.  (Ref.  SODB.  volume  I,  paragraph  3. 4. 3. 2).  Additional 
analysis  data  shows  that  the  PRCS  thrusters  could  be  fired  for  250  seconds  without  violating  thermal 
limits  even  with  entry  heating  immediately  following  the  firing.  WSTF  testing  in  support  of  the  Hubble 
reboost  has  demonstrated  that  27 5 -second  VRCS  firings  do  not  violate  any  vernier  jet  thermal 
constraints  (ref.  SODB.  volume  I,  paragraph  3. 4. 3. 2).  There  is  no  minimum  cooldown  period  required 
between  275-second  VRCS  firings.  For  on-orbit  conditions  where  an  extended  cooldown  period  is 
available,  consideration  may  be  given  to  raising  the  limits  to  400/710  seconds  for  primary  and  vernier 
jets  respectively,  with  associated  cooldowns  of  2100/1400  seconds  (35  minutes/23  minutes  20  seconds ). 
(Ref.  SODB.  Volume  III,  Paragraph  4. 3.2.9.  (Caution:  SODB,  Volume  III  contains  engineering 
estimates  for  lion-nominal  performance  evaluation.  Data  may  not  be  supported  by  test.))  @[110900-7249  ] 

B.  A  SINGLE  MISSION  CONTINGENCY  FIRING  OF  800  SECONDS  FOR  ARCS 
(+X)  THRUSTERS  AND  300  SECONDS  FOR  FRCS  (-X)  THRUSTERS  IS 
PERMISSIBLE . 

The  800/300-second  constraints  represent  the  maximum  +X/-X  burn  time  that  can  be  used  in  a 
contingency  without  resulting  in  structural  damage  due  to  overheating.  (Ref.  SODB,  Volume  I, 
Paragraph  3. 4. 3.2).  Additional  thermal  analysis  shows  that  a  1050-second  (17  minutes  30  seconds) 
ARCS  and  400-second  FRCS  thruster  firing  may  be  permissible.  For  these  durations,  the  limiting 
component  for  the  ARCS  thrusters  is  the  Kapton  wire  insulation.  If  the  temperature  limit  is  exceeded,  it 
could  jeopardize  the  capability  to  refire  the  jet  if  a  3500-second  (58  minute  20  second)  cooldown  period 
is  not  allowed.  The  limiting  component  for  the  FRCS  thrusters  is  the  Inconel  thermal  barrier  spring.  If 
the  limit  is  exceeded,  the  elasticity  of  the  spring  will  be  degraded  and  its  life  span  shortened.  (Ref. 

SODB,  Volume  III,  Paragraph  4. 3. 3.2.9.  (Caution:  SODB,  Volume  III  contains  engineering  estimates  for 
non-nominal  performance  evaluation.  Data  may  not  be  supported  by  test.))  @[072398-6690  ] 
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A6-154  RCS  VERNIER  OPERATION  TERMINATION 

RCS  VERNIER  THRUSTER  OPERATION  SHALL  BE  TERMINATED  AND  SYSTEM 
OPERATION  PERFORMED  ON  PRIMARY  THRUSTERS  WHENEVER: 

A.  THE  RCS  FUEL  TANK  PRESSURE  IS  20  (20)*  PSID  GREATER  THAN  THE 

OXIDIZER  TANK  PRESSURE.  VERNIER  OPERATION  MAY  BE  RESUMED 
WHEN  FUEL/OXIDIZER  TANK  PRESSURE  DELTA  <  20  (20)  PSID. 

NOTE:  *  ZERO  INSTRUMENTATION  ERROR  IS  USED  SINCE  SECONDARY 

REGULATOR  OPERATION  PLUS  INSTRUMENTATION  INACCURACY 
COULD  EXCEED  CONSTRAINTS. 

Vernier  thruster  test  data  have  demonstrated  that  low  oxidizer/fuel  mixture  ratio  (less  than  1.6)  shifts  the 
main  combustion  from  the  center  to  near  the  wall  of  the  chamber  which  results  in  high  combustion 
chamber  temperatures.  Tests  conducted  at  an  oxidizer/fuel  mixture  ratio  of  1.3  resulted  in  severe 
damage  to  the  vernier  thruster  chamber  protective  coating.  The  test  duration  was  equivalent  to 
approximately  one  mission  day.  Continued  operation  at  this  mixture  ratio  would  have  resulted  in 
chamber  burnthrough.  By  limiting  the  differential  of  the  oxidizer  and  fuel  propellant  tank  pressures  to 
20  psid,  the  mixture  ratio  for  the  vernier  thruster  will  not  be  less  than  1.5.  Tests  were  conducted  at  a 
mixture  ratio  of  1.5  for  an  equivalent  of  approximately  3  mission  days  with  no  detectable  coating 
damage.  Also,  20  psid  allows  vernier  operation  when  the  He  system  is  operating  on  the  secondary 
regulator  ( including  system  tolerances  2-sigma). 

B.  THE  HIGH-LOAD  FLASH  EVAPORATOR  IS  OPERATING  FOR  MORE  THAN 
20  MINUTES. 

On  STS-2,  overtemperatures  in  the  VRCS  thrusters  occurred  during  lengthy  operation  of  the  flash 
evaporator.  The  propulsive  vent  holds  the  DAP  to  one  side  of  the  deadband.  The  DAP  continues  to  cycle 
the  same  jets  at  such  a  frequency  that  the  thrusters  do  not  have  an  opportunity  to  cool  down.  The  best 
way  to  protect  the  vernier  thrusters  from  overheating  is  to  configure  the  DAP  to  the  PRCS  when  the  high 
load  evaporator  will  be  run  for  more  than  20  or  30  minutes.  Reference  STS-3  Orbit  Flight  Techniques 
meeting  number  14,  March  30,  1982. 

C.  THE  VRCS  DAP  MODE  IS  LOST. 

Reference  Flight  Rule  { A8-60  j,  LOSS  OF  VERNIER  RCS  DAP  MODE,  to  determine  the  status  of  the 
VRCS  DAP  mode  following  the  loss  of  the  six  VRCS  jets. 
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A6-155  SUSPECT  RCS  JET  REPRIORITIZATION  CRITERIA 

A.  A  SUSPECT  PRIMARY  JET  WILL  BE  CHANGED  TO  LAST  PRIORITY  FOR 
THE  FOLLOWING  CONDITIONS: 

1.  CONFIRMATION  OF  OFF-NOMINAL  OPERATING  CONDITIONS  (LOW  PC, 
THRUST) . 

2.  SUSPECT  INSTRUMENTATION  (OXIDIZER/FUEL  INJECTOR  TEMPERATURE 
DELTA  >  25  DEG  LOW,  BIASED  PC  WITH  DELTA  >  25  PSIA  FROM 
NOMINAL) . 

B.  A  VERNIER  JET  WITH  SUSPECT  INSTRUMENTATION  (LOW  PC)  MAY  BE 
DESELECTED  DURING  CREW  SLEEP  PERIODS  TO  AVOID  NUISANCE 
ALARMS . 

Low  Pc  confirmed  with  low  rates  ( indicating  low-thrust)  identifies  a  real  jet  problem.  Further  use  of  the 
affected  jet  could  create  hot  spots  along  the  thruster  wall  damaging  the  jet. 

Injector  temperatures  and  Pc  are  used  for  determining  jet  leaks  and  jet  fail -offs.  Biased  instrumentation 
could  mask  a  real  problem  and,  if  the  jet  is  fired,  create  a  large  jet  leak  or  unstable  combustion. 

A  jet  placed  in  last  priority  will  not  be  called  on  to  fire  unless  the  DAP  determines  it  to  be  necessary  due 
to  additional  jet  failures  in  the  associated  direction.  If  the  crew  deselects  the  jet,  it  becomes  one 
additional  action  required  by  the  crew  if  the  jet  is  later  required.  For  entry,  a  yaw  jet  will  be  deselected 
because  the  DAP  will  command  all  available  yaw  jets  to  fire  during  roll  reversals. 

With  either  case,  it  is  prudent  to  discontinue  use  of  the  jet  when  other  jets  are  available.  The  affected  jet 
will  be  placed  in  last  priority  so  that  if  it  is  needed  for  achieving  mission  objectives,  it  can  be  used. 

Vernier  jets  with  suspect  instrumentation  may  be  deselected  for  sleep  to  avoid  possible  fail-off  nuisance 
alarms.  The  affected  jet  must  be  hot  fired  to  determine  whether  it  is  a  real  problem  or  instrumentation 
problem.  For  real  problems,  the  jet  will  only  be  used  for  mission  success.  For  instrumentation  problems 
the  jet  will  be  used  except  for  sleep. 
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A6-156  RCS  RM  LOSS  MANAGEMENT 


RCS  RM  LOSS 

VERNIER  JETS 

PRIMARY  JETS 

ORBIT  DAP 

ORBIT/TRANS  DAP 

AEROJET/GRTLS  DAP 

FAIL 

RESELECT  IF  AUTO 

CHANGE  AFFECTED  JET  TO  LAST 

CHANGE  AFFECTED  JET  TO 

OFF 

DESELECTED 

PRIORITY 

LAST  PRIORITY 

DETECTION 

CONTINUE  TO  USE 
WITHOUT  "FAIL  OFF- 
DETECTION 

RESELECT  IF  AUTO  DESELECTED 

AT  SEAT  INGRESS: 

IF  YAW  JET  DESELECT 

IF  YAW  JET  DESELECT  [2] 
OTHERWISE  RESELECT 

FAIL 

IF  L5L  AND/OR  R5R 

CHANGE  AFFECTED  JET  TO  LAST 

CHANGE  AFFECTED  JET  TO 

LEAK 

DETECTION 

DESELECT 
AFFECTED  JET 

PRIORITY 

LAST  PRIORITY 

CONTINUE  TO  USE 
VRCS 

IF  DOWNFIRING 

VRCS JET,  SELECT 
PRCS, CLOSE 
AFFECTED  VRCS 
MANIFOLD 

RESELECT  IF  AUTO  DESELECTED 

AT  SEAT  INGRESS: 

IF  YAW  JET  DESELECT 

IF  YAW  JET  DESELECT  [2] 
OTHERWISE  RESELECT 

FAIL 

CONTINUE  TO  USE 

CHANGE  AFFECTED  JET  TO  LAST 

CHANGE  AFFECTED  JET  TO 

ON 

DETECTION 

DURING  CREW 
AWAKE  PERIODS 

SELECT  PRCS  TAIL 
ONLY  FOR  CREW 
SLEEP  AND 

VERNIER  RJD-OFF 

PRIORITY 

SET  MANIFOLD  STATUS  TO  “CLOSED” 

IF  FAIL-SAFE  REDUNDANCY  EXISTS 

AFFECTED  RJD-OFF  [1] 

AT  SEAT  INGRESS: 

AFFECTED  RJD-ON 

SET  MANIFOLD  STATUS  TO  “OPEN” 

IF  YAW  JET  DESELECT 

LAST  PRIORITY 

IF  YAW  JET  DESELECT  [2] 

TOTAL  RM 

SELECT  PRIMARY 

CHANGE  AFFECTED  JET  TO  LAST 

CHANGE  AFFECTED  JET  TO 

(MDM  INPUT 

JETS 

PRIORITY 

LAST  PRIORITY 

OR  BCE 

BYPASS) 

CLOSE  AFFECTED 

LEAVE  MANIFOLD  STATUS  “CLOSED”  IF 

LEAVE  MANIFOLD  STATUS 

VRCS  MANIFOLDS 

VERNIER  RJD-OFF 

FAIL-SAFE  REDUNDANCY  EXISTS 

AFFECTED  RJD-OFF  [1] 

FOR  OMS-1 ,2  OR  DEORBIT  SET 
MANIFOLD  STATUS  TO  “OPEN”  AND 
AFFECTED  RJD-ON  TO  REGAIN  ANY 
AFFECTED  ±  JETS 

AT  SEAT  INGRESS: 

AFFECTED  RJD-ON 

“CLOSED”  IF  FAIL-SAFE 
REDUNDANCY  EXISTS 

NOTES: 

[1  ]  JETS  MAY  BE  MADE  AVAILABLE  FOR  HIGH  PRIORITY  ACTIVITIES  REQUIRING  MULTIPLE  JETS  AND/OR 
REDUNDANCY. 

[2]  JETS  MAY  BE  RESELECTED  TO  MAINTAIN  FAIL-SAFE  REDUNDANCY. 

THIS  RULE  CONTINUED  ON  NEXT  PAGE 


VOLUME  A  06/20/02  FINAL  PROPULSION 

Verify  that  this  is  the  correct  version  before  use. 


6-90 


NASA  -  JOHNSON  SPACE  CENTER 


FLIGHT  RULES 


A6-156  RCS  RM  LOSS  MANAGEMENT  (CONTINUED) 

A.  VERNIER  JETS 
1.  ORBIT  DAP: 

a.  FAIL  OFF 

The  vernier  jets  will  continue  to  be  used  after  the  loss  of fail-off  protection.  In  the  event 
of  an  undetected  fail  off  of  a  vernier  jet,  drifting  attitude  control  problems  may  result, 
but  there  are  no  system  problems  associated  with  additional  firing  on  a  vernier  fail-off 
jet. 

b.  FAIL  LEAK 

WSTF  testing  has  demonstrated  that  propellant  leakage  into  the  chamber  may  freeze  and 
block  the  small  vernier  chamber.  If  the  failure  went  undetected  and  the  jet  were  allowed 
to  fire,  the  blockage  could  cause  severe  damage.  Therefore,  for  loss  of  failed  leak 
protection,  the  jet  will  be  deselected.  If  the  remaining  vernier  jets  have  good  RM  and 
are  adequate  to  maintain  attitude  control,  vernier  control  may  be  selected;  otherwise, 
primary  jets  must  be  selected. 

c.  FAIL  ON 

During  active  attitude  hold,  a  vernier  jet  failed  on  would  force  the  orbiter  outside  the 
DAP  deadbands.  Opposing  jets  would  then  fire  to  correct  the  attitude  until  the  failed-  on 
jet  was  stopped  (i.e.,  manifold  closure  or  RJD  driver  power  off)  or  the  propellant  was 
depleted.  Normally,  the  RCS  RM  would  annunciate  the  failure  but  with  loss  ofRM  there 
would  be  no  alarm.  During  crew  awake  periods,  numerous  jet  firings  would  alert  the 
crew  to  take  corrective  action  before  significant  propellant  loss  occurs.  However, 
during  crew  sleep,  the  failure  could  go  undetected  for  severed  hours  depleting  the  RCS 
tanks.  Therefore,  during  crew  sleep  the  vernier  jets  would  not  be  used  for  loss  of  fail-on 
RM.  Primary  jets  will  be  selected  in  the  tail-only  con  trol  mode  to  eliminate  cabin  noise 
associated  with  the  firing  of  the  FRCS  thrusters. 

d.  TOTAL  RM 

An  MDM  comm  fault  or  BCE  bypass  would  cause  loss  of  toted  RM  on  a  pair  of  vernier 
jets  (e.g.,  L5L  and  L5D).  This  would  be  at  least  equivalent  to  the  worst  case  of  loss  of 
fail  leak  RM  and  therefore  cause  the  loss  of  verniers  and  selection  of  primary  jets. 
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A6-156  RCS  RM  LOSS  MANAGEMENT  (CONTINUED) 

B.  PRIMARY  JETS 

For  any  loss  ofRM  protection  during  any  DAP  phase  the  affected  jet  will  be  changed  to  the  lowest 
priority.  The  lowest  priority  jet  will  not  fire  during  normal  orbit/trans  DAP  operations.  Jet 
availability  (reselect/deselect)  will  be  managed  to  minimize  the  use  of  the  jet.  For  orbit/trans  DAP. 
the  affected  jet  (all  axes)  will  remain  available  ( reselected )  to  provide  system  redundancy  should 
multiple  failures  (additional  jet  loss)  occur.  This  allows  the  jet  to  be  available  without  requiring 
crew  actions  during  a  time-critical  phase. 

For  Aero jet/GRTLS  DAP,  only  an  affected  yaw  jet  will  be  deselected.  This  prevents  the  affected  yaw 
jet  from  being  fired  during  roll  reversals.  The  DAP  commands  all  available  yaw  jets  to  provide 
attitude  control.  All  other  jet  axes  will  remain  available  to  provide  system  redundancy,  since  these 
jets  will  not  fire  while  in  lowest  priority  during  normal  operations  of  the  Aerojet/GRTLS  DAP. 

RCS  manifolds  will  not  be  closed  due  to  the  loss  ofRM  protection  on  primary  jets.  Complications 
that  may  result  from  manifold  closure  are  more  probable  than  the  failures  due  to  loss  ofRM,  such 
as  manifold  pressure  decay  resulting  in  jet  leaks  or  possible  staged  repress  procedures. 

Firing  jets  with  loss  of  fail  leak  or  fail  off  detection  may  result  in  zots,  valve  damage,  or 
contamination.  This  minimal  risk  is  accepted  to  provide  vehicle  control  capability  should  multiple 
failures  occur. 

1.  ORBIT/TRANS  DAP: 

The  orbit  and  trans  DAP  require  one  jet/direction/pod  to  maintain  attitude  con  trol.  Fail-safe 
redundancy  (two  jets/direction/pod)  is  required  for  time  and  safety  critical  events  (RNDZ, 
deploy). 

Action  for  loss  of  fail  off,  leak,  on,  or  toted  RM  will  usually  be  delayed  until  after  FT  SEP  or 
OMS-1  in  order  to  minimize  crew  activity  during  the  ascen  t  phase. 

a.  FAIT  OFF/LEAK 

The  affected  jet  will  remain  available  and  be  put  into  last  priority.  The  orbit  and  trans 
DAP  will  only  fire  one  jet/direction/pod  for  rotational  control.  For  translation  the  DAP 
may  fire  more  than  one  jet/direction/pod.  Multiple  failures  may  require  the  use  of  the 
affected  jet  to  maintain  fail  safe  redundancy  for  time/safety  critical  events.  The  jet  will 
be  available  without  further  crew  action. 
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RCS  RM  LOSS  MANAGEMENT  (CONTINUED) 

FAIL  ON 

The  affected  manifold  status  will  be  set  to  “closed”  and  the  RJD  powered  off  This  will 
eliminate  any  chance  of  an  undetected  fail-on  jet. 

For  high  priority  events  which  require  the  affected  jet,  such  as  -X  jets  for  low-Z 
translations,  the  affected  jet  can  be  reselected  and  RJD  power  turned  on.  The  risk  of  a 
jet  fail-on  is  considered  acceptable  to  achieve  mission  success  activities. 

While  in  the  trans  DAP  for  entry,  manifold  status  actions  may  be  performed  to  prepare 
for  Aerojet  DAP  and  deorbit  burn. 

TOTAL  RM 

The  affected  manifold  status  will  be  left  “closed”  and  the  RJD  powered  off.  This  will 
eliminate  any  possible  chance  of  cm  undetected  fail-on  jet. 

With  cm  MDM  comm  fault  or  BCE  bypass,  the  manifold  status  will  be  set  to  “closed” 
automatically.  For  OMS-1,  -2  or  deorbit  any  affected  manifold  with  ±X  jets  will  be  set  to 
“open”  and  associated  RJD  powered  on.  The  risk  of  cm  undetected  jet  failure  will  be 
accepted  to  ensure  RCS  X  jets  are  available  for  OMS-1,  -2  or  deorbit. 

While  in  the  trans  DAP  for  entry,  RJD  actions  may  be  performed  to  prepare  for  aerojet 
DAP  and  deorbit  burn. 
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A6-156  RCS  RM  LOSS  MANAGEMENT  (CONTINUED) 

2.  AEROJET/GRTLS  DAP: 

Entry  requires  three  yaw  jets/pod  and  two  pitch  jets/direction/pod  for  the  aft  RCS  to  maintain 
fail-safe  redundancy. 

a.  FAIL  OFF/LEAK/ON 

The  Aerojet/GRTLS  DAP  will  fire  four  yaw  jets  if  available  during  roll  reversals. 
Therefore  a  yaw  jet  with  loss  of  fail  off,  leak  or  on  detection  will  be  deselected  and 
placed  in  last  priority.  For  subsequen  t/multiple  failures  the  jet  may  be  reselected  per  the 
reselection  priority  table  { Rule  { A6-159 j,  FAILED  PRCS  JET  RESELECTION 
PRIORITY). 

The  possibility  of  firing  three  pitch  jets  in  the  Aerojet/GRTLS  DAP  exists;  however,  the 
probability  of  firing  the  last  priority  jet  is  small  enough  that  it  is  an  accepted  risk  not  to 
deselect  a  pitch  jet  that  has  lost  RM  detection.  Therefore,  the  pitch  jet  will  be  placed  in 
last  priority  and  reselected  if  it  was  autodeselected. 

The  affected  jet  may  remain  available  if  it  is  not  a  yaw  jet.  Multiple  failures  may  require 
the  use  of  the  jet  to  main  tain  fail-safe  redundancy.  The  jet  will  be  available  withou  t 
further  crew  actions. 

b.  TOTAL  RM 

The  affected  manifold  status  will  be  set  to  “ closed  ”  and  the  RJD  powered  off.  These 
actions  provide  a  conservative  approach  to  compensate  for  the  loss  of  all  three  detection 
methods.  Jets  may  be  reselected,  if  necessary,  depending  on  the  cause  of  the  failu  re  and 
based  on  the  criteria  in  Rule  {A6-159},  FAILED  PRCS  JET  RESELECTION  PRIORITY. 
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A6-157  RCS  JET  FAILED  OFF  HOTFIRE  TEST 

FOR  RM  FAIL-OFF,  VERNIER  THRUSTERS  WILL  BE  TESTED  AFTER  THE  FIRST 
FAILURE.  PRIMARY  THRUSTERS,  FOR  UNKNOWN  FAILURES,  WILL  BE  TESTED 
IN  ORDER  TO  MAINTAIN  FAIL-SAFE  REDUNDANCY. 

Vernier  thrusters  will  be  hot  fired  for  failures  where  the  cause  is  unknown  in  an  attempt  to  regain  vernier 
control.  Vernier  jets  are  required  for  propellant  conservation  such  that  mission  objectives  can  be 
completed  and  mission  success  achieved.  Primary  jets  will  not  be  hot  fired  after  the  first  failure  because 
of  redundant  jet  availability  and  to  avoid  any  unnecessary  risks  associated  with  the  hot  fire.  If  multiple 
failures  make  troubleshooting  desirable  because  of  loss  of  fail-safe  redundancy,  the  primary  jets  may  be 
hot  fired,  depending  on  the  suspected  failure.  For  example,  if  it  is  suspected  that  hot  firing  might  result 
in  loss  of  the  entire  manifold  of  jets,  the  test  will  not  be  performed.  For  suspected  instrumentation 
failures,  the  jet  may  be  hot  fired  after  the  first  failure.  The  risk  is  low  if  the  data  indicate  an 
instrumentation  problem,  plus  accomplishing  the  hot  fire  may  reduce  vehicle  turnaround  time 
postlanding. 

For  real  fail  leak  jets,  the  affected  jet  will  not  be  hot  fired  because  of  possible  ice  in  the  chamber  and 
injector  plate.  Reference  Rule  {A6-158J,  RCS  LEAKING  JET  MANAGEMENT. 
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A6-158  RCS  LEAKING  JET  MANAGEMENT 

A.  PRIMARY  JETS: 

1.  A  LEAKING  JET  WILL  NOT  BE  DESELECTED  UNLESS  THE  INJECTOR 
TEMPERATURE  VIOLATES  THE  RCS  RM  LIMIT  OR  PROPELLANT 
LEAKAGE  IMPACTS  CONTAMINATION  SENSITIVE  ORBIT  ACTIVITIES. 

2.  FOR  A  LEAKING  JET  THAT  HAS  BEEN  DESELECTED  BY  RCS  RM,  THE 
JET  CAN  BE  RESELECTED  AND  USED  ON  A  NONINTERFERENCE  BASIS 
(NO  IMPACT  TO  MISSION  EVENTS)  ONCE  THE  OXIDIZER  AND  FUEL 
INJECTOR  TEMPERATURES  WARM  UP  >  65  DEG  F. 

3.  A  LEAKING  JET  THAT  HAS  BEEN  ANNUNCIATED  "FAIL  LEAK"  ON 
TWO  SEPARATE  OCCASIONS  WILL  BE  CHANGED  TO  THE  LOWEST  JET 
PRIORITY  AND  REMAIN  DESELECTED  UNLESS  REQUIRED  TO 
MAINTAIN  ATTITUDE  CONTROL.  DURING  ENTRY  IF  BOTH  OF  THE 
INJECTOR  TEMPERATURES  >  65  DEG  F,  THE  JET  WILL  BE 
RESELECTED  AS  REQUIRED  TO  MAINTAIN  FAIL-SAFE  REDUNDANCY. 

In  three  different  leak  cases  (FIL  on  STS-4,  R4U  and  L2D  on  STS-6),  the  leak  always  started  coincident 
with  the  jet  being  fired.  A  sharp  decay  in  the  injector  temperature  occurs  until  thermal  equilibrium  is 
obtained  or  until  the  leak  has  stopped.  Subsequent  firing  of  the  affected  jet  after  the  leak  has  stopped  and 
warmed  up  to  normal  temperatures  does  not  necessarily  restart  the  leak  as  evidenced  with  FIL  and  R4U. 
These  two  cases  showed  no  further  leakage  even  after  repeated  jet  use.  Data  have  indicated  that  the  leak 
will  eventually  stop  and  the  temperatures  warm  up  without  firing  the  jet,  i.e.,  applying  pressure  to  jet 
injector  valve  may  result  in  leak  stoppage  due  to  valve  seat  design  and  compression  of  valve  into  Teflon 
seat.  The  leaks  that  we  have  seen  to  date  have  been  very  small,  on  the  order  of  0.1  to  0.3  Ib/hr  or  less  than 
100  cc/hr  propellant  leakage.  It  is  felt  that  these  sizes  of  leaks  do  not  represent  any  impact  to  mission 
operations.  However,  the  system  will  be  configured  to  minimize  any  jet  leakage  that  may  occur  by  taking 
advantage  of  redundant  jets  and  preclude  further  firing  of  the  affected  jet.  Firing  a  leaking  primary  jet 
(RCS  RM  declared  failed  leak)  presents  no  hardware  concerns  if  the  injector  temperatures  >  65  deg  F. 
WSTF  tests  showed  that  with  the  injector  temperatures  <  65  deg  F  (ref.  SODB,  volume  I,  paragraph 
3.4.3.2-12a),  ZOT’s  could  occur  that  may  increase  the  jet  leak  and  require  a  manifold  be  closed.  However, 
if  the  primary  jet  is  required  for  control  during  entry,  the  risk  of  further  damage  to  the  jet  is  low  compared 
to  the  crew  risk  if  not  reselected. 
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A6-158  RCS  LEAKING  JET  MANAGEMENT  (CONTINUED) 

B.  VERNIER  JETS: 

LEAKING  VERNIER  JETS  WILL  CONTINUE  TO  BE  USED  UNLESS 
DESELECTED  BY  RCS  RM .  SUBSEQUENT  RESELECTION  AND  USE  IS  ONLY 
ALLOWED  IF  THE  INJECTOR  TEMPERATURES  HAVE  BEEN  GREATER  THAN 
THE  RM  LIMIT  FOR  3  HOURS  VERIFYING  THAT  NO  ICE  REMAINS  IN  THE 
INJECTOR.  @[091098-6708] 

A  vernier  jet  known  to  be  leaking  will  be  used  until  the  injector  temperatures  violate  the  RCS  RM  leak 
limit  and  is  automatically  deselected.  Until  this  limit  is  violated,  there  are  no  risks  associated  with  firing 
the  jet.  Conversely,  after  the  RM  limit  has  been  violated,  the  leak  freezes  and  plugs  the  small  chamber 
quickly.  Subsequent  jet  firings  may  result  in  possible  uncontained  damage. 

Reference  SODB  Volume  1,  Paragraphs  3. 4. 3. 2. 12. b  and  3. 4. 3. 2. 13. b. 

Rules  { A6-9B j,  RCS  JET  HEATER;  (A6-157J,  RCS  JET  FAILED  OFF  HOTF1RE  TEST;  and  {A6-159j, 
FAILED  PRCS  JET  RESELECTION  PRIORITY,  reference  this  rule.  @[091 098-6708  ] 
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A6-159  FAILED  PRCS  JET  RESELECTION  PRIORITY 

FOR  MULTIPLE  PRIMARY  JET/RM  FAILURES  RESULTING  IN  JET  DESELECTION 
AND  PRIORITY  CHANGES,  JET  WILL  BE  RESELECTED,  AS  REQUIRED,  TO 
PROVIDE  ATTITUDE  CONTROL  OR  FAIL-SAFE  REDUNDANCY  IN  THE  FOLLOWING 
ORDER  (HIGHEST  RESELECT  FIRST) : 

A.  JET  WHICH  HAS  BEEN  ANNUNCIATED  FAIL  LEAK,  AND  BOTH  INJECTOR 
TEMPERATURES  >  65  DEG  F. 

B.  JET  WITH  DEGRADED  INSTRUMENTATION. 

C.  JET  WITHOUT  FAIL-ON  RM . 


D  . 

JET 

WITH 

DEGRADED 

OR 

LOSS 

OF 

FAIL-OFF  RM. 

E  . 

JET 

WITH 

DEGRADED 

OR 

LOSS 

OF 

FAIL  LEAK  RM . 

F.  JET  WITH  LOSS  OF  TOTAL  RM . 

G.  JET  WHICH  HAS  BEEN  ANNUNCIATED  FAIL  LEAK  TWICE  AND  BOTH 

INJECTOR  TEMPERATURES  >  65  DEG  F. 

H.  JET  WHICH  HAS  BEEN  ANNUNCIATED  FAIL-OFF. 

I.  JET  WHICH  HAS  BEEN  ANNUNCIATED  FAIL  LEAK  AND  INJECTOR 

TEMPERATURES  <  65  DEG  F  (POSSIBLY  STILL  LEAKING) . 

The  redundancy  in  primary  jets  allows  a  single  jet  failure  to  be  deselected  with  little  or  no  impact  to  the 
vehicle  capability.  If  no  capability  is  lost,  it  would  be  desirable  to  deselect  the  jet  since  subsequent 
failures  may  go  undetected.  For  the  second  jet  failure,  fail-safe  redundancy  can  be  lost  since  two  pitch 
jets  and  three  yaw  jets  are  required  and  only  three  pitch  and  four  yaw  jets  are  available.  To  maintain 
fail-safe  redundancy,  it  may  be  worth  the  risk  to  reselect  the  jet  and  be  exposed  to  a  subsequent  failure 
going  undetected.  After  all,  the  jet  with  failed  instrumen  tation  or  the  jet  that  has  stopped  leaking  are 
healthy  and  if  used  will  be  exposed  to  the  same  failures  as  a  jet  with  no  problem. 

The  priority  for  choosing  which  jet  to  reselect  is  provided  in  this  rule  starting  with  a  jet  with  good  RM 
and  only  sligh  tly  degraded  instrumentation.  Jets  with  no  fail  on  RM  will  be  reselected  next  since  the 
chances  of  a  failed -on  jet  are  minimal  compared  to  fail-off  jets.  Loss  of  leak  RM  would  create  more  of  a 
problem  since  a  leaking  jet  undetected  could  cause  the  leak  to  increase.  Loss  of  total  RM  ( ON,  OFF, 
LEAK )  increases  the  chances  of  a  failed  jet  being  undetected. 
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A6-159  FAILED  PRCS  JET  RESELECTION  PRIORITY  (CONTINUED) 

Jets  which  have  leaked  once,  but  stopped  as  indicated  by  injector  temperatures  >  65  deg  F,  may  be 
reselected  and  used  on  a  noninterference  basis  (reference  SODB,  volume  I,  paragraph  3.4.3.2-12a).  (See 
Flight  Rule  {A6-158},  RCS  LEAKING  JET  MANAGEMENT. )  Jets  which  have  leaked  twice,  but  stopped 
as  indicated  by  injector  temperatures  >  65  deg  F,  may  be  reselected  according  to  the  priority  listing 
above.  For  a  jet  that  has  failed  leak,  experience  has  shown  that  there  are  no  means  for  determining 
whether  the  jet  will  leak  again  and  be  declared  fail  leak  by  RM.  These  jets  will  be  selected  before  a  jet 
that  has  failed  off  since  these  jets  are  known  to  be  healthy.  Since  the  failed-ojf  jet  status  has  not 
changed,  the  failed-ojf  jet  will  most  likely  fail  off. 

Jets  that  have  been  annunciated  fail  off  will  have  RM  toggled  so  that  it  may  be  declared  fail  off  again,  if 
the  failure  is  still  present.  Reselecting  the  jet  would  not  be  a  safety  hazard. 

Jets  which  have  been  annunciated  fail  leak  and  may  be  still  leaking  will  not  be  reselected  except  to 
maintain  attitude  control  since  firing  a  leaking  jet  may  cause  injector  seal  leakage  to  increase. 

Rule  {A6-156},  RCS  RM  LOSS  MANAGEMENT,  references  this  rule. 

A6-160  THROUGH  A6-200  RULES  ARE  RESERVED 
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OMS/RCS  LEAK  MANAGEMENT 


A6-201  OMS/RCS  LEAKING  HE  TANK  BURN 

FOR  A  LEAKING  OMS/RCS  HELIUM  TANK,  A  BURN  MAY  BE  SCHEDULED  TO 
INCREASE  THE  PROPELLANT  ULLAGE  VOLUME. 

It  is  importan  t  to  increase  the  ullage  volume  for  He  tank  leaks  so  that  the  delta  velocity  (V)  lost  with  a  He 
tank  failure  is  minimized.  IfOMS  propellant  tank  quantities  are  below  39  percent,  the  OMS  tanks  can  be 
used  in  the  blowdown  mode  (no  He  tank  support )  with  little  or  no  loss  of  capability.  Ascent  procedures 
for  OMS  He  tank  leaks  have  been  developed  to  maximize  blowdown  capability  by  performing  a 
contingency  abort  dump  using  the  leaking  OMS  propellant.  Post-OMS-2  quantities  are  sometimes  below 
39  percent  and  will  not  require  a  blowdown  maximization  burn.  If  post-OMS  2  quantities  are  above  39 
percent,  a  maximum  blowdown  burn  should  be  performed.  After  evaluating  the  total  delta  velocity 
available  it  may  be  desirable  to  perform  a  perigee  adjust  burn  to  achieve  maximum  blowdown.  The  RCS 
propellant  tanks  reach  maximum  blowdown  at  22  (OX)  and  23  ( FU )  percent.  Maximum  blowdown 
procedures  for  use  on  orbit  are  documented  in  the  MALF  PROC  titled  “LEAKING  He  RCS  BURN ”  and 
in  the  Orbit  Pocket  titled,  “  OUT  OF  PLANE  OMS  PRPLT/He  BURN”  for  the  OMS.  Next  PLS  may  be 
required  if  propellant  margins  dictate. 

Rule  { A6-51B },  OMS  FAILURE  MANAGEMENT  [CIL],  references  this  rule. 

A6-202  OMS  LEAKING  HE  SYSTEM  BURN 

DURING  OMS  BURNS,  A  LEAKING  HELIUM  SYSTEM  MAY  BE  USED  TO  FEED 
BOTH  ENGINES  TO  INCREASE  PROPELLANT  ULLAGE  VOLUME. 

As  long  as  the  helium  tank  pressure  supports  a  nominal  propellant  tank  pressure,  a  leaking  helium  tank 
can  be  used  to  feed  both  OMS  engines.  This  configuration  attempts  to  maximize  the  blowdown  delta  V 
capability  in  the  affected  OMS  system  prior  to  the  helium  tank  being  declared  failed.  No  risk  of  damage 
to  the  OMS  engines  exists  because  a  good  propellant  feed  source  is  always  used.  Starting  two  OMS 
engines  from  one  pod  is  acceptable. 
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A6-203  QMS  LEAKING  INLET  LINE  PERIGEE  ADJUST  BURN 

FOR  AN  OMS  INLET  LINE  LEAK  WHICH  HAS  BEEN  ISOLATED  ON  ORBIT,  A 
PERIGEE  ADJUST  OR  OUT-OF-PLANE  BURN  WILL  BE  PERFORMED  AS  SOON  AS 
PRACTICAL  TO  ASSURE  TIME  FOR  POSTBURN  PROPELLANT  SUBLIMATION. 
MISSION-CRITICAL  EVENTS  MAY  BE  COMPLETED  PRIOR  TO  THE  PERIGEE 
ADJUST  BURN  ONLY  IF  THE  EVENT  CANNOT  BE  COMPLETED  AFTER  THE 
PERIGEE  ADJUST  BURN  AND  IF  THE  EVENT  DOES  NOT  RESULT  IN  A  NET 
LOSS  OF  DELTA  V  CAPABILITY. 

OMS  inlet  line  leaks  which  have  been  isolated  must  be  repressurized  prior  to  performing  a  burn.  The 
repressurization  will  create  a  surge  which  could  cause  the  leak  to  increase,  and  as  a  result,  it  is  unknown 
how  much  delta  V  may  be  available  from  the  leaking  system.  Therefore,  the  remaining  RCS  and  good 
OMS  propellant  must  be  conserved  until  after  the  burn.  Also,  the  earlier  the  burn,  the  more  time  for 
propellant  sublimation 

Rule  { A6-51T },  OMS  FAILURE  MANAGEMENT  [CIL],  references  this  rule. 

A6-204  OMS  GN2  ACCUMULATOR  LEAK  DETERMINATION 

A  LEAKING  OMS  GN2  ACCUMULATOR  MAY  BE  REPRESSURIZED  TO  DETERMINE 
THE  LEAK  RATE . 

Since  the  leak  rate  is  so  critical  in  determining  health  of  the  OMS  engine,  the  accumulator  may  be 
repressurized  to  determin  e  the  leak  rate.  If  a  leak  occu  rs  through  the  purge  valves,  each  time  the  purge 
valves  are  used  this  leak  rate  may  increase.  Since  the  affected  OMS  engine  may  be  used  for  OMS-1  and 
a  purge  will  occur  at  OMS-1  cutoff,  the  leak  rate  should  be  checked  before  the  deorbit  burn  to  ensure  the 
rate  has  not  increased  to  beyond  acceptable  limits. 

( Reference  Rule  { A6-51M },  OMS  FAILURE  MANAGEMENT  [CIL ] ),  ®[ED  ] 
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A6-205  RCS  LEAKING  PROPELLANT  TANK  BURN 

FOR  RCS  PROPELLANT  TANK  LEAKS,  A  PERIGEE  ADJUST  OR  OUT-OF-PLANE 
MANEUVER  WILL  BE  EXECUTED  IMMEDIATELY.  PROPELLANT  MAY  BE  DUMPED 
TO  DEPLETION. 

Thermal  effects  of  a  propellant  leak  and  propellant  sublimation  rates  vary  as  a  function  of  which 
propellant  is  leaking,  the  location  of  the  leak ,  the  distribution  of  the  propellant  within  the  pod,  and  the 
thermal  environment.  As  a  result,  to  preclude  propellant  feedlines  from  freezing  thus  rendering  the  entire 
pod  unusable,  the  propellant  will  be  dumped  immediately.  If  the  tank  is  dumped  to  depletion,  MALF  RCS 
SSR-7  will  be  used  to  clear  the  helium  from  the  propellant  lines.  (OMS  tank  leaks  are  handled  in  a  similar 
manner.)  This  leak  philosophy  was  agreed  upon  at  the  July  13,  1987,  Flight  Rules  PRCB. 


A6-206  RCS  MANIFOLD/LEG  LEAK  REPRESSURIZATION 

RCS  LINE  LEAKS  WILL  NOT  BE  REPRESSURIZED  IN  MM  602,  304  (POST 

Q-BAR  =  20),  AND  305  TO  RECOVER  RCS  YAW  JETS  IF  NO  YAW  JET  DAP 
MODE  IS  AVAILABLE.  RCS  LINE  LEAKS  WILL  BE  REPRESSURIZED  TO 
RECOVER  FAIL  CRITICAL  JET  REQUIREMENTS  FOR  ET  SEPARATION  AND 
PRIOR  TO  Q-BAR  =20  AFTER  ALL  OTHER  OPTIONS  HAVE  BEEN  ATTEMPTED 
(E.G.,  RESTRING,  PORTMODE,  ETC.) 

GNC  Flight  Rule  {A8-19},  YAW  JET  DOWNMODE,  addresses  entry  yaw  jet  downmode  for  multiple 
failures.  This  rule  prescribes  No  Yaw  Jet  selection  if  all  four  jets  are  failed  on  either  side.  No  yaw  jet 
DAP  mode  is  a  certified  flight  control  mode,  and  without  numerous  failures  further  downmode  will  not  be 
required.  Leaking  oxidizer  (N2O4)  or  fuel  { MMH )  may  create  a  greater  flammability  hazard  due  to  the 
operation  of  the  APU’s.  Fuel  (MMH)  has  demonstrated  afire  potential  when  leaked  onto  the  internal 
thermal  blankets.  The  vent  doors  must  be  opened  for  a  nonisolated  N2O4  leak  during  entry  which  will 
result  in  major  vehicle  damage  and  subsequent  extended  down  time  for  repairs.  Additionally,  leaking 
oxidizer  (N2O4)  will  cause  corrosion  of  in  ternal  components  potentially  requiring  replacement.  Flight 
Rules  {A1 6-204 },  WINDWARD  APU  OPERATIONS  CONSTRAINT  (oxidizer);  and  {A16-11},  EXPEDITED 
POWERDOWN  (fuel),  address  the  off  nominal  postlanding  impacts  for  leaking  propellants  into  the  pods. 
Due  to  the  nature  of  the  propellants  and  the  uncertainty  of  a  successful  repressurization,  all  other  options 
should  be  pursued  prior  to  attempting  repressurization  of  a  leaking  line.  If  no  other  option  exists,  then  the 
line  will  be  repressed  and  the  leak  supported  to  a  Q-bar  =  20.  At  Q-bar  =  20  no  yaw  jet  DAP  mode  will  be 
selected  and  the  leaking  RCS  isolated.  ®[021 998-6485B] 
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THERMAL  REDLINES  AND  MANAGEMENT 


A6-251  GENERAL 

A.  IF  INSTRUMENTATION  IS  LOST  FOR  VERIFICATION  OF  HEATER 
OPERATION,  THE  REDUNDANT  SET  (A  OR  B)  WILL  NOT  BE  BROUGHT 
ONLINE  WITH  THE  EXCEPTION  OF  THE  OMS/RCS  CROSSFEED  HEATERS. 

The  loss  of  insight  into  the  heater  operations  does  not  make  the  heater  suspect.  The  heater  in  use  has 
been  proven  functional  and  there  is  no  reason  to  switch  to  the  redundant  heater  set  with  unknown 
operation. 

The  pod  heaters  are  designed  differently  than  the  crossfeed  heaters.  If  both  sets  of  pod  heaters  are 
powered  on  possible  heater  patch  delamination  could  occur  since  the  patches  (A  and  B)  are  laid  on  top 
of  each  other.  The  crossfeed  line  heaters  are  wrapped  around  the  line,  with  A  and  B  circuits  wrapped 
together  in  a  single  “rope”  heater.  Consequently,  both  heaters  can  be  powered  on  simultaneously  to 
protect  for  failed-off  heaters  without  risking  damage  to  heater  elements.  The  crossfeed  line  heaters  also 
have  series  redundant  thermostats  for  overtemperature  protection. 

B.  THE  HEATERS  WILL  BE  CYCLED  TO  THE  REDUNDANT  SET  (A  OR  B)  AT 
LEAST  ONCE  DURING  THE  MISSION. 


Ensures  two  functioning  heater  systems. 


C.  RCS  PRIMARY  THRUSTERS  HEATERS  WILL  BE  OFF  FOR  ASCENT,  UNLESS 
THE  AMBIENT  TEMPERATURE  AT  THE  LAUNCH  SITE  IS  <  50  DEG  F. 

THE  HEATERS  WILL  BE  ENABLED  FOR  ALL  OTHER  FLIGHT  PHASES  OF 
THE  MISSION.  VERNIER  THRUSTER  HEATERS  WILL  BE  ENABLED  PRIOR 
TO  LAUNCH  AND  TURNED  OFF  FOR  ENTRY. 


Primary  jet  heaters  are  powered  off  for  ascent  to  provide  additional  power  savings. 

For  cold  launch  conditions  where  the  ambient  temperature  at  the  launch  site  is  <  50  deg  F  (reference 
OMRSD,  general  requirements,  9.2.5),  the  primary  heaters  may  be  powered  on  during  ascent  to  preclude 
launch  commit  criteria  (LCC)  violations  (injector  temperature  ?  64  deg  F)  (reference  LCC  page  6.3-28). 
The  LCC  limits  preclude  jet  valve  seat  shrinkage  and  subsequent  jet  leakage  during  ascent. 

Primary  heaters  can  only  be  turned  on  if  the  ascent  electrical  load  for  the  particular  mission  is  small 
enough  to  allow  the  additional  power  consumption.  However,  if  power  requirements  do  not  permit, 
heaters  should  be  left  on  until  T-20  minutes. 

THIS  RULE  CONTINUED  ON  NEXT  PAGE 
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A6-251  GENERAL  (CONTINUED) 


Vernier  jet  heaters  are  on  prelaunch  through  ascent  to  ensure  proper  operating  temperature  for  on-orbit 
operations.  They  are  turned  off  for  entry  since  the  jets  are  not  used,  and  to  prevent  overtemping. 


Jet  heaters  may  be  turned  off  in  flight  for  contingency  powerdowns. 

D.  IN  THE  EVENT  THAT  ONE  SET  OF  HEATERS  IS  NOT  OPERATING  IN  ITS 
HEATER  CONTROL  RANGE  AND  THE  THERMAL  ENVIRONMENT  CONDITIONS 
ARE  NOT  A  FACTOR,  THAT  SET  WILL  BE  TURNED  OFF  AND  THE  OTHER 
SET  TURNED  ON.  IF  THE  APPROPRIATE  TEMPERATURE  INDICATES  THAT 
THE  HEATER  IS  THEN  OPERATING  WITHIN  ITS  HEATER  CONTROL  RANGE, 
THEN  THE  FIRST  SET  OF  HEATERS  WILL  BE  DECLARED  FAILED. 

After  switching  to  another  heater  set  which  controls  the  thermal  environment  within  normal  limits,  the 

first  set  of  heaters  is  declared  failed  because  no  other  factors  were  involved. 

E.  ANY  HEATER  SET  (A  OR  B)  THAT  IS  FAILED  ON  WILL  BE  CONTROLLED 
BY  MANUAL  OPERATION  AND  STILL  BE  CONSIDERED  OPERATIONAL  IF 
THE  OTHER  SET  FAILS. 

Failed-on  heaters  are  not  considered  failed  because  they  can  manually  be  controlled  by  cycling  power  on 

and  off 

Rule  {A6-256J,  OMS/RCS  HEATER  PERFORMANCE  MONITORING,  references  this  rule. 
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A6-252  OMS/RCS  POD  HEATER 

LOSS  OF  REDUNDANT  CRITICAL  HEATER  CIRCUITS  IN  THE  OMS  POD  NECESSARY 
TO  MAINTAIN  CG  CONTROL,  PROPELLANT  REDLINES ,  AND  RCS  ATTITUDE 
CONTROL  FOR  ENTRY  IS  CAUSE  FOR  ENTRY  AT  THE  NEXT  PLS  IF  THE 
ENVIRONMENT  CANNOT  MAINTAIN  THERMAL  REDLINES: 

CRITICAL  HEATER  LOCATION  EQUIPMENT 


A.  KEEL  WEB,  INNER  "Y"  WEB  OMS/RCS  TANKS,  RCS  HE  LINES 

B.  RCS  HOUSING  HEATERS  RCS  PROPELLANT  LINES 

C.  (2  OF  3)  -  UPPER  "Y"  WEB,  RCS  MANIFOLD  LINES 

OUTBOARD  "Y"  WEB,  GSE  SERVICE 

PANEL 

D.  OME  COVER  OME  PROPELLANT  FEEDLINES 

E.  OME  COMPARTMENT  OME  PROPELLANT  FEEDLINES 

GN2  TANK  AND  ACCUMULATOR 


All  critical  OMS/RCS  heater  circuits  are  redundant.  For  the  loss  of  both  A  and  B  heaters,  vehicle 
attitude  may  be  used  to  maintain  an  acceptable  thermal  environment.  The  heater  circuitry  protects  all 
equipment  that  contains  propellant.  The  propellant  temperatures  must  be  maintained  for  each  piece  of 
equipmen  t  according  to  the  Flight  Rules.  Violation  of  the  thermal  redlines  will  be  cause  for  deorbit  at 
the  next  PLS. 

*  Part  C  says  “(2  of  3)”  because  all  three  heaters  provide  heating  for  the  same  vicinity. 

A6-253  FORWARD  RCS  MODULE  TEMPERATURE  MANAGEMENT 

WHEN  NO  SM  MACHINE  IS  RUNNING,  FRCS  HEATERS  WILL  BE  OFF.  MANUAL 
CYCLING  OF  HEATER  SWITCHES  WILL  BE  MCC  CALL. 

The  forward  pod  will  stay  within  acceptable  limits  for  a  sufficien  t  period  of  time  without  the  heaters 
being  powered  on.  The  concern  is  that  afailed-on  heater  will  result  in  overtemping  manifold  lines 
without  being  annunciated  by  SM. 
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A6-254  OMS/RCS  PODS  TEMPERATURE  MANAGEMENT 

A.  ONE  OF  THE  REDUNDANT  SETS  OF  POD  HEATERS  WILL  BE  USED  TO 
MAINTAIN  ACCEPTABLE  THERMAL  CONDITIONS  IN  THE  PODS.  BOTH 
SETS  OF  HEATERS  WILL  NOT  BE  USED  SIMULTANEOUSLY. 

The  OMS  pod  heaters  are  operated  only  one  circuit  at  a  time.  The  concern  is  that  the  heater  patches  will 
overtemperature  and  debond  from  the  structure  if  both  sets  of  heaters  are  operated  concurrently.  This 
would  result  in  heater  circuit  failures  in  both  circuits  since  both  circuits  are  contained  in  each  heater 
patch  and  the  patches  must  be  on  the  structure  to  work  properly. 

B.  DURING  OPS  1,  ALL  POD  HEATERS  WILL  BE  TURNED  OFF.  MANUAL 

CYCLING  OF  HEATER  SWITCHES  WILL  BE  ON  MCC  CALL. 

The  OMS  pods  are  warmed  by  hot  GN2  prelaunch.  The  heaters  are  off  du  ring  ascen  t  phase  to  reduce  the 
power  level  in  the  event  a  power  failure  would  occur  during  launch.  Further,  since  the  switches  are  not 
accessible  during  ascent,  corrective  action  could  not  be  taken  for  a  heater  failed  on. 

C.  ALL  POD  HEATERS  WILL  BE  TURNED  OFF  AT  CREW  SEAT  INGRESS  FOR 
ENTRY  AND  WILL  REMAIN  OFF  THROUGH  ENTRY. 

The  OMS  pods  heaters  are  not  required  during  entry  due  to  aero  heating.  Also,  the  heaters  are  off 
during  entry  to  reduce  the  power  level  in  the  event  a  power  failure  would  occur  during  entry. 

D.  WHEN  THERE  IS  NO  ONBOARD  THERMAL  VISIBILITY  INTO  THE  PODS  (NO 
SM  AND  NO  BFS ) ,  ALL  POD  HEATERS  WILL  BE  OFF.  MANUAL  CYCLING 
OF  HEATER  SWITCHES  WILL  BE  ON  MCC  CALL. 

An  undetected  fail-011  heater  may  damage  pod  components.  The  ground  will  monitor  the  pod 
temperatures  and  cycle  the  heaters  as  required  to  maintain  temperatures  within  limits. 
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A6-255  OMS/RCS  CROSSFEED  LINES  TEMPERATURE  MANAGEMENT 

A.  DURING  ASCENT,  FROM  LIFT-OFF  UNTIL  POST  OMS-2,  BOTH  (A  AND  B) 
SETS  OF  HEATERS  WILL  BE  ON. 

The  crossfeed  line  heaters  are  wrapped  around  the  line,  with  A  and  B  circuits  wrapped  together  in  a 
single  “rope”  heater.  Consequently,  both  heaters  can  be  powered  on  simultaneously  to  protect  for 
failecl-off  heaters  without  risking  damage  to  heater  elements.  The  crossfeed  line  heaters  also  have  series 
redundant  thermostats  for  overtemp  protection. 

B.  DURING  ON-ORBIT  PERIODS,  ONE  OF  THE  REDUNDANT  HEATERS  (A  OR 
B)  WILL  BE  ON. 

Heaters  are  required  to  main  tain  the  crossfeed  line  thermal  conditions  within  acceptable  limits  for 
interconnect  and  crossfeed  operations. 

C.  BOTH  (A  AND  B)  SETS  OF  HEATERS  WILL  BE  TURNED  ON  AT  CREW  SEAT 
INGRESS  FOR  ENTRY  AND  WILL  REMAIN  ON  THROUGH  ENTRY. 

The  crossfeed  line  heaters  are  wrapped  around  the  line,  with  A  and  B  circuits  wrapped  together  in  a 
single  “rope”  heater.  Consequently,  both  heaters  can  be  powered  on  simultaneously  to  protect  for 
failed- off  heaters  without  risking  damage  to  heater  elemen  ts.  The  crossfeed  line  heaters  also  have  series 
redundant  thermostats  for  overtemp  protection. 

D.  WHEN  THERE  IS  NO  ONBOARD  THERMAL  VISIBILITY  INTO  THE 
CROSSFEED  LINES  (NO  SM  AND  NO  BFS ) ,  BOTH  (A  AND  B)  SETS  OF 
HEATERS  WILL  BE  TURNED  ON. 

The  heater  operation  cannot  be  verified  without  instrumentation.  Therefore  both  A  and  B  heaters  are 
tu  rned  on  to  provide  fail-safe  protection. 
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A6-256  OMS/RCS  HEATER  PERFORMANCE  MONITORING 

THE  PARAMETERS  MARKED  IN  THE  TABLES  WITH  SINGLE  ASTERISKS  ARE 
LOCATED  NEAR  HEATER  THERMOSTATS,  AND  ARE  USED  TO  MONITOR  HEATER 
OPERATION.  THE  NOMINAL  TEMPERATURE  RANGE  FOR  EACH  HEATER  IS 
VEHICLE/POD  SPECIFIC.  THE  RANGE  DEPENDS  ON  THE  TESTED  SET  POINTS 
OF  THE  CONTROLLING  THERMOSTATS,  AS  DOCUMENTED  IN  THE  SPACE  SHUTTLE 
SYSTEMS  HANDBOOK  DRAWINGS  11.7  THROUGH  11.9.  THE  TEMPERATURE 
INDICATED  BY  THE  01  PARAMETER  NEAR  THE  HEATER  THERMOSTAT  MAY  VARY 
SLIGHTLY  OUTSIDE  THE  SET  POINT  RANGE  DUE  TO  THE  DIFFERENCE  IN 
LOCATION  BETWEEN  THE  01  PARAMETER  AND  THE  THERMOSTAT,  AND  DUE  TO 
THE  EFFECT  OF  VEHICLE  ATTITUDE. 

THE  PARAMETERS  USED  TO  MONITOR  COMPONENT  TEMPERATURES  SHOULD 
NOMINALLY  REMAIN  WITHIN  THE  SYSTEM  REDLINES : 


FWD  RCS  HEATERS 


HEATER/COMPONENT 

Ol  PRIMARY 
PARAMETER 

Ol  BACKUP 
PARAMETER 

SYSTEM 
REDLINE  (?F) 

RESPONSE/NOTE 

FU  FWD  RCS 

V42T1 306A* 

V42T1308A 

40-  150  ** 

FU  FILL  LN 

V42T1304A 

-30-150 

FU  TKT 

V42T1300C 

40-150  *** 

FU  HE  TK 

V42T1104C 

-160-125 

-160-150 

PROP  QTY  >85% 
PROP  QTY? 85% 

OX  FWD  RCS 

V42T1 206A* 

V42T1208A 

40-150  ** 

OX  FILL  LN 

V42T1204A 

20-150 

OX  TKT 

V42T1200C 

40-150  *** 

OX  HE  TK 

V42T1100C 

-160-125 

-160-150 

PROP  QTY  >85% 
PROP  QTY? 85% 

NOTE:  A  OR  B  HTRS  ONLY,  NOT  BOTH. 

*  CONTROL  PARAMETER  NEAREST  THERMOSTAT.  SPEC  HTR  THERMOSTAT  RANGE  55  DEG-70  DEG  F 
(MINIMUM  6  DEG  F  DB). 

**  THESE  ARE  ON-SERVICE  LINES  WHICH  HAVE  AN  UPPER  LIMIT  OF  150  DEG  F.  HOWEVER,  THEY  ARE 
USED  TO  MONITOR  MANIFOLD  LINES  WHICH  HAVE  AN  UPPER  LIMIT  OF  100  DEG  F  NOMINALLY  AND 
150  DEG  F  FOR  A  5-SECOND  TRANSIENT.  @[062801 -4341  A] 

***  1 00  DEG  F  UPPER  LIMIT  FOR  BULK  PROPELLANT  TEMPERATURE.  TEMPERATURE  SENSOR  IS  ON 

TANK  SKIN  WHICH  HAS  UPPER  LIMIT  OF  150  DEG  F  FOR  LOCALIZED  REGIONS. 
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A6-256  OMS/RCS  HEATER  PERFORMANCE  MONITORING  (CONTINUED) 


RIGHT/LEFT  OMS/RCS  POD  HEATERS 


HEATER  COMPONENT 

Ol  PRIMARY 
PARAMETER 

Ol  BACKUP 
PARAMETER 

RESPONSE/NOTE 

‘Y’ WEBOME 
COMPARTMENT  HTRS 

UPPER  Y  WEB 

BlSi 

OUTBOARD  Y  WEB 

BmH 

INBOARD  Y  WEB*** 

V43T5704A * 

(4704A) 

V43T5705A * 

(4705A) 

20-150 

ENG  SERV  PNLOME 
COMPARTMENT  HTRS 

20-150 

[1] 

OME COVER 

BlSiBfi 

V43T5216A 

(421 6  A) 

OX  INLTT 

30-125 

FU  FDLN  T 

V43T5642A 

(4642A) 

30-125 

OX  BPV  T 

V43T5641 A 

(4641  A) 

30-125 

FU  INJ  T 

V43T5643A 

(4643A) 

NA-260 

@[062801 -4341  A] 


NOTE:  BOTH  A  AND  B  POD  HTRS  SHOULD  NOT  BE  USED  SIMULTANEOUSLY. 

*  CONTROL  PARAMETER  NEAREST  THERMOSTAT.  SPEC  HTR  THERMOSTAT  RANGE  55  DEG  -  75  DEG  F 
(MIN  6  DEG  DB). 

**  PARAMETER  MEASURES  STRUCTURE  TEMPERATURE  ONLY,  AND  IS  USED  TO  VERIFY  HEATER 

PERFORMANCE.  THE  TEMPERATURE  OF  COMPONENTS  AND  FLUID  WARMED  BY  HEATERS  MAY  VARY 
FROM  SENSED  TEMPERATURE 

***  INCLUDES  OX  DRAIN  PANEL. 

[1]  THERMAL  ANALYSIS  IS  REQUIRED  FOR  THE  LOSS  OF  INSIGHT  IN  THIS  REGION  DUE  TO  THE  LACK  OF 
REDUNDANT  PARAMETERS  AND  DUE  TO  THE  POTENTIAL  CONSEQUENCES  OF  A  HEATER  FAILED  ON 
OR  OFF.  @[06280 1-4341  A] 
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A6-256  OMS/RCS  HEATER  PERFORMANCE  MONITORING  (CONTINUED) 


RIGHT/LEFT  OMS/RCS  POD  HEATERS 


HEATER/COMPONENT 

Ol  PRIMARY 
PARAMETER 

Ol  BACKUP 
PARAMETER 

RESPONSE/NOTE 

OMS  HE  TK 

igQgrcnnTOf 

Wmuwam^ 

-160-200 

RCS  OX  HE 

V42T3100C 

(2100C) 

V42T3104C  (FU) 
(2104C) 

-160-125 

-160-150 

PROP  QTY  >85% 
PROP  QTY  ?85% 

RCS  FU  HE 

V42T3104C 

(2104C) 

V42T3100C  (OX) 
(2100C) 

-160-125 

-160-150 

PROP  QTY  >85% 
PROP  QTY  ?85% 

GSE  SERV  PNL 

V43T5706A* 

(4706A) 

20-150 

[1] 

RCS  HOUSING 

HEATERS 

DRAIN  PNL 

IKIHII 

VERNIER  PNL 

nan 

mmmm 

flHKEKBBII 

OX  MANF1  TEMP 

V42T3204A 

(2204A) 

40-150  *** 

VERN  OX  FDLN 

V42T3560A 

(2560A) 

40-200 

@[062801 -4341  A] 


NOTES: 

*  CONTROL  PARAMETER  NEAREST  THERMOSTAT.  SPEC  HTR  THERMOSTAT  RANGE  55  DEG  -  75  DEG  F 
(MIN  6  DEG  DB). 

**  PARAMETER  MEASURES  STRUCTURE  TEMPERATURE  ONLY,  AND  IS  USED  TO  VERIFY  HEATER 

PERFORMANCE.  THE  TEMPERATURE  OF  COMPONENTS  AND  FLUID  WARMED  BY  HEATERS  MAY  VARY 
FROM  SENSED  TEMPERATURE. 

***  70  DEG  F  LOWER  LIMIT  DURING  ENTRY  FOR  ZOT  PREVENTION.  UPPER  LIMIT  IS  1 00  DEG  F  NOMINALLY, 

AND  1 50  DEG  F  FOR  A  5-SECOND  TRANSIENT. 

[1]  THERMAL  ANALYSIS  IS  REQUIRED  FOR  THE  LOSS  OF  INSIGHT  IN  THIS  REGION  DUE  TO  THE  LACK  OF 
REDUNDANT  PARAMETERS  AND  DUE  TO  THE  POTENTIAL  CONSEQUENCES  OF  A  HEATER  FAILED  ON 
OR  OFF.  @[06280 1-4341  A] 
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A6-256  OMS/RCS  HEATER  PERFORMANCE  MONITORING  (CONTINUED) 


RIGHT/LEFT  OMS/RCS  POD  HEATERS 


@[062801 -4341  A] 

NOTE:  BOTH  A  AND  B  POD  HTRS  SHOULD  NOT  BE  USED  SIMULTANEOUSLY. 

*  CONTROL  PARAMETER  NEAREST  THERMOSTAT.  SPEC  HTR  THERMOSTAT  RANGE,  A  HTRS  55  DEG  - 
75  DEG  F,  B  HTRS  70  DEG  -  90  DEG  F  (MIN  6  DEG  DB). 

**  70  DEG  F  LOWER  LIMIT  DURING  ENTRY  FOR  ZOT  PREVENTION. 

***  1 00  DEG  F  UPPER  LIMIT  FOR  BULK  PROPELLANT,  BASED  ON  EXPULSION  EFFICIENCY. 

TEMPERATURE  SENSOR  IS  LOCATED  ON  TANK  SKIN  WHICH  HAS  UPPER  LIMIT  OF  150  DEG  F  FOR 
LOCALIZED  REGIONS. 

****  1 00  DEG  F  UPPER  LIMIT  FOR  BULK  PROPELLANT.  TEMPERATURE  SENSOR  IS  LOCATED  ON  TANK 

SKIN  WHICH  HAS  AN  UPPER  LIMIT  OF  150  DEG  F. 
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A6-256  OMS/RCS  HEATER  PERFORMANCE  MONITORING  (CONTINUED) 


AFT  FUSELAGE  HEATERS 


HEATER/COMPONENT 

Ol  PRIMARY 
PARAMETER 

Ol  BACKUP 
PARAMETER 

RESPONSE/NOTE 

XFD  FLOW  LINES 

OX  XFD  LN  C  ** 

V43T6242A * 

40-125 

OX  XFD  LN  L  ** 

V43T6243A * 

40-125 

OX  XFD  LN  R  ** 

V43T6244A * 

40-125 

AFT  XFD  L  TEMP  ** 

V43T6218A * 

40-125 

1  AFT  XFD  R  TEMP** 

V43T6219A * 

40-125 

DRAIN  LINES 

LH  OX  LP  DL  HTRS  ** 

V43T6236A * 

20-150 

RH  OX  LP  DL  HTRS  ** 

V43T6237A * 

20-150 

@[062801 -4341  A] 


NOTE:  BOTH  A  AND  B  XFD  HTRS  CAN  BE  USED  SIMULTANEOUSLY. 

*  CONTROL  PARAMETER  NEAREST  CONTROL  THERMOSTAT,  SPEC  HTR  THERMOSTAT  RANGE  55  DEG 
-  75  DEG  F.  EACH  HEATER  CIRCUIT  ALSO  HAS  AN  OVERTEMP  THERMOSTAT,  RANGE  70  DEG  -  90 
DEG  F. 

**  TEMPERATURE  SENSOR  IS  ON  OX  LINE,  BUT  THERMOSTAT  CONTROLS  BOTH  OX  AND  FU  HEATERS. 
@[062801 -4341  A] 


The  heater  matrix  allows  a  determination  to  be  made  on  the  health  of  the  OMS/RCS  heater  system.  The 
different  heater  systems  are  shown  down  to  the  heater/component  level.  The  instrumentation  used  to 
verify  the  operation  of  each  heater  is  defined. 


Operating  outside  of  the  nominal  temperature  range  (vehicle/pod  and  attitude-dependent)  may  iden  tify  a 
heater  failure  condition  (refer  to  Rule  j A6-251DJ ,  GENERAL  (thermal  management)).  The  thermostat 
set  points  SSSH  drawings  are  supplied  by  the  Operational  Space  Shuttle  Orbiter  Heater  Systems  Book, 
JSC-18549,  which  is  maintained  by  the  JSC/ES311  Thermal  Branch. 


Several  of  the  parameters  in  the  tables  monitor  heater  operation  by  close  proximity  to  the  heater 
thermostat.  If  the  indicated  temperature  of  such  a  parameter  exceeds  the  thermostat  set  point  range 
by  5  deg  F  or  more,  then  this  must  be  explained  by  the  influence  of  sensor  location  with  respect  to  the 
thermostat  and/or  by  the  vehicle  attitude,  else  the  heater  will  be  declared  failed. 

The  OMS  and  RCS  thermal  redlines  are  defined  in  the  SODB  tables  3. 4. 3.2-1  and  3.4. 3-1.  If  a 
parameter  directly  measures  the  temperature  of  a  componen  t  that  has  SODB  constraints,  then  these 
constraints  are  listed  in  this  rule  under  SYSTEM  REDLINE.  In  several  cases  (as  noted  with  asterisks  in 
the  SYSTEM  REDLINE  column),  the  parameter  is  mounted  on  the  pod  structure  and  is  used  to  monitor 
heater  performance  only.  These  structure  temperatures  do  not  necessarily  reflect  the  temperature  of 
components  that  are  warmed  by  the  monitored  heaters. 
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A6-256  OMS/RCS  HEATER  PERFORMANCE  MONITORING  (CONTINUED) 

Thermal  analysis  (reference  Data  Request  -  RI-1512A)  has  shown  that  for  the  loss  of  temperature 
parameters  listed  as  requiring  thermal  analysis  it  may  be  possible  to  tolerate  a  heater  failing  on  or  off. 

A  thermal  analysis  for  the  specific  planned  attitude  timeline  will  be  required  if  loss  of  insight  occurs  to 
determine  if  vehicle  attitude  managemen  t  and/or  manual  cycling  of  heaters  will  be  required  to  protect 
SODB  redlines.  @[062801 -4341  A] 

The  crossfeed  flow  lines  and  drain/bleed  lines  are  all  wrapped  with  rope-type  heaters.  The  thermal 
status  of  each  section  of  crossfeed  line  is  monitored  by  the  temperature  parameters  near  the  thermostat 
for  that  section  of  line.  Although  these  parameters  measure  the  line  temperatures  directly,  the 
configuration  of  the  rope  heaters  may  allow  warm  spots  to  develop  in  the  line  away  from  any 
temperature  parameter.  For  this  reason,  the  fault  detection  annunciation  (FDA)  limits  for  these 
temperature  parameters  are  well  within  the  system  redlines,  allowing  action  to  be  taken  before  the 
redlines  are  violated  anywhere  in  the  lines.  These  FDA  limits  are  documented  in  SSSH  drawing  11.9, 
HTR  AFT  OMS/RCS. 

Rule  (A1 8-451},  ORBITER  THERMAL  CONSTRAINTS  AND  ATTITUDE  MANAGEMENT  [CIL], 
references  this  rule.  @[062801 -4341  A] 
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A6-257  RCS  JET  TEMPERATURE  MANAGEMENT 

A.  PRIMARY  JETS:  @[091098-6708] 

1.  IN  THE  EVENT  OF  A  FAILED-OFF  PRIMARY  RCS  JET  HEATER,  THE 
AFFECTED  THRUSTER  MAY  BE  FIRED  MANUALLY  OR  CHANGED  TO 
FIRST  PRIORITY,  OR  ORBITER  ATTITUDE  MAY  BE  CHANGED  TO 
MAINTAIN  INJECTOR  TEMPERATURES  >  42(47)  DEG  F  (50  DEG  AT 
VALVE  SEAT) . 

The  50  deg  F  limit  (ref.  Shuttle  Operational  Data  Book  (SODB)  volume  I,  table  3. 4. 3.2-1,  note  L) 
protects  against  increased  risk  of  valve  leakage.  The  corresponding  injector  temperature  limit  is  derived 
from  thermal  math  model  analysis  data  for  the  case  of  a  heater  failed  off  and  exposure  to  deep  space.  If 
the  jet  is  exposed  to  some  solar  heating  (but  not  enough  to  alleviate  the  leakage  concern ),  then  the 
injector/valve  temperature  differential  may  diminish  slightly;  however,  since  the  rule  assumes  worst-case 
instrumentation  error  (5  deg  F),  the  50  deg  valve  limit  is  reasonably  protected. 

Note  that  a  primary  RCS  jet  heater  is  considered  failed  when  the  injector  temperatures  reach  55  deg  F 
(ref.  Rule  { A6-9J ,  RCS  JET  HEATER).  Firing  the  jet  periodically  will  maintain  the  injector  within 
operating  limits.  (Testing  has  shown  that  a  2-second  firing  will  increase  the  jet  injector  temperature 
approximately  16  deg  F.)  If  planned  orbit  activities  would  result  in  single  minimum  duration  pulse 
firings,  hot-fire  the  jet  for  a  minimum  of  2  seconds  prior  to  changing  the  jet  to  first  priority.  A  minimum 
duration  pulse  firing  with  the  injector  temperatures  ?  55  deg  F  can  cause  a  jet  leak  due  to  cold  Teflon 
valve  seats  not  seating  properly.  (Ref.  SODB,  volume  I,  paragraph  3.4.3.2.13). 

2.  PROS  JETS  MAY  NOT  BE  FIRED  IF  INJECTOR  TEMPERATURES 
EXCEED  162  (157)  DEG  F  (150  DEG  F  AT  VALVE  SEAT)  FOR  A 
SUSTAINED  PERIOD  (EXCEPT  AS  DEFINED  IN  PARAGRAPH  A. 3  OF 
THIS  RULE) .  TO  STAY  BELOW  THIS  OPERATIONAL  THERMAL 
LIMIT : 

a.  ORBITER  ATTITUDE  MAY  BE  CHANGED 

b.  THE  AFFECTED  JET(S)  MAY  BE  PLACED  IN  LAST  PRIORITY 
C.  A  FAILED-ON  HEATER  MAY  BE  SWITCHED  OFF  @[091098-6708] 
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A6-257  RCS  JET  TEMPERATURE  MANAGEMENT  (CONTINUED) 

The  150  deg  F  limit  ( ref  SODB  volume  I,  table  3. 4. 3. 2-1,  note  L)  protects  against  permanent 
deformation  and  damage  to  the  Teflon  valve  seat  due  to  the  combined  effects  of  high  closing  seat 
loads  and  degraded  Teflon  strength  at  the  higher  temperature.  In  turn,  this  protects  against  resulting 
valve  leakage  and  reduced  valve  lifetime.  The  157  deg  F  injector  temperature  limit  is  derived  from 
the  150  deg  F  valve  limit  +12  deg  F  injector/valve  differential  ( based  on  Rockwell-Downey  thermal 
analysis)  -5  deg  F  instrumentation  error.  Unrestricted  thruster  firings  with  valve  seat  temperatures 
above  150  deg  F  are  not  permitted.  In  this  case,  any  DAP/RM  configuration  that  could  result  in  the 
firing  of  the  affected  primary  thrusters  is  forbidden.  Depending  on  the  heat  source  (Sun,  heat  of 
combustion,  or  failed  heater),  a  variety  of  actions  may  be  performed,  as  appropriate,  to  keep  a 
thruster  operational.  Note  that  the  crew  does  not  have  insight  into  jet  injector  temperatures  on  board, 
so  these  actions  must  be  initiated  by  the  ground.  Every  reasonable  effort  will  be  made  to  do  this  in  a 
timely  manner  such  that  jet  firings  above  the  operational  limit  may  be  avoided.  @[091098-6708  ] 

3.  PRCS  JETS  MAY  BE  FIRED  IF  INJECTOR  TEMPERATURES  HAVE 

EXCEEDED  162  (157)  DEG  F,  BUT  ONLY  IF: 

a.  ALL  JETS  IN  THE  GROUP  (SAME  POD  AND  DIRECTION)  HAVE 
EXCEEDED  THIS  OPERATIONAL  LIMIT. 

b.  THE  DAP  IS  CONFIGURED  TO  ENSURE  A  MINIMUM  FIRING 
DURATION  OF  400  MSEC. 

The  main  concern  with  thruster  operation  above  157  deg  F  is  the  load  imparted  on  the  valve  seat  as  the 
poppet  closes.  Since  the  real  concern  is  at  valve  closing,  increasing  the  minimum  “on  time’’  reduces  the 
valve  seat  temperature  to  cm  acceptable  level  at  shutdown.  However,  immediately  following  the  firing, 
the  temperatures  will  rise  quickly  back  up  due  to  thermal  soak  back  effects.  If  a  thruster  needs  to  be 
fired,  a  minimum  “on  time”  of 400  msec  may  be  used  to  preclude  valve  seat  degradation  (ref.  SODB 
volume  III,  paragraph  4.3.2. 7.  Note  that  SODB  volume  III  contains  engineering  data  which  may  not  be 
supported  by  test. ). 

A  thruster  which  has  exceeded  the  operational  limit  of  157  deg  F  due  to  a  high  duty  cycle  will  be  placed 
in  last  priority  in  favor  of  a  colder,  redundan  t  jet  in  the  same  group.  If  all  jets  in  a  group  exceed  the 
operational  limit  and  use  of  the  jet  group  is  still  required,  then  the  DAP  will  be  configured  accordingly. 
This  approach,  documented  in  CHIT  013,  was  successfully  utilized  during  STS-77  rendezvous  activities. 
One  re-prioritization  was  required  for  both  of  the  first  priority  +X  jets,  but  the  redundant  +X  jets  did  not 
reach  their  operational  limit  for  the  remainder  of  the  rendezvous  and  no  further  actions  were  required. 
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A6-257  RCS  JET  TEMPERATURE  MANAGEMENT  (CONTINUED) 

4.  ONE  OF  THE  FOLLOWING  ACTIONS  WILL  BE  TAKEN  TO  PREVENT 

INJECTOR  TEMPERATURES  FROM  EXCEEDING  187  (182)  DEG  F  (175 

DEG  F  AT  VALVE  SEAT)  :  @[091098-6708] 

a.  ORBITER  ATTITUDE  WILL  BE  CHANGED.  IF  DOING  SO  WILL 

VIOLATE  MISSION  REQUIREMENTS,  THEN  RCS  JET  INJECTORS 
MAY  BE  EXPOSED  TO  TEMPERATURES  UP  TO  207  (202)  DEG  F 

(195  DEG  F  AT  VALVE  SEAT)  FOR  UP  TO  12  HOURS  PER 
SHUTTLE  MISSION.  @[091098-6708] 

b.  A  FAILED-ON  HEATER  WILL  BE  SWITCHED  OFF. 

The  175  deg  F  limit  (ref.  SODB  volume  I,  table  3. 4. 3.2-1,  note  L)  protects  against  permanent 
deformation  and  damage  (cold  flow)  to  the  Teflon  seat  from  extended  exposure  to  high  temperatures  and 
seal  loads  at  system  pressure.  The  182  deg  F  injector  temperature  limit  is  derived  from  the  175  deg  F 
valve  limit  +12  deg  F  injector/valve  differential  (based  on  Rockwell -Downey  thermal  analysis)  -5  deg  F 
instrumentation  error. 

The  195  deg  F  limit  (ref.  SODB  volume  I,  table  3. 4. 3. 2-1,  note  L)  is  a  contingency  value  intended  to 
accommodate  predicted  peak  temperatures  during  continuous  exposure  to  solar  radiation.  The  12-hour 
constraint  is  a  cumulative  total  and  is  not  “reset”  if  the  thruster  injector  temperatures  decrease  to  below 
the  limit  for  any  amoun  t  of  time. 

B.  VERNIER  JETS: 

1.  IN  THE  EVENT  OF  A  FAILED-OFF  VERNIER  RCS  JET  HEATER  OR 

INADEQUATE  DUTY  CYCLES,  THE  FOLLOWING  STEPS  MAY  BE  TAKEN 
TO  INCREASE  FIRING  FREQUENCY  AND  DURATION,  IF  REQUIRED  TO 
PREVENT  A  FALSE  RM  FAIL  LEAK  ANNUNCIATION: 

a.  BIAS  THE  ATTITUDE. 

b.  DESELECT  AFT  YAW  VERNIERS. 

C.  TIGHTEN  THE  DEADBAND. 

These  methods  have  been  employed  on  many  previous  flights.  However,  it  has  been  shown  that  biasing  the 
attitude  (and  taking  advantage  of  gravity  gradient  torque )  and  deselecting  the  aft  yaw  verniers  are  better 
long-term  methods  of  raising  jet  temperatures  (as  determined  from  STS-62  and  STS-94)  because  both 
methods  cause  certain  targeted  jets  to  fire  more  frequently  while  allowing  others  to  fire  less  frequently. 
Tightening  the  deadband  increases  jet  firing  frequency  (which  is  undesirable  for  microgravity  payloads) 
and  unless  the  deadband  is  severely  tightened  may  not  solve  the  problem.  Ref.  Rule  j A6-9BJ ,  RCS  JET 
HEATER,  for  relevant  failed-heater  definitions.  @[091 098-6708  ] 
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A6-257  RCS  JET  TEMPERATURE  MANAGEMENT  (CONTINUED) 

2.  A  VERNIER  JET  THAT  HAS  INCURRED  A  FALSE  RM  FAIL  LEAK 

ANNUNCIATION  DUE  TO  A  FAILED-OFF  JET  HEATER  OR  INADEQUATE 
DUTY  CYCLES  MAY  BE  USED  WITHOUT  ONBOARD  LEAK  RM  UNDER  THE 
FOLLOWING  CONDITIONS:  @[091098-6708] 


a . 

JET 

IS 

USED  DURING  AOS  PERIODS 

ONLY. 

b . 

THE 

JET 

INJECTOR 

TEMPERATURES 

ARE  >  90 

DEG  F  AND 

<  14 

0  DEG  F. 

c . 

THE 

JET 

INJECTOR 

TEMPERATURES 

HAVE  NOT 

DECREASED 

>20  DEG  F  PER  MINUTE  AT  ANY  TIME  IN  THE  PAST 
HOUR. 

Due  to  inadequate  or  failed  heater  operations ,  the  forward  vernier  jets  may  cool  during  extended  periods 
of  low  activity  resulting  in  a  violation  of  the  130  deg  F  RCS  RM  leak  detection  limit  and  a  false  leak 
annunciation.  False  annunciation  can  be  distinguished  from  an  actual  leak  based  on  ground  data 
evaluation.  The  130  deg  F  limit  protects  against  leaking  propellant  freezing  and  plugging  the  combustion 
chamber  and  is  not  applicable  if  there  is  no  leak;  therefore,  once  it  has  been  determined  that  a  deselected 
jet  is  not  leaking,  it  may  be  used  without  onboard  RM  as  long  as  the  injector  temperatures  remain  above 
90  deg  F,  which  protects  against  seal  shrinkage  and  propellant  leakage  (ref.  Rule  ( A6-9B },  RCS  JET 
HEATER). 

Use  of  the  jet  must  be  confined  to  AOS  periods  since  the  MCC  is  now  prime  for  leak  detection,  and  the 
crew  does  not  have  onboard  insight  into  jet  injector  temperatures.  If/when  the  injector  temperatures 
recover  and  are  sufficiently  above  the  RM  limit  (upon  reaching  140  deg  F),  RM  must  be  toggled  for  the 
jet  so  as  to  re-enable  automatic  onboard  leak  detection.  For  vernier  operation  below  the  RM  limit, 
engineering  analysis  ( ref.  Marquardt  Report  No.  TM05-V009,  June  1980)  has  determined  that  a  leak  will 
be  indicated  by  an  injector  temperature  drop  of  more  than  20  deg  F  per  minute.  In  this  case,  the  MCC 
will  immediately  instruct  the  crew  to  cease  use  of  the  jet  (via  jet  deselection  or  DAP  configuration). 

Note  that  a  10-second  steady-state  firing  will  warm  a  vernier  jet  injector  from  90  deg  F  to  above  the  130 
deg  F  RM  limit  (ref.  SODB  volume  1,  paragraph  3.4.3.2.13).  Such  a  firing  is  particularly  advisable  after 
vernier  injector  temperatures  have  dropped  significantly  below  130  deg  F  (for  example,  when  a  deorbit 
backout  and  24-hour  waiveoff  are  declared  and  verniers  are  reactivated  hours  after  their  heaters  have 
been  turned  off),  and  it  is  desired  to  immediately  re-enable  RCS  RM.  @[091098-6708  ] 
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A6-258  ARCS  BULK  PROPELLANT  TEMPERATURE  MANAGEMENT 

VEHICLE  ATTITUDE  WILL  BE  CHANGED  ON  A  NONINTERFERENCE  BASIS  TO 
PROVIDE  ARCS  BULK  PROPELLANT  TANK  TEMPERATURE  THERMAL  CONDITIONING 
WHENEVER  THE  ARCS  TANK  TEMPERATURE  IS  <  68  DEG  (70  DEG)  F.  IF  AN 
ATTITUDE  CHANGE  IMPACTS  HIGH  PRIORITY  FLIGHT  OBJECTIVES,  THE  ARCS 
TANK  TEMPERATURE  LIMIT  MAY  BE  REDUCED  TO  65  DEG  (67  DEG)  F  BEFORE 
ACTION  IS  REQUIRED.  THE  FOLLOWING  ATTITUDES  ARE  DESIRABLE  TO  PROVIDE 
THERMAL  CONDITIONING  TO  INCREASE  PROPELLANT  TEMPERATURES: 

A.  NOSE  SUN  10  DEGREES  PITCHUP. 

B.  NOSE  SUN. 

C.  TAIL  SUN. 

D.  BOTTOM  SUN. 

FOR  HIGH  BETA  ANGLE  (>  60  DEGREES)  BOTTOM  SUN  WOULD  BE  PREFERRED 
OVER  TAIL  SUN  TO  AVOID  ORBITER  MANEUVERING  ENGINE  (OME)  LINE 
TEMPERATURE  CONSTRAINTS . 

Rules  (A6-6A),  OMS/RCS  CROSSFEED  LINE;  and  {A1 8-451},  ORBITER  THERMAL  CONSTRAINTS 
AND  ATTITUDE  MANAGEMENT  [CIL],  reference  this  rule. 


Propellant  temperatures  must  be  maintained  above  the  70  deg  F  limit  to  avoid  possible  ZOT’s  during 
entry  jet  firings  below  70,000 feet.  WSTF  testing  has  shown  that  65  deg  F  propellant  temperatures 
caused  minor  ZOT’s  without  creating  jet  leaks.  Similar  tests  with  propellant  temperatures  at  60  deg  F 
have  caused  several  ZOT’s  which  resulted  in  liquid  leakage  at  the  jet. 


Because  of  the  entry  ZOT  concern,  the  70  deg  F  bulk  propellant  constraint  will  be  protected  if  it  can  be 
done  without  violating  mission  objectives.  If  the  mission  objectives  prevent  the  proper  vehicle  attitude 
required  to  maintain  the  70  deg  F  limit,  the  bulk  propellant  constraint  will  be  reduced  to  67  deg  F  (65  deg 
plus  2  deg  F  instrumentation  accuracy)  with  the  understanding  that  an  increased  risk  of  ZOT’s  exists 
during  entry.  The  decision  to  reduce  the  bulk  propellant  constraint  will  be  a  real-time  call  and  will  not  be 
used  as  a  premission  planning  tool.  Because  the  67  deg  F  limit  resides  in  SODB,  volume  3,  the  engineering 
community  (MER)  will  be  notified  of  the  plan  to  reduce  the  bulk  propellant  temperature  constraint  and 
given  the  associated  rationale. 
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A6-258  ARCS  BULK  PROPELLANT  TEMPERATURE  MANAGEMENT 

(CONTINUED) 


To  prevent  cold  tank  temperatures,  the  vehicle  can  be  oriented  (OMS  pods  are  in  the  shade)  causing  the 
heater  to  cycle  on.  Top  to  Sun  and  side  to  Sun  attitudes  prevent  heater  cycles  and  result  in  a  decay  in 
tank  temperature.  Changing  attitudes  will  not  result  in  immediate  heater  activation  since  heater 
thermostats  are  located  on  the  warm  pod  deck  [4  to  6  hours  for  first  cycle).  The  following  table  was 
generated  from  flight  data  and  will  help  determine  which  attitude  provides  the  required  response. 


Attitude 

Nose  Sun  10°  Up 
Nose  Sun 
Tail  Sun  * 
Bottom  Sun  * 


Equil.  Temp  (°  F) 
74 

74 

75 
75 


Rise  rate  (°  F/day ) 
5 

No  data 
>1 
>1 


*High  beta  angles  will  cause  bondline  temperature  limit  concerns. 
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CONSUMABLES  DEFINITIONS  AND  REDLINES 


A6-301  QMS  USABLE  PROPELLANT 

A.  OMS  GAGED  PROPELLANT  IS  DEFINED  AS  THE  AMOUNT  OF  OMS 
PROPELLANT  LOADED  PER  POD  MINUS  THE  LINE  TRAPPED: 

OX  FU 

LINE  TRAPPED:  50.5  26.5 

@[092701-4850] 

B.  OMS  USABLE  PROPELLANT  IS  DEFINED  AS  THE  OMS  GAGED  PROPELLANT 
MINUS  THE  FOLLOWING  RESIDUALS: 

OX  FU 

TANK  TRAPPED:  212  110 

DISPERSIONS:  (REF.  PARAGRAPH  C)  (REF.  PARAGRAPH  C) 


C.  OMS  DISPERSIONS  ARE  DEFINED  AS  THE  RSS  OF  (1)  FLOW  RATE  AND 
MIXTURE  RATIO  ERROR  BASED  ON  NOMINAL  LOAD  WITH  2  PERCENT 
ERROR  AND  (2)  LOADING  UNCERTAINTY.  DISPERSIONS  ARE 
CALCULATED  AS  FOLLOWS: 

1.  a  =  FLOW  RATE  AND  MIXTURE  RATIO  ERROR. 

a  =  0.02  (OX  (FU)  GAGED  LBS  PROPELLANT  -  OX  (FU)  TANK 
TRAPPED) . 

2.  b  =  LOADING  UNCERTAINTY: 


BENCHMARK 

RESIDUALS 

WSP 

AVAIL 

LOADING 

UNCERTAINTY 

GOOD 

N/A 

N/A 

40  LB  OX, 

24 

LB 

FU 

OUT-OF-SPEC 

N/A 

N/A 

81  LB  OX, 

49 

LB 

FU 

NO 

N/A 

YES 

81  LB  OX, 

49 

LB 

FU 

NO 

AFT  GAGE 

NO 

1.5  PERCENT, 

PROP 

LOADED  PLUS  4 0  LB 
OX,  24  LB  FU 


NO  CALCULATED  NO  1.5  PERCENT  PROP 

LOADED 
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A6-301  QMS  USABLE  PROPELLANT  (CONTINUED) 

RESIDUALS 

IF  |  AFT  GAGE  RESIDUALS  -  CALCULATED  RESIDUALS  |  <  1  PERCENT 

THEN  USE, 

RESIDUALS  =  AFT  GAGE  RESIDUALS 
OTHERWISE  USE, 

RESIDUALS  =  CALCULATED  RESIDUALS 

DISPERSION  (OX  (FU)  PER  POD)  =  (a2  +  b2)y2. 

Since  the  OMS  tank  and  line-trapped  propellant  cannot  be  burned,  it  must  be  accounted  for  when 
calculating  usable  propellant.  Since  OMS  dispersions  may  or  may  not  be  in  the  tank,  this  propellant 
must  also  be  accounted  for  when  calculating  usable  propellant.  The  OMS  tank  and  line-trapped 
quantities  are  documented  in  SODB,  volume  II,  section  4.1. 

The  calculation  for  loading  uncertainty  is  based  on  whether  KSC  gets  a  “benchmark”  while  loading. 

The  “benchmark”  is  defined  as  the  point  at  which  the  total  quantity  updates  after  the  forward  probe 
gets  wet.  A  “good  benchmark”  is  a  benchmark  that  occurs  at  45  ±  0.5  percent  (quantity  of  propellant 
in  tank  is  determined  by  a  flowmeter).  A  “benchmark  out-of-spec”  is  a  benchmark  that  occurs  greater 
than  45.5  percent  or  less  than  44.5  percent.  “No  benchmark”  is  when  the  forward  probe  does  not  give 
a  quantity  reading. 

The  primary  loading  method  uses  the  onboard  OMS  gages.  Only  for  the  no-benchmark  loading  cases 
are  the  wet  sense  point  (WSP)  and  residuals  considered.  The  WSP  is  the  first  edge  of  the  forward  probe 
which  senses  propellan  t.  There  is  a  delay  between  the  forward  probe  getting  wet  and  the  total  quantity 
gage  update.  The  update  is  not  triggered  until  a  voltage  threshold  in  the  totalizer  electronics  is  met. 
Normally  this  delay  is  not  important,  but  for  a  no-benchmcirk  case,  the  WSP  is  determined  by 
in  terpreting  graphical  data  of  toted  quantity  gage  output  versus  time.  These  graphs  show  a  distinct 
chcmge  in  voltage  which  correlates  to  wetting  of  the  forward  probe. 

The  loading  uncertainty  for  the  good  benchmark  is  defined  as  40  lb  OX  and  24  lb  FU  equal  to  0.5 
percen  t  of  a  full  load.  This  0.5  percen  t  is  the  advertised  accuracy  of  the  onboard  OMS  gages.  The  out- 
of-spec  benchmark  adds  an  additional  0.5  percent  for  a  total  uncertainty  of  81  lb  and  49  lb.  For  the 
first  of  the  three  no-benchmcirk  loading  cases,  the  WSP  is  known.  The  confidence  in  loading  with  the 
WSP  is  considered  equal  to  that  of  the  out-of-spec  case;  therefore,  the  loading  uncertainty  is  81  lb  OX 
and/or  49  lb  FU. 
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A6-301  QMS  USABLE  PROPELLANT  (CONTINUED) 

For  the  next  two  no-benchmark  cases ,  the  WSP  could  not  be  determined,  so  a  residuals  check  is  made. 
The  residuals  check  determines  the  confidence  in  the  aft  gages.  If  the  absolute  difference  between  the 
calculated  residuals  and  aft  gage  residuals  is  less  than  1  percent,  then  there  is  confidence  in  the  aft 
gages  (i.e.,  the  aft  gage  and  onboard  totalizer  is  tracking  the  GSE).  The  problem;  therefore,  lies  in  the 
forward  probe.  Subsequently,  the  loading  uncertainty  retains  the  initial  40  lb  and  24  lb,  then  adds  1.5 
percent  more  loading  uncertainty;  that  is,  1.5  percent  of  the  remaining  propellant  to  be  loaded  using  the 
GSE  flowmeters.  This  1.5  percent  additional  loading  uncertainty  is  the  advertised  accuracy  of  the  GSE 
gages.  The  tanks  are  not  drained  and  refilled  because  of  the  amoun  t  of  work  involved,  the  aft  gages  are 
working,  and  the  1.5  percent  additional  propellant  is  conservative. 

In  the  final  no-benchmark  cases,  the  WSP  is  unknown  and  the  absolute  difference  of  the  residuals  is 
greater  than  1  percent  (i.e.,  the  aft  gage  and  onboard  totalizer  are  not  tracking  the  GSE).  The  problem 
lies  in  the  totalizer,  or  both  the  aft  and  forward  probes.  In  this  case,  the  tanks  are  drained  and  the 
loading  is  restarted  with  zero  percent  residuals.  Rules  (A4-153K.1  j,  CG  PLANNING;  and  {A6-303}, 
OMS  REDLINES  [ CIL],  reference  this  rule. 

A6-302  RCS  USABLE  PROPELLANT 

RCS  USABLE  PROPELLANT  IS  DEFINED  AS  THE  AMOUNT  OF  RCS  PROPELLANT 
LOADED  MINUS  THE  FOLLOWING  RESIDUALS: 


ARCS 

OX 

FU 

TANK  TRAPPED 

58 

33 

GAGE  ERROR 

50 

34 

LINE  TRAPPED 

59 

39 

LBS/POD 

167 

106 

FRCS 

OX 

FU 

TANK  TRAPPED 

139 

84 

GAGE  ERROR 

50 

34 

LINE  TRAPPED 

38 

21 

LBS/POD 

227 

139 

Since  the  propellant  trapped  in  the  tank  and  lines  cannot  be  burned,  this  propellant  must  be  accounted 
for  when  calculating  RCS  usable  propellant.  Since  the  gage  error  may  or  may  not  be  in  the  tank,  this 
propellant  must  also  be  accounted  for  when  calculating  RCS  usable  propellant.  ( Reference  SODB, 
volume  II,  table  4.2.) 
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OMS  DEORBIT  REDLINE  RESERVES  PROPELLANT  FOR:  ©[092800-7247A] 


TANK  TRAPPED  644 
DISPERSIONS  AND  UNCERTAINTIES  TBD 
OMS  STEEP  DELTA  V  TBD 
NOMINAL  DEORBIT  PREP  TBD 
DEORBIT  WAVE-OFF  EXTENSION  DAY  [1]  156 
OMS  ENGINE  FAIL  106 
WEATHER  WAVE-OFF  EXTENSION  DAY  [1]  TBD 
ADDITIONAL  DEORBIT  OPPORTUNITIES  TBD 
CG  BALLAST  (IF  REQUIRED)  TBD 


DISPERSIONS  AND  UNCERTAINTIES  ARE  THE  RSS  OF  LOADING 
UNCERTAINTY  AND  DISPERSIONS  IN  OMS  ENGINE  FLOWRATE  AND 
MIXTURE  RATIO.  THE  OMS  STEEP  DELTA  V  MUST  PROTECT  THE 
PLANNED  EOM  OPPORTUNITY  AND  A  BACKUP  PLS  OPPORTUNITY  (IF 
AVAILABLE)  ONE  REV  LATER.  FOR  EACH  EXTENSION  DAY  (EOM+1  AND 
EOM+2),  THE  CHEAPEST  COMBINATION  OF  A  PLS  OPPORTUNITY  WITH  A 
ONE  REV  LATE  BACKUP  SLS  OPPORTUNITY  MUST  BE  PROTECTED.  IF 
ADDITIONAL  DEORBIT  ATTEMPTS  ARE  PROTECTED,  AS  DOCUMENTED  IN 
THE  FLIGHT  RULE  ANNEX,  THEN  OMS  STEEP  DELTA  V  MUST  ALSO 
PROTECT  THESE  ADDITIONAL  OPPORTUNITIES.  OMS  STEEP  DELTA  V 
WILL  BE  COMPUTED  WITH  3-SIGMA  N-CYCLE  PROTECTION.  EXTENSION 
DAYS,  NOMINAL  DEORBIT  PREPARATION,  AND  ADDITIONAL  DEORBIT 
ATTEMPTS  MUST  BE  PROTECTED  IN  THE  AFT  RCS  IF  NOT  PROTECTED  IN 
THE  OMS.  THE  WEATHER  WAVE-OFF  EXTENSION  DAY  MAY  BE  DELETED 
IN  FAVOR  OF  CRITICAL  PAYLOAD  ACTIVITIES  AS  DOCUMENTED  IN  RULE 
{A2-108},  CONSUMABLES  MANAGEMENT,  AND  THE  FLIGHT  RULE  ANNEX. 
OMS  ENGINE  FAILURE  FOR  THE  DEORBIT  WAVE-OFF  EXTENSION  DAY  MAY 
BE  GIVEN  UP  IN  ORDER  TO  ACCOMPLISH  HIGHER  PRIORITY  ACTIVITIES 
AS  DOCUMENTED  IN  THE  FLIGHT  RULE  ANNEX.  IF  OMS  ENGINE 
FAILURE  IS  PROTECTED,  THE  ADDITIONAL  SINGLE  ENGINE  RESIDUALS 
(77  LBS)  ARE  ACCOUNTABLE  AS  BALLAST.  VIOLATION  OF  THE  OMS 
DEORBIT  REDLINE  IS  CAUSE  FOR  DEORBIT  AT  NEXT  PLS  IF  NO 
FURTHER  PROPELLANT  TRADE-OFFS  CAN  BE  ACCOMPLISHED  AS  LISTED 
IN  RULE  {A2-108},  CONSUMABLES  MANAGEMENT.  @[091 098-671 1 B]  ©[092800-7247A] 
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NOTE:  [1]  ASSUMES  ATTITUDE  CONTROL  IN  -ZLV  -XVV  PER  RULE 
{ A2 -1 0 8 } ,  CONSUMABLES  MANAGEMENT.  IF  THERMAL 
CONDITIONING  IS  REQUIRED,  UTILIZE  ATTITUDE 
PROFILE  PER  RULE  {A2-110},  STRUCTURES  THERMAL 
CONDITIONING,  OR  AS  SPECIFIED  IN  THE  FLIGHT  RULES 
ANNEX  .  ©[092800-7247A] 

644  -  Propellant  which  cannot  be  extracted  by  the  propellant  acquisition  system. 

@[091098-671  IB] 

TBD  Dispersions  -  Dispersions  for  flow  rate,  mixture  ratio,  and  loading  errors  must  be  taken  into 

account  (ref  Rule  {A6-301},  OMS  USABLE  PROPELLANT). 

TBD  OMS  Steep  -  OMS  steep  delta  V  will  be  based  on  targeting  constraints  which  require  enough 

N-cycles  (guidance  cycles  from  closed-loop  guidance  initiation  to  the  first  non¬ 
zero  roll  command  (ref.  Rule  { A4-152  j,  DEORBIT  BURN  TARGETING 
PRIORITIES)  to  protect  3 -sigma  entry  dispersions.  Note  that  real-time  planning 
may  reflect  a  delta  V  which  protects  more  N-cycles,  if  propellant  is  available.  In 
order  to  guarantee  that  there  is  sufficient  propellant  to  perform  an  OMS  steep 
deorbit,  standard  redlines  must  protect  a  delta  V  sufficient  to  deorbit  at  nominal 
end  of  mission,  EOM  plus  1  day,  and  EOM  plus  2  days  (ref.  Rule  {A2-103J, 
EXTENSION  DAY  REQUIREMENTS.)  Standard  redlines  protect  four  attempts 
over  3  days;  thus,  the  OMS  steep  delta  V  must  cover  the  planned  EOM 
opportunity,  a  one  orbit  late  backup  to  the  PLS,  and  the  cheapest  combination  of 
a  PLS  opportunity  with  a  one  rev  backup  SLS  opportunity  for  EOM  +1  and  +2. 
This  level  of  protection  is  referred  to  as  2-1-1  deorbit  opportunities.  The 
specific  opportunities  protected  may  need  to  be  modified  in  reed  time  to  account 
for  trajectory  variations,  weather  conditions,  non-propulsive  consumables 
margins,  etc.  If  greater  than  2-1-1  deorbit  attempts  are  protected,  OMS  steep 
delta  V  may  need  to  be  increased. 

TBD  Nom  D/O  Prep  -  It  is  not  operationally  desirable  to  protect  any  part  of  the  nominal  deorbit  prep 

in  the  OMS.  However,  if  for  any  reason  it  cannot  be  protected  in  the  Aft  RCS, 
then  it  must  be  protected  in  the  OMS. 
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-  Standard  redlines  protect  as  much  of  the  deorbit  wave-off  extension  day 

propellant  as  is  operationally  convenient  in  the  OMS.  This  helps  to  assure  that 
the  aft  RCS  deorbit  redline  is  protected  at  a  higher  priority  than  OMS  steep 
deorbit  propellant,  because  any  excess  usage  during  these  extension  days  will 
come  from  the  OMS.  However,  any  or  all  of  this  propellant  can  be  protected  in 
the  aft  RCS  in  order  to  maximize  capability  and/or  minimize  crew  workload. 
The  extension  day  portion  of  the  deorbit  wave-off  extension  day  protects  56  lb 
and  is  based  on  using  Nose/Tail  ALT  control.  An  additional  100  lb  of 
propellant  are  normally  redlined  in  the  OMS  to  perform  a  partial  deorbit 
preparation  after  the  extension  day.  This  propellant  covers  the  period  from  the 
start  of  deorbit  preparation  activities  at  TIG-4:40  to  TIG-0.30  minutes.  The 
remainder  of  this  deorbit  prep  is  normally  redlined  in  the  aft  RCS.  The  156  lb 
must  be  increased  to  321  lb  if  Tail-Only  control  is  required.  The  deorbit 
(systems)  wave-off  extension  day  propellant  cannot  be  traded  against  other- 
orbit  activities.  Per  Rule  {A2-108},  CONSUMABLES  MANAGEMENT,  the 
deorbit  wave-off  extension  day  must  be  protected  using  the  primary  jets  since 
many  of  the  orbiter  contingencies  which  require  such  a  wave-off  also  fail  the 
vernier  jets.  Note  also  that  the  deorbit  wave-off  extension  day  assumes  a 
specific  attitude  profile:  -ZLV-XW  is  the  default  attitude  and  was  chosen  to 
provide  the  minimum  propellant  consumption  with  maximum  debris  protection, 
and  because  it  is  relatively  insensitive  to  altitude,  thus  providing  the  best 
protection  for  off-nominal  (abort)  orbits.  However,  if  a  different  attitude 
profile  is  required  for  deorbit  thermal  conditioning,  this  must  be  protected. 

Ref.  Rule  { A2-110 },  STRUCTURES  THERMAL  CONDITIONING,  and  the 
Flight  Rule  Annex.  The  deorbit  wave-off  extension  day  requires  382  lb 
Nose/Tail  ALT  or  533  lb  Teal- Only  ALT  with  10  hours  of  Tail-Only  ALT  5 
degrees  PTC  protected  per  Rule  {A2-110},  STRUCTURES  THERMAL 
CONDITIONING.  According  to  an  email  dated  June  5,  2000,  from  ES/Y. 
Chang,  up  to  a  10-degree  deadband  for  PTC  is  thermally  acceptable. 

®[091 098-671 1 B]  ®[092800-7247A] 

THIS  RULE  CONTINUED  ON  NEXT  PAGE 


06/20/02  FINAL  PROPULSION  6-125 

Verify  that  this  is  the  correct  version  before  use. 


NASA  -  JOHNSON  SPACE  CENTER 


A6-303 

106 


VOLUME  A 


FLIGHT  RULES 


QMS  REDLINES  [CIL]  (CONTINUED) 


-  Reference  Rockwell  International  Internal  Letter  IL  P&AS-DLJ-77-032,  the  OMS 
portion  of  OMS  engine  failure  protection  consists  of  out-of-plcine  thrusting  during 
ginibal  retrim  (15  lb  per  pod)  and  increased  tank  residuals  due  to  less  favorable 
orien  tation  of  the  propellant  with  respect  to  the  acquisition  screens  (38.4  lb  per 
pod).  These  increased  tank  residuals  must  be  protected,  especially  after  the  loss 
of  one  OMS  engine.  However,  because  the  residual  propellant  (77  lb)  remains  in 
the  tank,  it  may  be  counted  toward  the  CG  ballast  requirement.  The  original 
OMS  engine  failure  requirement,  as  documented  in  the  letter  referen  ced  above, 
also  protected  14  lb  of  fuel  per  pod  to  account  for  the  OMS  crossfeed  mixture 
ratio  shift.  This  protection  is  no  longer  required  since  current  propellant 
managemen  t  procedures  account  for  actual  engine  performance  including 
crossfeed.  Because  the  deorbit  wave-off  extension  day  is  resented  specifically  for 
orbiter  contingencies  (ref  Rule  { A2-103J ,  EXTENSION  DAY  REQUIREMENTS), 
the  risk  of  having  a  major  orbiter  systems  failure  followed  by  an  OMS  engine  fail 
is  small.  On  a  flight  specific  basis,  it  may  be  worth  accepting  that  risk  in  order  to 
accomplish  high  priority  objectives,  as  documented  in  the  Flight  Rule  Annex.  If 
OMS  engine  fail  protection  is  given  up,  then  the  deorbit  wave-off  extension  day 
propellant  should  be  distributed  in  the  OMS  and  aft  RCS  to  cover  the  equivalent 
of  OMS  engine  failure  propellan  t  in  each  system  at  the  nominal  EOM  cleorbit 
burn.  This  implicit  protection  will  be  lost  if  the  extension  day  propellant  is  used. 
Once  cm  OMS  engine  failure  occurs,  then  explicit  OMS  engine  failu  re  protection 
is  mandatory.  ®[091 098-671 1 B] 
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-  In  order  to  protect  against  unforeseen  weather  that  results  in  unacceptable 
deorbit/landing  conditions,  Rule  {A2-108},  CONSUMABLES  MANAGEMENT, 
provides  a  weather  wave-off  extension  day.  Although  it  would  normally  be 
desirable  to  protect  the  extension  portion  of  the  weather  wave-off  extension  day 
in  the  OMS,  a  single  maneuver  and  19  hours  of  vernier  attitude  hold  is  only  23 
lb  which  would  require  first  establishing  in  terconnect,  performing  a  15-minute 
maneuver,  and  then  immediately  performing  an  OMS  tank  switch,  which  is  not 
practiced.  Thus,  the  propellan  t  requ  ired  to  extend  24  hours  on  the  vern  ier  jets 
(or  N/T  ALT)  is  normally  redlined  in  the  Aft  RCS.  However,  if  failures  or  other 
considerations  require  an  increase  in  the  amount  of  propellant  protected  for  the 
24-hour  extension,  then  it  may  become  practical  to  protect  the  extension  day 
propellant  in  the  OMS.  For  example,  ifT/O  ALT  attitude  hold  (89  lb)  is 
required  for  the  extension  day,  it  would  normally  be  preferable  to  protect  it  it  in 
the  OMS.  Unlike  the  propellant  redlined  for  the  deorbit  wave-off  extension  day, 
the  weather  wave-off  extension  day  is  tradable  against  critical  on-orbit 
activities  per  the  established  priorities  detailed  in  Rule  {A2-108}, 
CONSUMABLES  MANAGEMENT,  and  Rule  {A6-358J,  VIOLATION  OF 
MISSION  COMPLETION  REDLINES  MATRIX.  Note  that  the  weather  wave-off 
extension  day  assumes  a  specific  attitude  profile:  -ZLV-XW  is  the  default 
attitude  and  was  chosen  to  provide  the  minimum  propellant  consumption  with 
maximum  debris  protection,  and  because  it  is  relatively  insensitive  to  altitude, 
thus  providing  the  best  protection  for  off-nominal  (abort)  orbits.  However,  if  a 
different  attitude  profile  is  required  for  deorbit  thermal  conditioning,  this  must 
be  protected.  Ref.  Rule  { A2-110 },  STRUCTURES  THERMAL 
CONDITIONING,  and  the  Flight  Rule  Annex.  The  weather  wave-off  extension 
day  requires  98  lb  of  OMS  with  10  hours  of  vern  ier  1  deg  PTC  protected  (250 
lb  Nose/Tail  ALT  or  301  lb  Tail -Only  ALT,  both  with  10  hours  of  5  deg  Tail- 
Only  PTC)  per  Rule  {A2-110},  STRUCTURES  THERMAL  CONDITIONING. 
According  to  an  etnail  dated  June  5,  2000 from  ES/Y.  Chang,  up  to  a  10-deg 
deadband  for  PTC  is  thermally  acceptable.  @[091098  6711B]  ©[092800-7247A] 
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-  Propellant  for  additional  deorbit  attempts ,  such  as  extra  orbits  of  attitude  hold 
in  the  deorbit  burn  configuration,  may  be  protected  on  a  flight  specific  basis 
as  documented  in  the  Flight  Rule  Annex.  Propellant  for  extra  deorbit  attempts 
is  typically  resented  in  the  Aft  RCS,  but  may  be  protected  in  the  OMS,  Aft 
RCS,  or  both.  ®[091 098-671 1 B]  ©[092800-7247A] 

-  Propellant  may  be  redlined  to  act  as  ballast  to  maintain  the  X  and  Y  CG  within 
limits.  The  amount  of  propellant  required  for  CG  ballast  (ref.  Rule  {A4-153}, 

CG  PLANNING)  is  determined  during  preflight  analysis  and  updated  in  real 
time.  Ballast  will  be  protected  in  the  OMS,  the  Aft  RCS,  or  both.  Care  must  be 
taken  in  apportioning  ballast  because  OMS  and  ARCS  propellant  are  not 
equ  ivalen  t  for  ballast  purposes.  CG  ballast  cannot  be  traded  against  other 
orbit  activities.  CG  ballast  can  be  traded  against  other  redline  items  only  if  the 
ballast  requiremen  t  changes  for  extension  day  deorbit  opportunities. 

B.  OMS  TANK  FAIL: 

OMS  TANK  FAIL  IS  NOT  PROTECTED. 

There  is  no  requiremen  t  to  protect  for  an  OMS  tank  failure. 

C.  OMS  REDLINE  FOR  RCS  DEORBIT  [CIL] : 

AFTER  THE  LOSS  OF  ONE  OMS  ENGINE,  ADDITIONAL  OMS  PROPELLANT 
WILL  BE  REDLINED  TO  PROTECT  4+X  RCS  DEORBIT  TO  STEEP  TARGETS. 
IF  INSUFFICIENT  OMS  PROPELLANT  IS  AVAILABLE,  ADDITIONAL  RCS 
PROPELLANT  MUST  BE  REDLINED.  IF  INSUFFICIENT  OMS  AND  RCS 
PROPELLANT  IS  AVAILABLE  TO  PROTECT  4+X  RCS  DEORBIT  TO  STEEP 
TARGETS,  DEORBIT  WILL  BE  PLANNED  FOR  THE  NEXT  PLS  OPPORTUNITY. 

If  RCS  propellan  t  must  be  used  to  supplemen  t  OMS  propellan  t  during  a  deorbit  burn,  a  two-stage  deorbit 
burn  is  preferred  in  order  to  simplify  execution  of  the  actual  deorbit  burn.  @[091098-671  IB] 
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D.  OMS  MISSION  COMPLETION  REDLINE :  @[091098-671  IB] 

THE  OMS  MISSION  COMPLETION  REDLINE  IS  DEFINED  AS  THE  OMS 
DEORBIT  REDLINE  PLUS  THE  REMAINING  FLIGHT  PLAN  ACTIVITIES. 
REFERENCE  RULE  {A6-358},  VIOLATION  OF  MISSION  COMPLETION 
REDLINES  MATRIX,  FOR  ACTIONS  REQUIRED  FOR  VIOLATION  OF  THE 
OMS  MISSION  COMPLETION  REDLINE. 

Self-explanatory. 

E.  OMS  ENTRY  REDLINE: 

THERE  IS  NO  OMS  REQUIREMENT  FOR  ENTRY. 

The  OMS  tanks  cannot  be  used  during  entry  because  of  the  tank  design  constraints. 

Rules  {A2-108A.il}  and  {A2-108C},  CONSUMABLES  MANAGEMENT;  {A2-121A.1},  RNDZ/PROX 
OPS  PROPULSION  SYSTEMS  MANAGEMENT;  {A4-1B},  PERFORMANCE  ANALYSES;  {A6-351}, 
OMS  PROPELLANT  MANAGEMENT  MATRIX;  and  {A6-1001},  OMS/RCS  GO/NO-GO  CRITERIA 

[CIL];  reference  this  rule.  @[091 098-671  IB]  ©[092800-7247A] 

A6-304  FORWARD  RCS  REDLINES 

A.  FORWARD  RCS  DEORBIT  REDLINE 

THE  FRCS  DEORBIT  REDLINE  RESERVES  FOR:  @[091 098-671 1 B]  092800-7247A 

NOMINAL  DEORBIT  PREPARATION  57 

OMS  ENGINE  FAIL  ATTITUDE  CONTROL  12 

DEORBIT  WAVE-OFF  EXTENSION  DAY  [1]  110 

WEATHER  WAVE-OFF  EXTENSION  DAY 


EXTENSION  DAY 


85 


1  REV  DEORBIT  DELAY 
ADDITIONAL  DEORBIT  OPPORTUNITIES 
DEORBIT  SUPPLEMENT  (IF  REQUIRED) 
CG  BALLAST  (IF  REQUIRED) 

@[091 098-671  IB]  ©[092800-7247A] 
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THE  WEATHER  WAVE-OFF  ACTIVITIES  MAY  BE  DELETED  IN  FAVOR  OF 
CRITICAL  PAYLOAD  ACTIVITIES  AS  DOCUMENTED  IN  RULE  {A2-108}, 
CONSUMABLES  MANAGEMENT,  AND  THE  FLIGHT  RULE  ANNEX.  OMS 
ENGINE  FAILURE  FOR  THE  DEORBIT  WAVE-OFF  EXTENSION  DAY  MAY  BE 
DELETED  FOR  HIGHER  PRIORITY  ACTIVITIES  AS  DOCUMENTED  IN  THE 
FLIGHT  RULE  ANNEX.  ADDITIONAL  DEORBIT  ATTEMPTS  MAY  BE 
PROTECTED  AS  DOCUMENTED  IN  THE  FLIGHT  RULE  ANNEX.  VIOLATION 
OF  THE  FRCS  DEORBIT  REDLINE  IS  CAUSE  FOR  DEORBIT  AT  NEXT  PLS 
IF  INSUFFICIENT  PROPELLANT  IS  AVAILABLE  TO  PROTECT  THE  OMS 
AND  ARCS  DEORBIT  REDLINES  USING  TAIL-ONLY  CONTROL.  @[091098-671 1 B] 
©[092800-7247A] 

NOTE:  [1]  ASSUMES  ATTITUDE  CONTROL  IN  -ZLV  -XVV  PER  RULE 
{ A2 -1 0 8 } ,  CONSUMABLES  MANAGEMENT.  IF  THERMAL 
CONDITIONING  IS  REQUIRED,  UTILIZE  ATTITUDE 
PROFILE  PER  RULE  {A2-110},  STRUCTURES  THERMAL 
CONDITIONING,  OR  AS  SPECIFIED  IN  THE  FLIGHT  RULES 
ANNEX  .  ©[092800-7247A] 


57  -  Reserved  for  nominal  deorbit  prep. 

12  -  If  an  OMS  engine  fails  during  the  deorbit  burn,  the  FRCS  will  control  the  attitude 

excursions  that  will  occur  while  the  OMS  engine  gimbals  to  realign  the  thrust 
vector  through  the  CG.  Propellant  is  normally  redlined  to  protect  for  this 
contingency.  FRCS  is  not  necessarily  required  if  sufficien  t  aft  propellan  t  is 
redlined  to  control  the  attitude  excursion  using  tail  only  control.  The  requirement 
for  OMS  engine  fail  protection  after  a  deorbit  wave-off  extension  may  be  deleted  in 
order  to  accomplish  higher  priority  activities  as  documented  in  the  Flight  Rule 
Annex.  If  so,  engine  fail  protection  should  still  be  provided  at  nominal  end  of 
mission  using  the  deorbit  wave -off  extension  allotment  or  the  FRCS  contingency 
propellant  (ref.  Rule  (A6-357),  FORWARD  RCS  CONTINGENCY  PROPELLANT 
AVAILABLE). 
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-  The  deorbit  wave-off  extension  day  consists  of  66  lb  for  a  deorbit  prep  plus  11 
lb  for  the  waveoff,  which  will  sustain  nose-tail  control  for  1  hour  until  vernier 
con  trol  can  be  established,  plus  33  lb  for  the  extra  day  Nose/T ail  ALT.  Note 
that  Nose/T ail  ALT  is  assumed  because  many  failures  which  require  a  deorbit 
wave-off  extension  day  also  fail  the  vernier  jets,  reference  Rule  (A2-108}, 
CONSUMABLES  MANAGEMENT.  Nose/Tail  ALT  control  is  normally 
protected  instead  of  Tail- Only  ALT  con  trol  because  it  requires  less  propellant 
overall  and  also  provides  sufficient  propellant  to  utilize  the  vernier  jets  if  they 
actually  are  available.  Note  also  that  the  deorbit  wave-off  extension  day 
assumes  a  specific  attitude  profile:  -ZLV  -XVV  is  the  default  attitude  and  was 
chosen  to  provide  the  minimum  propellant  consumption  with  maximum  debris 
protection,  and  because  it  is  relatively  insensitive  to  altitude,  thus  providing  the 
best  protection  for  off-nominal  (abort)  orbits.  However,  if  a  different  attitude 
profile  is  required  for  deorbit  thermal  conditioning,  this  must  be  protected. 

Ref.  Rule  {A2-110J,  STRUCTURES  THERMAL  CONDITIONING,  and  the 
Flight  Rule  Annex.  The  deorbit  wave-off  extension  day  requires  92  lb  for  Nose- 
Tail  ALT  with  10  hours  of  Tail-Only  5  deg  PTC  protected  per  Rule  {A2-110}, 
STRUCTURES  THERMAL  CONDITIONING.  According  to  an  email  dated 
June  5,  2000,  from  ES/Y.  Chang,  up  to  a  10  deg  deadband  for  PTC  is  thermally 
acceptable.  ©[092800-7247A] 

-  As  part  of  the  weather  wave-off  extension  day,  propellant  is  provided  to 
perform  a  wave-off/backout  (11  lb),  a  vernier  extension  day  (17  lb),  and  an 
additional  nominal  deorbit  prep  (57  lb).  This  item  requires  107  lb  if  protected 
Nose/T ail  ALT.  Propellant  budgeted  for  the  weather  wave-off  extension  day 
may  be  traded  for  critical  on-orbit  activities  as  defined  in  Rule  { A2-108 j, 
CONSUMABLES  MANAGEMENT,  and  the  Flight  Rule  Annex.  Note  that  the 
extension  day  portion  of  the  weather  wave-off  extension  day  assumes  a  specific 
attitude  profile:  -ZLV -XW  is  the  default  attitude  and  was  chosen  to  provide 
the  minimum  propellant  consumption  with  maximum  debris  protection,  and 
because  it  is  relatively  insensitive  to  altitude,  thus  providing  the  best 
protection  for  off-nominal  (abort)  orbits.  However,  if  a  differen  t  attitude 
profile  is  required  for  deorbit  thermal  conditioning,  this  must  be  protected. 

Ref.  Rule  {A2-110J,  STRUCTURES  THERMAL  CONDITIONING,  and  the 
Flight  Rule  Annex.  The  weather  wave-off  extension  day  requires  134  lb  with 
10  hours  of  vernier  1  deg  PTC  protected  (115  lb  for  Nose-Tail  ALT  with  10 
hours  of  5  deg  Tail-Only  PTC)  per  Rule  {A2-110J,  STRUCTURES  THERMAL 
CONDITIONING.  According  to  an  email  dated  June  5,  2000,  from  ES/Y. 
Chang,  up  to  a  10-deg  deadband  for  PTC  is  thermally  acceptable.  @[092800- 
7247A] 
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17  -  As  part  of  the  weather  wave-off  extension  day,  propellant  to  perform  one  rev  of 

attitude  hold  on  the  TRANS  DAP  is  provided  to  ensure  2  consecutive  deorbit 
attempts  on  one  of  the  three  deorbit  days.  Propellant  budgeted  for  the  weather 
wave-off  extension  day  may  be  traded  for  critical  on-orbit  activities  as  defined 
Rule  {A2-108},  CONSUMABLES  MANAGEMENT,  and  the  Flight  Rule  Annex. 

©[092800-7247A] 

TBD  D/O  Attempts  -  Propellan  t  for  additional  deorbit  attempts,  such  as  extra  orbits  of  attitude 

hold  in  the  deorbit  burn  configuration,  may  be  protected  as  specified  in  the 
Flight  Rule  Annex.  One  orbit  ofNose/T ail  Trans  DAP  with  FES  will  cost  17 
lb  Fwd  RCS.  ®[091 098-671 1 B] 

TBD  D/O  Supplement-  If  Forward  RCS  propellant  is  required  to  supplement  the  OMS  deorbit  steep 

propellant,  either  for  +X  translation,  +Z  translation,  or  for  attitude  hold 
during  aft  RCS  +X  translation,  then  this  propellant,  as  well  as  any  associated 
maneuvers,  must  be  protected.  @[091098-671  IB] 

TBD  CG  Ballast  -  Propellant  may  be  redlined  to  act  as  ballast  to  maintain  the  X  and  Y  CG  within 

limits.  The  amount  of  propellant  required  for  CG  ballast  (ref.  All  Flights  Rule 
{A4-153},  CG  PLANNING)  is  determined  during  preflight  analysis  and  updated 
in  real  time.  CG  ballast  cannot  be  traded  against  other  orbit  activities.  CG 
ballast  can  be  traded  against  other  redlined  items  only  if  the  ballast 
requ  iremen  t  changes  for  extension  day  deorbit  opportun  ities. 

B.  FORWARD  RCS  RED LINE  FOR  OMS  TANK  FAIL 

FORWARD  RCS  DELTA  V  IS  NOT  CONSIDERED  WHEN  DETERMINING  OMS 
TANK  FAIL  CAPABILITY.  IF  FORWARD  RCS  PROPELLANT  IS  TO  BE 
USED  FOR  A  PERIGEE  ADJUST  AFTER  AN  OMS  TANK  FAIL,  SUFFICIENT 
AFT  RCS  PROPELLANT  MUST  BE  REDLINED  TO  ACCOUNT  FOR  ATTITUDE 
CONTROL  DURING  THE  -X  TRANSLATION  (TBD) ,  PLUS  TWO  VERNIER 
MANEUVERS  (6  LB  FORWARD  RCS,  1 9  LB  AFT)  .©[092800-7247A] 

Forward  RCS  can  not  be  committed  to  the  deorbit  burn  when  compu  ting  OMS  tank  fail  capability,  e.g., 

steep  vs.  shallow,  in-plane  vs.  out-of-plane  dump,  etc.  (ref.  Flight  Rule  { A4-104} ,  OMS  LEAK/PERIGEE 

ADJUST).  However,  Forward  RCS  delta  V  is  available  for  a  -X  perigee  adjust  if  required  to  supplemen  t 

the  Aft  RCS/OMS.  OPS  2  2-X  with  forward  pitch  control  requires  2.5  lb  of  Aft  RCS  attitude  hold  perfps. 
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C.  FORWARD  RCS  MISSION  COMPLETION  REDLINE 

THE  FORWARD  RCS  MISSION  COMPLETION  REDLINE  IS  DEFINED  AS 
THE  FORWARD  RCS  DEORBIT  REDLINE  PLUS  THE  REMAINING  FLIGHT 
PLAN  ACTIVITIES.  SEE  RULE  {A6-354},  RCS  ENTRY  REDLINE 
PROTECTION,  FOR  ACTIONS  REQUIRED  AS  A  RESULT  OF  VIOLATION 
OF  THE  FORWARD  RCS  MISSION  COMPLETION  REDLINE.  ®[091 098-671 1 B] 
®[092800-7247A] 

D.  FLIGHT  DAY  2  FORWARD  RCS  PRESS  QUANTITY  ®[01 2402-51 12B] 

THE  FD2  FORWARD  RCS  PRESS  QUANTITY  IS  THE  AMOUNT  OF  FORWARD 
RCS  PROPELLANT  FOR  ATTITUDE  HOLD  AND  MANEUVERS  THAT  MUST  BE 
PROTECTED  IN  ORDER  TO  SUPPORT  A  FD2  DEORBIT.  FORWARD  RCS 
USABLE  PROPELLANT  IN  EXCESS  OF  THE  FORWARD  RCS  PRESS  QUANTITY 
CAN  BE  USED  FOR  ORBIT  ADJUST  BURNS  TO  PROVIDE  FD2  ORBIT 
LIFETIME.  THE  FORWARD  RCS  PRESS  QUANTITY  FOR  FD2  IS  DEFINED 
AS  : 


OMS  ENGINE  FAIL  ATTITUDE  CONTROL  12 

USAGE  MECO  TO  DEORBIT  267 

MNVRS  TO  SUPPORT  OPS2  FORWARD  RCS  BURNS  12 

ATTITUDE  HOLD  FOR  +X  TRANSLATION  TBD 

®[01 2402-51 12B] 
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12  -  For  a  press  case,  the  OMS  engines  are  deliberately  burned  to  depletion.  The  OMS 

engine  fail  propellant  will  be  used  to  control  the  attitude  transients  resulting  from 
sequen  tial  OME  shutdown  during  the  depletion  sequence.  This  quantity  cannot 
not  be  traded  against  any  other  events  or  activities  (reference  All  Flights  Rule  j A6- 
352},  OMS  PROPELLANT  BUDGET  GROUND  RULES).  ®[oi 2402-51 12B] 

267  -  Forward  RCS  usage  required  for  window  protect  through  the  maneuver  to  the 

deorbit  burn.  Usage  from  launch  to  deorbit  for  the  ATO  case  is  dependent  on 
when  the  FD2  deorbit  opportun  ity  occurs.  FD2  assumes  OPS  2  and  vern  ier  jets. 

12  -  The  Forward  RCS  will  be  utilized  in  OPS  2  to  raise  or  lower  the  orbit  as 

needed.  Four  vernier  maneuvers  will  be  protected  to  support  two  Forward  RCS 
burns. 

TBD  Attitude  Hold  -  The  amount  of  propellant  required  to  control  the  vehicle  during  a  +X 

translation  is  a  function  of  the  Aft  RCS  propellan  t  available  above  the  Aft  RCS 
press  quantity,  which  is  defined  by  Flight  Rule  ( A6-305G} ,  AFT  RCS 
REDLINES. 

The  addition  of  the  FD2  Forward  RCS  Press  Quantity  is  a  result  of  decisions  made  at  the  A/E  Flight 

Techniques  #178,  which  allows  the  Forward  RCS  Delta  V  capability  to  be  considered  for  OPS  2  burns  in 

support  of  a  FD2  PLS  (reference  Flight  Rule  {A2-53},  FORWARD  RCS  USAGE  GUIDELINES ). 

®[01 2402-51 12B] 

Rules  {A2-108C},  CONSUMABLES  MANAGEMENT;  (A2-121A.1J,  RNDZ/PROX  OPS  PROPULSION 

SYSTEMS  MANAGEMENT;  {A4-1B},  PERFORMANCE  ANALYSES;  (A4-153I},  CG  PLANNING;  and 

{ A6-351 },  OMS  PROPELLANT  MANAGEMENT  MATRIX;  reference  this  rule.  ®[092800-7247A] 
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A.  AFT  RCS  DEORBIT  REDLINE  :  ®[091 098-671 1 B] 

THE  TOTAL  AFT  RCS  REQUIRED  FOR  DEORBIT  IS  DEPENDENT  UPON 
ORBITER  X  CG  LOCATION.  THE  AFT  RCS  DEORBIT  REDLINE  RESERVES 
PROPELLANT  FOR:  ®[092800-7247A] 

ORBITER  X  CG  (IN) 

?  1095  >  1095 


NOMINAL  DEORBIT  PREP 

162 

162 

USAGE  DEORBIT  TO  El 

160 

160 

99.5  PERCENT  USAGE  El  TO  MACH  1 

1175 

1375 

OMS  ENGINE  FAIL 

70 

70 

DEORBIT  WAVE-OFF  AND  MIN  ENTRY  PREP 

WEATHER  WAVE-OFF  EXTENSION  DAY 

81 

81 

EXTENSION  DAY  [1] 

228 

228 

1  REV  DEORBIT  DELAY 

65 

65 

DEORBIT  SUPPLEMENT  (IF  REQUIRED) 

TBD 

TBD 

ADDITIONAL  DEORBIT  ATTEMPTS 

TBD 

TBD 

CG  BALLAST  (IF  REQUIRED) 

TBD 

TBD 

PREBANK  (IF  REQUIRED) 

150 

150 

NOMINAL  DEORBIT  PREP,  DEORBIT  WAVE-OFF  AND  MIN  ENTRY  PREP, 
WEATHER  WAVE-OFF  ACTIVITIES,  AND  ADDITIONAL  DEORBIT  ATTEMPTS 
MUST  BE  PROTECTED  IN  THE  OMS  IF  NOT  PROTECTED  IN  THE  ARCS. 
WEATHER  WAVE-OFF  ACTIVITIES  MAY  BE  DELETED  IN  FAVOR  OF 
CRITICAL  ON-ORBIT  ACTIVITIES  PER  RULE  {A2-108},  CONSUMABLES 
MANAGEMENT,  AND  THE  FLIGHT  RULE  ANNEX.  OMS  ENGINE  FAILURE 
MAY  BE  DELETED  FOR  THE  DEORBIT  WAVE-OFF  EXTENSION  DAY  IN 
ORDER  TO  ACCOMPLISH  HIGHER  PRIORITY  ACTIVITIES  AS  DOCUMENTED 
IN  THE  FLIGHT  RULE  ANNEX.  VIOLATION  OF  THE  AFT  RCS  DEORBIT 
REDLINE  IS  CAUSE  TO  DEORBIT  AT  NEXT  PLS  IF  NO  FURTHER 
PROPELLANT  TRADE-OFFS  CAN  BE  ACCOMPLISHED  AS  LISTED  IN  RULE 
{ A2 -1 0 8 } ,  CONSUMABLES  MANAGEMENT. 

NOTE:  [1]  ASSUMES  ATTITUDE  CONTROL  IN  -ZLV  -XW  PER  RULE 
{A2-108},  CONSUMABLES  MANAGEMENT.  IF  THERMAL 
CONDITIONING  IS  REQUIRED,  UTILIZE  ATTITUDE 
PROFILE  PER  RULE  {A2-110},  STRUCTURES  THERMAL 
CONDITIONING,  OR  AS  SPECIFIED  IN  THE  FLIGHT  RULES 
ANNEX  .  ®[092800-7247A] 
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-  Aft  portion  of  nominal,  vern  ier  deorbit  prep.  Tail-Only  control  requires  298  lb. 
©[092800-7247A] 

-  Required  to  support  attitude  control  from  the  cleorbit  burn  to  entry  interface. 
This  is  mean  usage  and  is  confirmed  by  actual  flight  data.  @[091098-671  IB] 

-  The  amount  of  Aft  RCS  required  to  perform  an  entry  from  El  to  Mach  1  given  a 
specific  orbiter  X  CG  location,  reference  A/E  Flight  Techniques  #150.  The  X 
CG  constraint  applies  throughout  the  entry  profile  (ref.  Rule  {A4-153},  CG 
PLANNING),  but  because  the  X  CG  moves  forward  from  El  to  Mach  1,  the  X 
CG  at  El  is  used  to  determine  the  redline.  These  numbers  were  chosen  to 
provide  99.5  percent  WRAP  DAP  protection  based  on  Weissman’s  estimator  for 
non-normal  distributions.  The  Monte  Carlo  data  were  generated  with  STS-1 
through  STS-89  (less  STS-4)  reconstructed  flight  atmospheres  using  both  SES 
and  SDAP  simulators.  @[091 098-671 1 B] 

-  If  an  OMS  engine  failure  should  occur  during  the  deorbit  burn,  70  lb  of  Aft 
RCS  usage  are  required  to  perform  single  OMS  engine  attitude  control 
(reference  STSOC  Transmitted  Form  No.  330-320-352).  This  number  should  be 
increased  to  82  lb  if  Tail-Only  control  is  required.  OMS  engine  fail  protection 
may  be  given  up  for  the  deorbit  wave-off  extension  day  in  order  to  accomplish 
high  priority  mission  success  activities  as  documented  in  the  Flight  Rule  Annex. 
If  OMS  engine  fail  protection  is  given  up,  then  the  deorbit  wave-off  extension 
day  propellant  should  be  redistributed  in  the  OMS  and  Aft  RCS  in  order  to 
retain  the  equivalent  of  the  OMS  engine  failure  propellant  in  each  system  at 
nominal  end  of  mission.  This  implicit  protection  will  be  lost  if  the  deorbit 
wave-off  extension  day  is  used.  If  cm  OMS  engine  has  previously  failed,  then 
this  allotment  must  be  redlined  in  the  Aft  RCS  or  OMS  to  provide  roll  control 
during  the  deorbit  burn.  @[091 098-671 1 B] 

-  Normally,  as  part  of  the  deorbit  wave-off  extension  day,  the  propellan  t 
required  for  a  deorbit  prep  backout  and  the  last  30  minutes  of  a  subsequent 
deorbit  preparation  is  protected  in  the  Aft  RCS  deorbit  redline.  This 
consists  of  43  lb  that  is  budgeted  to  support  PRCS  attitude  control  for  1 
hour  until  the  RCS  system  can  be  interconnected  to  the  OMS,  and  38  lb  to 
perform  the  last  30  minutes  of  deorbit  preparation.  This  propellan  t  can  be 
protected  in  the  OMS  if  required.  The  equivalent  quantity  for  Tail-Only 
control  is  147  lb.  @[091 098-671  IB]  ®[092800-7247A] 
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-  Propellant  reserved  as  part  of  the  weather  wave-off  extension  day  to  back  out  of 
the  deorbit  burn  config  (43  lb),  extend  one  day  (23  lb),  and  then  complete  a 
second  nominal  deorbit  prep  (162  lb).  The  extension  day  propellant  is 
protected  in  the  Aft  RCS  because  it  is  such  a  small  amount  of  propellant  that  it 
is  not  operationally  convenient  to  protect  it  in  the  OMS.  Similarly,  Nose/T ail 
ALT  control  requires  43  lb  for  the  backout,  53  lb  for  the  extension  day,  and  137 
lb  for  the  deorbit  prep,  toted  233  lb.  Note  that  if  the  propellant  required  for  the 
extension  day  increases,  such  as  for  Tail-Only  ALT  control  (as  men  tioned 
below),  or  because  cm  alternate  attitude  profile  is  required  for  structural 
thermal  conditioning,  the  extension  day  may  be  protected  either  in  the  OMS  or 
the  Aft  RCS.  Tail-Only  ALT  control  requires  75  lb  for  the  deorbit  backout  and 
298  lb  for  the  deorbit  prep,  toted  373  lb,  with  the  extension  day  propellant  (89 
lb)  normally  protected  in  the  OMS.  Note  also  that  the  weather  wave-off 
extension  day  assumes  a  specific  attitude  profile:  -ZLV-XW  is  the  default 
attitude  and  was  chosen  to  provide  the  minimum  propellant  consumption  with 
maximum  debris  protection,  and  because  it  is  relatively  insensitive  to  altitude, 
thus  providing  the  best  protection  for  off-nominal  (abort)  orbits.  However,  if  a 
different  attitude  profile  is  required  for  deorbit  thermal  conditioning,  this  must 
be  protected.  Ref.  Rule  {A2-110J,  STRUCTURES  THERMAL 
CONDITIONING,  and  the  Flight  Rule  Annex.  The  weather  wave-off  extension 
day  requires  205  lb  of  aft  RCS  with  10  hours  of  vernier  1  deg  PTC  protected 
(180  lb  Nose/Tail  ALT,  373  lb  Tail-Only  ALT,  both  with  10  hours  of  5  deg  Tail- 
Only  PTC)  per  Rule  {A2-110J,  STRUCTURES  THERMAL  CONDITIONING, 
with  the  remainder  of  the  extension  day  propellant  protected  in  the  OMS. 
According  to  an  email  dated  June  5,  2000,  from  ES/Y.  Chang,  up  to  a  10-deg 
deadband  for  PTC  is  thermally  acceptable.  All  propellant  budgeted  for  the 
weather  wave-off  extension  day  may  be  traded  for  critical  on-orbit  activities  as 
defined  in  Rule  {A2-108},  CONSUMABLES  MANAGEMENT,  and  the  Flight 
Rule  Annex.  ©[092800-7247A] 

-  Also  as  part  of  the  weather  wave-off  extension  day,  propellant  is  provided  to 
perform  one  rev  of  attitude  hold  on  the  TRANS  DAP  to  ensure  two  consecutive 
deorbit  attempts  on  one  of  the  three  days.  All  propellant  budgeted  for  the 
weather  wave-off  extension  day  may  be  traded  for  critical  on-orbit  activities  as 
defined  in  Rule  {A2-108},  CONSUMABLES  MANAGEMENT,  and  the  Flight 
Rule  Annex.  One  orbit  of  Nose/T ail  Trans  DAP  with  FES  will  cost  65  lb  aft 
(113  lb  Tail-Only  control).  This  propellant  may  be  protected  in  the  OMS  if 
required.  ®[092800-7247A] 
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TBD  D/O  Supplement-  If  Aft  RCS  propellant  is  required  to  supplement  the  OMS  deorbit  steep  propellant, 

either  for  +X  translation,  +Z  translation,  or  for  attitude  hold  during  FRCS  -X 
translation,  this  propellant,  plus  any  associated  maneuvers,  must  be  protected. 

TBD  D/O  Attempts  -  Propellan  t  for  additional  deorbit  opportunities,  such  as  extra  orbits  of  attitude 

hold  in  the  deorbit  burn  configuration,  may  be  protected  on  a  flight  specific 
basis  as  documented  in  the  Flight  Rule  Annex.  One  orbit  of  Nose  Tail  Trans 
DAP  with  FES  will  cost  65  lb  aft  (113  lb  Tail-Only  control).  This  propellant 
may  be  protected  in  the  OMS  if  required.  ©[092800-7247A] 

TBD  CG  Ballast  -  Propellan  t  may  be  redlined  to  act  as  ballast  to  maintain  the  X  and  Y  CG  within 

limits.  The  amount  of  propellant  required  for  CG  ballast  (ref.  Rule  {A4-153}, 

CG  PLANNING)  is  determined  during  preflight  analysis  and  updated  in  real 
time.  Ballast  will  be  protected  in  the  OMS,  the  Aft  RCS,  or  both.  Note  that 
OMS  and  ARCS  propellant  cannot  be  traded  1:1  for  ballast  purposes.  CG 
ballast  cannot  be  traded  against  other  orbit  activities.  CG  ballast  can  be 
traded  against  other  redlined  items  if  the  ballast  requiremen  t  changes  for 
extension  day  deorbit  opportunities. 

150  -  If  the  OMS  targets  are  shallowed,  an  extra  150  lb  of  Aft  RCS  propellant  must 

be  redlined  to  perform  the  prebcmk  maneuvers.  The  size  of  the  prebcmk 
maneuver  is  not  a  factor;  a  1-degree  prebcmk  maneuver  is  estimated  to  use  as 
much  propellant  as  a  90-degree  prebcmk.  A  shallow  deorbit  causes  the  vehicle 
to  enter  the  atmosphere  at  a  shallower  angle  than  usual  and  is  more  prone  to 
“skip  ”  off  the  atmosphere  back  into  orbit.  To  avoid  skipping  off  the 
atmosphere,  the  vehicle  is  rolled  (“banked”)  so  that  the  lift  from  the  orbiter 
wings  is  minimized.  This  increases  the  sink  rate  and  decreases  the  possibility 
of  skipping  back  out  of  the  atmosphere.  The  consequences  of  skipping  back  out 
are  likely  to  be  catastrophic  -  at  the  very  least,  the  planned  landing  site  would 
be  missed.  ®[091 098-671 1 B]  ©[092800-7247A] 
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B.  MISSION  COMPLETION  REDLINE  ®[091 098-6711 B] 

THE  AFT  RCS  MISSION  COMPLETION  REDLINE  IS  DEFINED  AS  THE 
NOMINAL  AFT  RCS  DEORBIT  REDLINE  PLUS  ENOUGH  PROPELLANT  TO 
EXECUTE  THE  REMAINING  FLIGHT  PLAN  ACTIVITIES.  ®[092800-7247A] 

The  mission  completion  redline  is  the  amount  of  RCS  propellant  required  to  perform  the  flight  plan 
activities,  PTI’s,  DTO’s,  while  still  protecting  the  deorbit  redline  requirements. 

C.  AEROCAPTURE  AFT  RCS  REDLINE: 

THE  TOTAL  AFT  RCS  REQUIRED  FOR  AEROCAPTURE  ENTRY  IS  460  LBS. 
THIS  INCLUDES  DEORBIT  TO  El  USAGE  (160  LB)  AND  MEAN  SHALLOW 
El  TO  QBAR  20  USAGE  (300  LB) . 


The  aerocapture  RCS  redline  defines  a  theoretical  minimum  amount  of  Aft  RCS  propellant  required  to 
control  the  vehicle  from  deorbit  to  the  point  at  which  NO  YAW  JET  option  can  be  selected  (Qbar  =  20 
psf;  ref.  All  Flights  Rule  {A4-207C},  ENTRY  LIMITS).  300  lb  protects  mean  RCS  usage  for  a  shallow 
entry  from  El  to  Qbar  =  20  based  on  data  supplied  by  DM  after  AEFTP  #150.  The  propellant  protected 
by  this  redline  is  used  (see  Aft  RCS  Quantity  2  below )  to  define  the  maximum  propellant  that  may  be  used 
for  the  deorbit  burn  in  an  emergency  and  still  have  some  chance  for  a  successful  entry.  ©[092800-7247A] 

D.  ON  ORBIT  AFT  RCS  SINGLE  POD  QUANTITY  REDLINE: 


ARCS  ON  ORBIT  TANK  FAIL  440 
MEAN  USAGE  DEORBIT  TO  El  160 
MEAN  USAGE  STEEP  El  TO  0.05G  96 

TOTAL  696 


THE  ON-ORBIT  AFT  RCS  SINGLE  POD  QUANTITY  REDLINE  IS  THE 
MINIMUM  QUANTITY  ALLOWED  IN  EACH  AFT  RCS  SYSTEM  DURING  ORBIT 
OPERATIONS.  LEFT  AND  RIGHT  RCS  PROPELLANT  WILL  BE  MANAGED  TO 
ENSURE  THIS  QUANTITY  IS  NOT  VIOLATED  PRIOR  TO  NOMINAL  EOM . 
VIOLATION  OF  THIS  REDLINE  IS  CAUSE  FOR  DEORBIT  AT  NEXT  PLS . 

System  failures  could  result  in  cm  imbalance  between  left  and  right  RCS  usable  quantities 
(i.e.,  maximum  blowdown  burn  after  a  helium  tank  leak )  while  the  total  ARCS  usable  is  greater  than  the 
nominal  RCS  Deorbit  Redlines.  However,  if  either  RCS  system  cannot  individually  protect  the  NO 
YAW  JET  entry  redline,  a  PLS  must  be  executed.  RCS  tank  fail  protection  is  required  in  order  to  stay 
on  orbit.  ®[091 098-671 1 B] 
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The  ON-ORBIT  AFT  RCS  SINGLE  POD  QUANTITY  REDLINE  represents  the  minimum  quantity 
required  per  side  to  protect  for  an  RCS  tank  failure  and  still  guarantee  a  no  yaw  jet  entry.  This 
quantity  assumes  that  OMS  propellant  will  not  be  available  after  the  deorbit  burn  for  OMS  to  RCS 
in  terconnect  (quantity  <  11  percent  per  pod,  ref  SODB  3.4.3.3.6d).  Deorbit  to  El  (160  lb)  and  El  to 
.05g  (96  lb)  propellant  usages  must  come  out  of  the  remaining  RCS  system.  During  this  time  period, 
since  there  is  no  appreciable  acceleration  on  the  vehicle,  the  AFT  RCS  ON-ORBIT  TANK  FAIL  limit 
(ref.  All  Flights  Rule  / A6-7 },  RCS  PROPELLANT  TANK  (OXIDIZER  OR  FUEL))  applies.  The  440  lb 
of  trapped  propellant  will  become  available  once  the  entry  g-load  on  the  vehicle  increases  to  the  0.05 g 
level.  At  Qbar  =  20,  NO  YAW  JET  may  be  selected  and  RCS  propellant  is  no  longer  required. 
@[091098-671  IB] 

E.  AFT  RCS  QUANTITY  1  IS  DEFINED  AS  SUFFICIENT  AFT  RCS 

PROPELLANT  TO  GUARANTEE  1134  LB  AT  El  AND  PROVIDES  97.5 
PERCENT  CONFIDENCE  FOR  SHALLOW  El  TO  0.05G  USAGE  ABOVE  ARCS 
ON  ORBIT  TANK  FAIL.  AFT  RCS  PROPELLANT  ABOVE  AFT  RCS 
QUANTITY  1  WILL  BE  USED  DURING  THE  DEORBIT  BURN  FOR  DELTA-V 
PURPOSES  PRIOR  TO  USE  OF  FWD  RCS  PROPELLANT,  REDESIGNATION, 
OR  PREBANK.  AFT  RCS  QUANTITY  1  IS  DEFINED  AS: 


ARCS  ON  ORBIT  TANK  FAIL  880 
97.5  PERCENT  SHALLOW  USAGE  FROM  El  TO  NZ  0.05G  254 
PREBANK  150 
USAGE  DEORBIT  TO  El  160 
ATTITUDE  HOLD  FOR  FRCS  (-X)  TRANS  TBD 
FAST  FLIP  100 
CG  BALLAST  (IF  REQUIRED)  TBD 


If  OMS  propellan  t  is  depleted  during  the  deorbit  burn  prior  to  the  completion  of  the  targeted  delta  V,  the 
crew  will  use  the  Aft  RCS  propellant  through  the  +X  jets  until  either  the  desired  targets  are  achieved,  or 
until  the  Aft  RCS  propellant  quantity  decreases  to  “Aft  RCS  Quantity  1.  ”  If  deorbit  targets  still  have  not 
been  achieved,  the  crew  will  utilize  the  aft  Hp,  target  Hp,  and  flip  Hp  cues  (calculated  by  MCC)  to 
determine  the  actions  required  to  complete  the  deorbit  burn.  These  actions  may  include  requiring 
prebank,  utilizing  the  FRCS  -X  jets  which  requires  a  fast  flip  maneuver  and  attitude  hold  propellant, 
and/or  redesignation.  Since  these  tools  will  not  be  used  until  after  the  +X  translation,  their  propellant 
requirement  is  included  in  the  definition  of  “Aft  RCS  Quantity  1.  ”  The  propellant  required  to  control  the 
vehicle  during  the  FRCS  -X  translation  is  a  function  of  FRCS  propellant  available  and  is  calculated  by 
the  PROP  console  prior  to  deorbit.  The  amount  of  propellant  required  for  CG  ballast  (if  any)  to  protect 
the  nominal  CG  box  (ref.  Rule  {A4-153},  CG  PLANNING)  will  be  determined  during  preflight  analysis 
for  AO  A/ Orbit  3  scenarios.  Preflight  analysis  will  also  determine  nominal  end-of-mission  ballast 
requirements,  which  may  be  updated  during  real-time  operations.  Ballast  will  normally  be  protected  in 
the  RCS  for  AO  A/Orbit  3,  and  in  the  OMS  for  EOM,  but  may  be  protected  in  the  OMS,  or  RCS,  or 
divided  between  the  two  systems.  @[901  -98-671 1 B] 
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Per  A/E  Flight  Techniques  Meeting  #  150,  lowering  the  El  to  Mach  1  usage  protection  to  97.5  percent 
confidence  is  preferred  over  fast  flip,  redesignation,  or  prebank.  Even  so,  a  steep  entry  cannot  be 
guaranteed  in  a  case  where  AQ1  is  applied,  and  a  shallow  entry  uses  more  propellant  in  the  El  to 
Nz=0.05g  region.  To  provide  97.5  percent  protection  from  El  to  Nz=0.05g  for  a  shallow  entry  requires 
254  lb  over  and  above  the  880  lb  AFT  RCS  ON-ORBIT  TANK  FAIL  quantity  (ref.  All  Flights  Rule  {A6- 
7},  RCS  PROPELLANT  TANK  ( OXIDIZER  OR  FUEL)).  The  total  El  to  Mach  1  requirement  is  1134  lb. 
and  may  be  reduced  to  1028  lb  if  steep  targets  are  achieved  (see  section  H,  Aft  Hp  Quan  tity).  Note  that 
this  may  provide  slightly  less  than  the  97.5  percent  El  to  Mach  1  usage  and  so  may  require  the  use  of  NO 
YAW  JETS  if  worst  case  entry  conditions  are  encountered.  ®[091 098-671 1 B]  ®[092800-7247A] 

F.  AFT  RCS  QUANTITY  2  IS  DEFINED  AS  SUFFICIENT  AFT  RCS 

PROPELLANT  TO  PROTECT  AEROCAPTURE  REQUIREMENTS.  AFT  RCS 
PROPELLANT  AVAILABLE  ABOVE  AFT  RCS  QUANTITY  2  WILL  BE  USED 
FOR  DELTA  V  PURPOSES  ONLY  IF  FORWARD  RCS  PROPELLANT, 
REDESIGNATION,  AND  PREBANK  ARE  NOT  SUFFICIENT.  AFT  RCS  WILL 
BE  USED  NO  LOWER  THAN  AFT  RCS  QUANTITY  2  TO  SUPPORT  DEORBIT. 
AFT  RCS  QUANTITY  2  DOES  NOT  GUARANTEE  A  SUCCESSFUL  ENTRY. 

AFT  RCS  QUANTITY  2  IS  DEFINED  AS: 


DEORBIT  TO  El  160 
El  TO  QBAR  ?  20  300 
PREBANK  150 
ATT  HOLD  FOR  FRCS  TRANS  TBD 
FAST  FLIP  100 

®[091 098-671 1 B] 
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If,  using  all  the  Aft  RCS  available  above  Aft  RCS  Quantity  1,  all  the  Forward  RCS  available, 
redesignation  (if  available),  and  prebank  to  90  degrees,  insufficient  delta  V  is  available  to  complete  the 
deorbit  burn,  additional  Aft  RCS  must  be  used.  However,  to  run  completely  out  of  Aft  RCS  during  the 
deorbit  burn  is  also  catastrophic.  Some  minimum  amount  of  Aft  RCS  must  be  protected  to  maintain 
vehicle  control  until  the  aerosurfaces  have  some  chance  of  maintaining  con  trol.  When  completing  a 
deorbit  burn,  if  the  Aft  RCS  propellant  available  decreases  to  Aft  RCS  Quantity  1,  and  the  other 
resources  cannot  meet  the  target  (as  calculated  by  the  MCC  and  provided  in  the  form  of  aft  Hp,  target 
Hp,  and  flip  Hp),  rather  than  flip,  crew  procedures  will  continue  to  use  Aft  RCS  through  the  +X  jets. 

Note  that  time  is  not  available  to  flip  to  use  Forward  RCS  to  depletion  and  then  flip  back  to  complete 
with  Aft  RCS,  even  though  this  is  probably  the  optimum  use  of  the  propellant.  Crew  procedures  continue 
to  use  Aft  RCS  until  the  delta  V  requirement  decreases  to  the  point  that  the  other  tools  (Forward  RCS, 
redesignation,  and  prebcmk)  can  meet  the  target.  At  that  time  (or  when  Aft  RCS  propellant  decreases  to 
Aft  RCS  Quantity  2),  the  procedures  execute  the  other  options;  first  flip  to  use  Forward  RCS  to  depletion, 
then  redesignation  and  prebcmk.  All  three  options  will  be  fully  utilized;  therefore,  the  Aft  RCS  propellan  t 
requirements  for  these  additional  options  must  be  protected.  As  in  the  case  of  Aft  RCS  Quantity  1,  the 
Forward  RCS  attitude  control  propellant  is  calculated  in  the  MCC  prior  to  deorbit.  No  ballast  is 
protected  in  Aft  RCS  Quantity  2  because  a  propellant  failure  is  the  most  likely  reason  for  using  Aft  RCS 
below  Aft  RCS  Quantity  1,  in  which  case  the  propellant  trapped  in  the  failed  tank  can  serve  as  ballast. 
Further,  completion  of  the  deorbit  burn  is  a  higher  priority  than  any  ballast  requirement.  @[091098-671  IB] 

Aft  Quantity  2  does  not  protect  the  AFT  RCS  ON  ORBIT  TANK  FAIL  limit  ( ref.  All  Flights  Rule  { A6-7J , 
RCS  PROPELLANT  TANK  ( OXIDIZER  OR  FUEL)).  Below  20  percent  remaining,  with  Nz  <  0.05g,  the 
Aft  RCS  tanks  may  not  be  able  to  supply  propellant  to  the  RCS  jets.  ©[092800-7247A] 

G.  THE  AFT  RCS  PRESS  QUANTITY  IS  THE  AMOUNT  OF  AFT  RCS 

PROPELLANT  THAT  MUST  BE  PROTECTED  IN  ORDER  TO  PROVIDE  97.5 
PERCENT  ENTRY  CONFIDENCE  FOR  AN  AOA  OR  ATO .  AFT  RCS  USABLE 
PROPELLANT  IN  EXCESS  OF  THE  AFT  RCS  PRESS  QUANTITY  IS 
COMMITTED  TO  THE  PRESS  TO  ATO  CALL.  THE  AFT  RCS  PRESS 
QUANTITY  IS  DEFINED  AS:  ®[01 2402-51 12B] 

ARCS  ON  ORBIT  TANK  FAIL 
USAGE  El  TO  NZ  0.05G  SHALLOW/STEEP 
PREBANK  (IF  REQUIRED) 

USAGE  DEORBIT  TO  El 
OMS  ENGINE  FAIL  ATTITUDE  CONTROL 
USAGE  MECO  TO  DEORBIT  AOA/ ORBIT  3/ORBIT  7/FD2 
MNVRS  TO  SUPPORT  OPS  2  FRCS  BURNS  (FD2  ONLY) 

ATTITUDE  HOLD  FOR  OPS  2  FRCS  BURNS  (FD2  ONLY) 

CG  BALLAST  (IF  REQUIRED) 

©[092800-7247A]  ®[01 2402-51 12B] 
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-  At  Nz=0.05g,  the  AFT  RCS  ON-ORBIT  TANK  FAIL  constraint  (ref.  All  Flights 
Rule  (A6-7j,  RCS  PROPELLANT  TANK  ( OXIDIZER  OR  FUEL))  is  released  and 
880  lb  of  additional  Aft  RCS  becomes  available  to  support  entry  usage.  @[091098- 
671  IB] 

Data  presented  at  A/E  Flight  Techniques  # 150  showed  254  lb  required  for 
shallow  El  to  Nz=0.05g  usage  with  97.5  percent  protection.  For  a  steep 
entry ,  148  lb  of  El  to  Nz-0.05g  usage  provides  the  same  level  of  protection. 

®[091 098-671 1 B] 

For  an  AO  A  or  ATO  shallow,  prebcmk  must  be  protected.  Prebank  is  not 
required  for  a  steep  entry. 

Required  to  support  attitude  control  from  the  deorbit  burn  to  entry  interface. 

For  a  press  case,  the  OMS  engines  are  deliberately  burned  to  depletion.  The 
OMS  engine  fail  propellan  t  will  be  used  to  control  the  attitude  transien  ts 
resulting  from  sequential  OME  shu  tdown  during  the  depletion  sequence.  This 
quantity  cannott  be  traded  against  any  other  events  or  activities  (ref.  All  Flights 
Rule  {A6-352},  OMS  PROPELLANT  BUDGET  GROUND  RULES). 

Aft  RCS  usage  required  for  mated  coast/ET  SEP  through  the  maneuver  to  the 
deorbit  burn.  Usage  from  MECO  to  deorbit  for  the  ATO  case  is  dependen  t  on 
when  the  EDI  or  FD2  deorbit  opportunity  occurs.  FD2  assumes  OPS  2  and 
vern  ier  jets. 

The  Forward  RCS  will  be  utilized  in  OPS  2  to  raise  or  lower  the  orbit  as  needed 
in  support  of  a  FD2  PLS.  Four  vernier  maneuvers  will  be  protected  to  support 
two  Forward  RCS  burns.  This  applies  to  the  FD2  Aft  RCS  press  quantity  only. 
®[01 2402-51 12B] 

The  amount  of  propellant  required  to  control  the  vehicle  during  the  OPS  2 
Forward  RCS  -X  burns  is  a  function  of  Forward  RCS  propellant  available 
above  the  FD2  Forward  RCS  press  quantity,  which  is  defined  by  Flight  Rule 
{A6-304D},  FORWARD  RCS  REDLINES.  This  applies  to  the  FD2  Aft  RCS 
press  quantity  only.  ®[01 2402-51 1 2B] 

The  amount  ofCG  ballast  required  will  be  determined  during  preflight 
analysis.  This  ballast  will  nominally  be  protected  in  the  RCS.  The  nominal  CG 
box  (ref.  Rule  {A4-153},  CG  PLANNING)  is  used  for  AO  A  steep  ballast 
determination  and  the  contingency  CG  box  is  used  for  AO  A  shallow. 
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H.  AFT  HP  QUANTITY 

AFT  HP  QUANTITY  IS  DEFINED  AS  THE  AMOUNT  OF  PROPELLANT 
RESERVED  IN  AFT  QUANTITY  1  FOR  FAST  FLIP,  AFT  ATT  HOLD  FOR 
FORWARD  RCS  (-X)  TRANSLATION,  PREBANK,  AND  EXTRA  USAGE 
DURING  A  SHALLOW  ENTRY.  THIS  PROPELLANT  CAN  BE  USED  TO 
COMPLETE  THE  DEORBIT  BURN  IF  IT  IS  SUFFICIENT  TO  COMPLETE 
THE  STEEP  TARGET  REQUIREMENT.  AFT  HP  QUANTITY  IS  COMPUTED 
AS  FOLLOWS:  ©[092800-7247A] 


FAST  FLIP  100 
AFT  ATT  HOLD  FOR  FRCS  (-X)  TRANSLATION  TBD 
El  TO  0.05G  REDUCTION  FOR  STEEP  ENTRY  106 
PREBANK  150 


Fast  flip  and  shallow  targets  are  less  desirable  than  steep  targets.  If  burning  the  aft  propellan  t  reserved 
for  these  activities  will  allow  the  steep  target  to  be  met  that  is  the  preferred  action.  97.5  percent 
protection  for  shallow  El  to  Nz-0.05g  requires  254  lb  while  equivalent  protection  for  a  steep  entry  only 
requires  148  lb.  The  difference  is  106  lb.  @[091098-671  IB] 

I.  ENGAGE  NO  YAW  JET  QUANTITY  @[091 098-671 1 B] 

DURING  ENTRY,  BETWEEN  QBAR=2  0  AND  MACH  6,  WHEN  THE  TOTAL 
AMOUNT  OF  AFT  RCS  USABLE  PROPELLANT  FALLS  BELOW  10  PERCENT 
(220  LBS),  NO  YAW  JET  WILL  BE  ENGAGED.  BELOW  MACH  6,  NO  YAW 
JET  WILL  BE  DISENGAGED.  NO  YAW  JET  WILL  NOT  BE  RE-ENGAGED 
BELOW  MACH  6  UNLESS  MULTIPLE  RCS  JETS  FAIL  OFF  (PROPELLANT 
DEPLETION) . 


According  to  study  results  presented  at  the  A/E  Flight  Techniques  #150,  less  than  132  lb  (6  percent)  is 
required  for  the  Mach  6  to  Mach  1  regime.  To  reduce  the  likelihood  of  a  time  critical  RCS  crossfeed  being 
required,  the  number  actually  protected  is  10  percent  or  220  lb.  Above  Mach  6,  once  10  percent  total 
(L+R)  quantity  is  reached,  NO  YAW  JET  will  be  selected,  presenting  the  220  lb  for  any  control  problems 
which  might  be  encountered  in  NO  YAW  JET.  Once  Mach  6  is  reached,  the  220  lb  remaining  should  be 
more  than  adequate  to  complete  a  normal  entry,  so  AUTO  will  be  selected  to  lower  the  crew  workload. 
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J.  AFT  RCS  OMS  TANK  FAIL  QUANTITY 

THE  AFT  RCS  OMS  TANK  FAIL  QUANTITY  IS  DEFINED  AS  THE  AMOUNT 
OF  AFT  RCS  PROPELLANT  THAT  MUST  BE  RESERVED  FOR  OMS  TANK  FAIL 
DETERMINATION.  ONLY  AFT  RCS  USABLE  PROPELLANT  IN  EXCESS  OF 
THE  AFT  RCS  OMS  TANK  FAIL  QUANTITY  CAN  BE  COMMITTED  TO 
DEORBIT  DELTA  V.  THE  AFT  RCS  OMS  TANK  FAIL  QUANTITY  IS 
DEFINED  AS: 


ARCS  ON  ORBIT  TANK  FAIL  880 

97.5  PERCENT  SHALLOW  USAGE  El  TO  NZ  254 

0 . 05G 

PREBANK  150 

DEORBIT  TO  El  160 

ENGINE  FAIL  70 

NOMINAL  (VERNIER)  DEORBIT  PREPARATION  162 

USAGE  TO  DEORBIT  TIG  -  5  HOURS  TBD 

VRCS  EXTENSION  DAY  64 

ATTITUDE  HOLD  FOR  FRCS  TRANS  TBD 

MANEUVERS  TO  FRCS  BURN  ATTITUDE  TBD 

TWO  ULLAGE  BURNS  188 

MANEUVERS  TO  OMS  BURN  ATTITUDE  39 

CG  BALLAST  (IF  REQUIRED)  TBD 

®[092800-7247A] 


The  Aft  RCS  OMS  Tank  Fail  Quantity  is  used  to  determine  whether  a  leaking  OMS  propellant  burn  will 
be  done  retrograde  or  out-of-plane  (ref  All  Flights  Rule  { A4-104J ,  OMS  LEAK/PERIGEE  ADJUST ). 

®[091 098-671  IB] 

880  -  The  AFT  RCS  ON-ORBIT  TANK  FAIL  limit  applies  until  the  G-load  on  the 

vehicle  reaches  0.05G.  This  propellant  is  then  available  for  entry  control  (ref 
All  Flights  Rule  {A6-7},  RCS  PROPELLANT  TANK  (OXIDIZER  OR  FUEL)). 
All  Aft  RCS  propellant  available  above  this  quantity  will  be  committed  to  OMS 
tank  fail  protection.  By  not  protecting  the  full  El  to  Mach  1  propellant 
requirements,  it  is  possible  that  NO  YAW  JET  will  have  to  be  engaged  if  worst 
case  entry  conditions  are  present  (bent  airframe,  wind  and  turbulence,  and  aero 
variations).  However,  the  RCS  propellant  gained  to  commit  to  OMS  tank  fail 
may  prevent  a  southern  hemisphere  ELS  after  an  OMS  propellant  tank  leak. 
®[091 098-671 1 B]  ®[092800-7247A] 
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A6-305  AFT  RCS  REDLINES  (CONTINUED) 

254  -  The  El  to  Nz  of  0.05G  usage  must  be  protected  above  the  AFT  RCS  ON-ORBIT 

TANK  FAIL  limit  to  ensure  attitude  hold  propellant  is  available  until  0.05G 
when  the  propellant  trapped  on  orbit  becomes  usable;  254  lb  provides  97.5 
percen  t  protection  for  a  shallow  entry. 

150  -  A  prebank  maneuver  will  be  performed  in  an  OMS  tank  fail  case  since  the 

determination  of  OMS  tank  fail  capability  is  based  on  shallow  deorbit. 

160  -  Required  to  support  attitude  control  from  the  deorbit  bum  to  entry  interface. 

70  -  Since  one  engine  will  have  failed  at  the  end  of  the  leaking  OMS  depletion  burn, 

the  ensuing  deorbit  burn  will  generally  be  performed  with  a  single  engine; 
accordingly,  propellant  for  roll  control  must  be  protected.  Furthermore,  if  RCS 
completion  is  required  during  the  deorbit  burn,  propellant  is  needed  for  the 
maneuver  to  RCS  4+X  attitude.  The  70  lb  protects  both  of  these  requirements. 

162  -  Protects  a  nominal  deorbit  prep  with  no  additional  thermal  conditioning. 

USAGE  TO  DEORBIT  TIG- 5  HOURS  -  Determined  real  time  based  on  the 
actual  NPLS  TIG. 

64  -A  vernier  extension  day  is  protected  to  allow  for  propellant  sublimation  prior  to 

deorbit.  ©[092800-7247A] 

-  ATTITUDE  HOLD  FOR  FRCS  TRANS  -  Determined  real  time  based  on  the 
amount  of  FRCS  propellan  t  available.  This  will  not  be  the  standard  1:3  since 
fast  flip  is  not  to  be  used  during  the  deorbit  burn.  Instead,  the  FRCS  will  be 
used  for  a  perigee  adjust  burn  prior  to  deorbit  (ref.  All  Flights  Rule  {A4-104}, 
OMS  LEAK/PERIGEE  ADJUST).  This  will  require  2.5  lb  Aft  RCS  per  fps. 

-  MANEUVERS  TO  FRCS  BURN  ATTITUDE  -  If  an  FRCS  -X  perigee  adjust  is  to 
be  performed  after  an  OMS  tank  fail,  two  vernier  maneuvers  (19  lb)  are  required 
to  maneuver  to  and  from  the  -X  burn  attitude.  @[091098-671  IB] 
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A6-305 

AFT  RCS  REDLINES  (CONTINUED) 

188 

-  Two  15-second  ullage  burns  are  protected.  The  first  ullage  burn  is  required  for 
either  the  perigee  adjust  or  the  dump  out  of  plane.  The  second  ullage  burn  is 
required  if  the  leaking  propellant  tank  is  not  depleted  during  a  perigee  adjust 
burn.  @[091098-671  IB]  ©[092800-7247A] 

39 

-  MANEUVERS  TO  BURN  ATTITUDE  ( two  primary  maneuvers)  are  required  for 
the  leaking  OMS  perigee  adjust  burn  and  the  subsequent  out-of-plane  burn  to 
depletion.  ®[091 098-671  IB]  ©[092800-7247A] 

TBD  CG  Ballast 

-  The  amount  of  propellant,  if  any,  to  protect  the  contingency  CG  box  (ref.  Rule 
{A4-153},  CG  PLANNING)  required  for  CG  ballast  will  be  determined  real  time, 
based  on  the  next  PLS  deorbit  TIG.  Ballast  will  be  protected  in  the  OMS  or  the 
RCS,  or  divided  between  the  two  systems. 

Rules  {A2-108},  CONSUMABLES  MANAGEMENT;  {A2-121A.il,  RNDZ/PROX  OPS  PROPULSION 
SYSTEMS  MANAGEMENT;  {A4-1B},  PERFORMANCE  ANALYSES;  {A4-55},  DESIGN  AND  CRITICAL 
MECO  UNDERSPEED  DEFINITIONS;  {A4-153C.10},  {A4-153D.4},  {A4-153I},  { A4-153K.l.b j,  and 
{A4-153K.2.bJ,  CG  PLANNING;  / A6-351 J  (Note  10),  OMS  PROPELLANT  MANAGEMENT  MATRIX; 
and  { A8-19 },  YAW  JET  DOWNMODE;  reference  this  rule.  ®[092800-7247A] 
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CONSUMABLES  MANAGEMENT 


A6-351 


OMS  PROPELLANT  MANAGEMENT  MATRIX 


ITEM  TO  BE 
PROTECTED 

NOMINAL 
AME  [1] 

ATO 

PLS  DAILY 
GO/NO-GO 

PROP  REQUIREMENTS  [10] 

AME  [11 

RAISE  ORB 

LEFT 

RIGHT 

TOTAL 

1.  DISPERSIONS  [8] 

? 

? 

? 

? 

[8] 

[8] 

[8] 

2.  ENG  OUT 

? 

? 

? 

? 

62 

62 

124 

3.  TRAPPED  [9] 

? 

? 

? 

? 

399.5 

399.5 

799 

4.  DEORBIT  WAVE- 

?  [2] 

?  [2] 

?  [2] 

110 

110 

220 

OFF 

5.  Y  CG 

? 

?  [4] 

?  [4] 

TBD  IN 

REAL 

TIME 

6.  X  CG 

? 

?  [3] 

?  [3] 

7.  OMS  1 

? 

? 

8.  OMS  2 

? 

? 

9.  OMS  3,  ATO 

? 

10.  OMS  4,  ATO 

? 

11.  PYLD  SEP 

? 

? 

DEORBIT: 

12.  DEORBIT 

STEEP 

SHALLOW 

STEEP  [5] 

STEEP  [5] 

TARGET 

13.  DOWNMODE  [6] 

ONE 

NONE 

ONE 

ONE 

14.  TIG  SLIP 

ONLY  [7] 

ONLY  [7] 

ONLY  [7] 

1-RCS 

1-RCS 

1-RCS 

RESULT  IF  NOT 

ATO 

A0A 

105  CIRC 

DEORBIT 

PROTECTED 

PLS 

®[051 1 94-1 61 2A]  @[092701  -4850  ] 


[1]  OMS  1/2  EXECUTION. 

[2]  OMS  PORTION  OF  THE  DEORBIT  WAVE-OFF 
EXTENSION  DAY  MUST  BE  PROTECTED  IN  THE 
ARCS  IF  OMS  NOT  AVAILABLE. 

[3]  FORWARD  RCS  DUMP  MAY  BE  USED  TO  OPTIMIZE 
CG. 


[4]  SEE  RULE  {A6-353B},  CG  MANAGEMENT. 


[5]  SEE  RULE  {A2-1 08},  CONSUMABLES  MANAGEMENT, 
FOR  PROPELLANT  VS.  FLIGHT  ACTIVITY  TRADEOFF. 


[6]  ONE  DOWNMODE  IS  2-1  OR  1  -RCS. 

[7]  1  -RCS  TIG  SLIP  PROTECTED  ONLY  AFTER  OMS 
ENGINE  FAILURE 


[8]  OMS  DISPERSIONS  ARE  DEFINED  AS  THE  RSS  OF 
(A)  FLOW  RATE  AND  MR  ERROR,  AND  (B)  LOADING 
ERROR.  (REF.  RULE  {A6-301},  OMS  USABLE 
PROPELLANT.) 

[9]  TRAPPED  RESIDUALS  INCLUDE  LINE  AND  TANK 
TRAPPED. 

[10]  REF.  RULES  {A6-303},  OMS  REDLINES  [CIL]; 
{A6-304},  FORWARD  RCS  REDLINES;  AND  [A6- 
305},  AFT  RCS  REDLINES. 


NOTE:  CHECKMARKS  CANNOT  BE  “ADDED”  TO  COMPUTE  TOTAL  BUDGET  FOR  ANY  GIVEN  MISSION  MODE.  ?  =  ITEM 
MUST  BE  PROTECTED  TO  EXECUTE  STATED  MODE.  IF  IT  IS  NOT,  DOWNMODE  IS  IN  "RESULT”  ROW. 


@[051 1 94-1 61 2A]  @[092701  -4850  ] 


The  OMS  propellant  matrix  details  the  propellant  required  to  be  protected  in  order  to  fly  to  nominal, 
ATO,  or  AO  A  targets  as  well  as  the  daily  PLS  GO/NO-GO.  These  requirements  are  protected  by  the 
abort  maneuver  evaluator  (AME)  during  ascent  and  by  the  OMS  propellant  redlines  during  orbit.  The 
ground  rules  are  documented  in  Rule  {A6-352},  OMS  PROPELLANT  BUDGET  GROUND  RULES. 
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A6-352  QMS  PROPELLANT  BUDGET  GROUND  RULES 

A.  COMMITTING  TO  A  NOMINAL  ASCENT  WILL  BE  CONSERVATIVE  WITH 
REGARD  TO  OMS  PROPELLANT  EXPENDED.  DISPERSIONS  IN  OMS 
ENGINES  FOR  FLOW  RATE,  MIXTURE  RATIO,  OMS  TRAPPED,  ONE  ENGINE 
FAILURE,  AND  GAGING  ERROR  WILL  BE  ACCOMMODATED  WHILE 
MAINTAINING  NOMINAL  ENTRY  X  AND  Y  CG,  PAYLOAD  SEPARATION 
REQUIREMENTS,  AND  OMS  STEEP  DEORBIT  TARGETS,  WITH  PARTIAL 
PROPULSION  DOWNMODING  CAPABILITY  (2-1  OMS) . 

Ascent  to  nominal  targets  will  occur  only  if  propellant  is  available  for  the  above  items.  For  cases  where 
insufficient  propellant  exists  to  continue  to  nominal  targets,  ATO/AOA  capability  will  be  evaluated. 
Because  an  ATO  orbit  can  be  reevaluated  and  subsequently  raised  to  an  orbit  on  a  future  revolution 
depending  upon  the  OMS  propellant  available,  the  requirements  are  conservative  towards  the  nominal 
targets. 

B.  ALL  OMS  PROPELLANT  WILL  BE  USED  TO  AVOID  AN  AOA  EXCEPT 
THE  PROPELLANT  BUDGETED  FOR  OMS  SHALLOW  TARGETS  (INCLUDES 
90  DEGREES  PREBANK),  OMS  TRAPPED,  DISPERSIONS,  AND  OMS 
ENGINE  FAIL. 

Since  an  AOA  is  not  desirable  due  to  increased  trajectory  dispersion  sensitivity,  high  crew  work  load, 
and  assured  loss  of  mission,  an  AOA  will  be  avoided  if  at  all  possible.  In  order  to  avoid  an  AOA,  more 
OMS  propellant  is  committed  to  achieve  an  ATO.  OMS  shallow  deorbit,  OMS  dispersions,  and  OMS 
engine  fail  will  be  protected  in  the  AME.  Since  aft  RCS  to  RCS  PRESS  QTY  is  committed  to  achieve  an 
AOA  or  ATO,  during  propellant  critical  situations  it  is  expected  that  OMS  depletion  will  occur  during 
the  deorbit  burn  and  four  +X  RCS  will  be  used  to  complete  the  burn.  As  a  result,  OMS  engine  fail 
propellant  must  be  protected  to  protect  this  sequential  shutdown  during  the  deorbit  burn.  If  propellant  is 
not  available  to  protect  the  above  items,  an  AOA  will  be  selected  by  the  AME. 

C.  OMS  TANK  FAILURE  PROTECTION  IS  NOT  REQUIRED  TO  CONTINUE  THE 
NOMINAL  ASCENT,  TO  CONTINUE  PAST  THE  FIRST  DAY  PLS  OR  WHEN 
RAISING  AN  ATO  ORBIT.  OTHERWISE,  ALL  THE  PROPELLANT 
CONSERVATISM  INVOLVED  IN  COMMITTING  TO  THE  NOMINAL  ORBIT  WILL 
BE  OBSERVED  PLUS  CG  MANAGEMENT  AT  El /MACH  3.5,  WHILE 
MAINTAINING  OMS  STEEP  DEORBIT  TARGETS  WITH  PARTIAL  PROPULSION 
DOWNMODING  CAPABILITY  (2-1  OMS) . 

Decision  was  made  to  delete  the  tank  fail  requirement  because  of  the  low  probability  of  occurrence  and 
because  the  large  tank  fail  redline  did  not  provide  sufficient  propellant  margins  for  on-orbit  activities. 

Although  tank  fail  redlines  can  be  protected  during  the  early  part  of  a  flight,  there  is  not  sufficient 
propellant  during  the  latter  part.  The  Flight  Director  will  be  advised  of  the  tank  fail  status  but  there  has 
been  no  requirement  to  protect  a  tank  failure  since  STS-3. 
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A6-352  QMS  PROPELLANT  BUDGET  GROUND  RULES  (CONTINUED) 

In  the  event  of  an  OMS  tank  leak,  a  perigee  adjust  burn  will  be  performed  ASAP  to  make  use  of  the 
leaking  propellant. 

D.  OMS  PROPELLANT  PREVIOUSLY  ALLOCATED  FOR  A  DEORBIT  WAVEOFF 
EXTENSION  DAY  MAY  BE  COMMITTED  TO  SUPPORT  THE  DEORBIT  BURN. 
®[051 194-1 61 2A] 

The  probability  of  a  failure  occurring  that  requires  the  deorbit  burn  to  be  terminated  above  safe  Hp  is 
low.  The  failures  identified  are  redundant  set  fail,  GPC  splits,  two  mean  buses,  IMU  dilemma,  and  an 
OMS  propellant  tank  fail.  Because  of  this  low  probability,  the  propellant  allocated  for  the  deorbit 
wave-off  extension  day  may  be  used  in  calculating  deorbit  burn  targets.  If  the  deorbit  burn  should  be 
terminated  above  the  safe  Hp,  the  deorbit  wave-off  extension  day  propellan  t  requiremen  ts  could  be 
obtained  from  the  margins  in  the  ARCS  (if  any  margins  are  available )  or  by  using  OMS  propellant 
below  the  5  percent  remaining  (Rule  {A6-356},  DEORBIT  PLANNING  CRITERIA )  to  the  redlined  OMS 
trapped/dispersion  value.  If  the  deorbit  waveoff  extension  day  capability  cannot  be  obtained  from  these 
sources,  the  propellant  allocated  for  the  deorbit  burn  must  be  used  to  provide  the  deorbit  waveoff 
extension  day  capability  (results  in  shallow  deorbit  targets).  ®[051194-1612A] 

E.  NOMINALLY,  OMS  AND  RCS  PROPELLANT  WILL  BE  BUDGETED  FOR  A 
DEORBIT  WAVE-OFF  EXTENSION  DAY.  IF  OMS  PROPELLANT  IS  NOT 
AVAILABLE,  AFT  RCS  PROPELLANT  WILL  BE  BUDGETED  FOR  THE 
DEORBIT  WAVE-OFF  EXTENSION  DAY.  ®[051 194-1 61 2A] 

The  OMS  will  be  in  terconnected  to  the  RCS  jets  to  provide  the  extension  day  using  tail-on  ly  ALT  con  trol 
and  deorbit  preparation  using  nose-tail  control.  RCS  is  budgeted  for  wave-off,  until  interconnect  is 
established,  and  entry  preparation  (TIG  -  30  minutes).  ®[051 194-1 61 2A] 

Rule  {A6-351},  OMS  PROPELLANT  MANAGEMENT  MATRIX,  references  this  rule. 
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A6-353  CG  MANAGEMENT 

A.  OMS  BALLAST  FOR  X  CG  MANAGEMENT  IS  NOT  REQUIRED  TO  CONTINUE 

PAST  THE  FIRST  DAY  PLS  IF  FORWARD  RCS  PROPELLANT  IS  AVAILABLE 
TO  DUMP  POST-DEORBIT  BURN. 


The  CG  can  be  moved  aft  by  two  methods:  (1)  allocating  OMS  propellant  for  CG  management  versus 
delta  V  ( “liquid  ballast”),  or  (2)  performing  an  FRCS  dump  after  the  deorbit  burn.  Either  method  can 
improve  the  CGfor  entry  aerodynamics  but  the  latter  is  preferred  because  it  does  not  require  additional 
propellant  to  be  saved  to  EOM. 

B.  OMS  PROPELLANT  WILL  BE  MANAGED  IN  AN  ATTEMPT  TO  ACHIEVE  A 
ZERO  Y  CG  OFFSET.  CHANGES  IN  THE  NOMINAL  INTERCONNECT 
SCHEDULE  MAY  BE  MADE  IN  ORDER  TO  IMPROVE  THE  Y  CG  PRIOR  TO 
DEORBIT. 


The  OMS  propellant  will  be  budgeted  such  that  the  left  and  right  pod  imbalance  will  achieve  the  desired 
Y  CG.  This  may  be  achieved  by  feeding  from  either  OMS  system  during  on-orbit  RCS  activities  or 
during  OMS  burns. 

The  left  and  right  pod  interconnect  schedule  will  be  modified  to  achieve  the  desired  imbalance  for  CG 
management. 

C.  THE  PROJECTION  OF  PROPELLANT  USAGE  RESULTING  IN  VIOLATION  OF 
THE  CG  ENVELOPE  (REF.  RULE  {A4-153},  CG  PLANNING)  AT  THE  NEXT 
PLS  WILL  BE  CAUSE  FOR  ENTRY  AT  THE  NEXT  PLS  OPPORTUNITY. 

If  propellant  usage  cannot  be  budgeted  to  assure  a  satisfactory  CG  at  the  next  PLS,  entry  will  be 
performed  at  the  next  PLS  prior  to  violating  the  CG  envelope. 

Rule  (A6-351),  OMS  PROPELLANT  MANAGEMENT  MATRIX,  references  this  rule. 
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A6-354  RCS  ENTRY  RED LINE  PROTECTION 

THE  OMS/RCS  INTERCONNECT  WILL  BE  USED  TO  PROTECT  THE  RCS  ENTRY 
REDLINES  EVEN  AT  THE  EXPENSE  OF  STEEP  DEORBIT  PROTECTION. 

OMS  tank  fail  protection  is  not  required  to  continue  to  the  nominal  end  of  mission.  However,  if  tank  fail 
protection  is  available,  it  will  be  traded  off  to  protect  the  RCS  en  try  redlines. 

The  OMS  propellant  is  not  available  to  feed  the  RCS  jets  during  entry  due  to  tank  feed  limitations 
(location  of  propellant).  The  RCS  can  be  used  to  supply  deorbit  delta  V  and  entry  attitude  control. 

Therefore,  the  OMS  is  used  on-orbit  in  an  OMS/RCS  interconnect  mode  to  protect  RCS  redlines 
realizing  that  the  RCS  can  be  used  to  supplement  the  deorbit  delta  V  required.  The  deorbit  targets  are 
shallowed  to  45  deg  prebank  to  achieve  the  priority  mission  or  to  90  deg  prebank  to  protect  the  RCS 
entry  requirements.  This  can  be  seen  in  the  Propellant  Consumables  Management  Table  (ref.  Rule 
{. A2-108 },  CONSUMABLES  MANAGEMENT). 

Rule  {A6-304C},  FORWARD  RCS  REDLINES,  references  this  rule. 

A6-355  OMS  PROPELLANT  DEFICIENCY  FOR  DEORBIT 

IF  INSUFFICIENT  PROPELLANT  EXISTS  IN  THE  OMS  TO  MEET  THE  REQUIRED 
DEORBIT  TARGETS,  IT  IS  ACCEPTABLE  TO  REDLINE  PROPELLANT  IN  THE 
RCS  TO  PERFORM  A  TWO-STAGE  DEORBIT  TO  THE  REQUIRED  TARGETS  ONLY 
IF  THERE  IS  FAIL-SAFE  JET  REDUNDANCY  FOR  TRANSLATION  IN  THE 
AFFECTED  RCS. 

Additional  propellant  can  be  redlined  in  the  RCS  in  the  event  of  an  OMS/RCS  problem  ( i.  e. ,  isolatable 
propellant  or  helium  leak  or  high  usage)  resulting  in  insufficient  OMS  propellant  to  achieve  the  steep  deorbit 
targets.  Rather  than  performing  a  single  stage  burn  such  that  the  crew  must  downmode  to  RCS  in  a  time- 
critical  period,  a  two-stage  deorbit  is  preferred.  This  provides  steep  deorbit  capability  while  maintaining  at 
least  four  revs  between  burns  for  guidance  and  crew  planning.  However,  this  is  acceptable  only  if  fail-safe 
redundancy  exists  in  the  RCS  jets  which  means  4+X  or  3-X  jets  are  required  prior  to  the  first  stage  of  the 
deorbit.  If  a  two-stage  deorbit  is  required,  RCS  propellan  t  will  be  redlined  to  protect  2  +  X  for  the  RCS 
perigee  adjust.  This  provides  downmode  capability  from  4+X  to  2  +X  to  protect  for  a  +X  jet  failure  during 
the  burn.  2  +X  is  protected  since  this  capability  is  cheaper  than  3  +X.  (Ref.  Rule  { A2-108 },  CONSUMABLES 
MANAGEMENT,  for  propellant  trade-offs.) 

Rules  (A2-201B}.4,  DEORBIT  GUIDELINES;  and  {A6-303CJ,  OMS  REDLINES  [CIL];,  reference  this 
rule. 
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A6-356  DEORBIT  PLANNING  CRITERIA 

FOR  DEORBIT  PLANNING  PURPOSES,  OMS  PROPELLANT  CAN  BE  USED  TO 
SUPPORT  RCS  DOWNMODE  CAPABILITY  AND/OR  PROTECT  VEHICLE  CG/LANDING 
WEIGHT  CONSTRAINTS  PROVIDED  THAT  THE  OMS  REMAINING  POST-DEORBIT 
BURN  (NO  FAILURES)  IS  GREATER  THAN  5  PERCENT  PER  POD. 

RCS  downmode  protection  is  not  required  as  long  as  two  OMS  engines  are  available.  If  OMS  propellant 
margin  is  available  to  support  RCS  downmode,  deorbit  planning  will  protect  RCS  downmode  capability 
subject  to  the  constraints  identified  in  this  rule.  To  provide  for  TIG  SLIP,  RCS  downmode  capabilities 
and  to  protect  vehicle  CG  and  downweight  constraints,  additional  OMS  propellant  (above  the  OMS 
deorbit  optimal  requirements)  may  be  required.  Backing  up  TIG  requires  additional  delta  V  to  satisfy 
deorbit  targets.  The  5  percent  propellant  remaining  constraint  in  each  OMS  tank  (403  lb  oxidizer,  245 
lb  fuel)  provides  optimum  delta  V  capability  while  protecting  the  worst  case  OMS  dispersions  which 
could  occur  in  either  the  straight  feed  or  crossfeed  OMS  burn  configurations.  The  5  percent  remaining 
constraint  also  prevents  inadvertent  engine  depletion.  Engine  depletion  during  zero  gravity  (either 
oxidizer  or  fuel)  is  undesirable  during  nominal  deorbit  conditions  because  it  may  result  in  damage  to  the 
OMS  engines.  This  damage  to  the  OMS  engine  is  contained  damage  and  will  not  damage  the  orbiter. 

OMS  engine  replacement  will  be  required. 

Rules  (A4-153CJ.3,  CG  PLANNING;  and  {A6-352J,  OMS  PROPELLANT  BUDGET  GROUND  RULES, 
reference  this  rule. 


A6-357  FORWARD  RCS  CONTINGENCY  PROPELLANT  AVAILABLE 

DURING  CONTINGENCY  OPERATION  INCLUDING  OMS  ENGINE  FAILURE,  OMS 
TANK  FAILURE  AND  RENDEZVOUS  BREAKOUT  MANEUVER,  THE  FRCS  MAY  BE 
USED  TO  1.5  PERCENT  BELOW  THE  ONBOARD  GAGE  READING  OF  ZERO 
PERCENT. 

SODB  paragraph  4. 3. 2. 3  (III)  (CAUTION :  SODB,  volume  III,  contains  engineering  estimates  for  non- 
nominal  performance  evaluation.  Data  may  not  be  supported  by  test.)  indicates  that  a  gauge  reading  of 
1.5  percen  t  below  zero  assures  gas  free  propellant  (no  helium  ingestion)  flow  to  thrusters  with 
reasonable  risk.  This  assumes  a  factor  of  safety  of  1.0  on  tank  expulsion  performance  and  actual  worst 
case  gauging  error  (based  on  WSTF  test  data).  Rule  { A6-7j ,  RCS  PROPELLANT  TANK  (OXIDIZER  OR 
FUEL),  references  this  rule. 
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A6-358  VIOLATION  OF  MISSION  COMPLETION  REDLINES  MATRIX 


MISSION 
COMPLETION 
REDLINE  VIOLATED 

ACTION 

LEFT  OR  RIGHT  OMS 

1 .  PERFORM  FLIGHT  PLAN  INTERCONNECTED  FROM  GOOD  OMS  TO  THE 
TOTAL  OMS  MISSION  COMPLETION  REDLINE. 

2.  PERFORM  RCS  FLIGHT  PLAN  ACTIVITIES  NORMALLY  SCHEDULED  FOR 
INTERCONNECT  WITH  RCS  PROPELLANTS  IF  AVAILABLE  ABOVE  THE 
MISSION  COMPLETION  REDLINE. 

3.  DELETE  FLIGHT  PLAN  ACTIVITIES  AS  DEFINED  IN  RULE  {A6-359},  RCS 
PROPELLANT  CONSERVATION  PRIORITIES. 

LEFT  OR  RIGHT  AFT  RCS 

1 .  INTERCONNECT  TO  OMS  MISSION  COMPLETION  REDLINE. 

2.  CROSSFEED  FROM  OTHER  RCS  UNTIL  TOTAL  RCS  (LEFT  AND  RIGHT) 
MISSION  COMPLETION  REDLINE. 

3.  DELETE  FLIGHT  PLAN  ACTIVITIES  AS  DEFINED  IN  RULE  {A6-359},  RCS 
PROPELLANT  CONSERVATION  PRIORITIES. 

FORWARD  RCS 

1 .  DECREASE  FRCS  SUPPLEMENT  TO  OMS/RCS  DEORBIT  REDLINE  IF 
PROPELLANT  AVAILABLE  ABOVE  OMS/RCS  MISSION  COMPLETION 
REDLINE. 

2.  DELETE  FLIGHT  PLAN  ACTIVITIES  AS  DEFINED  IN  RULE  {A6-359},  RCS 
PROPELLANT  CONSERVATION  PRIORITIES. 

The  table  describes  what  action  can  be  taken  when  the  mission  completion  redline  (MCR)  has  been  violated. 
These  actions  attempt  to  regain  propellant  margins  required  to  con  tinue  to  the  nominal  end  of  mission. 

LEFT  OR  RIGHT  OMS  MCR: 

The  first  action  to  maintain  positive  propellant  margins  would  be  to  crossfeed  to  the  OMS  pod  with 
margin  to  protect  the  total  OMS  MCR  (left  and  right) 

The  second  is  to  cancel  planned  interconnects.  This  requires  the  interconnect  propellant  to  be  budgeted  in 
the  RCS,  increasing  the  RCS  MCR  and  reducing  the  OMS  MCR.  Again  the  total  OMS  MCR  is  protected. 

The  third  action  to  take  is  to  minimize  RCS  usage  as  described  in  Rule  (A6-359},  RCS  PROPELLANT 
CONSERVATION  PRIORITIES. 

LEFT  OR  RIGHT  AFT  RCS  MCR: 

The  first  action  required  to  lower  the  RCS  MCR  can  be  to  interconnect  to  an  OMS  pod  with  margin 
above  the  MCR.  Secondly,  if  one  pod  has  more  propellan  t  than  the  other  the  lower  RCS  pod  can  be  fed 
from  the  higher  RCS  pod.  This  protects  the  total  ( left  and  right)  MCR.  Thirdly,  the  mission  extension 
propellant  budget  can  be  reduced  according  to  Rule  (A2-108},  CONSUMABLES  MANAGEMENT. 

Fourthly,  implement  minimized  techniques  in  Rule  {A6-359},  RCS  PROPELLANT  CONSERVATION 
PRIORITIES,  and  if  needed  delete  flight  plan  activities  according  to  the  Propellant  Usage  versus  Flight 
Activity  table. 
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A6-358  VIOLATION  OF  MISSION  COMPLETION  REDLINES  MATRIX 

(CONTINUED) 

FORWARD  RCS  MCR: 

The  first  action  when  the  forward  RCS  MCR  has  been  violated  will  be  to  reduce  the  supplemen  t  to  the 
OMS/RCS  deorbit  redline.  The  OMS  supplement  was  used  for  tank  fail  protection  in  earlier  flights  ( tank 
fail  requirements  have  since  been  eliminated )  and  is  now  used  only  after  failures  dictate.  During  an  RCS 
deorbit,  selecting  tail-only  control  during  the  4  +X  deorbit  eliminates  the  need  for  forward  RCS 
propellant  thus  reduces  the  FRCS  deorbit  redline  while  increasing  the  OMS/RCS  deorbit  redline  due  to 
the  lower  ISP  associated  with  the  4  +X  deorbit.  The  second  action  will  be  to  minimize  RCS  usage  as 
defined  in  Rule  {A6-359},  RCS  PROPELLANT  CONSERVATION  PRIORITIES. 

Rules  (A6-61J,  RCS  MANIFOLD/OMS  CROSSFEED  LINE  REPRESSURIZATION  [CIL];  and 
{A6-303D},  OMS  REDLINES  [CIL];  reference  this  rule. 
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A6-359  RCS  PROPELLANT  CONSERVATION  PRIORITIES 

RCS  minimization  techniques  will  be  utilized  after  redline  margins  have  been  exhausted  in  each  of  the 
five  OMS/RCS  systems  (FRCS,  LRCS,  RRCS,  LOMS,  ROMS).  Redlines  are  protected  by  redlining 
additional  propellant  in  the  remaining  tanks  if  margins  exist. 

A.  UTILIZE  NOSE-ONLY/TAIL-ONLY  CONTROL  MODES. 

If  margins  exist  in  either  the  forward  or  aft  tanks,  attitude  control  can  be  performed  using  either  the 
nose-only  or  tail-only  control  technique.  This  reduces  propellant  usage  in  either  the  aft  or  forward  RCS 
to  protect  the  deorbit  redline.  Nose-only  control  mode  requires  aft  RCS  for  roll  control. 

B.  VERNIER  OR  PRIMARY  CONTROL  WIDE  DEADBANDS. 

Widening  deadbands  during  periods  of  attitude  hold  will  reduce  total  propellant  consumption.  Care 
must  be  taken  not  to  impact  specific  mission  objectives  requiring  tight  deadbands. 

C.  DELETE  MISSION  ACTIVITIES  AS  REQUIRED  (REF.  FLIGHT  RULE  ANNEX 
FOR  PRIORITIES) . 

If  further  propellant  consumption  is  required,  DTO’s  will  be  deleted  from  the  Flight  Plan  starting  with 
the  lowest  priority  defined  in  the  Flight  Rule  Annex. 

D.  GRAVITY  GRADIENT/FREE  DRIFT  DURING  CREW  AWAKE  PERIODS. 

In  an  attempt  to  remain  on  orbit  for  the  priority  flight,  gravity  gradient  or  free  drift  will  be  selected 
during  crew  awake  periods. 

E.  MINIMIZE  ENTRY  PREPARATION. 

Entry  preparation  is  a  relatively  high  usage  phase  4  hours  prior  to  deorbit.  Releasing  pre-entry 
checkout  requiremen  ts  would  be  the  last  resort  to  protect  propellan  t  for  the  entry  or  deorbit  phase. 

Rule  {A6-358},  VIOLATION  OF  MISSION  COMPLETION  REDLINES  MATRIX,  references  this  rule. 

A6-360  THROUGH  A6-400  RULES  ARE  RESERVED 
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OMS/RCS  GO/NO-GO  CRITERIA 


A6-1001  OMS/RCS  GO/NO-GO  CRITERIA  [CIL] 


FAILURE 

CONTINUE 
NOMINAL 
ASCENT  IF: 

INVOKE  MDF 
IF: 

ENTER  NEXT 
PLS  IF: 

A.  OMS 

....1.  HE  TANK  (2) . [4]  [1] 

2.  PROP  TANK  (4) . 

3.  N2  TANK  (2) . 

4.  ENGINE  (2) . 

5.  CRITICAL  OMS  POD  HEATERS 

6.  OMS  INLET  LINE . 

B.  RCS 

1.  HE  AND  PROP  TANK . 

a.  FWD  (FU&  OX  TANKS) . 

b.  AFT  (FU  &  OX  TANKS,  1  POD)  (2) 

2.  RCS  MANIFOLD . 

a.  FWD  (PRIMARY) . 

b.  AFT  PRIMARY  (4) . 

3.  +X  JETS  (PRIMARY) . 

C.  CROSSFEED 

OMS/RCS  CROSSFEED . 

2  FLOW  PATHS  (2) . 

o  ? 

o  ? 

1  ? 

i  ? 

i  ? 

2  ?  [61 

[5] 

[5] 

0  ? 

1  ? 

[2]  [3] 

[2]  [3] 

2  ? 

1  ? 

[3] 

[3] 

[3] 

2  ? 

[6] 

_ 

2  ? 

LEGEND: 

NO  REQUIREMENT 


REQUIRED 

(  )  QUANTITY 

[  ]  NOTE  REFERENCE 

NOTES: 

[1]  FOR  LOSS  OF  HE  TK,  USE  ENGINE  IN  BLOWDOWN  UNTIL  PC  =  68  (72  PERCENT). 

[2]  FWD  RCS  NOT  REQUIRED  IF  AFT  POD  HAS  FULL  CAPABILITY  FOR  RCS  DEORBIT. 

[3]  MAINTAIN  CG  CONTROL  WITH  AFT  PODS. 

[4]  OMS  HE  TANKS  NOT  REQUIRED  IF  BLOWDOWN  GREATER  THAN  TANK  FAIL  LIMIT. 

[5]  ENTRY  REQUIRED  PRIOR  TO  PREDICTED  VIOLATION  OF  THERMAL  LIMITS. 

[6]  LOSS  OF  1  OMS  ENGINE  AND  1  +X  PRCS  JET  OR  1  OMS  ENGINE  AND  LESS  THAN  RCS  STEEP  CAPABILITY  IS 
CAUSE  FOR  A  NEXT  PLS  ENTRY  [CIL], 

[7]  ONLY  IF  PROCEDURAL  WORKAROUNDS  ARE  NOT  AVAILABLE  TO  PROTECT  THE  REMAINING  FLOW  PATHS  [CIL], 

THIS  RULE  CONTINUED  ON  NEXT  PAGE 
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A6-1001  OMS/RCS  GO/NO-GO  CRITERIA  [CIL]  (CONTINUED) 

Rule  {A8-1001},  GNC  GO/NO-GO  CRITERIA,  references  this  rule. 

The  rationale  for  this  matrix  is  explained  in  three  categories  as  follows: 

a.  Continue  nominal  ascent  if: 

b.  Invoke  MDF  if: 

c.  Enter  next  PLS  if: 

CONTINUE  NOMINAL  ASCENT  IF: 

•  1  OMS  ENGINE  LOST: 

Nominal  ascent  can  be  continued  with  the  remaining  engine;  there  has  been  no  loss  of 
delta  V  capability. 

•  I  OMS  N2  TANK  LOST: 

Nominal  ascen  t  can  be  continued  on  the  remaining  engine;  there  has  been  no  loss  of  delta 
V  capability. 

•  2  AFT  RCS  He  OR  PROP  TANK  LEAK: 

Leaves  only  the  good  system  for  entry  control  and  ET  separation;  loss  of  the  good  system 
means  no  control  during  early  entry. 

INVOKE  MDF  IF: 

•  1  OMS/RCS  FLOW  PATH  (XFD )  LOST: 

An  MDF  is  required  only  if  procedural  workarounds  are  not  available  to  guarantee  the 
remaining  flow  path  ( i.  e. ,  open  the  remaining  crossfeed  valve  to  guarantee  crossfeed 
capability ).  If  no  workaround  is  available,  then  single  fault  tolerance  remains  to  protect 
against  engine/RCS  propellant  failures  that  require  crossfeed. 

THIS  RULE  CONTINUED  ON  NEXT  PAGE 
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A6-1001  OMS/RCS  GO/NO-GO  CRITERIA  [CIL]  (CONTINUED) 

ENTER  NEXT  PLS  IF: 

•  2  OMS  ENGINES  LOST: 

Only  deorbit  method  is  RCS,  next  failure  means  loss  of  deorbit  capability  (fail  critical  for 
deorbit ). 

•  1  OMS  PROP  TANK  LEAK: 

OMS  tank  failure  no  longer  covered  through  end  of  mission.  Failure  means  loss  of  deorbit 
capability  (fail  critical  for  deorbit). 

Propellant  budgeting  for  any  flight  is  such  that  the  loss  of  cm  OMS  propellant  tank  early  inflight  (post- 
OMS-2)  may  not  leave  sufficient  propellant  between  the  good  OMS,  FRCS,  and  ARCS  (above  the  entry 
redline)  to  achieve  the  shallow  target  line  deorbit.  Similarly,  for  the  loss  of  both  OMS  engines  plus  one 
or  more  +X  jets,  there  may  be  enough  propellant  to  achieve  the  steep  deorbit  targets. 

•  1  OMS  INLET  LINE  LEAK: 

Due  to  high  pressure  surges  during  repress  of  the  OMS  inlet  line,  it  may  not  be  possible  to 
use  the  propellant  for  deorbit.  In  this  case,  the  inlet  line  leak  will  be  treated  as  cm  OMS 
propellant  tank  fail.  The  only  guaranteed  deorbit  method  is  the  good  OMS  engine 
supplemented  by  the  FRCS  and  aft  RCS. 

•  1  AFT  RCS  He  OR  PROP  TANK  LEAK: 

Leaves  only  the  good  system  for  entry  control;  loss  of  the  good  system  means  no  control 
during  early  entry  (fail  critical  for  entry  con  trol). 

•  2  AFT  RCS  MANIFOLD  LOST  -  SAME  SIDE: 

Next  RCS  jet  lost  could  result  in  no  control  for  entry/no  RCS  downmode  for  deorbit  (fail 
critical  for  entry  control/fail  safe  for  deorbit  since  propellant  not  available  for  2  +X 
deorbit). 

•  2  OMS/RCS  FLOW  PATH  (XFD )  LOST: 

Failure  of  OMS  engine  is  same  as  OMS  tank  failure  which  is  loss  of  deorbit  capability  (fail 
critical  for  deorbit ). 

Failure  of  RCS  prop  tank  or  He  tank  is  loss  of  RCS  jets  on  same  side,  which  is  no  con  trol 
for  entry  (fail  critical  for  entry). 

THIS  RULE  CONTINUED  ON  NEXT  PAGE 
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A6-1001  OMS/RCS  GO/NO-GO  CRITERIA  [CIL]  (CONTINUED) 


I  OMS  ENGINE  AND  1  IX  RCS  JET  LOST: 

Only  the  remaining  OMS  engine  and  three  IX  jets  are  available  to  provide  deorbit 
capability.  Flight  rules  define  four  IX  jets  to  steep  targets  as  the  only  acceptable  RCS 
deorbit  method.  Three  IX  jets  can  provide  a  deorbit  capability  if  sufficien  t  propellan  t  is 
available.  Because  flight  rules  do  not  recognize  three  -X  jets  as  a  deorbit  option;  loss  of 
one  +X  jet  and  one  OMS  engine  require  a  deorbit  at  the  next  PLS,  because  only  one 
deorbit  method  remains  (fail  critical). 

1  OMS  ENGINE  AND  <  RCS  STEEP  DEORBIT  PROPELLANT  REQUIREMENTS: 

RCS  steep  propellant  is  redlined  for  the  loss  of  one  OMS  engine  per  Rule  {A6-303},  OMS 
REDLINES  [  CIL].  Unavailability  of  the  propellant  necessary  for  an  RCS  steep  deorbit  in 
conjunction  with  the  loss  of  one  OMS  engine  leaves  only  one  safe  deorbit  method  and 
results  in  a  next  PLS  deorbit  ( loss  of  deorbit  redundancy).  RCS  shallow  targets  may  be 
acceptable  on  a  flight-specific  basis  if  defined  in  the  Flight  Rule  Annex  Priority  Table. 

2  OMS/RCS  FLOW  PATH  ( CROSS  FEED)  LOST: 

Failure  of  OMS  engine  is  same  as  OMS  tank  failure  which  is  loss  of  deorbit  capability  (fail 
critical  for  deorbit).  Failure  of  RCS  propellan  t  tank  or  He  tank  is  loss  of  RCS  jets  on 
same  side,  which  is  no  control  for  entry  (fail  critical  for  entry). 
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SECTION  7  -  DATA  SYSTEMS 

GPC  &  DATA  PATH  MANAGEMENT 

A7-1  PASS  DPS  FAILURE . 7-1 

A7-2  UNRECOVERABLE  GPC . 7-4 

A7-3  GPC  FAILURE . 7-5 

A7-4  TRANSIENT  GPC . 7-6 

A7-5  PASS  GPC  BCE  FAILURE  MANAGEMENT . 7-7 

A7- 6  DATA  PATH  FAILURE . 7-9 

A7-7  POWERED  OFF  GPC  ACTION  ( 1 0 IS ) . 7-10 

A7-8  REDUNDANT  SET  FAILURE . 7-10 

A7- 9  REDUNDANT  SET  SPLIT . 7-11 

A7-10  GNC  GPC  REACTIVATION  PRIORITY . 7-13 

A7-11  GNC  GPC  REDUNDANCY  REQUIREMENTS . 7-14 

A7-12  PASS/BFS  REDUNDANCY . 7-14 

A7-13  GPC  MAJOR  FUNCTION  CONFIGURATION . 7-15 

A7-14  GNC  3  ARCHIVE  MANAGEMENT . 7-19 

A7-15  SM  OPS  4  TRANSITION  REQUIREMENTS . 7-20 

A7-16  GPC  MEMORY  WRITE  CRITERIA  [CIL] . 7-21 

A7-17  GPC  MEMORY  DUMP  CRITERIA . 7-24 

A7-18  THROUGH  A7-50  RULES  ARE  RESERVED . 7-24 

BFS  SYSTEMS  MANAGEMENT 

A7-51  BFS  DPS  FAILURE . 7-25 

A7-52  ASCENT/ENTRY  BFS  MANAGEMENT  GUIDELINES . 7-28 

A7-53  ON-ORBIT  BFS  MANAGEMENT  GUIDELINES . 7-30 
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SECTION  7  -  DATA  SYSTEMS 


GPC  &  DATA  PATH  MANAGEMENT 


A7-1  PASS  DPS  FAILURE 

PASS  DPS  FAILURES  ARE  DECLARED  BY  THE  FOLLOWING  GUIDELINES  USING 
ONBOARD  AND  GROUND  MONITORING: 

A.  REDUNDANT  SET  (RS)  FAILURE  -  DURING  ASCENT  OR  ENTRY,  AN  RS 
FAILURE  IS  DEFINED  AS  FOLLOWS: 

1.  ALL  PASS  GPC'S  QUIT  OR  HALT  (POSSIBLE  ANNUNCIATION  OF 
THREE  OR  FOUR  COMPUTER  ANNUNCIATION  MATRIX  (CAM) 
DIAGONALS) . 


A  QUIT  or  HALT  state  means  that  no  software  is  being  executed. 

2.  RS  BREAKUP  TO  ALL  SIMPLEX  (THREE  OR  FOUR  DIAGONALS). 

An  RS  breakup  can  be  induced  by  a  GPC  software  or  hardware  problem.  When  an  RS  breakup  occurs, 
each  simplex  GPC  uses  only  the  response  data  from  its  assigned  string;  it  no  longer  incorporates 
response  data  from  LRU’s/BTU’s  controlled  by  the  other  GPC’s.  The  PASS  set  is  no  longer  operating  on 
the  same  information  and  individual  GPC’s  may  send  conflicting  commands  to  subsystems. 

B.  AN  RS  SPLIT  IS  DEFINED  AS  FOLLOWS: 

1.  DURING  ASCENT  OR  ENTRY,  THE  ORIGINAL  SET  OF  FOUR  PASS 
GPC'S  SPLIT  INTO  TWO  SETS  OF  TWO  GPC'S  (CALLED  A  TWO-ON- 
TWO)  WITH  EACH  SET  OF  GPC'S  VOTING  AGAINST  THE  OTHER,  OR 
TWO  GPC'S  EACH  SPLIT  FROM  THE  REMAINING  SET  OF  TWO 
GPC'S,  RESULTING  IN  A  2-1-1  SPLIT. 

A  GPC  software  or  hardware  failure  can  induce  an  RS  split.  With  this  type  of  failure,  each  set  of  two 
GPC’s  continues  to  process  as  if  that  set  were  the  only  one  running.  Although  information  is  no  longer 
exchanged  between  the  two  sets,  both  GPC’s  within  each  set  maintain  coordination.  Unlike  the 
redundant  set  breakup  to  all  simplex,  incorporation  of  flight-critical  MDM  response  data  is  maintained 
within  each  set.  In  this  configuration,  the  sets  may  send  conflicting  commands  to  subsystems. 
Additionally,  it  is  possible  for  two  GPC’s  to  each  split  from  the  remaining  redundant  set  of  two  GPC’s. 
The  result  is  three  separate  groups  of  GPC’s  that  may  each  be  issuing  commands  to  subsystems  that 
could  be  conflicting. 

2.  ON  ORBIT,  WHEN  RS  GNC  GPC'S  DO  NOT  MAINTAIN  RS  SYNC  BUT 
DO  MAINTAIN  COMMON  SET  (CS)  SYNC  WITH  EACH  OTHER. 
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A7-1  PASS  DPS  FAILURE  (CONTINUED) 

A  GPC  software  or  hardware  problem  can  induce  an  RS  split.  With  this  type  of  failure,  the  GNC  GPC 
uses  only  response  data  from  its  assigned  strings;  it  no  longer  incorporates  response  data  from 
LRU's/BTU’s  controlled  by  the  other  GNC  GPC.  The  GNC  GPC’s  do  maintain  common  set  coordination 
with  each  other  and  other  GPC(s)  in  the  common  set.  In  this  configuration,  the  sets  may  send  conflicting 
commands  to  subsystems. 

C.  A  GPC  FAILURE  IS  DEFINED  AS  FOLLOWS: 

1.  A  GPC  FAILS  OUT  OF  CS  OPERATIONS  OR  ANNUNCIATES  MULTIPLE 
"GPC  BITE"  FAULT  MESSAGES. 

GPC  BITE  fault  messages  indicate  GPC  software  or  hardware  problems  exist.  A  GPC  BITE  fault 
message  annunciated  multiple  times  by  a  single  GPC  implies  that  the  GPC  has  ceased  running  a  software 
module  for  multiple  cycles.  This  cessation  is  considered  an  abnormal  early  termination  of  software 
capability  and  the  GPC  is  considered  failed.  However,  a  GPC  which  only  experiences  a  single  GPC 
BITE  and  still  maintains  common  set  synchronization  implies  that  no  critical  processes  have  been 
affected  by  the  one-time  early  termination  and  that  no  immediate  action  is  required. 

2.  A  SINGLE  GPC  ANNUNCIATES  A  "SUMWORD  ICC  X"  FAULT  MESSAGE 
WHILE  OPERATING  IN  THE  CS  WITH  OTHER  GPC' S  IN  MM  105,  MM 
106,  OPS  2,  MM  301,  MM  302,  OR  MM  303. 

A  SUMWORD  ICC  X  fault  message  notifies  the  crew  of  data  miscompares  between  the  CS  GPC’s  on 
specific  parameters  being  passed  via  ICC  buses.  To  avoid  possible  use  of  incorrect  GPC  data  that  may 
cause  subsequent  OPS  transition  failures,  this  single  GPC  is  treated  as  failed. 

3.  DURING  ASCENT  (MM  102  TO  MM  104)  OR  ENTRY  (MM  304,  MM 
305,  MM  601  TO  MM  603),  A  GPC  ANNUNCIATING  A  "SUMWORD 
ICC  X"  FAULT  MESSAGE  AND  NOT  FAI LED-TO-S YNC  WILL  BE 
ALLOWED  TO  CONTINUE  OPERATING  IN  THE  REDUNDANT  SET  AND 
DECLARED  FAILED  FOR  THE  NEXT  OPS  TRANSITION.  MANAGEMENT 
OF  THE  GPC  SHALL  BE  PER  FIGHT  RULE  {A7-3A},  GPC  FAILURE. 

THIS  RULE  CONTINUED  ON  NEXT  PAGE 
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A7-1  PASS  DPS  FAILURE  (CONTINUED) 

A  SUMWORD  ICC  X  message  is  not  indicative  of  a  GPC’s  ability  to  command  a  FC  bus.  If  the  GPC 
remains  in  the  RS  after  the  message  is  annunciated,  it  is  expected  that  the  set  will  remain  intact  until  the 
next  OPS  transition  when  the  GPC  should  be  moded  to  HALT.  If  the  GPC  remains  in  the  set,  control 
redundancy  is  not  affected  and  action  to  remove  the  GPC  from  the  set  is  not  warranted  since  the  worst- 
case  result  would  be  a  forced  FTS.  The  GPC  is  expected  to  FTS  at  the  OPS  transition  and  should  be 
removed  prior  to  attempting  the  transition. 

The  response  to  this  condition  is  divided  into  two  groupings  because  of  the  opportunities  to  respond  to 
the  condition.  During  ascent  through  MM  104,  GPC  MODE/POWER  switches  are  considered  to  be 
inaccessible.  Therefore,  a  non  -FTS  GPC  cannot  be  taken  to  HALT.  The  dynamic  part  of  entry  starts 
with  MM  304.  Although  GPC  MODE  switches  are  accessible,  DPS  system  reconfiguration  is  not 
allowed  except  for  certain  failure  conditions  as  stated  in  All  Flights  Rule  {A-254C},  ENTRY  STRING 
REASSIGNMENT.  Therefore,  removing  an  annunciating  GPC  would  reduce  system  redundancy.  Prior 
to  MM  304,  an  annunciating  GPC  still  in  the  RS  can  be  HALTED  and  the  DPS  system  reconfigured  to 
maintain  redundancy  ( Rule  { A2-254AJ ,  ENTRY  STRING  REASSIGNMENT)). 

This  rule  is  referenced  by  Rule  { A7-3AJ ,  GPC  FAILURE. 

D.  A  DATA  PATH  FAILURE  IS  DEFINED  AS  THE  LOSS  OF  CORRECT 

COMMUNICATION  BETWEEN  A  GPC  AND  A  BTU  OR  LRU  (I.E.,  MDM, 

MMU,  DEU,  I  MU,  HUD,  ETC.).  ©[040899-2459B] 

A  data  path  failure  is  manifested  when  problems  occur  at  the  GPC,  BTU,  or  LRU.  Loss  of  information 
to/from  a  GPC  may  be  indicated  by  an  INPUT/OUTPUT  (I/O)  ERROR  fault  message,  BCE  STRING  fault 
message,  BCE  BYPASS  fault  message,  or  MDM  OUTPUT  fault  message.  However,  failures  exist  (i.e., 
GPC  to  BTU /LRU  output  failures)  where  no  message  is  annunciated.  Failures  where  no  message  is 
annunciated  may  be  detected  by  the  flight  con  trol  community  and/or  by  crewmembers  using  subsystems 
performance  or  onboard  indications. 

Rules  (A2-59),  BFS  ENGAGE  CRITERIA,  (A2-258A},  BFS  ENGAGE,  and  (A7-4J,  TRANSIENT  GPC, 
reference  this  rule. 
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A7-2  UNRECOVERABLE  GPC 

AN  UNRECOVERABLE  GPC  IS  DEFINED  AS  FOLLOWS: 

An  unrecoverable  GPC  will  not  be  used  for  PASS  redundant/common  set  operations,  or  as  a  BFS  GPC. 

A.  THE  GPC  FAILS  AND  WILL  NOT  RESPOND  TO  AN  IPL. 

A  GPC  that  does  not  respond  to  an  IPL  after  experiencing  a  failure  is  indicative  of  a  hardware  problem. 
The  GPC  is  considered  failed  and  cannot  be  used. 

B.  THE  GPC  FAILS  FOR  UNKNOWN  CAUSES  MORE  THAN  ONCE  EVEN  THOUGH 
IT  RESPONDS  TO  AN  IPL. 


A  GPC  that  responds  to  an  IPL  even  after  it  has  failed  more  than  once  does  not  ensure  the  GPC  is 
healthy.  IPL’ing  a  computer  more  than  once  for  unexplained  failures  points  to  an  unreliable  GPC. 


C. 


THE  GPC  HAS  ONE 
RECEIVER  ON  BUS 
7,  8  OR  ANY  ICC 
GPC  BCE  FAILURE 


OR  MORE  FAILED  INPUT/OUTPUT  PROCESSOR  (IOP) 
CONTROL  ELEMENT  (BCE)  FC  1,  2,  3,  4,  5,  6, 

BCE  (EXCEPT  AS  NOTED  IN  RULE  {A7-5},  PASS 
MANAGEMENT) . 


A  PASS  GPC  with  an  ICC  receiver  failure  prevents  that  GPC  from  operating  in  a  redundant  or 
common  set.  A  PASS  GPC  with  a  flight-critical  receiver  failure  prevents  that  GPC  from  operating  in 
a  redundant  set.  Although  a  PASS  GPC  with  a  flight-critical  receiver  failure  could  operate  in  the 
common  set,  that  GPC  could  not  operate  in  the  redundant  set  for  entry.  Hence,  it  is  declared 
unrecoverable.  @[101096-451 6  ] 

The  exception  as  noted  in  Rule  { A7-5 },  PASS  GPC  BCE  FAILURE  MANAGEMENT,  is  for  BCE  FC4 
(primary  ports)  or  FC8  (secondary  ports)  receiver  failures  where  FF4  MDM  is  bypassed.  For  this  case, 
turning  off  MDM  FF4  allows  the  GPC  with  the  receiver  failure  to  be  assigned  any  string  and  operated  in 
the  redundant  set  to  allow  us  to  retain  GPC  redundancy.  @[101096-4516  ] 
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A7-3  GPC  FAILURE 

A.  DURING  ASCENT  (MM  102  TO  104)  OR  ENTRY  (MM  304,  305,  601  TO 

603),  MODE  A  FAILED  GPC  TO  "HALT"  ASAP.  POST-MM  104  OR  PRE-MM 
304,  POWER  OFF  A  FAILED  GPC  ASAP. 

A  GPC  that  experiences  a  fail -to -sync  can  send  erroneous  commands  to  the  orbiter  subsystems.  To 
prevent  a  failed  GPC  from  sending  erroneous  commands,  the  GPC  is  moded  from  RUN  to  STANDBY  then 
HALT  when  the  power  switch  is  not  accessible,  otherwise  GPC  power  is  removed  to  preserve  data  for 
analysis. 

In  general,  reach  and  visibility  constraints  do  not  allow  the  crew  to  reach  the  GPC  mode  switches  until 
post-MECO.  The  exception  to  the  MECO  cutoff  point  is  the  SSME  command  path  recovery  restring  done 
post-SRB  SEP  when  the  g-forces  have  decreased  and  the  crew  can  reach  the  switches.  The  failed  GPC 
will  have  to  be  moded  to  HALT  prior  to  the  restring  to  avoid  dual  commands.  This  rule  is  referenced  by 
Rule  IA7-1CJ,  PASS  DPS  FAILURE. 

B.  ON  ORBIT,  POWER  OFF  FAILED  GPC,  CONFIGURE  DPS  PER  RULES 

{ A7-13 } ,  GPC  MAJOR  FUNCTION  CONFIGURATION,  AND  {A7-102}, 

PASS  DATA  BUS  ASSIGNMENT  CRITERIA,  AND  ATTEMPT  TO  RECOVER 
FAILED  GPC. 

A  GPC  failure  will  create  a  loss  of  GPC  redundancy.  Depending  on  the  flight  requirements,  different 
GPC  configurations  may  be  required.  Until  GPC  recovery  can  be  performed,  the  referenced  rules  can  be 
used  as  a  guideline  for  reconfiguring  the  DPS  system  following  GPC  failures. 
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A7-4  TRANSIENT  GPC 

A  TRANSIENT  GPC  IS  DEFINED  AS: 

A.  A  GPC  WHICH  HAS  FAILED  ONLY  ONCE,  BUT  HAS  SUCCESSFULLY 
RESPONDED  TO  AN  IPL. 

A  GPC  failure  is  generally  thought  to  be  caused  by  hardware  failures  more  than  software  problems. 

Even  if  the  failed  GPC  recovers  by  doing  an  IPL,  there  is  concern  that  the  GPC  will  fail  again.  If  dump 
analysis  can  confirm  a  software-induced  failure,  the  GPC  will  be  considered  recovered.  @[092195-1798] 
@[101096-4516] 

B.  A  GPC  (101S)  WHICH  EXPERIENCES  SOFT  ERRORS  AGAINST  THE  LOWER 

PAGE  FOR  A  PASS  OR  BFS ,  OR  UPPER  PAGE  FOR  A  PASS  GPC,  OF 
MEMORY  AT  A  CONSTANT  RATE  OR  EXPERIENCES  A  SOFT  ERROR  COUNT 
OF  7F  .  @[101096-4477] 

Random  single-memory  hits  are  expected  to  occur  at  a  rate  of  several  per  day  or  in  single  bursts  of 
several  errors.  A  constant  incremen  ting  of  the  error  count  is  indicative  of  a  hard-memory  failure. 
Although  a  single  hard  bit  error  in  a  GPC  memory  location  is  corrected  by  the  error  detection  and 
correction  code,  an  additional  error  in  this  memory  location  cannot  be  corrected,  and  if  accessed  by  the 
computer  would  cause  the  GPC  to  fail.  Errors  in  the  upper  page  of  memory  are  not  reflective  of  errors  in 
the  lower  page  of  memory.  ®[1 01 096-4477  ] 

The  upper  page  of  memory  in  PASS  GPC’s  is  used  for  G3  archive.  Starting  with  01-25,  the  upper  page  of 
PASS  GPC’s  is  also  used  to  store  certain  software  library  routines.  Therefore,  a  hard  memory  error  in 
the  upper  memory  of  a  PASS  GPC  becomes  significant  to  normal  operation  in  addition  to  the  concern  for 
the  G3  archive  software.  G3  archive  concerns  with  soft  errors  against  the  upper  page  of  memory  are 
addressed  in  Rule  {A7-14},  GNC  3  ARCHIVE  MANAGEMENT.  Upper  memory  in  a  BFS  GPC  is 
currently  not  utilized.  @[101096-4477  ] 

C.  A  GPC  WHICH  ANNUNCIATES  A  SINGLE  "GPC  BITE"  FAULT  MESSAGE. 

A  GPC  BITE  fault  message  indicates  that  a  GPC  software  or  hardware  problem  exists  and  the  GPC  has 
ceased  running  a  software  module  for  at  least  one  cycle.  This  cessation  is  considered  an  abnormal  early 
termination  of  software  capability.  If  only  a  single  BITE  condition  is  annunciated,  then  the  cause  of  the 
problem  is  considered  transient  and  the  GPC  should  be  treated  as  such  under  Rule  {A7-13CJ,  GPC 
MAJOR  FUNCTION  CONFIGURATION.  If  the  GPC  fails-to-sync,  then  the  GPC  is  declared  failed  per 
Rule  {A7-IC}.  1,  PASS  DPS  FAILURE. 
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A7-5  PASS  GPC  BCE  FAILURE  MANAGEMENT 

PASS  GNC  3  GPC'S  THAT  INCUR  BCE  FAILURES  WILL  BE  CONFIGURED 
ACCORDING  TO  THE  FOLLOWING  GUIDELINES: 

A.  PRE-DEORBIT  BURN:  FOR  BCE  FAILURES  AFFECTING  STRINGS  1,  2, 

OR  3,  RESTRINGING  WILL  BE  PERFORMED  WITH  STRINGS  ASSIGNED 
PER  RULE  { A7-102 } ,  PASS  DATA  BUS  ASSIGNMENT  CRITERIA.  FOR 
STRING  4  FAILURES,  PORT  MODING  WILL  BE  DONE  TO  RECOVER  FA4 . 

B.  POST-DEORBIT  BURN:  PORT  MODING  WILL  BE  DONE  FOR  BCE  FAILURES 
IN  ORDER  TO  RECOVER  THE  CAPABILITY  OF  FF1 ,  2,  OR  3,  AND  FA4 . 
FA1 ,  2,  OR  3  WILL  BE  GIVEN  UP  IN  FAVOR  OF  FF1 ,  2,  OR  3,  AND 
FF4  WILL  BE  GIVEN  UP  IN  FAVOR  OF  FA4 . 


GPC’s  incurring  FC  BCE  failures  will  be  reconfigured  by  port  moding  or  restringing  to  obtain  the  most 
optimum  flight-critical  capabilities  depending  on  flight  phase.  Pre-deorbit  burn  restringing  will  be  done 
to  regain  the  full  capability  of  strings  1,  2,  and  3.  Restringing  will  not  be  performed  for  string  4  BCE 
failures  due  to  its  lack  of  sensor  authority  with  respect  to  strings  1  to  3.  String  4  will  be  port  moded  to 
recover  FA4  to  obtain  FCS  channel  capability.  Post-deorbit  burn,  port  moding  will  be  done  to  recover 
the  capability  ofFFl,  2,  or  3  and  FA  4.  Post-deorbit  burn  restringing  will  not  be  performed  for  FC  BCE 
failures  due  to  concerns  for  the  hazards  of  dynamic  restringing.  Port  moding  recovers  nearly  the  same 
capability  as  restringing,  while  avoiding  a  restring. 

C.  FOR  HARD  OR  TRANSIENT  PASS  GPC  BCE  RECEIVER  FAILURES  THE  GNC 
OPS  3  SET  WILL  BE  CONFIGURED  USING  THE  FOLLOWING  CRITERIA 
FOR  SYSTEM  RECONFIGURATION: 

1.  FOR  BCE  RECEIVER  FAILURES  AFFECTING  STRINGS  1,  2,  OR  3 
THE  GPC  WILL  BE  GIVEN  UP  IN  FAVOR  OF  THE  MDM  WITH 
STRINGS  ASSIGNED  PER  RULE  {A7-102},  PASS  DATA  BUS 
ASSIGNMENT  CRITERIA. 

2.  FOR  FC4  (FF4 )  RECEIVER  FAILURES,  MDM  FF4  MAY  BE  POWERED 
OFF  TO  RETAIN  GPC  REDUNDANCY. 

THIS  RULE  CONTINUED  ON  NEXT  PAGE 
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A7-5  PASS  GPC  BCE  FAILURE  MANAGEMENT  (CONTINUED) 

3.  FOR  FC8  (FA4 )  RECEIVER  FAILURES,  STRING  4  MAY  BE  MODED 
TO  SECONDARY  PORTS  AND  MDM  FF4  MAY  BE  POWERED  OFF  TO 
RETAIN  GPC  REDUNDANCY. 

GPC’s  that  experience  flight-critical  BCE  receiver  failures  will  force  fail  to  sync  due  to  nonuniversal  I/O 
errors  that  result  from  RS  GPC’s  disagreeing  on  the  occurrence  of  the  error.  In  the  deorbit  preparation 
timeframe,  IFM’s  are  not  routinely  done  (ref.  Rule  { A2-105 },  IN-FLIGHT  MAINTENANCE  (IFM)),  so 
reconfiguration  can  be  done  to  optimize  GPC  or  LRU  redundancy  for  entry.  A  GPC  with  a  receiver 
failure  affecting  strings  1,  2,  or  3  will  be  given  up  in  favor  of  recovering  full  LRU  redundancy.  For  string 
4  failures,  FF4  may  be  given  up  in  order  to  maintain  GPC  redundancy,  since  FF4  is  the  “least  critical” 
FC  MDM.  @[101096-4516] 

If  the  failure  is  FC4  (FF4),  MDM  FF4  may  be  powered  off  prior  to  adding  the  previously  failed  GPC 
back  into  the  GNC  3  set.  This  causes  all  GPC ’s  to  see  I/O  errors  against  FF4,  therefore  FF4  is  bypassed 
and  the  recovered  GPC  does  not  fail  to  sync. 

If  the  failure  is  FC8  (FA4),  port  moding  string  4  will  cause  the  failed  BCE  (FC8)  to  attempt  to 
communicate  with  FF4’s  secondary  port.  FF4  can  then  be  powered  off  and  the  failed  GPC  can  be 
recovered. 

D.  WHEN  A  CHOICE  EXISTS  BETWEEN  LOSS  OF  A  PASS  GPC  AND  A  DEU, 
THE  DEU  WILL  NOT  BE  USED  WITH  PASS  GPC'S  AND  WILL  BE 
ASSIGNED  TO  THE  BFS  FOR  ENTRY.  FOR  MEDS  CONFIGURED 
VEHICLES,  AN  IDP  MAY  STILL  BE  USED  IN  A  NON-DPS  MODE  ONCE  IT 
HAS  BEEN  DEASSIGNED  FROM  ALL  PASS  GPC'S.  ©[040899-2459B] 

Each  GPC  in  a  redundant  set  listens  to  all  data  to  and  from  the  DEU’s  assigned  to  the  RS.  Should  a 
single  RS  GPC  have  a  receiver  failure  on  a  DK  data  bus,  that  GPC  will  fail  to  sync  with  the  rest  of  the 
redundant  set.  The  GPC  can  be  recovered  by  assigning  the  DEU  that  caused  the  problem  to  the  BFS 
because  the  RS  will  stop  listening  to  the  data  from  that  DEU.  IDP's  which  are  not  assigned  to  a  PASS 
computer  may  still  be  used  with  a  PASS  GPC  in  a  non-DPS  mode  since  only  the  DPS  mode  requires  the 
DK  data  bus  interface.  ©[040899-2459B] 

Rules  {A2-5j,  PORT MODING/RESTRINGING  GUIDELINES;  {A7-2},  UNRECOVERABLE  GPC;  and 
I A7-6J ,  DATA  PATH  FAILURE,  reference  this  rule. 
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A7— 6  DATA  PATH  FAILURE 

A.  DURING  ASCENT  OR  ENTRY,  DPS  RECONFIGURATION  MAY  BE  PERFORMED 
PER  RULES  { A2 - 63 } ,  ASCENT  STRING  REASSIGNMENT;  {A2-254}, 
ENTRY  STRING  REASSIGNMENT;  {A7-102C},  PASS  DATA  BUS 
ASSIGNMENT  CRITERIA;  OR  {A7-5},  PASS  GPC  BCE  FAILURE 
MANAGEMENT,  TO  RECOVER  DATA  PATHS  LOST  DUE  TO  GPC  FAILURES. 

Data-pcith  loss  due  to  GPC  failures  results  in  a  bypass  of  an  entire  or  half-string.  Although  the  string  is 
downmoded,  the  attached  peripheral  devices  are  healthy.  Communication  may  be  reestablished  with  the 
string  by  reassigning  the  bypassed  string(s)  to  a  good  GPC. 

For  failure  of  a  PASS  GPC  BCE  transmitter  and/or  receiver,  communications  may  be  reestablished  by 
reassigning  the  entire  string  to  another  GPC  with  a  good  BCE,  or  port  moding  will  regain  the  bypassed 
MDM  at  the  expense  of  the  alternate  MDM  on  the  same  string. 

For  string  reassignment  criteria,  refer  to  Rules  {A2-63J,  ASCENT  STRING  REASSIGNMENT;  {A2-254J, 
ENTRY  STRING  REASSIGNMENT;  and  {A7-102CJ,  PASS  DATA  BUS  ASSIGNMENT  CRITERIA.  For 
PASS  GPC  BCE  failure  management,  refer  to  Rule  { A7-5 },  PASS  GPC  BCE  FAILURE  MANAGEMENT. 

B.  ON  ORBIT,  RECONFIGURE  PER  RULES  {A7-13},  GPC  MAJOR  FUNCTION 
CONFIGURATION;  {A7-102},  PASS  DATA  BUS  ASSIGNMENT  CRITERIA; 
AND  { A7-105 }  ,  MDM  PORT  MODING.  ®[ED  ] 

Data  path  lost  because  of  GPC  failures  implies  communication  with  the  affected  string  is  lost 
temporarily,  but  the  attached  LRU’s  are  healthy.  Communications  may  be  reestablished  by  reassigning 
the  affected  string  to  a  good  GPC.  This  rule  identifies  the  legal  reassignment  phases. 

C.  ON  ORBIT,  A  BTU  OR  LRU  MAY  BE  DEACTIVATED  TO  PRECLUDE 
RECURRING  NUISANCE  FAULT  MESSAGES. 

A  recurring  fault  message  may  become  a  nuisance  to  the  crew.  If  the  cause  of  the  annunciation  can  be 
isolated  to  a  BTU  or  LRU,  consideration  will  be  given  to  deactivating  the  erring  unit.  This  will  eliminate 
the  repeat  generations  of  the  fault  message.  Deactivation  may  take  the  form  ofMCDS  entered  item 
entries  which  reconfigure  the  subsystem,  or  the  unit  may  be  powered  off. 
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A7-7  POWERED  OFF  GPC  ACTION  (101S) 

A  GPC  (101S)  THAT  HAS  HAD  POWER  REMOVED  SHOULD  BE  RE-IPL'D  BEFORE 
USE,  TIME  PERMITTING. 

The  GPC  (10 IS)  battery  maintains  memory  during  GPC  powerojf  but  does  not  support  memory  error 
correction.  This  allows  memory  errors  to  accumulate.  If  this  results  in  a  double-bit  error,  the  GPC  will 
fail  when  the  location  is  accessed.  Re-IPL’ing  the  GPC  will  remove  all  soft  errors  and  reestablish  memory 
integrity. 

Re-IPL  ’ing  a  GPC  may  not,  however,  be  the  best  action  in  all  cases  because  the  GPC  can  require 
multiple  uplinks  before  it  can  be  used.  Therefore,  for  time-critical  cases  where  the  IPL/uplink  recovery 
sequence  takes  too  much  time,  it  may  be  desirable  to  accept  the  risk  of  a  double-bit  error.  This  risk  is  not 
constant  and  is  directly  related  to  the  amount  of  time  the  GPC  is  powered  off.  As  that  time  is  reduced,  the 
risk  decreases. 

A7-8  REDUNDANT  SET  FAILURE 

FOR  AN  RS  FAILURE  DURING  ASCENT  AND  ENTRY  DYNAMIC  PHASES,  ENGAGE 
BFS  . 

This  rule  calls  for  a  BFS  engage  to  regain  vehicle  control  due  to  a  redundant  set  failure. 
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A7-9  REDUNDANT  SET  SPLIT 


A.  ASCENT: 

1.  ASCENT,  PRE-MECO,  FOR  MULTIPLE,  NEAR  SIMULTANEOUS  GPC 
FAILURES  WHERE  AT  LEAST  ONE  IS  FAIL-TO-SYNC  (INCLUDING 
2-ON-2  SPLITS),  ENGAGE  BFS  (REF.  RULE  {A2-59},  BFS 
ENGAGE  CRITERIA) .  IF  THE  BFS  IS  TRACKING  AND  BOTH  OF 
THE  FOLLOWING  ARE  TRUE,  THEN  THE  PASS  SET  WILL  BE 
RECONFIGURED  RATHER  THAN  BFS  ENGAGE: 

a.  RECONFIGURATION  CAN  BE  COMPLETED  PRE-MECO  (E.G., 

CREW  CAN  REACH  THE  AFFECTED  GPC  SWITCHES  AND 
SUFFICIENT  TIME  IS  AVAILABLE  TO  COMPLETE  THE 
PROCEDURE) . 

b.  NO  ADDITIONAL  COMPLICATING  FAILURES  ARE  PRESENT. 

2.  IF  PASS  SET  RECONFIGURATION  IS  TO  BE  PERFORMED,  MCC  WILL 
COORDINATE  WITH  THE  CREW  THE  FOLLOWING  STEPS  PRE-MECO: 

a.  HALT  SIMPLEX  (OR  NONPREFERRED  PAIR)  GPC'S. 

b.  MANUALLY  SHUT  DOWN  THE  ENGINE  (S)  WITH  COMMAND  PATH 
FAILURES  PER  RULE  {A5-106},  MANUAL  SHUTDOWN  FOR 
COMMAND/DATA  PATH  FAILURES. 

c.  RESTRING  ONLY  IN  ACCORDANCE  WITH  RULE  {A2-63}, 

ASCENT  STRING  REASSIGNMENT. 


If  the  BFS  is  standalone  at  the  set  split  during  powered  flight,  then  its  navigation  state  will  quickly 
diverge,  which  eliminates  the  BFS  engage  option  ( ref.  Rule  { A7-51B j.l,  BFS  DPS  FAILURE).  In  this 
case  immediate  engagement  is  the  only  acceptable  action.  Even  if  the  BFS  is  tracking,  BFS  engagement 
is  the  quickest  and  simplest  option  to  regain  full  vehicle  control  and  LRU  redundancy  (except  for  GPC 
redundancy,  of  course).  As  long  as  the  BFS  continues  to  track  the  PASS  following  a  set  split,  then 
reconfiguration  of  the  PASS  set  is  a  viable  option.  However,  adequate  time  must  be  available  to  complete 
the  procedures  before  MECO;  the  crew  must  be  physically  capable  of  reaching  the  required  switches 
under  g-loads;  and  the  overall  crew/MCC  work  load  due  to  additional  complicating  factors  is  not 
excessive. 
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A7-9  REDUNDANT  SET  SPLIT  (CONTINUED) 

Due  to  the  extremely  low  probability  of  this  failure  case,  no  additional  procedures  will  be  documen  ted 
nor  valuable  integrated  simulation  time  expended.  Any  crew  training  will  be  limited  and  will  emphasize 
the  BFS  engage  procedu  re  as  this  is  the  preferred  option  and  will  safely  allow  recovery  from  this  failure 
scenario. 

The  PASS  GPC  fail  procedure  in  the  ascent  cue  cards  is  considered  to  be  sufficient  to  specify  those  crew 
actions  essential  to  immediately  safing  the  vehicle  in  the  event  of  a  set  split.  Also,  additional  failures  (at 
least  two)  in  the  communications  system  that  preclude  MCC  instructions  to  the  crew  in  this  situation  is 
not  considered  credible.  Therefore,  all  remaining  actions  will  be  by  MCC  call. 

In  a  two-on-two  set  split,  the  flight  control  team  will  identify  the  GPC’s  with  the  best  remaining 
capability;  the  nonpreferred  set  will  be  moded  to  halt  pre-MECO  to  avoid  erroneous  ou  tpu  ts  from  those 
GPC’s. 

The  major  reason  for  requiring  pre-MECO  crew  action  is  to  avoid  a  catastrophic  SSME  shutdown.  For 
the  2-1-1  case,  two  or  three  engines  could  have  command  path  failures  at  MECO  with  possible  loss  of 
crew  and  vehicle. 

A  manual  shutdown  of  all  three  engines  will  not  work  because  ofLO 2  NPSP  problems  caused  by  a  zero-g 
shutdown.  Manual  shutdown  for  the  case  of  two  command  path  failures  could  result  in  loss  of  vehicle 
control  because  guidance  may  not  recognize  all  engines  that  are  shutdown.  Single  Engine  Roll  Control 
(SERC)  will  activate  immediately  after  the  second  engine  failure,  due  to  the  sensed  loss  of  vehicle 
acceleration;  however,  degraded  control  will  result  if  guidance  does  not  recognize  the  second  engine  out 
failure  flag  to  properly  establish  ascent  DAP  flight  control  gains.  To  preclude  these  problems,  the 
simplex  GPC’s  must  be  prevented  from  commanding  engines.  This  can  be  done  by  taking  the  simplex 
GPC’s  to  HALT,  if  the  crew  can  reach  the  MODE  switches.  This  may  cause  one  engine  to  have  a 
command  path  failure,  but  this  is  less  severe  than  two  or  three  engines  with  a  command  path  failure.  If 
only  one  GPC  is  halted,  then  two  engines  could  still  have  command  path  failures.  After  the  GPC(s)  are 
moded  to  HALT,  there  will  be  no  more  than  one  engine  with  a  command  path  failure  that  will  need  to  be 
shut  down  manually.  If  the  simplex  GPC’s  cannot  be  halted,  then  engaging  the  BFS  is  the  only  other 
method  to  ensure  a  safe  MECO.  After  the  second  SSME  failure,  BFS  engage  is  no  longer  an  option  since 
the  BFS  does  not  support  SERC  and  a  loss  of  con  trol  will  likely  occur  on  the  BFS.  (Ref.  A/E  FTP  # 74 
Minutes  of  1/1 8/91. )  @[022802-5250  ] 

B.  DURING  ASCENT  OR  ENTRY,  FOR  LOSS  OF  CONTROL,  ENGAGE  BFS. 

This  rule  calls  for  a  BFS  engage  to  regain  vehicle  control  for  the  case  where  a  redundant  set  split  causes 
a  loss  of  control  situation. 


THIS  RULE  CONTINUED  ON  NEXT  PAGE 


VOLUME  A  06/20/02  FINAL  DATA  SYSTEMS  7-12 

Verify  that  this  is  the  correct  version  before  use. 


NASA  -  JOHNSON  SPACE  CENTER 


FLIGHT  RULES 


A7-9  REDUNDANT  SET  SPLIT  (CONTINUED) 

C.  ON  ORBIT,  A  SELECTION  MAY  BE  PERFORMED  BY  IDENTIFYING  THE 
GPC  THAT  IS  COMMANDING  TWO  OF  THREE  IMU' S .  THE  OTHER  GPC 
WILL  BE  POWERED  OFF  AND  A  RESTRING  WILL  BE  PERFORMED  TO 
RECOVER  ALL  STRINGS. 

An  initial  selection  of  the  GPC  commanding  two  of  three  IMU’s  will  provide  IMU  redundancy.  The 
remaining  GPC  will  be  powered  off  to  cease  software  execution  and  allow  for  a  restring  to  be  performed. 
If  the  GPC  is  not  powered  off  and  a  restring  is  performed,  dual  commands  will  result. 

Rule  / A2-59 },  BFS  ENGAGE  CRITERIA,  references  this  rule. 


A7-10  GNC  GPC  REACTIVATION  PRIORITY 

THE  ORDER  OF  PREFERENCE  FOR  REGAINING  VEHICLE  CONTROL  FOR  LOSS 
OF  ALL  OPERATING  GNC  GPC(S)  ON  ORBIT  IS: 

A.  FREEZE-DRY  GNC  2. 

B.  FREEZE-DRY  GNC  3  (IF  AVAILABLE) . 

C.  BFS. 


Activation  of  the  G2FD  GPC  would  recover  fill  vehicle  control  with  minimal  impact  to  nominal-orbit 
configuration.  Activation  of  the  G3FD  GPC  requires  activation  of  special  LRU’s  needed  by  the  OPS  3 
software.  A  G3FD  GPC  will  only  be  available  ifG3  archive  capability  has  been  lost  and  a  G3FD  has 
been  established.  In  addition,  the  crew  procedures  for  recovering  and/or  reconfiguring  the  PASS  are 
simplified  if  the  BFS  has  not  been  engaged.  Ref.  Rule  {A7-14},  GNC  3  ARCHIVE  MANAGEMENT. 
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A7-11  GNC  GPC  REDUNDANCY  REQUIREMENTS 

REDUNDANT  GNC  GPC' S  ARE  REQUIRED  FOR  THE  FOLLOWING  ORBIT 
OPERATIONS : 

A.  RNDZ/PROX  OPS. 

B.  PAYLOAD  RETRIEVAL. 

C.  EVA  OPERATIONS  WITH  MANNED  FREE  FLYER  OPS.  @[090894-1667] 

D.  OMS/RCS  BURNS  WHICH  ARE  CRITICAL  FOR  CREW  SAFETY  AND/OR 
WHICH  ARE  CLASSIFIED  AS  FLIGHT  SUCCESS  DELTA  V  MANEUVERS. 

Redundant  GNC  GPC’s  meet  the  fail-safe  capability  that  is  required  for  these  operations.  Rendezvous 
requires  redundancy  at  the  point  in  the  profile  where  on-time  execution  of  delta  V  maneuvers  becomes 
critical  to  mission  success  and  when  a  breakout  capability  is  required.  For  crew  safety,  proximity 
operations  and  payload  retrieval  operations  require  +Z  redundancy  for  translation  separation 
maneuvers.  For  EVA  operations  involving  an  untethered  crewmember,  vehicle  control  is  required  in 
order  to  rescue  a  crewmember  for  certain  free  flyer  apparatus  ( i.  e. ,  SAFER)  failures.  OMS  burns 
require  a  downmode  capability  for  delta  V  maneu  vers  which  are  critical  for  crew  safety  (such  as  some 
postdeployment  separation  burns )  and  flight  success.  RCS  burns  require  +Z  redundancy  for 
translation  separation  maneuvers  that  are  critical  for  crew  safety  (such  as  IPS,  RMS,  or  KU  jettison). 
With  redundant  GPC’s,  uninterrupted  vehicle  control  would  be  provided  even  if  one  GNC  GPC  fails. 

Rule  (A7-13AJ,  GPC  MAJOR  FUNCTION  CONFIGURATION,  references  this  rule. 

In  general,  reference  rules  {A2-114},  OMS/RCS  MANEUVER  CRITICALITY,  and  {. A2-120 ], 
RNDZ/PROX  OPS  DPS  SYSTEMS  MANAGEMENT,  for  related  requirements.  @[090894-1 667  ] 

A7-12  PASS/BFS  REDUNDANCY 

THE  BFS  IS  NOT  CONSIDERED  IN  THE  PASS  DPS  REDUNDANCY 
REQUIREMENTS . 

The  BFS  software  was  not  designed  with  the  requirement  to  accomplish  on-orbit  operations.  It  was 
designed  to  assume  con  trol  of  the  vehicle  in  the  event  the  PASS  can  no  longer  con  trol  the  vehicle  during 
dynamic  flight  regimes.  Unlike  the  PASS,  the  BFS  cannot  perform  IMU  alignments  or  MDM  port 
moding;  and  it  does  not  have  any  time  management  controls.  The  system  management  (SM)  function  is 
limited  in  the  sense  that  all  PASS  SM  capabilities  are  not  available  in  the  BFS.  With  this  in  mind,  the 
BFS  cannot  be  considered  as  being  interchangeable  or  redundant  to  the  PASS  GPC’s. 
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A7-13  GPC  MAJOR  FUNCTION  CONFIGURATION 

GPC  MAJOR  FUNCTION  CONFIGURATION  WILL  BE  PERFORMED  PER  THE 
FOLLOWING  GUIDELINES: 

A.  ORBIT  CONFIGURATION  @[082593-1538] 

1.  NOMINAL  ON-ORBIT  GPC  DISTRIBUTION  BY  MAJOR  FUNCTION  WILL 
BE  AS  FOLLOWS : 

GPC  1  -  GNC  2 

GPC  2  -  GNC  2  (FREEZE-DRY,  IF  REQUIRED  FOR  POWER 
SAVINGS) 

GPC  3  -  GNC  2  FREEZE-DRY  (GNC  3  FREEZE-DRY) 

GPC  4  -  SM  2 
GPC  5  -  BFS 

Two  GNC  GPC’s  are  required  to  satisfy  Rule  {A7-11J,  GNC  GPC  REDUNDANCY  REQUIREMENTS. 
One  GPC  is  required  to  accomplish  the  systems  management  functions.  The  BFS  is  always  loaded  in  a 
GPC  to  gain  vehicle  control,  if  lost,  from  the  PASS  GPC’s.  The  last  GPC  is  loaded  with  G3  software  to 
protect  against  mass  memory  failures  if  no  G3  archive  is  resident  in  a  nonf ailed  GNC  major  function 
GPC,  otherwise  G2  software  will  be  loaded  into  this  GPC. 

2.  DURING  RENDEZVOUS/PROX  OPS,  A  REDUNDANT  SET  (RS)  OF 
THREE  GPC'S  MAY  BE  UTILIZED. 

Three  GNC  GPC’s  are  preferred  for  rendezvous/prox  ops  to  simplify  recovery  procedures  if  a  GNC  GPC 
fails  during  the  period  when  rendezvous  nav  is  enabled.  Only  two  GPC’s  are  actually  required  (ref.  Rule 
IA7-11J,  GNC  GPC  REDUNDANCY  REQUIREMENTS).  If  a  GNC  GPC  fails,  a  restring  to  the 
remaining  two  GPC’s  recovers  all  LRU  redundancy,  still  meets  rendezvous  GPC  requirements  and  does 
not  affect  rendezvous  nav  functions  as  long  as  the  target  set  is  not  changed.  Since  all  PASS  GPC’s  have 
G3  software  stored  in  high  memory,  there  is  not  a  concern  with  giving  up  the  G3  FD  GPC  prior  to 
rendezvous  to  form  a  three  GPC  set.  @[082593-  1538] 
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A7-13  GPC  MAJOR  FUNCTION  CONFIGURATION  (CONTINUED) 

B.  A  REDUNDANT  GNC  GPC  MAY  BE  CONFIGURED  TO  PL 9  FOR  THE 
FOLLOWING: 

Using  o  redundant  set  GPC  would  not  give  up  existing  capability,  only  redundancy. 

1 .  A  PASS  DEU  IPL 

A  DEU  can  only  be  IPL’ ed  from  PL9,  SM  OPS  2/4,  a  post-IPL  OPS  0  GPC,  or  the  BFS.  If  available,  an 
SM  2/4  DEU  IPL  is  preferred  over  a  PL9  DEU  IPL  in  order  to  preserve  GNC  GPC  redundancy.  A  PL9, 
SM  OPS  2/4,  or  post-IPL  OPS  0  GPC  provides  full  PASS  DEU  IPL  capability.  PASS  critical  formats  will 
not  be  available  after  loading  a  DEU  from  the  BFS,  so  it  is  preferable  not  to  perform  a  BFS  DEU  IPL  on 
a  DEU  which  is  to  be  driven  by  the  PASS  when  one  of  the  other  viable  alternatives  exists. 

2.  A  MASS  MEMORY  DUMP/PATCH 

SM  will  normally  be  used  for  an  MMU  dump  or  patch  as  long  as  the  MMU  load  block  is  less  than  or 
equal  to  2,048  halfwords.  PL9  has  capability  to  accommodate  an  MMU  dump  or  patch  involving  large 
MMU  load  blocks  up  to  16,384  halfwords. 

C.  A  TRANSIENT  GPC  WILL  BE  MADE  THE  REDUNDANT  GNC  GPC  ON  ORBIT, 

EXCEPT  FOR  SAFETY-CRITICAL  OPERATIONS.  A  TRANSIENT  GPC  MAY 
BE  MADE  THE  FREEZE-DRY  GNC  2  IF  REQUIRED  FOR  POWER  SAVING  ON 
ORBIT.  IF  USED  FOR  ENTRY,  A  TRANSIENT  GPC  WILL  BE  ASSIGNED 

STRING  4. 

A  transient  GPC  may  fail  again  and,  therefore,  will  not  be  used  for  orbit  periods  of  safety-critical 
operations  such  as  proximity  operations  where  continuous  and  complete  vehicle  control  is  required  to 
preclude  collisions.  For  other  periods,  running  the  transient  GPC  in  a  redundant  set  may  provide  more 
data  relating  to  the  original  failure.  The  use  of  a  transient  GPC  for  entry  will  generally  be  avoided,  but  if 
conditions  cause  a  transient  to  be  used  for  entry,  then  it  will  be  assigned  string  4  because  string  4 
interfaces  with  fewer  LRU’s  and  loss  of  this  string  is  less  significant  than  loss  of  any  other  string  during 
the  entry  timeframe. 
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A7-13  GPC  MAJOR  FUNCTION  CONFIGURATION  (CONTINUED) 

D.  FOR  TWO  PASS  GPC'S  FAILED  DURING  ASCENT,  ATTEMPTS  TO  RECOVER 
THE  GPC'S  WILL  BEGIN  FOLLOWING  THE  FIRST  DPS  TRANSITION. 

THE  CONFIGURATION  DURING  THIS  PERIOD  WILL  BE  ONE  GNC  2  GPC, 
ONE  SM  GPC,  AND  THE  BFS  (EXCEPT  AS  NOTED  IN  PARAGRAPH  E) . 

Recovery  will  be  attempted  as  soon  as  possible  after  the  data  processing  system  is  configured  for  orbit. 
One  GNC  GPC,  one  SM  GPC,  and  one  BFS  provide  the  best  configuration  to  continue  with  a  minimum 
duration  mission  and  accomplish  mission  objectives  (i.e.,  one  GNC  GPC  for  vehicle  control,  one  SM 
GPC  for  system  management,  and  the  BFS  for  backup  in  case  a  PASS  failure  occurs). 

The  exception  reference  refers  to  those  operations  that  require  redundant  GNC  GPC’s.  Orbit  operations 
that  require  redundant  GNC  GPC’s  should  be  delayed,  if  possible,  until  GPC  recovery  is  complete.  The 
SM  GPC  would  be  given  up  to  provide  a  redundant  GNC  GPC  and  the  BFS  should  be  activated  to 
provide  systems  monitoring  if  a  redundant  GNC  GPC  is  required  for  crew  safety  or  total  loss  of  major 
mission  objectives.  The  BFS  should  not  be  given  up  to  allow  the  SM  GPC  to  support  payload  operations. 

E.  FOR  A  GENERAL  PURPOSE  COMPUTER  (GPC)  FAILURE  ON  ORBIT: 
@[011295-1746  ] 

1.  A  BFS  WILL  BE  MAINTAINED  AS  LONG  AS  AT  LEAST  TWO  GPC'S 
ARE  OPERABLE. 

The  BFS  can  perform  limited  systems  management  and  it  is  preferred  over  the  PASS  SM  when  only  two 
GPC’s  are  available  because  of  its  entry  capability. 

2.  RECONFIGURATION  WILL  BE  BASED  ON  GPC  AVAILABILITY  PER 
THE  FOLLOWING  PRIORITIES: 

a.  IF  A  G2FD  (FREEZE  DRY)  IS  AVAILABLE,  THIS  GPC  MAY  BE 
RECONFIGURED  AS  A  GNC,  SM,  OR  BFS  GPC. 

b.  IF  A  G3FD  IS  CONFIGURED  (DUE  TO  A  LOSS  OF  G3 
ARCHIVE) : 

(1)  THE  G3FD  GPC  MAY  BE  RECONFIGURED  AS  A  GNC,  SM, 

OR  BFS  GPC  IF  BOTH  MASS  MEMORY  UNITS  (MMU'S)  ARE 
OPERATIONAL . 
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A7-13  GPC  MAJOR  FUNCTION  CONFIGURATION  (CONTINUED) 

(2)  IF  AN  MMU  IS  FAILED,  THE  G3FD  WILL  NOT  BE 
SACRIFICED . 

c.  IF  THE  ORIGINAL  CONFIGURATION  WAS  MULTIPLE  G2, 
RECONFIGURATION  WILL  BE  PERFORMED  AS  NEEDED  TO 
MAINTAIN  DUAL  G2  IF  REQUIRED  PER  THE  FLIGHT  RULE 
ANNEX  (I.E.,  SACRIFICE  THE  SM  IF  NECESSARY).  IF  NO 
REQUIREMENT  EXISTS  FOR  DUAL  G2'S,  THEN  A  SINGLE  GNC 
GPC  WILL  BE  MAINTAINED. 

For  normal  DPS  orbit  operations ,  there  will  be  either  one  or  two  G2FD  GPC’s  since  nominally  three 
sources  of  entry  software  will  exist  onboard  ( two  MMU’s  and  G3  archive  present  in  all  PASS  GPC’s).  A 
G2FD  will  be  given  up  for  any  GPC  failure.  If  G3  archive  is  lost  in  all  GNC  major  function  base  GPC’s, 
a  G3FD  will  be  established.  The  G3FD  will  only  be  given  up  as  long  as  both  MMU’s  are  operational. 

If  dual  G2  is  required  and  only  3  GPC’s  are  available,  the  SM  GPC  will  be  sacrificed  as  opposed  to  the 
BFS  because  of  the  rationale  provided  in  paragraph  1  above. 

Reference  {A7-3B},  GPC  FAILURE;  {A7-14A},  GNC  3  ARCHIVE  MANAGEMENT;  and  {A7-201C}  and 
D,  DPS  REDUNDANCY  REQUIREMENTS.  ®[01 1 295-1 746  ] 

F.  IF  BOTH  MMU'S  HAVE  FAILED  PRIOR  TO  SUCCESSFUL  COMPLETION  OF 
THE  GNC  OPS  3  TRANSITION,  THE  SM  GPC  WILL  BE  RETAINED  UNTIL 
TIG-50  MINUTES. 

The  SM  software  is  only  available  from  an  MMU.  In  this  case,  where  both  MMU’s  are  failed,  once  the 
SM  function  is  given  up  to  build  another  G3  GPC,  it  is  not  possible  to  reestablish  cm  SM  GPC  if  deorbit  is 
waived  off  and  a  retu  rn  to  orbit  ops  is  desired.  An  SM  machine  offers  advan  tages  over  a  BFS  for  use  in 
systems  monitoring  and  provides  for  the  use  of  the  Ku-band  system,  which  the  BFS  GPC  cannot  provide. 
TIG-50  minutes  is  chosen  as  a  convenient  point  to  finally  give  up  the  SM  machine  and  configure  to  a  full 
up  G3  set  of  GPC’s  before  stowing  all  the  orbit  FDF  and  going  to  the  Entry  Checklist  at  TIG-50  minutes. 

G.  IF  PASS  GPC'S  INCUR  HARD  IP  BCE  FAILURES,  DPS  RECONFIGURATION, 
IF  POSSIBLE,  WILL  BE  PERFORMED  TO  REGAIN  A  MAJOR  FUNCTION'S 
DOWNLIST . 

Each  GPC  has  a  single  IP  bus  to  transmit  data  to  the  PCMMU  for  downlist.  The  redundant  set 
designates  a  single  GPC  as  the  prime  downlist  GPC.  Therefore,  if  a  downlisting  GPC  can  be  recovered 
by  simply  redesignating  the  downlist  GPC  via  item  number  on  SPEC  0,  it  will  be  done.  If  the  GPC  with 
the  IP  bus  failure  is  the  SM  GPC,  the  downlist  can  be  recovered  by  placing  SM  in  one  of  the  redundant 
GNC  GPC’s  and  putting  GNC  back  into  the  GPC  previously  loaded  with  SM. 

Rules  { A7-3B },  GPC  FAILURE;  and  (A7-6BJ,  DATA  PATH  FAILURE,  reference  this  rule. 
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A7-14  GNC  3  ARCHIVE  MANAGEMENT 

A.  A  GNC  3  FREEZE-DRIED  GPC  WILL  NOT  BE  ESTABLISHED  IF  A  COPY 
OF  GNC  3  ARCHIVED  SOFTWARE  IS  RESIDENT  IN  A  NONFAILED  GNC 
MAJOR  FUNCTION  GPC.  IF  NO  GNC  MAJOR  FUNCTION  GPC' S  HAVE  A 
COPY  OF  GNC  3  ARCHIVE  RESIDENT  IN  UPPER  MEMORY,  A  GNC  3 
FREEZE-DRIED  GPC  WILL  BE  ESTABLISHED  AS  SOON  AS  PRACTICAL. 

As  long  as  a  GNC  major  function  GPC  that  has  not  failed  or  been  re-IPL’ed  on  orbit  has  a  copy  of  G3 
archive  software,  it  will  be  considered  a  redundant  source  ofG3  software.  If  no  such  GPC  exists,  a 
G3FD  GPC  will  be  loaded  to  provide  an  additional  onboard  G3  software  source. 

Reference  Rule  (A7-13EJ,  GPC  MAJOR  FUNCTION  CONFIGURATION.  ®[01 1 295-1 746] 

B.  A  GPC  CONTAINING  ARCHIVED  GNC  3  SOFTWARE,  WHICH  EXPERIENCES 
AN  UPPER  MEMORY  SOFT  ERROR  COUNT  OF  7F,  OR  A  CONSTANTLY 
INCREMENTING  COUNT  WILL  NOT  BE  USED  AS  A  SOURCE  OF  ENTRY 
SOFTWARE  FOR  NON-TAL  OPS  3  TRANSITIONS.  FOR  TAL 
TRANSITIONS,  THE  GPC  WILL  BE  USED. 

A  soft  error  counter  increment  is  indicative  of  a  single  location  memory  error  that  was  successfully 
corrected  by  the  memory  scrub  circuitry.  Random  single-memory  hits  are  expected  to  occur  at  a  rate  of 
several  per  day  or  in  single  bursts  of  several  errors.  A  constan  t  incremen  ting  of  the  error  count  is 
indicative  of  a  hard-memory  failure. 

All  targeted  G3  GPC’s  with  G3  archive  resident  in  upper  memory  will  transfer  the  OPS  3  overlay  to 
lower  memory  at  initiation  of  OPS  3  when  archive  retrieve  is  enabled.  Any  targeted  GPC’s  without  G3 
archive  resident  in  upper  memory  will  then  receive  the  overlay  from  the  lowest  ID  GPC  that  has  the 
overlay  in  lower  memory.  If  the  archive  retrieve  is  disabled,  then  the  OPS  3  transition  will  utilize  the 
mass  memory  units  (MMU’s)  as  the  source  for  the  G3  software.  If  one  memory  location  in  upper  memory 
has  two  hard  errors  and  the  location  is  used  to  store  the  G3  software,  then  the  GPC  willfail-to-halt  at  the 
transition.  If  the  location  is  not  used  to  store  G3  software,  then  the  GPC  will  continue  to  operate  without 
failing.  If  there  exists  only  a  single  error  in  any  upper  memory  location,  then  the  error  correction  code 
will  correct  the  data  before  it  is  moved  into  lower  memory  and  the  subsequent  execution  of  G3  from  lower 
memory  is  not  impacted. 
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A7-14  GNC  3  ARCHIVE  MANAGEMENT  (CONTINUED) 

For  non-TAL  G3  transitions,  there  is  no  time  criticality,  and  therefore  certain  actions  can  be  taken  to 
eliminate  the  chance  of  having  a  GPCfail  because  of  upper  memory  errors.  The  easiest  action  for  the 
crew  is  to  simply  disable  the  archive  retrieve  by  entering  a  single  item  entry  before  execution  of  the  OPS 
transition.  The  rest  of  their  procedures  can  then  be  run  withou  t  changes. 

Due  to  the  highly  dynamic  and  time  critical  nature  ofTAL  transitions,  time  delays  in  entering  OPS  3  are 
critical.  Therefore,  disabling  the  archive  retrieve  and  going  to  the  MMU’s  introduces  delays  that  should 
be  avoided.  The  chance  of  having  two  errors  in  a  single  memory  location  is  considered  to  be  very  slight, 
and  therefore  accepting  the  possibility  of  a  single  GPCfail  versus  delaying  the  entry  into  OPS  3  by  using 
the  MMU’s  is  reasonable. 

Errors  in  the  upper  page  of  memory  are  not  reflective  of  problems  with  the  lower  page  of  memory .  Rule 
/ A7-10J ,  GNC  GPC  REACTIVATION  PRIORITY,  references  this  rule. 

A7-15  SM  OPS  4  TRANSITION  REQUIREMENTS 

FOR  FLIGHTS  WHERE  SM  OPS  4  IS  NOT  SUPPORTED  IN  THE  FLIGHT 
SOFTWARE  TESTING  CYCLE,  A  TRANSITION  TO  SM  OPS  4  WILL  NOT  BE 
PERFORMED . 

In  order  to  reduce  FEID  and  testing  times  for  flight  software  loads,  missions  that  require  SM  OPS  2  only 
will  not  have  a  requirement  for  SM  OPS  4  SAV  testing  and  verification.  Therefore,  for  flights  where  SM 
OPS  4  SAV  has  not  been  tested,  an  SM  OPS  4  transition  will  not  be  performed.  Beginning  with  01-20,  a 
transition  to  SM  OPS  4  will  be  prohibited  by  the  flight  S/W  [by  generating  an  ILLEGAL  ENTRY  message 
on  the  scratch  pad  line  (SPL))  when  SM  OPS  4  SAV  testing  is  not  supported  or  required  for  the  flight. 
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A7-16  GPC  MEMORY  WRITE  CRITERIA  [CIL] 

THE  USE  OF  GPC  MEMORY  WRITE  PROCEDURES  ARE  SUBJECT  TO  THE 
FOLLOWING  GUIDELINES: 

A.  ONLY  THOSE  WRITE  PROCEDURES  WHICH  HAVE  COMPLETED  SOFTWARE 
DEVELOPMENT  LEVEL  VERIFICATION,  CREW  PROCEDURAL 
VERIFICATION,  AND  HAVE  BEEN  DOCUMENTED  IN  A  CONTROLLED 
MANNER  WILL  BE  CONSIDERED  FOR  USE. 

Changing  GPC  memory  contents  in  an  uncontrolled  manner  can  lead  to  catastrophic  results.  Therefore, 
this  rule  is  designed  to  prevent  real-time  write  procedures  from  being  used  before  they  have  been 
evaluated  and  tested. 

B.  GPC  MEMORY  PROCEDURES  THAT  MODIFY  PERFORMANCE  RELATED 
PARAMETERS  WILL  BE  VERIFIED  AND  APPROVED  IN  REAL  TIME  PRIOR 
TO  THEIR  EXECUTION. 

This  rule  documents  an  agreement  that  Systems  Division  made  with  the  Orbiter  Project  Office. 

C.  ONLY  PREFLIGHT  APPROVED  AND  VERIFIED  (PREAUTHORIZED)  GMEM 
WRITE  PROCEDURES  NEEDED  IN  TIME-CRITICAL  SITUATIONS  WILL  BE 
USED  WITHOUT  FURTHER  VERIFICATION.  WHEN  TIME  PERMITS,  THEY 
WILL  BE  REVERIFIED  BEFORE  USE.  IF  REVERIFICATION  IS  NOT 
COMPLETE  BEFORE  THE  LAST  IMPLEMENTATION  OPPORTUNITY  FOR  A 
PREAUTHORIZED  GMEM  WRITE  PROCEDURE,  IT  WILL  BE  IMPLEMENTED. 
ALL  GMEM  WRITE  PROCEDURES  THAT  ARE  NOT  PREAUTHORIZED  MUST 
UNDERGO  FULL  VERIFICATION  BEFORE  USE. 

Certain  GMEM’s  were  approved  with  the  understanding  that  they  might  be  executed  in  time-critical 
situations.  These  GMEM’s  have  been  extensively  verified  by  testing  prior  to  release  and  can  be  used 
without  further  verification  when  required.  An  informational  SPAN/MER  chit  should  be  initiated 
following  such  use.  Good  practice  and  NSTS  policy  require  any  countdown  or  in-flight  GMEM  to  be 
verified  to  the  greatest  possible  extent  in  real-time  before  being  implemented.  Therefore,  when  time 
permits,  a  SPAN/MER  chit  should  be  initiated  requesting  reverification  of  any  preauthorized  GMEM 
before  its  use.  Waiting  for  that  reverification  to  be  completed,  however,  is  not  grounds  to  delay 
implementing  a  preauthorized  GMEM  beyond  when  it  is  needed.  For  GMEM’s  that  have  not  been 
preauthorized,  a  chit  requesting  verification  must  be  submitted,  and  the  verification  must  be  completed 
before  the  GMEM  is  authorized  for  use.  The  specific  conditions,  including  major  mode  restrictions 
governing  their  use,  are  contained  in  the  PASS  Release  Authorization  Documents  (RAD’s)  and  the  BFS 
Engineering  Orders  (EO’s)  that  authorize  their  use.  The  authorizing  document  of  the  preflight  approved 
GMEM’s  is  the  Release  Authorization  for  Shuttle  Software  (RASS). 
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A7-16  GPC  MEMORY  WRITE  CRITERIA  [CIL]  (CONTINUED) 

D.  UPLINK  COMMAND  LOADS  WILL  BE  USED  WHERE  PRACTICAL  FOR 
INCORPORATION  OF  GPC  MEMORY  WRITE  PROCEDURES.  PARAGRAPH  G 
LISTS  APPROVED  AND  DOCUMENTED  GENERAL  MEMORY  WRITE  PROCEDURES. 
WRITE  PROCEDURES  THAT  WILL  NOT  BE  PERFORMED  BY  UPLINK  ARE  SO 
NOTED . 

Uplink  command  loads  from  the  ground  offer  more  flexibility  and  assurance  of  the  accuracy  of  the  GPC 
memory  procedure.  This  procedure  also  allows  a  change  of  a  larger  set  of  GPC  memory  addresses  as 
opposed  to  only  six  at  a  time  via  the  GPC  memory  SPEC.  Additionally,  it  allows  real-time  review  by  the 
MCC  personnel  before  its  use  (more  eyes  to  detect  errors). 

E.  GPC  MEMORY  WRITE  PROCEDURES  WILL  BE  IMPLEMENTED  AS  PATCHES 
TO  GPC  RESIDENT  SOFTWARE  ONLY,  AND  WILL  NOT  BE  IMPLEMENTED 
AS  PATCHES  TO  THE  MMU '  S . 

The  MMU’s  are  loaded  prelaunch  with  all  three  areas  the  same  or  with  approved  and  verified  changes. 

The  in  ten  t  here  is  to  not  pollute  the  MMU  contents  in  reed  time  because  of  lack  of  appropriate  time  to 
permit  verification  and  testing. 

F.  FOLLOWING  THE  IMPLEMENTATION  OF  THE  FIRST  IN-FLIGHT  GPC 
MEMORY  WRITE  PROCEDURE,  ADDITIONAL  PREFLIGHT  APPROVED 
GMEM  WRITES  WILL  NOT  BE  USED  UNTIL  REVERIFICATION  BY  THE 
APPROPRIATE  SOFTWARE  DEVELOPER  IS  PERFORMED,  UNLESS 
AUTHORIZED  FOR  CONCURRENT  USE. 

Once  a  GPC  write  procedure  has  been  implemented,  it  is  necessary  to  ensure  that  subsequent  use  of 
GMEM’s  do  not  induce  failures  in  the  system.  Unless  authorized  for  concurrent  use  while  maintaining 
approved  configuration,  reverification  is  required  to  confirm  that  the  next  GMEM  considered  for  use  can 
be  used  in  conjunction  with  at  most  one  other  GMEM  in  the  system  without  any  impact  to  the  system.  The 
appropriate  PASS  or  BFS  software  developer  is  responsible  for  reverifying  all  subsequent  GPC  write 
procedures  prior  to  their  use.  For  GMEM  write  procedure) s)  which  can  be  used  concurrently,  refer  to 
the  authorizing  document. 
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A7-16  GPC  MEMORY  WRITE  CRITERIA  [CIL]  (CONTINUED) 

G.  GPC  MEMORY  WRITE  CRITERIA:  PREFLIGHT  APPROVED  AND  VERIFIED 
GENERAL  MEMORY  WRITE  PROCEDURES.  EXCEPT  AS  NOTED,  THESE 
GMEM'S  WILL  NORMALLY  BE  IMPLEMENTED  VIA  UPLINK: 

APPROVED 

TITLE  IMPLEMENTATION 

OMS  MIXED  CROSSFEED  (PASS)  (CR  89577B)  *  U/L  AND  KYBD  [1] 

*  PLANNED  FOR  EXECUTION  IN  A  CRITICAL  PHASE 

NOTE:  THE  GMEM  WRITE  UPLINK  OPERATION  CODES  ARE  NOT  LEGAL  IN  PASS  OPS  1  AND  3.  THE  DEU 

EQUIVALENT  UPLINK  IS  THE  ONLY  OPTION.  DUE  TO  THE  RELATIVELY  LONG  UPLINK  TIME  OF  A  DEU 
EQUIVALENT  AND  THE  POSSIBILITY  OF  DATA  DROPOUTS,  THE  CREW  KEYBOARD  IMPLEMENTATION 
IS  PREFERRED  OVER  THE  DEU  EQUIVALENT  UPLINK  OPTION  IF  THIS  GMEM  WRITE  IS  IMPLEMENTED 
DURING  TIME-CRITICAL  ASCENT  OR  DEORBIT  OPERATIONS.  THIS  GMEM  WRITE  WILL  BE 
IMPLEMENTED  VIA  UPLINK  IF  REQUIRED  FOR  A  NONTIME-CRITICAL  DEORBIT.  @[111094-1731  ] 

Reapplication  of  a  previously  applied  GMEM  write  is  permitted  and  is  not  considered  a  second  GMEM 
write  application. 

The  list  of  GPC  memory  read/write  procedures  contained  in  paragraph  G  is  considered  critical  enough  to 
the  crew  and/or  orbiter  safety  that  preflight  approval  and  verification  for  their  use  is  obtained  prior  to  the 
flight.  Reverification  is  required  unless  specific  authorization  provides  for  procedures  used  in 
conjunction  with  another  GPC  memory  altering  procedure. 

Rule  / A2-111 },  DPS  COMMAND  CRITERIA ,  references  this  rule. 

H.  GPC  MEMORY  WRITE  CRITERIA:  PREFLIGHT  APPROVED,  UNVERIFIED 
GENERAL  MEMORY  WRITE  PROCEDURES: 

TITLE  IMPLEMENTATION 

NONE  CURRENTLY  DEFINED  N/A 

Rule  {A2-111},  DPS  COMMAND  CRITERIA,  references  this  rule. 

I .  FOR  PASS  REDUNDANT  SET  GMEM' S  APPLIED  TO  PERMANENTLY 
RESIDENT  SYSTEM  SOFTWARE,  GMEM'S  WILL  BE  APPLIED  TO  A  RE- 
IPL'ED  GPC  BEFORE  THE  GPC  IS  ADDED  TO  THE  REDUNDANT  SET. 

The  PASS  software  is  required  to  be  functionally  identical  in  each  GPC  of  the  redundant  set.  A 
re-IPL’ed  GPC  would  not  have  GMEM’s  installed,  so  reapplying  active  GMEM’s  would  be 
necessary  for  the  redundant  system  software  to  be  identical.  This  rule  is  limited  to  the  system 
software  because  GMEM’s  in  the  ops  application  software  would  be  loaded  from  the  PASS  prime 
GPC  during  the  ops  transition.  @[030994-161 1  ] 
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A7-17  GPC  MEMORY  DUMP  CRITERIA 

GPC  MEMORY  DUMPS,  ASSOCIATED  PROCESSING,  AND  ANALYSIS  WILL  BE 
ACCOMPLISHED  USING  THE  FOLLOWING  GUIDELINES: 

A.  IF  THE  BFS  IS  RECALLED  FROM  MASS  MEMORY,  THE  ENTIRE 
INVARIANT  MEMORY  CONTENTS  OF  THE  RELOADED  GPC  WILL  BE 
VERIFIED,  TIME  PERMITTING. 

If  a  PASS  RS  GPC  is  re-IPL’ed,  the  verification  of  a  good  IPL  is  essentially  provided  by  its  ability  to  run 
in  a  redundant  set.  Since  the  BFS  is  used  alone,  the  dump  and  compare  is  the  only  complete  verification 
process  available  to  ensure  the  validity  of  the  reload  software. 

B.  IN  GENERAL,  FOR  FAILED  GPC'S,  A  HARDWARE- INI T I ATED  DUMP  WILL 
BE  PERFORMED,  TIME  PERMITTING,  TO  SUPPORT  GROUND  ANALYSIS. 
WHEN  POSSIBLE,  A  SOFTWARE  DUMP  OF  A  LIKE  MEMORY 
CONFIGURATION  GPC  WILL  BE  OBTAINED. 

A  hardware  dump  of  a  failed  GPC  (PASS  or  BFS)  is  taken  because  it  does  not  require  a  good  software 
load  to  obtain  the  dump.  A  software  dump  of  a  nonfailed,  like-configuration  GPC  is  done  because  a 
software  dump  can  be  done  without  affecting  the  ability  of  a  GPC  to  continue  its  operation  after  the 
dump.  The  two  dumps  can  then  be  compared  to  help  find  where  the  problem  that  caused  the  GPC  failure 
occurred.  Although  during  entry  there  will  probably  not  be  enough  time  to  complete  the  dump  analysis 
prior  to  landing,  collecting  the  data  at  the  time  of  the  failure  and  prior  to  any  GPC  reconfiguration 
allows  the  greatest  probability  of  being  able  to  determine  the  cause  of  the  GPC  failure.  Also,  in  the  event 
of  a  day(s)  waveoff,  the  dumps  can  be  analyzed  to  determine  possible  impacts  to  the  subsequent  entry 
attempt.  These  impacts  may  include,  but  are  not  limited  to,  GPC  reconfigurations  and/or  GPC  memory 
read/writes.  If  the  dumps  are  not  performed  and  the  problem  cannot  be  recreated  during  postflight 
analysis,  the  failure  would  be  treated  as  an  unexplained  anomaly.  With  TDRS  coverage  for  entry, 
downlist  interruption  by  a  GPC  dump  is  no  longer  a  concern  as  it  once  was  with  STDN  only  coverage. 
(Ref.  Rule  {A2-203E},  DEORBIT  DELAY  GUIDELINES. )  ®[i  21 593-1 585A] 

C.  INABILITY  TO  OBTAIN,  PROCESS,  OR  COMPLETE  GROUND  ANALYSIS  OF 
MEMORY  DUMP  DATA  IS  NOT  CAUSE  TO  DELAY  RECOVERY  OF  A  FAILED 
GPC. 

Recovery  procedures  should  not  be  dependent  upon  the  results  of  ground-based  memory  dump  processing 
since  ground-based  processing  can  be  delayed  by  numerous  external  factors. 

®[1 21 593-1 585A] 
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A7-51  BFS  DPS  FAILURE 

BFS  DPS  FAILURES  ARE  DECLARED  BY  THE  FOLLOWING  GUIDELINES: 

A.  THE  BFS  WILL  BE  DECLARED  FAILED  IF  NO  FORWARD  DEU  INTERFACE 
EXISTS  (POSSIBLY  CONCURRENT  WITH  "SELF  FAIL"  COMPUTER 
ANNUNCIATION  MATRIX  (CAM)  LIGHT)  .  ®[ED  ]  ®[040899-2459B] 

If  no  forward  DEU  interface  exists,  the  crew  has  no  insight  or  interface  with  the  BFS.  The  CAM  light 
may  blink  for  some  BFS  GPC  hardware  failures  where  the  BFS  is  restarting  on  multiple  major  cycles. 

One  point  worth  noting  is  that  the  CAM  light  will  not  illuminate  for  the  total  GPC  power  loss  failure. 
Reference  Rule  { A7-52AJ ,  ASCENT/ENTRY  BFS  MANAGEMENT  GUIDELINES.  ®[040899-2459B] 

B.  THE  BFS  WILL  BE  "NO-GO  FOR  ENGAGEMENT"  FOR  THE  FOLLOWING: 

BFS  is  no-go  if  it  cannot  be  relied  upon  to  back  up  the  PASS  because  it  either  (1)  cannot  be  engaged  or 
(2)  the  hardware/software  of  the  BFS  GPC  cannot  control  the  vehicle  subsequent  to  engage. 

1.  BFS  HAS  OPERATED  IN  STANDALONE  MODE  (WILL  NOT  TRACK 
PASS)  IN: 

a.  MM  102,  103,  AND  601  FOR  10  SECONDS. 

b.  MM  304,  305,  602,  AND  603  FOR  45  SECONDS. 

The  BFS  is  NO-GO  when  sensor  data  are  lost  due  to  not  listening  to  any  PASS-initiated  input 
transactions  because  the  BFS  has  lost  the  ability  to  accurately  update  the  vehicle’s  state  vector.  GNC 
degradation  rate  is  not  exactly  known;  however,  10  seconds  in  ascent  powered  flight  and  45  seconds  in 
entry  dynamic  flight  were  estimated  pre-STS-1.  Reference  Rule  { A7-52B },  ASCENT/ENTRY  BFS 
MANAGEMENT  GUIDELINES. 

2.  CONTROL  CA1  BUS  FAILED. 

If  CNTL  CA1  is  lost  and  BFS  resides  in  GPC’s  3  or  5,  the  BFS  will  not  receive  engage  discretes.  (For 
BFS  in  GPC’s  1,  2,  or  4,  failure  of  CNTL  AB3  bus  will  cause  the  loss  of  engage  discretes.)  It  is  important 
to  note,  if  the  engage  is  attempted,  BFS  will  not  recognize  the  engage  and  part  of  the  PASS  set  will  go  to 
software  halt.  Reference  Rule  {A7-52CJ,  ASCENT/ENTRY  BFS  MANAGEMENT  GUIDELINES. 

3.  LOSS  OF  ESS  3AB . 

For  loss  of  ESS  3AB  power,  the  BFS  select  capability  is  lost  and  no  GPC’s  can  be  selected  as  the  BFS.  If 
an  engage  is  attempted,  BFS  will  not  recognize  the  engage,  and  all  of  the  PASS  set  will  go  to  software 
halt.  Reference  Rule  {A7-52CJ,  ASCENT/ENTRY  BFS  MANAGEMENT  GUIDELINES. 
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A7-51  BFS  DPS  FAILURE  (CONTINUED) 

4.  IF  THE  BFS  I/O  TERM  B  FAILS  HIGH. 

If  the  BFS  I/O  TERM  B  is  failed  high,  then  the  BFS  cannot  be  engaged  since  this  input  must  be  low  for 
the  BFS  to  recognize  an  engage.  If  an  engage  is  attempted  with  the  BFS  I/O  TERM  B  failed  high,  the 
BFS  will  not  recognize  the  engage  and  PASS  will  go  to  software  halt.  Since  the  I/O  TERM  B  is  normally 
high  for  the  BFS  pre-engage,  this  failure  will  probably  not  be  recognized  unless  the  BFS  in  ternal  receiver 
2  of  hybrid  receiver  4  failed.  The  “half-hybrid”  failure  will  cause  the  BFS  I/O  TERM  A  to  go  high  since 
the  I/O  TERM  B  and  I/O  TERM  A  are  paired  together  on  interned  receiver  2  of  hybrid  4  (ref.  paragraph 
C7  and  Rule  {A7-52DJ,  ASCENT/ENTRY  BFS  MANAGEMENT  GUIDELINES). 

5.  BOTH  BFS  BFC  CRT  SEL  DISCRETES  AND  THE  BFS  I/O  TERM  B 
DISCRETE  FAIL  LOW  SIMULTANEOUSLY. 

The  simultaneous  failure  of  both  the  BFS  BFC  CRT  SEL  discretes  and  the  BFS  I/O  TERM  B  discrete  is 
indicative  of  a  5  volt  power  supply  failure  in  the  BFS  BFC  module.  The  BFS  BFC  module  will  not 
respond  to  the  engage  with  the  5-volt  power  supply  failed,  and  the  BFS  will  not  engage.  PASS  will 
recognize  the  engage  and  go  to  software  halt. 

C.  THE  BFS  WILL  BE  DECLARED  "SUSPECT"  FOR  THE  FOLLOWING: 

An  operating  BFS  (GNC  and  SM)  is  considered  suspect  when  its  ability  to  respond  to  an  engage  or  to 
con  trol  the  vehicle  subsequen  t  to  engage  is  in  doubt  due  to  a  hardware/ software  failure. 

1.  BFS  HAS  EVER  ENTERED  THE  HALT  STATE  WITHOUT  FIRST 
EXECUTING  AN  OPS  000  PRO  AND  HAS  SUBSEQUENTLY  BEEN 
RETURNED  TO  STANDBY  OR  RUN. 

The  BFS  performs  a  cleanup  when  an  OPS  000  PRO  is  performed.  Without  proper  cleanup,  the  BFS  may 
not  be  initialized  correctly  when  placing  the  mode  switch  back  to  standby  (User  Note  B04524C).  This 
same  situation  can  occur  after  the  BFS  experiences  a  transient  halt  state  and  subsequently  returns  to 
standby  or  run. 

2.  BFS  HAS  BEEN  RE-IPL'D  DURING  ASCENT  PER  RULE  {A7-52E}, 
ASCENT/ENTRY  BFS  MANAGEMENT  GUIDELINES.  A  BFS  RE-IPL'D 
DURING  ASCENT  WILL  NOT  BE  USED  FOR  GNC  PURPOSES. 

@[071494-1641  ] 

A  BFS  which  failed  and  was  re-IPL  ’d  during  ascent  should  not  be  used  for  GNC  purposes.  Since  the 
GPC  has  failed  once,  the  hardware  and  software  in  tegrity  of  the  BFS  cannot  be  assured.  Therefore,  a 
BFS  so  ‘recovered’  should  only  be  used  for  systems  monitoring  and  should  not  be  engaged  except  as  a 
last  resort  in  the  event  of  loss  of  vehicle  control. 
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A7-51  BFS  DPS  FAILURE  (CONTINUED) 

3.  BFS  HAS  EXPERIENCED  SOFT  ERRORS  AGAINST  THE  LOWER  PAGE 
OF  MEMORY  AT  A  CONSTANT  RATE  OR  EXPERIENCED  AN 
INSTANTANEOUS  SOFT  ERROR  COUNT  OF  7F .  @[041896  1872] 

Random  single-memory  hits  are  expected  to  occur  at  a  rate  of  several  per  day  or  in  single  bursts  of 
several  errors.  A  constant  incrementing  of  the  error  count  is  indicative  of  a  hcird-memory  failure.  Errors 
in  the  upper  page  of  memory  are  not  reflective  of  errors  in  the  lower  page  of  memory.  Currently,  the 
upper  page  of  memory  is  not  used  for  BFS  and;  therefore,  soft  errors  in  this  portion  of  memory  will  have 
no  impact  to  the  operating  ability  of  the  BFS.  ®[041 1 96  1 872  ] 

4.  UNEXPLAINED  "GPC  BITE"  FAULT  MESSAGE. 

The  BFS  generates  a  GPC  BITE  fault  message  when  it  encounters  a  condition  requiring  a  software 
restart  for  error  recovery.  This  could  also  point  to  a  software  or  hardware  problem.  The  BFS  may  not 
function  properly  in  the  event  that  a  BFS  engage  is  required. 

5.  UNEXPLAINED  "GPC  PWR"  FAULT  MESSAGE. 

A  GPC  PWR  fault  message  is  an  indication  that  the  BFS  GPC  has  experienced  a  power  transient.  The 
BFS  may  not  function  properly  in  the  event  that  a  BFS  engage  is  required.  Rules  {A7-53},  ON-ORBIT 
BFS  MANAGEMENT  GUIDELINES,  and  (A7-9J,  REDUNDANT  SET  SPLIT,  reference  this  rule. 

6.  IF  THE  BFS  I/O  TERM  B  FAILS  LOW. 

The  I/O  TERM  B  and  the  engage  discrete  inputs  to  the  BFS  are  generated  by  logic  contained  within  the 
BFC.  The  BFC  depends  on  power  to  and  the  configuration  of  the  GPC  OUTPUT  switches  on  panel  06. 

If  the  fuse  leading  to  the  output  switches  fails  or  if  the  BFC  experiences  an  internal  power  failure,  the  I/O 
TERM  B  will  go  low  at  the  BFS.  While  the  lack  of  an  I/O  TERM  B  discrete  input  to  the  BFS  will  not 
prevent  the  BFS  from  recognizing  an  engage,  it  does  cast  doubt  on  the  inputs  to  the  BFC  and/or  its  ability 
to  properly  process  the  engage  discretes  and  I/O  TERM  B.  If  the  problem  is  within  the  BFC  module 
serving  the  BFS  or  the  inputs  to  this  module,  then  the  PASS  set  will  go  to  software  halt  upon  engage  and 
the  BFS  may  not  engage.  Since  the  source  of  the  problem  cannot  be  determined,  the  BFS  should  be 
declared  suspect. 

7.  IF  THE  BFS  I/O  TERM  A  FAILS  HIGH. 

The  I/O  TERM  A  and  the  I/O  TERM  B  share  a  common  interned  receiver  in  GPC  hybrid  receiver  4.  An 
I/O  TERM  A  failure  could  be  indicative  of  a  single  discrete  failure  on  hybrid  receiver  4  or  could  indicate 
the  loss  of  both  the  I/O  TERM  A  and  I/O  TERM  B  if  the  common  in  terned  receiver  hasfedled.  Since  the 
pre-engage  state  of  the  BFS  I/O  TERM  B  is  high,  it  is  not  possible  to  determine  the  health  of  the  I/O 
TERM  B  discrete  without  moding  the  BFS  OUTPUT  switch  to  NORMAL.  If  the  common  receiver  has 
failed  high,  then  the  BFS  cannot  be  engaged  since  the  I/O  TERM  B  must  be  low  for  the  BFS  to  recognize 
the  engage.  If  an  engage  is  attempted  with  the  common  receiver  failed  high,  the  BFS  will  not  recognize 
the  engage  and  PASS  will  go  to  software  halt.  The  BFS  should  be  declared  suspect  until  the  status  of  the 
I/O  TERM  B  can  be  verified  (ref.  paragraph  B,4). 
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A7-52  ASCENT/ENTRY  BFS  MANAGEMENT  GUIDELINES 

DURING  ASCENT  (POST-MECO)  AND  ENTRY  (POST-TIG) ,  THE  FOLLOWING 
GUIDELINES  WILL  BE  FOLLOWED: 

A.  FOR  LOSS  OF  FORWARD  DEU  INTERFACE,  MODE  THE  BFS  GPC  TO 
"HALT"  AND  PLACE  THE  OUTPUT  SWITCH  IN  "TERMINATE".  ©[040899-2459B] 

If  no  forward  DEU  interface  exists  after  the  crew  performs  BFS/DEU  recovery  procedures,  they  will  have 
no  interface  with  the  BFS;  hence,  the  BFS  is  unusable.  As  a  cleanup  item,  the  BFS  GPC  will  be  moded  to 
HALT  to  cease  software  execution,  and  the  output  switch  will  be  placed  in  the  TERMINATE  position  to 
protect  the  PASS  from  going  to  software  halt  in  the  event  of  an  inadvertent  engage.  The  TERMINATE 
position  will  be  used  instead  of  NORMAL  for  consistency  with  BFS  standalone  actions  (ref.  paragraph  B). 
©[040899-2459B] 

B.  FOR  BFS  STANDALONE  MODE,  MODE  THE  BFS  GPC  TO  "STANDBY",  AND 
PLACE  THE  BFS  OUTPUT  SWITCH  IN  "TERMINATE". 

If  the  BFS  continues  in  a  standalone  mode  after  the  crew  performs  BFS  recovery  procedures,  the  BFS 
will  be  unable  to  perform  SM  antenna  management.  In  addition,  the  ground  will  be  unable  to  command 
via  the  payload  buses.  Moding  the  mode  switch  to  STANDBY  causes  the  BFS  to  relinquish  the  PL  buses 
to  the  PASS.  In  the  STANDBY  position,  the  BFS  can  continue  to  perform  FDA  processing  on  orbiter  01 
subsystems.  The  output  switch  in  the  TERMINATE  position  will  protect  the  PASS  from  going  to  software 
halt  in  the  event  of  an  inadvertent  engage.  The  switch  is  placed  in  TERMINATE  rather  than  NORMAL  to 
keep  the  I/O  TERM  B  discrete  input  high  at  the  BFS,  thus  preventing  a  single-point  BFS  GPC  failure 
(either  full  or  half  hybrid  receiver  10  failing  high)  from  causing  the  BFS  to  self-engage. 

C.  FOR  LOSS  OF  CONTROL  CA1  ( AB3 )  OR  ESSENTIAL  3AB  BUS,  PLACE 
THE  BFS  OUTPUT  SWITCH  IN  "TERMINATE". 

The  loss  of  control  CA1  prevents  the  BFS  from  processing  engage  discretes  for  GPC’s  3  and  5.  If  the 
BFS  is  in  one  of  these  GPC’s,  then  it  cannot  be  engaged  and  it  is  necessary  to  protect  the  PASS  from 
going  to  software  halt  in  the  event  of  an  inadvertent  engage.  This  is  accomplished  by  placing  the  BFS 
output  switch  in  TERMINATE.  The  switch  is  placed  in  TERMINATE  rather  than  NORMAL  to  keep  the 
I/O  TERM  B  discrete  input  high  at  the  BFS,  thus  preventing  a  single-point  BFS  GPC  failure  (either  full  or 
half  hybrid  receiver  10  failing  high)  from  causing  the  BFS  to  self-engage.  The  same  rationale  can  be 
applied  to  the  loss  of  con  trol  AB3  if  the  BFS  is  in  GPC  1,  2,  or  4. 

The  loss  of  essential  3AB  prevents  any  GPC  from  properly  processing  the  engage  discretes  as  a  BFS  (ref. 
Rule  (A  7-5 1 B).  3,  BFS  DPS  FAILURE).  This  also  places  the  BFS  one  failure  away  from  self-  engage  by 
removing  the  I/O  TERM  B  input  to  the  BFS  GPC.  If  the  BFS  is  in  GPC  1,  2,  4,  or  5,  the  I/O  TERM  B  can 
be  reapplied  by  placing  the  BFS  output  switch  in  TERMINATE  since  this  position  is  powered  by  a 
different  bus.  The  I/O  TERM  B  cannot  be  recovered  if  the  BFS  is  in  GPC  3  since  the  TERMINATE 
position  is  also  powered  by  ESS3AB.  However,  placing  the  switch  in  TERMINATE  for  this  case  will 
maintain  procedural  consistency  without  placing  the  BFS  or  PASS  in  a  worse  configuration. 
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A7-52  ASCENT/ENTRY  BFS  MANAGEMENT  GUIDELINES 

(CONTINUED) 

D.  FOR  BFS  GPC  I/O  TERM  B  FAIL  HIGH,  PLACE  THE  BFS  OUTPUT 
SWITCH  IN  "TERMINATE". 

If  the  BFS/I/O  TERM  B  is  failed  high,  then  the  BFS  cannot  recognize  cm  engage  and  it  is  necessary  to 
protect  the  PASS  from  going  to  software  halt  in  the  event  of  an  inadvertent  engage.  This  is  accomplished 
by  placing  the  BFS  output  switch  in  TERMINATE.  The  switch  is  placed  in  TERMINATE  rather  than 
NORMAL  for  consistency  with  other  BFS  NO-GO  actions. 

E.  FOR  BFS  GPC  FAIL  DURING  ASCENT,  A  BFS  IPL  MAY  BE  ATTEMPTED 
IN  GPC  5  POST  ET  SEP. 

BFS  IPL  during  ascent  is  an  MCC  call  to  regain  crew  insight  into  critical  systems. 

BFS  IPL  will  only  be  requested  when  there  is  adequate  time  to  complete  the  procedure  before  the  OMS-2 
burn,  and  it  would  not  interfere  with  other  activities.  A  GPC  5  hardware  dump  will  normally  be 
performed  before  IPL’ing. 

The  BFS  IPL  is  performed  only  on  GPC  5  because  we  are  unwilling  to  give  up  a  good  PASS  GPC  during 
ascent. 

DPS  will  not  recommend  a  BFS  IPL  in  GPC  5  if  GPC  5  has  exhibited  symptoms  of  erroneous  output  or 
degraded  IOP  functions. 

Even  if  GPC  5  recovers  via  IPL,  the  BFS  will  be  moved  on  orbit  per  Rule  {A7-53},  ON-ORBIT  BFS 
MANAGEMENT  GUIDELINES. 

F.  IF  DECLARED  "SUSPECT",  THE  BFS  WILL  BE  CONSIDERED  "NOT 
AVAILABLE"  FOR  ASCENT/ENTRY  RESTRING  PURPOSES  (RULE  {A2-63}, 
ASCENT  STRING  REASSIGNMENT,  AND  RULE  {A2-254},  ENTRY  STRING 
REASSIGNMENT)  AND  WILL  ONLY  BE  ENGAGED  AS  A  LAST  RESORT. 

The  difference  between  a  “NO-GO  for  engagement”  call  and  a  “suspect”  call  is  that  in  “  NO-GO  for 
engagement”  the  BFS  will  not  fly  the  vehicle.  In  the  “suspect”  case,  the  BFS  mayfly  the  vehicle  but  it 
cannot  be  guaranteed. 

Rule  { A7-51 },  BFS  DPS  FAILURE,  references  this  rule. 
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A7-53  ON-ORBIT  BFS  MANAGEMENT  GUIDELINES 

ON  ORBIT  (POST-OPS  2  THROUGH  PRE-TIG) ,  FOR  ANY  BFS  INDICATION 
DETERMINED  TO  BE  A  FAULT  CONDITION  INCLUDING  THOSE  LISTED  BELOW, 
THE  BFS  WILL  BE  RELOADED  INTO  A  GPC  THAT  HAS  NOT  EXPERIENCED  ANY 
FAILURES.  @[101096-4516] 

A  reload  of  the  BFS  (into  a  PASS  GPC)  regains  the  BFS  function  and  provides  a  backup  means  during 
entry  to  assume  control  of  the  vehicle  in  the  event  the  PASS  set  can  no  longer  maintain  vehicle  control. 
Reassignment  of  the  BFS  should  be  performed  as  soon  as  practical  to  protect  for  contingency  deorbit. 

The  BFS  GPC  is  the  last  means  of  recovery  for  loss  of  the  PASS  set  and  is  therefore  critical  to  vehicle 
safety  if  it  is  engaged.  The  BFS  will  always  be  main  tained  in  a  GPC  without  any  previous  failures. 
@[101096-4516] 

A.  BFS  GPC  HAS  BEEN  DECLARED  FAILED. 

B.  BFS  HAS  BEEN  DECLARED  NO-GO  FOR  ENGAGEMENT  DUE  TO  LOSS  OF 
CONTROL  CA1  BUS . 

For  loss  of  control  CA1  bus,  the  BFS  engage  capability  can  be  regained  by  reloading  the  BFS  into 
another  GPC  except  GPC  3  (or  5 ). 

C.  THE  BFS  HAS  BEEN  DECLARED  SUSPECT. 

BFS  “suspect”  is  defined  in  Rule  ( A7-51 j,  BFS  DPS  FAILURE. 

D.  BFS  GPC  HAS  AN  INSTRUMENTATION  PCMMU  (IP)  BUS  CONTROL 
ELEMENT  (BCE)  FAILURE  (LOSS  OF  DOWNLIST),  TIME  PERMITTING. 

An  IP  BCE  failure  results  in  a  loss  of  downlist  and  results  in  loss  of  01  data  to  the  crew.  With  this  type  of 
failure,  the  MCC  has  no  insight  into  orbiter  systems  performance.  In  addition,  insight  on  two-stage 
command  feedback  is  not  available.  It  is  highly  desirable  to  have  insight  into  the  BFS;  hence,  the  BFS 
will  be  reloaded  time  permitting.  @[101096-4516  ] 

E.  BFS  GPC  HAS  A  PL1  OR  PL2  BCE  FAILURE,  TIME  PERMITTING. 

A  loss  ofci  PL1  or  PL2  BCE  failure  results  in  a  loss  of  redundancy  for  antenna  management.  It  is 
preferred  to  have  redundancy  for  SM  antenna  management;  hence,  the  BFS  will  be  reloaded  into  another 
GPC. 
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A7-53  ON-ORBIT  BFS  MANAGEMENT  GUIDELINES  (CONTINUED) 

F.  BFS  GPC  HAS  ONE  OR  MORE  FC  BCE  RECEIVER  FAILURES,  TIME 
PERMITTING. 

Loss  of  one  flight-critical  BCE  receiver  results  in  loss  of  data  from  the  associated  MDM/BTU’s  to  the 
BFS.  Upon  a  BFS  engage,  the  BFS  would  start  without  a  full  flight-critical  redundancy.  It  is  desirable  to 
have  the  BFS  track  all  PASS  strings  upon  an  engage;  consequently,  the  BFS  will  be  reloaded  into  another 
GPC  time  permitting. 

Rules  (A2-301J  (NOTE  71),  CONTINGENCY  ACTION  SUMMARY;  and  (A7-52J,  ASCENT/ENTRY  BFS 
MANAGEMENT  GUIDELINES,  reference  this  rule. 
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A7-101  POWER  CYCLING/MANAGEMENT 

A.  FAILURES 

GPC'S,  MMU '  S ,  DEU/DU'S,  AND  MDM' S  WILL  BE  POWERED  OFF  IF 
THEY  INCUR  HARD  FAILURES.  MDM' S  WILL  BE  CYCLED  "OFF"  THEN 
"ON"  TO  RESET  OUTPUTS  FOLLOWING  A  DATA  PATH  FAILURE.  MDM' S 
MAY  BE  CYCLED  "OFF"  THEN  "ON"  FOR  GPC  FAILURES.  ©[040899-2459B] 

LRU’s  experiencing  hard  failures  may  be  powered  off  to  save  power  if  they  are  nonfunctional. 

B.  POWER  MANAGEMENT 

MMU '  S ,  DEU/DU'S,  AND  MDM' S  MAY  BE  POWERED  OFF  FOR  POWER 
MANAGEMENT.  GPC'S  (101S)  WILL  NOT  NORMALLY  BE  POWERED  OFF 
FOR  POWER  MANAGEMENT.  ©[040899-2459B] 

LRU’s,  except  for  the  new  GPC’s  (101S),  may  be  powered  off  for  power  management.  Mission  extensions 
or  unique  flights  may  require  minimization  of  power  consumption.  The  101S  GPC’s  power  consumption 
in  the  sleep  mode  is  56  watts,  less  than  one  tenth  of  its  operating  power  consumption.  Since  removing 
power  from  the  10  IS  GPC  causes  loss  of  memory  integrity,  a  10  IS  GPC  will  only  be  powered  off  under 
extreme  powerdown  conditions.  @[092701-4872  ] 

A7-102  PASS  DATA  BUS  ASSIGNMENT  CRITERIA 

PASS  GPC  DATA  BUSES  WILL  BE  ASSIGNED  USING  THE  FOLLOWING 
GUIDELINES : 

A.  DISPLAY/KEYBOARD  (DK)  BUSES: 

1.  FOR  RS  OPERATION,  THE  CDR' S  (PLT'S)  DEU  AND  DDU  WILL  NOT 
BE  ASSIGNED  TO  THE  SAME  GPC.  DISTRIBUTION  OF  THE  DEU' S 
AND  DDU' S  PREVENTS  LOSS  OF  CDR' S  (PLT'S)  INSTRUMENTATION 
AND  DEU  DISPLAYED  DATA  FOR  A  SINGLE  GPC  FAILURE  (N/A 
FOR  MEDS  VEHICLES)  .  ©[040899-2459B] 

Three  DEU’s  and  two  DDU’s  are  available  during  RS  operation.  The  DEU’s  are  nominally  assigned  to 
different  GPC’s  {ref.  paragraph  A. 2).  The  DDU’s  are  driven  from  a  flight-critical  bus  as  selected  by  the 
data  bus  switches  on  panels  F6  and  F8.  By  proper  data  bus  selection,  the  CDR’s  (PLT’s)  DEU  and  flight 
instruments  can  be  driven  by  different  GPC’s  providing  protection  against  total  data  loss  for  a  single 
GPC  failu  re. 
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A7-102  PASS  DATA  BUS  ASSIGNMENT  CRITERIA  (CONTINUED) 

2.  FOR  RS  OPERATION  IN  A  MEDS  ENVIRONMENT,  ALL  OF  THE  CDR' S 
(PLT'S)  DISPLAYS  WILL  NOT  BE  DRIVEN  BY  THE  SAME  GPC . 

The  DPS  displays  are  driven  via  the  DK  buses  that  are  nominally  assigned  to  different  GPC’s.  The  flight 
instrument  displays  are  driven  from  flight  critical  buses  selected  by  the  edge  keys.  By  proper  data  bus 
selection,  the  CDR’s  (PLT’s)  DPS  displays  and  flight  instrument  displays  can  be  driven  by  different 
GPC’s  and  IDP's  providing  protection  against  total  data  loss  for  a  single  GPC  or  IDP  failure. 

3.  ALL  DEU'S  IN  A  PASS  COMMON  SET  WILL  NOT  BE  ASSIGNED  VIA 
MAJOR  FUNCTION  SWITCH  OR  GPC/CRT  KEY  TO  ANY  ONE  GPC. 

If  all  DEU’s  were  assigned  to  a  single  GPC,  and  this  GPC  failed,  the  crew  would  lose  insight  into  healthy 
GPC’s  and  would  be  unable  to  communicate  with  the  GPC’s.  ©[040899-2459B] 

B.  MMU  BUSES  WILL  BE  ASSIGNED  TO  DIFFERENT  GPC'S  FOR  RS  OPERATION. 

The  MMU  buses  will  be  distributed  via  NBAT  assignment  to  different  redundant  set  GPC’s  to  provide 
different  commanding  GPC’s  on  each  MMU  bus.  This  provides  redundant  GPC-to-MMU  data  paths. 

C.  FLIGHT  CRITICAL  (FC)  BUSES: 

1.  ALL  STRINGS  WILL  BE  USED  BY  THE  RS  REGARDLESS  OF  THE 
NUMBER  OF  GPC'S  IN  THE  SET. 

All  strings  will  be  used  by  the  redundant  set  to  maintain  full  flight-critical  systems  redundancy  except  for 
cases  of  non-universal  I/O  errors  (ref.  Rule  {A7-104J,  NONUNIVERSAL  I/O  ERROR  ACTION). 

2.  ORBIT  STRINGING  @[082593-1538] 

a.  NORMAL  STRINGING  FOR  ORBIT  OPERATIONS  WHEN  THERE  ARE 
TWO  GNC  GPC'S  WILL  BE  STRINGS  1  AND  3  ASSIGNED  TO 
ONE  GPC  AND  STRINGS  2  AND  4  ASSIGNED  TO  THE  OTHER. 

This  stringing  provides  optimal  redundancy;  it  will  provide  continuous  uninterrupted  vehicle  control 
(assuming  no  other  failures)  even  if  one  GNC  GPC  fails.  This  string  combination  will  provide  jet 
redundancy  for  translation  and  LO  Z  rotation. 
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A7-102  PASS  DATA  BUS  ASSIGNMENT  CRITERIA  (CONTINUED) 

b.  NORMAL  STRINGING  FOR  ORBIT  OPERATIONS  WHEN  THERE  ARE 
THREE  GNC  GPC'S  WILL  BE  STRING  1  TO  ONE  GPC,  STRING 
2  TO  ANOTHER  GPC,  AND  STRINGS  3  AND  4  TO  THE  THIRD 
GPC. 

For  a  rendezvous/prox  ops  with  three  GPC’s,  pairing  strings  3  and  4  together  provides  the  best  jet  authority 
protection  against  a  GPC  failure.  If  a  GPC  fails,  there  is  no  jet  authority  requirement  that  forces  an 
immediate  restring.  There  is  no  other  LRU  failure  that  will  force  a  restring.  This  is  true  whether  norm-Z  or 
low-Z  is  being  used.  This  stringing  also  keeps  the  three  IMU’s  separated.  @[082593-1538] 

3.  FOR  HARD  OR  TRANSIENT  FLIGHT-CRITICAL  (FC)  BCE 

TRANSMITTER-ONLY  FAILURES  IN  GPC'S,  STRING  REASSIGNMENT 
MAY  BE  UTILIZED  TO  REGAIN  THE  DATA  PATH. 


A  GPC  BCE  transmitter-only  failure  results  in  a  data  path  loss;  reassigning  the  bypassed  BTU’s/  LRU’s 
to  a  GPC  with  a  healthy  transmitter  will  restore  communications  with  the  bypassed  BTU’s/ LRU’s. 
Because  the  GPC  with  the  BCE  transmitter-only  failure  will  continue  to  operate  in  the  redundant  set  and 
is  capable  of  commanding  a  different  string,  it  will  be  assigned  a  different  string  and  full  flight-critical 
systems  redundancy  is  maintained. 

4.  DURING  ASCENT,  STRING  REASSIGNMENT  WILL  BE  PERFORMED  PER 
RULE  { A2 - 63 } ,  ASCENT  STRING  REASSIGNMENT. 

Reference  Rule  {  A2-63J,  ASCENT  STRING  REASSIGNMENT. 

5.  FOLLOWING  GPC  FAILURES,  THE  CRITERIA  FOR  ASCENT  STRING 
ASSIGNMENTS  IN  ORDER  OF  PRIORITY  ARE  (ASSUMES  NO  LRU 
FAILURES) : 


To  maintain  a  fail-safe  operational  configuration,  a  set  of  priorities  was  established  for  string 
assignments. 


a.  STRINGS  1,  2,  AND  3  WILL  NOT  BE  ASSIGNED  TO  THE  SAME 
GPC  TO  PROTECT  IMU  REDUNDANCY. 

Self-explanatory. 

b.  STRINGS  1  AND  3  WILL  NOT  BE  ASSIGNED  TO  THE  SAME  GPC 
TO  PROTECT  NSP  REDUNDANCY. 


Assign  ing  strings  1  and  3  together  causes  a  poten  tial  for  loss  of  command  and  commun  ication  with  the 
crew  if  the  commanding  GPC  failed. 
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A7-102  PASS  DATA  BUS  ASSIGNMENT  CRITERIA  (CONTINUED) 

6.  FOR  A  PASS  SET  OF  FOUR  GPC'S,  A  TRANSIENT  GPC  WILL  BE 
ASSIGNED  STRING  4  DURING  ENTRY.  @[101096-4516] 

A  transient  GPC  may  fail  again  during  entry.  Because  string  4  has  fewer  LRU’s,  loss  of  string  4  is  of  less 
significance  than  loss  of  other  strings.  @[101096-451 6  ] 

7.  ENTRY  STRINGING  WILL  BE  ESTABLISHED  PRE-TIG  AND  WILL  NOT 
BE  CHANGED  POST-TIG  UNLESS  REQUIRED  BY  SUBSEQUENT 
FAILURES  AS  SPECIFIED  IN  RULE  {A2-254},  ENTRY  STRING 
REASSIGNMENT . 


An  NBAT  assignment  is  agreed  on  prior  to  MM  302  to  maximize  flight-critical  redundancy  for  entry 
control.  A  string  assignment  criteria  has  been  established  for  a  redundant  set  with  less  than  four  PASS 
GPC’s.  Reference  paragraph  C.8for  additional  details. 

8.  FOR  DEORBIT  BURN  AND  ENTRY,  IF  LESS  THAN  FOUR  PASS  GPC'S 

ARE  AVAILABLE,  THE  STRINGS  WILL  BE  DISTRIBUTED  TO  MINIMIZE 
THE  LOSS  OF  CRITICAL  FUNCTIONS  FOR  A  SUBSEQUENT  GPC 
FAILURE.  THE  PRIORITIZED  LIST  OF  FUNCTIONS  TO  BE 
PROTECTED  BY  SELECTING  THE  STRING  ASSIGNMENTS  IS  SHOWN 
BELOW,  STARTING  WITH  THE  HIGHEST  PRIORITY.  STRING 
ASSIGNMENTS  WILL  BE  BASED  ON  DISTRIBUTION  CONSIDERATIONS 
FIRST  (DISTRIBUTING  STRINGS  AS  EVENLY  AS  POSSIBLE  OR 
AVOIDING  CERTAIN  STRING  COMBINATIONS) .  AFTER  DISTRIBUTION 
CONCERNS  ARE  MET,  FINAL  STRING  ASSIGNMENT  SELECTION  WILL 
BE  BASED  ON  AVOIDING  ASSIGNMENT  TO  ANY  TRANSIENT  GPC'S,  IF 
POSSIBLE . 


a . 

ONE 

IMU  (TRANSIENT  GPC  CONCERN  ONLY) 

b . 

TWO 

ASA'  S 

c . 

TWO 

RGA'  S 

d . 

TWO 

AA'  S 

e . 

TWO 

IMU'  S 

f . 

TWO 

YAW  JETS 

g. 

PITCH  JETS  (ONE  FAULT  TOLERANT) 

h . 

RHC 

CONTACTS  (ONE  FAULT  TOLERANT) 
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PASS  DATA  BUS  ASSIGNMENT  CRITERIA  (CONTINUED) 


i.  THREE  ASA'S 

j.  VENT  DOORS  @[071494-1638] 

k.  NWS  (FOR  RTLS /TAL/AOA  (KSC)  OR  ANY  SITE  WITH  KNOWN 
DIRECTION  CONTROL  PROBLEMS)  [1] 

l .  THREE  RGA' S 

m.  THREE  AA' S 

n.  FOUR  ASA'S  (FCS  CRITERIA)  (REF.  RULE  {A8-107},  FCS 
CHANNEL  MANAGEMENT)  AVOID  ASSIGNING  STRINGS  1  AND  2, 
1  AND  3,  OR  2  AND  3  TOGETHER 

O.  THREE  YAW  JETS 

p.  THREE  ADTA'S  (ONE  FAULT  TOLERANT) 

q.  RHC  CONTACTS  (TWO  FAULT  TOLERANT) 

r.  THREE  IMU' S 

s.  L  RHC  CONTACTS 

t.  NWS  FOR  EOM  LANDING 

U.  L  OMS  IGNITION  (ONE  FAULT  TOLERANT)  (DEORBIT  BURN 
CONSIDERATION  ONLY) 

v.  R  OMS  IGNITION  (ONE  FAULT  TOLERANT)  (DEORBIT  BURN 
CONSIDERATION  ONLY) 

w.  OMS  TVC  (DEORBIT  BURN  CONSIDERATION  ONLY) 

x.  FOUR  AFT  FIRING  PRIMARY  RCS  JETS  (DEORBIT  BURN 
CONSIDERATION  ONLY) 

y.  ONE  OR  TWO  NSP'S 
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A7-102  PASS  DATA  BUS  ASSIGNMENT  CRITERIA  (CONTINUED) 


NOTE  : 

[1]  CURRENT  CHANNELIZATION  FOR  NWS  IS  THE  SAME  AS  FOR 
VENT  DOOR  FUNCTION,  I.E.,  PROTECTING  ONE  COVERS 
BOTH. 


Rationale  TBS. 


9.  IF  THERE  ARE  MULTIPLE  STRINGING  COMBINATIONS  WHICH 

SATISFY  THE  ABOVE  CRITERIA,  THE  COMBINATION  CLOSEST  TO 
NOMINAL  WILL  BE  SELECTED. 


It  is  preferred  to  stay  close  to  nominal  because  it  reduces  the  risk  of  inducing  errors  when  the  crew 
responds  to  subsequent  failures. 

Rules  (A7-3BJ,  GPC  FAILURE;  { A7-6B },  DATA  PATH  FAILURE;  {A7-5Aj  and  B,  PASS  GPC  BCE 
FAILURE  MANAGEMENT;  and  {A8-55J,  ET  SEPARATION  RCS  REQUIREMENTS,  reference  this  rule. 

A7-103  I/O  RESET 

I/O  RESET  KEY  MAY  BE  USED  ANYTIME  IN  PASS  AND  BFS  TO  ATTEMPT 
RESTORATION  OF  NOMINAL  I/O,  EXCEPT  FOR  CASES  OF  NONUNIVERSAL  I/O 
ERROR.  (REF.  RULE  {A7-104},  NONUNIVERSAL  I/O  ERROR  ACTION.) 


An  I/O  reset  provides  resetting  of  hardware  electronics  that  reinitiates  I/O  and  may  clear  transien  t  I/O 
functions.  Reinitiating  I/O  if  a  nonuniversal  I/O  error  condition  has  occurred  could  cause  a  FTS  or  set 
split.  Reference  Rule  {A7-104},  NONUNIVERSAL  I/O  ERROR  ACTION  (ref.  FRCB  meeting  # 49  held  on 
January  23,  1991). 
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A7-104  NONUNI VERSAL  I/O  ERROR  ACTION 

RESTRINGING  OR  I/O  RESETS  WILL  NOT  BE  PERFORMED  FOR  RECOVERY  OF 
A  BCE  ELEMENT  BYPASS  NOR  WILL  AN  OPS  TRANSITION  BE  PERFORMED  IF 
A  NON-UNIVERSAL  I/O  ERROR  CONDITION  HAS  OCCURRED  ON  ANY  BUS 
UNLESS  CRITICAL  CAPABILITY  RECOVERY  IS  BEING  ATTEMPTED,  OR  UNTIL 
THE  STRING  ASSOCIATED  WITH  THE  NON-UNIVERSAL  CONDITION  HAS  BEEN 
SAFED.  PORT  MODING  WILL  NOT  BE  ATTEMPTED  ON  A  STRING  WITH  A 
NON-UNIVERSAL  I/O  ERROR  UNLESS  THE  BUS  WITH  THE  ERROR  HAS  BEEN 
SAFED  OR  CRITICAL  RECOVERY  IS  BEING  ATTEMPTED.  ©[121296-4564A] 

When  an  elemen  t  bypass  occurs,  if  the  I/O  error  condition  is  not  logged  equally  in  the  I/O  error  logs  by 
each  GPC  in  the  RS,  then  a  nonuniversal  I/O  error  has  occurred.  This  could  be  caused  by  a  GPC 
problem,  an  unterminated  data  bus,  or  a  loquacious  BTJJ.  If  only  a  single  GPC  in  an  RS  logs  an  error 
associated  with  this  condition,  then  that  GPC  will  fail-to-sync.  If  more  than  one  GPC,  but  not  all 
GPC’s  log  an  error,  then  the  condition  is  more  properly  called  a  nonuniversally  detected  error 
condition  (as  defined  by  the  software  developers ).  Upmoding  of  a  bypassed  element  under  conditions 
of  nonuniversal  I/O  error  by  the  use  of  port  moding,  restringing  or  I/O  resets,  can  result  in  an  FTS  or  in 
a  redundant  set  split.  Therefore,  these  actions  should  be  avoided  (user  note  101757 )  until  the  string 
associated  with  the  nonuniversal  I/O  error  has  been  safed,  unless  critical  capability  recovery  is  being 
attempted.  ©[121296-4564A] 

Safing  of  a  string  associated  with  a  non-universal  I/O  error  condition  is  guaranteed  by  deassigning  the 
string  from  the  NBAT  and  performing  an  OPS  mode  recall  or  OPS  transition.  Also,  a  string  may  be  safed 
by  ensuring  that  all  LRU’s  (except  GPC’s )  capable  of  transmitting  on  the  affected  bus  are  powered  off.  If 
this  can  be  done,  then  the  nonuniversal  I/O  error  condition  becomes  a  universally  detected  error  since 
there  is  no  longer  any  LRU  remaining  that  can  respond  to  a  request  from  the  GPC  for  data.  For  the 
entry  phase  of  flight,  the  only  active  LRU’s  on  the  flight  critical  buses  are  the  FF  and  FA  MDM’s.  The 
MFC’s  and  EIU’s  are  also  connected  to  flight  critical  buses,  but  these  LRU’s  are  powered  off  during 
entry.  If  the  MDM  associated  with  the  bus  having  the  nonuniversal  I/O  error  condition  is  powered  off, 
the  error  is  made  universal,  and  the  bus  has  been  safed.  During  ascent,  the  MEC’s  and  EIU’s  are 
powered  on.  Since  the  MEC’s  arid  EIU’s  cannot  be  powered  off  during  OPS  1  or  6,  the  only  viable 
method  of  safing  flight  critical  buses  five  through  eight  is  to  deassign  the  affected  string.  Flight  critical 
buses  one  through  four  (used  by  FF  MDM’s  while  on  primary  ports)  only  have  the  FF  MDM’ s  (or  FA 
MDM  if  port  moded  to  secondary  ports)  that  can  transmit  on  the  bus.  Therefore,  for  ascent,  only  buses 
one  through  four  could  be  safed  by  powering  off  the  associated  MDM.  ®[121296-4564A] 

If  fault  messages  indicate  that  not  all  GPC’s  are  annunciating  the  error,  then  a  nonuniversal  I/O  error 
has  occurred  and  the  crew  will  be  aware  of  the  condition.  If  the  fault  messages  indicate  universal 
annunciation  of  the  error,  there  still  may  be  a  nonuniversal  error  condition,  but  the  crew  will  not  be  able 
to  detect  it  since  the  I/O  error  logs  are  the  only  absolute  indicator  of  the  condition. 

Given  no  evidence  of  nonuniversal  I/O  errors  or  no  advice  from  flight  controllers,  the  crew  will  follow 
normal  procedures  which  use  I/O  reset,  port  moding,  and  in  some  cases,  restring,  as  part  of  the  recovery 
attempts  for  bypasses. 
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A7-104 


NONUNI VERSAL  I/O  ERROR  ACTION  (CONTINUED) 


Because  the  port  moding  operation  only  upmodes  the  string  being  port  inoded,  a  port  inode  can  be  done 
to  recover  a  bypassed  element  under  nonuniversal  I/O  error  conditions  if  the  nonuniversal  error  is 
associated  with  a  different  string  than  the  one  being  port  moded. 

If  recovery  of  critical  capability  is  needed,  then  I/O  reset,  port  mode  and  restringing  may  be  attempted 
even  if  nonuniversal  error  conditions  exist  in  an  attempt  to  recover  the  bypassed  elemen  t  with  the 
knowledge  that  a  FTS  or  set  split  may  occur. 

For  cases  where  a  nonuniversal  I/O  error  condition  exists  prior  to  execution  of  an  OPS  transition,  the 
string  with  the  nonuniversal  I/O  error  condition  should  not  be  assigned  in  the  NBAT  for  the  OPS  being 
entered  unless  the  string  has  been  safed.  ©[121296-4564A] 


Rules  {A7-102CJ.  1,  PASS  DATA  BUS  ASSIGNMENT  CRITERIA;  {A7-103J,  I/O  RESET;  and  { A7-105 }, 
MDM  PORT  MODING,  reference  this  rule. 


A7-105 


MDM  PORT  MODING 


MDM  PORT  MODING  WILL  BE  PERFORMED  ACCORDING  TO  THE  FOLLOWING 
GUIDELINES : 

A.  MM  102  -  PORT  MODING  OF  FLIGHT-CRITICAL  OR  PAYLOAD  MDM' S 
WILL  NOT  BE  ATTEMPTED  UNLESS  IT  IS  NECESSARY  TO  REGAIN 
CRITICAL  SYSTEM  CAPABILITY. 

For  port  dependent  MDM  failures,  port  moding  may  be  attempted  to  regain  the  required  MDM  redundancy 
by  giving  up  port  redundancy  in  the  bypassed  MDM.  During  MM  102,  system  reconfiguration  is  not 
routinely  done  due  to  the  dynamic  nature  of  this  flight  phase.  For  multiple  failures  that  impact  critical 
systems  capability,  port  moding  may  be  done. 

B.  POST-MM  102  TO  PRE-MECO  -  PORT  MODING  OF  FLIGHT-CRITICAL  AND 
PAYLOAD  MDM'S  MAY  BE  PERFORMED  TO  REGAIN  CRITICAL  SYSTEM 
CAPABILITY  OR  AFTER  ANY  SECOND  FAILURE.  NONCRITICAL 
RECOVERY  WILL  NOT  BE  ATTEMPTED  FOR  CASES  OF  NONUNIVERSAL  I/O 
ERROR  (REF.  RULE  {A7-104},  NONUNIVERSAL  I/O  ERROR  ACTION). 

For  noncritical  recovery,  port  moding  is  not  performed  until  another  failure  has  occurred.  The  other 
failure  is  any  other  failure  and  does  not  have  to  be  avionics  related,  but  a  failure  that  sufficiently  adds 
complexity  to  the  overall  vehicle  system  to  warrant  taking  action. 
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A7-105  MDM  PORT  MOPING  (CONTINUED) 

C.  POST-MECO,  FOR  FLIGHT-CRITICAL  OR  PAYLOAD  MDM  FAILURES, 
RECOVERY  ATTEMPTS  BY  PORT  MODING  MAY  BE  PERFORMED  IN  ANY 
MAJOR  MODE  OF  ANY  VALID  OPS  VIA  DISPLAY  ITEM  ENTRIES  ON  THE 
DPS  UTILITY  DISPLAY  EXCEPT  FOR  CASES  OF  NONUNIVERSAL  I/O 
ERROR  (REF.  RULE  {A7-104},  NONUNIVERSAL  I/O  ERROR  ACTION). 

FC  or  PL  MDM' s  communicate  on  one  of  two  redundant  ports  that  are  selectable  via  software.  If  an 
MDM  is  bypassed  due  to  a  port  failure,  communication  on  the  redundant  port  may  be  attempted  via  an 
item  entry  to  the  available  user  SPEC  to  attempt  recovery  of  the  MDM. 

D.  WHEN  A  CHOICE  EXISTS  BETWEEN  THE  LOSS  OF  AN  FF  OR  FA  MDM  AND 
NO  OTHER  CRITICAL  SYSTEM  FAILURES  EXIST,  FA1 ,  2,  OR  3  WILL 
BE  GIVEN  UP  IN  FAVOR  OF  FF 1 ,  2,  OR  3 .  FF4  WILL  BE  GIVEN  UP 
IN  FAVOR  OF  FA4 . 

For  certain  multiple  MDM  failure  scenarios  ( i.e.,  FFX  primary  port  failure  card  FAX  secondary  port 
failure)  only  one  FC  MDM  per  string  can  be  selected  at  any  given  time.  Using  the  port  mode  capability, 
system  optimization  can  be  achieved  with  respect  to  protecting  for  the  next  failure.  FF1,  2,  and  3  are 
selected  for  IMU  capability.  FA4  is  desired  for  insight  into  OMS  systern/FCS  channel  capability,  since 
giving  up  FF4  costs  a  minimum  of  capability.  FA3  is  given  up  even  though  it  provides  insight  into  the  left 
OMS.  It  is  believed  that  losing  an  IMU  is  more  probable  and  critical  than  the  loss  of  insight  into  an  OMS 
system. 

Rule  IA2-5),  PORT  MODING/RESTRINGING  GUIDELINES,  references  this  rule. 
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A7-106  MMU  OPERATIONS 

MMU  OPERATIONS  WILL  BE  ACCOMPLISHED  USING  THE  FOLLOWING 
GUIDELINES : 

A.  SM  CHECKPOINTS  WILL  BE  MAINTAINED  ON  ALL  OPERATIONAL  TAPE- 
DRIVEN  MASS  MEMORY  UNITS  AND  SOLID  STATE  MASS  MEMORY  (SSMM) 
UNITS.  @[012402-5017] 

B.  IF  ONE  SSMM  HAS  FAILED,  OPERATIONS  ON  THE  REMAINING  SSMM 
WILL  NOT  BE  RESTRICTED. 

The  Modular  Memory  Unit  (MMU)  houses  both  the  SSMM  and  the  Solid  State  Recorders  (SSR).  The 
SSMM  is  a  replacement  for  the  tape-driven  Mass  Memory  Unit.  The  SSR  is  a  replacement  for  the 
Payload  Recorder  and  OPS  Recorders.  This  rule  is  only  applicable  to  the  SSMM  portion  of  the  Modular 
Memory  Unit. 

SSMM  units  are  initially  loaded  with  exactly  the  same  data,  and,  procedurally,  this  redundancy  is 
maintained  throughout  a  flight.  Since  SSMM's  are  not  mechanical  devices,  failure  susceptibility  of  the 
remaining  SSMM  does  not  significantly  increase  when  that  SSMM  is  utilized  for  nominal  shuttle 
operations.  Therefore,  if  one  SSMM  fails  or  is  inaccessible,  the  remaining  SSMM  will  still  have  a 
complete  copy  of  all  data.  A  single  failed  or  inaccessible  MMU  should  not  impact  the  utilization  of  the 
remaining  SSMM. 

C.  IF  ONE  MMU  HAS  FAILED,  OPERATIONS  ON  THE  REMAINING  MMU  WILL 
PRECLUDE  ROUTINE  SM  CHECKPOINTS.  IN  ADDITION,  USE  OF  SM 
ROLL-IN  DISPLAYS  AND  TFL/DFL  OPTIONS  WILL  BE  MINIMIZED  (NOT 
APPLICABLE  FOR  VEHICLES  WITH  SSMM'S). 

If  one  tape-driven  MMU  fails  or  is  inaccessible,  the  remaining  MMU  will  still  have  a  complete  copy  of  all 
data.  However,  tape-driven  MMU’s  (because  of  their  mechanical  nature  and  tape  wear)  are  more 
susceptible  to  a  subsequent  failure  of  the  remaining  unit.  Therefore,  use  of  the  remain  ing  tape-driven 
MMU  will  preclude  routine  SM  checkpoints  and  all  other  MMU  transactions  will  be  strictly  minimized  to 
help  protect  against  the  subsequent  loss  of  the  remaining  MMU.  Reducing  MMU  access  will  help  to 
min  imize  the  possibility  of  a  subsequen  t  loss  of  the  remaining  MMU.  @[012402-5017  ] 
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A7-107  TIME  MANAGEMENT 

ONBOARD  TIME  MANAGEMENT  WILL  BE  ACCOMPLISHED  USING  THE  FOLLOWING 
GUIDELINES : 

A.  MTU/GPC  GMT  ERROR  WILL  BE  MAINTAINED  AT  OR  BELOW  100  MS  WHEN 
SPEC  2  "TIME"  IS  AVAILABLE.  A  15-MS  UPDATE  WILL  BE 
PERFORMED  ANYTIME  THE  ERROR  EXCEEDS  THAT  THRESHOLD. 

The  MTU  provides  a  stable  frequency  output  that,  over  the  course  of  a  7 -day  mission,  should  never  be  in 
error  more  than  100  milliseconds.  However,  due  to  an  MTU  failure,  GMT  may  be  in  error.  A  greater 
variance  in  GMT  may  impact  navigation,  thus  the  GMT  will  be  maintained  within  ±100  milliseconds  of  true 
GMT.  Since  the  onboard  computers  are  processing  in  a  redundant  and/or  common  set,  a  software 
limitation  of  a  maximum  of  15  milliseconds  per  update  precludes  a  GPC failure  caused  by  a  time  change.  A 
time  update  can  only  be  performed  using  the  SPEC  2  “time”  display.  SPEC  2  is  not  available  in  the  BFS 
or  during  PASS  GNC  OPS  1/6/3. 

B.  THE  ONBOARD  TIME  MANAGEMENT  SYSTEM  (MTU/GPC)  WILL  NOT  BE 
UPDATED  IN-FLIGHT  TO  INCORPORATE  ADJUSTMENTS  TO  THE  WORLD 
WIDE  TIME  BASE  REFLECTED  BY  WWV . 

Because  of  variations  in  the  Earth’s  orbit,  leap  seconds  are  incorporated  into  true  GMT.  Leap  seconds 
are  added  or  subtracted  from  GMT  and  are  reflected  in  WWV  GMT.  Since  the  vehicle  is  not  connected  to 
WWV  GMT,  the  crew  would  have  to  make  multiple  15 -millisecond  updates  to  correct  onboard  time. 

(Note:  It  takes  1  to  2  minutes  for  one  update.)  Therefore,  orbiter  GMT  will  not  be  updated  for  leap 
seconds. 

C.  FOR  YEAR  END  ROLLOVER  OF  MTU  GMT,  THE  MTU  WILL  BE 
REINITIALIZED  WITH  GPC  GMT. 

The  onboard  GPC’s  do  not  roll  over  ( reset  to  GMT  day  1 )  at  year-end;  the  MTU  does.  For  the  GPC’s  to 
accept  the  MTU  time,  they  must  be  taken  to  STBY  and  reinitialized.  This  results  in  a  period  of  no  vehicle 
control,  no  navigation  updates,  and  no  payload  support.  Since  this  is  unacceptable,  the  MTU  is  forced  to 
accept  GPC  time.  When  this  is  done,  the  orbiter  no  longer  reflects  true  GMT  as  reflected  by  WWV. 
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A7-107  TIME  MANAGEMENT  (CONTINUED) 

D.  A  MANUAL  MTU  OSCILLATOR  SWITCH  WILL  BE  PERFORMED  POST-MECO 
UP  UNTIL  HAC  INTERCEPT  FOR  EITHER  OF  THE  FOLLOWING 
CONDITIONS : 

1.  THE  MTU  BITE  BIT  4  (OSCILLATOR  1/2  FREQ  DIFFERENCE)  IS 
SET  AND  THE  MCC  OBSERVES  STEADILY  INCREASING  MTU  DELTA 
TIMES . 

2.  IF  THE  BFS  LOSES  TRACK  WITHIN  1  MINUTE  OF  THE  MTU  BITE 
BIT  4  BEING  SET  AND  BFS  I/O  RESETS  ARE  UNSUCCESSFUL  IN 
RECOVERING  THE  BFS. 

If  the  MTU  BITE  bit  4  is  set,  this  indicates  a  frequency  difference  between  the  two  oscillators;  this  bit 
does  not  tell  which  oscillator  is  malfunctioning  and  is,  therefore,  not  used  by  the  auto  switch  logic. 
Therefore,  the  MCC  must  use  the  MTU  1  and  MTU  2  delta  times  ( the  difference  between  the  onboard 
MTU  referenced  GMT  and  the  ground  GMT )  and/or  the  state  of  the  BFS  to  determine  if  a  manual 
oscillator  switch  needs  to  be  made. 

The  BFS  will  lose  track  if  the  HFE  listen  command  is  late  by  more  than  180  microseconds  for  24 
consecutive  minor  cycles.  Because  of  perturbations  in  the  HFE  listen  cycle,  the  engineering  community 
feels  the  BFS  may  not  lose  track  immediately.  However,  best  engineering  judgment  dictates  that  the  BFS 
will  lose  track  within  1  minute.  Therefore,  if  the  BFS  loses  track  of  the  PASS  when  the  MTU  BITE  bit  4  is 
set,  it  is  a  good  indication  that  the  selected  oscillator  is  drifting  and  is  the  cause  of  the  BITE  indication. 

In  the  event  of  launch  with  the  BITE  bit  indicator  already  set  (either  because  of  a  false  BITE  indication 
due  to  a  BITE  circuitry  failure  or  because  of  a  failed  oscillator),  consideration  should  be  given  to 
performing  a  manual  oscillator  switch  after  BFS  loses  track  before  declaring  the  BFS  failed  and 
performing  a  BFS  IFF. 

If  a  manual  oscillator  switch  is  made  to  the  bad  oscillator,  the  worst  outcome  would  be  that  the  PASS 
would  fault  down  to  interned  time  (which  testing  has  verified  causes  no  serious  degradation  of 
performance).  If  this  happened,  the  PASS  could  not  be  switched  back  to  MTU  time  until  SPEC  2  is 
available. 

In  general,  reach  and  visibility  constraints  do  not  cdlow  the  crew  to  reach  the  MTU  oscillator  select 
switch  until  post-MECO.  There  is  a  time  shortly  after  SRB  SEP,  however,  when  the  G-forces  have 
decreased  enough  for  the  crew  to  reach  the  switch.  Therefore,  a  manual  MTU  oscillator  switch  post-SRB 
SEP  could  be  attempted  and  will  be  a  real-time  call.  Ref.  Ascent/Entry  Flight  Techniques  Panel  #69 
(7/20/90)  minutes,  and  the  5/15/90  and  6/21/90  SARS  minutes. 
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A7-108  DEU  EQUIVALENT  CRITERIA 

(REFERENCE  RULE  {A2-111},  DPS  COMMAND  CRITERIA.)  @[072595-1 775A] 

A.  ALL  DEU  EQUIVALENT  LOADS  SHOULD  BE  COORDINATED  WITH  THE 
CREW.  DEU  EQUIVALENT  LOADS  DURING  CREW  SLEEP  MUST  BE 
COORDINATED  WITH  THE  CREW  PRIOR  TO  THE  START  OF  THE  SLEEP 
SHIFT  UNLESS  THE  LOADS  ARE  REQUIRED  TO  AVOID  POTENTIAL 
NUISANCE  ALARMS. 

In  order  for  the  crew  to  maintain  situational  awareness  of  all  orbiter  activities,  they  need  to  be  informed 
of  all  planned  DEU  equivalen  ts  loads.  An  long  as  the  crew  has  been  informed  of  a  general  plan  prior  to 
going  to  sleep,  it  is  acceptable  to  alter  the  specifics  of  the  plan  without  notifying  the  crew  of  the  changes. 
If  the  need  arises  for  a  DEU  equivalen  t  load  after  the  crew  has  gone  to  sleep,  it  will  not  be  uplinked 
unless  it  is  required  to  prevent  waking  up  the  crew. 

B.  OPS  TRANSITIONS,  MAJOR  MODE  TRANSITIONS,  AND  OPS  MODE 
RECALLS  WILL  NOT  BE  PERFORMED  VIA  DEU  EQUIVALENT  LOADS. 

THE  ONLY  EXCEPTION  TO  THIS  IS  FOR  THE  G1  TO  G9  OPS 
TRANSITION  DURING  PAD  ABORTS/HOLDS  TO  PROVIDE  A  BACKUP  TO 
THE  CREW  OR  KSC  LDB  COMMANDING.  @[042502-531 7B] 

Although  OPS  transitions,  major  mode  transitions,  and  OPS  mode  recalls  can  be  performed  via  a  DEU 
equivalent  load,  a  program  level  decision  was  made  to  avoid  such  commands  based  on  the  high  level  of 
risk  associated  with  them.  Due  to  the  complexity  of  performing  these  types  of  software  operations,  there 
exists  the  possibility  of  annunciating  fault  messages  or,  worse  case,  not  successfully  completing  the 
transition.  For  pad  aborts/holds,  the  LPS  safing/recovery  procedure  allows  the  MCC  to  control  the 
transition  from  G1  to  G9  in  the  event  KSC  and  the  crew  are  both  unable  to  perform  the  transition. 
Allowing  MCC  to  perform  this  transition  in  the  event  of  an  LPS  loss  will  potentially  minimize  vehicle 
turn-around  time  and  risks  from  unexpected  command  outputs  and/or  system  failures.  @[072795-1 775A] 
@[042502-531 7B] 

C.  DEU  EQUIVALENT  LOADS  WILL  NOT  BE  CHAINED.  @[072595-1 775A] 

DEU  equivalent  loads  will  not  be  chained  because  the  successful  execution  of  one  load  cannot  be  verified 
before  subsequent  commands  are  executed.  Although  not  necessarily  recommended,  it  is  acceptable  to 
link  multiple  item  entries  on  a  specific  page  together  via  separator  keys  as  long  as  a  separate  command  is 
required  to  invoke  the  loaded  data  ( i.  e. ,  arm  and  fire). 
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A7-108  DEU  EQUIVALENT  CRITERIA  (CONTINUED) 

D.  IF  A  SPEC  OTHER  THAN  THE  OPS  DISPLAY  IS  REQUIRED  FOR  DEU 
EQUIVALENT  LOADS,  IT  WILL  NOT  BE  CALLED  UP  UNTIL  REQUIRED. 
THE  SPEC  WILL  THEN  BE  RESUMED  AS  SOON  AS  PRACTICAL. 

In  order  to  avoid  the  possibility  of  accidentally  trapping  a  SPEC  due  to  certain  GPC  and  CRT  failures,  it 
is  best  to  always  RESUME  SPEC’s  when  not  in  use.  The  crew  is  trained  to  place  the  CRT’s  in  a  specific 
configuration  prior  to  sleep,  and  they  expect  them  to  be  in  this  same  configuration  when  they  wake  up. 
Therefore,  leaving  the  OPS  display  up  on  all  CRT’s  will  coincide  with  what  the  crew  expects. 

E.  DUE  TO  GROUND  LIMITATIONS,  THE  FOLLOWING  KEYSTROKES  CANNOT 
BE  USED  IN  ANY  DEU  EQUIVALENT  LOAD. 

1 .  FAULT  SUMM 

2 .  SYS  SUMM 

3.  GPC/ CRT 

4.  MSG  RESET 

5 .  CLEAR 

6.  ACK  @[072795-1 775A] 

Although  the  onboard  software  allows  the  above  keystrokes,  the  ground  command  processing  software 
prohibits  DEU  equivalent  loads  from  containing  them.  Since  the  FAULT  SUMM  and  SYS  SUMM 
displays  do  not  contain  any  ITEM  entries,  the  MCC  does  not  benefit  from  uplinking  these  keystrokes. 

The  other  four  keystrokes  can  interfere  with  the  crew’s  CRT  configuration  or  fault  message  recognition. 
Therefore,  it  was  decided  prior  to  STS-1  to  prohibit  the  ground  from  uplinking  these  specific  keystrokes. 
@[072795-1 775A] 
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A7-109  IN-FLIGHT  MAINTENANCE  ( IFM) 

IN-FLIGHT  REPLACEMENT  OF  LRU'S  WILL  BE  PERFORMED  FOR  THE 
FOLLOWING  EQUIPMENT  FAILURE  DEFINITIONS: 

In-flight  replacement  (IFM)  will  be  done  to  regain  LRU  redundancy  and/or  lost  capabilities. 

A.  IF  A  KEYBOARD  FAILURE  CAN  BE  ISOLATED  TO  A  SPECIFIC  KEY,  THE 
KEY  WILL  BE  REPLACED  WITH  THE  AFT  KEYBOARD  "ACK"  KEY; 
OTHERWISE,  A  FAILED  FORWARD  KEYBOARD  WILL  BE  REPLACED  BY  THE 
AFT  KEYBOARD. 

Keyboard  failures  can  occur  on  specific  keys  or  the  entire  keyboard.  IFM  on  such  failures  associated 
with  the  forward  keyboard  will  be  to  replace  it  with  the  aft  keyboard,  since  it  is  not  used  during  entry. 

B.  ANY  FORWARD  CRT  MAY  BE  REPLACED  BY  CRT  4  IF  THE  SCREEN  BLANKS 
OR  IS  UNREADABLE  AND  THE  GROUND  VERIFIES  THE  CRT  IS  THE  FAILED 
ELEMENT  VIA  DISPLAY  UNIT  BITE  (N/A  FOR  MEDS  VEHICLES) . 
@[021397-4763]  ®[040899-2459B] 

CRT  4  has  been  selected  as  a  replacement  CRT  for  any  forward  CRT  because  it  is  not  used  during  entry. 

C.  ANY  FAILED  MDU  MAY  BE  REPLACED  BY  ANOTHER  MDU .  AT  LEAST  ONE 
CDR  MDU  AND  ONE  PLT  MDU  MUST  BE  MAINTAINED  FOR  ENTRY.  AN  MDU 
IS  CONSIDERED  FAILED  IF  IT  HAS  A  BLANK  DISPLAY,  AN  INOPERATIVE 
1553  DATA  PORT,  OR  AN  INTERNAL  PROBLEM  THAT  PREVENTS  THE  MDU 
FROM  BEING  USEFUL  AS  A  DISPLAY  DEVICE.  @[111501-4949] 

a.  Failed  forward  MDU  @[031 500-71 72D] 

A/7  IFM  to  replace  any  failed  forward  MDU  with  an  aft  MDU  will  regain  full  redundancy  for  entry. 

When  replacing  a  forward  MDU  with  an  aft  MDU,  AFD1  MDU  is  the  preferred  MDU  since  CRT4  MDU 
is  used  during  entry. 

b.  Failed  AFT  MDU 

If  it  is  desired  to  replace  a  failed  aft  MDU  with  a  forward  MDU,  MFD2  MDU  is  the  preferred  MDU. 

MFD2  MDU  is  preferred  based  on  the  following:  CRT  MDU’s  should  be  left  in  place,  CDR2  and  PLT1 
MDU's  are  used  for  the  primary  flight  instrument  displays,  and  removing  CDR1  or  PLT2  MDU’s  would 
make  their  respective  side  of  the  cockpit  vulnerable  to  single-point  electrical  bus  failures.  Because  of  the 
large  number  of  MDU’s  (11)  and  the  simple  and  low  risk  MDU  IFM  (45  minutes),  an  IFM  to  replace  a 
failed  aft  MDU  with  a  forward  MDU  could  aid  the  crew  in  critical  aft  station  operations  (RNDZ, 
dock/undock)  without  losing  any  capability  in  the  forward  cockpit.  In  addition,  the  MDU  can  be 
reinstalled  in  the  forward  cockpit  after  the  critical  aft  operations  are  complete.  @[031 500-71 72D] 
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A7-109  IN-FLIGHT  MAINTENANCE  ( IFM)  (CONTINUED) 

c.  MDU failures  ®[i  1 1 501  -4949  ] 

There  are  multiple  failures  that  may  cause  an  MDU  to  be  declared  failed.  The  most  obvious  is  a  blank  or 
unusable  display.  Loss  of  one  of  the  two  1553  data  ports  by  itself  is  not  a  problem  for  non-CRT  MDU’s 
since  switching  to  the  alternate  port  provides  full  functionality.  CRT  MDU’s  have  only  one  1553  data  bus 
connected.  Therefore,  loss  of  that  data  port  to  a  CRT  MDU  renders  it  useless.  Combinations  of  failures 
may  cause  a  non-CRT  MDU  with  a  single  failed  port  to  be  declared  failed  such  as  the  case  of  a  failed  IDP 
on  the  other  port.  Other  internal  failures  may  still  prevent  the  MDU  from  being  a  useful  display  device.  A 
failed  edge  key  could  preclude  the  ability  to  navigate  to  the  desired  display.  ®[i  11501-4949  ] 

D.  DEU  1,  2,  3  MAY  BE  REPLACED  WITH  DEU  4  IF  THE  DEU  FAILS  TO 

FUNCTION  FOLLOWING  AN  IPL  AND  THE  GROUND  VERIFIES  THE  DEU  IS 
THE  FAILED  ELEMENT  VIA  DEU  BITE  (N/A  FOR  MEDS  VEHICLES) . 

®[040899-2459B] 

DEU’s  1,  2,  3  will  be  replaced  with  DEU  4  because  DEU  4  is  not  used  during  entry. 

E.  IDP  1,  2,  3  MAY  BE  REPLACED  WITH  IDP  4  IF  THE  IDP  FAILS  TO 

FUNCTION. 

IDP’s  1,  2,  3  will  be  replaced  with  IDP  4  because  sacrificing  IDP4  to  regain  IDP1,  2,  or  3  regains  full 
capability  for  the  forward  flight  stations.  If  an  IDP  only  loses  interface  to  the  flight  critical  buses,  an 
IFM  is  not  required  due  to  IDP  redundancy.  ®[040899-2459B] 

F.  A  PL  MDM  WILL  BE  SWAPPED  WITH  THE  OTHER  PL  MDM  ONLY  AFTER 
POWER  CYCLING  AND  PORT  MODING  FAILS  TO  CLEAR  A  NON-GPC 
CAUSED  "I/O  ERROR  PL"  AND  THERE  HAS  BEEN  A  FAILURE  OF  ANY 
PLBD  MCA  (EXCEPT  MCA  2)  CONTROLLED  BY  THE  GOOD  MDM.  @[040899- 
2459B] 

Payload  MDM  will  be  swapped  to  allow  payload  bay  door  closure.  MCA  2  is  an  exception  because 
swapping  PL  MDM  will  not  recover  all  the  necessary  functions,  and  pin  kit  IFM  procedures  would  still 
be  required  to  close  and  latch  the  doors.  For  this  case,  Rule  (A2-105CJ.16,  IN-FLIGHT 
MAINTENANCE  {IFM),  will  be  implemented. 
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A7-109  IN-FLIGHT  MAINTENANCE  ( IFM)  (CONTINUED) 

G.  AN  FF  MDM  l,  2,  OR  3  MAY  BE  REPLACED  BY  FF4  ONLY  AFTER  POWER 
CYCLING  AND  PORT  MODING  FAILS  TO  CLEAR  A  NON-GPC  CAUSED  "I/O 
ERROR  FFX"  OR  TOTAL  OUTPUT  CARD  FAILURE  AND  IT  RESULTS  IN 
THE  LOSS  OF: 

1.  A  SECOND  IMU 

2.  A  SECOND  AA  ( AA4  MUST  BE  FAILED) 

Where  previous  LRU  failures  would  cause  a  loss  of  at  least  fail-safe  redundancy  in  an  entry-critical 
system,  it  is  considered  viable  to  replace  FF1,  2,  or  3  with  FF4.  This  operation  would  be  accomplished 
to  recover  an  IMU  for  redundancy  in  onboard  navigation  for  entry.  The  same  is  true  for  an  AA  to  regain 
redundancy  for  entry  control. 

H.  AN  MMU  CONTINGENCY  POWERUP  MAY  BE  PERFORMED  TO  RECOVER  AN 
MMU  THAT  IS  DOWN  DUE  TO  POWER  LOSS.  @[101096-4516] 

The  IFM  may  be  performed  at  a  convenient  time  when  it  will  not  interfere  with  higher  priority  mission 
operations  or  crew  activities.  If  the  remaining  MMU  fails,  this  IFM  will  be  performed  ASAP.  A 
successful  IFM  will  return  power  to  the  MMU  that  in  turn  can  be  used  for  GNC/SM  transitions,  and 
GPC/DEU  reload  capabilities. 

Rule  {A7-13EJ.l.a,  GPC  MAJOR  FUNCTION  CONFIGURATION,  references  this  rule.  ©[040899-2459B] 
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PAYLOAD-SPECIFIC  DPS  SYSTEMS  MANAGEMENT 

A7-151  CONSTRAINTS  ON  PORT  MOPING  OR  I/O  RESETS 

THERE  ARE  NO  SPACEHAB-RELATED  CONSTRAINTS  ON  PAYLOAD  MDM  PORT 
MODING  OR  SM  I/O  RESETS.  @[092701-4872] 

Both  port  moding  and  I/O  resets  are  transparent  to  Spacehab.  ®[ED  ]  @[092701-4872  ] 
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A7-201  DPS  REDUNDANCY  REQUIREMENTS 

THE  MINIMUM  DPS  REDUNDANCY  REQUIREMENTS  TO  CONTINUE  TO  EOM  ARE: 

This  rule  provides  a  guideline  for  continuing  nominal  mission  activities  with  less  than  afullup  complement 
of  DPS  resources,  equipment,  and  capabilities.  The  objective  is  to  maintain  sufficient  resources  such  that 
one  additional  failure  can  be  sustained  withou  t  jeopardizing  vehicle  safety,  while  protecting  against  a 
generic  failure  in  both  the  primary  and  redundant  systems  (either  hardware  or  software). 

A.  NO  MORE  THAN  ONE  GPC  HAS  BEEN  DECLARED  UNRECOVERABLE.  @[101096-4516] 

If  one  GPC  fails,  the  DPS  system  is  still  fail-operational.  With  one  GPC  failed,  there  is  no  reason  to 
believe  the  failure  is  more  than  an  isolated  incident;  there  is  no  increased  risk  to  the  orbiter  or  crew 
safety  associated  with  staying  to  the  nominal  end  of  mission.  @[092195-1798  ]  @[101096-4516  ] 

A  second  GPC  failure  may  indicate  a  generic  problem  with  an  increase  in  risk  to  orbiter  and  crew  safety. 
For  this  reason,  a  second  GPC  failure  is  reason  for  not  going  to  nominal  end  of  mission  even  though  the 
orbiter  would  still  be  fail-operational  for  entry.  @[0921 95-1 798  ]  ®[1 01 096-451 6  ] 

B.  DATA  PATHS  NECESSARY  TO  SUPPORT  REQUIRED  LRU  AND  DISPLAY 
REDUNDANCY . 

Each  discipline  has  LRU  and  display  redundancy  requirements  for  continuing  nominal  mission  activities; 
consequently,  this  was  written  to  provide  data  bus  capability  if  they  require  it  to  maintain  critical  systems 
redundancy. 

C.  TWO  INDEPENDENT  SOURCES  OF  DEORBIT  PASS  SOFTWARE  ARE 
REQUIRED  AND  ARE  DEFINED  AS  ONE  OF  THE  FOLLOWING: 

1.  TWO  MASS  MEMORY  UNITS  (MMU'S) 

2.  ONE  GNC  MAJOR  FUNCTION  GNC  3  ARCHIVE  GPC  (FREEZE  DRIED 
GNC-3  GPC) AND  ONE  MMU 

The  PASS  deorbit  software  (GNC  OPS  3)  is  available  from  the  following  sources:  MMU  1,  MMU  2,  a 
previously  G3  archived  GPC,  or  a  freeze-dried  GNC  3  GPC  on  orbit.  The  allowable  combinations  of 
sources  always  include  one  MMU. 

Rules  (A2-120B),  RNDZ/PROX  OPS  DPS  SYSTEMS  MANAGEMENT;  and  {A7-13E}.l.d,  GPC  MAJOR 
FUNCTION  CONFIGURATION,  reference  this  rule. 
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A7-201  DPS  REDUNDANCY  REQUIREMENTS  (CONTINUED) 

D.  AT  LEAST  ONE  MMU  TO  PROVIDE  GPC  INITIAL  PROGRAM  LOAD  (IPL) 
AND  DEU  LOAD  CAPABILITY. 

This  rule  provides  software  reload  capability  for  maintaining  GPC  and  DEU  redundancy,  and  recovery 
for  failed  GPC’ s. 
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DPS  GO/NO-GO  MATRIX 


A7-1001  DPS  GO/NO-GO  MATRIX 


DPS  SYSTEMS 

CONTINUE 
NOMINAL 
ASCENT  IF: 

INVOKE 

MDF 

IF: 

ENTER  NEXT 
PLS 

IF 

A.  GPC’S:  (51 

2  ?  [4] 

3? 

B.  MOM'S: 

[1]  FF1-4  (4) 

2  ? 

[2]  FA1  -4  (4) 

2  ? 

[3]  PF1-2  (2) 

2?  [5] 

C.  MODS: 

[1]  DEU/CRT  (4) 

2?  [7] 

2  FWD  ?  [3][7] 

[2]  FWD  KEYBOARD  (2) 

1  ?  [3] 

[3]  AFT  KEYBOARD  (1) 

D.  MEDS 

[1]  IDP  (4)  DPS  FUNCTION 

2  ?  [8]  [9] 

2  FWD  ?  [3][8][9] 

[2]  IDP  (4)  FLIGHT  INSTRUMENT  FUNCTION 

2  FWD  ?  [3][8][9] 

[3]  MDU  (1 1)  [6] 

[4]  ADC  (4) 

E.  MMU  1-2 :  (21  Ml 

2  ? 

F.  COMPUTER  STATUS/COMPUTER  C&W:  (2) 

G.  TIMING: 

[1]  MTU  (1)  [2] 

[2]  EVENT  TIMER 

[3]  MISSION  TIMER 

@[101096-4516]  ©[121296-4595C]  ©[040899-2459B]  @[031 500-71 72D] 

LEGEND: 

NO  REQUIREMENT 
REQUIRED 

(  )  QUANTITY 

[  ]  NOTE  REFERENCE 

THIS  RULE  CONTINUED  ON  NEXT  PAGE 


VOLUME  A  06/20/02  FINAL  DATA  SYSTEMS  7-52 

Verify  that  this  is  the  correct  version  before  use. 


NASA  -  JOHNSON  SPACE  CENTER 


FLIGHT  RULES 


A7-1001  DPS  GO/NO-GO  MATRIX  (CONTINUED) 

NOTES: 

[1]  ASSUMES  G3  ARCHIVE  OR  G3  FREEZE-DRY  CAPABILITY  IS  AVAILABLE. 

[2]  LOSS  OF  MTU  PRECLUDES  BFS  MET/GMT  INITIALIZATION  CAPABILITY. 

[3]  SWAP  OUT  MAY  BE  USED  TO  SATISFY  THE  MINIMUM  REQUIREMENTS. 

[4]  ASSUMES  TWO  OPERATIONAL  MMU’S  OR  ONE  MMU  AND  GNC  3  ARCHIVE  CAPABILITY  IS  AVAILABLE. 

[5]  ASSUMES  IFM  CAPABILITY  FOR  PAYLOAD  BAY  DOOR  CLOSURE. 

[6]  BECAUSE  OF  THE  LARGE  NUMBER  OF  MDU'S  AND  SYSTEM  FLEXIBILITY,  THE  MINIMUM  DURATION 
REQUIREMENTS  ARE  COVERED  IN  RULE  {A2-102},  MISSION  DURATION  REQUIREMENTS,  WHICH  ADDRESSES 
GENERIC  FAILURES.  ©[040899-2459B  ] 

[7]  IF  TWO  FORWARD  CRT’S,  PERFORM  IFM  ASAP. 

[8]  IF  TWO  FORWARD  IDP'S,  PERFORM  IFM  ASAP.  ©[04082459A  ] 

[9]  LOSS  OF  EITHER  FUNCTION,  DPS  OR  FLIGHT  INSTRUMENT,  IN  ANY  3  SEPARATE  IDP’S  IS  PLS. 

®[031 500-71 72D] 

The  DPS  GO/NO-GO  CRITERIA  matrix  reflects  the  MDF/PLS  criteria  (ref.  Rules  (A2-102BJ.2, 

MISSION  DURATION  REQUIREMENTS,  and  (A2-1001J,  ORBITER  SYSTEMS  GO/NO-GO). 

MDF  -  Multiple  failures  in  an  avion  ics  system,  even  though  it  remains  single-fault  toleran  t,  may  be 
indicative  of  a  generic  failure;  consequently,  cm  MDF  is  invoked  for  loss  of  two  GPC’s,  loss  of  two 
DEU/CRT’s,  or  for  MEDS  flights,  two  IDP’s.  ®[040899-2459B] 

Although  a  nominal  end  of  mission  can  be  accomplished  with  no  accessible  mass  memory  units  (MMU’s), 
the  loss  of  two  MMU’s  would  result  in  the  inability  to  recover  subsequent  GPC  and/or  DEU  failures,  loss 
ofTFL’s  and  DFL’s,  and  loss  of  system  management  (SM)  roll-in  displays.  Loss  of  SM  roll-in  displays 
contributes  to  a  loss  of  additional  insight  into  systems  status  in  the  event  of  a  significant  failure. 

Therefore,  because  of  the  loss  of  the  above  capability,  an  MDF  is  invoked  for  failure  of  two  MMU’s. 

Loss  of  flight-critical  and  payload  MDM’s  is  an  exception  to  the  single-fault  tolerant  rule  because  loss  of 
a  single  MDM  reduces  redundancy  in  multiple  systems  increasing  the  risk  that  a  single  LRU  failure  in 
any  one  of  several  systems  could  put  the  orbiter  at  a  zero-fault  tolerant  level. 

A  risk  assessment  presented  at  the  AEFTP  # 131  concluded  that  the  combination  of  LRU’s  lost  with  FF4 
does  not  warrant  early  mission  termination.  There  is  no  systems  requirement  for  cm  MDF  after  the  loss 
ofFF4.  In  addition,  mission  length  for  the  loss  ofFFl,  2,  3  and  FA  MDM’s  should  correspond  to  the 
IMU  and  FCS  mission  length,  respectively.  Mission  length  for  the  first  IMU  and  FCS  failure  was 
changed  to  NEOM.  The  probability  of  losing  a  second  PL  MDM,  thereby  requiring  cm  IFM  to  close  the 
PLBD’s  and  latch  gangs,  is  extremely  low.  Therefore,  NEOM  is  acceptable  after  the  loss  of  one  PL 
MDM.  ®[1 21 296-4595C] 

PLS  -  A  next  PLS  deorbit  will  be  executed  at  the  earliest  practiced  time  for  failures  which  place  the 
orbiter  system  at  the  zero-fault  tolerant  level  or  results  in  a  condition  where  one  more  failure  causes  a 
severe  orbiter  configuration  management  condition. 
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A7-1001  DPS  GO/NO-GO  MATRIX  (CONTINUED) 

Loss  of  three  GPC’s  may  be  indicative  of  a  generic  problem.  If  another  GPC  failure  occurred,  this  would 
result  in  entry  on  a  single  PASS  GPC.  Therefore,  a  next  PLS  is  invoked. 

If  two  CRT’s  are  lost  in  the  forward  station,  for  non  -MEDS  vehicles,  a  next  PLS  will  be  invoked  because 
it  will  place  the  orbiter  in  a  fail-critical  situation  for  entry.  The  aft  CRT  may  be  used  as  a  replacemen  t 
CRT  for  the  forward  station.  ®[i  21 296-4595C]  ®[040899-2459B] 

One  remaining  keyboard  (following  an  IFM)  will  place  the  orbiter  in  a  zero-fault  tolerant  situation. 

If  two  IDP's  are  lost  in  the  forward  station,  a  next  PLS  will  be  invoked  because  it  will  place  the  orbiter  in 
a  fail  critical  situation  for  entry.  The  aft  IDP  may  be  used  as  a  replacement  IDP  for  the  forward  station. 

If  two  forward  MDU’s  are  failed,  they  can  be  replaced  with  the  two  aft  MDU’s.  If  additional  MDU’s 
fail,  display  flexibility  allows  the  other  MDU’s  to  support  DPS  displays,  Flight  Instrument  displays,  and 
Subsystem  Status  displays.  The  loss  of  eight  MDU’s  places  the  orbiter  in  a  zero-fault  tolerant  entry 
configuration:  one  MDU  for  PASS  software  control,  one  for  BFS  insight,  and  one  for 
ADI/ AMI/ AWI/HSI  capability.  ®[040899-2459B]  ®[031 500-71 72D] 

@[092701-4872  ] 
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SECTION  8  -  GUIDANCE,  NAVIGATION,  AND  CONTROL  (GN&C) 


GENERAL 


A8-1  FCS  DOWNMODE 

A.  FOR  CONTROL  PROBLEMS,  FCS  DOWNMODE  (CSS  AND  BFS  ENGAGE)  IS  AN 
ONBOARD  DECISION  AND  MAY  RESULT  FOR  ANY  OF  THE  FOLLOWING: 

1.  IMPENDING  LOSS  OF  CONTROL  (LOC) . 

2.  NO  VEHICLE  RESPONSE  TO  EXPECTED  MANEUVERS. 

3.  ANY  UNEXPLAINED  ATTITUDE/RATE  EXCURSIONS  OR  UNDAMPED 
OSCILLATORY  MOTIONS.  WITH  THIS  IN  MIND,  THE  FOLLOWING 
GUIDELINES  ARE  PROVIDED: 

a.  ASCENT  -  FIRST  STAGE:  ANY  UNEXPLAINED  VEHICLE  RATE  OR 
UNDAMPED  OSCILLATION  GREATER  THAN  3  DEG/SEC. 

b.  ASCENT  -  SECOND  STAGE:  ATTITUDE  ERRORS  (3  DEGREES 
IN  PITCH  OR  YAW;  OR  10  DEGREES  IN  ROLL)  WITHOUT 
CONVERGING  RATES  OR  RATES  GREATER  THAN  3  DEG/SEC 
WITHOUT  CORRESPONDING  ATTITUDE  ERRORS. 

B.  CREW  DOWNMODING  PROCEDURE  FOR  LOSS  OF  CONTROL  IN  FIRST  STAGE 
THROUGH  LOAD  RELIEF  (90  SECONDS  MET)  SHOULD  BE  TO  ENGAGE  THE 
BFS.  POST  LOAD  RELIEF  AND  THROUGHOUT  SECOND  STAGE,  THE 
DOWNMODING  SEQUENCE  SHOULD  BE,  CONDITIONS  PERMITTING,  TO  FLY 
CSS  CONTROL  FOLLOWED,  IF  NECESSARY,  BY  BFS  ENGAGE. 


FCS  downmoding  (CSS  and  BFS  engagement)  is  an  onboard  decision.  The  crew  is  ultimately  responsible  for 
the  safety  of  the  vehicle  and  onboard  personnel.  The  types  of  situations  requiring  downmode  action  include 
impending  loss  of  control,  lack  of  vehicle  response  to  expected  maneuvers  or  trajectory  changes,  or  any 
unexplained  vehicle  attitude/rate  excursions  or  undamped  oscillations. 
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A8-1  FCS  DOWNMODE  (CONTINUED) 

Guideline  limits  are  given  which  reflect  our  flight  experience  and  simulation  data  base  or,  in  the  case  of 
second  stage,  bound  vehicle  behavior  such  that  an  acceptable  MECO  target  is  achieved.  The  following 
sources  were  used  to  develop  these  criteria: 

a.  R&E  ascent  flight  control  system  certification  tests  show  vehicle  rates  no  greater  than  2  to  3  deg/sec. 

b.  Flight  Design  and  Dynamics  Division  range  safety  simulation  cases  of  flight  control  disturbances 
(stuck  SRB  actuators,  etc.)  show,  for  survivable  cases,  that  vehicle  rates  and  oscillations  typically 
did  not  exceed  3  deg/sec.  In  addition,  these  oscillations  had  periods  on  the  order  of  6  to  10  seconds 
and  were  fairly  well  damped. 

c.  Rockwell  simulations  cases  (refer  to  RI  Internal  Letter  FSD&P/IGN&C87,  November  25,  1987)  with 
an  attitude  error  bias  in  the  digital  autopilot  concluded  that  proper  MECO  targets  could  be  met  and 
good  flight  control  maintained  when  a  3 -degree  attitude  error  in  any  axis  was  applied  and  when  a 
10-degree  attitude  error  in  roll  was  applied.  These  runs  included  RTLS,  TAL,  and  ATO  abort 
scenarios. 

Av  a  result,  downmoding  action  is  warran  ted  when  vehicle  response  is  outside  this  flight  envelope. 

For  violation  of  any  of  the  criteria  in  paragraph  A,  the  downmoding  action  is  dependen  t  upon  the  phase 
of  flight.  During  first  stage,  loss  of  control  may  occur  rapidly  due  to  the  control  authority  of  the  SRB’s. 
In  addition,  the  crew  cannot  adequately  control  the  vehicle  in  CSS  during  load  relief.  Moding  to  the  BFS 
in  this  timeframe  changes  the  en  tire  flight  software  which  may  recover  con  trol  of  the  vehicle.  (Note,  auto 
flight  control  is  the  only  mode  available  during  powered  flight  in  the  BFS.)  Post  load  relief,  dynamic 
pressure  is  diminished  (and  in  second  stage  control  authority  is  decreased)  which  allows  the  crew  to 
attempt  CSS  control  for  unusual  vehicle  behavior  and  then  engage  the  BFS  if  necessary.  Typically,  CSS 
provides  greater  rate  command  authority  than  auto.  In  any  phase  of  flight,  however,  conditions  may  be 
such  (e.g.,  rapid  LOC)  to  preclude  the  use  of  CSS  prior  to  BFS  engage.  Note,  for  vehicle  rate  excursions 
or  oscillations,  CSS  without  RHC  inputs  will  command  attitude  hold  (zero  rate  command  with  attitude 
error  command  coming  from  integrated  RGA  data)  and  eliminate  guidance,  auto  steering  (and  effectively 
IMU  data)  from  the  command  loop.  Vehicle  displays,  however,  will  reflect  guidance  parameters. 
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A8-2  SSME  THRUST  VECTOR  CONTROL  (TVC)  HARD OVER 

AN  SSME  WITH  A  CONFIRMED,  UNCOMMANDED  HARDOVER  TVC  ACTUATOR  WILL 
BE  MANUALLY  SHUT  DOWN  IN  ACCORDANCE  WITH  THE  FOLLOWING  TABLE: 


ACTUATOR,  DIRECTION 

FAILURE  OCCURS: 

FIRST  STAGE 

SECOND  STAGE 

LEFT  -YAW,  RIGHT  +YAW  * 

CENTER  +  PITCH  * 

CENTER +Y AW 

LEFT  &  RIGHT +PITCH 

PRIOR  TO  1:40 

N/A 

LEFT  +YAW,  RIGHT  -YAW 

PRIOR  TO  1:40 

SINGLE  ENG  PRESS 

CENTER  -PITCH 

PRIOR  TO  7:00 

PRIOR  TO  7:00 

*  BELL  COLLISION  CONCERN 

“  Confirmed”  hardovers  imply  that  multiple  independent  sources  of  information  indicate  that  an 
actuator  is  stuck  hardover.  These  sources  include  01  position  indications  for  all  actuators,  multiple  FCS 
channel  bypasses  (same  actuator),  and  vehicle  control  problems.  Only  the  MCC  can  confirm  that  an 
actuator  is  hardover,  and  the  MCC  will  inform  the  crew  immediately  upon  recognition  of  the  failure. 

Failure  of  the  lower  engines  hardover  inboard  in  yaw  (left  -Y,  right  +Y)  result  in  immediate  bell  collision 
in  first  or  second  stage.  The  MCC  will  attempt  to  recommend  shutdown  of  the  affected  engine  prior  to 
MET  1:40  after  which  SRB  thrust  tailoff  would  further  increase  the  amount  of  bell  collision.  In  second 
stage,  the  MCC  will  not  offer  a  recommended  action  (listed  as  N/A)  because  of  the  expected  immediate 
bell  collision. 

Failure  of  the  cen  ter  engine  hardover  in  positive  pitch  (toward  lower  engines)  in  first  stage  results  in  bell 
collision  during  SRB  tailoff.  Engine  shutdown  prior  to  MET  1:40  will  prevent  collision.  In  second  stage, 
the  case  is  listed  as  N/A  because  of  the  expected  immediate  bell  collision. 

Hardovers  of  the  center  engine  ±  yaw  and  lower  engines  ±  pitch  are  controllable  in  first  stage  until  SRB 
thrust  tailoff.  Shutdown  of  the  affected  engine  prior  to  MET  1:40  will  preven  t  LOC.  These  same  failures 
in  second  stage  cause  vehicle  control  to  be  lost  immediately.  These  cases  are  listed  as  N/A  because  of 
the  expected  immediate  LOC. 

THIS  RULE  CONTINUED  ON  NEXT  PAGE 
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A8-2  SSME  THRUST  VECTOR  CONTROL  (TVC)  HARD OVER 

(CONTINUED) 


Failures  of  the  lower  engines  outboard  in  yaw  (left  +Y,  right  -Y)  during  first  stage  result  in  vehicle 
sideslip  (beta)  angles  of  more  than  25  degrees  as  SRB  thrust  tails  off.  This  is  well  above  the  limits 
established  to  protect  external  tank  (ET)  heating  constraints.  Maximum  ET  heating  occurs  in  the  MET 
100-  to  120-second  timeframe.  The  hardover  engine  should  be  shut  down  no  later  than  MET  1:40  to 
allow  control  transients  (specifically  beta)  to  damp  so  as  to  not  violate  ET  heating  constraints.  The 
same  hardover s  during  second  stage  result  in  control  transients  ( expected  to  be  recoverable )  at  the  time 
of  the  hardover.  Depending  on  the  time  of  the  second  stage  failure,  less  than  desirable  MECO 
conditions  can  result  if  the  affected  engine  is  allowed  to  run  until  MECO.  This  occurs  because  con  trol 
perturbations  caused  by  failures  later  in  second  stage  may  not  have  sufficient  time  to  damp  out.  Thus, 
the  recommended  action  is  to  shut  down  the  affected  engine  at  single  engine  press  to  MECO. 

Failure  of  the  center  engine  hardover  in  negative  pitch  (bell  up  away  from  the  lower  engines)  is 
controllable  until  late  in  ascent.  As  the  vehicle  center  of  gravity  changes,  the  good  actuators  gimbal  to 
maintain  a  trimmed  vehicle.  By  approximately  MET  7:00,  the  good  actuators  reach  their  software 
command  limits  and  loss  of  control  follows. 

The  actions  presented  in  this  rule  summarize  the  results  of  SMS  runs  and  an  ascen  t  thrust  vector  con  trol 
hardover  failure  study  using  the  Space  Shuttle  Functional  Simulator.  The  study  was  performed  using  the 
STS-26  mission  design.  The  recommended  shutdown  actions  apply  to  all  flights.  (Ref.  Lockheed 
Correspondence  No.  46-88,  04/11/88,  and  Ascent  Flight  Techniques  Panel  Meeting  #44,  05/17/88.) 

Rule  { A2-301J ,  CONTINGENCY  ACTION  SUMMARY,  references  this  rule. 

A8-3  LOSS  OF  GNC  SYSTEM 

REGARDLESS  OF  GNC  SYSTEMS  PROBLEMS  DURING  ASCENT,  THE  MOST 
DESIRABLE  ACTION  IS  TO  CONTINUE  TO  ORBIT.  FOR  CONFIRMED, 
PERMANENT  LOSS  OF  ALL  FAULT  TOLERANCE  IN  ANY  ENTRY-CRITICAL 
GNC  SYSTEM,  A  FIRST  DAY  PLS  RETURN  WILL  BE  INVOKED. 

Failures  in  an  entry-critical  GNC  system  will  not  cause  aborts  (RTLS,  TAL,  ATO,  AO  A)  during  the 
ascent  phase.  However,  for  the  confirmed  loss  of  all  fault  tolerance  in  an  entry-critical  system  during 
ascent,  a  first  day  PLS  should  be  performed  to  reduce  the  time  available  for  any  subsequent  system 
failures  which  may  affect  deorbit/entry.  Continuing  the  mission  with  no  system  redundancy  constitutes 
unreasonable  risk  and  deorbit  should  be  performed. 

Rule  (A8-1001  j,  GNC  GO/NO-GO  CRITERIA,  references  this  rule. 
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A8-4  FAULT  TOLERANCE  PHILOSOPHY 

A.  EARLY  MISSION  TERMINATION  WILL  BE  SCHEDULED  AT  THE  NEXT  PLS 
OPPORTUNITY  IF  ANY  ENTRY-CRITICAL  GNC  SYSTEM  HAS  LOST  ALL 
FAULT  TOLERANCE. 

Continuing  the  mission  with  no  fault  tolerance  in  a  critical  system  would  result  in  unreasonable  risk. 

By  performing  a  next  PLS  deorbit,  we  reduce  the  exposure  to  a  subsequent  failure  which  would 
preclude  a  safe  deorbit/entry  (ref  Rule  {A8-1001},  GNC  GO/NO-GO  CRITERIA). 

Several  GNC  systems  have  zero-fault  tolerance  during  entry  with  two  LRU’s  remaining.  The  system 
can  still  support  entry  if  one  of  these  LRU’s  fails  on  orbit.  For  these  systems,  remaining  on  orbit  is 
acceptable,  since  the  next  on  -orbit  failure  does  not  preclude  a  safe  entry.  Reference  EFTP  #45, 

06/17/88. 

B.  THE  FLIGHT  WILL  CONTINUE  TO  NOMINAL  END  OF  MISSION  FOR  THE 
FIRST  FAILURE  WHICH  IMPACTS  AN  ENTRY-CRITICAL  SYSTEM.  IF  THE 
SYSTEM  IS  NO  LONGER  SINGLE-FAULT  TOLERANT  (FAIL-SAFE) ,  A 
REVIEW  OF  THE  FAILURE  MODE  AND  REMAINING  SYSTEMS  CAPABILITY 
WILL  BE  CONDUCTED  TO  DETERMINE  WHETHER  NEOM  IS  APPROPRIATE. 
@[121296-4610  ] 

REFERENCE  RULES  {A8-1001},  GNC  GO/NO-GO  CRITERIA,  AND 
{ A2-102 } ,  MISSION  DURATION  REQUIREMENTS. 

In  general,  it  is  an  acceptable  configuration  to  continue  to  nominal  EOM  after  a  single  failure  in  an 
avionics  system  which  leaves  that  system  with  single-fault  tolerance.  The  systems  which  fall  into  this 
category  are  the  four-LRU  systems  ( i.  e. ,  AA’s,  RGA’s,  and  FCS  channel  position  feedbacks).  The  risk 
of  staying  on  orbit  until  nominal  EOM  is  acceptable  after  one  failure  because  these  systems,  after  the 
second  failure  regardless  of  the  cause  for  the  failure  ( i.  e. ,  LRU,  MDM,  or  GPC),  are  only  vulnerable  to 
the  next  LRU  failure  (third  failure  overall)  while  in  MM  304  to  305.  Prior  to  entry,  a  failure  in  the 
AA’s,  RGA’s,  or  position  feedbacks  can  be  deselected  via  SPEC  53,  ENTRY  CONTROLS  display. 

The  Flight  Control  System  (FCS)  command  channels  and  the  IMU  system  are  single-fault  tolerant  (fail¬ 
safe)  after  the  first  failure,  with  the  exception  of  certain  “smart  failures”  during  specific  windows  of 
deorbit  and  entry.  Neither  the  IMU  system  nor  the  FCS  command  channels  can  sustain  greater  than  two 
failures  and  still  be  able  to  fly  entry.  However,  a  risk  assessment  completed  by  the  AEFTP  in  1996  (Ref. 
AEFTP  #131  and  6/96  AEFTP  Splinter  Meeting)  concluded  that  the  relative  risk  of  remaining  on-orbit  to 
NEOM  rather  than  returning  at  the  minimum  duration  flight  (MDF)  point  after  the  first  failure  (in  the 
FCS  or  IMU  system)  is  an  order  of  magnitude  less  than  the  launch  risks  and  orbital  debris  risks.  For  an 
IMU  or  FCS  command  channel  failure,  the  risk  will  be  re-assessed  in  real  time  based  on  the  latest  run¬ 
time  and  failure  history.  ®[1 21 296-461 0  ] 

In  addition  (per  Rule  {A2-102},  MISSION  DURATION  REQUIREMENTS),  for  multiple  failures  in  an 
entry-critical  system  which  results  in  loss  of  two-fault  tolerance  but  still  retains  single-fault  tolerance,  an 
MDF  will  be  declared.  The  MDF  is  performed  due  to  the  loss  of  confidence  in  the  integrity  of  the  system 
(ref.  Rule  {A2-102},  MISSION  DURATION  REQUIREMENTS). 
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A8-5  ACCELEROMETER  ASSEMBLIES  (AA)  FAULT  TOLERANCE 

IF  FAIL-SAFE  REDUNDANCY  (THREE  OF  FOUR)  DOES  NOT  EXIST  IN  NORMAL 
AA'S,  THEN  THE  PITCH  AXIS  AUTO  MODE  WILL  NOT  BE  USED  IN  MM  305, 
MM  602  (Nz  HOLD  PHASE),  OR  MM  603.  MCC  CALL  MAY  BE  REQUIRED. 

Fail-safe  redundancy  of  normal  accelerometers  is  required  to  engage  the  pitch  axis  auto  mode  in 
MM  305,  MM  602,  and  MM  603.  MCC  call  may  be  required  since  RM  terminates  after  first  failure. 

The  flight  control  auto  pitch  channel  receives  normal  acceleration  commands  from  guidance  in  MM  305, 
MM  602,  and  MM  603.  If  two  normal  accelerometers  have  failed,  then  the  AA  selection  filter  will  be 
midvalue  selecting  bad  Nz  data  if  a  third  normal  axis  accelerometer  fails.  If  the  first  two  accelerometer 
failures  are  due  to  commfaults,  the  selection  filter  will  average  the  remaining  two. 

The  pitch  channel  uses  Nz  feedback  to  close  the  auto  flight  control  loop  and,  if  bad  data  concerning 
vehicle  response  is  fed  back,  loss  of  control  can  occur.  CSS  removes  Nz  feedback  from  the  flight  control 
loop. 

During  the  Nz  hold  phase  of  MM  602,  the  ADI  pitch  error  needle  displays  Nz  error,  and  the  ACCEL  tape 
on  the  AMI  displays  Nz  in  g’s.  If  a  third  normal  axis  accelerometer  failure  occurs,  it  may  be  difficult  to 
maintain  the  target  Nz  ( approximately  2.1  g’s)  while  flying  manually,  since  these  displays  will  be  driven 
with  bad  feedback.  The  crewmember  may  have  only  the  G-meter  and  the  energy  profile  on  the  ENTRY 
TRAJ  display  as  cues  for  maintaining  target  Nz.  Although  it  may  be  difficult  to  maintain  the  precise  Nz 
in  the  event  of  a  third  failure,  pitch  CSS  is  required  after  two  failures  to  prevent  a  loss  of  control. 

Testing  in  the  SMS  has  shown  that  if  the  pitch  axis  AUTO  mode  is  used  and  the  third  failure  occurs,  a 
loss  of  control  can  result  during  MM602  Nz  hold. 

Rule  {A2-261J,  ENTRY DTO/AUTO  MODE/CROSSWIND  DTO  GO/NO-GO,  references  this  rule. 

A8-6  CONTROLLERS /FCS  SWITCHING  FAULT  TOLERANCE 

EXCEPT  FOR  RHC'S,  REQUIRED  FAILURE  TOLERANCE  FOR  ALL  CONTROLLERS 
OR  FCS  SWITCHING  FUNCTIONS  CAN  BE  SATISFIED  FROM  EITHER  SIDE  OR 
BOTH  SIDES  OF  THE  COCKPIT.  RECONFIGURATION  IN  GNC  8  IS  ALLOWED 
TO  MEET  CONTROLLER  AND  SWITCH  REDUNDANCY  REQUIREMENTS. 

Existence  of  station  processing  and  system  redundancy  ensures  availability  of  functions  from  either  side 
of  the  cockpit.  However,  because  of  their  use  during  entry  (especially  the  CDR’s  RHC),  RHC’s  require  a 
higher  priority  for  system  reconfiguration  which  can  be  done  in  OPS  2  or  8. 

Rule  (A8-1001  j,  GNC  GO/NO-GO  CRITERIA,  references  this  rule. 
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A8-7  ENTRY  SYSTEMS  SINGLE-FAULT  TOLERANCE  VERIFICATION 

A.  A  FAILURE  IN  ANY  ENTRY-CRITICAL  SYSTEM  THAT  WILL  PRECLUDE 
SINGLE-FAULT  TOLERANCE  DURING  ENTRY  WILL  BE  VERIFIED  PRIOR 
TO  DEORBIT  BURN.  IF  THE  FAILURE  IS  RECOVERABLE  (TRANSIENT), 
ENTRY  WILL  BE  DELAYED  ONE  ORBIT,  IF  AVAILABLE,  TO  ALLOW 
RECONF I GURAT I ON . 


A  one-orbit  deorbit  delay  will  be  called  to  allow  system  failure  compensation/reconfiguration  to  be 
performed  since  most  can  be  handled  in  one  orbit.  Delaying  an  entire  extra  day  unnecessarily  increases 
the  exposure  to  further  system  failures. 

B.  THE  DEORBIT  BURN  WILL  BE  DELAYED  UP  TO  1  DAY  TO  ALLOW 
RECONFIGURATION  TO  RECOVER  THE  FUNCTION  OF  EITHER  RHC . 


Due  to  the  RHC  requiremen  ts  during  entry,  a  1-day  delay  will  be  performed  if  multiple  failu  res  cause  the 
loss  of  function  of  one  RHC.  The  1-day  delay  will  allow  the  implementation  of  an  RHC/DDU IFM  (ref. 
Rule  { A2-105C.7 },  IN-FLIGHT  MAINTENANCE  {IFM))  in  order  to  recover  the  RHC  capability.  The 
1-day  delay  is  needed  due  to  the  amount  of  time  required  to  perform  the  RHC  or  DDU  IFM.  Both 
hardware  changes  take  at  least  3  hours  to  perform. 

Rules  { A2-301 },  CONTINGENCY  ACTION  SUMMARY;  and  (A8-8J,  ENTRY  SYSTEMS  RM  DILEMMA, 
reference  this  rule. 


A8-8  ENTRY  SYSTEMS  RM  DILEMMA 

FOR  FAILURES  RESULTING  IN  LOSS  OF  AN  ENTRY-CRITICAL  FUNCTION 
DUE  TO  RM  DILEMMA,  ENTRY  WILL  BE  DELAYED  TO  ALLOW  THE  SINGLE 
REMAINING  SYSTEM  TO  BE  PRIME  SELECTED. 

If  an  entry-critical  function  has  been  lost  due  to  an  RM  dilemma,  delaying  entry  allows  the  crew  to 
perform  any  recovery  procedures  necessary  to  recover  the  function  by  prime-selecting  the  single 
remaining  system.  The  systems  which  could  annunciate  a  dilemma  prior  to  deorbit  burn  are  the  hand 
controllers  and  IMU’s.  However,  of  the  hand  controllers,  only  the  RHC  would  cause  a  deorbit  delay  to 
recover  the  function  of  the  RHC  (ref.  Rule  {. A8-7B j  ENTRY  SYSTEMS  SINGLE-FAULT  TOLERANCE 
VERIFICATION).  For  most  of  the  systems,  prime  selection  can  be  done  in  OPS  2  or  3. 

Rule  (A2-30I  j,  CONTINGENCY  ACTION  SUMMARY,  references  this  rule. 
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A8-9  AFT  STATION  GNC  REDUNDANCY 

LOSS  OF  AFT  STATION  GNC  SYSTEMS  SHALL  NOT  BE  A  CAUSE  FOR  EARLY 
FLIGHT  TERMINATION.  NO  IFM  WILL  BE  DONE  TO  REPLACE  AN  AFT  GNC 
SYSTEM  WITH  A  FORWARD  SYSTEM. 

Aft  station  systems  are  not  required  for  safe  entry.  There  are  no  on-orbit  activities  that  would  require 
risking  the  loss  of  an  entry-critical  forward  system. 

Rule  {A8-1001E},  GNC  GO/NO-GO  CRITERIA,  references  this  rule. 

A8-10  POWER/DATA  PATH  REDUNDANCY 

LOSS  OF  POWER  REDUNDANCY  OR  DATA  PATH  REDUNDANCY  TO  A  GNC  LRU 
IS  NOT  CONSIDERED  LOSS  OF  THE  LRU  REDUNDANCY. 

Loss  of  power  or  data  path  redundancy  to  an  LRU  does  not  indicate  a  generic  systems  failure.  A  single 
external  failure  should  not  imply  impending  LRU-related  failures.  The  LRU  should  be  considered 
operational  as  long  as  power  and  a  communications  path  exist  to  the  LRU. 

A8-11  LOSS  OF  BFS 

LOSS  OF  BFS  BECAUSE  OF  LOSS  OF  GNC  SYSTEMS  WILL  NOT  BE  CAUSE  TO 
TERMINATE  THE  FLIGHT  EARLY. 

The  role  of  the  BFS  GNC  software  is  a  protection  against  generic  errors  in  the  prime  GNC  software. 
The  level  of  BFS  GNC  fault-tolerance  is  not  considered  a  requirement  for  on-orbit  stay  time.  Given  the 
present  early  termination  rules  for  GNC  systems  loss,  only  the  loss  of  the  BFS  engage  switches  would 
invoke  this  rule.  If  the  BFS  GNC  is  lost  by  BFS  hardware  or  software  problems,  then  the  generic 
protection  is  already  lost  and  no  extra  risk  is  involved  in  staying  on  orbit  until  nominal  end-of -flight. 

Rule  { A8-1001 },  GNC  GO/NO-GO  CRITERIA,  references  this  rule. 
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A8-12  HEAD  UP  DISPLAY  (HUD)  AND  CREW  OPTICAL  ALIGNMENT 

SIGHT  (COAS)  ALIGNMENT 

A  CALIBRATED  HUD/-Z  COAS  IS  AN  ADEQUATE  BACKUP  TO  THE  STAR 
TRACKERS  FOR  ENTRY  IMU  ALIGNMENT.  ®[1 11 094-1 723A] 

A  3-sigma  COAS  IMU  alignment  and  a  HAINS  IMU  drifting  at  1  sigma  in  all  axes  result  in  a  total 
platform  misalignment  of  0.25  degrees  at  El  which  meets  the  navigation  requirement  of  no  more  than 
0.5  degrees  (ref.  Rule  {A4-151},  IMU  ALIGNMENT).  The  KT-70  IMU  represents  the  worse  case,  since 
the  HAINS  IMU  1  sigma  drift  rate  is  significantly  low.  The  0.25  degree  misalignment  is  based  on 
SODB  data  (SODB  para.  4. 5. 1.2. 3. e. 3. d)  for  a  COAS  calibrated  immediately  following  a  star  tracker 
IMU  alignment  and  an  entry  alignment  that  is  done  2.5  hours  prior  to  the  deorbit  burn  with  a  time  of 
approximately  30  minutes  from  burn  to  EL  Based  on  flight  calibration  data,  it  is  assumed  that  a  HUD 
IMU  alignment  will  be  as  good  as,  if  not  better  than,  a  COAS  IMU  alignment.  As  backups  to  the  star 
trackers  for  IMU  alignmen  ts,  the  CDR  HUD  is  the  primary  station  and  the  PET  HUD/-Z  COAS  is  the 
secondary  station.  The  +X  COAS  performance  during  flights  has  not  been  adequate  to  support  an 
entry  IMU  alignment  and  should  not  be  used  as  a  backup  to  the  star  trackers  (ref.  On-Orbit  FTP 
meeting  #133,  October  9,  1992,  HUD/COAS  CALIBRATION,  and  On-Orbit  FTP  meeting  #148, 
September  9,  1994,  HUD/COAS  CALIBRATION  STATUS).  ®[i  1 1094-1723A] 

Rule  (A8-108J,  HUD/COAS  SYSTEM  MANAGEMENT ,  references  this  rule. 
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A8-13  RTLS  ET  SEPARATION 

FOR  RTLS  ET  SEPARATION,  CREW  ACTION  SHALL  BE  AS  FOLLOWS: 

A.  DURING  MATED  COAST,  COMMAND  A  FAST  SEPARATION  IF  ALPHA 
?  -4  ±  2  DEGREES  AND  DIVERGING  OR  BETA?  0  ±  2  DEGREES 
AND  DIVERGING. 

During  RTLS  mated  coast,  MM  601,  G/C  steer  is  commanding  attitude  hold  in  all  axes  in  either  CSS 
(while  the  RHC  is  in  detent)  or  auto  flight  control  mode.  Due  to  the  time  limitations  of  performing  RTLS 
ET  separation,  a  fast  separation  should  be  commanded  anytime  the  vehicle  attitude  is  diverging  from  the 
RTLS  ET  separation  structural  release  constraints.  All  of  the  RTLS  ET  separation  design  staging 
conditions  are  documented  in  JSC-07700,  volume  X,  figure  3.2.1.1.10.4. 

B.  DURING  -Z  TRANSLATION,  SELECT  CSS  IF  ALPHA  DECREASING  OR  ANY 
RATE  ?  2  DEG/SEC  WITH  DIVERGING  ATTITUDE  ERRORS.  THE  CREW 
SHOULD  DELAY  1  SECOND  AFTER  SEPARATION  PRIOR  TO  DOWNMODING  TO 
ENSURE  ADEQUATE  ORBITER/ET  CLEARANCE. 

During  -Z  translation,  decreasing  alpha  may  cause  recontact  with  the  ET.  Rates  greater  than  2  deg/sec 
with  a  diverging  attitude  indicate  a  control  problem  in  the  auto  mode  which  may  lead  to  loss  of  control 
during  recovery  phase  and  entry.  When  performing  an  auto  separation,  the  DAP  will  inhibit  automatic 
rotational  control  for  1  second.  CSS  rotational  commands  are  allowed  anytime  but  should  be  avoided 
until  adequate  orbiter/ET  clearance  exists.  One  second  was  established  as  the  optimum  time  to  prevent 
propagation  of  initial  disturbances  resulting  in  loss  of  con  trol  but  yet  allow  sufficient  clearance  from  the 
ET  (ref.  Rockwell  ET  SEP  Panel  meeting,  12/2/82). 
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A8-14  POWER  MANAGEMENT 

A.  SYSTEMS  REQUIRED  FOR  GNC  6  OR  GNC  3  WILL  BE  ON  FOR  ASCENT  AND 
LEFT  ON  UNTIL  THE  END  OF  AOA  OPPORTUNITY. 

Should  an  AOA  be  necessary,  the  crew  will  be  busy  preparing  for  the  maneuver  and  should  not  be 
burdened  with  a  requirement  to  power  up  equipment  in  this  time-critical  phase. 

The  MLS  is  the  only  GNC  system  not  powered  for  the  launch.  However,  the  MLS  will  be  powered  for  the 
abort  (entry)  per  the  FDF  checklist. 

B.  DURING  ENTRY  DAY,  THE  OPS  3  CRITICAL  LRU'S  (RGA'S,  AA'S,  AND 
ASA'S)  WILL  BE  POWERED  PRIOR  TO  MCC  GO/NO-GO  FOR  OPS  3 
TRANSITION.  MCC  TELEMETRY  VERIFICATION  IS  HIGHLY  DESIRABLE. 

Additional  time  could  be  required  for  adequate  MCC  telemetry  verification  since  it  will  not  be  obvious  to 
the  crew  that  all  LRU’s  have  been  powered.  The  RGA’s  are  powered  prior  to  the  OPS-3  transition  in 
order  to  provide  vehicle  rate  feedback  to  flight  control  (TRANS  DAP).  The  ASA 's  are  powered  prior  to 
the  OPS-3  transition  to  preclude  possible  damage  to  the  rudder/speed  brake  power  drive  unit  (PDU)  at 
APU  start.  The  AA’s  are  powered  prior  to  the  OPS-3  transition  because  of  the  proximity  of  these 
switches  to  the  other  LRU  switches. 


A8-15  GNC  PARAMETERS /LRU  FAILURES 

GNC  PARAMETERS/LRU'S  THAT  PERMANENTLY  FAIL  RM  LIMITS  OR  GNC  8 
SELF-TEST  WILL  BE  INHIBITED  FROM  FURTHER  USE. 


Once  an  LRU  has  been  identified  as  faulty  by  self-test  or  RM,  it  is  no  longer  considered  reliable. 


A8-16  GNC  SYSTEMS  FAILURES 

GNC  SYSTEMS  DECLARED  FAILED  BY  RM  WILL  BE  CONSIDERED  FAILED  UNLESS 
SUBSEQUENT  VERIFICATION  INDICATES  THAT  THE  SYSTEM  IS  RECOVERABLE. 
WHEN  TIME  PERMITS,  RECOVERY  WILL  BE  ATTEMPTED  FOR  ANY  GNC  SYSTEMS 
TRANSIENT  FAILURE. 

FOR  SOME  SYSTEMS,  THE  CREW  HAS  VERY  LITTLE  VISIBILITY  INTO  THE 
REASON  FOR  RM  DECLARED  FAILURES.  IN  MOST  CASES,  THE  FAILURES  ARE 
CAUSED  BY  SYSTEM  DEGRADATION  WHICH  CAN  BE  COMPENSATED  BY  THE  MCC, 
THEREBY  RECOVERING  THE  FUNCTION  OF  THAT  LRU. 
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A8-17 


EQUIPMENT  REQUIRED  FOR  EMERGENCY  AUTOLAND 


THE  FOLLOWING  EQUIPMENT  IS  REQUIRED  TO  ALLOW  USE  OF  AUTOLAND 
CAPABILITY  TO  TOUCHDOWN  IN  EMERGENCY  SITUATIONS: 


A. 

ONE 

-  NORMAL  AA. 

B. 

ONE 

-  MSBLS. 

C. 

ONE 

-  ADTA. 

Situations  that  may  require  emergency  autoland  include  crew  incapacitation,  window  contamination,  or 
any  contingency  landing  below  weather  minimums. 

Normal  axis  accelerometer  data  is  required  for  the  Aerojet  DAP  auto  mode  in  MM  305. 

MLS  is  the  only  navigation  LRU  with  sufficient  accuracy  to  guide  the  orbiter  to  a  precision  runway 
landing  in  the  auto  mode.  Autoland  cannot  be  flown  on  default  air  data.  The  availability  of  these 
systems  shou  ld  not  be  considered  as  part  of  GO/NO-GO  for  deorbit. 

Rule  {A8-1001 },  GNC  GO/NO-GO  CRITERIA,  references  this  rule. 

A8-18  LANDING  SYSTEMS  REQUIREMENTS 

A.  FOR  THE  GIVEN  CONDITIONS  AND  LANDING  SITES,  THE  FOLLOWING  ARE 
THE  NUMBER  OF  ONBOARD  MSBLS  REQUIRED: 


LAKEBED 

CONCRETE  RUNWAY 

DAYLIGHT  LANDING: 

CEILINGS  >  10K  FEET 

0 

0 

CEILINGS  <  10K  FEET 

i 

2 

NIGHT  LANDING: 

CEILINGS  >  15K  FEET 

i 

2 

CEILINGS  <  15K  FEET 

2 

2 

For  lower  ceilings  (8,000  to  10,000 feet)  or  night  operations,  redundant  MSBLS  (single-fault  tolerance) 
is  required  for  landing  on  a  concrete  runway.  This  is  due  to  the  fact  that  longitudinal  and  lateral 
concrete  run  way  environmen  ts  are  limited  and  less  forgiving  of  navigation  errors  when  adequate  visual 
cues  are  not  available  ( i. e. ,  lower  ceilings  or  night  landings).  MSBLS  provides  accurate  azimuth, 
elevation,  and  range  information  that  allow  a  precise  approach  to  the  runway. 

MSBLS  is  also  mandatory  for  daylight  landings  on  the  lakebed  with  reduced  ceilings  but  is  not  required 
to  be  redundant  due  to  the  increased  margin  for  error  on  the  lakebed. 

THIS  RULE  CONTINUED  ON  NEXT  PAGE 
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A8-18  LANDING  SYSTEMS  REQUIREMENTS  (CONTINUED) 

For  a  night  landing  and  the  loss  of  redundant  MSBLS,  a  lakebed  runway  is  required.  In  addition, 
ceilings  must  be  greater  than  15,000 feet  for  a  night  landing  to  a  lakebed  runway  without  redundant 
MSBLS  to  allow  early  acquisition  ofPAPI  lights  and  aimpoint  should  a  single  point  failure  causing  loss 
of  MSBLS  occur.  This  increased  ceiling  requirement  allows  more  time  for  glide  slope  and  runway 
centerline  corrections.  The  15,000 feet  altitude  is  based  on  extensive  analysis  conducted  in  the  Shuttle 
Mission  Simulator  (SMS)  and  Shuttle  Training  Aircraft  (ST A)  by  Flight  Design  and  Dynamics  personnel 
and  crew  representatives  (ref.  Rule  {A2-6j,  LANDING  SITE  WEATHER  CRITERIA  [HC]).  @[111094- 

1622B] 

MSBLS  redundancy  is  maintained  with  two  onboard  MSBLS  remaining  (one  MSBLS  failed)  assuming  the 
MCC  is  available  to  solve  dilemmas.  A  dilemma  occurs  for  an  erroneous  output  failure  of  one  of  the 
remaining  two  units.  The  only  information  used  to  solve  the  dilemma  (outside  of  MCC  assistance)  is 
built-in  test  equipment  (BITE),  which  is  limited  in  its  ability  to  detect  failures.  The  MCC  requires 
ground  radar  along  with  telemetry  data  to  isolate  the  bad  MSBLS  in  the  event  of  a  dilemma. 

Rule  ( A2-6} ,  LANDING  SITE  WEATHER  CRITERIA  [HC],  references  this  rule.  ®[111094-1622B] 

B.  A  DAYLIGHT  LANDING  WILL  BE  REQUIRED,  IF  AVAILABLE,  FOR  LOSS 
OF  ANY  OF  THE  FOLLOWING: 

1.  THREE  MSBLS. 

2.  TWO  FORWARD  ADI'S  (N/A  FOR  MEDS  VEHICLES)  .  ®[040899-2459B] 

MSBLS  is  required  at  night  to  maintain  an  accurate  approach  path  to  a  lower  altitude  before 
transitioning  to  visual  cues  (PAPI’s,  ball  bar,  and  runway  markings).  For  the  loss  of  all  three  onboard 
MSBLS,  enter  to  a  daylight  landing,  if  available. 

One  ADI  is  required  to  commit  to  a  night  landing  in  order  to  fly  bank  angle  around  the  HAC  in  the  event 
of  guidance  problems. 

A  requirement  for  the  HSI  was  considered  for  night  landings  due  to  the  need  for  accurate  heading  and 
course  information;  however,  such  a  requirement  was  not  levied  since  MSBLS  and  the  HUD  were 
required  and  should  supply  sufficient  information  during  the  approach  phase. 

C.  FOR  LOSS  OF  THE  LEFT  HUD,  A  DAYLIGHT  LANDING  IS  HIGHLY 
DESIRABLE . 

The  left  HUD  is  highly  desirable  for  night  landings  in  order  to  reduce  approach  and  landing  workload, 
mon  itor  touchdown  critical  parameters,  and  offset  the  loss  of  ou  tside  visual  references.  Therefore,  the 
left  HUD  is  desired  to  commit  to  a  night  landing,  situation  permitting  ( e. g. ,  weather,  etc.).  Reference 
Memorandum  CB-89-265,  and  Rule  [ A2-105 },  IN-FLIGHT  MAINTENANCE  (IFM).  @[072398-6646  ] 

THIS  RULE  CONTINUED  ON  NEXT  PAGE 
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A8-18  LANDING  SYSTEMS  REQUIREMENTS  (CONTINUED) 

D.  RA  ALTITUDE  DATA  IS  HIGHLY  DESIRABLE  FOR  NIGHT  LANDINGS. 
@[072398-6646  ] 

Due  to  the  lack  of  visual  depth  perception  during  night  landings,  the  RA’s  and  ball  bar  become  the 
primary  source  for  altitude  and  altitude  rate  information  from  approximately  50  feet  until  mean  gear 
touchdown.  IfRA  data  is  not  available,  the  bcdl  bar  is  considered  sufficient  under  normal  circumstances 
to  cdlow  the  pilot  to  achieve  acceptable  touchdown  conditions.  In  the  event  of  cm  RA  failure(s), 
consideration  should  be  given  to  landing  site  conditions  (e.g.,  winds,  turbulence,  ceiling,  lighting 
conditions,  visibility,  landing  ground  speed,  vehicle  mass  properties,  touchdown  point,  runway  lighting, 
mission  duration,  etc.)  as  they  relate  to  pilot  workload  and  usefulness  of  the  ball  bar.  Of  particular 
concern  are  conditions,  which  if  combined  with  no  RA  data,  will  increase  the  probability  of  exceeding 
landing  gear/tire  limits.  Consideration  should  be  given  to  selecting  the  landing  site  that  offers  the  more 
benign  landing  conditions.  This  consideration  should  focus  on  which  of  the  sites’  landing  conditions 
would  result  in  minimum  pilot  workload  and/or  impact  to  the  usefulness  of  the  ball  bar.  @[072398-6646  ] 

Rules  { A8-58J ,  ADI  LOSS;  and  {A8-1001},  GNC  GO/NO-GO  CRITERIA,  reference  this  rule. 
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A8-19  YAW  JET  DOWNMODE 

A.  IF  NO  YAW  JETS  ARE  AVAILABLE  ON  EITHER  LEFT  OR  RIGHT  SIDE, 

THE  NO-YAW- JET  DAP  MODE  WILL  BE  SELECTED  IF  ABOVE  MACH  =  1. 

The  no-yaw-jet  mode  for  emergencies  is  a  certified  flight  control  mode  from  Q-bar  =  20  psf  through 
landing.  This  mode  should  be  selected  between  Q-bar  =  20  psf  and  Mach  1  ( yaw  jets  inhibited)  if  no¬ 
yaw-jets  are  available  on  a  side.  In  the  low  Q-bar  regime  (Q-bar  <  20),  vehicle  response  will  be 
sluggish  and  pilot  workload  increased,  but  control  will  be  better  than  with  the  baseline  DAP.  Once 
selected,  it  is  not  necessary  to  deselect  the  no-yaw-jet  mode.  Flight  Rule  {A6-305}.,  AFT  RCS 
REDLINES,  defines  when  to  engage  no-yaw-jet  based  on  aft  RCS  quantity.  Reference  DA8-88-20  (FT), 
Entry  Flight  Techniques  Meeting  #41. 

B.  IN  OPS  3,  IF  THE  AEROJET  DAP  BASELINE  MODE  IS  SELECTED  AND 
ADDITIONAL  LATERAL  CONTROL  MARGIN  IS  REQUIRED,  THE  WRAPAROUND 
DAP  MODE  WILL  BE  ENABLED  IF  ABOVE  MACH  1.  ®[021998-6485B] 

The  aerojet  DAP  wraparound  mode  is  normally  enabled  for  EOM,  AOA/ATO,  and  contingency  payload 
return  entry  but  is  not  enabled  for  TAL  abort  entries,  due  to  lack  of  certification  for  TAL  aborts.  The 
wraparound  DAP  is  not  available  in  OPS  6.  If  lateral  control  margin  is  reduced  due  to  three  yaw  jets 
failed  on  one  side  or  aileron  trim  saturation,  a  loss  of  control  may  occur.  In  addition,  ifLVAR  9 
aerodynamic  uncertainties  are  experienced  (a  low-probability  potential  below  Mach  6),  excessive  jet 
firings  and  high  RCS  propellant  usage  may  result.  Enabling  wraparound  mode  eliminates  these 
problems  by  providing  increased  aileron  authority.  Reference  DA8-88-20  (FT),  Entry  Flight  Techniques 
Meeting  #41,  and  Ascent/Entry  Flight  Techniques  Panel  meeting  #141  minutes.  ®[021998-6485B] 

Rules  { A6-206J ,  RCS  MANIFOLD/LEG  LEAK  REPRESSURIZATION,  and  {A8-1001},  GNC  GO/NO-GO 
CRITERIA,  reference  this  rule.  ®[ED  ] 
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A8-20  ENTRY  ELEVON  SCHEDULE  SELECTION  CRITERIA 

THE  AUTO  ELEVON  SCHEDULE  WILL  NOMINALLY  BE  SELECTED  INDEPENDENT 
OF  X-AXIS  CENTER-OF -GRAVITY  (X  CG)  LOCATION  WITH  THE  FOLLOWING 
EXCEPTIONS : 

A.  THE  FIXED  ELEVON  SCHEDULE  WILL  BE  SELECTED  AS  REQUIRED  ON  A 
FLIGHT-SPECIFIC  BASIS  IN  ORDER  TO  SUPPORT  AERODYNAMIC  PTI'S. 
IF  AERO  PTI'S  ARE  SCHEDULED  AND  IT  IS  SUBSEQUENTLY  DECIDED 
NOT  TO  EXECUTE  THEM,  THEN  THE  AUTO  SCHEDULE  WILL  BE  SELECTED. 

B.  IF  THE  NO-YAW- JET  MODE  OF  THE  AEROJET  DAP  IS  REQUIRED  DURING 
ENTRY,  THE  FIXED  SCHEDULE  WILL  BE  SELECTED  IF  IT  IS  I -LOADED 
WITH  THE  AFT  SCHEDULE.  IF  EITHER  THE  FORWARD  OR  MID  SCHEDULE 
IS  LOADED,  THE  AUTO  SCHEDULE  WILL  BE  SELECTED. 

The  smart  body  flap  logic  incorporated  with  01-20  software  eliminates  the  need  for  selecting  elevon 
schedules  based  on  the  X  CGfor  entry.  The  smart  body  flap  is  enabled  anytime  the  auto  schedule  is 
selected  and  will  maintain  the  elevons  on  a  schedule  that  is  similar  to  the  previous  mid-CG  schedule  but 
will  allow  the  elevons  to  move  off-schedule,  within  limits,  in  order  to  thermally  protect  the  body  flap  and 
main  engines. 

The  fixed  elevon  schedule  main  tains  the  body  flap  logic  used  prior  to  01-20  and  allows  one  of  the  three 
previously  used  schedules  (fwd,  mid  or  aft)  to  be  loaded  into  this  slot.  It  is  planned  to  use  this  schedule 
to  support  aero  PTI’s  as  required  on  a  flight-specific  basis. 

Low  RCS  propellant  quantity  or  loss  of  yaw  jets  may  require  that  the  no-yaw-jet  mode  of  the  Aerojet 
DAP  be  selected  during  entry.  Selecting  a  schedule  with  more  positive  elevon  deflection  (down) 
increases  the  control  authority  of  the  elevons  by  moving  them  into  the  air  stream.  For  flights  in  which 
aero  PTI’s  are  not  planned,  the  aft  schedule  will  be  loaded  into  Prefixed  slot  and  this  schedule  will  be 
selected  if  the  no-yaw-jet  mode  is  required  even  though  this  may  thermally  impact  the  main  engine 
nozzles  (turnaround  issue).  The  auto  elevon  schedule  is  certified  for  use  with  the  no-yaw-jet  mode; 
however,  the  aft  schedule  provides  better  control  authority  (ref.  A/E  FTP  #76,  held  3/15/91).  The  fwd 
schedule  is  not  certified  for  use  with  the  no-yaw-jet  mode.  The  RCS  critical  entry  cue  card  contains  the 
procedural  callou  t  for  selecting  the  correct  schedule  to  be  used  with  the  no-yaw-jet  mode. 


A8-21  THROUGH  A8-50  RULES  ARE  RESERVED 
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FAILURE  DEFINITIONS 


A8-51  PHILOSOPHY 

A  GNC  PARAMETER  WILL  BE  CONSIDERED  FAILED  WHEN  IT  DIFFERS  WITH 
COMMON  REDUNDANT  OUTPUTS  BY  A  VALUE  GREATER  THAN  THE  I -LOADED  RM 
TRACKING  TEST  LIMITS.  IF  AN  LRU  DOES  NOT  PROVIDE  REDUNDANT  OUTPUTS 
(IMU,  TACAN,  MSBLS ,  ETC.),  PARAMETER  LOSS  WILL  CONSTITUTE  LRU  LOSS. 
FOR  THOSE  LRU'S  WITH  REDUNDANT  OUTPUTS,  (RHC,  RPTA,  SBTC,  SWITCHES, 
ETC.),  THE  LRU  WILL  NOT  BE  CONSIDERED  FAILED  UNTIL  MULTIPLE  FAILURES 
HAVE  CAUSED  THE  SELECTION  FILTER  TO  OUTPUT  BAD  DATA.  REDUNDANT 
LRU'S  MAY  BE  REGAINED  BY  RECONFIGURING  RM  TO  "PRIME  SELECT"  A  SINGLE 
OUTPUT  PARAMETER.  SUBSEQUENT  FAILURE  OF  THE  PRIME  SELECT  PARAMETER 
WILL  CONSTITUTE  LOSS  OF  THE  LRU. 


An  LRU  with  redundant  outputs  may  still  be  usable  as  long  as  the  SF  outputs  good  data.  Deselection  of 
failed  parameters,  allowing  the  SF  to  prime  select  the  good  parameter,  regains  use  of  that  LRU.  When 
this  final  good  parameter  fails,  the  LRU  is,  therefore,  unusable. 


A8-52  SENSOR  FAILURES 

SENSOR  FAILURES  DETECTED  BY  COMPARISON  WITH  GROUND  RADAR  DATA: 

A.  IMU  -  AFTER  ONBOARD  RM  HAS  DECLARED  A  DILEMMA,  THE  FAULT  IS 

ISOLATED  TO  THE  LRU  WITH  THE  MOST  NON-ZERO  SLOPE  ON  THE 

RADAR/ IMU  VELOCITY  PLOTS. 

B  .  TACAN : 

1.  AFTER  ONBOARD  RM  HAS  DECLARED  A  DILEMMA,  THE  FAULT  IS 
ISOLATED  TO  THE  LRU  WHOSE  RANGE  OR  BEARING  EXHIBITS  THE 
LARGEST  DELTA  FROM  GROUND  RADAR. 

2.  IF  THE  GROUND  RADAR/TACAN  COMPARISON  INDICATES  A 
SIMILAR  ERROR  ON  ALL  LRU'S  GREATER  THAN  0 . 3  NM  (RANGE) 
OR  1 . 0  DEGREE  (BEARING),  THEN  THE  ALTERNATE  TACAN 
GROUND  STATION  WILL  BE  SELECTED  (IF  AVAILABLE) . 

3.  AT  THE  TACAN  2-LRU  LEVEL,  IF  THE  AVERAGE  GROUND 
RADAR/TACAN  DELTA  IS  GREATER  THAN  0 . 3  NM  (RANGE)  OR 
1.0  DEGREE  (BEARING),  THEN  THE  LRU  WITH  THE  LARGER 
ERROR  WILL  BE  DESELECTED. 

THIS  RULE  CONTINUED  ON  NEXT  PAGE 
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A8-52  SENSOR  FAILURES  (CONTINUED) 

C.  ADTA  -  AFTER  ONBOARD  RM  HAS  DECLARED  A  DILEMMA,  THE  FAULT  IS 
ISOLATED  TO  THE  LRU  WHOSE  ALTITUDE  IS  FURTHEST  FROM  THE 
RADAR-COMPUTED  ALTITUDE  ON  THE  RADAR/ADTA  PLOTS. 

D.  MLS  -  AFTER  ONBOARD  RM  HAS  DECLARED  A  DILEMMA,  THE  FAULT  IS 
ISOLATED  TO  THE  LRU  WHOSE  RANGE /AZ IMUTH/ELEVAT ION  EXHIBITS 
THE  LARGEST  DELTA  WITH  RESPECT  TO  RADAR-COMPUTED  VALUES  ON 
THE  MCC  MLS  PLOTS. 

This  rule  applies  to  ascent/entry  only. 

A  dilemma  occurs  at  the  two-level  when  a  disagreement  greater  than  the  RM  threshold  occurs. 

Onboard  RM  may  not  be  able  to  correctly  isolate  a  dilemma.  The  ground  can  determine  more  readily 

and  accurately  which  unit  has  failed  by  comparing  the  orbiter  parameters  to  the  ground  radar.  The 

crew  has  no  insight  into  radar  data. 

a.  For  the  IMU,  the  onboard  state  vector  (PASS  and  BFS)  may  be  compared  to  ground  vector  to 
resolve  the  dilemma.  Onboard  velocity  data  is  a  function  of  platform  alignment  as  well  as 
accelerometer  accuracy.  When  accelerations  are  large  ( i.  e. ,  during  powered  flight  or  entry),  the 
onboard  velocity  data  is  compared  with  radar  data  to  determine  which  unit  is  providing  the  most 
accurate  data,  thus  breaking  the  dilemma.  During  orbit  operations,  accelerometer  output  is  read 
directly  to  reveal  the  IMU  with  incorrect  velocity  output. 

b.  A  TACAN  dilemma  will  occur  for  a  range  disagreement  of  3000 feet  or  for  a  bearing  disagreement  of 
6  degrees.  Analysis  shows  that  selected  TACAN  errors  greater  than  0.3  nm  in  range  or  1.0  degree  in 
bearing  can  result  in  violation  of  position  delta  state  limits.  Rule  {A4-206},  NAVIGATION  FILTER 
MANAGEMENT  AUTO/INHIBIT/FORCE  (AIF),  references  this  rule.  (Ref.  Rule  {A4-204J,  DELTA 
STATE  POSITION  UPDATES,  and  Ascent/Entry  Flight  Techniques  #80.) 

c.  At  the  four-level,  a  side-to-side  dilemma  can  occur  if  there  is  a  data  miscompare  between  the  two 
sides. 

d.  For  the  MLS,  the  data  good  flag  will  be  reset  for  a  disagreement  of  0.329  nm  in  range,  0.5  degree 
azimuth,  or  0.4  degree  elevation.  In  this  case,  navigation  will  default  to  IMU  data.  For  an  azimuth 
or  range  dilemma,  MLS  data  should  not  be  processed.  For  an  elevation  dilemma,  do  not  process 
elevation  data,  but  process  azimuth  or  range  data  if  good.  Processing  of  bad  MLS  data  can  be 
inhibited  by  powering  off  the  appropriate  LRU,  by  changing  the  channel  thumbwheel  selection,  or 
by  forcing  TACAN  data. 

Rule  (A4-206A),  NAVIGATION  FILTER  MANAGEMENT  AUTO/INHIBIT/FORCE  (AIF), 
references  this  rule. 
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A8-53  QMS  TVC  LOSS 

A.  AN  OMS  ENGINE  IS  CONSIDERED  FAILED  IF  TVC  CAPABILITY  (BOTH 
PRIMARY  AND  SECONDARY)  IS  LOST  IN  EITHER  AXIS  AND  THE  ENGINE 
DOES  NOT  MEET  THE  REQUIREMENT  AS  SPECIFIED  IN  PARAGRAPH  D. 

TVC  capability  is  required  in  both  axes  of  the  OMS  gimbal  for  proper  vehicle  control.  It  is  possible  to 
burn  an  engine  with  TVC  power  off  if  the  position  mistrim  with  respect  to  the  vehicle  CG  is  acceptable. 
RCS  usage  will  increase  in  proportion  to  the  magnitude  of  the  mistrim.  The  maximum  amount  of  mistrim 
acceptable  ( determined  by  RCS  constraints)  is  documented  in  paragraph  D. 

B.  THE  PRIMARY  OR  SECONDARY  OMS  TVC  IS  CONSIDERED  FAILED  IF 
THE  GIMBAL  DRIVE  CHECK  INDICATES  A  DRIVE  RATE  OF  LESS  THAN 
2.9  DEG/SEC  BETWEEN  A  GIMBAL  POSITION  OF  ±3  DEGREES. 

The  limit  of  2.9  deg/sec  is  sufficient  to  provide  adequate  vehicle  control,  but  this  rate  is  well  below 
average  rate  of  all  actuators  in  the  field.  The  spec  ( Aerojet  Rocket  Company  ALRC  42483-J)  is  2.9 
deg/sec  and  thus  the  lower  limit  for  drive  rate  was  established  in  accordance  with  the  spec. 

C.  ENGINE  BELL  MOVEMENT  DURING  ASCENT: 

1.  AN  OMS  ENGINE  WILL  NOT  BE  FIRED  IF  IT  HAS  BEEN  CONFIRMED, 
BY  BOTH  THE  PRIMARY  AND  SECONDARY  POSITION  TRANSDUCERS, 
THAT  THE  ENGINE  BELL  MOVED  INBOARD  OR  UP  MORE  THAN  1 . 5 
DEGREES  IN  EITHER  AXIS  FROM  THE  PRELAUNCH  NORMAL  ENGINE 
STOW  POSITION  (ENGINE  BELL  DOWN  AND  OUTBOARD)  DURING  THE 
TIME  BETWEEN  LIFTOFF  +40  TO  70  SECONDS. 

During  the  time  between  liftoff  plus  40  to  70  seconds,  the  vehicle  experiences  maximum  dynamic 
pressure.  Movement  of  the  OMS  engine  into  the  air  stream  during  this  region  of  ascent  could  expose  the 
engine  to  windstream  pressures  great  enough  to  cause  damage  to  the  nozzle/throat.  Both  the  primary 
and  secondary  position  transducers  must  confirm  that  the  engine  moved  1.5  degrees  in  either  axis  into 
the  air  stream.  If  such  movement  occurs,  the  nozzle  may  be  deformed  and/or  the  throat  may  be  cracked. 
Firing  an  engine  in  this  condition  is  potentially  catastrophic.  The  constraints  in  this  rule  apply  to  both 
the  thin-  and  thick-walled  engine  bells.  (Ref.  SODB,  volume  III,  paragraph  4. 3. 3.6,  CA8-82-05  (FT), 
EH12-81-99,  and  EH12-82-030.) 

2.  FOR  SUSPECTED  MOVEMENT  (ONE  OF  TWO  TRANSDUCERS)  INBOARD 
OR  UP  MORE  THAN  1.5  DEGREES  IN  EITHER  AXIS,  THE  ENGINE 
WILL  ONLY  BE  FIRED  DURING  ABORT  DUMPS  IN  ACCORDANCE  WITH 
RULE  {A6-101},  OMS  ENGINE  BELL  MOVEMENT  DURING  ASCENT. 

Suspected  movement  is  movement  indicated  by  only  one  transducer.  PROP  Rule  { A6-101 },  OMS 
ENGINE  BELL  MOVEMENT  DURING  ASCENT,  explains  the  risks  incurred  by  not  firing  an  engine 
during  ascent  abort  dumps. 

THIS  RULE  CONTINUED  ON  NEXT  PAGE 
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A8-53  QMS  TVC  LOSS  (CONTINUED) 

D.  AN  OMS  ENGINE  MAY  BE  USED  FOR  OMS  BURNS  WITH  TVC  POWER  OFF  IF 
THE  NO-BACK  DEVICE  HELD  POSITION,  ±0.2  DEGREES,  FOR  THE 
ASCENT  PHASE  OF  FLIGHT  AND  ALL  SUBSEQUENT  OMS  BURNS  WITH  THE 
TVC  POWER  OFF.  THE  PROPELLANT  COST  (ADDITIONAL  POUNDS  OF  RCS 
PROPELLANT  PER  SECOND  OF  COMPUTED  BURN  TIME)  FOR  BURNING 
ENGINES  WITH  THE  TVC  POWER  OFF  (FIXED  TVC)  IS  AS  FOLLOWS: 

1.  FOR  A  TWO-ENGINE  OMS  BURN,  ONE  ENGINE  FIXED  TVC,  A 
PROPELLANT  COST  OF  0.9  LB/SEC  (100  PERCENT  ARCS)  WILL 
PROTECT  FOR  AN  ENGINE  TRIMMED  THROUGH  THE  CG  WITHIN 
1.0  DEGREE  IN  PITCH  AND  WITHIN  0.5  DEGREES  IN  YAW. 

2.  FOR  A  SINGLE  ENGINE  OMS  BURN  WITH  FIXED  TVC,  THE 
PROPELLANT  COST  WILL  BE  (72  PERCENT  ARCS,  28  PERCENT 
FRCS ) : 

a.  1.5  LB/SEC,  FOR  TOTAL  MISTRIM  (|P|  +  |Y|)  ?  2.0  DEGREES 

b.  0.75  LB/SEC  PER  DEGREE  MISTRIM,  FOR  TOTAL  MISTRIM 
>2.0  DEGREES 

SODB  paragraph  4.3.3.4.6.1.2e  specifies  that  the  minimum  operating  life  of  a  no-back  device  is 
unknown.  It  further  specifies,  however,  that  if  the  no-back  device  holds  ±0.2  degrees  for  the  boost  phase 
of  flight,  it  will  hold  an  engine  in  position  for  subsequent  OMS  burns  for  the  remainder  of  that  mission 
and  is  acceptable  for  a  subsequen  t  mission. 

The  propellant  cost  figures  for  fixed  TVC  burns  are  taken  from  studies  in  which  data  from  Trans  DAP 
OMS  TVC  burns  was  gathered/generated  and  analyzed  from  the  following  sources:  SSFS  (1983),  SAIL 
(1984,  1985),  and  Draper  SLS  Simulator  (1987,  1988).  The  data  was  analyzed  separately  for  the  two- 
engine  burns  (one  fixed  TVC)  and  for  the  single-engine  fixed  TVC  burns. 

For  the  two-engine  cases,  the  pre-deorbit  burn  mass  properties  were  used  from  STS  61-C;  delta-V 
toted  =  227.7 ft/sec  and  vehicle  weight  =  216,520  lb  (ref.  SODB,  volume  II).  These  cases  involved 
combinations  of  eg  mistrims  on  the  fixed  TVC  of  pitch  =  -1.0,  0.0,  +1.0  and  yaw  =  -0.5,  0.0,  +0.5.  It 
should  be  noted  that  uncertainties  in  the  eg  estimate  contribute  to  the  expected  toted  mistrim  error 
(RSS  of  3 -sigma  mistrim  estimates)  of  approximately  0.6  degrees  (ref.  Charles  Stark  Draper 
Laboratory,  Inc.  memo  no.  SSV-88-50).  The  data  indicated  that  a  propellant  cost  of  0.9  Ib/sec  of 
computed  burn  time  would  protect  for  all  combinations  ofP  and  Y  mistrims  as  stated  above. 

THIS  RULE  CONTINUED  ON  NEXT  PAGE 
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A8-53  QMS  TVC  LOSS  (CONTINUED) 

For  the  single-engine  cases,  the  pre-deorbit  burn  mass  properties  were  used  from  STS-6,  STS  41-D,  and 
STS  61-C.  The  delta-V  total  ranged  from  227.7  to  284.7 ft/sec,  and  the  vehicle  weight  ranged  from 
197,500  to  216,520  lb  (ref.  SODB,  volume  II. ).  Other  pertinent  assumptions  include  the  trimming  of 
residuals  and  data  normalization.  In  cdl  cases,  if  the  X  and  Z  residuals  were  more  than  2.0  ft/sec,  the 
propellant  cost  to  trim  them  to  less  than  2.0  ft/sec  [  +X  (25  Ib/fps),  -X  (30  Ib/fps),  +Z  (24  Ib/fps),  -Z  (35 
lb/fps)]  was  included  in  the  total  propellant  cost  figure.  In  order  to  account  for  the  differences  in  mass 
properties  and  delta  V  of  the  burns,  the  data  was  normalized  using  computed  burn  time. 

The  propellant  cost  for  total  mistrims  flPI  +  I  FI)  less  than  or  equal  to  2.0  degrees  is  1.5  Ib/sec  of 
computed  burn  time.  However,  even  in  this  range  where  the  cost  is  a  constant,  one  can  expect  that  the 
lower  the  total  mistrim,  the  lower  the  propellant  cost,  especially  for  single  axis  mistrims.  Therefore, 
mistrim  should  still  be  minimized.  The  data  is  noisy  in  this  regime  and  it  was  necessary  to  assume  a  cost 
of  1.5  Ib/secfor  all  cases  less  than  2.0  degrees  in  order  to  safely  blanket  all  data  points. 

The  cost  for  a  total  mistrim  of  greater  than  2.0  degrees  was  determined  to  be  0.75  Ib/sec  of  computed 
burn  time,  per  degree  of  toted  mistrim.  This  is  the  linear  function  that  safely  covers  all  data  points  for 
toted  mistrims  greater  them  2.0  degrees.  The  0. 75  Ib/sec  per  degree  of  mistrim  is  conservative  and  the 
actual  amoun  t  of  mistrim  in  each  axis  (and  the  direction  of  the  mistrim)  determines  the  more  exact 
propellant  cost.  Due  to  the  general  dependence  on  the  given  combination  of  pitch  and  yaw  mistrims  and 
the  differences  in  mass  properties  and  burn  delta  V,  it  is  recommended  that,  time  permitting,  the  actual 
case  is  simulated  to  supplement  the  results  shown  here.  This  data  and  all  other  data  from  the  mentioned 
studies  is  documented  (ref.  Lockheed  Engineering  and  Management  Services  Co.  memo  LEMSCO- 
19176;  Charles  Stark  Draper  Laboratory,  Inc.,  memos  SSV-87-10,  SSV-87-18,  and  SSV-88-14;  and  G&C 
Systems  Briefs  12.0,  OMS  TVC). 

Rules  {A6-101A},  OMS  ENGINE  BELL  MOVEMENT  DURING  ASCENT;  {A8-113A.4,  A.5  and  Bj,  OMS 
TVC  SYSTEM  MANAGEMENT;  and  ( A8-1001 },  GNC  GO/NO-GO  CRITERIA,  reference  this  rule. 
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A8-54  FIRST  STAGE  LOSS  OF  CONTROL  DEFINITION 

FOR  THE  PURPOSES  OF  RANGE  SAFETY  DECISIONS,  LOSS  OF  VEHICLE  CONTROL 
DURING  FIRST  STAGE  POWERED  FLIGHT  IS  DEFINED  AS  PITCH  OR  YAW  RATES 
GREATER  THAN  5  DEG/SEC  SUSTAINED  FOR  MORE  THAN  5  SECONDS. 

This  rule  defines  vehicle  loss  of  control  during  first  stage,  for  the  purposes  of  range  safety,  as  sustained 
rates  in  pitch  or  yaw  of  larger  than  5  deg/sec.  For  large  oscillations  where  the  rates  are  returning  to 
less  than  5  deg/sec  ( within  5  seconds),  the  vehicle  will  not  be  defined  as  out  of  control  in  order  to  allow 
the  flight  control  system  the  opportunity  to  arrest  the  perturbations. 

Flight  control  system  certification  tests  showed  pitch  and  yaw  rates  no  greater  than  2  to  3  deg/sec.  An 
additional  limited  set  of  simulation  runs  by  FDDD  of  stuck  SRB  actuators  showed  that,  for  the  cases 
where  intact  abort  capability  and  vehicle  structural  integrity  were  maintained,  the  vehicle  pitch  and  yaw 
rates  did  not  exceed  3  deg/sec  (ref  Range  Safety  Panel  Minutes  from  August  27,  1987).  Typical  periods 
of  these  oscillations  were  on  the  order  of  6  to  10  seconds.  (In  other  words,  the  flight  control  system 
responded  in  only  a  few  seconds.) 

It  is  postulated  that  a  disturbance  resulting  in  vehicle  rate  oscillations  of  greater  than  5  deg/sec  may  be 
arrested  by  the  flight  control  system.  Hence,  the  flight  control  system  should  be  given  the  opportunity 
(up  to  5  seconds)  to  arrest  such  a  disturbance  (ref.  Rule  {A4-256D},  CONTROLLABILITY,  and  Ascent 
Flight  Techniques,  4/24/87). 

A8-55  ET  SEPARATION  RCS  REQUIREMENTS 


JET 

GROUP 

MINIMUM  REQUIREMENTS 

NOMINAL  RTLS 

FWD  DOWN 

1 

3 

AFT  LEFT 

1 

3 

AFT  RIGHT 

1 

3 

AFT  UP 

1/SIDE 

2/SIDE 

AFT  DN 

1/SIDE 

2/SIDE 

FWD  YAW 

- 

1/SIDE 

These  requirements  represent  the  minimum  jets  required  to  maintain  vehicle  control  during  mated  coast, 
prevent  contact  between  the  ET  and  the  vehicle  during  ET  separation,  and  to  meet  the  required  staging 
conditions  post  RTLS  ET  separation.  Nominal  ET  separation  occurs  at  a  lower  dynamic  pressure  such 
that  fewer  jets  are  required  to  achieve  satisfactory  separation.  These  requirements  were  determined 
from  JSC  Engineering  Directorate  studies  (ref.  SODB,  paragraph  4. 5. 1. 1.6.1).  (Ref.  Rules  { A2-63J , 
ASCENT  STRING  REASSIGNMENT;  {A2-254},  ENTRY  STRING  REASSIGNMENT;  and  {A7-102C.4}, 
PASS  DATA  BUS  ASSIGNMENT  CRITERIA. ) 

Rules  (A2-69J  REGAIN  RCS  JETS  FOR  RTLS  ET  SEPARATION;  and  { A6-61A.2 },  RCS 
MANIFOLD/OMS  CROSSFEED  LINE  REPRESSURIZATION  [CIL],  reference  this  rule. 
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A8-56  BFS  LRU  REQUIREMENTS 

THE  FOLLOWING  DOUBLE  LRU  FAILURES  (ERROR  >  PASS  RM  LIMIT)  WHICH 
COULD  RESULT  IN  LOSS  OF  CONTROL  WILL  CAUSE  THE  BFS  TO  BE  NO-GO 
UNTIL  THE  LRU'S  ARE  DESELECTED  BY  THE  CREW.  DUAL  NULL  FAILURES 
ARE  ACCEPTABLE  FOR  ALL  LRU'S  EXCEPT  SRB  RGA' S . 

There  is  no  FDI  in  the  BFS.  To  determine  if  the  LRU  is  failed  in  the  BFS,  the  same  criteria  that  is  used 
by  FDI  in  the  PASS  to  declare  an  RM  failure  must  be  applied. 

Interchangeable-mid-value-select  (IMVS)  is  used  for  all  AA  ’s  and  RGA ’s,  the  same  as  in  the  PASS.  The 
aerosurface  feedback  selection  scheme  utilizes  IMVS  that  functions  like  quad-mid-value-select  ( QMVS) 
due  to  an  I-load  which  is  unique  to  the  BFS.  QMVS  and  IMVS  protect  against  dual  null  failures,  but 
neither  protect  against  dual  null  failures  greater  than  RM.  In  either  case,  the  crew  will  deselect  the 
failed  LRU’s  in  the  BFS  in  order  to  maintain  an  engageable  BFS.  The  BFS  has  the  same  manual 
deselect  capability  as  the  PASS  for  AA’s,  RGA’s,  and  aerosurface  feedbacks.  There  is  no  automatic 
downmoding  for  comm  faults,  so  deselection  is  also  needed  for  these  cases.  The  SRB  RGA  selection 
filter  uses  a  mid-value-select  (MVS)  scheme  for  LRU’s  1,  2,  and  3  only,  with  no  deselect  capability. 

A.  OPS  1: 

1.  ANY  TWO  LATERAL  AA' S  PRIOR  TO  THE  END  OF  FIRST  STAGE 
(LATERAL  AA's  NOT  USED  IN  OPS  1  POST-MM  102) . 

2.  ANY  TWO  NORMAL  AA's  PRIOR  TO  END  OF  LOAD  RELIEF  (90 
SECONDS  MET) . 

The  lateral  axis  feedback  is  used  in  first  stage  from  load  relief  through  SRB  tailoff,  but  the  normal  axis 
feedback  is  not  used  in  OPS  1  after  load  relief  is  complete.  The  normal  axis  feedback  is  gained  to  zero  at 
Vrel  =  2628 fps,  which  correlates  to  approximately  90  seconds  MET.  Double  failures  of  AA  feedback  in 
the  same  axis  would  cause  the  BFS  selection  filter  to  output  bad  data. 

3.  ANY  TWO  ORB I TER  RGA's,  SAME  AXIS. 

4.  ANY  TWO  OF  SRB  RGA's  1,  2,  OR  3,  SAME  AXIS  (MM  102  ONLY) . 

The  RGA’s  are  used  all  through  ascent  to  provide  vehicle  rate  data  to  guidance  and  flight  control. 

Like  the  AA’s,  a  double  failure  in  RGA  feedback  in  the  same  axis  could  cause  the  BFS  selection  filter  to 
provide  bad  data  to  flight  control.  The  SRB  RGA  selection  filter  uses  a  MVS  scheme  for  LRU’s  1,  2, 
and  3  only,  with  no  deselect  capability. 

THIS  RULE  CONTINUED  ON  NEXT  PAGE 
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A8-56  BFS  LRU  REQUIREMENTS  (CONTINUED) 

B.  OPS  3  OR  6: 

1 .  ANY  TWO  LATERAL  AA'  S . 

2.  ANY  TWO  ELEVON  OR  BODY  FLAP  POSITION  FEEDBACKS,  SAME 
SURFACE . 

3.  ANY  TWO  RGA's,  SAME  AXIS. 

In  general,  it  is  assumed  that  the  crew  will  not  engage  the  BFS  unless  absolutely  required.  The 
philosophy  is  that,  if  it  is  considered  usable,  the  BFS  is  GO  for  engage  after  committing  to  entry, 
even  though  it  may  require  off-nominal  crew  procedures. 

Double  failures  ofRGA,  lateral  AA,  body  flap,  or  elevon  position  feedbacks  could  cause  the  BFS 
selection  filter  to  provide  bad  data  to  flight  con  trol.  This  may  result  in  loss  of  vehicle  con  trol. 

AA  lateral  (Ny)  feedback  was  originally  added  to  the  flight  control  system  to  control  beta  ( sideslip ) 
dispersions  as  a  result  of  alpha  errors.  A  post-STS-4  R&E  study  (which  assumed  no  Ny  feedback,  LVAR 
20  elliptical  uncertainties,  FAD  4  aero,  and  only  two  RCS  yaw  jets  available  per  pod)  concluded  that 
alpha  errors  (as  a  result  ofIMU  errors  and  winds )  resulted  in  a  beta  buildup  and  subsequent  reduction 
of  stability  margins. 

Sensitivity  to  alpha  errors  was  especially  noted  during  bank  maneuvers  since  these  maneuvers  are 
performed  about  the  vehicle  stability  axis  (alpha  is  used  in  flight  control  to  determine  the  stability  axis). 

A  reduction  in  both  the  aerodynamic  variations  and  in  the  severity  of  wind  environmen  t  since  the  STS-1 
development  program  increase  the  capability  of  the  flight  control  system  with  Ny  feedback  failed  to  null. 

A  quick  look  R&E  study  performed  in  1987  using  the  STS-26  conditions  and  nominal  aero  revealed  that 
with  Ny  feedback  failed  to  null,  alpha  errors  up  to  4  degrees  were  acceptable  assuming  all  RCS  yaw  jets 
were  available.  As  a  result,  the  EFTP  concluded  that  the  BFS  flight  control  system  should  be  considered 
GO  with  null  Ny  feedback. 

It  is  also  important  to  note  that  the  incorporation  of  air  data  into  GNC  essen  tially  eliminates  alpha  error 
and  reduces  the  requirement  for  Ny  feedback.  Reference  EFTP  #39,  12/11/87. 

AA  normal  (Nz)  feedback  is  not  as  critical  in  the  BFS.  It  is  removed  from  the  command  loop  in  CSS 
(BFS  is  CSS  only).  However,  with  bad  Nz  feedback,  the  crew  displayed  ADI  pitch  error  will  be 
erroneous.  This  presents  an  increased  flying  challenge  since  the  crew  is  not  well  trained  to  fly  in  this 
configuration. 

For  body  flap  (BF)  feedback  failures,  loss  of  control  is  a  concern  if  the  failures  cause  the  BF  to  drive  full 
DOWN  and  stay  there.  The  elevons  will  be  driven  up  to  maintain  pitch  axis  trim.  This  causes  a  degradation 
of  aileron  control  authority  which  significan  tly  impacts  lateral/directional  vehicle  control.  SES  studies 
(September  4,  1990)  showed  that  loss  of  control  can  occur  with  the  BF  stuck  full  DOWN.  A  full  UP  BF  does 
not  create  flight  control  problems,  but  this  may  have  significant  thermal  impacts. 
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Rule  {A2-59B),  BFS  ENGAGE  CRITERIA,  references  this  rule. 


A8-57  PRELAUNCH  IMU  HOLD 

PRELAUNCH  IMU  HOLD  DOES  NOT  APPLY  PRIOR  TO  T  MINUS  4  MINUTES 
(EVENT  11  TIME)  WHEN  CONTINUOUS  IMU  ALIGNMENT  IS  COMPLETE  AND  THE 
IMU'S  GO  INERTIAL.  AFTER  T  MINUS  4  MINUTES,  THE  FOLLOWING 
CRITERIA  APPLY: 

A.  THE  JSC  MISSION  EVALUATION  ROOM  (MER)  WILL  PROVIDE  THE  IMU 

INERTIAL  REFERENCE  MISALIGNMENT  LAUNCH  GO/NO-GO  RECOMMENDATION 
TO  THE  JSC  FLIGHT  CONTROL  TEAM.  KSC  WILL  SERVE  AS  A  BACKUP  TO 
THE  MER. 


The  inertial  reference  alignment  monitor  system  (IRAMS)  is  required  to  monitor  individual  IMU 
prelaunch  misalignment.  IRAMS  is  available  at  the  JSC  MER  and  at  KSC.  All  MER  calls  relating  to  the 
IMU  system  will  be  coordinated  with  the  GNC  officer.  The  MER  is  responsible  for  coordination  with  all 
elements  (KSC,  RI,  etc.)  (ref.  AFTP  #40). 

B.  THE  LAUNCH  WILL  BE  NO-GO  FOR  THE  FOLLOWING: 

1.  THE  INERTIAL  REFERENCE  MISALIGNMENT  OF  ANY  IMU  AXIS,  AS 
MEASURED  BY  THE  IRAMS,  EXCEEDS  THE  APPLICABLE  REDLINE  AS 
SHOWN  BELOW: 


The  redlines  have  been  developed  as  limits  on  the  IMU  inertial  reference  misalignment  as  measured  by 
IRAMS.  Redlines  are  applicable  for  standard  and  direct  insertion  flights  (ref.  AFTP  #40). 

a.  FOR  A  28.5-DEGREE  INCLINATION  (DUE  EAST)  LAUNCH,  THE 
GENERIC  REDLINES  FOR  A  SAFE  AOA  TO  EDWARDS  ARE: 

®[011 295-1 752A] 

-243  ARC  SECONDS  ?  ?N  ?  330  ARC  SECONDS 
|  0 . 4 3?W  +  ?U  |  ?  821  ARC  SECONDS 

b.  FOR  A  28.5-DEGREE  INCLINATION  (DUE  EAST)  LAUNCH,  THE 
GENERIC  REDLINES  FOR  A  SAFE  AOA  TO  NORTHRUP  ARE: 

®[01 1 295-1 752A] 

-203  ARC  SECONDS  ?  ?N  ?  279  ARC  SECONDS 
|  0 . 4 3?W  +  ?U  |  ?  841  ARC  SECONDS 
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A8-57 

c . 


d . 


e . 


f . 


VOLUME  A 


_ FLIGHT  RULES _ 

PRELAUNCH  I MU  HOLD  (CONTINUED) 

FOR  A  39-DEGREE  INCLINATION  LAUNCH,  THE  GENERIC 
REDLINES  FOR  A  SAFE  AOA  TO  EDWARDS  ARE: 

-251  ARC  SECONDS  ?  ?N  +  0.513?W  +  0.102?U  ?  334  ARC 
SECONDS 

828  ARC  SECONDS  ?  |  -  0 . 2 0 6?N  +  0.348?W  +  ?U  | 

FOR  A  39-DEGREE  INCLINATION  LAUNCH,  THE  GENERIC 
REDLINES  FOR  A  SAFE  AOA  TO  NORTHRUP  ARE: 

-232  ARC  SECONDS  ?  ?N  +  0.516?W  +  0.098?U  ?  310  ARC 
SECONDS 

853  ARC  SECONDS  ?  |  -  0.201?N  +  0.338?W  +  ?U  | 

FOR  A  51.6-DEGREE  INCLINATION  (MIR  RENDEZVOUS) 
LAUNCH,  THE  GENERIC  REDLINES  ARE: 

-287  ARC  SECONDS  ?  ?N  +  0 . 992?W  -  0.184?U 

373  ARC  SECONDS  ?  ?N  +  0 . 992?W  -  0.184?U 

855  ARC  SECONDS  ?  |  -0.307?N  +  0.2  62?W  +  ?U  |  ®[0i  1295- 

1752 A] 

FOR  A  57-DEGREE  INCLINATION  LAUNCH,  THE  GENERIC 
REDLINES  ARE: 

-266  ARC  SECONDS  ?  0 . 82?N  +  ?W  -  0.18?U 
322  ARC  SECONDS  ?  0.73?N  +  ?W  -  0.04?U 
847  ARC  SECONDS  ?  |  -  0.33?N  +  0.23?W  +  ?U  | 
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A8-57  PRELAUNCH  I MU  HOLD  (CONTINUED) 

g.  FOR  RENDEZVOUS  MISSIONS  (EXCEPT  FOR  MIR  RENDEZVOUS), 
REDLINES  ARE  SPECIFIED  IN  THE  FLIGHT-SPECIFIC  ANNEX 
WHEN  REQUIRED:  ®[011 295-1 752A] 

WHERE : 

?n  =  MISALIGNMENT  ABOUT  THE  NORTH  AXIS 
?w  =  MISALIGNMENT  ABOUT  THE  WEST  AXIS 
?u  =  MISALIGNMENT  ABOUT  THE  UP  AXIS 

NOTE:  REF.  FLIGHT  RULES  ANNEX  FOR  FLIGHT-SPECIFIC  MISALIGNMENT 

REDLINES . 

The  01-22  software  upgrades  added  the  capability  to  continuously  align  IMU’s  in  OPS  1,  up  to  T-4 
minutes.  With  this  change,  the  probability  of  violating  the  above  redlines  is  extremely  low.  The  scenario 
to  in  voke  this  part  of  the  rule  would  generally  in  volve  counting  down  past  T-4  minutes,  where  the  OPS  1 
continuous  align  software  is  terminated,  and  then  recycling  back  for  a  later  launch  attempt  while 
remaining  in  OPS  1.  (Note:  at  least  1  hour  of  holdtime  is  required  for  ET  propellant  conditioning  and 
APU  cooldown.)  If  the  recycle  requires  returning  to  G9,  then  the  IMU  preflight  alignment  will  have  to 
be  reaccomplished  ( time  permitting,  ref.  paragraph  E.l.a  of  this  rule)  and  the  likelihood  of  violating  this 
part  of  the  rule  will  be  negligible.  For  51.6-degree  inclination  missions  (Mir  and  Station  flights),  the 
extremely  small  launch  window  makes  the  probability  of  violating  the  redlines  (without  failing  an  IMU) 
negligible.  ®[01 1 295-1 752A] 

Historically,  the  redlines  were  written  to  protect  for  a  safe  launch  and  abort  (RTLS,  TAL,  ATO,  AOA) 
(ref.  AFTP's  #35,  #37,  #39,  #40,  and  #44).  The  constraining  case  is  the  AOA.  With  the  OPS  1 
continuous  IMU  alignment,  it  is  very  unlikely  that  the  redlines  could  be  violated.  Effectively,  this  rule 
now  protects  for  cm  IMU  failure  occurring  after  T-4  minutes  (no  BITE  or  RM  FL  annunciated)  and  thus 
precludes  launching  into  cm  early  mission  termination.  ®[011 295-1 752A] 
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A8-57  PRELAUNCH  I MU  HOLD  (CONTINUED) 

The  redlines  protect  for  99.74  percent  (3  sigma)  probability  for  a  safe  AO  A  based  on  the  following 
assumptions  and  groundrules: 

a.  A  single  IMJJ  was  assumed  as  the  baseline  configuration  in  redline  determination. 

b.  A  3-sigmci  IMJJ  postlaunch  performance  based  on  previous  flight  experience  is  equal  to  2/3  of  the 
3-sigma  IMU  specification. 

c.  OPS  1/3  transition  will  be  accomplished  per  procedure  at  least  10  minutes  before  OMS-2  ignition. 

d.  An  AOA  requires  EI-5  downtrack  navigation  to  protect  the  following  constraints: 

1.  375  psfQ-bar  vehicle  structural  limit  with  worst  case  aerodynamics  at  TACAN  update 
(constraint  drives  the  negative  north  tilt  misalignment  redline  for  28.5-degree  inclination 
launch  and  contributes  to  the  redlines  for  a  57-degree  inclination  launch). 

2.  TACAN  low  energy  stretch  maneuver  capability  assuming  TACAN  is  forced  at  130k  feet  altitude 
(constraint  drives  the  positive  north  tilt  misalignment  redline  for  a  28.5-degree  inclination 
launch;  not  a  driver  for  57-degree  inclination  launch  redlines). 

3.  Leading  edge  temperature  limit  of  3100°  F  with  no  heat  rate  limit  (constraint  contributes  to 
57-degree  inclination  launch  redlines;  not  a  driver  for  28.5-degree  inclination  launch  redlines). 

e.  A  ground  state  vector  uplink  or  GCA  is  not  required. 

f.  Launch  is  from  KSC. 

g.  AOA  landing  site  is  Edwards  or  Northrup  for  28.5-degree  or  39-degree  inclination  launch  and 
Northrup  for  57-degree  inclination  launch  (ref.  CSDL  Memo  Shuttle  -  90-035).  The  AOA  landing 
site  is  51.6-degree  inclination  launch  (ref.  CSDL  MEMO  Shuttle-94-025).  ®[on 295-1 752A] 

h.  KT-70  IMU. 

i.  245 fps  maximum  MECO  underspeed. 

j.  Prelaunch  and  postlaunch  IMU  performance  are  independent. 

k.  Maximum  El  minus  5  crosstrack  dispersion  16. 7  run  to  protect  trajectory  control  and  autoland 
transition  criteria  (constraint  drives  the  west  and  up  misalignment  redlines  for  a  28.5-degree 
inclination  launch;  not  a  driver  for  57.0-degree  inclination  launch  redlines).  ®[011 295-1 752A] 

/.  The  Onboard  Navigation  Systems  Characteristics  (ONSC)  model  was  used  in  developing  the  redlines. 

THIS  RULE  CONTINUED  ON  NEXT  PAGE 


VOLUME  A  06/20/02  FINAL  GUIDANCE,  NAVIGATION  &  8-28 

CONTROL  (GN&C) 

Verify  that  this  is  the  correct  version  before  use. 


NASA  -  JOHNSON  SPACE  CENTER 


FLIGHT  RULES 


A8-57  PRELAUNCH  I MU  HOLD  (CONTINUED) 

m.  IRAMS  1-sigmci  azimuth  measurement  error  is  40  arc  seconds. 

n.  Worst  case  vehicle  AOA  mass  properties  of  heavyweight  and  forward  CG  (240k  lb,  1080  inches). 

2.  IF  THE  IRAMS  MISALIGNMENT  COMPUTATION  IS  NOT  AVAILABLE  AT 
EITHER  JSC  OR  KSC,  THE  LAUNCH  GO/NO-GO  CALL  WILL  BE  MADE 
BASED  ON  THE  FOLLOWING  GUIDELINES: 

LAUNCH  WILL  BE  NO-GO  IF  MCC  IMU  RELATIVE  DRIFT 
COMPUTATIONS  INDICATE  THAT  ANY  IMU  CLUSTER  AXIS  IS 
DRIFTING  AT  A  RATE  >  0.05  DEG/HR.  IMU  PREFLIGHT 
CALIBRATION  AND  ALIGNMENT  WILL  BE  REQUIRED  BEFORE  A 
SUBSEQUENT  LAUNCH  ATTEMPT.  ®[011 295-1 752A] 

Individual  IMU  misalignment  cannot  be  observed  if  IRAMS  is  unavailable  at  both  KSC  and  JSC.  MCC 
relative  drift  computations  ( between  IMU’s)  provide  the  only  remaining  method  of  monitoring  IMU 
prelaunch  drift.  Since  relative  drift  only  indicates  the  rate  at  which  IMU’s  are  drifting  apart  and  does 
not  indicate  individual  IMU  performance,  it  can  only  serve  as  a  rough  health  check  of  the  IMU’s.  An 
IMU  axis  drift  rate  greater  than  0.05  deg/hr  (HAINS)  in  the  IMU  cluster  reference  frame  (ref.  SODB 
4. 5. 1.2. 3. p.  2)  indicates  cm  anomalous  condition.  Interpretation  of  relative  drift  data  and  implementation 
of  this  rule  is  dependen  t  on  engineering  judgment.  A  preflight  calibration  is  required  before  a 
subsequent  launch  attempt  to  calculate  gyro  drift  compensation  terms  and  correct  excessive  drift,  or 
verify  an  IMU  failure.  This  will  require  a  minimum  of  approximately  3.6  hours  and  exceed  the  3 -hour 
crew  hold-time  limit  (ref.  Rule  {A2-4A},  LAUNCH  DAY  CREW  TIME  CONSTRAINTS),  causing  the 
launch  to  be  scrubbed.  The  limit  senses  only  as  a  health  check  of  the  IMU  (ref.  AFTP  #40).  Derivation  of 
the  limit  follows: 


a.  1-Sigma  Acceleration  Sensitive  Drift  Specification  At  lg 

b.  1 -Sigma  Bias  Drift  Specification 

(Up  To  17  Hours  From  Start  Of  Preflight  Calibration) 

c.  1 -Sigma  Total  Prelaunch  Drift  (RSS  Of  Above) 

d.  3-Sigma  Total  Prelaunch  Drift 

®[011 295-1 752A] 


HAINS 
0.015  Deg/Hr 
0.006  Deg/Hr 

0.016  Deg/Hr 
0.05  Deg/Hr 
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A8-57  PRELAUNCH  I MU  HOLD  (CONTINUED) 

C.  A  PERIOD  OF  30  MINUTES  AFTER  THE  IMU' S  GO  INERTIAL  (T  MINUS 
4  MINUTES)  IS  REQUIRED  PRIOR  TO  USING  THE  IRAMS  LAUNCH  HOLD 
PREDICTION  CAPABILITY. 


IRAMS  requires  30  minutes  to  generate  an  accurate  hold  time.  The  time  required  for  cm  accurate  hold 
time  prediction  is  dependen  t  on  actual  IMU  performance  and  may  vary,  but  30  minutes  is  used  as  a 
guideline.  If  a  prediction  is  required  before  30  minutes,  it  will  be  accompanied  by  cm  estimated  accuracy 
of  the  prediction.  In  this  case,  the  predicted  hold  time  cmd  the  estimated  accuracy  of  that  prediction  are 
heavily  dependent  on  engineering  judgment  (ref.  AFTP  #40). 

D.  THE  IMU'S  MAY  BE  REALIGNED  IF  EITHER  OF  THE  FOLLOWING  WILL 
OCCUR  PRIOR  TO  T-0  (THE  NEW  T-0  FOR  UNPLANNED  HOLDS),  OR 
PRIOR  TO  THE  END  OF  THE  LAUNCH  WINDOW  IF  A  NEW  T-0  IS 
UNCERTAIN: 

1.  IMU  RELATIVE  DATA  INDICATES  THREE-SIGMA  OR  GREATER  DRIFT 
RATES . 

2.  IRAMS  HOLD  PREDICTION  PROGRAM  DETERMINES  THAT  A 
MISALIGNMENT  REDLINE  WILL  BE  VIOLATED. 

NOTE:  REFERENCE  PARAGRAPHS  B.l,  B.2,  AND  E  OF  THIS  RULE. 

If  it  is  predicted  that  the  IMU  relative  drift  will  exceed  three  sigma  or  if  the  IRAMS  prediction  program 
indicates  that  a  violation  will  occur,  then  the  IMU’s  should  be  realigned,  time  permitting,  to  attempt  a 
launch  within  the  window.  If  the  IMU’s  are  not  realigned  cmd  a  redline  violation  occurs  without 
sufficient  time  for  realignment,  then  the  launch  may  be  scrubbed  unnecessarily. 

E.  PRELAUNCH  IMU  REALIGNMENT  MAY  BE  ACCOMPLISHED  BY  THE 
FOLLOWING  METHODS: 

1.  G9  IMU  PREFLIGHT  ALIGNMENT  MAY  BE  USED  SUBJECT  TO  THE 
FOLLOWING  CONSTRAINTS: 

a.  THE  LAUNCH  WINDOW  MUST  SUPPORT  THE  90  MINUTES 

REQUIRED  TO  RECYCLE  TO  G9  FOR  IMU  REALIGNMENT  AND 
COUNTDOWN  TO  T-0. 


After  a  recycle  to  G9,  the  IMU  alignment  cmd  nominal  GI  prelaunch  timeline  requires  90  minutes.  Some 
additional  time  may  be  required  in  GI  prior  to  transition  to  G9. 
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A8-57  PRELAUNCH  I MU  HOLD  (CONTINUED) 

2.  G1  GYRO  BIAS  UPLINK  MAY  BE  USED  FOR  IMU  REALIGNMENT 
SUBJECT  TO  THE  FOLLOWING  CONSTRAINTS: 

a.  IRAMS  IS  REQUIRED  TO  CALCULATE  GYRO  BIAS  UPLINK 
TERMS . 


IRAMS  is  required  to  monitor  individual  IMU  prelaunch  misalignment  and  calculate  gyro  bias  uplink 
values  to  correct  the  misalignment. 

b.  THE  LAUNCH  WINDOW  MUST  SUPPORT  THE  15  MINUTES 

REQUIRED  TO  GENERATE  AND  VERIFY  THE  GYRO  BIAS  UPLINK. 
THE  GYRO  BIAS  TERMS  (AS  COMPUTED  BY  THE  IMU  PREFLIGHT 
CALIBRATION)  WILL  BE  ON-BOARD,  AND  THE  PERFORMANCE 
WILL  BE  VERIFIED  PRIOR  TO  LIFT-OFF.  IT  IS  HIGHLY 
DESIRABLE  TO  VERIFY  THE  PERFORMANCE  PRIOR  TO  RESUMING 
THE  COUNT  AT  T  MINUS  5  MINUTES. 


Five  minutes  is  required  for  the  uplink  decision  and  implementation  process.  This  process  consists  of  the 
MERJMCC  decision  that  an  uplink  is  required;  coordination  of  required  compensation  values  between 
MER  and  MCC;  uplink  load  generation;  uplink  load  verification;  coordination  between  MER,  MCC  and 
KSC  prior  to  uplink  execution;  uplink  execution;  and  I  minute  for  torquing  out  IMU  misalignmen  t.  An 
additional  10-minute  monitoring/verification  period  is  required  after  the  realignment  is  complete  prior 
to  committing  to  launch. 


A8-58  ADI  LOSS 

AN  ADI  IS  CONSIDERED  FAILED  ONLY  IF  THE  ATTITUDE  BALL  IS  FAILED 
(N/A  FOR  MEDS  VEHICLES)  .  ©[040899-2459B] 

The  entry-critical  parameters  required  by  the  crew  can  be  monitored  using  the  attitude  ball  (or  sphere). 
While  rate  and  error  needles  are  desirable  (especially  for  monitoring  vehicle  control),  the  attitude  ball  is 
sufficient  in  providing  the  required  information.  As  a  result,  an  ADI  will  be  considered  failed  only  if  the 
attitude  sphere  is  not  providing  accurate  or  stable  attitude  reference.  This  rule  is  needed  for  making 
decisions  regarding  early  flight  termination,  night  landings,  and  IFM.  (Ref.  Rules  {A8-1001E},  GNC 
GO/NO-GO  CRITERIA,  for  dedicated  displays  and  {A8-18},  LANDING  SYSTEMS  REQUIREMENTS.) 
(Ref.  Entry  Flight  Tech.  Panel  #34,  8/21/87.) 
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A8-59  I MU  BITE  FAILURE  DEFINITION 

FOR  PURPOSES  OF  EARLY  MISSION  TERMINATION  AND  LANDING  SITE 
DOWNMODING,  AN  IMU  WITH  A  BITE  SHOULD  BE  CONSIDERED  FAILED  WITH 
THE  FOLLOWING  EXCEPTIONS: 


A. 

TRANSMISSION 

WORD 

2 

BITE 

B. 

TRANSMISSION 

WORD 

1 

BITE 

C. 

TEMPERATURE 

SAFE  BITE 

D  . 

TEMPERATURE 

READY 

BITE  ®[011 295-1 752A] 

IF  REAL-TIME  ASSESSMENT  DETERMINES  THE  BITE  TO  BE  FALSE  OR  NO 
IMPACT,  THEN  THE  IMU  WILL  NO  LONGER  BE  CONSIDERED  FAILED. 

At  the  three-level,  redundancy  management  (RM)  will  not  downmode  an  IMU  with  a  BITE  because  there 
is  no  risk  of  incorporating  bad  data.  At  the  two-level,  RM  will  downmode  the  IMU  with  the  BITE  should 
the  attitude  or  velocity  disagree  by  more  than  the  RM  threshold. 

A  BITE  is  an  indication  that  the  IMU  has  experienced  a  failure  and  may  be  operating  outside  of  spec. 
BITE  will  almost  always  indicate  an  actual  problem  with  the  IMU.  In  most  cases,  data  can  be  used  to 
determine  whether  or  not  the  BITE  is  real.  There  is,  however,  the  possibility  of  a  failure  in  the  BITE 
circuitry  itself  -  termed  false  BITE.  Also,  it  cannot  necessarily  be  determined  whether  or  not  an  IMU  will 
continue  to  operate  in  a  consistent  manner  while  outside  of  spec.  For  several  BITE’s,  performance  will 
remain  unknown  until  data  is  observed  during  entry.  It  is  logical,  therefore,  to  assume  that  the  BITE 
logic  has  correctly  identified  a  real  failure  and  to  consider  the  unit  failed.  Since  RM  provides  for 
BITE’s,  there  is  no  requirement  for  manned  deselection  of  the  affected  IMU. 

A  next  PLS  should  be  declared  after  the  second  BITE  (or  the  first  BITE  at  the  two-level)  to  reduce  the 
risk  of  losing  the  last  IMU.  Reference  Rule  {A2-207},  LANDING  SITE  SELECTION,  for  runway 
priorities.  ®[1 02402-5804C] 

The  Transmission  Word  2  Fail  BITE  (loss  of  slew)  only  impacts  the  IMU  if  an  IMU/IMU  alignment  is 
required.  Even  if  an  IMU/IMU  is  required,  other  options  exist  to  fully  recover  the  IMU. 
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A8-59  I MU  BITE  FAILURE  DEFINITION  (CONTINUED) 

A  Transmission  Word  1  Fail  BITE  (loss  of  pulse  torquing)  indicates  that  the  IMJJ  has  detected  an  error 
in  the  GPC  transmitted  pulse  torquing  commands.  The  IMU  will  not  use  these  commands  and  will  drift 
at  its  uncompensated  rate.  Since,  the  internal  compensations  of  the  HAINS  are  not  updated  on  a  flight - 
to-flight  basis,  the  uncompensated  drift  rates  can  vary.  For  a  real  Transmission  Word  1  BITE,  real-time 
assessment  will  be  required  to  determine  if  drifts  are  within  acceptable  limits  to  support  entry.  Matrix 
alignments  can  be  performed  to  keep  the  IMU  aligned  and  not  appreciably  alter  the  relative  skew 
between  the  IMU  platforms.  ®[011 295-1 752A] 

A  false  BITE  has  no  impact  to  IMU  performance  except  in  the  case  of  a  false  Transmission  Word  1  BITE. 
If  the  Transmission  Word  1  Fail  BITE  is  false,  the  GPC  will  overtorque  the  IMU.  The  impact  of  this 
false  BITE  can  be  minimized  by  zeroing  the  uplinked  gyro  drift  compensation  command,  mocling  the  IMU 
to  standby  and  back  to  operate,  and  then  performing  a  matrix  alignment.  ®[011 295-1 752A] 

The  Temperature  Safe  and  Temperature  Ready  BITE’s  do  not  indicate  temperature  problems,  but  rather 
power  supply  failures.  These  discretes  are  driven  directly  by  the  +5  V  dc  isolated  power  supply  on  the 
input  power  conditioner  (IPC)  card  and  are  used  only  to  maintain  transparency  between  the  current 
HAINS  and  the  previous  KT-70  IMU’s.  If  only  one  of  these  BITE’s  is  annunciated,  it  is  probably  a  false 
indication.  If  both  BITE’s  are  set  together,  then  the  +5  V  dc  isolated  power  supply  is  suspect.  Failure  of 
this  power  supply  would  also  result  in  Platform  Temperature  Safe,  Platform  Temperature  Ready,  and 
Communication  Good  BITE’s.  The  In-operate  Mode  and  Operate  command  would  also  be  set  false, 
resulting  in  the  IMU  moding  to  standby.  ®[01 1 295-1 752A] 

A8-60  LOSS  OF  VERNIER  RCS  DAP  MODE 

THE  VERNIER  RCS  DAP  MODE  IS  CONSIDERED  LOST  IF: 

A.  ANY  SINGLE  DOWN-FIRING  VRCS  JET  (F5L,  F5R,  L5D ,  R5D )  IS  LOST. 

For  the  loss  of  a  down-firing  VRCS  jet,  closed-loop  (i.e.,  AUTO,  INRTL-DISC,  LVLH-DISC)  DAP 
stability  and  controllability  usually  cannot  be  maintained,  and  the  VRCS  system  will  not  be  used  in  this 
mode.  The  DAP  will  downmode  to  free  drift  when  any  VRCS  jet  is  lost,  but  the  software  will  not  preven  t 
reselection  of  a  VRCS  closed-loop  mode,  even  though  this  mode  could  result  in  an  unstable  DAP 
configuration.  Open-loop  VRCS  control  (INRTL-PULSE,  FREE)  will  also  be  significantly  degraded,  and 
the  use  of  this  mode  should  be  assessed  on  a  case  by  case  basis.  ®[i  1 0900-7259  ] 
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A8-60  LOSS  OF  VERNIER  RCS  DAP  MODE  (CONTINUED) 

B.  EITHER  SIDE-FIRING  VRCS  JET  (R5R,  L5L )  IS  LOST  WHILE  A 

PAYLOAD  IS  ATTACHED  TO  THE  ORBITER  IN  ANY  NON-ENTRY 

CONFIGURATION. 

EXCEPTIONS  IN  WHICH  DAP  PERFORMANCE  IS  KNOWN  TO  BE  ACCEPTABLE 

FOR  THE  LOSS  OF  EITHER  SIDE-FIRING  JET  INCLUDE: 

1.  ALL  SPACELAB  MISSIONS  IN  WHICH  LOADED  RMS  OPERATIONS  ARE 
NOT  BEING  PERFORMED. 

2.  ALL  CONFIGURATIONS  FOR  INERTIAL  UPPER  STAGE  (IUS) 

DEPLOYS . 

3.  THE  PORTIONS  OF  THE  HUBBLE  SPACE  TELESCOPE  (HST)  REVISITS 
IN  WHICH  THE  PAYLOAD  IS  ATTACHED  DIRECTLY  TO  THE  PAYLOAD 
BAY  . 

4.  ALL  FLIGHTS  FOR  WHICH  MISSION-SPECIFIC  DAP  STABILITY 
ANALYSES  HAVE  FOUND  DAP  PERFORMANCE  TO  BE  ACCEPTABLE  FOR 
THIS  CONFIGURATION. 

Stable  VRCS  DAP  performance  has  been  verified  for  the  loss  ofL5L  or  R5R  with  either  an  empty 
payload  bay  or  payloads  berthed  in  the  bay.  The  DAP  will  still  downmode  to  free  drift  when  any  VRCS 
jet  is  lost,  but  the  software  will  not  prevent  reselection  of  a  VRCS  closed-loop  mode,  even  though  this 
mode  could  result  in  an  unstable  DAP  configuration.  If  payloads  are  attached  to  the  orbiter  in  a 
non-entry  configuration  (e.g.,  on  the  remote  manipulator  system  (RMS)  or  deployed  on  the  stabilized 
payload  deploymen  t  system  (SPDS)),  the  stability  and  con  trollability  of  the  orbiter/pciyload  system  must 
be  uniquely  verified  for  each  payload  position  and  each  combination  of  operable  VRCS  jets.  This  type  of 
study  is  necessitated  by  the  influence  on  DAP  performance  of  both  payload  CG  offsets  and  the  flexibility 
of  the  attached  mechanisms.  ®[1 1 0900-7259  ] 

A  study  has  already  been  performed  on  several  payloads  which  are  commonly  flown  (Spacelcib  and  all 
payloads  deployed  using  an  IUS),  as  well  as  the  portions  of  the  HST  maintenance  missions  in  which  HST  is 
attached  directly  to  the  payload  bay.  It  was  found  during  the  study  that  DAP  stability  will  be  adequate 
with  these  payloads  in  these  configurations  (ref.  Draper  Memo  SSV-90-027 ,  Controllability  of  Orbiter  With 
Vernier  Jet  Failures  During  Attached  Payload  Operations).  For  any  other  non-entry  orbiter/paylocid 
configuration,  the  loss  of  a  side-firing  vernier  should  be  cause  to  NO-GO  the  VRCS  DAP  mode  unless  an 
applicable  study  has  been  performed  which  indicates  that  the  given  configuration  will  result  in  adequate 
DAP  performance.  If  such  a  study  is  performed,  it  will  be  documen  ted  in  Section  A3. 12  of  the  mission- 
specific  Flight  Rules  Annex  (JSC-18308).  Rule  {A6-154},  RCS  VERNIER  OPERATION  TERMINATION, 
references  this  rule. 
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A8-61  SSME  SHUTDOWN  DUE  TO  HYDRAULIC  SYSTEM  FAILURES 

THE  FAILURE  OF  TWO  HYDRAULIC  SYSTEMS  DURING  ASCENT  WILL  RESULT  IN 
THE  LOSS  OF  TVC  ON  ONE  SSME  AND  THE  LOSS  OF  THROTTLE  CAPABILITY 
ON  TWO  SSME ' S .  IF  TWO  HYDRAULIC  SYSTEMS  FAIL,  THE  FOLLOWING 
ACTION  WILL  BE  TAKEN: 

A.  WITH  TWO  ENGINES  RUNNING  (NOM/ATO/TAL/RTLS ) ,  ONE  OF  THEM 
NONGIMBALLING,  SINGLE  ENGINE  ROLL  CONTROL  (SERC)  WILL  BE 
INVOKED  IMMEDIATELY  BY  THE  CREW.  THE  NONGIMBALLING  ENGINE 
WILL  BE  SHUT  DOWN  WHEN  SINGLE-ENGINE  PRESS  CAPABILITY  FOR  THE 
CURRENT  TRAJECTORY  IS  ACHIEVED,  BASED  ON  THE  THROTTLE  LEVEL 
OF  THE  GIMBALLING  ENGINE  AND  WITHOUT  ABORT  GAP  CLOSURE 
TECHNIQUES  APPLIED. 

Simulator  testing  has  verified  that  a  loss  of  control  is  almost  certain  to  occur,  usually  very  quickly,  when 
one  of  the  two  remaining  engines  has  lost  gimbal  capability  and  SERC  is  not  active.  Even  if  SERC  is 
invoked  (TRAJ  display,  Item  6),  a  loss  of  vehicle  control  is  still  possible,  especially  during  very  dynamic 
vehicle  maneuvers  such  as  powered  pitcharound  (PPA)  on  an  RTLS.  However,  if  SERC  is  invoked  within 
a  few  seconds  of  the  failure  that  results  in  this  configuration,  it  will  often  provide  good  vehicle  control 
until  SSME  gimbal  saturation  occurs.  Gimbal  saturation  generally  does  not  occur  prior  to  single-engine 
capability,  but  will  usually  occur  prior  to  MECO,  resulting  in  rapid  degradation  of  vehicle  control. 
Shutting  down  the  nongimballing  engine  at  single-engine  press  eliminates  the  possibility  of  gimbal 
saturation  occurring  after  that  point.  Single-engine  capability  calls  ( “single-engine  press,  ”  “single- 
engine  TAL,  ”  etc.  depending  on  curren  t  trajectory )  should  be  based  on  the  throttle  level  of  the 
gimballing  engine  with  no  abort  gap  closure  techniques  applied  (ref.  Rule  {A4-56I},  PERFORMANCE 
BOUNDARIES).  The  risk  of  a  few  more  seconds  of  exposure  to  potential  gimbal  saturation  is  considered 
small  compared  to  the  risks  of  flying  gap  closure  techniques.  If  single-engine  capability  has  already 
been  achieved  when  this  failure  scenario  occurs,  the  nongimballing  engine  should  be  shut  down 
immediately.  ®[082593-i  464C] 

B.  THREE  ENGINES  RUNNING: 

1.  NOMINAL/ ATO  -  THE  NONGIMBALLING  ENGINE  WILL  BE  SHUT  DOWN 
AT  SINGLE-ENGINE  PRESS  TO  MECO. 

SES  testing  has  verified  that  vehicle  control  is  acceptable  with  three  engines  running  and  one 
nongimballing  (two-engine  control  laws  are  utilized).  To  minimize  the  time  to  single-engine  press,  the 
nongimballing  engine  will  be  allowed  to  continue  to  run.  The  risk  incurred  in  this  period  is  that  a 
gimballing  engine  will  shut  down  and  immediate  action  (invoking  SERC,  ref.  Paragraph  A  above)  will 
be  required  to  maintain  vehicle  control.  ®[082593-l 464C] 
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A8-61  SSME  SHUTDOWN  DUE  TO  HYDRAULIC  SYSTEM  FAILURES 

(CONTINUED) 


After  single-engine  capability  is  achieved,  the  performance  risk  incurred  due  to  a  good  engine  failing 
following  shutdown  of  the  nongimballing  engine  is  minimized.  At  the  same  time,  the  loss  of  con  trol  risk 
associated  with  allowing  the  nongimballing  engine  to  continue  to  run  remains.  Therefore,  the  non¬ 
gimballing  engine  should  be  shut  down  at  single-engine  press  to  minimize  the  next  failure  impact. 

If  two  engine  throttles  are  stuck  at  a  high  power  level,  3.5g  may  be  exceeded  near  MECO.  Shutting  cm 
engine  down  at  cm  operationally  convenient  point  such  as  single-engine  press  will  eliminate  this 
problem. 

2.  TAL  -  THE  NONGIMBALLING  ENGINE  WILL  BE  SHUT  DOWN  AT 
SINGLE-ENGINE  TAL.  MANUAL  THROTTLES  WILL  BE  ENABLED 
PRIOR  TO  ABORT  SELECTION  IN  ORDER  TO  MAINTAIN  THE 
THROTTLES  AT  THE  NOMINAL  POWER  LEVEL.  @[082593-1 464C] 


For  a  three-engine  TAL,  the  same  rationale  as  paragraph  1  above  applies  for  engine  shutdown.  There 
are  severed  reasons  why  it  is  undesirable  to  throttle  down  the  good  engine:  It  may  result  in  guidance 
transients,  flight  control  would  not  be  as  good  during  the  roll  to  heads  up  (although  it  would  still  be 
acceptable),  little  time  would  be  gained  to  perform  the  abort  dump,  and  the  time  to  single-engine  press 
would  be  increased.  Therefore,  manned  throttles  will  be  selected  to  prevent  an  automatic  throttle  down 
when  TAL  is  declared.  This  action  is  not  required  if  TAL  is  declared  early  enough  that  automatic 
throttling  will  not  occur  at  abort  selection.  However,  since  there  is  no  disadvantage  to  selecting  manual 
throttles  for  this  short  period  of  time,  manned  throttles  will  always  be  selected,  for  consistency.  AUTO 
throttle  will  be  reselected  after  TAL  is  declared.  @[082593-1 464C] 

3.  RTLS : 

a.  IF  ONE  OR  BOTH  OF  THE  ENGINES  WITH  STUCK  THROTTLES 
ARE  AT  85  PERCENT  OR  LESS,  THEN  THE  NONGIMBALLING 
ENGINE  WILL  BE  ALLOWED  TO  RUN  TO  MECO. 

b.  IF  BOTH  ENGINES  WITH  STUCK  THROTTLES  ARE  AT  MORE  THAN 
85  PERCENT,  THEN  THE  NONGIMBALLING  ENGINE  WILL  BE 
SHUT  DOWN  2  MINUTES  PRIOR  TO  MECO. 

NOTE:  BEFORE  SELECTING  RTLS,  MANUAL  THROTTLES  WILL  BE 

ENABLED  AND  MINIMUM  THROTTLES  SELECTED.  AT  LEAST 
10  SECONDS  OF  MINIMUM  THROTTLE  LEVEL  IS  DESIRED 
PRIOR  TO  RTLS  SELECTION.  AUTO  THROTTLES  WILL  BE 
RESELECTED  ANYTIME  PRIOR  TO  PPA.  @[082593-1 464C] 

THIS  RULE  CONTINUED  ON  NEXT  PAGE 


VOLUME  A  06/20/02  FINAL  GUIDANCE,  NAVIGATION  &  8-36 

CONTROL  (GN&C) 

Verify  that  this  is  the  correct  version  before  use. 


NASA  -  JOHNSON  SPACE  CENTER 


FLIGHT  RULES 


A8-61  SSME  SHUTDOWN  DUE  TO  HYDRAULIC  SYSTEM  FAILURES 

(CONTINUED) 

Av  with  the  NOM/ATO/TAL  cases,  it  is  preferable  to  leave  the  nongunballing  engine  running  through 
single-engine  press  to  MECO  and  accept  the  risk  of  the  loss  of  a  gimballing  engine  to  this  point.  Due  to 
the  possibility  of  SSME  failures  resulting  from  valve  drift  on  the  engines  in  hydraulic  lockup,  the  time  to 
single-engine  press  should  be  minimized,  since  engine  failures  prior  to  this  point  can  result  in  loss  of 
vehicle  and  crew  bailout.  Unfortunately,  shutting  an  engine  down  at  single-engine  press  on  an  RTLS 
with  two  stuck  throttles  can  lead  to  undesirable  results. 

For  the  con  tingency  case  in  which  two  hydraulic  system  failures,  in  addition  to  another  independen  t 
failure,  result  in  a  three-engine  RTLS  with  two  SSME  throttles  stuck  high,  it  is  possible  for  g  forces  to 
get  as  high  as  3.9g.  Therefore,  if  both  stuck  throttles  are  above  85  percent,  an  engine  must  be  shut 
down  before  MECO-20  seconds  in  order  to  avoid  the  possibility  of  exceeding  3.5g.  However,  analysis 
has  shown  that  shutting  down  the  nongimballer  with  85  seconds  of  MECO  in  this  scenario  leaves  more 
than  2  percent  propellant  remaining  in  the  ET  at  MECO,  resulting  in  orbiter/ET  recontact  after  ET 
SEP.  Therefore,  MECO-2  minutes  was  selected  as  an  operationally  convenient  shutdown  cue  that 
would  eliminate  both  the  recontact  and  the  g-load  concerns.  One  drawback  to  shutting  down  at  this 
point  (or  any  later  point)  is  that  guidance  commands  a  large  pitch-up.  Although  the  vehicle  adequately 
follows  the  guidance  commands,  this  pitch  transient  causes  the  dedicated  displays  to  pass  through  the 
singularity  point,  degrading  the  crew’s  capability  to  monitor  vehicle  control.  The  only  way  to  avoid  this 
pitch  transien  t  would  be  to  shut  the  engine  down  just  after  powered  pitcharound  (PPA),  which  would 
extend  the  time  to  single-engine  press  by  more  than  1  minute,  compared  to  shutting  down  at  MECO-2 
minutes.  Since  the  pitch  transient  is  due  to  a  guidance  command  and  not  a  control  problem  and  since 
the  risk  of  engine  failure  due  to  valve  drift  was  considered  to  be  a  greater  concern  than  the  momentary 
loss  of  crew  monitoring  capability,  it  was  decided  that  MECO-2  minu  tes  is  the  optimal  shutdown  time. 
(Reference  Ascent/Entry  Flight  Techniques  Panel  #105,  10/22/93.) 

For  the  case  in  which  at  least  one  throttle  is  stuck  at  or  below  85  percent,  there  is  no  threat  of  exceeding 
3.5 g.  Depending  on  the  throttle  levels  of  the  stuck  engines,  it  also  may  not  be  acceptable,  from  a 
performance  standpoint,  to  shut  down  the  nongimballing  engine  before  single-engine  press.  Since 
shutting  down  after  single-engine  press  can  result  in  an  undesirable  pitch  transient  and  is  not  required  to 
protect  for  excessive  g-loads,  it  is  preferable  to  leave  all  three  engines  running  to  MECO  for  this  case. 
The  only  risk  incurred  with  this  philosophy  is  that  the  window  of  exposure  to  the  failure  of  a  gimballing 
engine  remains  open  until  MECO  for  this  case. 

The  85-percent  throttle  level  provides  an  operationally  convenient  breakpoint  which  ensures  that  a 
shutdown  will  never  be  performed  if  the  engine  is  needed  to  achieve  the  desired  MECO  targets,  while 
also  ensuring  that  an  engine  will  always  be  shut  down  if  any  threat  of  exceeding  3.5g  exists.  For 
scenarios  in  which  engines  are  stuck  at  intermediate  throttle  settings,  acceptable  results  can  sometimes 
be  obtained  regardless  of  whether  or  not  an  engine  is  shut  down. 
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A8-61  SSME  SHUTDOWN  DUE  TO  HYDRAULIC  SYSTEM  FAILURES 

(CONTINUED) 


For  all  RTLS  cases  with  two  stuck  throttles,  minimum  throttles  will  be  selected  prior  to  abort  selection. 
Doing  so  will  allow  guidance  to  converge  on  the  correct  average  thrust  level  and  will  reduce  the 
probability  of  a  early  PPA.  For  guidance  to  have  enough  time  to  converge,  minimum  throttle  levels  must 
be  achieved  at  least  10  seconds  prior  to  RTLS  selection.  If  not,  an  early  PPA  may  occur,  resulting  in 
MECO  conditions  that  are  not  optimized.  AUTO  throttles  should  be  reselected  at  some  point  prior  to 
PPA,  but  are  not  mandatory  prior  to  RTLS  selection.  ®[082593-l464C] 

C.  SHUTDOWN  MATRIX: 


FAILED 

NONGIMBALLING 

ENGINES  WITH 

HYDRAULIC  SYSTEM 

ENGINE 

STUCK  THROTTLES 

1  AND  3 

CENTER 

CENTER  AND  RIGHT 

1  AND  2 

LEFT 

CENTER  AND  LEFT 

2  AND  3 

RIGHT 

LEFT  AND  RIGHT 

The  failure  of  two  hydraulic  systems  will  cause  two  engines  to  lock  up  hydraulically  and  eliminate  TVC 
capability  on  one  of  these  two  engines.  The  engine  shutdown  matrix  identifies  which  engines  have  lost 
TVC  and/or  throttle  capability. 

Rules  (A4-59J,  MANUAL  THROTTLE  SELECTION ;  {A5-109},  MANUAL  SHUTDOWN  FOR  TWO 
STUCK  THROTTLES  (NOT  DUAL  APU  FAILURES);  {A5-103},  LIMIT  SHUTDOWN  CONTROL;  and 
{A2-301},  CONTINGENCY  ACTION  SUMMARY,  reference  this  rule.  ©[092195-1770A]  ®[ED  ] 

A8-62  THROUGH  A8-100  RULES  ARE  RESERVED 
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MANAGEMENT 


A8-101  BEEP  TRIM  DEROTATION 

A.  THE  RHC  BEEP  TRIM  SWITCH  WILL  NOMINALLY  BE  USED  TO  PERFORM 
ORBITER  DEROTATION.  THE  RHC  WILL  BE  USED  AS  A  BACKUP  IF  THE 
BEEP  TRIM  IS  INOPERABLE.  ®[1 20894-1 722A]  @[110900-3780] 

The  RHC  beep  trim  switch  provides  a  smooth  and  predictable  orbiter  pitch  derotation  rate.  Use  of  this 
switch  eliminates  the  derotation  rate  dispersions  in  troduced  during  the  initiation  of  derotation  when 
using  the  RHC.  The  improved  derotation  characteristics  provided  by  the  beep  trim  switch  reduces  tire 
and  main  landing  gear  peak  loads.  This  in  turn  allows  derotation  to  be  performed  at  higher  airspeeds 
than  it  can  be  performed  using  the  RHC.  Derotating  at  higher  airspeeds  reduces  the  time  in  the  two- 
point  attitude  where  less  lateral  control  authority  is  available. 

Beginning  with  01-28,  PASS  software  was  modified  to  provide  effectively  two-fault  tolerance  to  an 
uncommanded  rate  input  by  using  WOW  and  EAS  as  the  enable  function  for  the  Beep  Trim  derotation 
( beep  trim  is  a  two-contact  switch ).  This  eliminated  a  requirement  to  reconfigure  the  PANEL  power 
and  RHC/PANEL  enable  switches  at  M  2. 7,  and  closes  a  window  of  exposure  where  a  failed 
contact/ commfaidt  combination  resulted  in  an  undesired  rate  command.  On  the  first  pass  after  WOW 
is  set,  the  software  polls  the  left  and  right  beep  trim  contacts,  and  no-ops  contacts  indicating  “1”  (vote 
to  initiate  a  negative  pitch  rate )  by  latching  the  failed  high  contacts  to  “0” .  If  both  contacts  on  one 
RHC  indicate  “1”  during  the  first  pass,  only  one  contact  is  set  to  “0” .  Additionally,  a  commfaulted 
contact  is  considered  to  be  “0”  by  the  logic.  Post  WOW,  while  greater  than  195  KEAS  ( I-load ),  both 
contacts  of  either  the  left  or  right  beep  trim  are  required  to  indicate  “1”  prior  to  a  derotation 
command  being  honored.  Less  than  or  equal  to  195  KEAS,  only  one  contact  is  required  to  initiate  a 
derotation.  If  both  contacts  are  failed  open  or  commfaulted,  or  if  one  con  tact  is  failed  high  prior  to 
WOW  and  the  other  contact  commfaulted,  a  manual  derotation  using  the  RHC  is  required.  There  are 
specific  failures  which  will  result  in  an  auto-derotation  anytime  the  orbiter  airspeed  is  less  than  or 
equal  to  195  KEAS.  These  are  1)  failure  of  a  single  contact  high  after  WOW,  and  2)  two  contacts 
failed  high  pre-WOW. 

B.  IF  THE  BFS  IS  ENGAGED,  THE  CDR' S  PANEL  TRIM  POWER  WILL  BE 
TURNED  OFF  AND  THE  RHC/PNL  TRIM  INHIBIT/ENABLE  SWITCH  WILL  BE 
PLACED  IN  ENABLE  TO  PROVIDE  BEEP  TRIM  DEROTATION  CAPABILITY. 

This  action  will  provide  beep  trim  derotation  capability  for  the  CDR  only;  there  is  no  PET  capability  in 
the  BFS.  ®[1 1 0900-3780  ] 


VOLUME  A  06/20/02  FINAL  GUIDANCE,  NAVIGATION  &  8-39 

CONTROL  (GN&C) 

Verify  that  this  is  the  correct  version  before  use. 


NASA  -  JOHNSON  SPACE  CENTER 


FLIGHT  RULES 


A8-102  RGA  SYSTEM  MANAGEMENT  [CIL] 

IF  FOUR  ORBITER  RGA' S  ARE  AVAILABLE  AND  A  KNOWN  FAILURE  CONDITION 
EXISTS  WHERE  ONE  ADDITIONAL  FAILURE  WOULD  CAUSE  TWO  ORBITER  RGA' S 
TO  SIMULTANEOUSLY  LOSE  POWER,  ONE  OF  THE  AFFECTED  RGA' S  WILL  BE 
DESELECTED  IN  THE  BFS  [CIL] . 

Test  data  indicates  that  when  power  is  removed  from  an  orbiter  RGA  or  SRB  RGA  the  RGA  output 
electronics  generate  a  false  rate  approximately  equal  to  18  deg/sec  in  roll  and  10  deg/sec  in  pitch  and 
yaw.  This  false  rate  signature  decreases  linearly  to  zero  approximately  10  seconds  after  the  power  is 
removed  from  the  RGA.  Since  interchangeable  midvalue  selection  (IMVS)  is  used  for  the  RGA  selection 
filter  in  the  BFS  when  four  RGA’ s  are  available,  a  simultaneous  power  fail  of  two  RGA’s  would  feed  the 
bad  rate  signature  directly  into  BFS  flight  control.  This  is  not  a  concern  in  the  PASS,  since  PASS 
redundancy  management  automatically  deselects  power  failed  RGA’s.  The  effect  of  this  transient  and 
subsequent  bad  rate  feedback  on  flight  control  may  be  catastrophic  during  any  dynamic  flight  phase. 

(Ref.  Configuration  Control  Board,  January  22,  1991,  Power  Loss  Characteristics  for  FCS  RGA’s.) 

If  it  is  known  that  one  electrical  bus  failure  will  remove  power  simultaneously  from  two  RGA’s  (requires 
previous  failure),  one  of  those  RGA’s  can  be  deselected  in  the  BFS  to  protect  for  that  bus  failure. 
Deselecting  an  RGA  will  downmode  the  selection  filter  to  a  MVS  scheme  and  thus  regain  full  single-fault 
tolerance. 

If  less  than  four  RGA’ s  are  available,  deselecting  an  RGA  to  protect  for  the  next  bus  failure  would  leave 
the  system  at  risk  to  any  RGA  LRU  or  power  failure  (while  averaging  or  prime  selecting),  so  no  action 
will  be  taken. 
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A8-103  PRIORITY  RATE  LIMITING  (PRL)  SYSTEMS  MANAGEMENT 

A.  MANUAL  SYSTEMS  MANAGEMENT  WILL  BE  REQUIRED  ANY  TIME  THE  PRL 
SOFTWARE  DOES  NOT  REFLECT  THE  CURRENT  STATUS  OF  THE  HYDRAULIC 
SYSTEMS . 

Self-explanatory. 

B.  DURING  ENTRY,  SINGLE  APU  PRL  RATES  ARE  REQUIRED  WHEN  ONE 
HYDRAULIC  SYSTEM  IS  DRIVING  THREE  OR  MORE  ELEVONS . 

One  hydraulic  system  cannot  support  the  flow  rate  required  to  move  three  elevons  at  the  maximum 
commanded  rate  of  30  degrees  per  second  {ref  SODB  4. 2. 7. 1.1).  Short  term  pressure  degradations  ( due 
to  the  high  hydraulic  fluid  flow  rate)  would  have  an  adverse  effect  on  vehicle  flight  control  due  to 
sluggish  or  stalled  elevon  movement. 

There  are  no  concerns  with  the  hydraulic  flow  required  to  support  single  APU  rates  with  two  hydraulic 
systems,  regardless  of  how  many  elevons  are  being  driven  by  one  of  the  two  systems. 

The  areas  of  concern  for  vehicle  flight  control  are  during  the  final  flare  maneuver  and  vehicle  derotation, 
when  actuator  rates  are  at  the  highest.  The  risks  associated  with  single  APU  drive  rates  during  this 
timeframe  are  less  than  those  associated  with  unequal  elevon  movemen  t.  Ascent  load  relief  and  entry 
prior  to  Mach  0.6  are  not  of  concern  for  this  case,  since  the  nominal  actuator  rates  are  not  high  enough 
to  cause  significant  pressure  degradation.  (Ref.  A/E  Flight  Techniques  Panel  #69,  July  20,  1990.) 
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A8-104  FCS  CHECKOUT 

THE  FCS  CHECKOUT  PART  1  (SECONDARY  ACTUATOR  CHECK)  WILL  BE 
PERFORMED,  IF  POSSIBLE,  PRIOR  TO  THE  DEORBIT  BURN  (PREFERABLY  IN 
OPS  8) .  IF  THE  ACTUATOR  CHECK  CANNOT  BE  PERFORMED  PRIOR  TO  THE 
BURN,  IT  WILL  BE  PERFORMED,  IF  POSSIBLE,  IN  MM  303.  THE  ACTUATOR 
CHECK  WILL  BE  DONE  UTILIZING  AN  APU  OR  HYDRAULIC  SYSTEM 
CIRCULATION  PUMP  ACCORDING  TO  THE  FOLLOWING  PRIORITY: 

A.  AN  APU  PREBURN. 

B.  A  CIRCULATION  PUMP  PREBURN. 

C.  AN  APU  POSTBURN. 

The  primary  purpose  of  the  secondary  actuator  check  is  to  test  the  aerosurface  servo  amplifiers  (ASA’s) 
for  null  driver  failures.  Two  undetected  null  failures  on  an  elevon  could  cause  loss  of  vehicle  control 
because  the  two  good  channels  could  be  bypassed  during  a  request  for  high  surface  rate  (CIL  05-1- 
FC60402-1 ).  The  secondary  purpose  of  the  check  is  to  test  the  secondary  pressure  transducers  and  the 
fault-detection  circuitry  in  the  ASA  that  issues  channel  bypass  commands.  (This  test  requires  hydraulic 
system  pressure  greater  than  2025  psi  to  be  completely  accomplished.) 

It  is  preferable  to  perform  the  complete  FCS  checkout  pre-deorbit  burn  to  allow  time  to  fully 
troubleshoot  any  flight  control  system  failures.  The  first  priority  is  to  use  an  APU  if  possible.  If  one  or 
more  APU’s  have  failed,  MMACS  will  determine  if  it  is  safe  to  attempt  starting  a  failed  APU.  If  an  APU 
cannot  be  used  for  the  actuator  check,  then  a  hydraulic  system  circulation  pump  will  be  used,  if  possible, 
to  do  the  check  preburn. 

When  using  an  APU,  the  checkout  procedure  has  the  crew  bypass  any  port  that  does  not  bypass  when 
the  stimulus  is  applied.  A  port  may  not  bypass  because  of  either  a  null  driver  failure  ( 1R/2)  or  a  fault 
detection  circuit  failure  ( 1R/3).  Without  insight  into  secondary  delta  pressures,  the  crew  must  assume 
the  worst  case  driver  failure  and  manually  bypass  the  port.  Given  time  to  review  the  data  (i.e.,for 
checks  done  preburn),  the  MCC  can  confirm  which  failure  exists.  For  a  fault-detection  circuitry 
failure,  the  channel  is  considered  to  be  good  and  the  port  will  be  reset. 

When  using  a  circulation  pump,  two  things  are  given  up  because  the  hydraulic  system  pressure  is  not 
great  enough.  The  rudder  and  speedbrake  drivers  cannot  be  checked  because  brakes  will  not  allow  these 
surfaces  to  move,  and  the  fault-detection  circuitry  for  all  surfaces  cannot  be  tested.  These  two  things 
considered,  it  is  still  preferable  to  accomplish  the  check  for  null  elevon  drivers  before  committing  to 
entry  rather  than  to  wait  until  after  the  deorbit  burn  to  accomplish  a  more  complete  check. 

THIS  RULE  CONTINUED  ON  NEXT  PAGE 
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A8-104  FCS  CHECKOUT  (CONTINUED) 

If  the  situation  does  not  permit  the  actuator  check  to  be  accomplished  with  either  an  APU  or  circulation 
pump  prior  to  the  burn,  the  check  will  be  performed  in  MM  303  if  it  is  possible  to  do  so.  An  APU  will  be 
used  with  its  hydraulic  pump  in  normal  pressure  even  if  only  one  APU  is  available  for  entry. 

One  polarity  stimulus  is  sufficient  to  test  for  null  failures;  both  polarity  stimuli  are  required  to  fully  test 
the  fault-detection  circuitry.  If  the  check  is  done  using  a  circulation  pump  or  if  it  is  done  postburn,  it 
will  be  abbreviated  in  that  only  one  stimulus  will  be  used.  The  abbreviated  check  is  appropriate 
postburn  because  it  minimizes  the  time  required  to  perform  the  check. 

The  priorities  are  the  same  for  early  mission  termination  scenarios  (AOA,  next  PLS,  MDF)  with  or 
without  APU /hydraulic  systems  failures.  Considerations  of  whether  to  perform  the  check  when  en  tering 
early  include  crew  workload,  other  systems  failures,  and  APU  hot  restart  constrain  ts. 

Reference  Rules  {A10-21},  LOSS  OF  APU /HYDRAULIC  SYSTEM(S)  ACTIONS;  { A10-29J ,  FCS 
CHECKOUT  APU  OPERATIONS;  and  Ascent/Entry  Flight  Techniques  Panel  Meeting  #47,  Continuation, 
August  29,  1988. 

Rules  { A10-21} ,  LOSS  OF  APU/HYDRAULIC  SYSTEM(S)  ACTIONS,  and  {A10-29},  FCS  CHECKOUT 
APU  OPERATIONS,  reference  this  rule. 
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A8-105  CONTROLLERS 

IF  TWO  CHANNEL  FAILURES  OCCUR  ON  AN  RHC,  THE  REMAINING  TRANSDUCER 
WILL  BE  PRIME  SELECTED,  IF  POSSIBLE,  TO  REGAIN  THE  CONTROLLER 
FUNCTION  AND  THE  RHC  WILL  THEN  BE  POWERED  OFF.  THE  RHC  MAY  BE 
POWERED  AT  ANY  TIME  IF  REQUIRED  FOR  VEHICLE  CONTROL.  IF  THE 
FAILED  RHC  IS  ON  THE  CDR' S  SIDE,  THE  CDR  WILL  FLY  THE  VEHICLE 
DURING  APPROACH  AND  LANDING  AS  LONG  AS  THERE  HAS  BEEN  NO  MORE 
THAN  ONE  TRANSDUCER  FAILURE. 

If  two  channels  of  an  RHC  fail,  prime-selecting  the  one  remaining  transducer  permits  use  of  that  RHC. 

The  RHC  is  powered  off  to  preclude  a  failure  of  the  remaining  good  transducer  which  could  cause 
inadvertent  jet  firings,  incorrect  aerosurface  commands,  or  loss  of  vehicle  control.  This  implies  that  if 
the  left  (CDR)  RHC  is  failed,  then  the  vehicle  must  be  flown  using  the  right  (PLT)  RHC,  either  by  the 
PLT  or  by  the  CDR  after  changing  seats.  Since  the  CDR  and  PLT  are  most  proficient  in  systems 
knowledge  and  operation  on  their  respective  sides  of  the  cockpit  and  the  CDR  is  more  highly  trained  to 
fly  the  vehicle,  it  is  strongly  desired  that  the  CDR  fly  the  vehicle  whenever  possible  and  only  from  the  left 
seat.  The  on  ly  danger  in  using  the  remaining  channel  (pitch  and  roll  transducer)  is  if  it  should  fail  when 
the  orbiter  is  extremely  close  to  the  ground.  This  would  be  a  third  failure  and  would  have  to  be  a  smart 
failure  as  well,  since  it  would  have  to  occur  in  a  very  narrow  bandwidth  of  time  after  having  successfully 
functioned  for  most  of  the  approach.  Since  each  member  of  the  crew  is  highly  trained  to  perform  specific 
functions  during  the  approach  and  landing,  there  is  a  much  greater  risk  involved  with  altering  these 
functions  just  to  protect  for  a  highly  unlikely  smart,  third  failure.  If  there  is  no  reason  to  suspect  the 
reliability  of  the  remaining  channel  (pitch  and  roll  transducer),  i.  e. ,  its  outputs  are  normal  and  both 
previous  failures  were  not  due  to  transducer  problems,  then  there  is  an  acceptable  risk  in  using  that  RHC 
(two  transducer  failures  could  indicate  a  possible  generic  problem).  Therefore,  as  long  as  the  last 
remaining  channel  (pitch  and  roll  transducer)  on  the  CDR’s  RHC  has  good  outputs  and  is  believed  to  be 
reliable,  the  CDR  will  fly  the  vehicle  during  approach  and  landing. 

Rules  {A2-261},  ENTRY DTO/AUTO  MODE/CROSSWIND  DTO  GO/NO-GO,  and  (A8-1001J,  GNC 
GO/NO-GO  CRITERIA,  reference  this  rule. 
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A8-106  TVC-SSME  STOW/ACTUATOR  FLUID  FILL 

(REPRESSURIZATION) 


A.  IF  SSME  STOW  PROBLEMS  OCCUR  AT  THE  END  OF  ASCENT,  THE  APU' S 
WILL  BE  SHUT  DOWN  ON  TIME  AND  THE  STOW  OPERATION  WILL  BE 
COMPLETED  ON  ENTRY  DAY. 


It  is  possible,  under  certain  conditions,  to  not  achieve  SSME  stow  during  ascent.  Because  the  last 
commands  issued  are  carried  across  OPS  transitions,  if  the  stow  commands  are  not  sent  before  the  stow 
sequence  is  halted  in  OPS  1,  the  SSME's  will  not  be  commanded  to  stow  in  OPS  3.  Thus,  a  transition  to 
OPS  8  is  required  since  the  stow  commands  are  issued  upon  transition.  If  the  stow  commands  are  sent 
before  the  sequence  is  halted,  the  stow  commands  will  carry  over  across  the  OPS  3  transition. 

B.  SSME  ACTUATOR  FLUID  FILL  USING  FULL  HYDRAULIC  PRESSURE  WILL 
BE  PERFORMED  ON  ENTRY  DAY  ON  ALL  ACTUATORS  OF  ALL  THREE 
ENGINES  EXCEPT  FOR  THE  FOLLOWING  CONDITIONS: 

1.  THE  DIFFERENCE  BETWEEN  ANY  COMMAND  (AVERAGE  OF  THE  ACTIVE 
ATVC  DRIVER  OUTPUTS)  AND  THE  INDICATED  POSITION  IS 
GREATER  THAN  2  DEGREES.  FOR  ACTUATORS  THAT  ARE  SUSPECTED 
TO  HAVE  A  BIASED  POSITION  TRANSDUCER  (SINGLE  STRING), 

DATA  FROM  PAST  FLIGHTS  OF  THAT  ACTUATOR  WILL  BE  USED  TO 
ASSESS  THE  LIKELIHOOD  OF  ACTUALLY  MOVING  THE  ACTUATOR 
MORE  THAN  2  DEGREES. 

2.  MAIN  ENGINE  POSITION  DATA  IS  NOT  AVAILABLE  AND  DATA 
BEFORE  THE  LOSS  INDICATES  THAT  A  STEP  OF  2  DEGREES  OR 
MORE  IS  POSSIBLE. 

EVERY  ATTEMPT  WILL  BE  MADE  TO  AVOID  VIOLATING  THE  2-DEGREE 
STEP  CONSTRAINT,  INCLUDING  STARTING  AN  APU  ON  ORBIT  TO 
PERFORM  SSME  FLUID  FILL. 


Fluid  fill  and  engine  repositioning  is  required  due  to  hydraulic  fluid  shrinkage  after  cooling  down  which 
may  result  in  engine  movement  of  2  to  3  degrees  in  each  axis.  A  2-  to  3 -degree  movement  from  the  stow 
position  would  result  in  exceeding  the  design  nozzle  temperature  limits  (aerodynamic  heating)  on 
engines  2  and  3  ( left  and  right  ME’s).  Two  APU’s  will  repressurize  all  three  engines.  One  APU  will 
repressurize  two  ME’s  (ref.  Rule  {A10-21B},  LOSS  OF  APU /HYDRAULIC  SYSTEM  (S)  ACTIONS ). 

THIS  RULE  CONTINUED  ON  NEXT  PAGE 
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A8-106  TVC-SSME  STOW/ACTUATOR  FLUID  FILL 

(REPRESSURIZATION)  (CONTINUED) 


SSME  steps  greater  than  2  degrees  (indicated)  under  full  hydraulic  pressure  risk  damage  (possible 
rupture )  to  the  hydraulic  lines  and  subsequent  loss  of  that  hydraulic  system.  The  average  of  the  active 
ATVC  driver  outputs  are  used  in  the  differencing  scheme  (as  opposed  to  the  software  command)  to 
eliminate  the  uncertainties  in  the  command  path.  The  2-degree  constraint  takes  into  account  the 
transducer  uncertainty  (ref.  SODB  3.4.5.1h.l).  Since  some  SSME  TVC  actuator  position  transducers 
have  shown  biases  and  scale  factors  in  the  position  output,  a  false  indication  of  the  command/position 
delta  could  lead  to  multiple  APU  starts  and  SSME  represses.  For  a  suspected  bias  in  the  transducer 
(single  transducer  through  MDM  OA1 ),  data  from  the  post-MECO  stow  position  and  past  hydraulic 
represses  of  that  actuator  will  be  used  to  assess  the  likelihood  of  actually  moving  the  actuator  more  than 
2  degrees.  The  flight  history  data  will  be  obtained  from  the  SSME  actuator  and  hydraulics  subsystem 
managers  through  a  SPAN-MER  chit. 

Main  engine  position  data  are  used  by  the  MCC  to  ensure  the  2-degree  constraint  will  not  be  violated.  If 
position  data  is  lost,  an  attempt  will  be  made  to  determine  if  a  2-degree  step  is  likely.  The  command/position 
delta  at  the  time  of  loss  of  data,  the  drift  rate  at  the  time  of  loss  of  data,  and  previous  flight  history  are 
factors  that  will  be  used  to  aid  in  this  determination. 

Wind  tunnel  testing  indicates  that  movement  of  a  mean  engine  nozzle  from  its  stow  position  during  entry 
increases  aerodynamic  heating  on  that  nozzle.  Not  performing  SSME  fluid  fill  increases  the  possibility 
that  nozzle  damage  will  occur  during  entry. 

This  rule  is  referenced  by  Rule  {A8-107},  FCS  CHANNEL  MANAGEMENT. 
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A8-107  FCS  CHANNEL  MANAGEMENT 

A.  FOR  RESTRING  CASES  DUE  TO  GPC  FAILURES,  ASA  AVAILABILITY  (VIA 
FCS  CHANNEL  SWITCHES)  WILL  BE  MANAGED  SO  THAT  EACH  GPC  IN  THE 
REDUNDANT  SET  WILL  BE  ASSIGNED  AN  EQUAL  NUMBER  OF  ASA'S. 

WITH  NO  ADDITIONAL  FAILURES,  THE  GPC/FCS  CHANNEL  ASSIGNMENTS 
WILL  BE: 

FOUR  GPC ' S  -  FOUR  CHANNELS  IN  AUTO,  ONE  CHANNEL  PER  GPC. 

THREE  GPC' S  -  THREE  CHANNELS  IN  AUTO,  ONE  CHANNEL  PER  GPC, 

ONE  CHANNEL  OFF. 

TWO  GPC' S  -  FOUR  CHANNELS  IN  OVERRIDE,  TWO  CHANNELS  PER  GPC. 

ONE  GPC  -  FOUR  CHANNELS  IN  AUTO. 

If  each  GPC  does  not  control  an  equal  number  of  FCS  channels,  subsequent  failure  of  the  GPC  that  has 
the  larger  number  of  channels  could  cause  good  ports  to  be  bypassed  resulting  in  a  loss  of  vehicle 
control.  Ports  are  taken  offline  by  taking  the  FCS  channel  power  to  OFF. 

To  equalize  channels  for  the  three  GPC-four  FCS  channel  case,  one  FCS  channel  must  be  turned  off.  It 
is  desirable  to  turn  off  FCS  channel  4  since  both  the  bodyflap  and  the  BFS  use  channels  1-3.  On 
OV-102,  this  will  result  in  the  loss  of  high  rate  ACIP  data,  but  low  rate  data  is  considered  acceptable. 

For  the  two-GPC  case,  having  all  channels  in  override  will  prevent  loss  of  good  ports  for  the  next  GPC 
failure.  In  this  case,  rapid  crew  action  will  still  be  required  to  turn  off  the  channels  on  the  failed  GPC, 
but  this  is  the  safest  configuration  of  all  of  the  options.  With  one  GPC,  the  next  GPC  failure  cannot  be 
accepted,  but  the  auto  system  will  operate  properly  for  FCS  channel  problems. 

B.  FOR  AN  FA  MDM  OR  GPC  FAILURE  DURING  ASCENT  OR  ENTRY,  THE 
CORRESPONDING  FCS  CHANNEL  WILL  BE  TURNED  OFF. 

When  an  FA  MDM  fails  or  a  GPC  fails  to  halt  or  sync,  its  actuator  commands  are  no  longer  valid.  The 
FCS  channel,  if  left  powered,  would  cause  a  force  fight  with  the  other  good  channels.  It  is  appropriate  to 
turn  the  FCS  channel  OFF,  which  will  bypass  that  channel.  It  will  also  eliminate  the  possibility  of  a 
subsequent  failure  causing  a  two-on-two  force  fight. 
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A8-107  FCS  CHANNEL  MANAGEMENT  (CONTINUED) 

C.  DURING  OPS  1,  3,  OR  6  IF  ANY  OF  THE  FIRST  THREE  FCS  CHANNELS 

ARE  TURNED  OFF,  THE  CORRESPONDING  POSITION  FEEDBACKS  WILL  BE 
DESELECTED.  IF  FCS  CHANNEL  4  IS  TURNED  OFF,  THE 
CORRESPONDING  FEEDBACKS  WILL  NOT  BE  DESELECTED  UNLESS  THERE 
IS  A  POSITION  FEEDBACK  FAILURE  ON  ONE  OF  THE  FIRST  THREE  FCS 
CHANNELS . 

Deselection  of  feedbacks  is  performed  on  CONTROLS  SPEC  53,  which  is  available  in  OPS  1,  3,  and  6. 
Crew  item  deselection  removes  all  feedbacks  on  the  associated  FCS  channel.  For  the  first  three  FCS 
channels,  feedbacks  should  be  deselected  any  time  the  channel  is  turned  off.  This  action  allows  FCS 
channel  4  feedbacks  to  be  used  and  protects  against  failing  the  position  feedbacks  on  the  unpowered 
channel  if  the  failure  that  caused  the  channel  to  be  turned  off  is  subsequently  recovered.  If  there  are  no 
other  FCS  channel  position  feedback  problems,  position  feedbacks  should  not  be  deselected  on  FCS 
channel  4  when  it  is  turned  off.  This  action  will  allow  FDIR  to  isolate  a  problem  on  FCS  channels  1,  2, 
or  3  without  requiring  the  position  feedbacks  to  be  deselected  on  all  aerosurfaces  of  the  affected  channel. 
It  is  not  critical  to  protect  the  rudder  or  speedbrake  position  feedbacks.  The  rudder  feedback  is  only 
used  for  crew  display  on  the  surface  position  indicator  (SPI).  The  speedbrake  position  is  used  to  set  a 
pitch  trim  rate  gain  in  the  AEROJET  DAP  and  for  crew  display  on  the  SPI.  Since  the  body  flap  uses  a 
QMVS  selection  filter,  no  action  is  required  for  the  bodyflcip  position  feedbacks.  Feedbacks  are 
deselected  in  OPS  1  to  ensure  a  good  feedback  configuration  is  available  should  an  abort  be  required. 

D.  IF  A  SINGLE  CHANNEL  IS  FAILED  BUT  NOT  BYPASSED,  THE  REMAINING 
CHANNELS  WILL  BE  PLACED  IN  "OVERRIDE". 

This  action  protects  for  the  next  GPC/MDM/LRU  failure.  If  the  channels  are  left  in  auto,  the  next  failure 
could  cause  both  good  channels  to  be  bypassed  resulting  in  loss  of  vehicle  control.  By  placing  the 
remaining  channels  in  override,  we  inhibit  port  popping  of  the  good  channels.  The  FCS  system  must  now 
be  managed  manually,  using  ground  calls.  Reference  RI-Downey  Interned  Letter  283-430-81-075. 

E.  WHEN  ONLY  TWO  GOOD  FCS  CHANNELS  REMAIN  ON  A  SINGLE  ACTUATOR, 
BOTH  WILL  BE  PLACED  IN  "OVERRIDE". 

This  action  protects  for  the  next  GPC/MDM/LRU  failure.  If  the  channels  are  left  in  AUTO,  the  next 
failure  could  cause  the  good  channel  to  be  bypassed  resulting  in  loss  of  vehicle  control.  In  override,  the 
next  failure  will  result  in  a  one-on-one  force  fight  which  is  preferred  because  it  may  allow  the  crew  time 
to  secure  the  bad  channel  and  engage  BFS  to  recover  good  channels.  One  channel  control  is  not 
certified.  The  FCS  channels  in  override  must  be  managed  manually.  Reference  RI-Downey  Interned 
Letter  283-430-81-075. 
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A8-107  FCS  CHANNEL  MANAGEMENT  (CONTINUED) 

F.  WHEN  MOVING  MULTIPLE  FCS  CHANNEL  SWITCHES  FROM  "AUTO"  TO 
"OVERRIDE"  OR  "OVERRIDE"  TO  "AUTO",  A  2-SECOND  DELAY  BETWEEN 
INDIVIDUAL  SWITCH  ACTUATIONS  WILL  BE  MAINTAINED. 

The  FCS  switches  are  of  the  break-before-make  type.  When  moved  from  one  position  to  another,  power 
to  the  FCS  channel  is  temporarily  interrupted.  When  power  is  interrupted,  logic  inside  the  ASA  causes 
power  to  remain  off  for  at  least  510  msec  and  for  as  long  as  1370  msec  regardless  of  how  fast  the  FCS 
switch  is  moved  (ref.  RI-Downey  Interned  Letter  283-220-86-009).  The  affected  channel  is  bypassed 
during  the  time  that  the  ASA  power  is  off.  If  multiple  channel  switches  are  actuated  at  the  same  time,  an 
aerosurface  may  have  no  active  ports  controlling  it  because  all  ports  have  been  bypassed  due  to  previous 
failures  and/or  switch  actuations.  This  could  cause  the  surface  to  go  handover  which  would  cause  a 
transient  in  the  flight  control  system. 

G.  IN  OPS  3  OR  6,  AN  AEROSURFACE  PORT  WILL  BE  MANUALLY  BYPASSED 
IF  IT  IS  FORCE  FIGHTING  OTHER  CHANNELS  WITH  A  SECONDARY  DELTA 
PRESSURE  OF  1400  PSI  OR  GREATER. 

The  ASA  hardware  has  built-in  fault  detection  that  will  bypass  a  port  if  its  secondary  delta  pressure  is 
greater  than  2025  psi.  This  limit  is  a  compromise;  it  is  high  enough  to  avoid  transient  failures  of  good 
channels  yet  low  enough  that  a  bad  channel  will  likely  be  isolated.  Also,  the  ASA  has  a  redundant 
channel  equalization  function  designed  to  compensate  for  variation  of  hardware  tolerances.  By  design, 
equalization  should  prevent  a  port  with  no  hardware  failure  from  being  bypassed.  The  effect  of 
equalization  is  fully  realized  when  the  secondary  delta  pressure  for  the  affected  port  has  reached  about 
1400  psi  (ref.  SODB  volume  III,  par.  4.5. 1.1.1). 

The  intent  of  this  rule  is  to  allow  for  manual  isolation  of  a  port  that  has  a  failure  below  the  hardware 
fault  detection  limit  of  2025  psi,  but  above  equalization  (1400  psi).  This  action  protects  for  the  next 
worst  failure  which  could  result  in  a  two-on-two  force  fight.  A  two-on-two  is  cm  uncertified  FCS 
configuration  and  could  cause  bypass  of  the  two  good  FCS  channels  resulting  in  loss  of  control  during 
entry.  No  action  is  required  in  OPS  1  because  aerosurfaces  are  not  used  for  control.  ( The  capability  to 
manually  bypass  a  port  exists  in  OPS  1,  3,  6,  and  8.) 

H.  DURING  OPS  3,  FCS  CHANNEL  MANAGEMENT  TO  REGAIN  ATVC 
REDUNDANCY  WILL  NOT  BE  PERFORMED  IF  IT  RESULTS  IN  A  LOSS  OF 
ASA  SINGLE  FAULT  TOLERANCE. 

FCS  channel  managemen  t  to  optimize  ATVC’ s  in  OPS  3  would  only  be  performed  to  provide  fault 
tolerance  for  drag  chute  reposition  ing.  Aerosurface  con  trol  redundancy  will  not  be  jeopardized  to 
reposition  SSME  bells  for  drag  chute  deploymen  t  since  the  drag  chute  can  be  deployed,  if  required, 
without  SSME  repositioning.  Reference  Ascent/Entry  Flight  Techniques  Panel  meeting  #84, 

November  15,  1991,  DRAG  CHUTE  IMPACTS. 

@[041196  1883] 
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This  rule  references  Rule  {A8-106B},  TVC-SSME  STOW/ACTUATOR  FLUID  FILL 
(REPRESSURIZATION). 

A8-108  HUD/COAS  SYSTEM  MANAGEMENT 

A.  IF  EITHER  STAR  TRACKER  IS  SUSPECTED  OF  BEING  FAILED,  THE 
CALIBRATION  PROCEDURE  FOR  THE  CDR  HUD  WILL  BE  PERFORMED 
WITHIN  24  HOURS.  IF  AN  UPDATE  IS  REQUIRED,  THE  PROCEDURE 
WILL  BE  RUN  AGAIN  WITHIN  24  HOURS  TO  VERIFY  THE  CALIBRATION 
®[1 11 094-1 723A] 

If  a  star  tracker  is  lost  and  the  CDR  HUD  is  not  calibrated,  the  capability  to  perform  an  entry 
alignment  is  zero-fault  toleran  t.  The  calibration  procedure  should  be  run  for  the  CDR  HUD  to  ensure 
the  SODB  specified  COAS IMU  alignment  accuracy  for  entry  is  met.  During  the  procedure ,  if  the  delta 
bias  is  large  enough  that  an  update  is  required,  the  procedure  should  be  run  again  within  24  hours  to 
verify  the  accuracy  of  the  calibration.  Although  the  HUD  flight  data  has  shown  no  significan  t  in-flight 
line-of- sight  (LOS)  shifts,  it  is  prudent  to  ensure  it  will  provide  the  best  possible  IMU  alignment 
capability  if  required.  (Ref.  Rule  { A8-12 j,  HEAD  UP  DISPLAY  (HUD)  AND  CREW  OPTICAL 
ALIGNMENT  SIGHT  (COAS)  ALIGNMENT).  (Ref.  On-Orbit  FTP  meeting  #133,  October  9,  1992, 
HUD/COAS  CALIBRATION  and  On-Orbit  FTP  meeting  #148,  September  9,  1994,  HUD/COAS 
CALIBRATION  STATUS.) 

B.  THE  SECONDARY  STATION  CALIBRATION  WILL  BE  PERFORMED  AS  SOON 
AS  PRACTICAL  UPON  LOSS  OF  THE  PRIMARY  STATION  IF  A  STAR 
TRACKER  IS  FAILED. 

A  calibrated  device  at  one  station  is  required.  If  it  has  been  determined  that  the  calibrated  device  has 
been  lost  ( e.  g. ,  loss  of  power  or  an  obstructed  window),  the  other  station  will  be  calibrated  to  meet  the 
requiremen  ts  in  paragraph  A  of  this  rule.  Av  backups  to  the  star  trackers  for  IMU  alignments,  the  CDR 
HUD  is  the  primary  station  and  the  PUT  HUD/-Z  COAS  is  the  secondary  station.  (Ref.  On-Orbit  FTP 
meeting  #148,  September  9,  1994,  HUD/COAS  CALIBRATION  STATUS.) 

C.  THE  SECONDARY  STATION  WILL  BE  CALIBRATED  IF  THE  CABIN  IS  AT  A 
PRESSURE  DIFFERENT  FROM  THE  PRIMARY  STATION  CALIBRATION  AND  A 
STAR  TRACKER  IS  FAILED. 

There  is  insufficient  data  to  state  that  a  decrease  in  cabin  pressure  to  10.2  psi  will  or  will  not  cause  a 
HUD/COAS  line-of-sight  shift  large  enough  to  violate  the  0.5  degree  El  IMU  alignment  accuracy 
requirement  for  entry  (ref.  Rule  (A4-151},  IMU  ALIGNMENT).  Therefore,  if  a  star  tracker  is  lost,  a 
HUD/-Z  COAS  calibration  is  required  for  fail-safe  redundancy  to  perform  an  entry  IMU  alignment.  Using 
the  CDR  or  PLT  HUD  and  the  alternate  software  location  for  the  calibrated  vector  is  acceptable  to  meet 
the  intent  of  this  rule  which  is  to  provide  a  calibrated  device  at  both  cabin  pressures.  ®[111 094-1 723A] 

THIS  RULE  CONTINUED  ON  NEXT  PAGE 
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A8-108  HUD/COAS  SYSTEM  MANAGEMENT  (CONTINUED) 

D.  IT  IS  HIGHLY  DESIRABLE  THAT  HUD/COAS  CALIBRATIONS  BE 
IMMEDIATELY  PRECEDED  BY  A  STAR  TRACKER  IMU  ALIGNMENT. 

@[111 094-1 723A] 

HUD/COAS  calibration  accuracy  is  directly  dependent  on  IMU  misalignment.  This  is  a  controllable 
error  source  and  should  be  minimized. 

E.  IF  BOTH  STAR  TRACKERS  ARE  SUSPECTED  OF  BEING  FAILED,  THE 
SECONDARY  STATION  WILL  BE  CALIBRATED  AS  SOON  AS  POSSIBLE. 

If  both  star  trackers  are  failed,  the  CDR  HUD  will  be  the  primary  device  for  performing  IMU 
alignments.  Since  the  HUD  is  zero  fault  tolerant  (e.g.,  power  failure),  a  PUT  HUD/-Z  COAS  calibration 
is  required  for  fail-safe  redundancy  to  perform  an  entry  IMU  alignment.  The  PUT  HUD/-Z  COAS 
calibration  should  be  performed  as  soon  as  possible  to  minimize  IMU  misalignment  error  and  improve 
the  accuracy  of  the  calibration.  ®[1 1 1 094-1 723A] 

A8-109  STAR  TRACKER  SYSTEM  MANAGEMENT  [CIL] 

A.  BOTH  STAR  TRACKERS  WILL  BE  CONTINUOUSLY  POWERED  FOR  THE  ON- 
ORBIT  PORTION  OF  THE  FLIGHT  TO  OBTAIN  STAR-OF-OPPORTUNI T Y 
DATA.  TRACKERS  MAY  BE  POWERED  OFF  IF  A  PARTICULAR  LONG 
DURATION  ATTITUDE  PRECLUDES  GATHERING  STAR-OF-OPPORTUNI TY 
DATA. 

B.  ONE  STAR  TRACKER  DOOR  WILL  BE  CLOSED  IF  A  KNOWN  FAILURE 
CONDITION  EXISTS  WHERE  ONE  ADDITIONAL  FAILURE  WOULD  CAUSE 
BOTH  DOORS  TO  BE  FAILED  OPEN.  [CIL] 

Star-of-opportunity  alignments  can  decrease  or  eliminate  the  need  to  repeatedly  perform  maneuvers  for 
IMU  alignment,  saving  crew  effort,  time,  and  propulsion  consumables. 

Rockwell  thermal  studies  (ref.  SAS-TA-TPS-87-238,  IL  294-400-87-071,  and  IL  SAS-TA-RCC-78-160) 
have  shown  that  entry  with  one  star  tracker  door  open  results  only  in  minor  local  damage  due  to 
stagnation  conditions  in  a  single  opening  cavity.  In  the  absence  of  further  studies  showing  that  a  tw’o- 
door-open  entry  is  also  safe,  conservative  engineering  judgment  must  assume  that  a  plasma  flow  between 
the  two  doors  could  cause  potentially  catastrophic  damage  to  the  airframe,  crew  cabin,  and/or 
navigation  base. 

Therefore,  if  the  next  electrical  failure  results  in  the  loss  of  the  last  motor  function  on  both  doors,  one 
door  will  be  closed  immediately  to  eliminate  the  potential  for  a  two-door-open  entry.  Additionally,  if  one 
door  is  already  stuck  open,  the  other  door  will  be  closed  immediately  (even  if  redundan  t  motor  capability 
is  available)  in  order  to  protect  for  a  mechanical  failure  (e.g.,  door  jam)  that  could  result  in  a  two-door- 
open  entry  (ref.  CIL  02-4F-032001-1). 
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A8-110  IMU  SYSTEM  MANAGEMENT 

A.  A  PRE-DEORBIT  IMU-TO-IMU  ALIGNMENT  WILL  BE  PERFORMED  AT 
DEORBIT  TIG  -  70  MINUTES  TO  RESET  THE  IMU  RM  THRESHOLDS. 

The  pre-deorbit  IMU /IMU  alignment  is  required  to  reset  the  IMU  RM  thresholds.  If  the  thresholds  are 
not  reset,  then  the  IMU  RM  two-level  attitude  failure  coverage  during  entry  is  drastically  reduced.  For 
no  pre-deorbit  IMU /IMU  alignment,  the  probability  of  isolation  for  XY  plane  IMU  errors  at  the  two- 
level  is  64  percent  to  46  percent  (decreasing  with  time)  between  El  and  touchdown.  The  probability  of 
isolation  for  Z-axis  IMU  errors  (corresponds  to  critical  orbiter  vertical  and  down-range  position  and 
velocity  errors)  is  0  percent  between  El  and  touchdown.  In  contrast,  having  performed  the  pre-deorbit 
IMU /IMU  alignment,  the  probability  of  isolation  for  XY  plane  IMU  errors  at  the  two  level  is 
approximately  68  percent  (reaching  a  max  of  70  percent)  between  El  and  touchdown.  The  probability 
of  isolation  for  Z-axis  (critical)  IMU  errors  is  100  percent  between  El  and  touchdown. 

For  deorbit  wave-off  cases,  the  pre-deorbit  IMU /IMU  alignment  can  be  waved  and  performed  one  time 
only  at  the  TIG  -  70-minute  point  of  the  actual  deorbit.  For  a  wave-off  declared  after  the  IMU /IMU 
alignment  has  been  performed,  the  alignment  will  be  performed  again  at  the  next  TIG  -  70-minute  point. 

B.  THE  PRE-DEORBIT  STAR  ALIGNMENT  ON  ENTRY  DAY  IS  DEFINED  AS 
CRITICAL . 

IMU  accuracy  needs  to  be  determined  during  the  entry  alignment  and  verification  to  assure  that  the 
IMU’s  will  be  within  0.5  degrees  of  desired  attitude  (RSS  at  El)  in  order  to  protect  the  vehicle  and  crew 
during  the  entry  phase  (ref.  Rule  (A4-151J,  IMU  ALIGNMENT).  The  pre-deorbit  alignment  is  currently 
the  only  identified  critical  alignment. 

C.  ONBOARD  ALIGNMENT  VERIFICATION  IS  REQUIRED  FOLLOWING  ANY 
CRITICAL  ALIGNMENT.  DEORBIT  WILL  BE  DELAYED  ONE  ORBIT,  IF 
AVAILABLE,  TO  ALLOW  THE  OPS  3  STAR  ALIGNMENT  VERIFICATION  TO 
BE  COMPLETED. 

The  time  element  here  is  crucial.  Any  noncritical  alignment  results  can  be  observed  over  some  extended 
time  period  and  verified  by  the  MCC.  Any  problems  discovered  can  then  be  corrected.  However,  a 
critical  alignment  must  be  as  accurate  as  possible  at  that  point  in  time,  as  the  future  provides  little  or  no 
opportunity  for  correction. 

D.  ONBOARD  VERIFICATION  IS  NOT  REQUIRED  FOLLOWING  NONCRITICAL 
ALIGNMENTS.  VERIFICATION  WILL  BE  ACCOMPLISHED  BY  THE  MCC 
USING  TELEMETERED  STAR-OF-OPPORTUNITY  AND  RELATIVE 
MISALIGNMENT  DATA. 

Rationale  same  as  for  paragraph  C. 

THIS  RULE  CONTINUED  ON  NEXT  PAGE 
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A8-110  I MU  SYSTEM  MANAGEMENT  (CONTINUED) 

E.  IMU  GYRO  DRIFT  TERMS  WILL  BE  UPDATED  WHEN  THE  DRIFT  EXCEEDS 
3  SIGMA  IN  ANY  AXIS.  COMPENSATIONS  LESS  THAN  3  SIGMA  WILL 
BE  DONE  AS  REQUIRED  TO  MINIMIZE  LONG  TERM,  STABLE  DRIFT. 

Correcting  large  (3  sigma)  gyro  drift  errors  will  maintain  the  IMU’s  in  the  best  possible  position  to 
support  contingency  deorbit  and  orbiter  and  payload  operations.  An  IMU  drifting  at  3  sigma  (0.02 
deg/hr)  will  not  jeopardize  the  0.5  degree  entry  misalignment  constraint  for  over  25  hours  but  does 
indicate  significant  out-of-spec  performance,  which  should  be  corrected.  Gyro  drifts  of  this  magnitude 
need  not  be  compensated  immediately  but  should  wait  for  reliable  drift  measurements.  Gyro  drifts  of 
less  than  3  sigma,  but  which  are  stable  and  of  long  duration  (typically  8  hours  or  more),  should  be 
corrected  to  place  the  IMU’s  in  the  best  possible  configuration  to  support  orbiter  and  payload  activities, 
sleep  periods,  IMU  align  wave-offs,  entry,  and  any  contingencies.  The  1-sigma  drift  value  is  0.006 
deg/hr  (ref.  SODB  4.5.1.2.3.q.2.a-2).  ®[011291752A  ]  ©[081497-4060A] 

F.  IMU  ACCELEROMETER  BIAS  TERMS  WILL  BE  UPDATED  WHEN  THE  ERROR 
EXCEEDS  3  SIGMA  IN  ANY  AXIS.  COMPENSATIONS  LESS  THAN  3  SIGMA 
WILL  BE  DONE  AS  REQUIRED  TO  MINIMIZE  LONG  TERM,  STABLE  ERRORS. 

Correcting  large  (3  sigma)  accelerometer  errors  will  maintain  the  IMU’s  in  the  best  possible  position  to 
support  orbiter  and  payload  activities  and  entry.  A  3-sigma  error  indicates  significant  out-of-spec 
performance  which  should  be  corrected  when  a  reliable  error  measurement  is  available.  Accelerometer 
errors  of  less  than  3  sigma,  but  which  are  stable  and  of  long  duration  (typically  4  hours  or  more),  should 
be  corrected  to  place  the  IMU  in  the  best  possible  position  to  support  entry  as  well  as  to  provide  an  extra 
margin  of  safety  on  orbit.  The  1 -sigma  value  is  50pG’s  (ref.  SODB  4.5.l.2.3.q.I-b).  ®[01 1 295-1 752A] 

®[081 497-4060A] 

G.  THE  IMU'S  NEED  NOT  BE  REALIGNED  WITH  STAR  DATA  TO  SUPPORT  A 
DEORBIT  ON  ORBITS  2  OR  3 . 

A  worse  case  IMU  (3  sigma  in  all  axes)  results  in  a  total  platform  misalignment  of  0.125  degrees  (RSS)  at 
El  for  an  orbit  3  deorbit  which  meets  navigation’ s  requirement  of  0.5  degrees  (RSS)  (ref.  Rule  {A4-151}, 
IMU  ALIGNMENT).  An  orbit  2  or  3  deorbit  would  be  an  emergency  action,  and  an  IMU  alignmen  t  using 
stars  would  impact  the  crew  timeline.  This  rule  does  not  preclude  the  use  of  cm  IMU /IMU  alignment  to 
regain  a  failed  IMU. 
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A8-110  IMU  SYSTEM  MANAGEMENT  (CONTINUED) 

H.  IMU  ALIGNMENTS  WILL  BE  PERFORMED  FOR  LAUNCH  DAY  DEORBITS  AFTER 
ORBIT  3  TO  OPTIMIZE  ENTRY  NAVIGATION. 

A  3 -sigma  HAINS  IMU  drift  (in  all  axes)  results  in  a  total  platform  misalignment  of  0.312  degrees  (RSS) 
at  El  for  orbit  7  deorbit.  This  meets  navigation's  requirement  of  0.5  degree  (RSS)  but  is  worse  than  the 
desired  0.25  deg  at  El  (ref.  Rule  {A4-151},  IMU  ALIGNMENT).  Using  the  scheduled  alignment  for  these 
deorbit  opportunities  has  no  impact  on  the  crew  timeline  workload  and  the  align  will  be  performed  as 
required  to  optimize  entry  navigation.  ®[011 295-1 752A] 

I.  THE  CRITICAL  ENTRY  IMU  STAR  ALIGNMENT  WILL  BE  REACCOMPL I SHED 
AS  REQUIRED  IN  ORDER  TO  PROTECT  THE  0.5  DEGREE  (RSS)  ATTITUDE 
ERROR  LIMIT  (REF.  RULE  {A4-151},  IMU  ALIGNMENT).  IF  A  "NO- 
GO"  FOR  DEORBIT  IS  GIVEN  PRIOR  TO  THE  IMU  ALIGNMENT,  THEN, 
TIMELINE  PERMITTING,  THE  ALIGNMENT  WILL  SLIP  TO  THE  SAME 
RELATIVE  PLACE  AS  NOMINAL  WITH  RESPECT  TO  THE  NEW  BACKUP 
DEORBIT  OPPORTUNITY. 

From  the  time  of  critical  alignment  for  entry  to  the  one  orbit  late  backup  orbit  deorbit  time,  the  IMU  drift 
is  still  within  requiremen  ts  to  support  an  entry  without  a  realignmen  t.  If  a  NO-GO  for  deorbit  is  called 
prior  to  the  entry  alignment,  it  is  best  to  move  the  alignment  to  the  nominal  pre-entry  time  to  maximize 
IMU  accuracy  for  entry  (ref.  A/E  Flight  Techniques  If  5,  Sept.  9,  1983).  ®[011 295-1 752A] 

J.  IMU  STAR  ALIGNMENTS  WILL  BE  PERFORMED  AS  REQUIRED  TO  MAINTAIN 
THE  ENTRY  INTERFACE  (El)  IMU  ALIGNMENT  CRITERIA.  STAR 
ALIGNMENTS  WILL  BE  SCHEDULED  APPROXIMATELY  ONCE  PER  FLIGHT 
DAY.  ®[011 295-1 752A] 

IMU  star  alignments  will  be  performed  periodically  on  orbit  to  ensure  that  the  0.5  degree  (RSS)  El  IMU 
alignment  criteria  is  satisfied  for  contingency  situations  (ref.  Rule  j A4-151 j,  IMU  ALIGNMENT).  For 
nominal  circumstances,  the  desired  0.25  degree  alignment  criteria  will  be  maintained  to  ensure  the  best 
possible  navigation  performance  during  entry.  IMU  star  alignments  will  be  performed  using  either  star- 
of-opportunity  (SOO)  data  or  star  data  acquired  from  dedicated  orbiter  maneuvers. 

Scheduling  star  alignments  once  per  flight  day  accounts  for  the  expected  IMU  performance  to  ensure 
that  the  El  criteria  is  satisfied,  while  minimizing  crew  time  and  RCS  propellant  usage  for  alignments. 

®[01 1 295-1 752A] 
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A8-110  I MU  SYSTEM  MANAGEMENT  (CONTINUED) 

K.  IMU  GYRO  CALIBRATION  WILL  BE  BASED  ON  A  SET  OF  TORQUING 
ANGLES  MEASURED  AT  LEAST  3  HOURS  FROM  THE  TIME  THE  PREVIOUS 
SET  OF  TORQUING  ANGLES  WAS  MEASURED. 

For  several  hours  postalignment,  the  misalignment  uncertainty  is  as  large  as  the  actual  platform 
misalignment.  Therefore,  reliable  drift  rates  cannot  be  computed  from  torquing  angles  generated  shortly 
after  an  alignment.  Av  IMU  misalignment  grows  with  time,  one  can  more  accurately  determine  the  true 
drift  rate  of  the  platform. 

L.  CALIBRATION  DATA  WILL  BE  UPLINKED  TO  THE  BFS ,  IF  REQUIRED,  AS 
SOON  AS  PRACTICAL  ON  ENTRY  DAY.  ®[011 295-1 752A] 

Av  the  BFS  has  not  been  running  on  orbit,  the  gyro  drift  and  accelerometer  changes  have  only  been 
made  in  the  PASS.  Thus,  the  BFS  machine  needs  to  be  brought  up  to  date  with  the  PASS  machine  bias 
alterations  by  uplink  as  soon  as  practical  on  entry  day. 

M.  G-SENSITIVE  TERMS  WILL  BE  UPDATED  IN-FLIGHT  VIA  UPLINK,  BASED 
ON  ANALYSES  OF  ASCENT  PERFORMANCE  AND  PREDICTED  CHANGES  AS 
REQUIRED  TO  MAINTAIN  3  SIGMA  LRU  PERFORMANCE.  ®[01 1 295-1 752A] 

Analysis  of  ascent  data  may  indicate  a  scale  factor  problem  (G-sensitive  term)  in  an  IMU.  An  uplink  will 
be  done  to  maximize  performance.  Due  to  the  granularity  ofMCC  programs,  it  will  not  be  possible  to 
guarantee  any  level  of  LRU  performance. 

@[111501-4906] 
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A8-111  GNC  AIR  DATA  SYSTEM  MANAGEMENT  [CIL] 

A.  AIR  DATA  WILL  BE  INCORPORATED  INTO  G&C  BASED  ON  A  REASONABLENESS 
ASSESSMENT  OF  h,  M,  AND  ALPHA  ONBOARD,  AND  A  REASONABLENESS 
ASSESSMENT  OF  THE  ALTITUDE  (H-GROUND  COMPUTED)  AND  RAW  PRESSURES 
ON  THE  GROUND . 

The  crew  is  able  to  read  h,  M,  and  alpha  onboard  on  their  override  SPEC.  They  can  compare  this  to 
navigation  data  as  we  can  on  the  ground.  If  the  data  agrees,  within  reason  (reasonableness  assessment), 
then  the  crew  will  pass  the  air  data  information  into  the  flight  control  system.  This  assessment 
opportunity  is  used  in  solving  dilemmas  as  well. 

B.  IF  ONLY  ONE  GOOD  ADTA  REMAINS,  AIR  DATA  INPUT  TO  G&C  WILL  BE 
INHIBITED  AND  VEHICLE  WILL  BE  FLOWN  WITH  "DEFAULT/NAVDAD"  AIR 
DATA  EXCEPT  FOR  THE  FOLLOWING  CONDITIONS  WHEN  A  SINGLE  GOOD 
ADTA  WILL  BE  INCORPORATED  INTO  G&C: 

1.  BFS  ENGAGE. 

2 .  BAD  NAV  STATE . 

3.  HIGH  WINDS  ON  THE  HAC  (?  80  KNOTS). 

4.  ANYTIME  THE  ADDITIONAL  BURDEN  OF  FLYING  THETA  LIMITS 
PRESENTS  AN  UNSATISFACTORY  RISK  OF  LOSING  CONTROL  OR  THE 
ABILITY  TO  MAINTAIN  A  SATISFACTORY  GROUNDTRACK  (CDR'S 
DISCRETION) . 

Incorporating  air  data  (AD)  to  G&C  when  only  a  single  ADTA  remains  may  result  in  loss  of  vehicle 
control  if  that  last  remaining  ADTA  should  fail.  Numerous  AD  parameters  (dynamic  press,  TAS,  EAS, 

M,  and  alpha)  are  being  used  by  the  flight  control  system.  Should  the  last  remaining  ADTA  fail,  no  fault 
detection  exists  to  identify  or  isolate  this  bad  ADTA  and  loss  of  vehicle  control  could  result  before  the 
crew  or  MCC  can  react.  While  a  high  piloting  task,  use  of  default  AD/NAVD AD  (flying  “theta  limits”) 
is  considered  an  acceptable  flight  control  mode  and  should  be  used  when  only  a  single  good  ADTA 
remains. 

The  BFS,  however,  does  not  have  default  AD  and,  thus,  resorts  to  NAVDAD  alone  for  no  AD.  Also,  the 
BFS  itself  is  only  single  string.  Therefore,  when  the  BFS  is  engaged,  incorporating  the  last  ADTA  into 
G&C  is  preferred. 

In  the  even  t  of  a  bad  navigational  state,  air  data  incorporation  would  be  required  to  G&C.  Since 
NAVDAD /default  air  data  utilizes  navigation  parameters  (Vrel,  altitude,  drag  decel,  alpha,  and  vehicle 
mass),  a  bad  navigation  state,  and  in  particular  a  bad  Vrel,  would  be  reason  to  incorporate  AD  to  G&C 
when  only  a  single  ADTA  remains. 
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A8-111  GNC  AIR  DATA  SYSTEM  MANAGEMENT  [CIL]  (CONTINUED) 


High  winds  on  the  HAC  would  be  another  circumstance  for  which  air  data  will  be  incorporated  into 
G&C.  For  winds  on  the  HAC  ?  80  knots,  the  risk  ofLOC  or  excessive  loss  of  energy  due  to  the  difficulty 
of  the  theta  limits  task  exceeds  the  risk  of  utilizing  the  last  remaining  ADTA. 

A  single  ADTA  will  be  incorporated  into  G&C,  at  the  CDR  's  discretion,  in  the  event  conditions  arise 
which  would  significantly  increase  the  possibility  of  loss  of  vehicle  control  or  result  in  an  unsatisfactory 
groundtrack  if  theta  limits  were  flown.  The  crew  task  of  flying  “theta  limits”  should  be  avoided  when 
circumstances  arise  such  that  the  crew  is  not  able  to  devote  the  attention  required  for  this  task.  These 
circumstances  include,  but  are  not  limited  to,  numerous  other  systems  failures,  health  problems,  etc.  Av 
a  result,  under  these  conditions,  the  risk  associated  with  using  a  single  ADTA  will  be  accepted. 

Reference  Entry  Flight  Techniques  Panel  meetings  #39  and  #43. 

C.  IF  AIR  DATA  IS  BEING  INPUT  TO  G&C  BELOW  TAEM  INTERFACE  (< 

MACH  2.5),  THE  PITCH  AXIS  "CSS"  MODE  WILL  BE  SELECTED. 

"AUTO"  MAY  BE  RESELECTED  FOLLOWING  INCORPORATION. 

Dynamic  pressure  (Q-bar)  and  dynamic  pressure  rate  (Q-bar  dot )  are  currently  not  reinitialized  for  all 
ADTA  SOP  dynamic  pressure  source  selection  changes.  Large,  falsely  derived  Q-bar  dot  rates  can  occur 
during  NAVDAD-to-air-dcita  mode  changes.  In  TAEM  (M  ?  2.5),  cm  increase  in  Q-bar  of  the  order  that 
can  occur  during  the  NAVDAD-to-air-dcita  mode  change  will  result  in  a  step  in  the  normal  acceleration 
command  (Nzc).  Pitch  axis  CSS  mode  will  preven  t  the  step  Nzc  change. 

D.  WHEN  ALL  AIR  DATA  IS  LOST  OR  NOT  INCORPORATED  INTO  FLIGHT 
CONTROL,  THETA  LIMITS  WILL  BE  ENFORCED.  [CIL]  ®[041 1 96  1 870A ] 

If  air  data  is  not  incorporated  into  G&C,  flight  control  defaults  to  use  a  fixed  value  of  alpha  (7.5  degrees). 
Q-bar  is  derived  from  an  I-locided  table  as  a  function  of  navigation  ground  relative  velocity  (Vrej).  Since 
guidance  no  longer  limits  alpha  by  protecting  the  low  Q-bar  boundary,  it  is  necessary  for  the  crew  to  follow 
theta  limits  on  the  vertical  situation  display.  In  this  situation,  the  displayed  alpha  is  not  reliable.  Keeping 
theta  between  the  NOSE  HI  and  NOSE  LO  region  will  ensure  that  the  vehicle  alpha  is  within  acceptable 
limits.  Allowing  theta  to  exceed  NOSE  HI  increases  the  chances  of  stall  while  allowing  theta  to  fall  below 
NOSE  LO  could  cause  Q-bar  to  increase  to  unacceptable  limits.  Keeping  theta  within  limits  also  reduces 
energy  dispersions.  Although  the  speedbrake  setting  during  Approach  and  Landing  is  affected  by  the  lack 
of  air  data  to  G  &  C,  off-line  simulations  have  shown  that  when  the  speedbrake  is  left  in  auto,  performance 
is  generally  better  than  when  it  is  set  to  a  predetermined  position  (reference  AEFTP  #128,  12/8/95). 
Therefore,  the  speedbrake  will  be  left  in  auto  and  the  setting  evaluated  for  reasonableness.  If  the 
speedbrake  setting  is  unreasonable,  the  crew  may  select  manual  speedbrake  and  set  it  as  necessary. 

@[041196  1870A  ] 

Rules  { A2-261J ,  ENTRY DTO/AUTO  MODE/CROSSWIND  DTO  GO/NO-GO,  and  {A8-1001},  GNC 
GO/NO-GO  CRITERIA,  reference  this  rule. 
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A8-112  AEROSURFACE  ACTUATOR  PROTECTION 

TO  PRECLUDE  DAMAGE  TO  AEROSURFACE  ACTUATORS,  APU' S  WILL  NOT  BE 
STARTED  IN  OPS  2.  ALSO,  ALL  AVAILABLE  AEROSURFACE  AMPLIFIERS 
MUST  BE  "ON"  PRIOR  TO  APU  START  (REF.  RULE  {A10-22G},  APU 
START/RESTART  LIMITS) . 

By  turning  the  APU’s  on  while  in  OPS  2,  we  run  the  risk  of  damaging  the  aerosurface  actuators  by 
applying  hydraulic  pressure  to  the  systems.  Since  OPS  1,  the  aero  surfaces  may  have  drifted  from  their 
last  commanded  position  such  that,  if  the  position  delta  is  great  enough  at  APU  start,  it  could  be  possible 
to  generate  such  a  command  force  on  the  actuator  that  damage  may  occur.  If  the  APU’s  have  to  be 
started  on  orbit,  it  is  prudent  to  turn  the  ASA’s  on  prior  to  transition  to  OPS  8  and  APU  start.  The  OPS 
8  software  for  aerosurface  control  will  be  active  so  that  at  transition  to  OPS  8  the  aerosurface 
commands  will  be  made  equal  to  their  present  position. 

Rule  { A10-22G },  APU  START/RESTART  LIMITS,  references  this  rule. 


A8-113  QMS  TVC  SYSTEM  MANAGEMENT 

A.  FOR  LOSS  OF  AN  OMS  TVC: 

1.  DURING  PERIODS  OF  INACTIVITY,  THAT  OMS  ENGINE  WILL  BE 
PARKED  THOUGH  THE  NOMINAL  EOM  DEORBIT  BURN  CG  AND  THE  TVC 
WILL  BE  POWERED  OFF  AS  SOON  AS  PRACTICAL. 

Parking  the  affected  OMS  engine  through  the  eg  and  powering  off  the  TVC  protects  against  loss  of  that 
OMS  engine  for  numerous  single-point  failures  in  the  OMS  TVC,  failure  of  an  FA  MDM,  or  power 
failure.  (Note:  Loss  of  an  FA  MDM  can  result  in  loss  of  the  remaining  TVC  on  that  engine,  ignition 
redundancy  on  the  other  engine,  arid  two  +X  RCS  jets.)  Given  that  the  other  OMS  engine  is  usable,  the 
procedure  for  parking  that  engine  should  be  performed  when  practical. 

2.  OMS-1,  OMS -2 ,  AND  THE  DEORBIT  BURN  WILL  BE  PERFORMED 
TWO-ENGINE  WITH  TVC  ACTIVE  ON  BOTH  ENGINES. 

Av  long  as  the  other  OMS  engine  is  usable,  sufficient  redundancy  exists  to  permit  use  of  the  remaining 
TVC  for  OMS  burns.  This  is  especially  true  for  OMS-1,  OMS-2,  and  the  deorbit  burn  due  to  the 
criticality  and  time  constraints  of  these  burns. 

3.  IT  IS  PREFERABLE  TO  PERFORM  ALL  ON-ORBIT  BURNS  SINGLE 
ENGINE,  USING  THE  OMS  ENGINE  WITH  REDUNDANT  TVC. 

Given  that  OMS  TVC  redundancy  is  lost  on  one  engine,  it  is  preferable  to  perform  all  on-orbit  burns 
single  engine,  using  the  OMS  engine  with  redundant  TVC.  It  is  desired  to  leave  the  OMS  engine  with 
only  a  single  TVC  parked  and  powered  off  as  much  as  possible  to  presence  it  as  a  safe  deorbit  capability. 

THIS  RULE  CONTINUED  ON  NEXT  PAGE 
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A8-113  QMS  TVC  SYSTEM  MANAGEMENT  (CONTINUED) 

4.  IF  THE  REMAINING  TVC  ON  THE  OMS  ENGINE  WITH  THE  FAILED 
TVC  IS  SUSPECT,  POST-OMS-2  THAT  OMS  ENGINE  WILL  BE  PARKED 
THROUGH  THE  NOMINAL  EOM  DEORBIT  BURN  CG  ASAP  AND  POWERED 
OFF  UNTIL  AFTER  THE  DEORBIT  BURN. 

The  purpose  of  this  rule  is  to  preserve  the  engine  as  a  safe  deorbit  method.  The  engine  should  remain 
parked  and  powered  off  through  the  deorbit  burn.  The  deorbit  burn  will  be  accomplished  with  that 
engine  parked  through  the  CG  and  TVC  powered  off.  Post-deorbit  burn,  the  engine  should  be  powered 
on  and  driven  to  the  entry  stow  position.  (Ref.  Rule  {A8-53},  OMS  TVC  LOSS.) 

5.  IF  THE  AFFECTED  CMS  ENGINE  IS  THE  LAST  REMAINING  OMS 
ENGINE : 

a.  OMS-1  WILL  BE  PERFORMED  SINGLE  ENGINE  WITH  TVC 
ACTIVE . 

b.  POST-OMS-1  THE  OMS  ENGINE  WILL  BE  PARKED  THROUGH  THE 
CG  ASAP  AND  POWERED  OFF.  OMS-2  AND  ALL  SUBSEQUENT 
OMS  BURNS  WILL  BE  PERFORMED  SINGLE  ENGINE,  TRIMMED 
THROUGH  THE  CG  WITH  TVC  OFF. 

If  the  last  OMS  engine  has  only  one  TVC  remaining,  that  engine  should  be  parked  through  the  CG  and 
powered  off  as  soon  as  possible  to  preserve  it  as  a  safe  deorbit  method.  The  first  opportunity  to  park  the 
engine  is  post-OMS-1  due  to  the  time  constrain  ts  and  criticality  of  that  burn.  Since  that  engine  is  the  last 
remaining  engine,  all  OMS  burns  post-OMS-1  should  be  performed  with  the  engine  parked  through  the 
CG  and  TVC  powered  off.  Even  ifRCS  deorbit  capability  exists,  parking  the  engine  protects  against  the 
requirement  for  a  next  PLS  entry  for  failure  of  the  TVC.  (Ref.  Rule  { A8-53J ,  OMS  TVC  LOSS.) 

B.  FOR  TWO-ENGINE  BURNS  WHERE  ONE  ENGINE  IS  TO  BE  BURNED  WITH 

THE  TVC  POWER  OFF,  THE  BURN  WILL  BE  PERFORMED  USING  CG  TRIMS. 

For  two-engine  burns  where  one  engine  is  to  be  burned  with  TVC  power  off,  CG  trims  are  required  to 
protect  for  the  loss  of  the  engine  with  TVC  on.  Using  CG  trims  places  the  OMS  engine  without  TVC 
through  the  CG  and  enables  the  use  of  that  engine  if  the  engine  with  active  TVC  fails  during  the  burn. 

(Ref.  Rule  {A8-53},  OMS  TVC  LOSS.) 
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A8-113  QMS  TVC  SYSTEM  MANAGEMENT  (CONTINUED) 

C.  OMS  TVC  GIMBAL  CHECKS 

1.  THE  NOMINAL  OMS  GIMBAL  CHECK  PLAN  IN  OPS  1  AND  OPS  3  WILL 
CONSIST  OF  PERFORMING  ONE  GIMBAL  CHECK  OF  BOTH  PRIMARY  AND 
SECONDARY  SYSTEMS  POST-OMS-2  AND  IN  MM  301  (PRE  DEORBIT 
BURN) . 

IN  OPS  2,  POSTBURN  GIMBAL  CHECKS  WILL  BE  PERFORMED  ON  THE 
GIMBALS  THAT  ARE  PLANNED  TO  BE  USED  DURING  THE  NEXT  BURN. 
ONLY  GIMBALS  THAT  WILL  BE  USED  FOR  TWO-ENGINE  CRITICAL 
BURNS  OR  ANY  SINGLE-ENGINE  BURN  NEED  BE  CHECKED. 

A  full  system  gimbal  check  performed  post-OMS-2  and  prior  to  deorbit  burn  will  always  be  performed  in 
order  to  assess  the  status  of  the  TVC  system.  The  gimbals,  nominally,  will  not  be  checked  prior  to  OMS- 
2  due  to  the  time  constraints  and  ground  coverage  available. 

It  is  desirable  to  minimize  gimbal  checks  on  orbit  to  increase  the  lifetime  of  the  TVC’s.  Hence,  for  any 
single-engine  or  two-engine  critical  burn,  only  the  system(s)  that  have  not  been  checked  since  their  last 
active  use  will  be  checked.  During  single-engine  burns,  the  nonburning  engine  TVC  is  still  active  (unless 
powered  off  and  being  driven  arid  so  must  be  checked  before  subsequent  selection  as  an  engine  to  be 
burned,  per  the  criteria  above  ( two-engine  critical  or  single-engine  burn).  Checking  the  gimbals 
immediately  after  the  previous  burn  provides  the  maximum  amount  of  time  to  troubleshoot  any  problem 
uncovered  during  the  check. 

2.  UNSCHEDULED  GIMBAL  CHECKS  WILL  BE  PERFORMED  AS  REQUIRED 
BY  MCC  FOR  SYSTEM  ANALYSIS  TO  TROUBLESHOOT  ANY  INDICATED 
OMS  SYSTEMS  ANOMALIES. 

Gimbal  checks  will  be  performed  on  a  system  anytime  the  MCC  believes  there  may  be  a  problem  with  a 
gimbal  system. 


A8-114  ENTRY  BODY  BENDING  FILTER  SELECTION 

THE  PAYLOAD  BODY  BENDING  FILTER  WILL  BE  SELECTED  FOR  RETURNING 
PAYLOADS  GREATER  THAN  10,000  LB. 

Selection  of  the  payload  body  bending  filter  for  returning  payloads  greater  than  10,000  lb  precludes  the 
flex  body  high  frequency  oscillations  which  creates  greater  elevon  deflections  and  increased  APU  fuel 
consumption.  The  10,000-lb  weight  is  representative  of  the  weight  for  primary  payloads  ( i.  e. ,  PAM’s, 
IUS,  Syncom,  etc.). 
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A8-115  GPS  SYSTEM  MANAGEMENT 


CERTIFIED  SINGLE  STRING  GPS  WILL  BE  CONSIDERED  TO  BE  FUNCTIONING 
PROPERLY  AND  AVAILABLE  FOR  USE  DURING  ON-ORBIT  AND  ENTRY 
OPERATIONS  GIVEN  THE  FOLLOWING  CRITERIA:  @[092602-5643] 


A. 

NO 

COMMFAULT,  HARDWARE,  OR 

POWER 

FAILURES 

B. 

NO 

EXTENDED  PERIODS  OF  HIGP 

[  FOM 

1  . 

ORBIT  FOM  LIMITS  -  CAN 

THAN  5  MIN. 

BE  > 

175 

FT 

(FOM  > 

2) 

FOR 

NO 

MORE 

2  . 

ENTRY  FOM  LIMITS  -  CAN 
THAN  3  MIN. 

BE  > 

650 

FT 

(FOM  > 

5) 

FOR 

NO 

MORE 

C.  PERIODS  OF  TRACKING  LESS  THAN  FOUR  SATELLITES  LIMITED  TO  NO 
MORE  THAN  5  MIN. 

GPS  is  certified  to  be  used  for  on  orbit  as  well  as  an  additional  entry  navaid  with  the  consideration  given 
to  the  above  criteria  for  evaluating  the  status  and  availability  of  GPS.  The  above  limits  for  FOM  and 
periods  of  tracking  less  than  four  satellites  were  established  to  meet  the  requirements  for  on-orbit  state 
vector  maintenance  as  well  as  loss  of  service  requiremen  ts  for  entry  certification.  An  tenna  poin  ting, 
structural  blockage,  and  other  constellation  and  environmental  surroundings  should  be  considered  as 
having  a  possible  impact  on  the  GPS’s  ability  to  track  satellites  and  maintain  low  FOM  conditions. 

These  specifications  will  be  used  to  consider  mission  duration  impacts,  single-fault  tolerance,  and  zero- 
fault  tolerance  for  orbit  and  entry  operations.  ( Ref.  AEFTP  #176  July  27,  2001,  #185  June  28,  2002 ) 
@[092602-5643  ] 
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A8-1001  GNC  GO/NO-GO  CRITERIA 


SYSTEMS 

INVOKE 

MDF  IF: 

ENTER  NEXT 
PLS  IF: 

ENTER  FIRST 
DAY  PLS  IF: 

A.  CONTROLLER  AND  SWITCHES: 

1.  LH  RHC  (3) . 

2.  RH  RHC  (3) . 

3.  AFT  RHC  (3) . 

4.  LH  THC  (3) . 

5.  AFT  THC  (3) . 

6.  LH  RPTA  (3) . 

7.  RH  RPTA  (3) . 

8.  LHSBTC  (3) . 

9.  RH  SBTC  (3) . 

10.  LH  BF  UP  &  DN  SW  (2) . 

11.  RH  BF  UP  &  DN  SW  (2) . 

12.  LH&RH  RHC  TRIM  SW  (2) . 

13.  LH  PANEL  TRIM  SW  (2) . 

14.  RH  PANEL  TRIM  SW  (2) . 

15.  LH  &  RH  BFS  ENG  SW  (3) . 

16.  LH  FCS  MODE  AUTO  SW  (3) . 

17.  RH  FCS  MODE  AUTO  SW  (3) . 

18.  LH  &  RH  FCS  MODE  CSS  SW  (3) . 

19.  LH  FCS  MODE  BF  A/M  SW  (3) . 

20.  RH  FCS  MODE  BF  A/M  SW  (3) . 

21.  LH  &  RH  FCS  MODE  SB  A/M  (3) . 

22.  LH  SBTC  TAKEOVER  SW  (3) . 

23.  RH  SBTC  TAKEOVER  SW  (3) . 

24.  ENTRY  MODE  (4) . 

25.  ABORT  MODE  SW  (3) . 

26.  ORBIT  DAP  PBI'S  (2) . 

[2] 

2  ?  SAME  SIDE 
[5] 

[16]  [2] 

5  ? 

[5] 

[3]  3  ?  [2] 

3  ?  SAME  SIDE 

1  ?  OTHER  SIDE 

[4] 

2  ? 

[4] 

3  ?  SAME  SIDE 

1  ?  OTHER  SIDE 

[6] 

[6] 

®[1 02402-5804C] 
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A8-1001  GNC  GO/NO-GO  CRITERIA  (CONTINUED) 


SYSTEMS 

INVOKE 

MDF  IF: 

ENTER  NEXT 
PLS  IF: 

ENTER  FIRST 
DAY  PLS  IF: 

B.  TVC  AND  DRIVERS: 

1.  SSME  ACT  CHNL  (4) . 

2.  SSME  SEC  ?P  (4) . 

3.  SRB  ACT  CHNL  (4) . 

4.  SRB  SEC  ?P  (4) . 

5.  LOMS  PITCH  TVC  (2) . 

6.  L  OMS  YAW  TVC  (2) . 

7.  R  OMS  PITCH  TVC  (2) . 

8.  ROMS  YAW  TVC  (2) . 

9.  FORWARD  RCS  JETS  (16) . 

10.  LEFT  RCS  JETS  LEFT  (4) . 

11.  RIGHT  RCS  JETS  RIGHT  (4) . 

12.  L/R  RCS  JETS  VERNIER  (4) . 

13.  LEFT  RCS  JETS  UP  (3) . 

14.  LEFT  RCS  JETS  DOWN  (3) . 

15.  RIGHT  RCS  JETS  UP  (3) . 

16.  RIGHT  RCS  JETS  DOWN  (3) . 

17.  LEFT  RCS  JETS  AFT  (2) . 

18.  RIGHT  RCS  JETS  AFT  (2) . 

[7]  [8] 

[7]  [8] 

[7]  [8] 

[7]  [8] 

[7  [8] 

[7]  [8] 

[7]  [8] 

[7]  [8] 

2  ?  [11] 

2?  [11] 

2  ? 

2  ? 

2  ? 

2  ? 

2  ? 

2  ? 

2  ? 

2  ? 

[8] 

[8] 

[8] 

[8] 
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A8-1001  GNC  GO/NO-GO  CRITERIA  (CONTINUED) 


SYSTEMS 

INVOKE 

MDF  IF: 

ENTER  NEXT 
PLS  IF: 

ENTER  FIRST 
DAY  PLS  IF: 

C.  AEROSURFACES: 

1.  FCS  CHNL  (4)  . 

2.  BF  ACT  CHNL  (3) . 

3.  ELEVON/BF  POS  FDBK  (4) . 

4.  RUDDER  POS  FDBK  (4) . 

5.  SPDBK  POS  FDBK  (4) . 

6.  ELEVON  PRI  ?P  (4) . 

7.  SEC  ?P  (4) . 

D.  SENSORS 

1.  AA  (LATERAL)  (4) . 

2.  AA  (NORMAL)  (4) . 

3.  RGA-ORB  (4) 

4.  RGA-SRB  (4) . 

5.  IMU  (3) . 

6.  STAR  TRACKER  (2)  &  HUD  (2) . 

7.  -ZCOAS  (1) . 

8.  ATT  REF  PB  (3) . 

9.  TACAN  (3)  &  SINGLE  STRING  GPS  (1) . 

10.  TACAN  MODE  SW  (3) . 

11.  TACAN  ANT  SEL  (3) . 

12.  TACAN  CHNL  SEL  (3) . 

13.  ADTA  (4) . 

14.  MSBLS  (3) . 

15.  RA  (2) . 

[16]  2  ?  [9] 

[16]  2  ?  [9] 

[16]  2  ? 

[12]  2  ?  [9] 

[12]  3  ?  [9] 

[12]  3  ?  [9] 

[12] 

[12] 

[12] 

[12] 

2  ?  [9] 

3  ?  [9] 

[16]  2  ? 

[16]  3  ? 

[16]  3  ? 

[16]  2  ? 

[16]  3  ? 

[16]  3  ? 

[16]  2  ? 

[16]  2  ? 

[6]  4  ? 

[19] 

[6]  3  ? 

[19] 

AND 

1  ? 

[10] 

[10]  2  ? 

[14]  3  ?  [21] 

[15]  4  ?  [21] 

[16]  2  ? 

[16]  3  ? 

[16]  3  ? 

@[121296-4610]  ®[ED  ]  @[111298-6750]  @[092602-5718] 
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A8-1001  GNC  GO/NO-GO  CRITERIA  (CONTINUED) 


SYSTEMS 

INVOKE 

MDF  IF: 

ENTER  NEXT 
PLS  IF: 

ENTER  FIRST 
DAY  PLS  IF: 

DEDICATED  DISPLAYS: 

1.  LH  &  RH  ADI  (2) . 

2.  AFT  ADI  (1) . 

3.  HUD/AMI  (4) . 

4.  HUD/A VVI  (4) . 

5.  HUD/FWDADI  (4) . 

6.  HUD  (2) . 

7.  HSI  (2) . 

8.  SPI  (1) . 

9.  G-METER  (1) . 

[20]  1  ?  [2] 

[20] 

[20]  2  ?  [2] 

[20]  3  ?  [2] 

[20]  2  ?  [2] 

[20]  3  ?  [2] 

[20]  2  ?  [2] 

[20]  3  ?  [2] 

[20] 

[20] 

[20] 

©[040899-2459B] 


LEGEND:  NO  REQUIREMENT 


REQUIRED 


QUANTITY  (  ) 

NOTE  REFERENCE  [  ] 
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A8-1001  GNC  GO/NO-GO  CRITERIA  (CONTINUED) 

NOTES: 

[1]  RESERVED 

[2]  THE  AVAILABILITY  OF  A  GOOD  REPLACEMENT  UNIT  MAY  BE  USED  TO  SATISFY  THE  MINIMUM  REQUIREMENTS 
FOR  NEXT  PLS  OPPORTUNITY.  (REPLACEMENT  MAY  OCCUR  SUBSEQUENT  TO  NEXT  PLS  DECISION  POINT.) 

[3]  +  X  ONLY.  REQUIRED  ONLY  IF  RCS  DEORBIT  REQUIRED. 

[4]  EITHER  TWO  OF  THREE  PER  SIDE  OR  THREE  OF  THREE  ON  EITHER  SIDE  IS  REQUIRED. 

[5]  FOR  FOUR  OR  MORE  CHANNELS  DOWN,  REQUIRE  ALL  SYSTEMS  NEEDED  FOR  AN  EMERGENCY  AUTOLAND 
(ADTA,  MLS,  AA-NZ).  REF.  RULE  {A8-1 7},  EQUIPMENT  REQUIRED  FOR  EMERGENCY  AUTOLAND. 

[6]  ROTATIONAL  PULSE  OR  DISC  RATE  DAP  MODE  IS  REQUIRED  IN  APPROPRIATE  AXES  FOR  -Z  COAS  (PITCH  AND 
ROLL)  AND  HUDS  (PITCH  AND  YAW).  ®[1 11298-6750  ] 

[7]  ENGINE  IS  NO-GO  IF  TVC  CAPABILITY  IS  LOST  AS  DEFINED  IN  RULE  {A8-53},  OMS  TVC  LOSS. 

[8]  REF.  RULE  {A6-1001},  OMS/RCS  GO/NO-GO  CRITERIA  [CIL],  FOR  MDF  AND  NEXT  PLS. 

REF.  RULE  {A2-301 },  CONTINGENCY  ACTION  SUMMARY,  FOR  FIRST  DAY  PLS. 

[9]  SAME  SURFACE. 

[10]  REQUIRED  ONLY  IF  COAS  AND/OR  HUD  IS  REQUIRED.  ANY  LOCATION  ACCEPTABLE. 

[11]  ONE  FAILED  YAW  JET  AND  ORBITER  CG  OUTSIDE  NOMINAL  EOM  BOUNDARY  IS  CAUSE  FOR  NEXT  PLS  ENTRY 
PROVIDED  THAT  THE  CG  CANNOT  BE  RESTORED  BY  RECONFIGURATION,  PAYLOAD  DEPLOYMENT,  ETC. 

[12]  ENTER  PLS  IF  POSITION  FEEDBACK  FAILURE(S)  RESULTS  IN  TWO  FCS  CHNLS  FAILED.  ®[1 02402-5804C] 

[13]  RESERVED 

[14]  MDF  IF  SINGLE-FAULT  TOLERANCE  CAPABILITY  EXISTS  WITH  THE  REMAINING  ENTRY  NAVAIDS  (TACAN  OR 
SINGLE  STRING  GPS)  AND  COMMAND  DELTA  STATE  CAPABILITY.  IF  HIGH-SPEED  C-BAND  RADAR  IS  NOT 
SCHEDULED  AND  NOT  AVAILABLE  TO  BE  SCHEDULED  FOR  ENTRY  (REF.  RULE  [A3-1],  GROUND  AND  NETWORK 
DEFINITIONS)  THEN  DEORBIT  NEXT  PLS.  @[041196-1914]  @[092602-5718] 

[15]  ENTER  NEXT  PLS  (NOT  FIRST  DAY  PLS)  IF  ALL  FOUR  ENTRY  NAVAIDS  (THREE  TACANS  AND  SINGLE  STRING  GPS) 
ARE  FAILED  AND  COMMAND  DELTA  STATE  CAPABILITY  EXISTS. 

[1 6]  REFERENCE  RULE  [A2-207],  LANDING  SITE  SELECTION,  FOR  RUNWAY  PRIORITIES. 

[17]  RESERVED 

[18]  RESERVED  ®[1 02402-5804C] 

[19]  THIS  ASSUMES  MANUAL  CALIBRATION  INSTRUMENTS  ARE  CALIBRATED  AND  VERIFIED.  ANY 
UNCALIBRATED/UNVERIFIED  INSTRUMENT  SHOULD  BE  CONSIDERED  FAILED  FOR  MISSION  DURATION 
DETERMINATION.  @[111298-6750] 

[20]  N/A  FOR  MEDS  CONFIGURED  VEHICLES.  ©[040899-2459B] 

[21]  REFERENCE  RULE  {A8-1 15},  GPS  SYSTEM  MANAGEMENT  @[092602-5718] 

Reference  Rule  { A2-102 },  MISSION  DURATION  REQUIREMENTS. 

Rules  (A8-4J,  FAULT  TOLERANCE  PHILOSOPHY;  {A2-301 },  CONTINGENCY  ACTION  SUMMARY; 
and  {A8-58},  ADI  LOSS,  reference  this  rule. 

When  failure(s)  require  a  next  PLS  entry  but  do  not  require  a  first  day  PLS  entry,  the  rationale  is  that  the 
risks  associated  with  performing  a  first  day  PLS  entry  are  greater  than  those  associated  with  remaining 
on  orbit  until  the  next  PLS  opportunity. 
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A8-1001  GNC  GO/NO-GO  CRITERIA  (CONTINUED) 

A.  CONTROLLERS  and  SWITCHES 

If  necessary  or  desirable ,  most  entry-critical  con  trollers  and  switches  can  be  reconfigured  in  OPS  8 
and/or  OPS  2  ( ref  Rule  {A8-6J  CONTROLLERS/FCS  SWITCHING  FAULT  TOLERANCE). 

LH,  RHRHC 

For  the  loss  of  two  RHC  channels  on  the  same  controller ,  MDF  is  required.  Subsequent  failures  can  be 
tolerated  on  orbit,  either  by  RM  or  by  channel  reconfiguration.  For  four  or  more  RHC  channels  failed, 
the  next  failure  results  in  the  loss  of  at  least  one  RHC,  and  possibly  both.  For  five  channels  failed,  a  next 
PLS  is  required  since  the  RHC’s  are  zero-fault  tolerant  for  manual  flight  of  the  vehicle.  There  are  no 
first  day  PLS  requiremen  ts  for  RHC  channel  failu  res,  since  an  IFM  will  be  done  to  recover  the  failed 
RHC. 

LHTHC 

There  are  no  first  day  PLS  requiremen  ts  for  the  left  THC  since  an  IFM  will  be  performed  to  regain  RCS 
deorbit  capability,  if  required. 

AFT  RHC,  THC 

Loss  of  aft  station  capability  does  not  require  early  mission  termination  since  these  systems  are  not 
available  for  entry  (ref.  Rule  { A8-9 },  AFT  STATION  GNC  REDUNDANCY). 

LH.  RHRPTA 

There  are  no  mission  duration  impacts.  Although  manual  control  capability  is  desirable,  RPTA  control 
is  not  required  for  a  safe  entry. 

LH,  RH  SBTC 

For  three  SBTC  channels  foiled  on  one  side  (loss  of  that  SBTC)  and  one  foaled  on  the  other  side,  MDF  is 
required.  The  next  failure,  unless  a  commfault,  will  result  in  the  loss  of  manned  speedbrake  operations. 
Reference  A/E  FTP  #128,  12/8/95.  ®[i  02402-5804C] 

LH.  IIH  BF  UP  and  DN  SW 

There  are  no  mission  duration  impacts  since  the  body  flap  can  be  manually  driven  UP  for  any  number  of 
body  flap  UP/DOWN  switch  failures.  Manual  control  is  only  required  for  off-nominal  CG  or  aero 
conditions,  to  use  the  body  flap  as  a  trim  device  and  allow  better  elevon  control  authority. 
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A8-1001  GNC  GO/NO-GO  CRITERIA  (CONTINUED) 

LH  RH  PANEL  and  RHC  TRIM  SW 

These  switches  are  not  considered  critical  for  entry  and  do  not  impact  mission  duration. 

LH.  RH  BFS  ENGAGE  SW 

Failures  associated  with  the  BFS  engage  switches  do  not  require  early  mission  termination  ( ref.  Rule 
{A8-11},  LOSS  OF  BFS). 

LH,  RHFCS  MODE  AUTO  SWITCH 

For  three  or  more  FCS  MODE  AUTO  switch  ( PITCH  and  ROLL/YAW)  contacts  failed  (at  least  two 
failed  one  side,  one  failed  other  side),  a  next  PLS  is  required.  The  system  is  zero-fault  tolerant  since  the 
next  failure  results  in  no  capability  to  mode  the  flight  control  system  to  AUTO. 

LH,  RH  FCS  MODE  CSS  SW 

Failures  in  these  switches  are  not  considered  critical  and  do  not  require  early  mission  termination.  RHC 
hot  stick  (to  manned  control)  is  available  any  time  in  OPS  3. 

LH.  RH  FCS  MODE  BF  A/M  SW 

The  body  flap  will  be  in  AUTO  under  most  flight  conditions,  but  manual  (MAN)  may  be  required  ( off- 
nominal  CG  or  aero  conditions).  For  two  BF  AUTO/MAN  (A/M)  switch  contacts  failed,  changing  the 
body  flap  flight  control  mode  is  single-fault  tolerant,  and  MDF  is  required.  For  three  or  more  contacts 
failed  (at  least  two  failed  one  side,  one  failed  other  side),  a  next  PLS  is  required.  At  least  two  con  tacts 
on  each  side,  or  cdl  three  contacts  on  one  side,  are  required  to  maintain  single-fault  tolerance  on  these 
switches. 

LH.  RH  FCS  MODE  SB  A/M  SW 

The  SB  A/M  switch  is  used  to  mode  the  speedbrcike  from  MAN  to  AUTO  only,  since  MAN  is  achieved  with 
the  SBTC  takeover  switch.  If  the  crew  is  required  to  take  over  MAN  speedbrcike  and  subsequen  t  failures 
result  in  the  loss  of  capability  to  mode  back  to  AUTO,  the  crew  can  remain  in  manual  with  no  added 
workload. 

LH  RH  SBTC  TAKEOVER  SW 

Reference  rationale  for  LH,  RH  SBTC  rationale. 
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ENTRY  MODE 

This  switch  is  not  considered  critical  for  entry.  For  a  failure  of  the  switch  during  entry  (LO  GAIN  or 
NO-YAW-JET ’),  the  AUTO  position  can  be  selected  on  SPEC  51,  OVERRIDE,  in  MM  304/305. 

ABORT  MODE  SW 

This  switch  is  used  to  select  the  bailout  function  and  early  mission  termination  is  not  required. 

ORBIT  DAP  PBTs 

If  the  CO  AS  is  required  for  entry  IMU  alignment,  then  MDF  is  required  by  definition  of  COAS/STAR 
TRACKER  requirements.  If  any  of  the  required  switches  is  zero-fault  tolerant  (and  the  CO  AS  is  required 
for  entry  IMU  alignment),  then  a  next  PLS  will  be  declared. 

B.  TVC  and  DRIVERS 

SSME  ACT  CHNL  and  SSME  SEC  DELTA  P 

These  systems  are  not  required  for  performing  a  safe  entry  (impacts  to  postlanding  configuration  and 
turnaround  activities  only). 

SRB  ACT  CHNL  and  SRB  SEC  DELTA  P 

These  systems  are  not  used  for  entry,  and  mission  duration  impacts  do  not  apply. 

L.  R  QMS  PITCH  and  YAW  TVC 

The  two  OMS  engines  and  the  four  +X  RCS  jets  constitute  three  means  of  deorbit  capability.  If  failures 
of  the  left  and/or  right  OMS  TVC  in  combination  with  failures  of  the  +X  RCS  jets  result  in  the  loss  of  two 
out  of  three  deorbit  methods,  then  a  next  PLS  (or  first  day  PLS)  is  required  (ref.  Rule  {A6-1001  j, 
OMS/RCS  GO/NO-GO  CRITERIA  [CIL],  and  Rule  {A8-3J,  LOSS  OF  GNC  SYSTEM). 

FORWARD  RCS  JETS 


The  forward  RCS  jets  are  not  considered  critical  for  entry.  Reduction  of  mission  duration  is  not  required 
for  failures  of  these  jets. 
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L,  R  RCS  JETS  LEFT  and  RIGHT  ( YAW  JETS ) 

For  one  yaw  jet  failed  and  the  orbiter  CG  outside  of  the  nominal  EOM  boundary  (ref  Rule  {A4-153},  CG 
PLANNING),  a  next  PLS  is  required  due  to  the  potential  for  elevon  saturation.  A  full  complement  of  yaw  jets 
is  required  to  ensure  vehicle  control  within  the  contingency  CG  envelope.  The  loss  of  three  yaw  jets  on  the 
same  side  results  in  significantly  degraded  flight  control  in  the  low  Q-bar  regime  (Q-bar  <  20  psf). 

Therefore,  a  next  PLS  is  required  after  two  yaw  jet  failures,  without  regard  to  vehicle  CG.  There  are  no  first 
day  PLS  requirements  for  the  loss  of  these  jets  because  the  no-yaw-jet  mode  is  certified  ( Q-bar  >  20  psf)  for 
flight  control  (ref.  Rule  {A6-1001},  OMS/RCS  GO/NO-GO  CRITERIA  [CIL];  Rule  {A8-19},  YAW  JET 
DOWNMODE;  and  EFTP,  1/15/88). 

L,  R  RCS  VERNIER  JETS 

The  loss  of  these  jets  has  no  impact  on  mission  duration. 

L,  R  RCS  JETS  UP  and  DOWN 

For  the  loss  of  any  two  jets  on  the  same  side  that  fire  in  the  same  direction  (two  LEFT  UP  firing,  for 
example),  a  next  PLS  (or  first  day  PLS)  is  required.  These  jets  are  critical  for  vehicle  pitch  and  roll  control 
during  entry,  and  entering  next  PLS  reduces  the  risk  for  the  next  failure  which  could  impact  vehicle  control 
(ref.  Rule  {A6-1001},  OMS/RCS  GO/NO-GO  CRITERIA  [CIL]). 

L.R  RCS  JETS  AFT  ( +X  JETS ) 

If  failures  of  the  left  and/or  right  OMS  TVC  in  combination  with  failures  of  +X  RCS  jets  result  in  the  loss  of 
two  out  of  three  deorbit  methods,  then  a  next  PLS  (or  first  day  PLS)  is  required.  There  are  no  mission 
duration  requiremen  ts  for  loss  of  these  jets  alone  (ref.  Rule  [A6-1001 },  OMS/RCS  GO/NO-GO  CRITERIA 
[CIL]). 
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C.  AEROSURFACES 
FCS  CHANNELS 


For  one  channel  failed  (any  surface)  the  FCS  is  single-fault  toleran  t,  with  the  exception  of  certain  “smart 
failures”  during  specific  windows  of  entry,  and  there  are  no  mission  duration  impacts  (ref  Rule  { A8-4J , 
FAULT  TOLERANCE  PHILOSOPHY).  The  risk  of  sustaining  a  second  failure  in  the  FCS  affecting  the  same 
aerosurface  (ASA,  MDM,  or  actuator)  while  on-orbit  for  the  remainder  of  the  mission  (NEOM)  will  be 
assessed  in  reed  time  as  required  per  Rule  { A2-102J ,  MISSION  DURATION  REQUIREMENTS.  After  the 
first  failure,  there  are  certain  failures  in  the  FCS  command  channels  (ASA,  sen’o  valve,  actuator)  which 
could  reduce  flight  control  margins  (2-on-l  force  fight)  for  short  periods  during  entry  until  the  MCC  and 
crew  can  isolate  the  bad  channel.  However,  the  risk  of  sustain  ing  one  of  these  failures  at  the  three-level  on 
the  FCS  command  channels  during  entry  is  the  same  regardless  of  when  entry  occurs  (i.e.,  the  window-of- 
exposure  is  the  same  regardless  of  flight  duration).  For  two  channels  failed  on  the  same  aerosurface,  a  next 
PLS  (or  first  day  PLS)  will  be  declared.  PLS  landing  site  selection  will  be  determined  per  Rule  { A2-207 }, 
LANDING  SITE  SELECTION.  Loss  of  three  command  channels  on  any  aerosurface  is  cm  uncertified  flight 
mode.  @[121296-4610]  ®[1 02402-5804C] 

BE  ACT  CHNL 


For  one  of  three  bodyflap  (BF)  channels  failed,  BF  con  trol  is  single-fault  toleran  t,  and  there  are  no  mission 
duration  impacts  (ref.  Rule  { A8-4J ,  FAULT  TOLERANCE  PHILOSOPHY).  The  risk  of  sustaining  a  second 
BF  channel  failure  while  on-orbit  for  the  remainder  of  the  mission  (NEOM)  will  be  assessed  in  real  time  as 
required  per  Rule  {A2-102},  MISSION  DURATION  REQUIREMENTS.  For  two  channels  failed,  next  PLS  is 
required  since  BF  control  is  zero-fault  toleran  t.  It  is  required  to  main  tain  con  trol  of  the  BF  in  order  to  avoid 
off-nominal  flying  configurations  and  to  prevent  damage  to  the  mean  engine  bells  and/or  the  bodyflap  itself. 
There  are  no  first  day  PLS  requirements  for  BF  channel  failures.  @[121296-4610  ] 

ELEVON/BF  POS  FDBK 

For  two  elevon  or  bodyflap  position  feedbacks  failed  on  the  same  surface,  MDF  is  required  since  the  system 
is  single-fault  toleran  t.  For  three  feedbacks  failed  on  the  same  surface,  the  system  is  fail  critical  and  a  next 
PLS  (or  first  day  PLS)  is  required.  However,  if  the  affected  port  is  bypassed,  then  the  FCS  channel  loss 
criteria  will  apply  (ref.  A/E  FTP  #45,  6/17/88). 

RUDDER  and  SPDBK  POS  FDBK 

The  position  feedbacks  for  these  surfaces  are  not  used  in  the  aerojet  DAP  but  are  used  for  surface  position 
indications  on  the  SPI.  Although  desirable,  these  indications  are  not  considered  critical  for  entry  and  there 
are  no  mission  duration  impacts  associated  with  them.  However,  if  the  affected  port  is  bypassed,  then  the 
FCS  channel  loss  criteria  will  apply  (ref.  A/E  FTP  #45,  6/17/88). 
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ELEVON  PRI  DELTA  P 

For  two  elevon  primary  delta  pressure  indications  failed  on  the  same  surface,  MDF  is  required  since  the 
system  is  single-fault  toleran  t.  For  three  failed,  a  next  PLS  is  required  because  the  system  is  zero-fault 
toleran  t.  The  effector  system  requires  at  least  one  primary  pressure  feedback  loop  in  an  actuator  since  the 
ASA  relies  on  these  pressure  indications  to  provide  command  stability  (ref.  SODB,  volume  I,  paragraph 
3.4.5. 1-4). 

SECONDARY  DELTA  P 

The  aerosurface  and  SSME/SRB  actuator  secondary  delta  pressure  transducers  provide  fault  detection  (RM ) 
in  the  ASA ’s  and  ATVC’s,  respectively.  IfRM  is  lost,  the  system  can  still  be  managed  (MCC  required)  and 
any  failed  channels  can  be  manually  bypassed  if  required.  FCS  channel  loss  criteria  will  apply  for 
transducer  failures  that  degrade  the  FCS  performance/redundancy. 

D.  SENSORS 

LATERAL  AA 


For  two  lateral  axis  AA ’s  failed,  cm  MDF  is  required  and,  for  three  failed,  a  next  PLS  ( or  first  day  PLS), 
is  required  .  Landing  site  selection  will  be  determined  per  Rule  {A2-207},  LANDING  SITE  SELECTION. 
The  lateral  axis  AA  feedback  is  used  in  the  aerojet  DAP  for  turn  coordination  by  preventing  rolloff 
during  bank  maneuvers.  The  lettered  feedback  is  also  used  for  NWS  control  during  rollout  (ref.  A/E  FTP 
#45,  6/1 7/88).  ®[1 02402-5804C] 

NORMAL  AA 


The  normal  AA  feedback  is  used  for  ADI  pitch  error  and  alpha  error  indications  only  prior  to  MM  305. 
In  MM  305,  the  normal  AA  feedback  is  used  by  guidance  to  provide  Nz  commands  to  the  flight  control 
system.  However,  failures  in  these  feedbacks  do  not  require  reduction  in  mission  duration  because  the 
crew  can  fly  CSS  in  the  pitch  axis  in  MM  305,  thereby  removing  the  normal  feedback  from  the  command 
loop. 

ORBITER  RGA 


For  two  orbiter  RGA’ s  failed,  MDF  is  required  because  the  system  is  single-fault  tolerant  on  orbit.  For 
three  failed,  a  next  PLS  (or  first  day  PLS)  is  required  because  the  system  is  zero-fault  tolerant  on  orbit. 
Landing  site  selection  will  be  determined  per  Rule  { A2-207J ,  LANDING  SITE  SELECTION,  (ref.  A/E 
FTP  #45,  6/1 7/88).  ®[1 02402-5804C] 

SRB  RGA 


These  systems  are  not  used  for  entry,  and  mission  duration  impacts  do  not  apply. 
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IMU 


For  the  loss  of  one  IMU,  the  system  is  single-fault  toleran  t,  with  the  exception  of  certain  “smart 
failures”  during  specific  windows  of  deorbit  and  entry,  and  there  are  no  mission  duration  impacts  (ref 
Rule  {A8-4},  FAULT  TOLERANCE  PHILOSOPHY).  The  risk  of  sustaining  a  second  IMU  failure  while 
on-orbit  for  the  remainder  of  the  mission  (NEOM)  will  be  assessed  in  real  time  as  required  per  Rule 
{A2-102},  MISSION  DURATION  REQUIREMENTS.  Also,  high-speed  C-band  radar  is  mandatory  for 
entry  at  the  IMU  two-level  ( ref  Rule  {A3-1 },  GROUND  AND  NETWORK  DEFINITIONS ).  There  are 
single-point  failures  that  can  result  in  either  an  unresolvable  dilemma  at  the  two-level,  or  bad  selected 
data  due  to  a  transient  output  which  is  not  presen  t  long  enough  for  IMU  RM  to  operate  and  declare  a 
failure.  For  these  cases,  the  onboard  state  vector  and/or  vehicle  flight  control  could  be  significantly 
impacted  during  critical  deorbit  or  entry  phases.  However,  the  risk  of  sustaining  one  of  these  failures 
at  the  two-level  during  entry  is  the  same  regardless  of  when  entry  occurs  (i.e.,  the  window-of-exposure  is 
the  same  regardless  of  flight  duration).  Additionally,  it  is  expected  that  the  IMU  entry  two-level 
redundancy  managemen  t  (RM),  including  the  use  of  BITE,  will  correctly  isolate  and  reconfigure  the 
system  (prime  selecting  the  good  IMU)  for  at  least  98  percent  of  all  failures.  For  two  IMU’s  failed,  a 
next  PLS  (or  first  day  PLS)  is  required.  The  system  is  zero-fault  tolerant  because  navigation  and  flight 
control  require  one  IMU  for  entry.  Landing  site  selection  will  be  determined  per  Rule  {A2-207J, 
LANDING  SITE  SELECTION.  ®[041 196-191 4]  ®[1 21 296-461 0  ]  ®[ED  ]  ®[1 02402-5804C] 

STAR  TRACKER/COAS/HUD  ®[i  1 1 298-6750  ] 

If  only  one  instrument  for  aligning  the  IMU’s  remains,  enter  next  PLS.  It  is  important  to  note  that  in 
considering  the  availability  of  manual  alignmen  t  in  strumen  ts,  an  instrumen  t  can  only  be  considered 
available  if  it  has  been  calibrated  and  verified.  An  instrument  that  is  not  calibrated  and  verified  should 
not  be  used  to  perform  IMU  alignments.  Only  the  CDR  HUD  is  considered  calibrated  at  launch  (except 
on  OV-104).  This  calibration  should  be  verified  before  using  the  HUD  to  perform  IMU  alignments. 
Refer  to  Flight  Rule  { A8-108 },  HUD/CO  AS  SYSTEM  MANAGEMENT. 

The  only  exception  to  the  PLS  rule  is  the  case  where  the  -Z  COAS  is  the  only  instrumen  t  remaining  for 
performing  IMU  alignmen  ts.  Since  the  probability  of  a  COAS  failu  re  is  considered  extremely  remote 
(COAS  is  a  simple  mechanical  apparatus),  the  mission  can  be  extended  beyond  next  PLS  to  MDF. 

If  a  manual  alignment  instrument  is  required,  it  is  necessary  to  have  the  appropriate  digital  auto  pilot 
(DAP)  modes  available.  The  DAP  modes  are  required  to  allow  the  crew  to  mark  accurately  on  a  star. 
@[111298-6750] 
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ATT  REF  PB 


The  ATT  REF  PB  is  required  for  IMU  alignments  using  the  COAS  or  FlUD.  If  the  CO  AS  and/or  HUD  is 
required  for  the  entry  and  only  a  single  ATT  REF  PB  remains,  a  next  PLS  is  required.  It  should  be  noted 
that  only  the  forward  station  ATT  REF  PB’s  are  supported  in  OPS  3;  and,  if  only  the  aft  PB  remains,  the 
alignment  will  have  to  be  performed  in  OPS  2.  ®[1 11298-6750  ] 

TACAN  AND  SINGLE  STRING  GPS 


For  three  of  four  Entry  Navaids  (TACAN’ s  and/or  Single  String  GPS)  failed,  the  system  is  single-fault 
tolerant  (assuming  command  delta  state  capability  exists),  and  MDF  is  required.  For  three  of  four  LRU’s 
failed,  enter  next  PLS  if  high-speed  C-band  radar  is  not  scheduled  and  not  available  to  be  scheduled  for 
entry  (ref.  Rule  {A3-1},  GROUND  AND  NETWORK  DEFINITIONS).  For  all  four  Entry  Navaids  failed,  a 
next  PLS  is  required  to  protect  for  the  loss  of  CONUS  site  capability.  Entry  with  no  TACAN’ s  or  GPS 
could  require  a  GCA  and/or  a  command  delta  state  uplink  to  correct  navigation  errors,  and  declaring 
next  PLS  minimizes  exposure  to  landings  that  do  not  have  these  options.  Consideration  must  be  given  to 
Data  and  Power  Bus  configurations  to  ensure  that  fault  tolerance  exists  for  remaining  TACAN  and  GPS 
LRU’s.  If  fault  tolerance  does  not  exist,  then  a  PLS  landing  is  required  (ref.  EFTP  #28,  #29,  #30,  #176, 
#185).  @[041196-1914]  @[092602-5718] 

TACAN  MODE  SW,  ANT  SEL,  CHNL  SEL 

The  TACAN  mode  switch,  antenna  select,  and  channel  select  are  not  critical  for  entry.  If  the  switch 
failures  render  the  TACAN(s)  unusable,  then  the  TACAN  loss  criteria  will  apply. 

ADTA 


For  two  ADTA’ s  failed,  the  system  is  zero-fault  tolerant  and  MDF  is  required.  With  the  next  failure 
(three  ADT A’ s  failed),  air  data  (AD)  will  not  be  incorporated  into  G&C  except  for  specific  off-nominal 
circumstances,  and  a  next  PLS  (or  first  day  PLS)  is  required.  Landing  site  selection  will  be  determined 
per  Rule  {A2-207J,  LANDING  SITE  SELECTION.  The  incorporation  of  AD  to  G&C  is  required  for  auto 
flight  control  and  very  desirable  for  manual.  It  is  highly  desirable  to  protect  against  the  last  ADTA 
failure  so  that  it  can  be  used  if  necessary.  Without  AD,  the  crew  will  fly  theta  limits  for  pitch  control 
(ref.  A/E  FTP  #45,  6/1 7/88,  ENTRY  FTP  #34,  8/21/87,  and  A/E  FTP  #187,  9/20/02 ).  ®[i  02402-5894C] 

®[1 02402-5804C]  ®[1 02402-5804C] 

THIS  RULE  CONTINUED  ON  NEXT  PAGE 


VOLUME  A  11/21/02  FINAL,  PCN-1  GUIDANCE,  NAVIGATION  &  8-73 

CONTROL  (GN&C) 

Verify  that  this  is  the  correct  version  before  use. 


NASA  -  JOHNSON  SPACE  CENTER 


FLIGHT  RULES 


A8-1001  GNC  GO/NO-GO  CRITERIA  (CONTINUED) 

MSBLS 


There  are  no  requirements  for  early  mission  termination  for  MLS  failures,  since  in  most  cases  a  safe 
landing  can  be  performed  without  the  use  of  MLS  (ref.  Rule  (A8-18},  LANDING  SYSTEMS 
REQUIREMENTS ).  However,  for  one  MLS  failed  and  MLS  redundancy  required  (ref  Rule  {A3-202}, 
MLS),  high-speed  C-band  radar  should  be  scheduled  as  required  (ref  Rule  {A3 -I},  GROUND  AND 
NETWORK  DEFINITIONS).  ®[04i  196-191 4]  ®[ED  ] 

RA 

The  radar  altimeters  are  used  for  altitude  source  from  5k  feet  to  the  ground  and  are  highly  desirable  for 
night  landings  and/or  low  ceilings.  However,  there  are  no  mission  duration  impacts  for  RA  failures. 

(Ref.  Rule  / A8-18 j,  LANDING  SYSTEMS  REQUIREMENTS.)  @[072398-6646  ] 

E.  DEDICATED  DISPLAYS 

LH&RHADI 

Declare  MDF  when  only  one  forward  ADI  remains  since  only  a  single  display  source  of  bank  angle  (phi) 
and  vehicle  rates  and  errors  remains.  Bank  angle  is  required  during  MM  304 for  controlling  drag  and 
H-dot  in  the  event  of  bad  guidance.  Similarly,  vehicle  rates  and  attitude  errors  are  required  in  the  event 
of  guidance  or  flight  control  problems.  Given  the  availability  of  replacement  units  for  both  the  ADI  and 
DDU  (aft  station),  two  failures  are  required  in  order  to  have  only  a  single  remaining  ADI  in  the  forward 
station. 

AFT  ADI 

There  is  no  requirement  for  this  display  during  entry.  (Ref.  Rule  { A8-9) ,  AFT  STATION  GNC 
REDUNDANCY. ) 

HUD/AMI 

Equivalent  air  speed  (EAS),  displayed  on  the  HUD  and  AMI,  is  a  critical  parameter  from  TAEM  to 
touchdown.  As  a  result,  declare  PLSfor  loss  of  three  of  the  four  sources  for  this  parameter,  and  MDF 
for  loss  of  two  of  the  four  sources  for  this  parameter. 

THIS  RULE  CONTINUED  ON  NEXT  PAGE 
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A8-1001  GNC  GO/NO-GO  CRITERIA  (CONTINUED) 

HUD/AWI 

Altitude  (H),  displayed  only  on  the  HUD  and  AWIfrom  TAEM  to  touchdown,  is  a  critical  parameter 
required  by  the  pilot  during  the  approach  and  landing  phases  of  the  entry.  Thus,  declare  PLS  for  loss  of 
three  of  the  four  sources  for  this  parameter,  and  MDF  for  loss  of  two  of  the  four  sources  for  this 
parameter. 

While  H-dot,  displayed  only  on  the  AWI  in  MM  304,  is  an  important  parameter,  early  flight  termination 
will  not  be  declared  for  the  loss  of  one  AWI.  It  is  not  reasonable  to  declare  early  flight  termination  to 
protect  for  the  extremely  remote  scenarios  (if  they  exist  at  all )  where  H-dot  would  be  required  to  fly  a 
manual  MM  304  entry. 

HUD/FWD  ADI 

Phi  ( bank  angle)  and  one  of  gamma  ( flight  path  angle)  or  theta  (pitch)  are  required  from  TAEM  through 
the  approach  phase  of  entry.  These  parameters  are  only  available  to  the  pilot  on  the  HUD  and  forward 
ADI.  Thus,  declare  PLS  for  loss  of  three  of  the  four  sources  for  these  parameters,  and  MDF  for  loss  of 
two  of  the  four  sources  for  these  parameters. 

HUD 


The  HUD  is  highly  desirable  but  not  mandatory  for  night  landings;  therefore,  an  MDF  is  not  required. 
@[111298-6750] 

HSI 

For  low  ceilings  ( <10kfeet )  or  night  landings,  the  HSI  is  desirable,  but  not  required,  for  accurate 
heading  and  course  information.  Since  MLS  is  required  under  both  of  these  situations,  accurate 
approach  information  is  available.  In  addition,  rough  course  alignment  and  heading  is  provided  by  the 
Horizontal  Situation  Display  (HSD).  As  a  result,  early  flight  termination  is  not  required  for  loss  of 
HSI(s).  (Ref.  Rules  { A8-18 j,  LANDING  SYSTEMS  REQUIREMENTS;  { A3-202 j,  MLS;  and  {A2-6j, 
LANDING  SITE  WEATHER  CRITERIA  [ HC J.) 

SPI  and  G-METER 


Though  desirable,  these  displays  are  not  required. 


VOLUME  A  06/20/02  FINAL  GUIDANCE,  NAVIGATION  &  8-75 

CONTROL  (GN&C) 

Verify  that  this  is  the  correct  version  before  use. 


NASA  -  JOHNSON  SPACE  CENTER 


VOLUME  A 


FLIGHT  RULES 


THIS  PAGE  INTENTIONALLY  BLANK 


06/20/02  FINAL  GUIDANCE,  NAVIGATION  &  8-76 

CONTROL  (GN&C) 

Verify  that  this  is  the  correct  version  before  use. 


NASA  -  JOHNSON  SPACE  CENTER 


FLIGHT  RULES 


SECTION  9  -  ELECTRICAL 

LOSS/FAILURE  DEFINITIONS 

A9-1  FUEL  CELL  (FC)  LOSS  [CIL] . 9-1 

A9-2  FC  ALTERNATE  H20  SYSTEM  LOSS . 9-6 

A9-3  ELECTRICAL  POWER  DISTRIBUTION  AND  CONTROL 

(EPDC )  SYSTEM  [CIL]  .  9-7 

A9-4  CAUTION  AND  WARNING  (C&W) . 9-9 

A9-5  THROUGH  A9-50  RULES  ARE  RESERVED . 9-9 

FUEL  CELL  SYSTEMS  MANAGEMENT 

A9-51  FC  POWER  LEVEL  CONSTRAINTS . 9-10 

A9-52  FC  PURGE . 9-11 

A9-53  FC  H20  SYSTEM  HEATERS . 9-14 

A9-54  FC  STANDBY  DEFINITION . 9-14 

A9-55  FC  SHUTDOWN  DEFINITION  [CIL]  .  9-15 

A9-56  FC  SAFING . 9-16 

A9-57  REUSABLE  FC . 9-17 

A9-58  FC  SUSTAINER  HEATER . 9-19 

A9-59  FC  -  CELL  PERFORMANCE  MONITOR  [CIL] . 9-19 

A9-60  FC  COOLANT  PUMP  FAILURE  MANAGEMENT  [CIL] . 9-21 

A9-61  ACTIONS  FOR  FUEL  CELL  PH  INDICATIONS . 9-22 

A9-62  FUEL  CELL  MONITORING  SYSTEM  DATA  TAKE . 9-24 

A9-63  THROUGH  A9-100  RULES  ARE  RESERVED . 9-24 

DC  POWER  DISTRIBUTION  AND  CONTROL  SYSTEMS 
MANAGEMENT 

A9-101  DC  BUS  VOLTAGE  LIMITS . 9-25 

A9-102  ESSENTIAL  BUS . 9-25 

A9-103  POWER  REDUCTION  GUIDELINES . 9-25 

A9-104  MAIN  BUS  SHORT . 9-26 

A9-105  CB/RPC  RESET  .  9-27 


VOLUME  A  06/20/02  FINAL  ELECTRICAL  9-i 

Verify  that  this  is  the  correct  version  before  use. 


NASA  -  JOHNSON  SPACE  CENTER 


_ FLIGHT  RULES _ 

A9-106  CONTROL  BUS . 9-28 

A9-107  MAIN  BUS  TIE  [OIL] . 9-30 

A9-108  CRITICAL  PHASE  BUS  MANAGEMENT . 9-31 

A9-109  PRIMARY  PAYLOAD  BUS  MANAGEMENT . 9-32 

A9-110  PREFLIGHT  TEST  BUS  MANAGEMENT . 9-33 

A9-111  THROUGH  A9-150  RULES  ARE  RESERVED . 9-36 

AC  POWER  DISTRIBUTION  AND  CONTROL  SYSTEMS 
MANAGEMENT 

A9-151  AC  INVERTER  MANAGEMENT  .  9-37 

A9-152  AC  BUS  SENSORS  SWITCH  MANAGEMENT . 9-37 

A9-153  AC  BUS  LOADING . 9-37 

A9-154  AC  LOAD  MANAGEMENT  DURING  ASCENT . 9-38 

A9-155  AC  INVERTER  THERMAL  LIFE . 9-41 

A9-156  LOSS  OF  SINGLE-PHASE  AC . 9-44 

A9-157  LOSS  OF  TWO-PHASE  AC . 9-45 

A9-158  AC  POWER  TRANSFER  CABLE  .  9-45 

A9-159  MOTOR  CONTROL  ASSEMBLY  (MCA)  .  9-46 

A9-160  CAUTION  AND  WARNING  (C&W)  [CIL]  .  9-46 

A9-161  HYDRAULIC  CIRCULATION  PUMP  OPERATION . 9-47 

A9-162  THROUGH  A9-200  RULES  ARE  RESERVED . 9-47 

CRYOGENIC  LOSS/FAILURE  DEFINITIONS 

A9-201  02  (H2)  MANIFOLD . 9-48 

A9-202  CRYO  TANK . 9-49 

A9-203  CRYO  TANK  ANNULUS  VACUUM . 9-50 

A9-204  CRYO  HEATER . 9-51 

A9-205  O2  DELTA  CURRENT  SENSOR . 9-52 

A9-20  6  THROUGH  A9-250  RULES  ARE  RESERVED . 9-52 


VOLUME  A  06/20/02  FINAL  ELECTRICAL  9-ii 

Verify  that  this  is  the  correct  version  before  use. 


NASA  -  JOHNSON  SPACE  CENTER 


_ FLIGHT  RULES _ 

CRYOGENIC  SYSTEMS  MANAGEMENT 

A9-251  CRYO  HEATER  MANAGEMENT  FOR  ASCENT . 9-53 

A9-252  CRYO  HEATER  MANAGEMENT  FOR  ORBIT  [CIL] .  9-54 

A9-253  CRYO  TANK  HEATER  TEMPERATURE  MANAGEMENT . 9-58 

A9-254  CRYO  HEATERS  DEACTIVATION . 9-58 

A9-255  02  DELTA  CURRENT  SENSOR . 9-59 

A9-256  CRYO  02/H2  TANK  QUANTITY  BALANCING . 9-60 

A9-257  POWER  REACTANT  STORAGE  AND  DISTRIBUTION 

(PRSD )  H2  AND  02  REDLINE  DETERMINATION . 9-62 

A9-258  CRYO  02  AND  H2  PRESSURE  MANAGEMENT . 9-63 

A9-259  CRYO  02/H2  MANIFOLD  VALVES . 9-65 

A9-260  CRYO  SYSTEM  LEAKS  [CIL]  .  9-67 

A9-261  IMPENDING  LOSS  OF  ALL  CRYO . 9-70 

A9-262  EDO  PALLET  MANAGEMENT . 9-71 

A9-263  THROUGH  A9-300  RULES  ARE  RESERVED . 9-71 

SPACEHAB  SUPPORT 

A9-301  SPACEHAB  DC  BUSES  .  9-72 

A9-302  SPACEHAB  AC  INVERTER . 9-72 

A9-303  THROUGH  A9-350  RULES  ARE  RESERVED . 9-72 

SPACEHAB  ELECTRICAL  POWER  SUBSYSTEM  (EPS) 
MANAGEMENT 

A9-351  ELECTRICAL  POWER  SUBSYSTEM  (EPS)  CONSTRAINTS.  9-73 

A9-352  SPACEHAB  MAIN  BUS  MANAGEMENT . 9-74 

A9-353  SPACEHAB  EMERGENCY  BUS  LOSS . 9-75 

A9-354  SPACEHAB  AC  MANAGEMENT . 9-76 

A9-355  FUSE/CIRCUIT  BREAKER  MANAGEMENT . 9-80 

A9-356  FUEL  CELL  FAILURE  MANAGEMENT . 9-81 

A9-357  SPACEHAB  SURVIVAL  POWER  CONFIGURATION . 9-81 

A9-358  CAUTION  AND  WARNING  (C&W)  .  9-81 

A9-359  THROUGH  A9-400  RULES  ARE  RESERVED . 9-81 


VOLUME  A  06/20/02  FINAL  ELECTRICAL  9-iii 

Verify  that  this  is  the  correct  version  before  use. 


NASA  -  JOHNSON  SPACE  CENTER 


A9-1001 


_ FLIGHT  RULES 

ELECTRICAL  GO/NO-GO  CRITERIA 

ELECTRICAL  GO/NO-GO  CRITERIA 


9-82 


VOLUME  A  06/20/02  FINAL  ELECTRICAL  9-iv 

Verify  that  this  is  the  correct  version  before  use. 


NASA  -  JOHNSON  SPACE  CENTER 


FLIGHT  RULES 


SECTION  9  -  ELECTRICAL 


LOSS/FAILURE  DEFINITIONS 


A9-1  FUEL  CELL  (FC)  LOSS  [CIL] 

A  FUEL  CELL  (FC)  IS  CONSIDERED  LOST  IF: 

A.  AN  ABNORMAL  OR  UNEXPLAINED  VOLTAGE  VERSUS  CURRENT  PERFORMANCE 
LOSS  OF  ?  0.5  VOLT  FOR  A  SINGLE  FC  BASED  ON  PREDICTED 
PERFORMANCE  DATA.  ®[ED  ] 

For  a  three  substack  FC,  the  loss  of  1  of  96  cells  will  result  in  a  performance  drop  of  approximately 
0.5  volt.  This  assumes  the  FC  is  thermally  stable  with  no  internal  heaters  on.  For  each  flight, 
predicted  nominal  performance  curves  are  provided  for  each  FC  by  Rockwell  International  Corp. 
via  R&E  subsystem  manager.  In-flight  nominal  performance  is  defined  by  the  cue  card  curve 
selected  after  the  first  purge  (reference  back  of  the  FC  cue  card). 

DOCUMENTATION:  SODB  3.4.4. 1.6. b. 

B.  THE  COOLANT  PUMP  OR  H2  PUMP/H20  SEPARATOR  IS  LOST.  [CIL] 

Loss  of  coolant  pump  results  in  loss  ofFC  cooling  and  cryogenic  O2/H2  preheating  capability.  With 
ascent  electrical  loads,  excessive  heating  of  the  FC  power  section  can  occur  within  9  minutes  of  pump 
failure.  Excessive  heating  of  the  FC  results  in  loosening  of  the  stack  due  to  loss  of  tie-rod  tension 
resulting  in  the  uncontrolled  mixing  of  O2  and  H2  that  is  a  catastrophic  failure.  Since  the  FC  coolant 
loop  is  no  longer  circulating,  the  cryogenic  preheaters  are  no  longer  warming  the  cold  reactants.  This 
results  in  excessive  cooling  of  the  dual-gas  regulator  and  possible  loss  of  pressure  regulation.  Loss  of 
H2  pump  results  in  loss  of  water  removal  capability  from  the  FC.  A  FC  without  water  removal 
capability  has  a  predicted  lifetime  of  about  110  amp-hrs.  (See  paragraph  Efor  110  amp-hr 
explanation .)  ®[ED  ] 

DOCUMENTATION:  SODB,  3.4.4.1.15. 

Rules  (A9-1001J,  ELECTRICAL  GO/NO  GO  CRITERIA,  and  (A9-160J,  CAUTION  AND  WARNING 
(C&W)  [CIL],  reference  this  rule.  ®[ED  ] 
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A9-1  FUEL  CELL  (FC)  LOSS  [CIL]  (CONTINUED) 

C.  THE  FC  STACK  COOLANT  TEMPERATURE  IS  >  250  DEG  (242.5  DEG)  F 
OR  <  175  DEG  (182.5  DEG)  F.  ®[ED  ] 

At  a  stack  temp  >  250  deg  F,  FC  tie-rods  lose  tension  causing  loosening  of  the  FC  stack  and  seat/ seal 
softening  occurs  allowing  direct  O2/H2  reactant  mixing,  or  possible  FC  failure  due  to  reactant  gas 
crossover  through  a  dry  electrolyte  matrix  resulting  from  excessive  water  removal.  At  a  stack  temp 
<175  deg  F,  water  removal  capability  is  degraded  sufficiently  to  allow  FC  failure  due  to  dilution  of 
KOH  electrolyte  to  the  point  where  it  will  no  longer  support  adequate  reaction  within  the  cell.  This 
flooding  is  caused  by  the  reduced  vapor  pressure  ofH20  at  lower  temperatures.  Normally  the  water 
is  removed  from  the  power  section  as  a  vapor.  It  cannot  be  removed  as  a  liquid.  ®[ED  ] 

DOCUMENTATION:  SODB,  3.4.4.1.11.  ®[ED  ] 

D.  THE  COOLANT  PRESSURE  IS  >  75  (71.4)  PSIA  AND  INCREASING. 

®[ED  ] 

Normal  coolan  t  pressure  range  is  55  to  70  psia.  All  insight  into  coolant  pressure  is  lost  at  100  psia. 

No  real  constraint  at  up  to  100  psia  has  been  identified.  The  upper  limit  comes  from  O2/H2  dual-gas 
regulator  relief  valve  crack  pressures  plus  instrumentation  error.  Likely  causes  of  increased  coolan  t 
pressure  are  preheater  leak  which  would  probably  be  confirmed  by  coolant  pump  cavitation  causing 
delta  P  to  fluctuate  and  eventually  remain  low,  O2/H2  ducd-gas  regulator  shift  high,  regulator  stage 
failed  open,  or  thermal  expansion  of  an  overfilled  coolant  loop  (STS  61 -A). 

DOCUMENTATION:  SODB,  4.4.1.6A. 

E.  THE  FC  IS  UNABLE  TO  DISCHARGE  WATER.  [CIL] 

Inability  to  relieve  product  water  from  a  FC  results  in  loss  of  the  FC  due  to  flooding  within 
approximately  110  amp-hr.  The  110  cimp-hr  figure  assumes  a  healthy  FC  with  a  KOH  concentration  of 
32  percent  at  the  time  water  removal  capability  is  lost.  With  a  water  production  rate  of  0.02371  lb 
H20/amp-hr,  the  KOH  concentration  falls  to  26  percen  t  ( flooded  condition )  within  approximately  110 
amp-hr s.  Actual  FC  lifetime  after  loss  of  water  removal  capability  depends  on  KOH  concentration  at  the 
time  of  the  failure.  Even  temporary  water  line  blockage  can  result  in  an  H2  pump/water  separator  motor 
stall  due  to  water  buildup.  Once  stalled,  the  motor  may  not  restart  even  if  the  blockage  is  removed.  In  a 
flooded  cell,  water  electrolysis  and  O2  generation  in  the  H2  system  can  occur.  Therefore,  a  flooded  fuel 
cell  must  be  shut  down  and  scifed.  ®[ED  ] 

DOCUMENTATION:  SODB,  4. 4. 1.3. 
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A9-1  FUEL  CELL  (FC)  LOSS  [CIL]  (CONTINUED) 

F.  LOCAL  KOH  CONCENTRATION  IS  >  48  PERCENT  (45  PERCENT)  DRY 
OR  <  24  PERCENT  (29  PERCENT)  WET  AS  INDICATED  BY  FC 
STACK  TEMPERATURE,  CONDENSER  EXIT  TEMPERATURE,  AND 
CURRENT  RELATIONSHIP.  ®[ED  ] 

A  KOH  concentration  >  48  percent  indicates  that  a  FC  is  drying  out.  This  condition  can  lead  to 
uncontrolled  mixing  of  Oj  cmd  H2  ( crossover )  through  a  dry  electrolyte  matrix,  which  is  a  hazardous 
situation.  A  KOH  concentration  <  24  percen  t  indicates  a  wet  FC  which  leads  to  a  flooded  condition  ; 
i.  e. ,  fluid  covering  the  O2  and  H2  reaction  sites  to  the  point  that  it  will  no  longer  support  adequate 
reaction  within  the  FC.  If  the  H2/H2O  separator  is  running,  flooding  a  FC  can  lead  to  the  leaching  of 
KOH  from  the  FC  matrix  and  expulsion  into  the  FC  manifold  and  the  orbiter  potable  H2O  supply. 

This  con  taminated  H2O  is  unsuitable  for  crew  consumption  and  FES  usage.  KOH  in  the  FC  man  ifold 
is  a  possibly  catastrophic  situation  inside  the  FC  since  the  discissociation  ofH20  could  occur, 
generating  O2  in  the  H2  manifold.  ®[ED  ] 

DOCUMENTATION:  SODB.  3.4.4. 1.8.a. 

G.  A  FC  REACTANT  VALVE  FAILS  CLOSED.  ®[ED  ] 

FC  is  unable  to  produce  electricity  without  reactants. 

H.  THE  FC  CANNOT  BE  CONNECTED  TO  A  MAIN  BUS.  [CIL] 

An  FC  capable  of  producing  power  cannot  be  utilized  if  it  cannot  be  connected  to  mean  bus  A,  B.  or  C. 

I.  CONFIRMED  PRESENCE  OF  KOH  IN  THE  FC  PRODUCT  WATER  DOES  NOT 
CLEAR  IN  1  HOUR.  ®[070899-6892A] 

KOH  in  the  fuel  cell  product  water  is  a  hazardous  situation.  KOH  can  be  transported  to  the  H2 
manifold  in  the  humidified  H2  stream  that  can  create  a  conductive  path  providing  a  mechan  ism  for  the 
disassociation  ofH20  into  O2  cmd  H2  through  electrolysis,  producing  a  potentially  explosive 
environment  in  the  fuel  cell.  KOH  is  a  highly  corrosive  material,  exposure  of  the  FES  to  KOH  can 
lead  to  FES  core  damage  resulting  in  leakage  and/or  blockage.  Purging  a  FC  in  which  this  leaching 
has  occurred  can  deposit  KOH  into  the  common  H2  purge  line  causing  possible  clogging  of  the  line 
and  preventing  over  pressure  relief  and  H2  purge  capability  from  all  three  fuel  cells.  A  FC  should  be 
scifed  for  this  failure.  ®[070899-6892A]  ®[ED  ] 
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A9-1  FUEL  CELL  (FC)  LOSS  [CIL]  (CONTINUED) 

The  1-hour  limit  is  based  on  flight  experience  and  engineering  judgment.  Flight  experience  has  shown 
that,  on  occasion,  some  fuel  cells  have  residual  KOFI  (either  from  a  new  stack  build  or  from  being  in 
storage  for  extended  periods  of  time)  that  is  expelled  into  the  product  water.  Small  amounts  of  residual 
KOH  in  FC  product  water  will  not  lead  to  a  hazardous  O2  concentration  in  the  H2  manifold;  therefore, 
the  1-hour  time  will  allow  for  the  intermittent  pH  condition  to  clear.  During  STS-79,  KOH  was  expelled 
from  a  fuel  cell  (new  stack  build)  for  a  period  lasting  approximately  20  minutes.  In  addition,  STS-2 
flight  experience  and  vendor  tests  have  shown  that  if  hazardous  amounts  of  KOH  are  being  expelled  from 
the  FC,  other  signs  of  degradation  will  be  present.  ®[070899-6892A] 

Methods  of  confirming  KOH  in  the  product  water  after  cm  initial  fuel  cell  pH  indication  include:  cm 
indication  from  the  pH  sensor  in  the  common  product  H2O  line,  litmus  test  of  the  product  water 
confirming  pH>9,  unexplained  FC  performance  degradation,  or  by  FC  flooding.  Confirming  cues  for 
FC  flooding  may  be  seen  in  FC  performance  degradation,  FC  temperatures,  H2  pump  status  cmd 
associated  AC  curren  ts,  and  the  Delta  Amps  when  FC  is  bus  tied.  Substack  delta  volts  cmd  the  Fuel  Cell 
Monitoring  System  (FCMS)  may  also  be  useful  in  confirming  flooding  or  performance  degradation  in  a 
fuel  cell. 

DOCUMENTATION:  SODB,  3.4.4.1.13.,  STS-2  flight  experience,  STS-79  flight  experience,  engineering 
judgment,  cmd  vendor  testing. 

Reference:  Rule  {A9-61  j,  ACTIONS  FOR  FUEL  CELL  PH  INDICATIONS.  ®[070899-6892A] 

J.  THE  FC  SUBSTACK  DELTA  VOLTS  CHANGES  BY  150  MV  FROM  THE 

BASELINE  PREFLIGHT  VALUE,  IS  INCREASING,  AND  MEASUREMENT  OF 
SINGLE  CELL  VOLTAGES  HAS  NOT  BEEN  PERFORMED.  [CIL]  ®[070899-6893A] 

The  failure  that  the  cell  performance  monitor  ( CPM )  is  designed  to  detect;  i.e.,  reactant  crossover,  can 
be  hazardous  if  allowed  to  progress  uncon  trolled.  If  time  permits,  the  FCMS  will  be  activated,  data 
recorded,  downlinked,  and  analyzed  to  verify  FC  health.  If  health  cannot  be  verified  before  a  change  of 
150  mv  has  occurred,  the  FC  will  be  scifecl.  If  single  cell  voltages  clearly  show  that  crossover  is  not 
present  (i.e.,  small  degradation  in  multiple  cells  or  CPM  malfunction)  fuel  cell  operation  can  continue. 
Since  the  FCMS  requires  use  of  Portable  General  Support  Computers  (PGSC’s),  it  will  not  be  available 
during  Ascent/Entry  and  may  not  be  available  during  other  mission  critical  timeframes.  Baseline 
prelaunch  values  are  obtained  once  the  fuel  cells  have  been  started,  reached  thermal  equilibrium,  and 
are  operating  at  the  nominal  prelaunch  load  of  150  amps.  ®[070899-6893A] 

DOCUMENTATION:  SODB,  3.4.4. 1.6.a. 
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A9-1  FUEL  CELL  (FC)  LOSS  [CIL]  (CONTINUED) 

K.  ITS  VOLTAGE  CANNOT  BE  MAINTAINED  ?  2  7.5  VOLTS.  ®[ED  ] 

This  voltage  is  required  to  assure  that  orbiter  equipment  requiring  dc  power  is  maintained  at  a  voltage 
no  lower  than  24  volts.  Below  27.5  volts,  the  capability  to  maintain  voltage  at  all  equipment  above 
24  volts  is  not  possible  due  to  line  losses. 

DOCUMENTATION:  SODB,  3.4. 5.6.2. 

L.  ANY  SINGLE  CELL  OPEN  CIRCUIT  VOLTAGE  IS  BELOW  1100  MV. 

©[070899-6893A] 

It  is  the  engineering  judgmen  t  of  the  FC  vendor  and  has  been  confirmed  through  testing  that  individual 
cells  with  voltages  below  1100  mv  at  open  circuit  are  most  probably  experiencing  reactant  crossover. 

It  should  be  kept  in  mind  that  CPM  readings  are  not  valid  for  fuel  cells  that  are  at  open  circuit.  There 
are  single  point  wiring  failures  that  could  affect  both  the  CPM  and  FCMS  measuremen  ts.  Single  cell 
voltages  <  1100  mv  may  be  measured  on  cells  whose  voltage  measurement  pin  connection  has  high 
resistance.  High  resistance  in  a  cell  pin  connection  manifests  itself  as  a  low  voltage  reading  on  a 
single  cell  and  a  high  voltage  reading  on  an  adjacen  t  cell.  Verification  of  the  health  of  cells  with  high 
resistance  in  the  pin  connection  may  not  be  possible. 

DOCUMENTATION :  Engineering  judgment  and  Fuel  Cell  Lifetime  testing  ( serial  #  122)  at 
International  Fuel  Cells.  ©[070899-6893A] 
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A9-2  FC  ALTERNATE  H2Q  SYSTEM  LOSS 

THE  FC  ALTERNATE  H20  SYSTEM  IS  CONSIDERED  LOST  IF: 

A.  BOTH  SYSTEM  A  AND  B  HEATER  SYSTEMS  ON  THE  FC  ALTERNATE  B£0 
SYSTEM  ARE  LOST. 

Loss  of  both  heater  systems  will  allow  the  stagnant  H2O  in  the  alternate  H2O  lines  to  freeze,  resulting  in 
a  disabled  alternate  system. 

B.  TWO  OR  MORE  FC' S  RELIEVING  OVERBOARD. 

Any  FC  relieving  H2O  overboard  indicates  either  a  possible  alternate  and  primary  H2O  system  failure 
or  an  overboard  relief  valve  failed  open.  More  than  one  FC  relieving  H2O  overboard  indicates  a 
probable  generic  FC  H2O  system  problem. 

C.  ALTERNATE  H20  SYSTEM  PRESSURE  NOT  TRACKING  THE  EVCSS  (EMU 
WATER  SUPPLY  PRESSURE)  H20  SUPPLY  PRESSURE  (WHILE  TANK  B 
INLET  AND  OUTLET  VALVES  ARE  OPEN) . 

Normal  on-orbit  alternate  H2O  pressure  will  track  the  EVCSS  H2O  supply  pressure.  Alternate  H2O 
pressure  not  tracking  indicates  a  probable  alternate  common  path  failure. 
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A9-3  ELECTRICAL  POWER  DISTRIBUTION  AND  CONTROL  (EPDC) 

SYSTEM  [CIL] 


A.  MAIN  BUS  IS  CONSIDERED  LOST  IF  THE  BUS  VOLTAGE  CANNOT  BE 

MAINTAINED  >  27.0  (27.2)  V  DC  AND  <  32.0  (31.8)  V  DC.  [CIL]. 

®[ED  ] 

B.  FORWARD  PCA  BUS  IS  CONSIDERED  LOST  IF  THE  BUS  VOLTAGE  CANNOT 

BE  MAINTAINED  >  26.2  (26.4)  V  DC  AND  <  32.0  (31.8)  V  DC. 

®[ED  ] 

C.  AFT  PCA  BUS  IS  CCNS IDERED  LOST  IF  THE  BUS  VOLTAGE  CANNOT  BE 

MAINTAINED  >  26.1  (26.3)  V  DC  AND  <  32.0  (31.8)  V  DC.  ®[ED  ] 

D.  CONTROL  BUS  IS  CONSIDERED  LOST  IF  THE  BUS  VOLTAGE  CANNOT  BE 

MAINTAINED  >  24.8  (25.0)  V  DC  AND  <  32.0  (31.8)  V  DC,  OR  THE 

CONTROL  BUS  IS  DETERMINED  TO  HAVE  A  SHORT  BY  THE  MCC .  ®[ED  ] 

E.  ESSENTIAL  BUS  IS  CONSIDERED  LOST  IF  THE  BUS  VOLTAGE  CANNOT  BE 

MAINTAINED  >  25.5  (25.7)  V  DC  AND  <  38.0  (37.8)  V  DC.  ®[ED  ] 

Orbiter  equipment  is  qualified  to  operate  at  23  V  dcfor  intermittent  loads  and  at  24  V  dcfor  continuous 

loads.  Considering  line  losses  from  the  orbiter  buses  to  the  user  equipment,  the  lower  voltage  limits  for 
the  buses  listed  above  guarantee  24  V  dc  at  the  equipment  interface.  The  upper  voltage  for  most  orbiter 
equipment  is  32  V  dc;  however,  the  equipment  on  the  essential  buses  is  qualified  to  38  V  dc  due  to  the 
requirement  to  operate  at  near  FC  open  circuit  voltage.  If  a  control  bus  is  shorted,  it  will  be  unpowered 
even  though  its  voltage  measurement  may  be  >  24.8  V  dc.  ®[ED  ] 


Rule  {A9-101J,  DC  BUS  VOLTAGE  LIMITS,  references  this  rule. 


Reference  rule  {A9-106J,  CONTROL  BUS,  for  additional  control  bus  loss  rationale.  ®[ED  ] 

DOCUMENTATION :  SODB,  3. 4. 5. 6.2;  Lockheed  memo  #EP5-M10-215,  Shuttle  Control  Bus 
Kapton  Wire  Arc  Tracking  Test  Summary,  10-12-90;  and  LEMSCO-25658,  Summary  of  the  Control 
Bus  Re-power  Test,  May  1988. 
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A9-3  ELECTRICAL  POWER  DISTRIBUTION  AND  CONTROL  (EPDC) 

SYSTEM  [CIL]  (CONTINUED) 

F.  AN  AC  SINGLE-PHASE  BUS  IS  CONSIDERED  LOST  IF: 

1.  THE  BUS  VOLTAGE  IS  <  110  (110.7)  VAC  OR  >  120  (119.3) 

V  AC.  ®[ED  ] 

Orbiter  ac  equipment  was  designed  to  operate  between  110  and  120  V  ac. 

DOCUMENTATION:  SODB,  3.4.5.6.3.a. 

2.  THE  POWERED  SINGLE-PHASE  BUS  CURRENT  EXCEEDS: 

a.  14.4  (13.4)  AMPS  -  (GROUND  CALL  ONLY)  LAUNCH  THROUGH 

MPS  POWERDOWN  . 

b.  7.7  (6.7)  AMPS  -  CONTINUOUS  LOAD  FROM  MPS  POWERDOWN 

PROJECTED  THROUGH  ENTRY. 

NOTE:  AC  BUS  CURRENT  VALUES  BASED  ON  BUS  LOAD  POWER  FACTOR  OF 

0.8  LAGGING. 

These  numbers  represent  the  output  power  capability  of  the  inverter  under  both  a  continuous  normal 
100  percent  load,  7.7  amps,  and  at  200  percent  rated  load  for  2  minutes,  14.4  amps  with  cooling.  An 
inverter  operated  above  these  limits  could  fail  due  to  overheating. 

DOCUMENTATION:  SODB,  4.5. 6.3. 1.8. 

G.  AN  AC  THREE-PHASE  BUS  IS  CONSIDERED  FAILED  IF  THE  BUS  CANNOT 
SATISFY  USER  REQUIREMENTS. 

Self-explanatory. 

H.  MCA  THREE-PHASE  AC  BUS  IS  CONSIDERED  LOST  IF  ANY  TWO  PHASES 
ARE  FAILED,  OR  IF  ANY  SINGLE  AC  PHASE  IS  SHORTED. 

MCA  buses  power  three-phase  motors  that  cannot  operate  with  two  phases  lost.  Also,  the  MCA  three- 
phase  buses  use  “ganged”  circuit  breakers,  so  all  three  phases  are  lost  when  the  single  cb  is  opened  to 
isolate  a  short  circuit. 

Rule  {A9-101},  DC  BUS  VOLTAGE  LIMITS,  references  this  rule. 
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A9-4  CAUTION  AND  WARNING  (C&W) 

A.  ALL  C&W  LIGHTS  AND  TONES  ARE  CONSIDERED  LOST  (PRIMARY, 

BACKUP,  AND  SM)  IF  POWER  SUPPLIES  A  AND  B  ARE  LOST. 

Without  power,  the  hardwire  C&W,  C&W  tones,  and  SM  tones  are  inoperable. 

B.  PRIMARY  C&W  IS  CONSIDERED  LOST  IF: 

1.  POWER  SUPPLY  A  IS  LOST. 

2.  FAILS  SELF-TEST. 

3.  FALSE  ALARMS  ARE  GENERATED  TO  EXTENT  IT  IS  UNUSABLE. 

4.  NEITHER  LIGHT  NOR  TONE  WILL  ANNUNCIATE. 

For  any  of  the  above  failure  modes,  the  system  is  either  totally  inoperable  or  suspect  to  the  point  of  being 
unreliable. 

C.  BACKUP  C&W  IS  CONSIDERED  LOST  IF: 

1.  NEITHER  LIGHT  NOR  TONE  WILL  ANNUNCIATE. 

2.  FALSE  ALARMS  ARE  GENERATED  TO  EXTENT  IT  IS  UNUSABLE. 

For  any  of  the  above  failure  modes,  the  system  is  either  totally  inoperable  or  suspect  to  the  point  of  being 
unreliable. 

A9-5  THROUGH  A9-50  RULES  ARE  RESERVED 
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FUEL  CELL  SYSTEMS  MANAGEMENT 


A9-51  FC  POWER  LEVEL  CONSTRAINTS 

A.  THE  FC'S  CAN  BE  OPERATED  AT  ANY  POWER  LEVEL  BETWEEN  2  AND 
12  KW  CONSISTENT  WITH  SATISFACTORY  DC  BUS  VOLTAGE  AND  FC 
TEMPERATURE  MAINTENANCE.  TO  SATISFY  MISSION  OBJECTIVES  AND 
FC  LIFETIME  CONSTRAINTS,  FC  POWER  LEVELS  SHOULD  BE  MANAGED 
AS  FOLLOWS: 

1.  2-10  KW  -  CONTINUOUSLY 

2.  10-12  KW  -  NOT  MORE  THAN  15  MINUTES  EVERY  3  HOURS 

B.  IN  THE  EVENT  OF  A  FC  FAILURE,  FC  LOADING  IMBALANCE  BECAUSE  OF 
UNEVEN  FC  PERFORMANCE  CHARACTERISTICS,  OR  OTHER  SYSTEM 
FAILURE,  THE  REMAINING  FC' S  MAY  BE  OPERATED  AT:  ®[ED  ] 

1.  2-12  KW  -  CONTINUOUSLY 

2.  12-13  KW  -  FOR  LESS  THAN  4  HOURS 

3.  UP  TO  16  KW  FOR  10  MINUTES  CONSISTENT  WITH  SATISFACTORY 
BUS  VOLTAGE  AND  FC  TEMPERATURES 


At  <2  kW  the  FC  voltage  may  exceed  32  volts.  Most  orbiter  equipment  is  only  certified  to  32  volts.  At  > 
12  kW,  the  FC  thermal  control  system  capability  may  become  unable  to  maintain  the  FC  at  safe 
operating  temperatures.  Due  to  lifetime  considerations,  FC  power  should  be  limited  to  less  than  8  kW 
for  normal  operations.  However,  continuous  operation  between  8  and  10  kW  is  allowable  as  long  as 
accelerated  lifetime  decay  is  accepted.  ®[ED  ] 

DOCUMENTATION:  SODB,  Volume  I,  3.4.4. 1.2,  and  Volume  III,  4.4.1.1.15.  ®[ED  ] 
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A9-52  FC  PURGE 

A.  THE  FC'S  WILL  BE  PURGED  SEQUENTIALLY  WITH  C£  AND  H2  ON  A 
SCHEDULED  BASIS  NOT  TO  EXCEED  96  HOURS  BETWEEN  PURGES.  THE 
FREQUENCY  OF  PURGES  WILL  BE  BASED  UPON  FC  PERFORMANCE  LOSS 
OF  0.2  VOLTS  BETWEEN  EACH  PURGE.  FC  LOAD  SHOULD  NOT  EXCEED 
10  KW  OR  350  AMPS  DURING  PURGES.  HOWEVER,  FOR  CONTINGENCY 
CASES,  A  NORMAL  2-MINUTE  PURGE  CAN  BE  DONE  AT  12  KW  OR  430 
AMPS.  @[090894-1681] 

Both  the  Oj  and  H2  paths  through  an  FC  must  be  purged  to  rid  the  FC  of  inerts  that  dilute  reactant, 
thereby  reducing  FC  performance.  Fuel  cell  degradation  of  0.2  volts  is  based  on  engineering  judgment 
as  the  minimum  performance  change  that  can  be  accurately  assessed  in  real  time.  The  96-hour  duration 
is  based  upon  flight  experience  of  the  average  maximum  time  before  fuel  cell  degradation  reaches  0.2 
volts.  Should  the  onboard  cryogenic  O2  and  H2  contain  excessive  inerts,  faster  than  normal  voltage 
degradation  would  occur  necessitating  more  frequent  purges.  @[090894-1681  ] 

During  a  purge,  the  preheater  capability  to  warm  the  cryogenic  reactants  coming  into  the  dual-gas 
regulator  is  marginal.  Regulator  freeze-up  and  subsequent  lockup  of  the  regulator  is  possible  if  purged 
too  long  at  >  350  amps  (430  amps  for  contingency  operations  provided  purge  is  continuous  for  only  2 
minutes).  ®[ED  ] 

DOCUMENTATION:  SODB,  3.4.4. 1.4. c.  @[080894-1681  ] 

B.  FC'S  WILL  NOMINALLY  BE  PURGED  USING  THE  AUTOMATIC  SEQUENCE 
(SM  OPS  2).  THE  MANUAL  SEQUENCE  WILL  BE  USED  AS  A  BACKUP. 
ONE  MANUAL  PURGE  WILL  BE  PERFORMED  PER  FLIGHT.  AUTO  PURGES 
WILL  NORMALLY  BE  INITIATED  BY  MCC  TMBU .  @[050400-71 88A] 

MCC  initiation  of  purges  via  TMBU  allows  real-time  detailed  analysis  of  fuel  cell  purge  data  by  the 
MCC  while  relieving  the  flightcrew  from  housekeeping  duties.  The  manual  purge  will  normally  be 
performed  early  in  the  flight  to  verify  operational  backup  capability  and  to  satisfy  ground 
turnaround  activities.  @[050400-71 88A] 

THIS  RULE  CONTINUED  ON  NEXT  PAGE 
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A9-52  FC  PURGE  (CONTINUED) 

C.  A  FC  THAT  HAS  LOST  O2  PURGE  CAPABILITY  AND  ITS  PREDICTED 
PERFORMANCE  WILL  NOT  SUPPORT  NOMINAL  EOM  PLUS  2  DAYS  WILL  BE 
BUS  TIED  TO  A  HEALTHY  FC,  AND  THEN  EITHER  PLACED  IN  STANDBY 
OR  SHUTDOWN  IN  ORDER  TO  SUPPORT  NOMINAL  EOM  PLUS  2  DAYS.  THE 
DECISION  TO  PLACE  THE  FC  IN  STANDBY  OR  SHUTDOWN  WILL  DEPEND 
ON  LIFETIME  PREDICTIONS  BASED  ON  DEGRADATION  TO  THAT  POINT 
AND  THE  RESULTING  FC  TERMINAL  VOLTAGE.  IF  THE  FC  IS  SHUT 
DOWN,  RESTART  CAPABILITY  MUST  BE  DEMONSTRATED  TO  CONTINUE 
PAST  MDF  .  ®[ED  ] 

Except  during  purge  operations  the  FC  O2  system  is  not  a  flowthrough  design.  O2  gas  flows  directly  to 
the  reaction  sites  where  it  is  consumed.  Contained  within  the  O2  reactant  gas  are  minute  quantities  of 
other  gases  which  accumulate  in  the  reaction  chambers.  With  time,  inerts  begin  to  dilute  the  O2  gas, 
effectively  reducing  the  partied  pressure  of  O 2  in  the  area  of  the  electrolyte/catalyst  reaction  sites.  As 
FC  performance  is  a  direct  function  of  reactant  partied  pressure,  FC  output  decays  as  inert  content 
builds.  The  O2  system  is  more  sensitive  to  performance  loss  them  the  H2  system  since  the  H2  system  has 
a  large  volume  circulating  loop  to  distribute  the  inerts.  Remaining  lifetime  depends  upon  gas  purity,  FC 
load,  and  initial  FC  performance. 

DOCUMENTATION:  SODB,  4.4.1. 3r„  4.4.1.4.o,  and  flight  data. 

D.  FOR  THE  LOSS  OF  THE  CAPABILITY  TO  PURGE  EITHER  THE  C£  OR  H2 
REACTION  CHAMBERS  FOR  ALL  THREE  FC'S,  A  NEXT  PLS  IS  REQUIRED. 

The  single-point  failure  causing  the  loss  ofedl  O2  or  all  H2  purge  capability  from  all  FC’s  is  a  blockage 
in  the  common  purge  vent  line.  With  the  blockage  in  the  common  purge  ventline,  all  FC’s  are  no  longer 
fail-safe  (see  paragraph  E  rationale).  In  addition,  all  FC’s  have  no  means  to  recover  from  performance 
degradation,  so  their  useful  lifetime  remain  ing  is  limited;  therefore,  the  pruden  t  action  is  to  prepare  for 
a  PLS  at  the  next  opportunity. 

DOCUMENTATION:  SODB,  4.4.1. 3r,  4.4.1. 4.0,  and  flight  data. 
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A9-52  FC  PURGE  (CONTINUED) 

E.  A  FC  THAT  HAS  LOST  EITHER  O2  OR  H2  PURGE  CAPABILITY  DUE  TO  A 
SUSPECTED  BLOCKED  VENT/PURGE  LINE  WILL  NOT  BE  SHUTDOWN  UNLESS 
DICTATED  BY  PERFORMANCE  DEGRADATION  (REF.  PARAGRAPH  C) . 

®[ED  ] 

With  a  blocked  vent/purge  line  the  dual-gas  regulator  in  the  fuel  cell  can  no  longer  vent  overboard 
should  a  failure  occur  in  the  regulator.  This  can  result  in  overpressurization  of  the  fuel  cell.  The  worst- 
case  scenario,  undetected  rapid  pressure  increase,  could  cause  fuel  cell  rupture.  For  vent/purge  line 
blockage,  shu  tting  down  the  fuel  cell  would  appear  to  be  the  appropriate  action.  However,  this  would 
result  in  a  two-FC  entry  which  exposes  the  program  to  potentially  greater  risks;  therefore,  the  rule  is  to 
leave  the  fuel  cell  running.  These  risk  trades  were  made  when  arriving  at  this  decision: 

a.  Evaluation  of  regulator  failure  history  for  18  units  with  a  total  of 30,000  hours  of  operation 

( through  STS  51-L )  have  indicated  that  the  only  failures  involving  internal  leakage/  pressurization 
were  seal  or  seat  leakage  at  a  rate  well  below  normal  flow  (consumption). 

b.  Seal  leakage  would  not  be  significant  during  normal  operation  because  the  reactant  being  leaked  is 
consumed  as  part  of  the  normal  flow. 

c.  Shutting  down  the  fuel  cell  for  seed  leakage  could  result  in  a  pressure  increase  as  the  consumption 
goes  to  zero,  assuming  the  upstream  reactant  valve  also  leaks  when  closed.  For  this  case  continued 
operation  of  the  fuel  cell  would  be  the  proper  action. 

d.  Postulating  a  significant  decrease  in  fuel  cell  load  (50  amps)  with  a  regulator  that  sticks  at  the 
higher  demand  setting,  a  pressure  increase  of  approximately  20  psi/min  could  result.  For  this  case 
the  crew  would  have  greater  than  5  minutes  to  respond  to  the  COOP  P  alert  and  shut  down  the  fuel 
cell. 

e.  Shutting  down  a  fuel  cell  for  a  blocked  vent  line  and  flying  a  two-fuel  cell  entry  exposes  the  program 
to  any  number  of  failures  during  entry  on  either  of  the  remaining  fuel  cells  that  could  result  in  a 
single  fuel  cell  operation. 

Rule  { A9-1001J ,  ELECTRICAL  GO/NO-GO  CRITERIA,  references  this  rule. 
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A9-53  FC  H2Q  SYSTEM  HEATERS 

ONE  SET  OF  FC  H20  RELIEF  SYSTEM  HEATERS  AND  WATER  LINE  HEATERS 
WILL  BE  ENABLED  AT  ALL  TIMES. 

Capability  to  dump  FC  product  water  overboard  must  be  immediately  available  in  the  event  the  FC  can 
no  longer  deliver  product  water  into  the  potable  water  tanks.  Without  this  backup  H2O  removal 
capability,  the  FC’s  will  be  lost  due  to  flooding.  To  preclude  any  blockage  in  the  nonredundant  dump 
line  due  to  freezing,  thermal  control  of  this  dump  line  and  nozzle  is  required  continuously.  Similarly,  the 
FC  alternate  water  lines  are  normally  nonflowing  and  require  thermal  control  to  preclude  freezing  and 
line  blockage. 

DOCUMENTATION :  SODB,  3. 4. 4. 1.9. a.  Also  see  System  Thermal  Control  Design  and  Analysis  (RI), 

SD  77-SH-0284,  Dec.  1977,  and  Electrical  Power  Generation  Water  Relief  Nozzle  Development  Test 
Final  Report  (RI)  EPST-03,  6  Oct.  1976. 

Rule  (A18-301AJ,  TCS  HEATER  CONFIGURATION,  references  this  rule. 

A9-54  FC  STANDBY  DEFINITION 

FC  IN  STANDBY  IS  DEFINED  AS  DISCONNECTION  FROM  ITS  MAIN  AND 
ESSENTIAL  BUSES.  THE  ELECTRONIC  CONTROL  UNIT  (ECU)  REMAINS 
POWERED  AND  THE  REACTANT  VALVES  REMAIN  OPEN. 

With  the  FC  in  standby,  the  disconnection  of  the  FCfrom  the  buses  removes  all  external  load  from  the 
FC.  By  leaving  the  ECU  powered  and  the  reactant  valves  open,  the  FC  remains  thermally  controlled  by 
the  internal  sustaining  heater  and  the  coolant  loop,  which  maintains  it  for  immediate  use. 
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A9-55  FC  SHUTDOWN  DEFINITION  [CIL] 

A.  FC  SHUTDOWN  IS  DEFINED  AS  DISCONNECTION  FROM  BUSES,  FC  TO 

"STOP",  AND  REACTANT  VALVES  CLOSED.  IF  THE  FC  IS  STILL 

CONSIDERED  USABLE  IN-FLIGHT,  THE  REACTANT  VALVES  NEED  NOT  BE 
CLOSED  AFTER  THE  FC  IS  STOPPED. 

In  the  shutdown  procedure,  disconnection  of  the  FC  from  the  buses  removes  all  external  electrical  load 
from  the  FC.  FC  to  STOP  removes  any  normal  load  on  the  FC  caused  by  the  thermostatically-controlled 
FC  heaters  and  unpowers  the  coolant  and  FI2  pumps.  Closing  the  reactant  valves  precludes  the 
possibility  of  providing  the  reactants  in  a  possible  crossover,  internal  short,  or  failed-on  heater 
situation. 

B.  ANY  FC  THAT  IS  SHUT  DOWN,  BUT  CONSIDERED  AVAILABLE  FOR 

REUSE,  WILL  BE  MAINTAINED  >  40  DEG  F  (48  DEG  F) .  THE 

SHUTDOWN  FC  WILL  BE  CONSIDERED  "GO"  FOR  GO/NO-GO  PURPOSES 
PROVIDED  RESTART  CAPABILITY  IS  DEMONSTRATED  WHEN  THE  FC  HAS 
REACHED  THERMAL  EQUILIBRIUM  WITH  ITS  ENVIRONMENT.  (RESTART 
APPROXIMATELY  48  HOURS  AFTER  SHUTDOWN  FOR  -ZLV  ATTITUDE.) 
@[071494-1659] 

On-orbit  restart  capability  of  the  FC's  was  a  design  consideration;  however,  this  capability  has  not  been 
verified  at  thermal  equilibrium.  Therefore,  in  order  to  confirm  this  capability,  it  is  necessary  to  attempt 
a  restart  during  which  the  FC  will  be  put  through  as  realistic  of  a  thermal  transient  as  it  will  see  when  it 
is  called  upon  later  in  the  flight  to  support  entry.  For  planning  purposes,  the  FC  will  be  considered  GO 
until  this  restart  capability  can  be  verified.  It  is  the  intent  of  this  rule,  that  should  a  FC  at  ambient 
temperature  be  successfully  restarted  on  orbit,  the  requirement  to  verify  restart  capability  for  any  future 
FC  shutdowns  will  not  be  required  and  that  this  rule  will  be  modified  accordingly. 

The  thermal  data  in  paren  theses  is  based  on  FC  shutdown  data  from  STS-2,  STS-54,  and  STS-51  (All 
-ZLV  attitude).  On  STS-2,  FC1  was  shut  down  due  to  internal  flooding  and  not  restarted.  The  cooling 
characteristics  of  the  STS-2  fuel  cell  was  different  than  the  existing  3-substack  fuel  cells  because  it  had 
only  2  substacks  and  less  thermal  blanketing.  On  STS-54,  FC2  was  shut  down  for  9  hours  and  then 
successfully  restarted  (DTO).  The  thermal  data  is  based  on  accessory  section  of  the  FC  since  no  direct 
power  section  insight  exists. 

DOCUMENTATION:  JSC-26545,  FC  ON-ORBIT  SHUTDOWN /RESTART  DTO.  @[071 494-1 659  ] 
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A9-56  FC  SAFING 

FC  SAFING  WILL  BE  PERFORMED  UNDER  THE  FOLLOWING  CIRCUMSTANCES: 

A.  CONFIRMED  PRESENCE  OF  KOH  IN  FC  PRODUCT  WATER  THAT  DOES  NOT 
CLEAR  IN  1  HOUR.  @[070899-6891  A] 

B.  CROSSOVER  OF  REACTANTS  WITHIN  THE  FC 

C.  A  SHORT  CIRCUIT  WITHIN  THE  FC 

D.  CONFIRMED  COOLANT  PRESSURE  >  75  (71.4)  PSIA 

FC  SAFING  IS  DEFINED  AS  EVACUATION  OF  THE  FC  REACTANT  CHAMBERS 
BY  OPERATING  THE  FC  WHILE  ITS  REACTANT  VALVES  ARE  CLOSED.  FC 
SAFING  IS  COMPLETE  WHEN  THE  FC  COOLANT  PRESSURE  IS  <  15  PSI. 

ONCE  SAFING  IS  COMPLETE,  THE  FC  WILL  BE  DISCONNECTED  FROM  THE 
ASSOCIATED  ESSENTIAL  AND  MAIN  BUSES  AND  THEN  TAKEN  TO  STOP. 

IF  THE  FC  CURRENT  EQUALS  0  AMPS  BEFORE  THE  COOLANT  PRESSURE  IS 
<  15  PSI,  THE  FC  WILL  BE  DISCONNECTED  FROM  THE  ASSOCIATED 
ESSENTIAL  AND  MAIN  BUSES  TO  ALLOW  THE  SUSTAINING  HEATERS  TO 
COMPLETE  FC  SAFING. 

The  onboard  FC  safing  procedures  close  the  reactant  valves,  and  for  all  cases  except  a  short  within  the 
FC,  use  the  Main  Bus  loads  to  rapidly  consume  the  reactants.  This  shortens  the  time  a  crossover 
situation  or  a  FC  internal  short  could  sustain  itself.  Also,  for  the  case  of  KOH  in  the  manifold  (pH 
high),  safing  evacuates  the  manifold  of  reactants  to  prevent  electrolysis  due  to  thin  films  of  KOH  across 
two  or  more  cells.  With  KOH  and  water  in  the  reactant  chamber,  electrolysis  can  occur  that  would 
disassociate  H2O  into  H2  and  O2,  allowing  for  recombination  and  resultant  heat.  At  <  15  psi,  the 
density  of  the  reactan  ts  is  so  small  that  a  catastrophic  event  is  unlikely.  Getting  much  below  15  psi  may 
be  difficult  due  to  the  continuing  out  gassing  of  reactants  and  H2O  vapor  pressure.  Also,  the  dual-gas 
regulator  is  designed  such  that  the  O2  side  always  remains  5  psi  above  the  H2  side.  In  case  of  high 
coolant  pressure,  FC  safing  will  relieve  the  FC  stack  overpressure.  During  on-orbit  safing  scenarios,  it 
is  unlikely,  but  possible,  that  FC  current  will  reach  0  amps  before  the  coolant  pressure  reaches  15  psi. 
At  a  FC  current  telemetry  output  ofO  amps,  the  healthy  fuel  cell,  in  parallel  with  the  failed  fuel  cell, 
could  drive  cells  in  the  failed  fuel  cell  in  the  negative  direction,  resulting  in  the  evolution  of  free  O2  and 
H2  molecules.  These  free  O2  and  H2  molecules  could  end  up  on  either  the  O2  or  H2  side  of  the  cell 
resulting  in  extra  heat  and  H2O  production.  Therefore,  when  FC  safing  is  complete,  the  fuel  cell  will  be 
disconnected  from  the  associated  essential  and  main  buses  and  then  taken  to  stop.  ®[ED  ] 

Documentation:  STS-2  and  STS-83  flight  experience,  vendor  electrochemical  analysis,  and  engineering 
judgment.  @[070899-6891  A] 
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A9-57  REUSABLE  FC 

A  FC  WILL  BE  SHUT  DOWN  AND  WILL  BE  CONSIDERED  REUSABLE  FOR  THE 
FOLLOWING  CASES:  ®[ED  ] 

A.  INABILITY  TO  MAINTAIN  BUS  VOLTAGE  <32  VOLTS. 

All  orbiter  equipment  requiring  dc  power  is  qualified  to  a  maximum  of  32  volts.  A  main  bus  voltage 
is  >  32  only  when  the  FC  is  lightly  loaded  ( i.  e. ,  due  to  a  powerdown ).  The  FC  is  reusable  when  it  is 
sufficiently  loaded  to  drop  its  voltage  below  32  V  dc.  ®[ED  ] 

DOCUMENTATION:  SODB ,  3.4. 5.6.2. b. 

B.  ANY  FC  WITH  A  COOLANT  PRESSURE  THAT  IS  NOT  AT  LEAST 

10  PSIA  ABOVE  THE  SUPPLY  H20  TANK  PRESSURE  WILL  BE  SHUT 
DOWN  IMMEDIATELY.  THE  FC  MAY  BE  RESTARTED  AFTER  t£0 
TANK  A  HAS  BEEN  VENTED  PROVIDED  THE  COOLANT  PRESSURE  IS 
AT  LEAST  6  PSIA  ABOVE  THE  SUPPLY  B£0  TANK  PRESSURE  IF 
ONLY  TANK  A  VENTED,  OR  1 0  PSIA  ABOVE  THE  SUPPLY  t£0  TANK 
PRESSURE  IF  ALL  TANKS  VENTED,  AND  ULLAGE  EXISTS  IN  THE 
VENTED  TANK  (  S  )  .  @[090894-1680] 

A  FC  with  a  low  coolant  pressure  that  is  not  at  least  10  psia  above  the  supply  H2O  tank  pressure  cannot 
be  guaranteed  to  have  its  product  H2O  removed.  Without  the  H2O  removal  capability,  the  FC  H2  pump 
will  be  irrecoverably  lost  within  a  few  min  utes  resulting  in  FC  flooding.  If  the  FC  is  shut  down  quickly, 
it  may  be  used  after  supply  water  tank  A  has  been  vented  to  allow  the  FC  coolant  pressure  to  be  at  least 
6  psia  greater  than  supply  H2O  pressure  if  tank  A  is  the  only  tank  ven  ted,  or  at  least  10  psia  greater  than 
supply  H2O  pressure  if  all  tanks  are  vented.  The  10  psia  differential  pressure  requirement  is  due  to  the 
measuremen  t  error  of  the  pressure  transducer  (3.6  psia)  plus  worst  case  tolerances  on  three  check  valves 
between  the  FC’s  and  the  ECLSS  supply  H2O  tanks  (2  psia  each).  With  supply  H2O  tank  A  vented,  all 
three  FC’s  will  be  filling  tank  A  since  it  has  the  lowest  tank  pressure.  Therefore,  tank  A  ullage  must  be 
managed.  @[090894-1680]  ®[ED  ] 

C.  UNABLE  TO  PURGE  02  OR  H2  REACTANT  SYSTEM  AND  PREDICTED  FC 
PERFORMANCE  WOULD  NOT  BE  ABOVE  THE  LAUNCH  COMMIT  V-I  CURVE 
AT  NOMINAL  EOM . 

It  is  advisable  to  save  the  FCfor  critical  mission  phases  such  as  entry. 

THIS  RULE  CONTINUED  ON  NEXT  PAGE 
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A9-57  REUSABLE  FC  (CONTINUED) 

D.  LOSS  OF  FC  PUMP  PACKAGE  THAT  IS  RECOVERABLE  BY  AN  IFM 

REQUIRING  CONTINUOUS  POWER  FROM  AN  ASSOCIATED  PREFLIGHT  TEST 
BUS.  IN  ADDITION  TO  THE  PREFLIGHT  TEST  BUS  CONSTRAINTS  (REF 
RULE  { A9-1 1 0 } ,  PREFLIGHT  TEST  BUS  MANAGEMENT),  THE  FOLLOWING 
CONSTRAINTS  WILL  BE  USED  FOR  THE  IFM  IMPLEMENTATION: 

1.  THIS  IFM  IS  NOT  CONSIDERED  FEASIBLE  FOR  LOSS  OF  THE  MAIN 
DISTRIBUTION  BOX  ESSENTIAL  BUS. 

2.  ORBIT  -  USE  TO  RECOVER  FC  ON  FIRST  FAILURE.  THE  FC  WILL 
BE  CONSIDERED  LOST  FOR  GO/NO-GO  PURPOSES  AND  WILL  BE 
POWERED  DOWN  FOR  ENTRY  UNLESS  REQUIRED  TO  PROVIDE  SFT . 
MISSION  IMPACT  -  MDF . 

3.  IFM  USED  ONLY  TO  RESTORE  ENTRY  SFT  (TWO  FC  ENTRY). 

The  IFM  procedure  to  restore  power  to  the  FC  pump  package  takes  1  hour  to  perform.  The  FC  can  be 
operated  a  maximum  of  9  minutes  without  the  coolant  pump;  therefore,  the  FC  must  be  shut  down  while 
the  IFM  procedure  is  performed.  Each  essential  bus  has  three  power  sources.  The  single  failure  that 
would  cause  loss  of  a  main  distribution  box  essen  tial  bus  is  a  bus  short.  Since  the  preflight  test  bus 
powers  the  essential  bus,  the  short  would  probably  cause  the  pre-flight  test  bus  fuse  to  open.  On  orbit, 
the  IFM  will  be  performed  for  the  first  FC  failure,  since  single  failures  associated  with  powering  the 
preflight  test  bus  are  recoverable  without  placing  the  crew/vehicle  in  a  critical  situation.  To  be 
consistent  with  the  preflight  test  bus  Flight  Rule  (A9-110J,  PREFLIGHT  TEST  BUS  MANAGEMENT, 
concerning  entry  operations,  only  SFT  entry  critical  functions  are  recovered  since  use  of  the  preflight 
test  bus  may  expose  the  crew  to  problems  not  as  easily  recoverable  as  during  orbit  operations.  The 
mission  impact  for  first  FC  failure  will  be  MDF  since  the  FC  will  not  be  used  for  entry.  ®[ED  ] 

Reference  Rule  { A9-110 },  PREFLIGHT  TEST  BUS  MANAGEMENT,  for  additional  rationale.  ®[ED  ] 
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A9-58  FC  SUSTAINER  HEATER 

A  SUSTAINER  HEATER  FAILED  ON  IS  NOT  CAUSE  TO  SHUT  DOWN  THE 
AFFECTED  FC .  HOWEVER,  IF  FC  SHUTDOWN  IS  REQUIRED  FOR  OTHER 
REASONS,  IT  WILL  BE  SAFED  BY  CLOSING  ITS  REACTANT  VALVES  PRIOR 
TO  UNPOWERING  THE  FC  PUMPS. 


Thermal  analysis  by  International  Fuel  Cells  (IFC)  indicates  that  afailed-on  sustainer  heater  does  not 
overheat  a  FC  and  that  the  FC  would  be  usable  for  the  normal  mission  duration.  If  the  FC  is  shut  down, 
the  failed-on  sustainer  heater  will  remain  powered  as  long  as  there  are  reactants  to  power  the  FC.  To 
prevent  excessive  localized  heating,  the  reactants  will  be  depleted  prior  to  unpowering  the  coolant  pump. 
®[ED  ] 

DOCUMENTATION:  SODB.  4.4. LI. 1. 

A9-59  FC  ~  CELL  PERFORMANCE  MONITOR  [CIL] 

FOR  A  FUEL  CELL  THAT  HAS  LOST  ANY  CELL  PERFORMANCE  MONITOR 
(CPM)  TELEMETRY  OR  HAS  EXPERIENCED  A  CPM  CHANGE  OF  GREATER  THAN 
50  MV  FROM  THE  BASELINE  PRELAUNCH  VALUE,  THE  AFFECTED  FC  WILL: 
®[070899-6893A] 

A.  TIE  BUS  TO  ANOTHER  FC.  A  PERFORMANCE  SHIFT  SUFFICIENT  TO 
CAUSE  A  DELTA  AMPS  CHANGE  OF  >  12  AMPS  AND  DIVERGING  THAT  IS 
NOT  RELATED  TO  REACTANT  PRESSURE  CHANGE,  THERMAL  CONTROL, 
INERTS,  OR  NORMAL  V-I  PERFORMANCE  DIFFERENCES  (DERIVED  FROM 
BASELINE  PERFORMANCE  CURVES) ,  COULD  BE  INDICATIVE  OF  AN 
INTERNAL  CELL  FAILURE,  AND  UNLESS  THE  FC  HEALTH  CAN  VERIFIED, 
THE  FUEL  CELL  WILL  BE  SAFED.  IF  FC  PERFORMANCE  HAS  NOT 
VIOLATED  THE  ABOVE  CRITERIA,  THE  BUSES  WILL  BE  UNTIED  PRIOR 
TO  THE  DEORBIT  BURN. 

B.  HAVE  ITS  SINGLE  CELL  VOLTAGES  RECORDED,  DOWNLINKED,  AND 
ANALYZED  AT  LEAST  ONCE  PER  DAY.  IF  ANY  INDIVIDUAL  CELL 
VOLTAGE  IS  LESS  THAN  910  MV  WITH  FC  LOAD  BETWEEN  4  AND  8  KW, 
THE  FUEL  CELL  WILL  BE  TAKEN  OPEN  CIRCUIT,  AND  SINGLE  CELL 
VOLTAGES  WILL  BE  RECORDED,  DOWNLINKED,  AND  ANALYZED.  FOR  AN 
OPEN  CIRCUIT  SINGLE  CELL  READING  OF  LESS  THAN  1100  MV,  THE  FC 
WILL  BE  SAFED.  ®[070899-6893A] 

THIS  RULE  CONTINUED  ON  NEXT  PAGE 
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A9-59  FC  ~  CELL  PERFORMANCE  MONITOR  [CIL]  (CONTINUED) 

For  loss  ofCPM,  a  viable  procedure  to  regain  insight  into  possible  crossover  in  a  FC  is  to  tie  the 
affected  FC  to  an  adequately  instrumented  healthy  FC  and  note  any  change  in  the  delta  amps  between 
the  FC’s  once  an  equilibrium  delta  amp  has  been  identified.  A  performance  shift  of  12  amps  is 
equivalent  to  an  approximate  300  mV  degradation  in  one  of  the  96  cells  of  the  FC.  It  is  the  engineering 
judgment  of  the  FC  vendor  that  this  degree  of  performance  change  might  indicate  cm  internal  cell 
problem  and,  if  allowed  to  con  tin  ue,  could  lead  to  a  crossover  condition.  The  time  period  between 
deorbit  TIG  and  touchdown  is  considered  short  enough  not  to  require  the  insight  afforded  by  the  bus  tie. 
Also,  it  is  advisable  to  isolate  the  three  mean  buses  whenever  possible  for  EPDC  redundancy.  ®[ED  ] 

Using  the  FCMS  provides  insight  into  individual  cell  voltages.  Testing  at  International  Fuel  Cells  on 
FC  serial  number  122  showed  that  during  the  beginning  stages  of  crossover,  changes  to  individual  cell 
voltages  will  be  small  and  may  be  difficult  to  detect  while  the  fuel  cell  is  under  load.  During  testing, 
cells  known  to  have  crossover  were  consistently  below  910  mv  while  under  load.  When  taken  to  open 
circuit,  the  voltage  degradation  due  to  crossover  was  clearly  evident  and  the  cell  voltages  were 
consistently  below  1100  mv.  A  change  of  50  mvfrom  the  established  baseline  prelaunch  value  indicates 
that  something  off  nominal  may  be  occurring  in  the  fuel  cell  and  the  FCMS  will  be  utilized  to  ensure 
safety  of  the  crew  and  vehicle.  In  addition,  the  FCMS  may  provide  additional  insight  whenever  the 
health  of  the  fuel  cell  is  in  question.  There  are  single  point  wiring  failures  which  could  affect  both  the 
CPM  and  FCMS  measuremen  ts.  Single  cell  voltages  <  1100  mv  may  be  measured  on  cells  whose 
voltage  measurement  pin  connection  has  high  resistance.  High  resistance  in  a  cell  pin  connection 
manifests  itself  as  a  low  voltage  reading  on  a  single  cell  and  a  high  voltage  reading  on  an  adjacent  cell. 
Verification  of  the  health  of  cells  with  high  resistance  in  the  pin  connection  may  not  be  possible. 
®[070899-6893A] 

DOCUMENTATION:  Rule  {A9-107},  MAIN  BUS  TIE  [CIL],  references  this  rule.  ®[070899-6893A] 
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A9-60  FC  COOLANT  PUMP  FAILURE  MANAGEMENT  [CIL] 

A.  THE  FC  MUST  BE  SHUT  DOWN  WITHIN  9  MINUTES  (AT  7  KW)  FOR  LOSS 
OF  COOLING.  FC  SAFING  IS  NOT  REQUIRED. 

After  the  loss  of  cooling,  the  FC  must  be  shut  down  to  preclude  catastrophic  failure  due  to  overheating. 
Overheating  will  result  in  expansion  of  the  stack,  leaking  of  reactants  into  the  PBD,  and  uncontrolled 
mixing  of  O2  arid  H2  resulting  in  potential  explosion.  Testing  and  analysis  indicate  that  the  FC  will 
reach  the  redline  stack  temperature  of  250  deg  F  in  approximately  9  minutes  at  7  kW. 

DOCUMENTATION:  SODB,  3.4.4.1.15. 

B.  FUEL  CELL  OPERATION  WITHOUT  COOLING  MAY  BE  EXTENDED  BEYOND 
9  MINUTES  IF  THE  MCC  CALCULATED  FC  STACK  TEMPERATURE  IS 
PREDICTED  TO  BE  LESS  THAN  250  DEG  F.  FC  OPERATIONS  BEYOND 
9  MINUTES  WILL  ONLY  BE  ALLOWED  DURING  CRITICAL  MISSION 
PHASES  TO: 

1.  MAINTAIN  TWO  FUEL  CELLS,  OR 

2.  MAINTAIN  THREE  MAIN  BUSES  (I.E.,  BUS  TIE  CAPABILITY  LOST) 

At  the  FC  power  load  of  7  kW,  a  FC  can  be  operated  for  9  minutes  before  the  FC  stack  temperature 
reaches  250  deg  F.  However,  if  the  power  level  can  be  reduced  quickly  after  the  loss  ofFC  cooling,  FC 
operation  may  be  extended  beyond  9  minutes  since  a  lower  power  level  lowers  the  heating  rate.  FC 
operations  would  be  extended  when  absolutely  necessary  to  maintain  two  FC’s  or  three  main  buses  to 
allow  critical  equipment  to  remain  powered,  provide  extra  time  to  reconfigure  safely,  or  to  get  past  a 
critical  event  ( i.  e. ,  ascent/entry).  The  250  deg  F  limit  of  the  FC  stack  temperature  is  required  to 
maintain  integrity  of  the  FC  power  stack.  Based  upon  analysis  and  testing  conducted  by  IFC  and  JSC 
E&D,  the  predicted  FC  stack  temperature  can  be  calculated  from  the  FC  stack  temperature  at  the  time  of 
the  failure  and  the  affected  FC  subsequent  power  levels  (reliable  FC  stack  temperature  measurement  is 
lost  following  the  loss  of  coolant  flow). 

DOCUMENTATION :  RI  Internal  Letter,  287 -EPS-88-074,  FC  Operating  Time  Following  Loss  of 
Coolant,  May  24,  1988;  JSC-23091,  Internal  Note  for  FC  X708  Thermal  System  Off-Limits  Test, 
November  25,  1988;  and  SODB,  3.4.4.1.15. 
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A9-61  ACTIONS  FOR  FUEL  CELL  PH  INDICATIONS  ®[121296-4737B] 

A  FUEL  CELL  THAT  HAS  RECEIVED  A  "PH"  INDICATION  WILL  BE  HANDLED 
IN  THE  FOLLOWING  MANNER: 

A.  THE  FUEL  CELL'S  ASSOCIATED  MAIN  BUS  WILL  BE  BUS  TIED  TO  A 
GOOD  FUEL  CELL'S  MAIN  BUS.  THE  SUPPLY  B£0  TANKS  WILL  BE 
MANAGED  TO  ISOLATE  KOH  FROM  UNDESIRED  TANKS.  IF  CONFIRMING 
INDICATIONS  OF  FUEL  CELL  FLOODING  OR  CROSSOVER  ARE  RECEIVED 
AT  ANY  TIME,  THE  FUEL  CELL  WILL  BE  SAFED  AND  CONSIDERED  LOST. 
®[070899-6892A] 

Reception  of  a  fuel  cell  pH  indication  can  be  the  result  of  a  new  stack  build  or  from  being  in  storage 
for  extended  periods,  flooding,  crossover,  or  other  mechanisms  that  cause  the  KOH  to  escape  from  a 
fuel  cell.  If  KOH  is  escaping,  fuel  cell  failure  may  occur.  The  bus  tie  is  performed  to  protect  the  fuel 
cell’s  associated  main  bus  should  the  fuel  cell  completely  fail  and  also  to  monitor  the  fuel  cell’s 
performance.  Aside  from  a  new  stack  build,  fuel  cell  flooding  is  the  most  probable  cause  of  KOH  in 
the  product  water.  Flooding  may  be  the  result  of  improper  condenser  temperature  maintenance, 
coolant  pressure  imbalance,  or  degraded  or  failed  water  removal  system.  Confirming  cues  for  FC 
flooding  may  be  seen  in  FC  performance  degradation,  FC  temperatures,  H2  pump  status  and 
associated  AC  currents,  and  the  Delta  Amps  when  the  FC  is  bus  tied.  Confirming  indications  of 
crossover  may  be  changing  substack  delta  volts  or  unexplained  performance  degradation.  The  Fuel 
Cell  Monitoring  System  (FCMS)  may  also  be  useful  in  confirming  crossover,  flooding,  or  performance 
degradation  in  a  fuel  cell. 

H2O  tank  management  should  consider  effects  of  KOH  on  crew  drinking  supply,  FES  usage,  water 
transfers,  and  any  other  poten  tial  uses  of  the  fuel  cell  product  water. 

DOCUMENTATION :  SODB  Volume  1,  Section  3.4.4. 1  (13),  STS-2  and  STS-79  flight  experience,  and 
Rule  { A9-1}} ,  FUEL  CELL  (FC)  LOSS  [CIL],  references  this  rule. 

B.  FOR  RECEPTION  OF  THE  FUEL  CELL  AND/OR  COMMON  B^O  LINE  PH 
INDICATION,  A  LITMUS  TEST  OF  THE  FUEL  CELL  PRODUCT  WATER  WILL 
BE  PERFORMED  WITHIN  1  HOUR  TO  VERIFY  THE  PRESENCE  OF  KOH. 

It  is  imperative  that  the  litmus  test  be  expedited.  Continued  operation  of  a  fuel  cell  with  KOH 
discharge  could  result  in  a  hazardous  condition.  The  fuel  cell  pH  and  common  H2O  line  pH  sensors 
measure  conductivity  of  the  fuel  cell  product  water  and  are  not  specifically  measurements  of  KOH 
content.  A  litmus  test  of  the  water  must  be  performed  to  conclusively  determine  if  KOH  is  present. 

Av  much  as  20  minutes  transport  time  from  the  affected  fuel  cell  to  the  galley  QD  may  be  required 
(8-9  minutes  between  the  affected  fuel  cell  pH  indication  and  the  common  H2O  line  indication). 
®[070899-6892A] 
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A9-61  ACTIONS  FOR  FUEL  CELL  PH  INDICATIONS  (CONTINUED) 

1.  IF  BOTH  FUEL  CELL  AND  COMMON  H20  LINE  PH  INDICATIONS  ARE 
PRESENT  AND  THE  LITMUS  TEST  CANNOT  BE  PERFORMED  WITHIN  1 
HOUR,  THE  FUEL  CELL  WILL  BE  SAFED  AND  CONSIDERED  LOST. 
©[070899-6892A] 

With  both  FC  and  common  pH  sensors  indicating  a  high  pH,  the  likelihood  that  the  fuel  cell  is  releasing 
KOH  is  high.  Con  tinued  operation  of  a  fuel  cell  with  a  KOH  discharge  could  result  in  a  hazardous 
condition.  The  1-hour  operational  constraint  is  based  upon  engineering  judgment.  It  was  chosen  to 
allow  the  pH  indications  (from  residual  KOH)  to  clear,  thus  preventing  premature  fuel  cell  scifing  (fuel 
cell  historical  flight  data  STS-79  FC2  pH  indication  only  lasted  about  20  minutes).  Sustained  pH 
indications  for  1  hour  would  represen  t  a  continuing  problem  and  an  eminently  hazardous  condition 
requiring  the  FC  to  be  safed. 

2.  FUEL  CELL  OPERATION  FOR  CONFIRMED  KOH  RELEASE  PH  >  9  (BY 
A  LITMUS  TEST)  WITHOUT  SIGNS  OF  FLOODING  OR  CROSSOVER  IS 
ALLOWABLE  FOR  1  HOUR.  IF  THE  INDICATIONS  ARE  SUSTAINED 
FOR  GREATER  THAN  1  HOUR,  THE  FUEL  CELL  WILL  BE  SAFED  AND 
CONSIDERED  LOST. 

The  1-hour  limit  is  based  on  flight  experience  and  engineering  judgment.  Flight  experience  has  shown 
that,  on  occasion,  some  fuel  cells  have  residual  KOH  (either  from  a  new  stack  build  or  from  being  in 
storage  for  extended  periods  of  time)  that  is  expelled  into  the  product  water.  Small  amounts  of  residual 
KOH  in  FC  product  water  will  not  lead  to  a  hazardous  O2  concentration  in  the  H2  manifold;  therefore, 
the  1-hour  time  will  allow  for  the  intermittent  pH  condition  to  clear. 

3.  FUEL  CELL  OPERATION  MAY  CONTINUE  WITH  BOTH  SENSORS  ON  IF 
PH  <  9  (BASED  UPON  A  LITMUS  TEST)  AND  THERE  ARE  NO 
INDICATIONS  OF  FLOODING  OR  CROSSOVER.  THE  BUS  TIE  WILL 
BE  MAINTAINED  TO  MONITOR  FUEL  CELL  PERFORMANCE.  THE  BUS 
TIE  WILL  BE  BROKEN  FOR  ENTRY.  AN  FCMS  DATA  TAKE  AND  AN 
H20  LITMUS  TEST  WILL  BE  PERFORMED  DAILY. 

A  fuel  cell  whose  pH  sensors  continue  to  indicate  a  high  pH  but  whose  product  water  is  verified  to  have  a 
pH  level  <  9  and  whose  performance  is  nominal,  will  be  allowed  to  continue  operation.  Flight  experience 
has  shown  that  some  fuel  cells  may  have  residual  KOH,  either  from  a  new  stack  build  or  from  being  in 
storage  that  is  intermittently  expelled  into  the  product  water.  The  sensor  indications  are  possibly  due  to 
very  minute  amounts  of  KOH  that  the  litmus  test  cannot  verify.  Because  this  is  still  cm  off-nominal 
situation,  the  bus  tie  will  be  maintained  so  that  fuel  cell  performance  can  be  monitored.  If  performance 
degradation  or  indications  of  flooding  are  received,  the  fuel  cell  will  be  safed.  An  FCMS  data  take  and  an 
H2O  litmus  test  will  be  performed  daily  to  verify  FC  health. 
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A9-61  ACTIONS  FOR  FUEL  CELL  PH  INDICATIONS  (CONTINUED) 

DOCUMENTATION :  SODB  Volume  1,  Section  3.4.4. 1  (13)  and  STS-79  flight  experience.  Rule  [A9-1J, 
FUEL  CELL  (FC)  LOSS  [  CIL],  references  this  rule.  ®[121296-4737B]  ®[070899-6892A] 

C.  A  FUEL  CELL  PURGE  WILL  NOT  BE  PERFORMED  WHEN  EITHER  A  FUEL 
CELL  INDIVIDUAL  OR  COMMON  H20  LINE  PH  INDICATION  IS  PRESENT, 
UNLESS  FUEL  CELL  PRODUCT  WATER  PH  IS  CONFIRMED  <  9.0  USING  A 
LITMUS  TEST.  ®[070899-6892A] 

Purging  a  FC  that  is  expelling  KOH  can  result  in  KOH  being  deposited  in  the  common  H2  purge  line 
causing  possible  clogging  of  this  line  and  preven  ting  over-pressure  relief  of  all  three  fuel  cells.  With  the 
common  H2  purge  line  plugged,  the  H2  purge  capability  from  all  three  fuel  cells  is  also  lost. 

DOCUMENTATION:  SODB  Volume  1,  Section  3. 4. 4.1  (13).  Rule  (A9-IJ,  FUEL  CELL  (FC)  LOSS 
[CIL],  references  this  rule.  ®[070899-6892A] 

A9-62  FUEL  CELL  MONITORING  SYSTEM  DATA  TAKE 

A  MINIMUM  OF  ONE  FCMS  DATA  TAKE  WILL  BE  PERFORMED  EACH  FLIGHT. 
®[070899-6893A] 

The  FCMS  data  take  will  nominally  be  scheduled  as  early  as  is  practical  in  the  mission  timeline  to 
establish  a  fully  operational  on  orbit  baseline  and  to  verify  system  capability.  Performing  a  data  take 
each  flight  adds  to  the  historical  data  base  of  inflight  single  cell  voltages.  In  the  event  of  a  fuel  cell 
problem,  this  data  base  will  be  used  to  help  evaluate  fuel  cell  health.  The  only  time  to  verify  operation  of 
the  entire  FCMS,  including  data  interfaces,  onboard  PGSC’s,  and  downlink  capability,  is  during  flight. 
Since  the  PGSC  configurations  are  constantly  being  upgraded,  it  becomes  imperative  to  do  a  data  take 
every  flight  to  ensure  FCMS  capability  is  available  when  required.  ®[070899-6893A] 
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DC  POWER  DISTRIBUTION  AND  CONTROL  SYSTEMS  MANAGEMENT 

A9-101  DC  BUS  VOLTAGE  LIMITS 

DC  BUS  VOLTAGE  WILL  BE  MAINTAINED  AS  FOLLOWS: 

A.  MAIN  BUS  VOLTS  >  27.0  (27.2)  V  DC  AND  <  32.0  (31.8)  V  DC. 

B.  CONTROL  BUS  VOLTS  >24.8  (25.0)  V  DC  AND  <32.0  (31.8)  V  DC. 

C.  ESSENTIAL  BUS  VOLTS  >  25.5  (25.7)  V  DC  AND  <  38.0  (37.8)  V 

DC. 

D.  FORWARD  PCA  VOLTS  >  26.2  (26.4)  V  DC  AND  <  32.0  (31.8)  V  DC. 

E.  AFT  PCA  VOLTS  >  26.1  (26.3)  V  DC  AND  <  32.0  (31.8)  V  DC. 

Rationale  same  as  for  Rules  jA9-3}A  through  E,  ELECTRICAL  POWER  DISTRIBUTION  AND 
CONTROL  (EPDC)  SYSTEM  [CIL]. 

A9-102  ESSENTIAL  BUS 

EACH  ESSENTIAL  BUS  WILL  BE  CONNECTED  TO  ALL  THREE  OF  ITS  POWER 
SOURCES . 

The  highest  level  of  power  redundancy  will  be  maintained  to  the  essential  buses.  They  power  orbiter 
critical  equipment  such  as  GPC’s. 

A9-103  POWER  REDUCTION  GUIDELINES 

IF  AN  ELECTRICAL  POWER  SYSTEM  PROBLEM  REQUIRES  AN  IMMEDIATE  POWER 
REDUCTION,  POWER  TO  MADS  AND/OR  PAYLOAD  EQUIPMENT  MAY  BE 
TERMINATED . 

Those  electrical  loads  not  required  for  orbiter  systems  operations  while  in  a  situation  requiring 
immediate  reduction  in  electrical  load  to  prevent  FC  overloading  and/or  equipment  undervoltage  will  be 
terminated. 
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A9-104  MAIN  BUS  SHORT 

IF  A  CONFIRMED  MAIN  BUS  SHORT  RESULTS  IN  A  TOTAL  BUS  CURRENT 
GREATER  THAN  500  AMPS  (OFF-SCALE  HIGH)  AND  DOES  NOT  CLEAR 
AUTOMATICALLY : 

A.  PRE-MECO,  THE  MAIN  BUS  WILL  REMAIN  POWERED  AS  LONG  AS  THE 
ASSOCIATED  AC  BUS  VOLTAGE  IS  >  95  V  AC  OR  UNTIL  MCC  CONFIRMS 
SSME  CONTROLLER  SWITCHOVER  HAS  OCCURRED. 

The  orbiter  EPDC  system  is  designed  for  self-isolation  of  shorted  circuitry.  In  reality,  a  sustained 
short  of  this  magnitude  is  highly  unlikely.  Should  it  occur,  however,  main  engine  controller  power 
requirements  will  not  be  jeopardized.  The  crew  has  no  insight  into  SSME  controller  switchover. 

Once  the  ground  confirms  switchover  or  MECO  has  occurred,  the  uncleared  short  will  be  isolated. 

As  long  as  the  ac  voltage  remains  above  95  volts,  controller  switchover  will  not  take  place. 

B.  DURING  OMS  MANEUVERS  CRITICAL  FOR  CREW  SAFETY,  DEORBIT  BURN, 

AND  TAEM,  THE  MAIN  BUS  WILL  REMAIN  POWERED  AS  LONG  AS  BUS 
VOLTAGE  DOES  NOT  DROP  BELOW  26.4  (26.6)  V  DC. 

During  OMS  maneuvers  critical  for  crew  safety  (as  defined  in  the  Flight  Rule  Annex),  deorbit  burn,  and 
TAEM,  it  is  highly  desirable  that  the  maximum  level  of  electrical  power  redundancy  to  orbiter  equipmen  t 
be  maintained  and  that  single  power  source  equipment  not  be  lost.  The  crew  should  take  action  at  the 
C&W  limit  of  26.4  V  dc. 
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A9-105  CB/RPC  RESET 

A.  A  CB  OR  RPC  WILL  NOT  BE  RESET  IMMEDIATELY  UNLESS  THE  FUNCTION 

OR  SYSTEM  LOST  IS  CRITICAL  TO  MAINTAIN  SAFE  ORBITER  OPERATIONS. 

THE  MCC  WILL  REVIEW  ASSOCIATED  DATA  FOR  CAUSE  OF  THE  OPEN 

CIRCUIT . 

1.  IF  A  SHORT  OR  OVERLOAD  CAUSED  THE  TRIP,  IT  WILL  NOT  BE 
RESET  UNLESS  THE  AFFECTED  LRU(S)  WOULD  BE  THE  LAST  METHOD 
TO  PERFORM  A  CRITICAL  FUNCTION.  IT  WILL  NOT  BE  RESET  TO 
REGAIN  REDUNDANCY  FOR  A  CRITICAL  FUNCTION  OR  TO  REGAIN 
MISSION  SUCCESS  ITEMS. 

2.  IF  THERE  IS  CONCLUSIVE  EVIDENCE  THAT  NO  SHORT /OVERLOAD 
EXISTS,  IT  CAN  BE  RESET  (DURING  MCC  COVERAGE) .  RESET 
SHOULD  ONLY  BE  PERFORMED  IF  THE  LRU  IS  NEEDED.  CONCLUSIVE 
EVIDENCE  IS  TELEMETRY  INDICATING  THE  EXACT  TIME  OF  POWER 
LOSS  AND  ADEQUATE  RESOLUTION  AND  SAMPLE  RATE  FOR  THE  BUS 
CURRENTS  AT  THAT  TIME.  IF  THE  LRU  IS  REGAINED  DURING  A  CB 
RESET  AND  NO  SHORT  IS  SEEN,  BUT  THE  CB  FAILS  TO  HOLD,  THE 
IFM  CB  RETENTION  DEVICE  CAN  BE  INSTALLED  IMMEDIATELY  FOR 
CREW  SAFETY  ISSUES  ONLY.  INSTALLATION  OF  THE  RETENTION 
DEVICE  FOR  MISSION  SUCCESS  SHOULD  BE  AVOIDED,  BUT 
INDIVIDUAL  CASES  WILL  BE  CONSIDERED  BASED  UPON  IMPACT  OF 
LRU  LOSS,  LENGTH  OF  TIME  THAT  RETENTION  DEVICE  IS  NEEDED, 
MOST  PROBABLE  FAILURE  MODE,  ETC. 

3.  IF  DATA  IS  INCONCLUSIVE  (E.G.,  INADEQUATE  RESOLUTION  OR 
TIME  NOT  KNOWN)  CB/RPC  RESET  WILL  BE  BASED  UPON  IMPACT 
OF  LRU  LOSS,  WIRE  TYPE  (KAPTON  TWISTED  PAIR  IS  HIGHEST 
RISK),  DEGREE  OF  UNCERTAINTY  IN  DATA  ANALYSIS,  ETC. 


Laboratory  tests  on  Kapton  wiring  indicate  that  “arc  tracking  ”  can  cause  extensive  damage  to  wire 
harnesses.  Loss  of  a  wire  harness  in  itself  could  be  catastrophic.  Reset  of  the  circuit  protection  in  many 
cases  caused  more  damage  than  the  original  occurrence.  However,  if  it  is  known  that  the  open  circuit  was 
not  caused  by  a  short,  the  cause  is  most  likely  mechanical  failure  or  the  con  trol  was  inadvertently  bumped. 
Installation  of  the  cb  retention  device  should  be  avoided  since  there  have  been  instances  where  the  cb  is 
damaged  in  such  a  manner  that  it  will  not  latch,  nor  would  it  be  able  to  trip  if  held  closed.  Under  some 
circumstances,  it  will  be  impossible  to  verify  that  no  short  occurred.  Examples  include:  loss  of  data, 
circuit  protection  trip  characteristics  in  noise  level  of  bus  currents,  low  data  sample  rates,  unable  to 
determine  exact  time  of  event,  etc.  Since  these  present  varying  degrees  of  uncertainty  and  since  wire  type 
plays  an  importan  t  role  in  the  risk  of  reset,  cases  falling  into  this  category  will  be  addressed  based  on  real- 
time  conditions. 
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A9-105  CB/RPC  RESET  (CONTINUED) 

DOCUMENTATION :  Testing  performed  at  KSC  Malfunction  Analysis  Laboratory  and  at  the  JSC  EPDC 
Laboratory.  Also  CAR  #  AC 1737-0 10. 

B.  A  CIRCUIT  OR  LRU  WHICH  IS  PROTECTED  BY  A  CB  (NOT  TRIPPED)  AND 
WHICH  HAS  FAILED  TO  FUNCTION  FOR  AN  UNDETERMINED  REASON,  MAY 
HAVE  ITS  CB  CYCLED  ONCE.  IF  NO  SHORT  IS  SEEN,  IT  MAY  BE 
CYCLED  FIVE  TIMES. 

Corrosion  conform  on  the  contacts  of  cb  ’s.  Troubleshooting  experience  has  shown  that  this  corrosion 
can  be  removed  by  cycling  the  cb  while  under  load.  Five  cycles  have  been  sufficient.  In  case  the  cb  has 
popped  internally  due  to  a  short,  MCC  must  review  data  after  the  first  cycle. 

DOCUMENTATION :  CF  NOI53  (STS-3  and  subs),  CF7/82-19,  Orbiter  Circuit  Breaker  Contact 
Oxidation. 


A9-106  CONTROL  BUS 

A.  A.  A  CONTROL  BUS  THAT  IS  DETERMINED  TO  HAVE  A  SHORT  BY  THE 

MCC  WILL  BE  UNPOWERED  USING  THE  FOLLOWING  GUIDELINES. 

1.  IF  A  SHORT  CAUSES  THE  LOSS  OF  A  CONTROL  BUS  RPC,  THE 
CONTROL  BUS  CENTER  POWER  SOURCE  CIRCUIT  BREAKER  (ON  PANEL 
R15)  WILL  BE  OPENED  AND  THE  REMAINING  RPC  WILL  BE  DISABLED 
BY  CONTINUOUSLY  HOLDING  THE  CONTROL  BUS  RPC  RESET  SWITCH 
(ON  PANEL  Rl)  IN  THE  RESET  POSITION  WHILE  AN  IFM  IS 
PERFORMED  TO  UNPOWER  THE  DESIRED  RPC. 

2.  IF  A  SHORT  DOES  NOT  CAUSE  LOSS  OF  ANY  CONTROL  BUS  RPC'S, 
BOTH  OF  THE  ASSOCIATED  CONTROL  BUS  RPC  RESET  SWITCHES  WILL 
BE  ACTUATED  CONTINUOUSLY  TO  DISABLE  BOTH  CONTROL  BUS  RPC'S 
UNTIL  AN  IFM  IS  PERFORMED  TO  UNPOWER  THE  DESIRED  RPC'S. 

IF,  AFTER  DISABLING  BOTH  RPC'S,  THE  CREW  REPORTS  VISIBLE 
ARCING  OR  SMOKE,  THE  R15  CENTER  SOURCE  CB  WILL  BE  PULLED. 
THIS  WILL  DISABLE  THREE  CONTROL  BUSES  (E.G.,  CNTL  AB1/2/3) 
UNTIL  THE  IFM  CAN  BE  PERFORMED. 
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A9-106  CONTROL  BUS  (CONTINUED) 

B.  A  CONTROL  BUS  WHICH  HAS  FAILED  DUE  TO  A  SHORT  MAY  HAVE  ONE 
OF  ITS  RPC'S  RESET  (DURING  GROUND  COVERAGE  ON  MCC  REQUEST) 

TO  ATTEMPT  POSITIONING  OF  VALVES  OR  RELAYS  (POWERED  BY  THE 
CONTROL  BUS  THROUGH  MOMENTARY  SWITCHES)  WHEN  THE  ATTEMPT  IS 
CONSIDERED  MANDATORY  FOR  FLIGHT  SAFETY. 

Breadboard  testing  in  May  1988  determined  that  a  control  bus  short  would  not  open  all  three  circuit 
protection  devices  due  to  bus  wire  size  and  length.  The  result  would  be  a  partied  control  bus  loss  with  the 
short  still  being  supplied  power.  ( The  maximum  power  possible  from  a  5-amp  RPC  source  is  7.5A  *  30V  = 
225  watts). 

If  a  control  bus  is  determined  to  have  a  short,  it  will  be  unpowered  as  soon  as  possible  to  prevent  further 
damage  due  to  localized  heating  and/or  possible  arc  tracking.  Kapton  wire  arc-tracking  tests  performed  in 
1990  indicate  that  initiation  of  arc  tracking  on  a  single  conductor  wire  (as  used  for  control  buses)  is 
unlikely.  However,  if  it  did  occur,  testing  indicates  that  the  entire  bundle/  harness  could  be  damaged.  Since 
con  trol  bus  wires  are  rou  ted  in  bundles  and  harnesses  containing  other  control  buses  and  critical  functions, 
damage  affecting  multiple  wires  could  be  catastrophic. 

If  a  con  trol  bus  is  shorted,  one  of  the  power  sources  will  most  likely  be  lost. 

a.  If  a  control  bus  RPC  is  lost  due  to  a  short,  the  quickest  way  to  remove  the  other  two  power  sources 
is  to  use  the  RPC  reset  switch  and  open  the  center  source  circuit  breaker.  This  action  will  cause 
four  other  con  trol  buses  to  lose  one  of  three  power  sources,  and  two  other  con  trol  buses  to  lose  two 
of  three  power  sources.  After  the  IFM  is  performed  to  unpower  the  “reset  RPC,  ”  two  RPC’s  will  be 
regained  by  releasing  the  RPC  reset  switch.  This  will  result  in  one  control  bus  ( the  one  with  the 
short)  with  no  power  sources,  four  control  buses  with  two  of  three  power  sources,  and  all  others 
with  all  three  power  sources. 

b.  If  a  control  bus  short  does  not  cause  the  loss  of  an  RPC,  the  center  source  5-amp  fuse  (downstream 
of  the  10-amp  cb)  is  probably  open.  The  only  quick  method  of  removing  the  other  two  power 
sources  is  to  use  the  two  associated  RPC  reset  switches.  This  action  will  cause  six  other  control 
buses  to  lose  one  of  three  power  sources,  and  two  other  control  buses  to  lose  two  of  three  power- 
sources.  After  the  IFM  is  performed  to  unpower  the  associated  “reset  RPC’s,  ’’four  RPC’s  will  be 
regained  by  releasing  the  RPC  reset  switches.  This  results  in  one  control  bus  ( the  one  with  the 
short)  with  no  power  sources,  two  con  trol  buses  with  two  of  three  power  sources,  and  all  others  with 
all  three  power  sources.  Continued  arcing  and  smoke  may  require  the  center  feed  cb  to  be  pulled  to 
ensure  no  power  is  available  to  the  shorted  bus. 
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A9-106  CONTROL  BUS  (CONTINUED) 

The  IFM  unpowers  individual  RPC’s  using  the  appropriate  LF MDM  cable  pins.  The  IFM  does  not 
power  the  LF  MDM  or  the  preflight  test  bus. 

With  respect  to  resetting  a  control  bus  RPC  to  attempt  positioning  of  valves  or  relays,  depending  on  the 
location  and  magnitude  of  the  short,  tests  have  indicated  that  it  may  be  possible  to  power  momentary  (2 
to  3  seconds)  loads  by  resetting  one  of  the  control  bus  RPC’s. 

DOCUMENTATION :  SODB  3.4. 5.6.2;  Lockheed  memo  #EP5-M10-215,  Shuttle  Control  Bus  Kapton 
Wire  Arc  Tracking  Test  Summary,  10-12-90;  and  LEMSCO-25658,  Summary  of  the  Control  Bus 
Repower  Test,  May  1988. 


A9-107  MAIN  BUS  TIE  [CIL] 

A.  NORMALLY  THE  MAIN  BUSES  WILL  BE  ISOLATED  FROM  EACH  OTHER. 

TWO  OR  THREE  MAIN  BUSES  WILL  BE  TIED: 

1.  TO  REGAIN  INSIGHT  INTO  AN  FC  PERFORMANCE  DUE  TO  SUSPECT 
OR  FAILED  INSTRUMENTATION  (I.E.,  CPM)  AND  WILL  BE  UNTIED 
PRIOR  TO  DEORBIT  TIG.  FOR  PAYLOAD  DEPLOYS  OR  PROX  OPS,  A 
MAXIMUM  OF  TWO  MAIN  BUSES  WILL  BE  TIED.  WHILE  TIED,  FC 
MANAGEMENT  WILL  BE  PERFORMED  PER  RULE  {A9-59},  FC  -  CELL 
PERFORMANCE  MONITOR  [CIL] . 


It  has  been  determined  that  a  viable  alternative  to  adequate  FC  instrumentation  is  to  tie  the  FC  to  a 
healthy,  adequately  instrumen  ted  FC.  For  critical  flight  phases  during  which  the  temporary  loss  of  all 
GPC’s  would  be  unacceptable,  only  two  buses  will  remain  tied. 

DOCUMENTATION:  SODB,  4.4. 1.1.1. 


2.  FOR  CELL  FAILURE  OR  DEGRADATION  IN  ORDER  TO  MAINTAIN 
THREE  POWERED  MAIN  BUSES. 


It  is  highly  desirable  to  always  maintain  the  highest  level  of  power  redundancy  to  all  orbiter  equipment. 

3.  IN  PERFORMANCE  OF  MALFUNCTION  PROCEDURES  TO  MINIMIZE  LOAD 
TRANSIENTS  ON  THE  FC'S. 

It  is  highly  desirable  that  no  FC  be  stressed  unnecessarily  by  excessive  loading.  Therefore,  for  total 
vehicle  electrical  loads  of  >18  kW,  all  three  buses  will  be  tied  during  periods  of  troubleshooting.  The 
FC  malfunction  procedures  reflect  this  philosophy. 

DOCUMENTATION:  SODB,  3.4.4. 1.2. 
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A9-107  MAIN  BUS  TIE  [CIL]  (CONTINUED) 

4.  FOR  EXTENDED  ON-ORBIT  OPERATION  OF  PAYLOADS  REQUIRING 
>4  KW  (TWO  BUSES  TIED.) 

It  is  used  to  preclude  one  FCfrom  being  overstressed  by  excessive  electrical  load  caused  from 
supporting  a  main  bus  and  the  high  power  requiremen  t  of  the  payload.  @[092701-4872  ] 

After  a  powerdown  of  orbiter  equipment  to  accommodate  the  payload  power  requirements,  the  orbiter 
will  still  require  approximately  4  kW  power  per  FC.  With  the  addition  of  a  payload  power  demand  of 
4  kW  on  a  single  fuel  cell,  about  1  kW  of  the  total  load  will  shift  to  the  other  FC  due  to  the  dioded  load 
sharing.  The  total  load  remaining  on  the  fuel  cell  will  be  approximately  7  kW  that  is  the  SODB 
maximum  limit  for  continuous  power  from  a  fuel  cell.  Therefore,  payload  power  demands  greater 
than  4  kW  require  two  buses  tied  so  that  additional  load  can  be  shared  between  two  FC’s. 

DOCUMENTATION :  SODB,  3. 4. 4. 1.2  and  engineering  judgment. 

B.  BUS  TIEING  DURING  ASCENT/ENTRY  WILL  ONLY  BE  PERFORMED  IF  THE 
TOTAL  FC  ELECTRICAL  LOAD  IS  ?27  KW  OR  930  AMPS  AND  THE 
REMAINING  FC  PERFORMANCE  (V-I)  HAS  BEEN  NOMINAL. 

A  bus  tie  to  a  decaying  FC  during  powered  flight  is  acceptable  provided  the  remaining  FC’s  have 
adequate  performance  margins  available  to  support  two  buses. 

C.  BUS  TIEING  TO  A  DEAD  BUS  (I.E.,  BUS  VOLTS  <20  V  DC)  PRIOR  TO 
SRB  SEPARATION  WILL  NOT  BE  PERFORMED. 

The  voltage  transient  on  a  good  bus  while  tieing  to  an  unpowered  bus  may  cause  an  undervoltage 
condition  on  the  SRB  buses  resulting  in  the  loss  of  two  of  three  power  sources  to  the  SRB’s.  All  critical 
equipment  will  remain  powered  with  loss  of  one  main  bus  (volts  <  20).  Therefore,  only  the  switching 
absolutely  necessary  should  be  performed  pre-SRB  separation,  and  the  bus  tie  steps  when  main  volts 
are  <  20  Vdc  should  not  be  performed. 


A9-108  CRITICAL  PHASE  BUS  MANAGEMENT 

ELECTRICAL  BUSES  NOT  REQUIRED  FOR  ASCENT  AND/OR  ENTRY  (E.G., 
PAYLOAD  BUSES  NOT  REQUIRED  FOR  THESE  PHASES)  WILL  NORMALLY  BE 
POWERED  OFF  PRIOR  TO  THE  CRITICAL  PHASE. 

Unpowered  circuitry  cannot  provide  a  site  for  a  short.  This  affords  more  protection  to  the  orbiter  during 
critical  mission  phases. 


This  rule  is  referenced  by  Rule  {A9-262},  EDO  PALLET  MANAGEMENT. 
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A9-109  PRIMARY  PAYLOAD  BUS  MANAGEMENT 

ELECTRICAL  POWER  TO  MAJOR  PAYLOADS  IN  THE  ORBITER  PLB  IS 
PROVIDED  VIA  THE  ORBITER  PRIMARY  PAYLOAD  BUS.  THE  PRIMARY 
PAYLOAD  POWER  SOURCES  TO  THE  ORBITER  PLB  WILL  BE  MANAGED  AS 
FOLLOWS : 

A.  PRIMARY  PAYLOAD  MNC  -  8  KW  CONTINUOUS,  12  KW  PEAK  FOR 

15  MINUTES  EVERY  3  HOURS. 

B.  PRIMARY  PAYLOAD  FC3  -  8  KW  CONTINUOUS,  12  KW  PEAK  FOR 

15  MINUTES  EVERY  3  HOURS. 

C.  PRIMARY  PAYLOAD  MNB  -  7  KW  CONTINUOUS,  AND  PEAK  ®[071 494-1 658A] 

By  design,  the  power  level  constraints  noted  above  must  be  observed.  The  orbit er  MNC  bus  feed  is  the 

normal  source  of  power  to  the  primary  payload  bus  to  maximize  the  amount  of  power  delivered  to  a 
payload.  Although  the  FC3  feed  has  the  same  power  constraints  as  the  orbit  er  MNC  bus  feed,  it  has 
always  been  the  philosophy  to  feed  the  payloads  from  orbiter  buses  rather  than  directly  from  the  FC, 
when  possible.  The  MNC  and  FC3  feeder  constraint  is  based  upon  FC  power  limitations.  The  existing 
fuel  cells  cannot  supply  the  full  power  capabilities  of  the  four  feeders  ( each  with  200  amp  fuses)  without 
violating  the  FC  power  constrain  ts.  The  orbiter  MNB  feed  does  not  have  the  power  capabilities  of  the 
other  feeds  due  to  the  fuse  sizing  between  the  orbiter  MNB  bus  and  the  primary  payload  bus.  The  MNB 
feeder  constraint  was  based  on  a  detailed  analysis  completed  by  the  subsystems  managers.  It  was 
determined  for  a  worst  case  of  26.8  volts  and  a  10  percent  difference  between  the  two  feeders,  that  7  kW 
continuous  and  peak  was  to  be  the  highest  level  that  the  MNB  bus  should  operate  at  and  still  maintain 
the  integrity  of  the  feeder  arid  provide  a  slight  margin  of  safety.  Payload  power  includes  all  ac  and  dc 
power  provided  to  the  payload.  Primary  payload  power  is  measured  at  the  FC  output  terminals. 

®[071 494-1 658A] 

DOCUMENTATION:  SODB  4. 5. 6.8.1 . 
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A9-110  PREFLIGHT  TEST  BUS  MANAGEMENT 

IF  NECESSARY  TO  REGAIN  A  CRITICAL  FUNCTION,  THE  PREFLIGHT  TEST 
BUS  MAY  BE  POWERED  MOMENTARILY  OR  CONTINUOUSLY  FOR  ORBIT  OR 
ENTRY.  THE  PRELAUNCH  MDM' S  WILL  NOT  BE  POWERED.  SPECIFIC  LRU'S 
OR  SITUATIONS  THAT  USE  THE  PREFLIGHT  TEST  BUS  WILL  BE  IDENTIFIED 
IN  THE  RULES  SECTION  FOR  EACH  DISCIPLINE. 

A.  USAGE  OF  THE  PREFLIGHT  TEST  BUS  WILL  BE  CONSTRAINED  AS 

FOLLOWS : 

1.  ORBIT  -  RESTORE  CRITICAL  EQUIPMENT  AFTER  FIRST  FAILURE. 

2.  ENTRY  -  RESTORE  CRITICAL  EQUIPMENT  FOR  ENTRY  SINGLE-FAULT 
TOLERANCE  ( SFT)  . 

B.  THE  FOLLOWING  CONSTRAINTS  MUST  BE  FOLLOWED  IF  THE  PREFLIGHT 

TEST  BUS  IS  POWERED  CONTINUOUSLY. 

1.  ORBIT  -  A  MAIN  BUS  TIE  WILL  BE  PERFORMED  TO  PROTECT 
AGAINST  AN  INADVERTENT  MAIN  BUS  DISCONNECT  PRIOR  TO 
PREFLIGHT  TEST  BUS  POWERUP : 

a.  FOR  PREFLIGHT  BUS  1  USAGE  -  BUS  TIE  MNA  TO  MNB . 

b.  FOR  PREFLIGHT  BUS  2  USAGE  TO  RECOVER  FC3  -  TO 
PRECLUDE  POSSIBLE  LOSS  OF  TWO  MAIN  BUSES,  BUS  TIE 
MNA  TO  MNC  WHILE  THE  PREFLIGHT  BUS  IS  POWERED  AND 
FC3  IS  NOT  YET  RECOVERED.  ONCE  FC3  IS  RECOVERED, 
RECONFIGURE  THE  BUS  TIE  MNB  TO  MNC  AND  CONNECT  FC3 
AND  MNC  TO  THE  PRIMARY  PAYLOAD  BUS. 

c.  FOR  PREFLIGHT  BUS  2  USAGE  IN  ALL  OTHER  CASES  -  BUS 
TIE  MNB  TO  MNC  AND  CONNECT  FC3  AND  MNC  TO  THE  PRIMARY 
PAYLOAD  BUS . 
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A9-110  PREFLIGHT  TEST  BUS  MANAGEMENT  (CONTINUED) 

2.  ENTRY  -  FOR  FUEL  CELL  (ECU)  RECOVERY,  THE  PREFLIGHT  TEST 
BUS  WILL  BE  USED  TO  PROVIDE  A  TWO  FC  ENTRY  (REF.  RULE 
{A9-57D},  REUSABLE  FC) .  TO  PRECLUDE  POSSIBLE  LOSS  OF  TWO 
MAIN  BUSES  DUE  TO  A  PREFLIGHT  TEST  BUS  DRIVER  FAILURE, 

THE  FOLLOWING  MAIN  BUS  TIE/PRIMARY  PAYLOAD  BUS 
CONFIGURATION  SCHEDULE  WILL  BE  IMPLEMENTED: 


a . 

FC1 

RECOVERED, 

FC2 

(3) 

FAILED : 

BUS  TIE 

MNB 

TO 

MNC 

b . 

FC2 

RECOVERED, 

FC1 

FAILED : 

BUS  TIE 

MNC 

TO 

MNA 

CONNECT 

FC3 

TO 

PRI 

PL 

BUS 

CONNECT 

MNC 

TO 

PRI 

PL 

BUS 

c . 

FC2 

RECOVERED, 

FC3 

FAILED : 

BUS  TIE 

MNC 

TO 

MNA 

d . 

FC3 

RECOVERED, 

FCli 

(2) 

FAILED : 

BUS  TIE 

MNA 

TO 

MNC 

(MNB) 

CONNECT 

FC3 

TO 

PRI 

PL 

BUS 

CONNECT 

MNC 

TO 

PRI 

PL 

BUS 

FOR  ALL  OTHER  USES,  FOLLOW  THE  MAIN  BUS  TIE  GUIDELINES  IN 
PARAGRAPH  B.l. 

NOTE:  A  CREWMEMBER  MUST  BE  ABLE  TO  UNPOWER  THE  PREFLIGHT 

TEST  BUS  WHILE  SECURED  IN  SEAT. 

THIS  RULE  CONTINUED  ON  NEXT  PAGE 


VOLUME  A  06/20/02  FINAL  ELECTRICAL  9-34 

Verify  that  this  is  the  correct  version  before  use. 


NASA  -  JOHNSON  SPACE  CENTER 


FLIGHT  RULES 


A9-110  PREFLIGHT  TEST  BUS  MANAGEMENT  (CONTINUED) 

C.  MOMENTARY  USE  OF  THE  PREFLIGHT  TEST  BUS  CONSTRAINTS  ARE  AS 
FOLLOWS : 

IF  MOMENTARY  USE  IS  POSSIBLE  DURING  ENTRY,  ON-ORBIT  PREFLIGHT 
TEST  BUS  POWERUP  IS  REQUIRED  TO  VERIFY  NO  DRIVER  FAILURES. 

IF  POSSIBLE,  THE  MOMENTARY  FUNCTION  WILL  BE  EXERCISED  ON 
ORBIT. 

Powering  the  preflight  test  bus  enables  circuits  that  use  the  single-string  launch  MDM’s  and  data  bus 
system  to  operate  most  orbiter  systems  equipment  during  ground  turnaround.  Due  to  the  design,  a  single 
driver  failure  could  cause  equipment  to  be  inadvertently  commanded  whenever  the  preflight  test  bus  is 
powered.  A  study  prepared  by  the  Electrical  Systems  Section,  Systems  Division,  Mission  Operations 
Directorate,  showed  that  the  results  of  each  driver  failure  is  recoverable  and  would  not  place  the  orbiter 
or  crew  in  a  critical  situation.  Therefore,  while  on  orbit,  the  preflight  test  bus  may  be  used  to  restore 
critical  redundancy  beyond  SFT.  Due  to  entry  being  a  critical  phase  of  flight,  use  of  the  preflight  test 
bus  is  limited  to  restore  only  single-fault  tolerance  to  entry-critical  systems.  Note  that  at  no  time  would 
the  prelaunch  MDM’s  be  powered  during  a  mission  since  a  single  card  failure  could  send  multiple, 
conflicting  commands  to  orbiter  systems  and  alter  vehicle  configuration  severely  (e.g.,  simultaneous 
FC/main  bus  disconnect/connect,  etc.).  The  three  most  significant  single  driver  failures  that  were  noted 
were  the  FC/main  bus  disconnect,  three-phase  ac  in  verter  and  bus  disconnect,  and  APU  fuel  valve 
closure. 

During  the  orbit  phase,  if  the  preflight  bus  is  to  be  powered  con  tinuously,  a  bus  tie  is  performed  to 
prevent  loss  of  a  mean  bus  due  to  an  inadvertent  disconnect  caused  by  a  preflight  test  bus  driver  failure. 
For  the  recovery  of  FC3,  toted  prevention  of  the  loss  of  a  mean  bus  cannot  be  met.  However,  to  avoid 
losing  two  mean  buses,  the  bus  tie  configuration  is  modified  so  MNC  is  tied  to  MNA  during  the  relatively 
brief  time  when  the  preflight  test  bus  is  powered,  but  FC3  is  not  yet  recovered.  This  configuration  covers 
the  case  for  the  un  tied  FC2/MNB  bus  system  having  a  failed  driver  when  the  preflight  test  bus  is  first 
powered  which  results  in  the  temporary  loss  ofMNB.  The  prevention  of  the  loss  of  a  main  bus  can  be 
met  once  FC3  is  recovered  and  connected  to  its  main  bus  by  reconfiguring  the  bus  tie  between  MNB  and 
MNC.  In  addition,  while  FC3  is  operating,  the  primary  payload  bus  can  be  used  to  provide  a  redundant 
electrical  path  between  FC3  and  MNC  which  will  preven  t  FC3  from  inadvertently  disconnecting  from  its 
main  bus. 

During  entry,  the  bus  tie  configuration  depends  upon  the  reason  the  preflight  test  bus  is  being  used.  For 
the  case  where  it  is  used  to  recover  a  FC,  the  bus  tie  configuration  depends  upon  which  FC  is  recovered 
and  which  FC  has  failed.  The  reason  for  this  is  to  protect  the  electrical  system  from  losing  more  them 
one  mean  bus  due  to  a  driver  failure.  Again,  the  primary  payload  bus  can  be  used  to  provide  a 
redundant  electrical  path  between  FC3  and  MNC  which  will  prevent  FC3  from  inadvertently 
disconnecting  from  its  mean  bus. 
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A9-110  PREFLIGHT  TEST  BUS  MANAGEMENT  (CONTINUED) 

A  disconnect  of  either  ac  inverter  power  or  ac  buses  can  be  corrected  during  either  orbit  or  entry  phase 
of  flight  by  unpowering  the  preflight  bus  and  using  the  panel  switches  to  restore  the  affected  ac  system. 
Unpowering  the  preflight  test  bus  will  result  in  the  loss  of  the  system  it  recovered. 

Since  avionics  bay  fire  suppression  can  be  inhibited  by  an  undetectable  DISCHARGE  CMD  driver 
failure  (one  driver  per  avionics  bay),  as  well  as  other  undesirable  driver  failures  affecting  vehicle 
configuration,  the  crew  must  be  able  to  unpower  the  preflight  test  bus  while  seated  for  entry.  If  fire 
suppression  is  required  for  an  avionics  bay  while  on  orbit,  either  the  preflight  test  bus  can  be  unpowered 
momentarily  to  recover  the  A  V  bay  built-in  system  or  a  handheld  bottle  can  be  discharged.  Preflight  test 
bus  1  can  affect  avionics  bay  3  fire  suppression,  and  preflight  test  bus  2  can  affect  avionics  bays  1  and  2 
fire  suppression. 

Momentary  use  of  the  preflight  test  bus  would  require  only  a  few  seconds  of  operations  ( <5  seconds )  to 
accomplish  most  switching  or  reconfiguration  tasks,  so  exposure  to  driver  failures  is  limited.  The  only 
constraint  is  that  on-orbit  verification  of  preflight  test  bus  capability  be  performed  which  will  ensure  the 
in  tegrity  of  the  test  bus  and  the  IFM  procedure  prior  to  its  use  during  entry. 

DOCUMENTATION :  On-Orbit/Entry  Usages  of  Preflight  Test  Bus,  Electrical  Systems  Section  -  Mission 
Operations  Directorate.  Presented  to  Orbit  Flight  Techniques  on  November  18,  1988. 

Rule  (A9-57DJ,  REUSABLE  FC,  references  this  rule. 
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AC  POWER  DISTRIBUTION  AND  CONTROL  SYSTEMS  MANAGEMENT 


A9-151  AC  INVERTER  MANAGEMENT 

NORMALLY,  ALL  AC  INVERTERS  AND  BUSES  WILL  BE  POWERED  DURING 
FLIGHT.  IF  AN  INVERTER  FAILS,  IT  WILL  BE  DISCONNECTED  FROM 
BOTH  THE  AC  AND  DC  BUSES. 

All  nine  ac  inverters  are  utilized  by  orbiter  equipment.  The  dc  power  to  a  failed  inverter  will  be 
disconnected  since  the  inverter  could  act  as  a  load.  Also,  the  output  capacitor  acts  as  a  load  of 
2.95  amps  on  the  other  two  phases  of  the  ac  bus  supplying  power  to  coupled  three-phase  loads 
(ac  motors). 


A9-152  AC  BUS  SENSORS  SWITCH  MANAGEMENT 

TO  PRECLUDE  INADVERTENT  AC  BUS  DISCONNECT,  THE  AC  BUS  SENSORS 
WILL  BE  PLACED  IN  THE  "MONITOR"  POSITION  DURING  ASCENT  (UNTIL 
MM  105) .  ALSO,  DURING  ASCENT  PRIOR  TO  MECO,  IF  ANY  AC  PHASE 
BUS  FAILS,  OR  IF  A  MAIN  ENGINE  SHUTS  DOWN,  OR  IF  AN  SSME 
CONTROLLER  LOSES  REDUNDANCY,  THEN  ALL  THREE  AC  BUS  SENSOR 
SWITCHES  WILL  BE  PLACED  TO  "OFF".  POST  OMS-1,  THE  AC  BUS 
SENSORS  WILL  NOMINALLY  BE  PLACED  IN  "AUTO  TRIP"  AND  REMAIN  IN 
THAT  POSITION  FOR  THE  REMAINDER  OF  THE  FLIGHT  (THROUGH  WHEEL 
STOP)  .  @[110900-3510] 

AC  sensors  are  put  to  MONITOR  during  powered  flight  to  prevent  an  inadvertent  tripoff  that  would 
cause  SSME  controller  auto  switchover  from  the  affected  bus  to  a  secondary  SSME  controller  on  another 
ac  bus.  If  a  main  engine  shuts  down,  or  SSME  controller  redundancy  is  lost,  or  a  failure  occurs  in  the 
AC  system,  the  ac  sensor  switches  will  be  put  to  OFF  so  that  no  failure  in  the  ac  bus  sensor  could  cause 
further  complications.  If  a  failure  occurs  in  an  AC  system  during  the  entry  timeframe,  the  affected  AC 
bus  sensor  can  be  taken  “  OFF”  to  protect  for  critical  equipment  redundancy.  @[110900-3510] 

Rule  { A5-111A },  AC  BUS  SENSOR  ELECTRONICS  CONTROL  [CIL]  references  this  rule.  ®[ED  ] 

A9-153  AC  BUS  LOADING 

WHEN  POSSIBLE,  AC  BUS  LOADING  WILL  BE  SELECTED  TO  PROVIDE 
SEPARATE  POWER  SOURCES  TO  REDUNDANT  EQUIPMENT  AND  TO  BALANCE 
BUS  LOADS. 


The  highest  level  of  power  redundancy  should  be  maintained.  It  is  advisable  to  maintain  near  equal 
loading  on  all  buses  in  the  event  that,  if  a  single  FC  powers  two  main  buses,  it  will  not  be  overstressed. 


VOLUME  A  11/21/02  FINAL,  PCN-1  ELECTRICAL  9-37 

Verify  that  this  is  the  correct  version  before  use. 


NASA  -  JOHNSON  SPACE  CENTER 


FLIGHT  RULES 


A9-154  AC  LOAD  MANAGEMENT  DURING  ASCENT 

A.  ONLY  THE  FOLLOWING  AC  SWITCHABLE  LOADS,  WHOSE  RECOVERY  CANNOT 

BE  DELAYED  UNTIL  POST-MECO,  MAY  BE  RECONFIGURED  PRE-MECO: 

1.  FREON  PUMPS  (IF  ONLY  ONE  FREON  LOOP  AFFECTED,  SWITCH 
WITHIN  6  MINUTES;  IF  BOTH  FREON  LOOPS  AFFECTED,  SWITCH 
ASAP) 

2.  RAD  BYPASS  VALVES  (ONLY  FOR  LOSS  OF  FES  OR  FREON  LOOP(S) 
AFFECTED) 

3.  RAD  ISOLATION  VALVES  (FOR  AN  UNEXPLAINED  LEAKING  LOOP 
ATTEMPT  ISOLATION  ASAP;  IF  LEAK  RATE  CAN  SUPPORT  MECO  AND 
AC  CRITICAL,  DELAY  ACTION  UNTIL  POST-MECO)  ®[040899-2568A] 

4.  AVIONICS  BAY  FANS  (SWITCH  WITHIN  3  MINUTES  IF  A  POWERED 
GOULD  TACAN  IS  LOCATED  IN  AFFECTED  AV  BAY.  IF  AV  BAY  3A 
UPGRADED  FOR  ENHANCED  COOLING,  THE  FAN  WILL  NOT  BE 
SWITCHED . ) 

5.  OMS/RCS  VALVES 

6.  APU/HYD  WSB  CONTROLLER  (ONLY  AFTER  HIGH  TEMP  FDA  ALERT) 

7.  H20  LOOP  PUMPS  (ONLY  IN  THE  EVENT  OF  AVIONICS  AIR  TEMP 
FDA) 

8.  CREW  SEAT  OPERATIONS  (ONLY  IF  CONSIDERED  MANDATORY  BY 
THE  CREW)  ®[040899-2568A] 

B.  AC  CIRCUIT  BREAKERS  WHICH  HAVE  OPENED  WILL  NOT  BE  RESET 

PRE-MECO  UNLESS  THE  FUNCTION  IS  CRITICAL  AND: 

1.  THE  MCC  HAS  CONFIRMED  THAT  THE  CB(S)  DID  NOT  OPEN  BECAUSE 
OF  A  SHORT,  OR: 

2.  THE  MCC  CONFIRMS  THAT  BOTH  SSME  CONTROLLERS  ON  THE 
AFFECTED  BUS  HAVE  BEEN  LOST,  OR: 

3.  LOSS  OF  THE  FUNCTION  IS  CONSIDERED  TO  BE  A  GREATER  RISK 
THAN  LOSS  OF  THE  TWO  AFFECTED  SSME  CONTROLLERS. 
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A9-154  AC  LOAD  MANAGEMENT  DURING  ASCENT  (CONTINUED) 

C.  FOR  A  SHORTED  OR  STALLED  AC  LRU,  WHEN  RECONFIGURATION  IS 
DELAYED  UNTIL  POST-MECO,  THE  POWER  WILL  BE  REMOVED  PRE-MECO. 

D.  AC  EQUIPMENT  WITH  MULTIPLE  POWER  SOURCES  WILL  NOT  BE 
RECONFIGURED  TO  AN  ALTERNATE  SOURCE  PRE-MECO. 

E.  IF  PRE-MECO  AND  A  SSME  HAS  LOST  SSMEC  REDUNDANCY,  SWITCHING 
OF  REDUNDANT  HARDWARE  ON  TO  A  CRITICAL  AC  BUS  WILL  BE  DELAYED 
AS  LONG  AS  POSSIBLE. 

F.  IF  NEEDED,  ANY  UNSHORTED  EQUIPMENT  THAT  HAS  BECOME  UNPOWERED 
MAY  BE  REPOWERED  PRE-MECO. 

Under  normal  circumstances,  the  startup  transients  of  three-phase  motors  will  not  introduce  a  voltage 
transient  on  an  ac  bus  that  would  affect  a  Space  Shuttle  main  engine  controller  (SSMEC).  However, 
switching  such  equipmen  t  increases  the  risk  of  causing  severe  voltage  transients  since  cm  unknown  short 
circuit  may  be  presen  t  on  the  previously  unpowered  circuitry.  By  limiting  the  reconfiguration  of  ac  loads 
to  those  absolutely  required,  this  risk  can  be  minimized. 

Those  loads  that  may  be  reconfigured  prior  to  MECO  include  the  Freon  pumps  since  they  provide 
vehicle  cooling,  radiator  bypass  valve  motors  to  obtain  radiator  flow  for  cooling  if  toted  FES  fails  or  to 
determine  if  there  is  blockage  in  the  bypass  leg  of  the  Freon  loop  when  Freon  flow  is  low,  avionics  bay 
fans  since  they  are  required  to  provide  cooling  to  the  Gould  TACAN’s  (an  ac  powered  LRU  that  has  been 
shown  to  short-circuit  within  5  min  utes  following  loss  of  cooling),  OMS/RCS  valves  since  they  are 
required  in  malfunction  cases,  leak  isolation  or  propellant  dump  operations,  and  the  crew  seat  motors 
since  they  may  be  needed  due  to  reach  or  visual  problems.  Reconfiguration  of  these  items  cannot  wait 
until  MECO. 

With  one  Freon  loop  down  and  one  good  Freon  loop,  corrective  actions  can  be  delayed  for  6  minutes  (at 
ascen  t  power  loads)  without  any  violation  of  any  orbiter  thermal  limits  (ref.  RI  Analysis  SEH-ITA-80-055T). 

However,  if  both  Freon  loops  are  affected,  troubleshooting  of  the  Freon  loops  will  occur  ASAP.  The  loss 
of  both  Freon  loops  is  cm  RTLS/TAL  abort.  Switching  of  Freon  pumps  and  moving  the  Rad  bypass  valves 
or  RAD  isolation  valves  may  be  required  to  determine  the  status  of  the  Freon  loops  before  cm  abort  call 
can  be  made.  Additionally,  a  Freon  loop  leak  that  is  obsen’cible  during  ascent  is  a  large  leak  and  will 
require  first  day  PLS  if  no  action  is  taken.  The  radiator  isolation  valve  may  isolate  the  leak  and  allow 
mission  extension  to  MDF.  ®[040899-2568A] 

THIS  RULE  CONTINUED  ON  NEXT  PAGE 


VOLUME  A  06/20/02  FINAL  ELECTRICAL  9-39 

Verify  that  this  is  the  correct  version  before  use. 


NASA  -  JOHNSON  SPACE  CENTER 


FLIGHT  RULES 


A9-154  AC  LOAD  MANAGEMENT  DURING  ASCENT  (CONTINUED) 

The  SODB  indicates  the  Gould  TACAN’s  are  the  only  avionics  bay  equipment  that  may  be  expected  to 
fail  because  of  the  loss  of  cm  avionics  bay  fan  during  the  powered  flight  time  period.  When  the  Gould 
TACAN  fails  due  to  the  loss  of  cooling,  the  ac  transien  t  generated  could  cause  loss  ofSSMEC 
redundancy  on  two  SSME’s.  The  TACAN’ s  could  be  unpowered  for  ascent  since  ample  time  exists,  even 
during  an  RTLS,  for  their  activation  before  they  are  required.  However,  access  to  TACAN’ s  would 
require  an  MS  to  unbuckle  to  reach  the  switches  since  they  are  located  beyond  the  reach  of  the  crew 
while  seated.  The  redundant  avionics  bay  fans  are  checked  about  12  hours  prior  to  launch.  Therefore, 
switching  to  the  redundant  avionics  bay  fan  appears  to  be  of  less  risk  than  having  a  crewmember 
unrestrained  in  an  attempt  to  turn  on  the  TACAN’s  during  an  abort.  The  avionics  fan  will  be  switched 
within  3  min  u  tes  after  loss  of  origin  al  fan  (ref.  SODB  Table  34.32-1,  note  h). 

The  Enhanced  Middeck  Cooling  modification  will  place  cabin  fans  in  Av  Bay  3 A  vice  the  normal 
avionics  fans.  Because  of  the  large  startup  AC  transient  associated  with  these  type  fans,  the  Av  Bay 
3 A  fans  will  not  be  switched,  in  powered  flight,  if  the  modification  is  in  place.  Vehicles  with  cabin 
fans  installed  in  Av  Bay  3A  will  also  have  Collins  TACAN’s  which  are  free  air  cooled.  Switching 
fans  pre-MECO  will  not  be  necessary.  ®[040899-2568A] 

Following  the  loss  of  a  water  loop  pump  or  APU/HYD  WSB  controller,  reconfiguration  can  wait  until 
post-MECO  without  great  risk  to  the  equipment.  Should  real-time  data  indicate  that  the  temperatures 
are  out  of  limits,  then  action  will  be  taken  in  order  to  preserve  the  necessary  equipmen  t  prior  to  MECO. 
Reconfiguring  of  affected  ac  equipmen  t  prior  to  MECO  may  be  attempted  since  this  action  may  reduce 
the  risk  of  further  problems.  Temperature  violations  are  not  expected  pre-MECO.  Cabin  fan,  IMU  fan, 
and  humidity  separator  reconfiguration  is  not  required  until  post-MECO. 

If  a  circuit  breaker  has  opened,  it  could  very  well  be  due  to  a  short  circuit.  If  both  SSME  con  trollers 
have  been  lost  (due  to  the  short),  or  if  a  short  was  not  the  problem,  then  the  cb(s)  may  be  reset  if  needed 
to  regain  a  critical  function.  Resetting  a  cb  that  has  opened  due  to  a  short  would  further  expose  SSME 
con  trollers  (if  not  already  lost)  while  the  chance  of  a  successful  reset  would  be  min  imal. 

AC  LRU’s  with  alternate  power  sources  should  not  be  reconfigured  since  an  electrical  short  in  the 
LRU  will  place  the  short  on  the  affected  ac  bus;  and,  by  switching  the  source  power,  the  short  will  be 
transferred  to  another  ac  bus.  During  ascen  t,  this  could  result  in  the  loss  of  one  SSME  and  total  loss 
of  redundancy  for  the  two  remaining  SSME’s. 

If  Pre-MECO  and  a  SSME  has  lost  con  troller  redundancy,  switching  of  redundan  t  hardware  on  to  a 
critical  ac  bus  bill  be  delayed  as  long  as  possible.  By  delaying  switching  to  after  “Press  to  MECO ”  or 
“Single  Engine  Press”  (if  possible),  even  in  the  unlikely  event  the  alternate  fan  or  pump  is  stalled  and 
causes  a  transien  t  on  a  critical  bus,  the  orbiter  could  still  make  it  to  orbit  with  the  loss  of  a  SSME. 

If  an  LRU  is  not  shorted  and  was  operating  nominally,  but  somehow  became  deactivated,  then  it  can  be 
repowered  pre-MECO,  if  it  is  required.  Since  the  shutdown  and  startup  of  the  LRU  would  be  on  the 
same  ac  bus,  multiple  SSMEC’s  could  not  be  affected. 

DOCUMENTATION:  SODB  3.4. 5.2-1. 
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AC  INVERTER  THERMAL  LIFE 

INVERTER/AC  BUS  WILL  BE  DISCONNECTED  IMMEDIATELY  IF: 

THE  AC  VOLTAGE  IS  CONFIRMED  >130,  OR 

THE  AC  VOLTAGE  IS  <95  AS  CAUSED  BY  A  S HORT/ OVERLOAD ,  OR 

BOTH  MAIN  ENGINE  CONTROLLERS  POWERED  BY  THAT  BUS  ARE 
NONFUNCTIONAL  (POST-MECO  OR  MCC  VERIFIED  FAILED  PRE-MECO) 
AND  : 

a.  THE  AC  VOLTAGE  IS  CONFIRMED  <108,  OR 

b.  THE  AC  VOLTAGE  IS  CONFIRMED  >123,  OR 

C.  A  SHORT /OVERLOAD  CONDITION  EXISTS. 

AC  equipment  is  only  guaranteed  to  operate  from  110  to  120  volts.  If  the  voltage  is  >  123  ( C&W  high 
limit),  the  potential  exists  to  damage  LRU’s  on  the  bus.  If  the  voltage  is  <  108  ( C&W  low  limit),  leaving 
the  inverter  connected  to  the  bus  can  result  in  a  load  on  the  remaining  two  phases,  or  maintaining  power 
to  a  short  circuit  if  an  overload  exists.  These  risks  will  be  accepted  for  a  short  duration  of  time  (until 
MECO)  providing  that  at  least  one  of  the  affected  main  engine  con  trollers  is  still  functioning.  Only  the 
MCC  can  verify  controller  operation.  If  the  voltage  is  >  130,  then  the  main  engine  controllers  should 
not  be  functional  and  damage  could  occur  to  other  equipment  on  the  bus.  If  the  voltage  is  <95  and 
caused  by  a  short/overload  condition,  then  the  engine  controllers  will  probably  not  be  functional,  and 
leaving  the  inverter  on  line  and  feeding  the  short  creates  afire  hazard.  This  rule  is  consistent  with  the 
philosophy  expressed  in  Rule  (A9-104AJ,  MAIN  BUS  SHORT. 

DOCUMENTATION:  SODB  4. 5. 6.2. a,  ICD-13M15000,  engineering  judgment. 

B.  MECO  THROUGH  EOM  LANDING  WITH  COOLING: 


.  7 

(6.76) 

AMPS 

CONTINUOUS 

.  6 

(8.6) 

AMPS  ( 

130  PERCENT)  5 

HOURS 

1 .  1 

(10.1 

)  AMPS 

(150  PERCENT) 

30  MINUTES 

THIS  RULE  CONTINUED  ON  NEXT  PAGE 


A9-155 

A.  THE 

1  . 

2  . 
3. 


VOLUME  A  06/20/02  FINAL  ELECTRICAL  9-41 

Verify  that  this  is  the  correct  version  before  use. 


NASA  -  JOHNSON  SPACE  CENTER 


FLIGHT  RULES 


A9-155  AC  INVERTER  THERMAL  LIFE  (CONTINUED) 

4.  14.4  (13.4)  AMPS  (200  PERCENT)  2  MINUTES 

POWERDOWN  WILL  BE  PERFORMED  AS  REQUIRED  TO  MEET  THE 
7.7  (6.7)  AMPS  CONTINUOUS  LOAD  CRITERIA. 

These  values  represent  the  output  power  capability  of  the  inverters  under  various  load  conditions  with 
nominal  orbiter  cooling. 

DOCUMENTATION:  SODB.  4. 5.6. 3. 1.8. 


WITHOUT 

COOLING: 

1  . 
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These  values  represen  t  the  output  power  capability  of  the  inverters  under  various  load  conditions  without 
cooling  (extrapolated  from  test  data). 

DOCUMENTATION:  Westinghouse  Elec.  Corp.,  Aerospace  Elec.  Div.,  Lima ,  Ohio,  Engineering 
Development  Lab,  Report  No.  LY21018,  April,  1980,  Test  Report  on  150  percent  Overload  and  no 
Coolant  Tests,  Space  Shuttle  750  VA  Power  Static  Inverter. 

NOTES:  1.  AC  BUS  CURRENT  VALUES  ARE  BASED  ON  BUS  LOAD  POWER 

FACTORS  OF  0.8  LAGGING  WITH  COOLING  AND  0.85  LAGGING 
WITHOUT  COOLING. 

The  use  of  0.8  power  factor  with  cooling  was  to  be  able  to  give  inverter  output  capability  at  a  specific 
power  factor  so  the  values  could  be  easily  compared.  The  SODB  gives  the  output  capability  at  various 
loads  at  various  power  factors.  The  test  data  for  inverter  capability  with  no  cooling  used  a  power  factor 
of  0.85. 
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A9-155  AC  INVERTER  THERMAL  LIFE  (CONTINUED) 

2.  AC  INVERTER  PHASE  CURRENTS  WILL  BE  USED  TO  PREDICT 
INVERTER  THERMAL  LIFE.  INVERTER  CURRENT  WILL  BE 
CALCULATED  BY  VECTORI ALLY  SUMMING  ITS  AC  BUS  CURRENT 
WITH  A  2.95  AMP  CAPACITOR  LOAD. 

THE  INVERTER  CURRENTS  WILL  BE  CALCULATED  USING  THE 
FOLLOWING  EXPRESSION: 

IL 1 8  7  ?  i;us  ?  «I„S%FIVIW 

WHERE:  liNV  =  INVERTER  CURRENT 
lBUS  =  AC  BUS  CURRENT 

PF  =  PREDICTED  BUS  POWER  FACTOR  (MINUS  FOR  LAGGING) 


The  ac  current  transducer  is  located  downstream  from  the  inverter  output  capacitor.  Inverter 
thermal  constraints  are  based  on  its  output  amperage  upstream  of  the  capacitor  (no  temperature 
readout  is  available).  Due  to  the  ac  V-I  phase  shift  with  reactive  loads,  the  measured  amps  must  be 
vectorially  summed  with  the  output  capacitor  load  to  determine  the  actual  inverter  load.  This 
calculation  differentiates  a  theoretical  inverter  load  which  is  covered  by  specifications  from  a  bus 
load  by  a  10-microfcirad  capacitor  located  on  the  output  of  the  inverter. 

DOCUMENTATION:  Information  provided  by  Westinghouse  Elect.  Corp. 
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A9-156  LOSS  OF  SINGLE-PHASE  AC 

A.  IF  ANY  SINGLE-PHASE  BUS  IS  SHORTED,  IT  WILL  BE  ISOLATED  FROM 
BOTH  THE  INVERTER  AND  ITS  THREE-PHASE  AC  LOADS.  THE  AFFECTED 
THREE-PHASE  "GANGED"  CB'S  WILL  BE  OPENED  TO  ISOLATE  THESE 
LOADS  FROM  THE  SHORTED  BUS.  THE  SUB-BUSES  POWERED  BY  THESE 
CB'S  WILL  BE  CONSIDERED  LOST. 


Single-phase  shorts  will  be  isolated  from  the  three-phase  loads  so  that  the  remaining  two  phases  will  not 
be  loaded  by  the  short  by  motor  transformer  coupling. 

B.  IF  ANY  SINGLE-PHASE  BUS  IS  LOST,  BUT  NOT  SHORTED,  ONLY  THE 
AFFECTED  SINGLE-PHASE  LOADS  WILL  BE  ISOLATED  FROM  THE  BUS. 
ALL  THREE-PHASE  LOAD  CB'S  WILL  REMAIN  CLOSED. 


Single-phase  loads  will  be  isolated  from  the  lost  ac  bus  so  that  the  remaining  two  phases  will  not  be 
loaded  by  motor  transformer  coupling. 

C.  IF  A  SINGLE-PHASE  BUS  IS  LOST  FROM  AC2  OR  AC3  AND  A 
DEACTIVATED  CABIN  FAN  IS  AFFECTED,  THEN  IT  MUST  BE 
DEMONSTRATED  ON  THE  AFFECTED  CABIN  FAN  THAT  IT  CAN 
SUCCESSFULLY  START  ON  THE  REMAINING  TWO  PHASES  IN  ORDER  TO 
CONTINUE  TO  NOMINAL  EOM .  OTHERWISE,  THE  CABIN  FAN  IS 
CONSIDERED  TO  BE  LOST. 


Ground  tests  of  the  start  capability  of  the  cabin  fan  on  two  phases  was  marginal.  Therefore,  start 
capability  on  two  phases  should  be  demonstrated  on  orbit  before  continuing  to  nominal  EOM. 

D.  AFTER  ALL  REQUIRED  BUS  ISOLATION  HAS  BEEN  PERFORMED,  THREE- 
PHASE  EQUIPMENT  WILL  BE  ALLOWED  TO  OPERATE  ON  THE  TWO 
REMAINING  PHASES,  WITH  THE  EXCEPTION  OF  THE  0  AND  FREON 
PUMPS  WHICH  WILL  BE  SWITCHED  TO  AN  ALTERNATE  POWER  SOURCE  OR 
PUMP  . 


The  two-phase  operation  of  the  Freon  and  H2O  pumps  results  in  loss  of  flow  capability  that  is  significant 
enough  to  warrant  switching  pumps  or  power  sources.  All  other  motors  are  capable  of  operating  on  two 
phases. 

Rule  {A9-1001},  ELECTRICAL  GO/NO-GO  CRITERIA,  references  this  rule. 
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A9-157  LOSS  OF  TWO-PHASE  AC 

IF  TWO  PHASES  OF  A  THREE-PHASE  ARRAY  ARE  LOST,  MULTIPLE  PHASE  AC 
LOADS  WILL  BE  DISCONNECTED  SO  THAT  THE  REMAINING  SINGLE  AC  PHASE 
CAN  REMAIN  POWERED . 


Attempted  operation  of  three-phase  equipment  with  only  one  good  phase  results  in  stall  currents  on  the 
good  remaining  phase.  The  multiphase  loads  will  be  removed  so  that  normal  operation  of  single-phase 
loads  can  be  resinned. 


A9-158  AC  POWER  TRANSFER  CABLE 

A.  THE  AC  POWER  TRANSFER  CABLE  WILL  BE  USED  TO  REPOWER  A  THREE- 
PHASE  BUS  WHEN  TWO  OR  MORE  OF  ITS  INVERTERS  ARE  FAILED.  ALL 
INVERTERS  WILL  BE  DISCONNECTED  FROM  THE  FAILED  THREE-PHASE 
BUS  BEFORE  CONNECTING  THE  CABLE.  CRITICAL  EQUIPMENT  WILL  BE 
POWERED  THROUGH  THE  CABLE;  HOWEVER,  AC  CURRENT  PER  PHASE  WILL 
BE  LIMITED  TO  3  AMPS.  A  THREE-PHASE  AC  BUS  REGAINED  BY  USE 
OF  THIS  CABLE  WILL  BE  CONSIDERED  ACCEPTABLE  FOR  MDF  PROVIDED 
CRITICAL  LRU'S  CAN  BE  POWERED. 

The  IFM  procedure  describes  the  concept  of  using  an  “extension  cord”  from  a  reliable  ac  bus  utility 
outlet  to  power  another  ac  bus  through  its  utility  outlet.  A  maximum  of  3  amps  per  phase  is  due  to  the 
size  of  the  utility  outlet  circuit  breakers.  This  load  will  always  include  the  FC  pumps  (coolan  t  and  FI 2) 
and  may  include  any  other  required  equipment  as  long  as  the  total  continuous  load  does  not  exceed  3 
amps.  An  MDF  will  be  declared  for  this  failure  since  the  next  worst  failure  (loss  of  the  FPC  bus 
powering  the  inverters  used  to  recover  the  lost  ac  system)  would  result  in  the  loss  of  two  ac  systems  and 
the  associated  fuel  cells.  (The  ac  power  transfer  cable  would  be  used  to  regain  one  ac  system,  if  the 
second  failure  occurred  on  orbit.) 

B.  FOR  LOSS  OF  TWO  OF  THREE  PHASES  ON  AN  AC  BUS  (UNSHORTED),  A 
ONE  ORBIT  DELAY  PRIOR  TO  A  DEORBIT  BURN  WILL  BE  INVOKED,  IF 
NECESSARY,  TO  INSTALL  THE  AC  TRANSFER  CABLE,  REGAINING  THE  AC 
BUS.  A  1-DAY  DELAY  IS  ACCEPTABLE  IF  INSTALLATION  OF  THE  AC 
TRANSFER  CABLE  IS  REQUIRED  TO  MAINTAIN  TWO-FC  ENTRY 
CAPABILITY. 


Loss  of  the  ac  bus  causes  loss  of  a  fuel  cell  and  some  critical  ac  loads.  It  is  preferable  to  delay  to  install 
the  cable  and  regain  the  fuel  cell  and  critical  ac  loads. 

DOCUMENTATION :  FDF,  IFM  Checklist,  All  Vehicle,  AC  Power  Transfer  Cable  Installation,  pg.  A-3. 
Also,  a  list  of  possible  loads  to  repower  is  in  the  FPC  bus  loss  SSR’s  in  the  Orbiter  Malfunction 
Procedures  Book. 

Rule  (A- 1001},  ELECTRICAL  GO/NO-GO  CRITERIA,  references  this  rule. 
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A9-159  MOTOR  CONTROL  ASSEMBLY  (MCA) 

INDIVIDUAL  MCA  BUS  POWER  MAY  BE  CYCLED  AS  REQUIRED  TO  PROTECT  A 
BUS  FROM  SHORTED  MOTOR  LOADS  OR  TO  REMOVE  A  "FAILED  ON"  MOTOR 
LOAD  FROM  A  BUS . 


Shorts  will  always  be  isolated  from  the  rest  of  the  electrical  power  and  distribution  system.  It  also  may 
be  necessary  to  remove  power  to  a  failed-on  motor  to  protect  the  motor  for  future  use  during  the  flight. 


A9-160  CAUTION  AND  WARNING  (C&W)  [CIL] 

A.  PRIMARY  C&W  SYSTEM  PARAMETERS  THAT  ARE  NOT  OPERATIONALLY 
FUNCTIONING  WILL  BE  INHIBITED  TO  EXTINGUISH  ANNUNCIATION 
LIGHTS . 

Primary  C&W  system  parameters  that  are  not  operationally  functioning  will  be  inhibited  to  extinguish 
annunciation  lights  so  that  they  will  not  mask  other  parameters  using  the  same  light  for  alarm 
annunciation  or  in  terfere  with  recognition  of  new  malfunctions. 

B.  BACKUP  C&W  PARAMETERS  THAT  GENERATE  NUISANCE  ALARMS  WILL  BE 
INHIBITED . 

Backup  C&W  parameters  that  generate  nuisance  alarms  will  be  inhibited  because  by  definition  the 
nuisance  alarms  provide  no  new  information  for  system  operations  and  distract  the  flight  crew  from 
other  activities. 

C.  THE  PRIMARY  AND  BACKUP  C&W  LIMIT  VALUES  WILL  BE  MAINTAINED 
THE  SAME . 

The  primary  C&W  limits  and  backup  C&W  limits  will  be  the  same  to  ensure  fail-safe  operations  in 
alerting  the  flight  crew  to  perform  necessary  safing  reconfiguration. 

D.  A  FAILED  PRIMARY  C&W  SYSTEM  MAY  REMAIN  POWERED  AND  ENABLED 
TO  RETAIN  TONE  CAPABILITY  PROVIDED  NO  NUISANCE  ALARMS  ARE 
GENERATED . 

A  failed  primary  C&W  system  may  remain  powered  and  enabled  to  retain  tone  capability  if  no 
nuisance  alarms  are  generated  in  order  to  provide  redundancy  in  audio  tones  for  the  backup  C&W 
system.  Redundant  alarm  tones  are  not  required  when  they  are  a  nuisance  and  distract  the  flight  crew 
from  other  activities. 


THIS  RULE  CONTINUED  ON  NEXT  PAGE 
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A9-160  CAUTION  AND  WARNING  (C&W)  [CIL]  (CONTINUED) 

E.  FOLLOWING  THE  LOSS  OF  C&W  POWER  SUPPLY  A  OR  B,  ONE  OF  THE 
FOLLOWING  ACTIONS  WILL  BE  PERFORMED: 

1 .  REDUNDANTLY  POWER  THE  REMAINING  C&W  POWER  SUPPLY  SO  THAT 
LOSS  OF  ANY  ESSENTIAL  BUS  WILL  TRIGGER  AN  AUDIBLE  ALARM. 

2.  DEDICATE  A  CREWMEMBER  TO  CONTINUOUSLY  MONITOR  CRT 
MESSAGES  FOR  LOSS  OF  ESS2CA  DA2  AFTER  LOSS  OF  C&W  SYSTEM 
A  OR  ESS1BC  DAI  AFTER  LOSS  OF  C&W  SYSTEM  B  (NO  AUDIBLE 
ALARMS) . 

3.  PLACE  AFFECTED  FC  IN  STANDBY  AFTER  LOSS  OF  C&W  SYSTEM  A 
(FC  2)  OR  AFTER  LOSS  OF  C&W  SYSTEM  B  (FC  1) . 


Failure  of  ESS1BC  DAI  (ESS2CA  DA2)  after  loss  of  C&W  power  supply  B(A)  will  not  be  aurally 
annunciated.  The  FC  1(2)  coolant  pump  will  stop,  and  the  flight  crew  must,  within  a  few  minutes,  shut 
down  the  fuel  cell  to  prevent  a  catastrophic  failure  due  to  overheating.  The  flight  crew  must 
continuously  monitor  displays  so  that  a  failure  will  be  detected  and  appropriate  actions  to  safe  the 
orbiter  can  be  taken.  Restoration  of  power  to  a  lost  C&W  power  supply  or  establishment  of  redundant 
power  to  the  remaining  power  supply  may  be  accomplished  by  performing  C&W  ELECTRONICS  UNIT 
CONTINGENCY  POWER  IFM  procedure  and  will  allow  audible  alarms  if  an  essential  bus  is  lost. 

Standby  operation  of  the  associated  FC  will  preclude  the  time-critical  ESS  bus/coolant  pump  failure 
mode.  (Ref.  Rules  { A9-1B j,  FUEL  CELL  (FC)  LOSS  [CIL];  [A2-104]  A.5.b  and  { A2-104A}.6 ,  SYSTEMS 
RED  UNDANCY  REQ  UIREMENTS. ) 

A9-161  HYDRAULIC  CIRCULATION  PUMP  OPERATION 

NORMALLY,  A  HYDRAULIC  CIRC  PUMP  WILL  NOT  BE  STARTED  ON  A  MAIN  BUS 
THAT  POWERS  THE  PRIMARY  PAYLOAD  BUS  WHILE  SPACEHAB  IS  ACTIVATED. 
AN  EXCEPTION  WOULD  BE  IF  REACTION  TO  PREVENT  LOSS  OF  A  HYDRAULIC 
SYSTEM  DID  NOT  PERMIT  TIME  FOR  POWER  RECONFIGURATION,  IF 
REQUIRED.  @[092701-4872] 

The  voltage  ripple  caused  by  the  startup  of  a  hydraulic  circ  pump  is  greater  than  the  Spacehab  interface 
control  document  (ICD)  requirements.  Critical  orbiter  systems  take  precedence  over  payload  systems  if 
those  orbiter  systems  are  in  jeopardy. 

Reference:  Spacehab  PIP.  ®[ED  ]  @[092701-4872] 

A9-162  THROUGH  A9-200  RULES  ARE  RESERVED 
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CRYOGENIC  LOSS/FAILURE  DEFINITIONS 


A9-201  02  (H2)  MANIFOLD 

AN  C>2  (H2)  MANIFOLD  IS  CONSIDERED  LOST  IF  UNABLE  TO  ISOLATE  A 
PRSD  SYSTEM  LEAK  OF  >  10  LB/HR  (C£)  OR  1  LB/HR  (H2)  TO  THE 
MANIFOLD  ASSOCIATED  TANK ( S ) ,  FUEL  CELL,  OR  PCS  SYSTEM. 

The  O2  manifold  leak  rate  at  which  the  manifold  would  be  considered  failed  was  derived  to  cover  the 
worst  case  in  which  a  tank  near  residual  quantities  of  approximately  10  percent  could  be  required  to 
supply  the  leak  and  two  fuel  cells  at  entry  power  levels.  Entry  power  levels  will  require  about  5  Ib/hr  per 
fuel  cell  or  10  Ib/hr  total.  The  flow  capacity  of  an  O2  tank  ( with  single  heater)  near  10  percent  quantity 
is  approximately  20  Ib/hr.  Therefore  the  maximum  leak  rate  that  can  be  tolerated  on  top  of  the  required 
fuel  cell  flow  is  10  Ib/hr. 

DOCUMENTATION :  SODB  figure  4.4.2-16  and  engineering  judgment. 

The  H2  manifold  leak  rate  at  which  the  manifold  would  be  considered  failed  was  derived  from  a  study 
which  concluded  that  the  isolation  or  reduction  of  an  H2  leak  to  less  than  2  Ib/hr  before  entry  is 
mandatory  to  eliminate  a  possible  hazardous  concentration  during  entry /landing.  Additionally,  H2 
leaks  less  than  1  Ib/hr  result  in  nonflammable  H2  concentrations  throughout  entry.  Therefore,  1  Ib/hr 
leak  rate  was  chosen  to  provide  a  margin  of  safety. 

DOCUMENTATION :  Engineering  judgment. 
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A9-202  CRYO  TANK 

A  CRYO  TANK  IS  CONSIDERED  LOST  IF: 

A.  ALL  CRYO  HEATERS  IN  THE  AFFECTED  TANK  ARE  DEFINED  AS  LOST. 

The  addition  of  heat  into  the  cryogenic  reactant  is  the  method  used  to  extract  fluid  from  the  tank.  With 
the  loss  of  tank  heaters,  the  only  flow  available  from  a  tank  is  that  corresponding  to  tank  heat  leak  which 
is  negligible  compared  to  normal  requirements.  Therefore ,  the  tank  is  considered  lost  for  all  practical 
purposes. 

DOCUMENTATION:  SODB ,  H2  figure  4.4. 1-6,  4.4.2-9  and  02  figure  4.4.1-11,  4.4.2-17. 

B.  ELECTRICAL  POWER  DEMAND  CANNOT  BE  SUPPORTED  BY  THE  TANK. 

If  the  cryo  tank  cannot  be  depended  on  to  support  normal  electrical  power  levels,  declaring  it  lost  guards 
against  the  next  tank  failure  for  GO/NO-GO  rule  implementation  purposes.  The  management  philosophy 
that  consumables  will  determine  mission  duration  for  a  single  tank  loss  still  applies;  therefore,  the  tank 
can  be  used  to  extend  the  mission  as  long  as  practical,  but  a  subsequent  tank  failure  would  be  considered 
two  tanks  lost  for  entering  the  GO/NO-GO  matrix  to  determine  the  appropriate  action.  This  rule  is 
intended  to  cover  the  blocked  filter  and  the  failed  closed  check  valve  scenarios. 

DOCUMENTATION :  Engineering  judgment. 

C.  CRYO  TANK  PRESSURE  CANNOT  BE  MAINTAINED  ABOVE  THE  TWO-PHASE 
SATURATION  PRESSURE  OF  THE  FLUID. 

If  the  pressure  goes  significantly  below  the  saturation  pressure,  there  is  a  possibility  that  the  fluid  would 
go  two-phase  ( under  normal  operating  pressures  the  fluid  is  always  single  phase).  The  tank  can  be 
repressurized  with  the  tank  heaters;  however,  the  danger  is  that,  if  the  fluid  is  two-phase,  some  areas  of 
the  heater  surface  may  be  in  the  gaseous  region  and  localized  overtemperatures  could  occur  that  would 
not  necessarily  be  indicated  by  the  heater  surface  temperature.  Overtemperature  in  the  02  tank  could 
result  in  ignition  of  Teflon  in  the  tank.  Overtemperature  in  the  H2  tank  could  result  in  damage  to  the 
tank  structure. 

DOCUMENTATION :  SODB,  paragraph  3. 4.4.2,  and  EGIL  Console  Handbook,  SCP  2.8.6. 

Rule  {A2-205},  EMERGENCY  DEORBIT,  references  this  rule. 
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A9-203  CRYO  TANK  ANNULUS  VACUUM 

A  CRYO  TANK  ANNULUS  VACUUM  IS  CONSIDERED  LOST  IF: 

A.  A  TANK  LEAK  OF  ANY  SIZE  HAS  BEEN  IDENTIFIED. 

Leakage  from  the  pressure  vessel  into  the  annulus  vacuum  will  cause  the  burst  disk  to  open  on  the  girth 
ring  of  the  tank  assembly  when  the  pressure  difference  exceeds  60  ±25  psid.  Very  small  leaks  into  the 
annulus  resulting  in  total  gas  in  the  annulus  of  as  little  as  0.1  Ibm  H2  or  0.7  Ibm  O2  (at  gas  temperature 
of  70  deg  F)  will  result  in  this  pressure  differential.  Since  the  exact  location  of  a  pressure  vessel  leak 
cannot  be  identified,  it  must  be  assumed  for  worst-case  purposes  that  the  leak  is  from  the  pressure  vessel 
into  the  annulus. 

DOCUMENTATION :  Engineering  judgment. 

B.  EXCESSIVE  HEAT  LEAK  INTO  THE  TANK  HAS  BEEN  IDENTIFIED  WHEN 
THE  HEATERS  ARE  UNPOWERED. 

In  atmospheric  flight,  air  entering  the  annulus  will  increase  the  heat  transfer  into  the  tank.  In  orbit, 
small  pressure  vessel  leaks  into  the  annulus,  prior  to  the  burst  disk  opening,  will  result  in  increased  heat 
leak  into  the  tank  from  the  outer  shell  because  of  conduction  through  the  gas  in  the  annulus.  This  heat 
leak  into  the  tanks  may  not  always  be  readily  detectable. 

DOCUMENTATION :  Orbiter  Hazard  Reassessment  ORBI 281,  Qualification  Test  Report  for  PRSD 
Vacuum  Lost  Test,  Ball  Aerospace  Division  (TM06,BR16425),  and  engineering  judgment. 

Rule  (A9-252GJ,  CRYO  HEATER  MANAGEMENT  FOR  ORBIT  [CIL],  references  this  rule. 
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A9-204  CRYO  HEATER 

A  CRYO  HEATER  IS  CONSIDERED  LOST  IF: 

A.  O2/H2  CRYO  HEATER  TEMPERATURE  CANNOT  BE  MAINTAINED  BELOW 
350  DEG/200  DEG  F  (INSTRUMENTATION  ERROR  INCLUDED) . 

The  O2  heater  temperature  was  set  on  the  basis  of  the  auto  ignition  temperature  of  Teflon  (700  deg  F) 
contained  in  the  quantity  probe.  The  350  deg  includes  a  200  deg  F  margin  and  takes  into  account  sensor 
lag  (50  deg  F),  analytical  and  instrumentation  error  (50  deg  F),  and  the  delta  T  between  the  temperature 
sensor  and  the  maximum  point  (50  deg  F).  The  FI 2  tank  maximum  heater  temperature  is  200  deg  F  to 
prevent  potential  damage  to  the  tank  structure.  ®[ED  ] 

DOCUMENTATION :  SODB,  paragraph  3. 4. 4.2;  and  NASA  memo,  Oxygen  tank  heater  temperature 
limit,  02/04/71. 

Rule  { A9-252F ),  CRYO  HEATER  MANAGEMENT  FOR  ORBIT  [CIL],  references  this  rule. 

B.  AN  O2  DELTA  CURRENT  SENSOR  TRANSITIONS  TO  "TRIP"  WHILE  ITS 
HEATER  IS  RECEIVING  POWER. 

If  a  delta  current  sensor  trips  while  a  heater  is  receiving  power,  it  is  considered  highly  possible  that  a 
short  had  developed  in  the  heater.  The  consequences  of  repowering  a  shorted  heater  elemen  t  are  so 
grave  that  it  would  not  be  considered  for  mission  success. 

DOCUMENTATION :  Flight  experience,  Apollo  13,  and  engineering  judgment. 

C.  BOTH  O2  DELTA  CURRENT  SENSORS  TO  THE  HEATER  ARE  LOST. 

Without  a  delta  current  sensor,  a  heater  short  would  be  a  single  point  catastrophic  failure.  This  is  not 
an  acceptable  risk  to  accomplish  mission  objectives. 

DOCUMENTATION :  Flight  experience,  Apollo  13,  and  engineering  judgment. 
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A9-205  O?  DELTA  CURRENT  SENSOR 

AN  C>2  DELTA  CURRENT  SENSOR  IS  CONSIDERED  LOST  IF: 

A.  THE  O2  DELTA  CURRENT  SENSOR  DOES  NOT  INHIBIT  THE  A  OR  B 
HEATER  WHEN  TESTED. 

If  a  sensor  test  does  not  inhibit  the  heater  when  tested,  it  is  assumed  that  the  sensor  would  not  function  if 
an  actual  heater  short  were  to  occur.  @[061297-6005  ] 

DOCUMENTATION :  Engineering  judgment. 

B.  THE  O2  DELTA  CURRENT  SENSOR  TRANSITIONS  TO  "TRIP"  WHEN  NO 
POWER" IS  BEING  APPLIED  TO  THE  HEATER  ELEMENT,  AND  A  RESET 
DOES  NOT  REMOVE  THE  "TRIP"  STATUS. 

A  “trip”  due  to  an  actual  heater  short  cannot  occur  unless  a  heater  is  being  powered.  The  inability  to 
reset  the  “trip”  status  indicates  a  failed  sensor. 

DOCUMENTATION :  Engineering  judgment. 

C.  THE  O2  DELTA  CURRENT  SENSOR  LATCHING  LOGIC  WILL  NOT  REMAIN 
TRIPPED  ONCE  THE  SENSOR  HAS  TRANSITIONED  TO  "TRIP". 

The  delta  current  sensor  will  automatically  shut  down  the  defective  heater  circuit  in  less  than  5 
milliseconds  if  a  differential  current  of  greater  than  0.91  ampere  is  sensed,  but  once  the  sensor  has 
tripped,  the  short  has  been  removed  and  the  sensor  will  allow  heater  reactivation.  The  function  of  the 
latching  logic  is  to  ensure  that  the  heater  remains  disabled  after  it  has  been  shut  down  or  tripped 
offline.  A  heater  element  with  a  short  that  could  not  be  automatically  shut  down  would  be  a  single 
poin  t  catastrophic  failure.  This  is  not  an  acceptable  risk  to  accomplish  mission  objectives. 

DOCUMENTATION :  Engineering  judgment. 


A9-206  THROUGH  A9-250  RULES  ARE  RESERVED 
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CRYOGENIC  SYSTEMS  MANAGEMENT 


A9-251  CRYO  HEATER  MANAGEMENT  FOR  ASCENT 

A.  THE  A  HEATERS  IN  CRYO  TANKS  1  AND  2  WILL  BE  ENABLED  FOR 
LIFT-OFF.  THE  B  HEATERS  IN  CRYO  TANKS  1  AND  2  WILL  BE 
ENABLED  POST-OMS-1 . 

Tank  heaters  will  be  enabled  for  launch  in  an  attempt  to  maintain  system  pressurization.  Only  one 
heater  per  tank  is  used  to  minimize  power  load  transients.  In  the  event  of  a  fuel  cell/main  bus  loss  during 
ascent,  electrical  power  usage  is  critical.  Since  cryo  heaters  are  normally  not  required,  it  is  desirable  to 
lose  as  many  cryo  heaters  as  possible  with  loss  of  a  fuel  cell  or  main  bus  during  ascen  t.  Since  the  A 
heaters  are  more  susceptible  to  bus  failures  (loss  of  either  of  two  main  buses  causes  loss  of  heater)  than 
the  B  heaters  (requires  loss  of  particular  main  bus  to  lose  heater ),  the  A  heaters  will  be  used  for  launch. 

DOCUMENTATION :  Engineering  judgment. 

B.  SHOULD  AN  RTLS  BE  REQUIRED  FOR  A  CABIN  LEAK,  BOTH  HEATERS  IN 
CRYO  O2  TANKS  1  AND  2  SHOULD  BE  ACTIVATED. 

In  an  RTLS  case,  the  O2  tanks  have  to  supply  flow  to  both  the  LES  and  fuel  cell  demand.  Since  the  LES's 
are  used  through  touchdown,  all  heaters  in  O2  tanks  1  and  2  are  activated  to  assure  adequate  flow 
capability  in  this  circumstance.  (Refer  to  Rule  ( A17-201A  j,  CABIN  PRESSURE  INTEGRITY. ) 
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A9-252  CRYO  HEATER  MANAGEMENT  FOR  ORBIT  [CIL] 

A.  CRYO  HEATER  AND  CONTROLLER  OPERATION,  IN  ALL  TANKS,  WILL 
BE  VERIFIED  AS  SOON  AS  PRACTICAL,  BASED  UPON  BALLAST/CG 
REQUIREMENTS  AND  STANDARD  CRYOGENIC  MANAGEMENT  PLAN. 

®[071 494-1 653A] 

A  system  health  check  on  all  tanks  is  required  to  determine  flight  duration  and  to  formulate  any  off- 
nominal  cryo  management  plan.  Should  a  cryo  controller  be  discovered  to  be  failed,  and  AUTO  cryo 
heater  control  capability  be  lost  in  a  tank,  MANUAL  heater  operations  would  be  required.  This  may 
place  constraints  on  crew  activities.  Therefore,  it  is  desirable  to  discover  controller  failures  early  in 
the  mission  when  latitude  is  available  for  timeline  replanning.  There  is  no  safety  of  flight  requirement 
to  check  out  cryo  controllers.  Normally,  Orbiter  Tank  Sets  1-5  will  be  checked  out  during  the  first 
24  hours  of  the  flight.  Heaters  in  the  EDO  Tank  Sets  will  be  enabled  per  the  cryo  management  plan. 

®[071 494-1 653A] 

DOCUMENTATION :  Engineering  judgment  and  flight  data. 

B.  A  DELTA  CURRENT  SENSOR  CHECK  WILL  BE  PERFORMED  ONCE  PER 
FLIGHT  EXCEPT  IN  A  TANK  WHERE  A  REAL  CURRENT  SENSOR  TRIP 
(HEATER  SHORT)  HAD  OCCURRED.  IF  A  SENSOR  FAILS,  A  SENSOR 
CHECK  WILL  BE  PERFORMED  ON  THE  REDUNDANT  SENSOR  EACH  DAY  THAT 
THE  AFFECTED  HEATERS  ARE  USED.  @[061297-6005] 

The  purpose  of  the  delta  current  sensors  is  to  protect  against  heater  shorts  internal  to  the  tank.  The 
delta  current  sensors  are  tested  to  ensure  that  a  trip  and  heater  inhibit  will  occur  if  a  heater  is  shorted. 

If  the  sensors  fail  the  test,  the  affected  heater(s)  will  not  be  used.  @[061297-6005  ] 

Flight  Rule  {A9-255A},  O2  DELTA  CURRENT  SENSOR,  states  that  a  delta  current  sensor  that  had 
transitioned  to  “trip”  while  its  associated  heater  is  receiving  power  will  not  be  reset,  ensuring  that  the 
heater  will  not  be  operated.  If  the  remaining  heater  in  that  tank  is  required  for  use,  it  will  not  be 
possible  to  test  and  reset  the  delta  current  sensor  in  the  operating  heater  without  also  resetting  the 
tripped  sensor  ( one  switch  tests  and  resets  all  delta  current  sensors  in  a  tank).  Therefore,  no  current 
sensor  tests  will  be  conducted  in  that  tank. 

DOCUMENTATION :  Engineering  judgment. 

C.  IF  AUTO  CRYO  HEATER  CONTROL  IS  LOST,  THE  HEATERS  IN  THE 
AFFECTED  TANK  OR  TANK  SET  WILL  BE  MANUALLY  CYCLED  DURING  CREW 
AWAKE  PERIODS.  TANK  QUANTITY  BALANCING  WILL  BE  MAINTAINED. 
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A9-252  CRYO  HEATER  MANAGEMENT  FOR  ORBIT  [CIL] 

(CONTINUED) 


If  auto  heater  control  is  lost ,  the  crew  must  manually  cycle  the  heaters  in  order  to  use  the  tank.  The 
management  plan  is  followed  in  order  to  balance  quantities  in  the  tanks  and  to  minimize  the  impact  of  a 
single  failure  on  consumables  and  mission  duration. 


DOCUMENTATION :  Engineering  judgment. 

D.  A  CRYO  HEATER  THAT  IS  DEFINED  AS  LOST  WILL  BE  DEACTIVATED  BY 
PLACING  ITS  CORRESPONDING  SWITCH  IN  THE  "OFF"  POSITION.  IF 
POSSIBLE,  CRYO  MANAGEMENT  WILL  BE  MODIFIED  TO  EXPEDITE 
DEPLETION  OF  THE  AFFECTED  TANK.  THE  EXPEDITED  TANK  DEPLETION 
WILL  BE  TERMINATED  WHEN  THE  NOMINAL  MISSION  DURATION  PLUS  TWO 
EXTENSION  DAYS  CAN  BE  ACCOMPLISHED  IF  THE  REMAINING  HEATER 
FAILS  (LOSS  OF  TANK) .  IN  ANY  CASE,  THE  TANK  WILL  NOT  BE 
DEPLETED  PAST  THE  FOLLOWING  POINTS: 

1.  FOR  TANK  1  AND  2:  MINIMUM  QUANTITY  TO  GUARANTEE  USAGE  TO 
SUPPORT  ITS  ASSOCIATED  FC/MN  BUS  FOR  A  NEXT  PLS  IN  THE 
EVENT  THAT  ITS  MANIFOLD  BECOMES  ISOLATED. 

2.  MINIMUM  QUANTITY  WHICH  WILL  ALLOW  CLOSURE  OF  ONE  MANIFOLD 
VALVE  FOR  EACH  SLEEP  PERIOD  FOR  THE  NOMINAL  MISSION 
DURATION  PLUS  TWO  EXTENSION  DAYS,  IF  REQUIRED.  IF  TANK  1 
OR  2  IS  THE  AFFECTED  TANK,  ITS  ASSOCIATED  MANIFOLD  VALVE 
WILL  NOT  BE  CLOSED  FOR  SLEEP  PERIODS,  IF  POSSIBLE,  TO 
PROTECT  AGAINST  A  FAILED  MANIFOLD  VALVE. 


The  reference  to  the  switch  position  is  made  so  cm  O2  delta  current  sensor  “trip"  will  not  be  considered 
as  a  way  of  heater  deactivation  without  further  action.  If  the  failure  occurs  in  tank  1  or  2,  the  affected 
tank  will  be  used  until  the  total  quantity  remaining  in  the  unaffected  tanks  will  support  the  nominal 
mission  duration  plus  two  extension  days.  However ,  tank  1  or  2  will  not  be  depleted  because  the  next 
worst  failure  (center  manifold  leak)  could  result  in  loss  of  two  fuel  cells.  If  the  failure  occurs  in  any  one 
of  tanks  3  through  9,  the  same  next  failure  would  result  in  loss  of  one  fuel  cell.  If  the  failure  occurs  in 
tanks  3  through  9,  the  affected  tank  will  be  immediately  depleted.  Also,  sufficient  quantity  must  remain 
in  the  tank  so  that  a  manifold  valve  may  be  closed  during  crew  sleep.  However,  if  other  tanks  can  be 
used  ( e.  g. ,  modified  ctyo  management),  then  the  sufficient  quantity  requiremen  t  is  met  by  the  other  tanks. 
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A9-252  CRYO  HEATER  MANAGEMENT  FOR  ORBIT  [CIL] 

(CONTINUED) 


E.  AN  C>2  CRYO  HEATER  WITH  ONE  OF  TWO  DELTA  CURRENT  SENSORS  LOST 
WILL  BE  DEACTIVATED  BY  PLACING  ITS  CORRESPONDING  SWITCH  IN 
THE  "OFF"  POSITION,  UNLESS  DOING  SO  WOULD  RESULT  IN  LOSS  OF 
THE  TANK. 


If  mission  success  can  be  performed  without  the  use  of  the  affected  heater,  then  it  is  an  unnecessary  risk 
to  continue  to  operate  that  heater  with  loss  of  the  current  sensor  redundancy.  With  loss  of  a  current 
sensor  on  each  string  in  a  tank  (failure  of  the  cb  powering  both  current  sensors ),  normal  operation  will 
continue  since  there  is  one  current  sensor  left  on  each  string  and  this  sensor  will  be  verified  operational 
at  least  once  a  day  ( ref.  paragraph  B).  The  old  ideology  of  depleting  the  tank  is  considered  to  be  an 
unnecessary  increase  of  risk,  due  to  operation  of  the  heaters  more  often  than  normal. 

Rule  {A9-205},  O2  DELTA  CURRENT  SENSOR,  references  this  rule. 

F.  A  CRYO  HEATER  THAT  CONTINUES  TO  BE  POWERED  AFTER  PLACING 
ITS  CORRESPONDING  SWITCH  IN  THE  "OFF"  POSITION  WILL  BE 
DEACTIVATED  BY  PERFORMING  THE  FOLLOWING:  [CIL] 

1.  AN  ATTEMPT  WILL  BE  MADE  TO  DEACTIVATE  AN  C£  HEATER  BY 

PERFORMING  A  CURRENT  LEVEL  DETECTOR  TEST.  IF  REQUIRED, 
THE  HEATER  CAN  STILL  BE  USED  MANUALLY  BY  OPERATION  OF  THE 
CURRENT  LEVEL  DETECTOR  SWITCH  (TEST/RESET  FOR  HEATER 
OFF/ON) . 


An  O2  heater  that  fails  on  for  more  than  9  hours  after  depletion  of  the  tank  to  residual  levels  will  risk 
exceeding  the  thermal  limits  of  the  tank.  Prior  to  this  though,  the  heater  surface  temperature  will  exceed 
the  flight  rule  limit  of 350  deg  F  for  O2  ( ref  Rule  {A9-204A},  CRYO  HEATER). 

DOCUMENTATION:  FMEAJC1L  No.  M5-6MB-2029M1-2. 

2.  IF  REQUIRED,  AN  H2  HEATER  OR  AN  02  HEATER  WILL  BE 

DEACTIVATED  BY  DROPPING  THE  MAIN  BUS  THAT  POWERS  THE 
HEATER.  THE  MAIN  BUS  MAY  BE  BROUGHT  UP  FOR  ENTRY  IF  THE 
TANK  QUANTITY  ALLOWS  CONTINUOUS  HEATER  OPERATION  WITHOUT 
VIOLATING  HEATER  TEMPERATURE  LIMITS. 


If  the  use  of  the  current  level  detector  function  for  O2  or  any  potential  IFM  for  either  O2  or  H2  is  not 
successful,  dropping  a  main  bus  is  the  only  option. 

THIS  RULE  CONTINUED  ON  NEXT  PAGE 


VOLUME  A  06/20/02  FINAL  ELECTRICAL  9-56 

Verify  that  this  is  the  correct  version  before  use. 


NASA  -  JOHNSON  SPACE  CENTER 


FLIGHT  RULES 


A9-252  CRYO  HEATER  MANAGEMENT  FOR  ORBIT  [CIL] 

(CONTINUED) 


An  H2  heater  that  fails  on  for  more  than  35  hours  after  depletion  of  the  tank  to  residual  levels  will  risk 
exceeding  the  thermal  limits  of  the  tank.  Prior  to  this,  however,  the  heater  surface  temperature  will 
exceed  the  flight  rule  limits  of 350  deg/200  deg  F for  O2/FI2  (ref  Rule  {A9-204A},  CRYO  HEATER). 
Based  on  quantity  and  fuel  cell  flowrate,  the  heater  could  pressurize  the  tank  and  manifold  until  relieved 
by  the  overboard  relief  valve.  Cracking  of  the  relief  valve  could  cause  ingestion  of  cry o  into  the 
midbody,  which  is  a  hazardous  condition.  However,  the  alternative  is  performing  entry  with  two  main 
buses  that  could  put  the  orbiter/crew  at  greater  risk. 

DOCUMENTATION :  Engineering  judgment,  FMEA/CIL  No.  M5-6MB-2027M1-2,  and  SODB  paragraph 
4. 4. 2. 6. 2/4. 4. 2. 7. 2. 

G.  AN  O2  (H2)  TANK  THAT  HAS  LOST  ITS  ANNULUS  VACUUM  WILL  BE 
DEPLETED  PRIOR  TO  ENTRY. 

Loss  of  annulus  vacuum  in  a  PRSD  02  (H2)  (ref.  Rule  {A9-203J,  CRYO  TANK  ANNULUS  VACUUM) 
tank  would  result  in  overboard  venting  of  O2  (H2)  through  the  relief  ports  near  compartment  vent  doors. 
In  atmospheric  flight,  atmosphere  will  enter  the  annulus  and  increase  the  heat  transfer  to  the  tank.  An 
uncontrollable  pressure  rise  would  result  until  the  overboard  relief  opens.  Ingestion  of  vented  H2 
through  open  vent  doors  may  result  in  the  accumulation  of  a  flammable/explosive  environment  in  orbiter 
compartments  during  entry.  The  possible  H2  flowrates,  as  determined  by  testing,  vary  from  120  Ib/hr 
(100  percent  quantity)  to  240  Ib/hr  (40  percent  quantity)  to  2.5  Ib/hr  (10  percent  quantity).  Depletion  of 
the  affected  H2  tank  will  reduce  the  H2  available  to  be  vented  and  minimize  venting  flowrates.  If  the 
relief  valve  is  opened  during  en  try  due  to  an  O2  tank  vacuum  loss,  verification  of  that  valve  will  have  to 
be  performed  during  ground  turnaround.  Depletion  of  the  affected  O2  tank  prior  to  en  try  will  reduce  the 
chance  of  opening  the  relief  valve. 

DOCUMENTATION :  Orbiter  Hazard  Reassessment  ORBI 281,  Qualification  Test  Report  for  PRSD 
Vacuum  Lost  Test,  Ball  Aerospace  Systems  Division  (TM06,  BR16425 ),  FMEA/CIL  No.  04-1B-TK010-2, 
04-1B-TK0  30-2. 
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A9-253  CRYO  TANK  HEATER  TEMPERATURE  MANAGEMENT 

CRYO  HEATERS  WILL  BE  MANAGED  TO  PRECLUDE  HEATER  TEMPERATURES 
EXCEEDING  350  DEG  FOR  O2  (INSTRUMENTATION  ERROR  INCLUDED)  AND  200 
DEG  F  FOR  H2 .  O2/H2  FLUID  TEMPERATURES  WILL  BE  MANAGED  TO 

PRECLUDE  EXCEEDING  160  DEG.  @[052401-4643] 

The  O2  heater  temperature  was  set  on  the  basis  of  the  auto  ignition  temperature  of  Teflon  (700  deg  F) 

(in  the  quantity  gauging  probe).  The  350  deg  includes  a  200  deg  F  margin  and  takes  into  account  sensor 
lag  (50  deg  F),  analytical  and  instrumentation  error  (50  deg  F),  and  the  delta  T  between  the  temperature 
sensor  and  the  maximum  point  (50  deg  F).  The  FI 2  tank  maximum  heater  temperature  is  200  deg  F  to 
prevent  potential  damage  to  the  tank  structure. 

DOCUMENTATION :  SODB.  paragraph  3. 4. 4.2,  and  NASA  memo,  Oxygen  Tank  Heater  Temperature 
Limit,  02/04/71. 

A9-254  CRYO  HEATERS  DEACTIVATION 

AT  APPROXIMATELY  50  (53)  PERCENT  QUANTITY,  ONE  SET  OF  G»  CRYO 

HEATERS  WILL  BE  DEACTIVATED  IN  THE  AFFECTED  TANK. 

With  both  heater  sets  activated  in  an  02  tank,  the  heater  surface  temperature  will  begin  to  increase 
exponentially  at  lower  quantities  and  could  exceed  350  deg  F.  Therefore,  below  about  50  percent 
quantity,  one -half  of  the  heaters  in  each  tank  are  disabled  to  minimize  heater  temperature. 

DOCUMENTATION:  SODB,  3.1. 4.2-7,  and  flight  data. 
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A9-255  02  DELTA  CURRENT  SENSOR 

A.  IF  AN  O2  DELTA  CURRENT  SENSOR  TRANSITIONS  TO  "TRIP"  WHILE 
ITS  HEATER  IS  RECEIVING  POWER,  IT  WILL  NOT  BE  RESET  AND 
THE  HEATER  WILL  NOT  BE  USED  UNLESS  REQUIRED  FOR  PREVENTION 
OF  LOSS  OF  CREW  AND  VEHICLE. 

THE  REDUNDANT  HEATER  IN  THE  TANK  WILL  BE  UNPOWERED  AND  USED 
ONLY  TO:  COMPLETE  THE  NOMINAL  MISSION  DURATION,  PROVIDE  AUTO 
HEATER  CONTROL  WHEN  THE  MANIFOLD  VALVE (S)  CLOSES,  OR  ALLOW 
USE  OF  TANKS  1  AND  2  FOR  ENTRY. 

The  purpose  of  the  heater  delta  current  sensors  is  to  provide  automatic  protection  against  O2  tank 
internal  electrical  shorts  that  could  cause  explosions.  In  the  event  of  a  sensor  trip,  a  reset  of  the  sensor 
will  not  be  attempted  and  the  heater  will  be  deactivated  for  safety.  A  reset  and  heater  use  would  be 
allowed  if  the  vehicle  encountered  extreme  circumstances. 

The  unaffected  heater  in  the  tank  will  be  unpowered  because,  although  it  is  not  considered  likely,  a  short 
on  one  of  two  heater  elemen  ts  in  an  O2  heater  assembly  could  poten  tially  damage  an  adjacent  heater.  It 
is  prudent  to  unpower  all  heaters  which  could  be  affected  if  loss  of  the  tank  does  not  impact  the  mission 
duration.  The  unaffected  heater  may  also  be  used  to  allow  manifold  valves  to  be  closed  during  crew 
sleep  and  for  entry,  if  required. 

DOCUMENTATION :  Flight  experience  and  Apollo  13. 

B.  RESET  OF  A  TRIPPED  DELTA  CURRENT  SENSOR  ON  AN  UNPOWERED 
CIRCUIT  CAN  BE  PERFORMED.  THE  ASSOCIATED  HEATER  WILL  BE 
LEFT  OFF  UNLESS  REQUIRED  TO  PREVENT  LOSS  OF  THE  TANK.  IF  THE 
HEATER  MUST  BE  POWERED,  THE  SUSPECT  SENSOR  WILL  BE  UNPOWERED. 

Two  reasons  exist  for  the  reset:  to  allow  determination  of  failure  status  (hard  fail  or  inadvertent  trip); 
and  performing  the  daily  sensor  test  (no  reset  would  lock  out  rest  of  tank).  It  is  undesirable  to  use  a 
heater  string  with  a  failed  sensor  (see  Rule  {A9-252E},  CRYO  HEATER  MANAGEMENT  FOR  ORBIT 
[  CIL]).  Loss  of  the  tank  is  considered  to  be  a  greater  impact  than  operation  of  a  heater  string  with 
only  one  delta  current  sensor. 

DOCUMENTATION :  Engineering  judgment. 
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A9-256  CRYO  02 /H2  TANK  QUANTITY  BALANCING 

TANK  MANAGEMENT  WILL  BE  PERFORMED  IN  A  MANNER  WHICH  WOULD 

MINIMIZE  THE  IMPACT  OF  A  TANK  OR  MANIFOLD  LOSS. 

A.  FOR  THREE  TANK  SET  MISSIONS,  TANK  HEATERS  AND  MANIFOLD  VALVES 
WILL  BE  CONFIGURED  DURING  THE  PRE /POSTSLEEP  PERIODS  TO 
MAINTAIN  QUANTITY  BALANCE  AMONG  ALL  TANKS.  @[082593-1532] 

B.  FOR  MISSIONS  WITH  FOUR  OR  MORE  TANK  SETS,  ONE  TANK  IN  THE 

CENTER  MANIFOLD  (PREFERABLY  TANK  3)  WILL  BE  HELD  IN  RESERVE, 
AND  THE  ADDITIONAL  CENTER  MANIFOLD  TANKS  (TANKS  4,  5,  AND  6-9) 

WILL  BE  DEPLETED  AS  SOON  AS  PRACTICAL. 

1.  FOR  OV-102  WHERE  TANK  5  IS  PRESENT,  TANKS  4  AND  5  WILL  BE 
DEPLETED  FIRST,  FOLLOWED  BY  EQUAL  DEPLETION  OF  ANY  EDO 
TANKS  (6-9) . 

2.  FOR  OV-105,  OR  OV-102  WITHOUT  TANK  5,  THE  ADDITIONAL 
CENTER  MANIFOLD  TANKS  WILL  BE  MANAGED  TO  PROVIDE  QUANTITY 
BALANCE  AMONG  THEMSELVES  AS  THEY  ARE  DEPLETED. 

C.  FOR  FORWARD  CG  PROBLEMS  PREDICTED  DURING  NEOM  OR  EARLY  ENTRY, 
CONSIDERATION  WILL  BE  GIVEN  TO  THE  FOLLOWING: 

1.  FOR  MISSIONS  WITH  ADDITIONAL  MARGIN,  CONSIDERATION  WILL 
BE  GIVEN  TO  LEAVING  CRYO  IN  THE  CENTER  MANIFOLD  TANKS 
(4-9)  AS  OPPOSED  TO  DEPLETING  THE  TANKS.  THE  AMOUNT 
AVAILABLE  TO  REMAIN  IN  THE  TANKS  (4-9)  IS  THE  DIFFERENCE 
BETWEEN  THE  CURRENT  TOTAL  QUANTITY  MINUS  THE  MISSION 
REQUIREMENTS  AND  REDLINE  QUANTITIES.  THIS  DIFFERENCE 
SHOULD  BE  THE  CURRENT  MARGIN  AVAILABLE. 
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A9-256  CRYO  02 /H2  TANK  QUANTITY  BALANCING  (CONTINUED) 

2.  FOR  MISSIONS  WITHOUT  MARGIN,  TANKS  1,  2,  AND  3  WILL  BE 
USED  AS  NECESSARY,  EARLIER  THAN  NORMALLY  PLANNED,  IN 
COMBINATION  WITH  THE  CENTER  MANIFOLD  TANKS  TO  MAINTAIN 
THE  REQUIRED  CG .  MINIMUM  TANK  QUANTITY  AS  DEFINED  IN 
RULE  { A9-252D } . 1 ,  2,  CRYO  HEATER  MANAGEMENT  FOR  ORBIT 
[CIL] ,  WILL  NOT  BE  VIOLATED. 

When  flying  with  four  or  more  tank  sets,  a  manifold  leak  could  cause  loss  of  all  tanks  in  the  cen  ter 
manifold  (as  many  as  seven  tanks).  Depletion  of  these  tanks  first  minimizes  the  time  exposure  where  a 
large  number  of  tanks  could  be  lost.  While  depleting  these  tanks,  their  quantity  will  be  balanced  to 
minimize  the  impact  of  a  single  tank  loss.  The  exception  to  this  philosophy  is  OV-102,  where  a  five-tank 
configuration  leaves  O2  tanks  4/5  with  single  heaters,  and  H2  tanks  4/5  with  a  common  check  valve. 

This  makes  it  desirable  to  deplete  these  tanks,  followed  by  equal  depletion  of  any  EDO  tanks.  Tank  3  is 
the  preferred  center  manifold  tank  to  hold  in  reserye  since  its  switches  are  accessible  during  entry. 

For  the  forward  CG  missions,  the  mission  margin  may  be  used  to  adjust  the  CG.  This  will  be 
accomplished  by  leaving  the  margin  in  the  center  manifold  tanks,  which  are  normally  depleted. 

Tanks  1  and  2  will  be  held  in  reserye  for  entry.  For  extension  requiremen  ts,  if  the  margin  is 
required,  the  quantity  reserved  in  the  center  tanks  will  be  used  and  the  tanks  will  be  depleted.  A 
cryo  managemen  t  plan  that  allows  quan  tity  balancing  between  the  forward  cryo  tanks  and  the 
center  manifold  tanks  will  alleviate  the  necessity  to  carry  additional  ballast  to  control  forward  CG. 

DOCUMENTATION :  Engineering  judgment. 

Rule  {A9-262},  EDO  PALLET  MANAGEMENT  references  this  rule. 
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A9-257  POWER  REACTANT  STORAGE  AND  DISTRIBUTION  (PRSD)  H2 

AND  02  REDLINE  DETERMINATION 

THE  REDLINE  (AMOUNT  CONSIDERED  UNAVAILABLE  FOR  NORMAL  MISSION 
OPERATIONS)  CONSISTS  OF: 

A.  TANK  RESIDUALS  (H2  =  4  PERCENT  IN  EACH  OF  TWO  TANKS, 

2.5  PERCENT  IN  REMAINING  H2  TANKS,  02  =  6.5  PERCENT  IN 
ALL  TANKS) . 

B.  MEASUREMENT  ERROR  RSS ' ED  FOR  THE  NUMBER  OF  TANKS.  INDIVIDUAL 
TANK  ERROR  IS  2.6  PERCENT. 

C.  A  2-DAY  MISSION  EXTENSION  PAST  THE  PLANNED  LANDING.  THE 
ON-ORBIT  POWER  LEVEL  DURING  THESE  2  DAYS  WILL  BE  BASED  ON 
A  PRIORITY  POWERDOWN  GROUP  C  CONFIGURATION  (REF.  RULE 

{ A2-108 } ,  CONSUMABLES  MANAGEMENT),  PLUS  ANY  PAYLOAD 
SURVIVAL  POWER.  ONE  DEORBIT  PREP  ON  EACH  EXTENSION  DAY 
(IN  ADDITION  TO  THE  TWO  NORMAL  EOM  DEORBIT  OPPORTUNITIES) 

WILL  BE  BUDGETED  DURING  THESE  2  DAYS.  ©[092800-7247A] 

The  2.5  percent  and  6.5  percent  numbers  are  the  minimum  quantities  guaranteed  to  be  obtainable  prior 
to  reaching  maximum  tank  heater  temperature  limits.  The  4  percent  requirement  in  two  H2  tanks  protect 
for  entry  fuel  cell  flow  demands.  This  assumes  dual  heaters  in  each  of  two  tanks  (400  watts  total)  which 
yields  a  flow  capacity  of 400  x  3.41/750  =  1.8  Ib/hr,  or  approximately  20  kW.  750  is  the  approximate 
dQ/dMfor  the  4  percent  density  fluid  at  200  psia. 


DOCUMENTATION :  Flight  Design  Level  B  Groundrules  and  Constraints  (NSTS  21075);  SODB  3. 4. 4.2, 
4.4.2,  Table  4. 4.2-6;  Rockwell  Internal  Letter  #287 -100-91-MMS-019;  and  NBS  Technical  Note  617. 
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A9-258  CRYO  02  AND  H2  PRESSURE  MANAGEMENT 

CRYO  C>2  AND  H2  PRESSURES  WILL  BE  MANAGED  ACCORDING  TO  THE 
FOLLOWING  CONSTRAINTS: 

A.  MANIFOLD  PRESSURE  UPPER  LIMIT  OF  950  (890)  PSIA  FOR  C£  AND 

270  (250)  PSIA  FOR  H2  . 

Maximum  absolute  pressure  should  be  such  that  the  manifold  relief  valves  do  not  crack.  If  the  manifold 
relief  valves  open  inflight,  a  retest  is  required  before  the  next  flight.  This  is  not  normally  a  planned  test. 
Crack  pressures  are  975  psigfor  oxygen  and  290  psigfor  hydrogen.  The  recommended  maximum 
operating  pressures  are  chosen  to  allow  some  margin  for  pressure  overshoot  and  transducer  error. 

DOCUMENTATION :  Engineering  judgment  and  SODB  4.4.2. 

B.  PEAK-TO-PEAK  PRESSURE  EXCURSIONS  SHALL  NOT  EXCEED  375  PSI  FOR 
OXYGEN  AND  150  PSI  FOR  HYDROGEN. 

Pressure  excursions  of  greater  than  these  values  represent  a  structural  pressure  cycle  on  the  tank.  The 
tanks  are  designed  to  accommodate  a  lifetime  total  of 300  such  pressure  cycles.  With  a  total  lifetime 
requirement  of  100  flights,  only  three  structural  cycles  can  be  experienced  per  flight.  One  cycle  is  used 
during  initial  loading  and  pressurization.  The  other  two  cycles  per  flight  are  intended  for  any  required 
ground  testing  or  checkout. 

DOCUMENTATION:  SODB  3. 4. 4. 2. 9. 

C.  OPERATION  OF  THE  CRYO  TANK  HEATERS  IN  A  TWO-PHASE  FLUID  WILL 
BE  AVOIDED. 

1.  FOR  MANUAL  HEATER  OPERATIONS,  THE  TANK  PRESSURE  WILL  BE 
MAINTAINED  ABOVE  THE  Oz/H-2  CRITICAL  PRESSURES  OF 
731 . 4/187 . 5  PSIA. 

Flight  data  from  STS-51D  shows  that  a  two-phase  condition  existed  in  a  tank  during  manual  operation  of 
the  heaters.  The  expected  condition  of  the  fluid  in  the  tank,  based  on  quantity  and  pressu  re  measure¬ 
ments,  indicated  a  single-phase  condition.  This  situation  possibly  existed  because  the  heaters  boiled  the 
liquid  around  the  elemen  ts  faster  than  the  pressure  rise  could  keep  the  fluid  liquefied.  The  danger  of  this 
is  that  some  areas  of  the  heater  surface  may  be  in  the  gaseous  region  and  localized  overtemperature 
could  occur  that  would  not  necessarily  be  indicated  by  the  heater  temperature  transducer.  For  this 
reason,  operating  heaters  in  this  condition  for  long  periods  of  time  is  unacceptable.  Overtemperature  in 
the  O2  tank  could  result  in  ignition  of  Teflon  in  the  tank.  Overtemperature  in  the  H2  tank  could  result  in 
structural  tank  damage.  Maintaining  super-critical  pressurization  ensures  that  the  fluid  is  single-phase 
at  any  temperature  or  density. 

DOCUMENTATION :  SODB,  paragraph  3.4.4.2,  and  flight  data. 

THIS  RULE  CONTINUED  ON  NEXT  PAGE 


VOLUME  A  06/20/02  FINAL  ELECTRICAL  9-63 

Verify  that  this  is  the  correct  version  before  use. 


NASA  -  JOHNSON  SPACE  CENTER 


FLIGHT  RULES 


A9-258  CRYO  02  AND  H2  PRESSURE  MANAGEMENT  (CONTINUED) 

2.  FOR  SITUATIONS  IN  WHICH  THE  TANK  PRESSURE  GOES  BELOW 
THE  CRITICAL  PRESSURE  BUT  IS  STILL  ABOVE  THE  TWO-PHASE 
SATURATION  PRESSURE,  HEATERS  MAY  BE  USED  (DUAL  HEATERS 
ARE  PREFERRED)  TO  RAISE  THE  PRESSURE  BACK  ABOVE  THE 
CRITICAL  PRESSURE. 

A  two-phase  condition  may  still  exist  depending  on  the  degree  of  stratification  in  the  tank.  Dual  heater 
operation  will  increase  the  pressure  of  the  tank  at  a  faster  rate  and  lessen  the  possibility  of  creating  a 
two-phcise  condition.  This  was  evident  from  the  flight  data  of  STS-51D.  Initially,  when  operating 
manual  heaters,  dual  heaters  were  used  and  no  phase  change  was  observed.  Later  in  the  flight,  single 
heaters  were  used  and  the  pressure  plateaued  at  the  critical  pressure  of  the  fluid.  Once  the  phase  change 
was  complete,  the  pressure  continued  to  rise  at  a  slower  rate  than  before. 

DOCUMENTATION :  Engineering  judgment  and  flight  data. 

3.  IF  THE  TANK  PRESSURE  FALLS  BELOW  THE  TWO-PHASE  SATURATION 
PRESSURE,  THE  HEATERS  WILL  BE  DISABLED  UNTIL  NORMAL  HEAT 
TRANSFER  INTO  THE  TANK  RAISES  THE  PRESSURE  ABOVE  THE  TWO- 
PHASE  SATURATION  PRESSURE.  THE  HEATERS  MAY  BE  OPERATED 
ONLY  IN  A  CONTINGENCY  SITUATION. 

When  the  pressure  falls  below  the  two-phcise  saturation  pressure,  two-phcise  fluid  is  located  throughout 
the  tank.  The  amount  could  be  considerably  more  than  the  situation  created  in  paragraph  2.  The  reason 
for  the  deactivation  is  the  same  as  paragraph  2,  except  that  greater  risk  is  thought  to  be  involved. 

DOCUMENTATION :  Engineering  judgment. 
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A9-259  CRYO  02 /H2  MANIFOLD  VALVES 

MANIFOLD  VALVE  CONFIGURATION  WILL  BE  MANAGED  AS  FOLLOWS: 

A.  AT  LEAST  ONE  MANIFOLD  VALVE  (PER  SYSTEM)  WILL  REMAIN  OPEN, 
EXCEPT  DURING  ISOLATION  PROCEDURES  FOR  LEAKS  EXCEEDING  THE 
CURRENTLY  CONFIGURED  TANK  HEATER  FLOW  CAPACITY.  FOR  THESE 
MAJOR  LEAKS,  BOTH  MANIFOLD  VALVES  WILL  BE  CLOSED.  IF 
NECESSARY,  THE  REACTANT  VALVES  ON  THE  AFFECTED  FUEL  CELL 
WILL  BE  CLOSED  TO  TROUBLESHOOT  THE  LEAK.  A  MANIFOLD  VALVE 
WILL  BE  REOPENED  AS  SOON  AS  POSSIBLE  ONCE  MANIFOLD  INTEGRITY 
IS  RESTORED  OR  VERIFIED. 

The  PRSD  system  was  designed  without  a  relief  valve  in  the  crossover  manifold.  Closure  of  both 
manifold  valves  induces  a  potential  hazard  if  reactant  flow  to  fuel  cell  3  is  stopped  ( e.  g. ,  reactant  valve 
fails  closed).  This  is  due  to  pressure  buildup  from  environmental  heat  flow  into  a  dense  fluid  contained 
within  a  fixed  volume.  An  open  man  ifold  valve  will  provide  relief  through  its  associated  hardware. 

It  is  not  considered  acceptable  to  induce  this  potential  hazard  with  a  normal  manifold  valve 
configuration.  However,  in  the  event  of  a  major  system  leak,  it  is  desirable  to  isolate  as  many  fuel  cells 
from  the  leak  as  quickly  as  possible.  If  the  leak  is  in  manifold  1  or  2,  no  risk  is  induced  by  closure  of  the 
associated  fuel  cell  reactant  valves.  If  the  leak  is  in  the  crossover  manifold,  then  closure  of  the  fuel  cell  3 
reactant  valves  for  a  short  time  period  is  considered  to  be  a  smaller  risk  then  exposing  a  second  fuel  cell 
to  the  leak,  or  performing  an  unorthodox  fuel  cell  shutdown  procedure.  Analytical  and  test  date  indicate 
that  more  than  1  minute  could  elapse  before  the  pressure  in  the  closed  manifold  reaches  the  advertised 
PRSD  component  burst  pressure.  Manifold  valve  testing  at  JSC  indicated  that  the  valves  do  relieve 
overpressures.  However,  relief  pressure  was  in  excess  of  the  advertised  manifold  valve  and  check  valve 
burst. 
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A9-259  CRYO  Q2/H2  MANIFOLD  VALVES  (CONTINUED) 

B.  ASCENT/ENTRY:  ALL  MANIFOLD  VALVES  WILL  NORMALLY  BE  OPEN. 

The  risk  of  pressure  buildup  in  not  considered  to  be  an  acceptable  trade-off  for  protecting  (by  closing 
both  manifold  valves )  against  a  major  PRSD  system  leak.  The  crew  response  time  to  the  leak  is 
considered  to  be  roughly  the  same  as  the  response  time  required  for  the  overpressure  concern  (30  to 
60  seconds ).  Since  closure  of  any  manifold  valve  can  result  in  loss  of  a  fuel  cell  due  to  a  tank  leak, 
both  valves  open  is  considered  to  be  the  best  configuration. 

C.  ORBIT:  ONE  MANIFOLD  VALVE  PER  SYSTEM  WILL  NORMALLY  BE  CLOSED 
FOR  CREW  SLEEP  PERIODS  (SINGLE  SHIFT  OPS) . 

During  sleep,  a  major  PRSD  system  leak  could  cause  loss  of  fuel  cell  pressurization  before  the  crew 
could  respond.  Closure  of  one  valve  will  protect  at  least  one  fuel  cell,  while  not  inducing  a  safety 
hazard.  The  vehicle  can  be  scifed  and  reconfigured  on  orbit  starting  with  a  single  main  bus. 

DOCUMENTATION :  Rockwell  informed  desktop  analysis  on  tank  pressure  blowdown,  SODB  volume  I, 
tables  4.4. 1-2,  4.4. 1-3,  and  4.4. 1-5;  and  engineering  judgmen  t. 
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A9-260  CRYO  SYSTEM  LEAKS  [CIL] 

THE  PRSD  SYSTEM  WILL  BE  MANAGED  AS  FOLLOWS  FOR  SYSTEM  LEAKS: 

A.  ASCENT  (PRE-MECO)  -  ISOLATION  PROCEDURES  WILL  BE  INITIATED  IF 
A  LEAK  CAUSES  THE  PRESSURE  TO  DECAY  BELOW  THE  HEATER  CONTROL 
RANGE.  THE  PRSD  SYSTEM  WILL  BE  CONFIGURED  TO  MAINTAIN  FULL 
CELL  POWER  OUTPUT  BY: 

1.  CLOSING  BOTH  MANIFOLD  VALVES. 

2.  ACTIVATING  ALL  TANK  HEATERS  IN  THE  LEAKING  LEG. 

3.  CLOSING  THE  AFFECTED  PCS  O2  SUPPLY  VALVE  (IF  AN  O2  LEAK). 

By  the  time  that  leak  isolation  procedures  could  be  accomplished,  the  vehicle  is  no  longer  in  atmospheric 
flight.  Therefore,  feeding  the  leak  only  amounts  to  a  loss  of  consumables  and  is  not  a  flammability 
concern.  The  above  actions  are  considered  to  be  the  best  compromise  to  prevent  loss  of  pressurization  to 
two  fuel  cells,  while  still  trying  to  maintain  pressure  to  the  fuel  cell  in  the  leaking  leg. 

B.  ENTRY  (POST-DEORBIT  TIG)  -  ISOLATION  PROCEDURES  WILL  BE 
INITIATED  IF  A  LEAK  CAUSES  THE  PRESSURE  TO  DECAY  BELOW  THE 
HEATER  CONTROL  RANGE.  FOR  H2  LEAKS  WHERE  NO  FUEL  CELLS  HAVE 
PREVIOUSLY  FAILED,  THE  PRSD  SYSTEM  WILL  BE  CONFIGURED  TO 
ISOLATE  OR  REDUCE  THE  LEAK  RATE  BY: 

1.  CLOSING  BOTH  MANIFOLD  VALVES. 

2.  USING  ONLY  THE  STANDARD  HEATER  CONFIGURATION  IN  THE 
LEAKING  LEG  TO  MAINTAIN  PRESSURE. 

3.  SHUTTING  DOWN  THE  AFFECTED  FUEL  CELL. 

FOR  02  LEAKS  OR  FOR  H2  LEAKS  WHERE  ONE  FUEL  CELL  HAS  PREVIOUSLY 
FAILED,  THE  PRSD  SYSTEM  WILL  BE  CONFIGURED  TO  MAINTAIN  FUEL  CELL 
POWER  OUTPUT  IN  ACCORDANCE  WITH  THE  ASCENT  GROUNDRULES. 


Since  a  hydrogen  leak  during  entry  can  result  in  fire  or  explosion,  it  is  considered  less  of  a  risk  to  shut 
down  the  first  fuel  cell  than  to  attempt  hydrogen  leak  isolation.  Consequently,  extra  heat  will  not  be  used 
in  the  leaking  leg  (as  done  for  ascent)  to  overpower  the  leak.  However,  after  TIG,  if  isolation  of  the  leak 
requires  a  fuel  cell  shutdown  leaving  the  orbiter  with  only  one  fuel  cell,  then  the  leak  will  be  allowed  to 
continue  and  extra  heaters  activated.  This  is  because  the  risk  of  recovering  from  the  loss  of  one  main 
bus  and  further  powerdown  (for  loss  of  the  second  fuel  cell)  is  considered  greater  than  the  chance  of  fire 
or  explosion  in  the  midbody. 
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A9-260  CRYO  SYSTEM  LEAKS  [CIL]  (CONTINUED) 


Increased  oxygen  concentrations  from  leaks  are  not  considered  a  significant  enough  risk  to  warrant  fuel 
cell  shutdown  to  attempt  leak  isolation. 


DOCUMENTATION:  Engineering  judgment  and  FMEAJCIL  04-1B-A01FSH-1/FSO-1. 

C.  ORBIT  (MECO  TO  DEORBIT  TIG) : 

1.  TANK  LEAKS  -  CONSUMPTION  OUT  OF  THE  LEAKING  TANK  WILL  BE 
MAXIMIZED.  THE  CONFIGURATION  OPTIONS  ARE  CONTINGENT  ON 
HEATER  FLOW  CAPACITY  (FUNCTION  OF  TANK  QUANTITY)  AND  THE 
SIZE  OF  THE  LEAK.  IN  ORDER  OF  PREFERENCE,  THEY  ARE: 

a.  DEACTIVATE  ALL  OTHER  TANK  HEATERS  (LEAVE  TANKS  1  AND 
2  ACTIVE  IF  LEAK  IS  IN  TANK  3/4/5)  AND  FEED  ALL  FUEL 
CELLS  FROM  THE  LEAKING  TANK.  IF  NECESSARY,  DEORBIT 
WILL  BE  DELAYED  IN  ORDER  TO  DEPLETE  A  LEAKING  H>  TANK 
(FOR  ANY  SIZE  LEAK) .  MANUAL  HEATERS  CAN  BE  USED  TO 
CRACK  THE  TANK  RELIEF  VALVE  IF  NECESSARY  TO  EXPEDITE 
DEPLETION  FOR  A  DEORBIT  OPPORTUNITY. 

b.  FOR  A  TANK  1  OR  2  LEAK,  IF  SUPERCRITICAL  PRESSURE 
CANNOT  BE  MAINTAINED  WITH  OPTION  A,  ISOLATE  TANK  TO 
ITS  MANIFOLD  AND  FEED  ITS  ASSOCIATED  FUEL  CELL. 

C.  IF  SUPERCRITICAL  PRESSURE  CANNOT  BE  MAINTAINED  WITH 

OPTIONS  A  OR  B,  DEACTIVATE  THE  TANK  HEATERS  AND  ALLOW 
THE  PRESSURE  TO  BLEED  DOWN.  THIS  MUST  BE  PERFORMED 
PRIOR  TO  ENTRY.  IF  INSUFFICIENT  TIME  EXISTS  PRIOR  TO 
DEORBIT  TIG  TO  REDUCE  AN  H2  LEAK  TO  <  1  LB/HR,  THEN 
ENTRY  WILL  BE  DELAYED  IF  ADEQUATE  CONSUMABLES  ARE 
AVAILABLE . 


Maximizing  consumption  from  the  leaking  tank  will  minimize  the  amoun  t  of  consumables  lost  due  to  the 
leak.  H2  leaks  >  1  Ib/hr  create  flammable  concentrations  in  the  midbody  during  portions  of  entry  and 
are  considered  to  be  of  more  risk  than  delaying  entry.  Depleting  the  tank  and  allowing  its  pressure  to 
bleed  down  can  aid  in  minimizing  the  leak  rate  and  flammability  concern  during  entry.  If  the  leak 
rate/heater  flow  capacity  will  allow  depletion,  then  deorbit  can  be  waived  off,  if  required,  for  any  size 
leak.  This  is  because  the  smallest  of  leaks  can  fill  the  vacuum  annulus,  pop  the  burst  disk,  and  allow 
convective  heat  transfer  during  entry  to  cause  extremely  high  venting  overboard  (200-300  lb).  It  is 
possible  that  the  ven  ted  H2  could  be  ingested  into  the  midbody  through  the  vents,  creating  a  flammable 
condition. 
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A9-260  CRYO  SYSTEM  LEAKS  [CIL]  (CONTINUED) 


DOCUMENTATION :  Engineering  judgment,  FMEA/CIL  04-1B-A01FSH-1/FSO-1,  and  JSC  Structures 
and  Mechanics  Division  informed  analysis. 


Rule  {A2-301},  CONTINGENCY  ACTION  SUMMARY,  references  this  rule. 

2.  MANIFOLD  OR  FUEL  CELL  LEAKS: 

a.  ORBIT  RECONFIGURATION  -  AT  LEAST  ONE  GOOD  MANIFOLD/ 
FUEL  CELL  WILL  BE  PROTECTED  FROM  THE  LEAK  BY  CLOSURE 
OF  A  MANIFOLD  VALVE  OR  THE  LEAKING  FUEL  CELL  REACTANT 
VALVES.  FOR  MANIFOLD  LEAKS,  THE  ASSOCIATED  TANK ( S ) 
WILL  BE  DEPLETED  AS  SOON  AS  PRACTICAL.  IF  ADEQUATE 
CONSUMABLES  ARE  NOT  AVAILABLE  TO  FEED  THE  LEAK  FOR  AN 
MDF  +  24  HOURS  (PLS  +  24  HOURS  IF  ONE  FUEL  CELL  HAS 
PREVIOUSLY  FAILED) ,  OR  IF  SUPER-CRITICAL 
PRESSURIZATION  CANNOT  BE  MAINTAINED,  THEN  THE  LEAK 
WILL  BE  ISOLATED  (REQUIRING  FUEL  CELL  SHUTDOWN) . 

b.  ENTRY  RECONFIGURATION  -  SEVERAL  OPTIONS  ARE 
AVAILABLE,  BASED  ON  THE  SIZE  OF  THE  LEAK  AND  WHICH 
SYSTEM  (O2  OR  H2 )  IS  AFFECTED: 

FOR  AN  H2  LEAK  <  1  LB/HR  OR  O2  LEAK  OF  ANY  SIZE, 

ENTRY  WILL  BE  PERFORMED  WHILE  FEEDING  THE  LEAK, 
PROVIDING  THAT  SUPER-CRITICAL  PRESSURIZATION  CAN  BE 
MAINTAINED  USING  NORMAL  HEATER  MANAGEMENT.  AT  LEAST 
ONE  GOOD  MANIFOLD/FUEL  CELL  WILL  BE  PROTECTED  FROM 
THE  LEAK  BY  CLOSURE  OF  A  MANIFOLD  VALVE. 

FOR  AN  H2  LEAK  >  1  LB/HR  WHERE  NO  FUEL  CELL  HAS  PRE¬ 
VIOUSLY  FAILED,  THE  LEAK  WILL  BE  ISOLATED  (REQUIRING 
FUEL  CELL  SHUTDOWN)  AND  ENTRY  PERFORMED  ON  TWO  FUEL 
CELLS.  IF  INSUFFICIENT  TIME  EXISTS  PRIOR  TO  DEORBIT 
TIG  TO  REDUCE  THE  LEAK  RATE  TO  <1  LB/HR,  THEN  ENTRY 
WILL  BE  DELAYED  IF  ADEQUATE  CONSUMABLES  ARE  AVAILABLE 

FOR  AN  H2  LEAK  >  1  LB/HR  WHERE  ONE  FUEL  CELL  HAS 
PREVIOUSLY  FAILED,  THE  LEAK  WILL  BE  ISOLATED  (AND 
FUEL  CELL  SHUT  DOWN)  ONLY  IF  SUPER-CRITICAL 
PRESSURIZATION  CANNOT  BE  MAINTAINED.  THE  REMAINING 
FUEL  CELL  WILL  BE  PROTECTED  FROM  THE  LEAK  BY  CLOSURE 
OF  A  MANIFOLD  VALVE. 
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A9-260  CRYO  SYSTEM  LEAKS  [CIL]  (CONTINUED) 

Since  the  plumbing  in  the  affected  manifold  or  fuel  cell  is  no  longer  reliable,  it  must  be  isolated  from  the 
other  manifolds  and  fuel  cells  to  protect  against  rapid  loss  of  pressurization  affecting  all  fuel  cells. 

Since  the  tanks  themselves  do  not  have  isolation  valves,  then  the  only  method  of  stopping  or  minimizing  a 
manifold  leak  is  to  isolate  it  by  closing  one  or  both  manifold  valves,  and  then  depleting  its  associated 
tank(s).  After  this  is  done,  the  manifold  can  be  repressurized/isolated  by  opening/closing  a  manifold 
valve. 

Since  shutdown  of  a  fuel  cell  requires  the  mission  to  be  shortened  to  an  MDF  (PLSfor  loss  of  the 
second  fuel  cell),  and  if  consumables  will  support  the  abbreviated  mission  plus  a  24-hour  extension 
while  feeding  the  leak,  then  no  gain  is  achieved  by  shu  tting  down  the  fuel  cell  while  on  orbit. 

Hydrogen  leaks  of  >  1  Ib/hr  create  flammable  concentrations  during  portions  of  entry  and  are 
considered  to  be  a  greater  risk  than  loss  of  the  first  fuel  cell,  but  not  the  second. 

DOCUMENTATION :  Engineering  judgment,  FMEA/CIL  04-1B-A01FSH-1/FS0-1,  and  JSC  Structures 
and  Mechanics  Division  informal  analysis. 


A9-261  IMPENDING  LOSS  OF  ALL  CRYO 

IN  THE  EVENT  THAT  ALL  RECONFIGURATION  PROCEDURES  HAVE  BEEN 
PERFORMED  FOR  CRYOGENIC  SYSTEMS  FAILURES  AND  THAT  A  CONDITION 
STILL  EXISTS  WHERE  ALL  TANK  AND  MANIFOLD  PRESSURES  ARE 
DECREASING,  THE  EARLIEST  ASCENT  ABORT  MODE  AVAILABLE  WILL  BE 
SELECTED  (REF.  RULE  {A2-54},  RTLS ,  TAL,  AND  AOA  ABORTS  FOR 
SYSTEMS  FAILURES  [CIL]). 


If  the  pressure  cannot  be  maintained  in  at  least  one  cryo  tank  and  manifold,  the  fuel  cells  will  eventually 
stop  producing  electrical  power,  no  matter  what  the  quantity  is  in  the  cryo  tanks.  Since  the  amount  of 
time  available  before  “blowdown  ”  of  the  tanks  is  dependent  on  a  large  number  of  variables,  specific 
numbers  cannot  be  defined  for  the  purpose  of  selecting  the  most  preferred  abort  mode.  Therefore,  this 
condition  warrants  the  selection  of  the  earliest  abort  opportunity. 

DOCUMENTATION :  Engineering  judgment. 

Rules  (A2-54AJ.4,  RTLS,  TAL,  AND  AOA  ABORTS  FOR  SYSTEMS  FAILURES  [CIL];  and  (A2-205AJ.2.b, 
EMERGENCY  DEORBIT.  ®[ED  ] 
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A9-262  EDO  PALLET  MANAGEMENT 

A.  ACTIVATION/DEACTIVATION  -  THE  MAIN  DC  POWER  TO  THE  PALLET 
WILL  BE  ACTIVATED  SHORTLY  AFTER  POST  INSERTION  AND 
DEACTIVATED  IN  DEORBIT  PREP.  INSTRUMENTATION  POWER  WILL  BE 
ACTIVE  FOR  LAUNCH  AND  ENTRY  FOR  THE  PURPOSES  OF  TANK  QUANTITY 
GAUGING  AND  LEAK  DETECTION. 

Since  the  pallet  tanks  are  not  required  for  ascent/entry,  the  main  power  will  be  removed  to  eliminate 
an  unnecessary  path  for  an  electrical  short.  Reference  rule  {A9-108},  CRITICAL  PHASE  BUS 
MANAGEMENT.  The  pressure  and  quantity  instrumentation  was  intentionally  placed  on  a  separate 
power  source  to  allow  quantity  gauging  and  leak  detection. 

B.  TANK  HEATER  MANAGEMENT  -  TANK  QUANTITY  BALANCING  WILL  BE 
PERFORMED  PER  RULE  {A9-256},  CRYO  C£/H2  TANK  QUANTITY 
BALANCING.  IF  THE  SPARE  MDCA-1  (100-AMP  FUSE  SIZE)  IS  USED, 
NORMALLY  ONLY  ONE  SET  OF  HEATERS  WILL  BE  ACTIVATED  WHEN  USING 
A  TANK. 

The  original  design  modification  to  MDCA-1  included  a  100-amp  fuse  to  the  EDO  bus  A  power  feed. 

A  subsequent  design  change  was  performed  which  made  it  possible  to  exceed  100  amps  if  all  the  tank 
heaters  were  activated  simultaneously.  The  second  of  two  units  built  has  a  200-amp  fuse  to  correct 
this  problem.  The  first  unit  (used  as  a  spare)  will  retain  the  100-amp  fuse  until  the  unit  requires 
further  modification.  Single-string  tank  heaters  will  be  used  to  provide  a  margin  of  safety  if  that  box 
is  ever  flown. 


A9-263 


THROUGH  A9-300 


RULES  ARE 
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SPACEHAB  SUPPORT 


A9-301  SPACEHAB  DC  BUSES  ®[iii50i-4986A] 

LOST  IF: 

VOLTAGE  CANNOT  BE  MAINTAINED  ?  24  AND  ?  32  VOLTS  DC.  ®[1 11699-71 13] 

Spacehab  DC  equipment  was  designed  to  operate  within  these  values.  Spacehab  DC  buses  include  Main, 
Emergency,  Subsystem,  and  Inverter  DC.  ®[1 1 1 501 -4986A] 

A9-302  SPACEHAB  AC  INVERTER  ®[i 1 1501 -4986A] 

LOST  IF: 

OUTPUT  VOLTAGES  CANNOT  BE  MAINTAINED  =  105  AND  =  125  VOLTS  AC. 

Spacehab  AC  equipment  was  designed  to  operate  within  these  values.  Spacehab  RDM  has  a  forward  and 
aft  inverter.  ®[1 11501 -4986A] 

A9-303  THROUGH  A9-350  RULES  ARE  RESERVED  ®[i 1 1 501 -4986A] 


VOLUME  A  06/20/02  FINAL  ELECTRICAL  9-72 

Verify  that  this  is  the  correct  version  before  use. 


NASA  -  JOHNSON  SPACE  CENTER 


FLIGHT  RULES 


SPACEHAB  ELECTRICAL  POWER  SUBSYSTEM  (EPS)  MANAGEMENT 


A9-351  ELECTRICAL  POWER  SUBSYSTEM  (EPS)  CONSTRAINTS 

A.  POWER  MANAGEMENT  -  ON-ORBIT  SPACEHAB  POWER  LEVELS  WILL  BE 
MANAGED  BY  THE  SPACEHAB  OPERATIONS  DIRECTOR  (SHOD)  AND 
WILL  BE  MAINTAINED  WITHIN  PREFLIGHT  ALLOCATED  QUANTITIES. 

®[1 1 1501 -4975 A] 

Spacehab  is  allotted  a  specific  quantity  of  energy  preflight  in  the  Carrier  Integration  Plan  ( CIP)  and  may 
use  this  energy  as  long  as  the  Spacehab  operations  do  not  compromise  normal  orbiter  operations. 

B.  WHEN  SPACEHAB  IS  REQUIRED  TO  BE  POWERED  DURING  ASCENT /ENTRY , 
THE  ASCENT/ENTRY  ORBITER  CONFIGURATION  WILL  INCLUDE: 

1.  FUEL  CELLS  CONNECTED  TO  THEIR  RESPECTIVE  BUSES 

2.  PRIMARY  PAYLOAD  POWER  -  ON  (PROVIDING  POWER  TO  SPACEHAB) 

3.  PAYLOAD  AUX  A  -  ON  AND  PAYLOAD  AFT  MN  B  -  ON  (PROVIDING 
EMERGENCY  POWER  IN  THE  SPACEHAB  FOR  SMOKE 

DETECT ION/ SUPPRESS  ION) 

4.  PAYLOAD  CABIN  -  MN  A  (B)  (PROVIDING  POWER  TO  THE  STANDARD 
SWITCH  PANEL  (SSP) ) 


Payload  Primary  provides  power  to  the  Spacehab  power  subsystem;  this  subsystem  then  provides  power 
to  subsystems  and  experiments  requiring  power  on  ascent/entry  as  negotiated  in  the  CIP.  The  Payload 
AUX  A  and  Payload  AFT  MN  B  orbiter  buses  provide  redundant  power  to  Spacehab ’s  emergency  buses. 
The  emergency  buses  are  required  on  ascent/entry  for  fire/smoke  detection,  fire  suppression,  and  the 
Caution  and  Warning  ( C&W)  system.  ®[1 11501 -4975A] 

C.  THE  ON-ORBIT  ORBITER  CONFIGURATION  FOR  THE  ORBITER  TO 
SPACEHAB  WILL  BE:  ®[1 11501 -4975A] 

1.  FUEL  CELLS  CONNECTED  TO  THEIR  RESPECTIVE  BUSES 

2.  PAYLOAD  PRIMARY  POWER  -  ON  (PROVIDING  POWER  TO  SPACEHAB) 

3.  AUX  A  AND  PAYLOAD  AFT  MN  B  -  ON  (PROVIDING  EMERGENCY 
POWER  IN  THE  SPACEHAB  FOR  SMOKE  DETECTION/FIRE 
SUPPRESSION) 

THIS  RULE  CONTINUED  ON  NEXT  PAGE 
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A9-351  ELECTRICAL  POWER  SUBSYSTEM  (EPS)  CONSTRAINTS 

(CONTINUED) 

4.  PAYLOAD  CABIN  -  MSI  A  (B)  (PROVIDING  POWER  TO  THE  SSP) 

5.  PAYLOAD  AC  3  POWER  -  ON  (PROVIDING  POWER  TO  SPACEHAB) 

6.  (RDM  ONLY)  PAYLOAD  AC  2  POWER  -  ON  (PROVIDING  POWER  TO 
SPACEHAB) 


Payload  Primary  provides  power  to  the  Spacehab  power  subsystem;  this  subsystem  then  provides  DC 
power  to  subsystems  and  experiments.  The  payload  AUX  A  and  payload  AFT  MN  B  orbiter  buses 
provide  redundant  power  for  fire/smoke  detection,  C&W  sensors,  and  fire  suppression.  Items  1  through 
5  are  applicable  to  all  Spacehab  module  configurations.  Item  6  is  only  applicable  to  the  RDM 
configuration.  ®[1 11501 -4975A] 


A9-352  SPACEHAB  MAIN  BUS  MANAGEMENT  ®[i 1 1 501 -4986A] 

ELECTRICAL  POWER  TO  THE  SPACEHAB  MAIN  BUS  IS  PROVIDED  VIA  THE 
PRIMARY  PAYLOAD  BUS.  THE  LOADS  ON  THE  PRIMARY  PAYLOAD  BUS  MUST 
BE  MANAGED  TO  KEEP  TOTAL  POWER  WITHIN  THE  CONSTRAINTS  SPECIFIED 
IN  ALL  FLIGHTS  RULE  {A9-109},  PRIMARY  PAYLOAD  BUS  MANAGEMENT. 

Total  payload  bus  power  limitations  are  due  to  the  Fuel  Cell  limitations  and  not  on  the  individual 
SMCH  fuse  and  wire  ratings.  The  ICD  specifies  a  power  limit  on  each  SCMH  feed  to  2  kW 
continuous  and  allow  a  3  kW  peak  for  15  minutes  every  3  hours  (a  total  excess  energy  of  0.25  kWH). 
The  ICD  is  written  to  ensure  that  total  payload  power  constraints  are  not  violated  on  a  mission 
where  there  are  four  independent  payloads,  each  using  its  own  dedicated  SCMH  feed.  Manifested 
payloads  generally  meet  the  ICD  requirement.  This  drives  the  operational  constraint  to  be  based  on 
the  total  payload  power  and  not  on  the  physical  wire  and  fuse  ratings  of  the  individual  SMCH  feed. 

In  the  case  where  multiple  SMCH  feeds  fail,  the  power  on  each  SMCH  will  be  managed  to  stay  within 
its  physical  wire  and  fuse  ratings. 

Reference:  All  Flights  Rule  {A9-109},  PRIMARY  PAYLOAD  BUS  MANAGEMENT;  ICD-A-21095  and 
ICD-A-21426-RDM.  ®[i  1 1501 -4986A] 
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A9-353  SPACEHAB  EMERGENCY  BUS  LOSS  ®[i 1 1 501 -4986A] 

A.  IF  EITHER  ORBITER  DC  SOURCE,  PL  AUX  A  OR  PL  AFT  B,  SUPPLYING 
POWER  TO  THE  SPACEHAB  EMERGENCY  BUS  IS  LOST,  SPACEHAB 
ACTIVITIES  WILL  CONTINUE. 


PL  AUX  A  and  PL  AFT  B  provide  redundant  power  to  the  Spacehab  emergency  bus.  The  emergency  bus 
sources  are  cross-strapped  and  the  Spacehab  emergency  bus  is  still  powered. 

B.  IF  THE  SPACEHAB  EMERGENCY  BUS  IS  LOST,  THE  SPACEHAB  WILL  BE 
DEACTIVATED  AND  ALL  POWER  REMOVED. 


All  fire  detection/suppression  capability  has  been  lost  as  well  as  power  to  the  water  line  heaters. 
Therefore ,  orbiter  attitude  control  will  be  required  to  prevent  water  line  freezing. 

Reference  Rule  (A1 8-555 f  WATER  LINE  HEATER  MANAGEMENT.  ®[i  1 1 501 -4986A] 
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A9-354  SPACEHAB  AC  MANAGEMENT  ®[iii50i-4986A] 

A.  THE  SPACEHAB  INVERTER  WILL  BE  THE  MODULE'S  NOMINAL  AC  POWER 
SOURCE  DURING  ASCENT  AND  ENTRY. 


Orbiter  AC  power  is  not  available  to  payloads  during  the  ascent  mission  phase  in  order  to  protect 
critical  orbiter  systems  ( i.  e. ,  Space  Shuttle  Main  Engine  Controllers).  Orbiter  AC  may  be  used  during 
entry  for  a  Spacehab  AC  system  failure  provided  the  total  AC  load  ( Orbiter  +  Spacehab)  can  be 
managed  to  stay  within  limits  specified  in  All  Flights  Rule  { A9-155 },  AC  INVERTER  THERMAL  LIFE. 


B 


FOR  LOSS  OF  SPACEHAB  INVERTER (S),  AC  EQUIPMENT  SHALL  BE 


MANAGED 

AS 

1 .  ASCENT 

a . 

AC 

BE 

b . 

AC 

AND 

PROVIDED  THE  TOTAL  AC  LOAD  (ORBITER  +  SPACEHAB)  CAN 
BE  MANAGED  TO  STAY  WITHIN  LIMITS  SPECIFIED  IN  RULE 
{ A9-155 } ,  AC  INVERTER  THERMAL  LIFE. 


If  the  Spacehab  inverter  fails  during  ascent,  module  heat  rejection  and  smoke  detection  are  lost.  To 
protect  critical  orbiter  systems  ( i.  e. ,  Space  Shuttle  Main  Engine  Controllers)  during  ascent,  orbiter  AC 
power  is  not  available  to  payloads  prior  to  MECO  (AC  PL  3?  circuit  breaker(s)  open).  Therefore, 
orbiter  AC  power  cannot  be  applied  to  Spacehab  until  the  crew  closes  the  AC  PL  31  circuit  breaker  and 
the  SM  GPC  is  available  to  change  the  power  source  from  Spacehab  inverter  to  orbiter  AC  ( the 
exception  is  the  Spacehab  subsystem  water  pump  2  which  does  have  contingency  commands  to  change 
the  power  source  and  therefore,  does  not  require  the  SM  GPC).  If  telemetry  indicates  thermal  limits  will 
be  violated  before  power  can  be  restored  post  MECO,  consideration  will  be  given  to  issuing  the  Main 
Power  Kill  command  by  arming  the  FSS.  This  will  remove  all  power  to  the  Spacehab,  except  PL  ALT 
MN  B,  which  is  required  to  power  the  Spacehab  water  line  heaters.  ®[1 1 1 501 -4986A] 
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A9-354  SPACEHAB  AC  MANAGEMENT  (CONTINUED) 

2.  ON-ORBIT  ®[1 1 1501-4986A] 

AC  EQUIPMENT  POWERED  BY  THE  FAILED  INVERTER (S)  WILL  BE 
POWERED  OFF,  RECONFIGURED  TO  ORBITER  POWER,  AND  REPOWERED 
AS  SOON  AS  PRACTICAL  PROVIDED  THE  TOTAL  AC  LOAD  (ORBITER 
+  SPACEHAB)  CAN  BE  MANAGED  TO  STAY  WITHIN  LIMITS 
SPECIFIED  IN  ALL  FLIGHTS  RULE  {A9-155},  AC  INVERTER 
THERMAL  LIFE. 

Orbiter  AC  power  can  be  utilized  if  the  Spacelmb  inverter(s)  fail  as  long  as  AC  loads  can  be  managed 
within  orbiter  power  capabilities. 

3 .  ENTRY 

a.  AC  EQUIPMENT  POWERED  BY  THE  FAILED  INVERTER (S)  WILL 
BE  POWERED  OFF  VIA  INCO  COMMAND . 

b.  BACKUP  AC  EQUIPMENT  CONFIGURED  TO  ORBITER  POWER 
WILL  BE  POWERED  AS  SOON  AS  PRACTICAL  PROVIDED  THE 
TOTAL  AC  LOAD  (ORBITER  +  SPACEHAB)  CAN  BE  MANAGED 
TO  STAY  WITHIN  LIMITS  SPECIFIED  IN  ALL  FLIGHTS  RULE 
{ A9-155 } ,  AC  INVERTER  THERMAL  LIFE. 

During  entry,  if  there  is  a  failure  in  the  Spacehcib  AC  system  that  precludes  its  use,  orbiter  AC  may  be 
used  provided  the  total  AC  load  can  be  managed  within  limits,  the  AC  PL  31  circuit  breaker  is  closed, 
and  backup  subsystem  equipment  (pump  or  fan)  was  configured  to  orbiter  AC  during  Spacehcib  Entry 
Prep  ( the  exception  is  the  Spacehcib  subsystem  water  pump  2  which  does  not  need  to  be  pre-configured  to 
orbiter  AC  since  contingency  commands  are  available  to  change  the  power  source).  A  contingency 
command  can  then  be  sent  by  INCO  to  reconfigure  cmd  activate  the  backup  fan  or  pump  on  orbiter  AC 
power.  If  telemetry  indicates  thermal  limits  will  be  violated  before  power  can  be  restored  during  entry 
when  the  crew  is  unable  to  respond  to  the  failure,  the  Main  Power  Kill  command  will  be  issued  by 
arming  the  FSS  to  remove  all  power  to  the  Spacehcib,  except  PL  AFT  MN  B,  which  is  required  to  power 
the  Spacehcib  water  line  heaters.  ®[i  1 1 501 -4986A] 

THIS  RULE  CONTINUED  ON  NEXT  PAGE 


VOLUME  A  06/20/02  FINAL  ELECTRICAL  9-77 

Verify  that  this  is  the  correct  version  before  use. 


NASA  -  JOHNSON  SPACE  CENTER 


FLIGHT  RULES 


A9-354  SPACEHAB  AC  MANAGEMENT  (CONTINUED) 

C.  IF  ORBITER  AC  POWER  IS  THE  NOMINAL  POWER  SOURCE  AND  BECOMES 
UNAVAILABLE,  AFFECTED  SPACEHAB  AC  EQUIPMENT  WILL  BE  POWERED 
OFF  AND  RECONFIGURED  TO  SPACEHAB  INVERTER  POWER  IF  SPACEHAB 
AC  LOADS  PERMIT.  ®[1 1 1501-4986A] 


On  orbit,  both  the  Spacehcib  inverter  and  orbit er  AC  power  are  used. 

D.  SUBSYSTEM  AC  EQUIPMENT  WHICH  CAN  BE  SWITCHED  BETWEEN  SPACEHAB 
INVERTER  AND  ORBITER  AC  POWER  SOURCES  WILL  NORMALLY  BE 
DEACTIVATED  BEFORE  SWITCHING  SOURCES. 


Hot  switching  equipment  will  lead,  over  time,  to  degraded  relay  contacts  in  the  Power  Distribution  Unit 
(PDU)  and  APDU  ( RDM  only);  however ,  in  an  off-nominal  condition,  hot  switching  can  be  performed 
without  significantly  damaging  Spacehcib  hardware. 

E.  APPLYING  POWER  TO  UNPOWERED  SPACEHAB  SUBSYSTEM  AC  EQUIPMENT 
CONFIGURED  ON,  BUT  NOT  OPERATING,  IS  ACCEPTABLE,  PROVIDED  NO 
MORE  THAN  A  SINGLE  SUBSYSTEM  COMPONENT  IS  CONFIGURED  TO  DRAW 
ORBITER  AC  POWER  AT  INITIAL  BUS  ACTIVATION. 


In  order  to  protect  for  failures  (i.e„  SM  GPC  not  available  for  commanding)  that  could  delay  or  inhibit 
Spacehcib  Activation  or  crew  initial  ingress  into  the  module,  some  Spacehcib  subsystem  components  can 
be  configured  to  turn  ON  when  the  orbiter  AC  PL  31  circuit  breaker  is  closed.  This  configuration  is 
normally  used  for  Spacehcib  RDM  or  when  the  Spacehcib  SM/LDM  is  unpowered  for  ascent.  Having  only 
one  subsystem  component  activated  at  a  time  minimizes  stcirt-up  transients  that  could  exceed  orbiter 
inverter  ccipcibi l i ties. 

F.  WHEN  POWER  IS  INTERRUPTED  TO  SUBSYSTEM  AC  EQUIPMENT,  THE 
EQUIPMENT  WILL  BE  DEACTIVATED  BEFORE  POWER  IS  REAPPLIED. 

If  Spacehcib  subsystem  AC  equipmen  t  using  orbiter  or  Spacehcib  AC  power  are  not  deactivated  after 
losing  power,  the  orbiter’ s  or  Spacehcib ’s  inverter  capabilities  may  be  exceeded  if  power  is  reapplied 
simultaneously  to  all  of  the  previously  operating  AC  equipment.  @[092800-7114  ]  ®[1 1 1501-4986A] 
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A9-354  SPACEHAB  AC  MANAGEMENT  (CONTINUED) 

G.  IN  ORDER  TO  PREVENT  EXCEEDANCE  OF  THE  SPACEHAB  INVERTER'S 
CAPABILITIES:  ®[1 11501 -4986A] 

1.  NO  LOADS  SHALL  BE  APPLIED  UNTIL  THE  INVERTER  HAS  BEEN 
VERIFIED  OPERATIONAL. 

2 .  TURN  ON  FANS  BEFORE  THE  WATER  PUMP  IF  TWO  FANS  ARE  TO  BE 
POWERED  BY  INVERTER  AC. 

3.  MCC  APPROVAL  MUST  BE  OBTAINED  BEFORE  USING  THE  AC  VACUUM 
CLEANER.  @[092800-7114] 

Verifying  that  the  Spacehab  inverter  is  operational  before  applying  AC  loads  minimizes  possible  failure 
of  the  inverter  or  damage  to  Spacehab  hardware. 

Turning  two  fans  on  before  the  pump  avoids  potential  in-rush  problems,  since  the  fans  have  a  higher 
in- rush  current.  In  the  SM/LDM,  the  Spacehab  inverters  are  capable  of  providing  power  to  the  ARS  fan, 
cabin  fan,  and  Subsystem  Water  Pump.  In  the  RDM,  the  forward  inverters  are  not  a  concern  since  the 
ARS  fan  is  the  only  fan  that  can  be  powered  via  the  forward  inverters.  The  RDM  aft  inverters  are 
capable  of  providing  power  to  the  two  HFAfans,  CEWL  pump,  and  WSA.  Two  fans  can  be  powered  on 
with  the  WSA  operational  since  the  WSA  has  a  low  power  draw  ( approximately  40  watts).  ©[111501-4986A] 

The  orbiter  vacuum  cleaner  has  a  high  in-rush  current  of  4.5  cimps/phase.  Due  to  the  mission  unique 
experiment  configuration  and  other  ac  power  concerns  that  are  timeline  dependent,  the  MCC  must  be 
contacted  to  perform  an  ac  analysis  to  ensure  inverter  capability. 
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A9-355  FUSE/CIRCUIT  BREAKER  MANAGEMENT 

A.  APPLICABLE  EXPERIMENTS  AND  SUBSYSTEM  EQUIPMENT  WILL  BE 

DEACTIVATED  PRIOR  TO  REPLACING  A  FUSE  OR  RESETTING  A  CIRCUIT 
BREAKER. 


This  action  is  required  to  prevent  in-rush  current  or  the  original  cause  of  the  failure  from  opening  the 
fuse  or  tripping  the  breaker  again  during  the  reset/replacement  activity. 

B.  A  CIRCUIT  BREAKER  SHALL  ONLY  BE  RESET  OR  FUSE  REPLACED  AFTER 
MCC  REVIEW  OF  THE  ASSOCIATED  DATA.  IT  IS  MANDATORY  TO  HAVE 
MCC  REAL-TIME  COVERAGE  WHEN  A  CIRCUIT  BREAKER  RESET  ATTEMPT 
OR  FUSE  REPLACEMENT  IS  MADE.  REPEATED  CIRCUIT  BREAKER  RESETS 
OR  FUSE  REPLACEMENTS  WILL  NOT  BE  ALLOWED. 


A  known  short  will  not  be  repowered  due  to  safety  concerns.  Real-time  coverage  is  required  in  order  to 
provide  systems  experts  the  opportunity  to  monitor  the  action  and  the  associated  response.  Repeated 
circuit  breaker  trips  or  fuse  failures  indicate  a  hardware  problem  and  for  safety  reasons,  the  repeated 
actions  will  not  be  allowed. 

C.  A  CIRCUIT  BREAKER  MAY  BE  RESET,  IN  ACCORDANCE  WITH  PARAGRAPH 
B,  TO  REGAIN  SUBSYSTEM  OR  EXPERIMENT  EQUIPMENT  FUNCTIONS 
AFTER  REMOVING  UNNECESSARY  LOADS  AND  THE  EQUIPMENT  CAUSING 
THE  FAILURES.  ®[1 11501 -4986A] 

Circuit  breakers  often  feed  more  than  one  piece  of  equipment;  therefore,  if  unnecessary  loads  or 
troublesome  equipment  is  removed,  the  circuit  breaker  may  be  successfully  reset  and  the  remaining 
loads  used. 

D.  NO  CIRCUIT  BREAKER  RETENTION  DEVICE  SHALL  BE  USED  IN  THE 
SPACEHAB  ELECTRICAL  SUBSYSTEM. 


The  circuit  breaker  reten  tion  device  is  only  used  to  recover  emergency  or  crew  safety  related  items. 
Mission  success  does  not  justify  use  of  the  retention  device.  Failure  modes  exist  where  the  reten  tion 
device  can  override  circuit  protection. 

Reference:  NASA/DF  Note  Of  Interest,  DF7/83-45,  June  14,  1983. 
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A9-356  FUEL  CELL  FAILURE  MANAGEMENT 

A.  FOR  THOSE  MISSIONS  REQUIRING  A  POWERED  SPACEHAB  MODULE 
DURING  ASCENT/ENTRY,  IF  A  FUEL  CELL  FAILS  DURING  ASCENT, 

THE  SPACEHAB  WILL  NOT  REMAIN  POWERED  EXCEPT  PL  AFT  MN  B. 

®[1 1 1501-4986A] 

There  is  not  adequate  power  margin  for  Spacehab  operations  with  only  two  orbiter  fuel  cells  available 
during  ascent.  During  orbit  and  entry,  power  margins  may  potentially  allow  payload  power.  PL  AFT 
MN  B  provides  power  to  Spacehab  water  line  heaters. 

B.  FOR  A  FUEL  CELL  FAILURE  ON  ORBIT,  THE  SPACEHAB  POWER  WILL  BE 
MANAGED  WITHIN  THE  18  KW  LIMIT  FOR  TOTAL  ORBITER  POWER. 


In  the  event  of  a  fuel  cell  failure,  the  18  kW  limit  prevents  overloading  of  the  last  remaining  fuel  cell. 
®[1 1 1 501 -4986A] 


A9-357  SPACEHAB  SURVIVAL  POWER  CONFIGURATION  ®[i 1 1 501 -4986A] 

SPACEHAB  SURVIVAL  POWER  IS  DEFINED  AS  THE  POWER  LEVEL  REQUIRED 
TO  MAINTAIN  THE  SPACEHAB  IN  A  CONFIGURATION  THAT  ENSURES  CREW 
SAFETY,  INTEGRITY  OF  SCIENCE  RESULTS /SAMPLES  ALREADY  OBTAINED, 
AND  PROTECTION  OF  HARDWARE.  REFERENCE  FLIGHT  SPECIFIC  ANNEX  FOR 
SURVIVAL  POWER  REQUIREMENT. 


A  known  minimum  power  level  is  required  to  provide  for  a  case  in  which  the  crew’s  full  attention  would 
have  to  be  turned  to  an  orbiter  problem.  The  Spacehab/experiments  would  need  to  be  placed  in  a 
condition  which  would  draw  the  least  amount  of  both  crew  time  and  orbiter  resources.  The  survival 
configuration  for  the  Spacehab/experiments  needs  to  be  clearly  defined  pre-mission  so  that  this 
configuration  can  be  achieved  quickly  and  without  ambiguity.  ®[1 1 1 501 -4986A] 


A9-358  CAUTION  AND  WARNING  (C&W) 

CAUTION  AND  WARNING  SYSTEM  AND  SYSTEM  MANAGEMENT  PARAMETERS  WHICH 
GENERATE  FALSE  OR  NUISANCE  ALARMS  WILL  BE  INHIBITED. 

Inhibiting  the  alarms  prevents  reaction/response  to  nuisance  and/or  erroneous  failure  indications. 
@[092701-4872  ] 
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ELECTRICAL  GO/NO-GO  CRITERIA 


A9-1001  ELECTRICAL  GO/NO-GO  CRITERIA 


SYSTEM/COMPONENTS/FUNCTIONS 


CONTINUE 
NOMINAL 
ASCENT  IF: 

INVOKE 

MDF 

IF: 

ENTER  NEXT 
PLS 

IF: 

2/3  ? 

[2] 

2/2  ? 

2/3  ? 

[2] 

2/2  ? 

1  ?  [3] 

2  ?  [3] 

2  ? 

1  ?  [4] 

2?  [5] 

2  ?  [6] 

3  ?  [6] 

[7] 

[8] 

[8] 

[9] 

[10]  [11] 

[10]  [22] 

[13] 

[22] 

[15] 

[22] 

A.  CRYO: 

1.  02  TANKS  (3/4)  . [1] 

2.  H2  TANKS  (3/4)  . [1] 

3.  02,  H2  MANIFOLDS  (6)  . 

B.  FUEL  CELLS: 

FUEL  CELLS  (3)  . 

FC  PRIMARY  H20  FLOW 

TO  ECLSS  (3)  . 

FC  OVERBOARD  RELIEF 

SYSTEM  . 

FC  ALTERNATE  H20 

SYSTEM  . 

FC  VENT  LINE  BLOCKAGE 

(02  OR  H2)  . 

FC  02  PURGE  . 

FC  H2  PURGE  . 

C.  ELECTRICAL  PWR  DIST  &  CNTL: 

1.  MAIN  DC  BUSES 

a.  MNA 

DAI  . 

FPC1  . 

FLC1  . 

FMC1  . 

MPC1  . 

MMC1  . 

@[032802-481 4A] 
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A9-1001  ELECTRICAL  GO/NO-GO  CRITERIA  (CONTINUED) 


SYSTEM/COMPONENTS/FUNCTIONS 

CONTINUE 
NOMINAL 
ASCENT  IF: 

INVOKE 

MDF 

IF: 

ENTER  NEXT 
PLS 

IF: 

ELECTRICAL  PWR  DIST  &  CNTL:  (CONTI 

4.  AC  BUSES  (CONT) 

d.  AC  3 

AC3(3?  )  . 

AC3?  A  . 

AC3?  B  . 

AC3?  C  . 

AC3 FMC3  . 

AC3  MMC2  . 

AMC  MMC4  . 

AC3 AMC3  . 

D.  CAUTION  AND  WARNING: 

C&W  -  PRIMARY  AND  BACKUP  (2) . 

[33] 

[22] 

[34]  [36] 

[34] 

[34]  [36] 

[34] 

[34]  [36] 

[34] 

[22] 

[15] 

[22] 

2  ?  [37] 

i  @[032802-481 4A] 


LEGEND: 


NO  REQUIREMENT 

REQUIRED 


(  )  QUANTITY 
[  ]  NOTE  REFERENCE 
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A9-1001  ELECTRICAL  GO/NO-GO  CRITERIA  (CONTINUED) 


[1]  IF  A  FIVE-TANK  SET  IS  FLOWN,  TANKS  4  AND  5  ARE  CONSIDERED  AS  ONE  TANK. 

[2]  FOR  SINGLE  TANK  FAILURES,  CONSUMABLES  DETERMINE  FLIGHT  DURATION. 

[3]  MAY  REQUIRE  FUEL  CELL  SHUTDOWN  PRIOR  TO  ENTRY. 

[4]  SINGLE  FAULT  TOLERANT.  REF.  RULE  {A2-1 02B},  MISSION  DURATION  REQUIREMENTS.  @[101796-4561  A] 

[5]  ZERO  FAULT  TOLERANT.  REF.  RULE  {A2-102C},  MISSION  DURATION  REQUIREMENTS. 

[6]  LOSS  OF  PRIMARY  SYSTEM  FOR  MULTIPLE  FC'S  MAY  HAVE  RESULTED  FROM  FREEZING  OF  F^O  RELIEF  PANEL 
WHICH  COULD  ALSO  CAUSE  LOSS  OF  OVERBOARD  RELIEF  AND  LEAVE  ONLY  THE  ALTERNATE  SYSTEM  FOR  F^O 
REMOVAL.  REF.  RULE  {A2-102C},  MISSION  DURATION  REQUIREMENTS.  @[101 796-4561  A] 

[7]  LOSS  OF  PURGE  CAPABILITY  ON  ALL  THREE  FC'S.  ALSO,  ALL  THREE  FC’S  UNABLE  TO  VENT  C£  (H2)  FOR  A  DUAL 
GAS  REGULATOR  FAILURE.  ALL  THREE  FC’S  NO  LONGER  FAIL-SAFE.  REF.  RULES  [A9-1 J},  FUEL  CELL  (FC)  LOSS 
[CIL];  AND  {A9-52C},  D,  AND  E,  FC  PURGE. 

[8]  FUEL  CELL  PREDICTED  PERFORMANCE  DETERMINES  MISSION  DURATION. 

[9]  LOSE  ALL  MNA  SUB-BUSES  AND  ASSOCIATED  EQUIPMENT. 

[10]  IF  AC  BUS  NOT  SHORTED,  AN  MDF  MAY  BE  COMPLETED  BY  THE  USE  OF  THE  AC  POWER  TRANSFER  CABLE  TO 
REGAIN  CRITICAL  AC  LRU'S.  NEXT  PLS  REQUIRED  IF  AC  BUS  NOT  REGAINED.  REF.  RULE  {A9-158},  AC  POWER 
TRANSFER  CABLE.  ®[ED  ] 

[11]  LOSE  PLBD  CLOSE  FUNCTION  MOTOR  REDUNDANCY,  FUEL  CELL  1  PUMPS.  REF.  RULES  [A9-1 B},  FUEL  CELL  (FC) 
LOSS  [CIL],  AND  {A10-209H},  PLBD  RULE  REFERENCE  MATRIX. 

[12]  LOSE  ONE  MOTOR  IN  MULTIPLE  PLBD  CENTERLINE/BULKHEAD  LATCH  GANGS.  REDUNDANCY  MAY  BE 
REGAINED  BY  PERFORMING  THE  PLBD  SYS  ENABLE  RECOVERY  IFM.  REF.  RULE  [A1 0-209},  PLBD  RULE 
REFERENCE  MATRIX.  @[011801-3851]  @[032802-481 4A] 

[13]  LOSE  PLBD  CLOSE  FUNCTION  MOTOR  REDUNDANCY,  FUEL  CELL  1  PURGE  VALVES.  REF.  RULES  {A9-52C}  AND  D, 
FC  PURGE,  AND  {A10-209H},  PLBD  RULE  REFERENCE  MATRIX. 

[14]  LOSE  PLBD  CLOSE  FUNCTION  MOTOR  REDUNDANCY.  REDUNDANCY  MAY  BE  REGAINEDBY  PERFORMING  THE 
PLBD  SYS  ENABLE  RECOVERY  IFM,  ASSUMING  THERE  ARE  NO  OTHER  SYSTEMS  GO/NO-GO  CRITERIA 
VIOLATED.  REF.  RULE  {A10-209},  PLBD  RULE  REFERENCE  MATRIX. 

[15]  LOSE  PLBD  CLOSE  FUNCTION  MOTOR  REDUNDANCY.  REF.  RULE  [A1 0-209},  PLBD  RULE  REFERENCE  MATRIX. 

[1 6]  LOSE  OMS  X-FEED  AND  REPRESS  CAPABILITY.  A  G-MEM  CAN  BE  SENT  TO  RECOVER  THESE  FUNCTIONS. 

[17]  FAILURE  OF  ANOTHER  BUS  RESULTS  IN  LOSS  OF  CAPABILITY  TO  OPEN  FUEL  TANK  VALVES  ON  AN  APU  AND 
CAPABILITY  TO  DEPRESS  ANOTHER  HYD  SYSTEM.  REF.  RULE  {A10-21A},  LOSS  OF  APU/HYDRAULIC  SYSTEM(S) 
ACTIONS.  @[082593-1530]  @[032802-481 4A] 

[18]  LOSE  ALL  MNB  SUB-BUSES  AND  ASSOCIATED  EQUIPMENT. 

[19]  LOSE  FUEL  CELL  2  PUMPS,  PLBD  CLOSE  FUNCTION  MOTOR  REDUNDANCY,  S-BAND  SYSTEM  1  (INCLUDES  NSP 

1) ,  CABIN  FAN  B.  REF.  RULES  {A9-1B},  FUEL  CELL  (FC)  LOSS  [CIL];  {A9-1001},  ELECTRICAL  GO/NO-GO  CRITERIA; 
{A10-209H},  PLBD  RULE  REFERENCE  MATRIX;  AND  {All-1001},  COMMUNICATIONS  GO/NO-GO  CRITERIA. 

®[ED  ] 

[20]  LOSE  S-BAND  SYSTEM  1  (INCLUDES  NSP  1).  REF.  RULE  [A1 1 -1001},  COMMUNICATIONS  GO/NO-GO  CRITERIA. 

[21]  LOSE  PLBD  CLOSE  FUNCTION  MOTOR  REDUNDANCY,  FUEL  CELL  2  PURGE  VALVES.  REF.  RULES  {A9-52C}  AND  D, 
FC  PURGE,  AND  {A10-209H},  PLBD  RULE  REFERENCE  MATRIX. 

[22]  LOSE  ONE  MOTOR  IN  MULTIPLE  PLBD  CENTERLINE/BULKHEAD  LATCH  GANGS.  REF.  RULE  {A10-209},  PLBD  RULE 
REFERENCE  MATRIX.  @[011801-3851] 

[23]  LOSE  ALL  MNC  SUB-BUSES  AND  ASSOCIATED  EQUIPMENT. 

[24]  LOSE  FUEL  CELL  3  PUMPS,  PLBD  CLOSE  FUNCTION  MOTOR  REDUNDANCY,  S-BAND  SYSTEM  2  (INCLUDES  NSP 

2) ,  CABIN  FAN  A.  REF.  RULES  {A9-1B},  FUEL  CELL  (FC)  LOSS  [CIL];  {A9-1001},  ELECTRICAL  GO/NO-GO  CRITERIA; 
{A10-209H},  PLBD  RULE  REFERENCE  MATRIX;  AND  {All-1001},  COMMUNICATIONS  GO/NO-GO  CRITERIA. 

[25]  LOSE  S-BAND  SYSTEM  2  (INCLUDES  NSP  2).  REF.  RULE  {All-1001},  COMMUNICATIONS  GO/NO-GO  CRITERIA. 

®[ED  ] 
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A9-1001  ELECTRICAL  GO/NO-GO  CRITERIA  (CONTINUED) 


[26]  LOSE  PLBD  CLOSE  FUNCTION  MOTOR  REDUNDANCY,  FUEL  CELL  3  PURGE  VALVES,  RGA  3.  REF.  RULES  [A8- 
1001D},  GNC  GO/NO-GO  CRITERIA;  {A9-52C}  AND  D,  FC  PURGE;  AND  {A10-209H},  PLBD  RULE  REFERENCE 
MATRIX.  ®[ED  ] 

[27]  LOSE  ADTA  3  AND  4.  REF.  RULE  [A8-1 001 D},  GNC  GO/NO-GO  CRITERIA. 

[28]  LOSE  S-BAND  SYSTEM  1  (INCLUDES  NSP  1).  RGA  2.  REF.  RULES  [A1 1 -1001},  COMMUNICATIONS  GO/NO-GO 
CRITERIA;  AND  {A8-1001D},  GNC  GO/NO-GO  CRITERIA.  ®[ED  ] 

[29]  LOSE  FUEL  CELL  1  ECU  PUMP  PRIMARY  RELAYS.  REF.  RULE  [A9-1 B},  FUEL  CELL  (FC)  LOSS  [CIL], 

[30]  LOSE  FUEL  CELL  2  ECU  PUMP  PRIMARY  RELAYS.  REF.  RULE  [A9-1 B},  FUEL  CELL  (FC)  LOSS  [CIL], 

[31]  LOSE  FUEL  CELL  3  ECU  PUMP  PRIMARY  RELAYS.  REF.  RULE  [A9-1 B},  FUEL  CELL  (FC)  LOSS  [CIL], 

[32]  LOSE  PLBD  CLOSE  FUNCTION  MOTOR  REDUNDANCY,  FUEL  CELL  2  PUMPS,  CABIN  FAN  B.  REF.  RULES  {A9- 

1 B},  FUEL  CELL  (FC)  LOSS  [CIL];  SECTION  B;  AND  [A1 0-209H},  PLBD  RULE  REFERENCE  MATRIX. 

[33]  LOSE  PLBD  CLOSE  FUNCTION  MOTOR  REDUNDANCY,  FUEL  CELL  3  PUMPS,  CABIN  FAN  A.  REF.  RULES 
{A9-1 B},  FUEL  CELL  (FC)  LOSS  [CIL];  SECTION  B;  AND  1  [A1 0-209H},  PLBD  RULE  REFERENCE  MATRIX. 

[34]  IF  BUS  SHORT-CIRCUITED,  INVOKE  CRITERIA  FOR  FMC,  MMC,  AMC  SUB-BUSES,  UNLESS  SHORTED  PHASE 
CAN  BE  ISOLATED  FROM  GANGED  CB  ASSEMBLY.  REF.  RULE  {A9-156},  LOSS  OF  SINGLE-PHASE  AC. 

®[ED  ] 

[35]  LOSE  1  AC  ?  OF  CABIN  FAN  B.  CONTINUE  IF  DEMONSTRATED  IN  FLIGHT  THAT  CABIN  FAN  CAN  BE  STARTED 
ON  TWO  REMAINING  AC?'S. 

[36]  LOSE  1  AC  ?  OF  CABIN  FAN  A.  CONTINUE  IF  DEMONSTRATED  IN  FLIGHT  THAT  CABIN  FAN  CAN  BE  STARTED 
ON  TWO  REMAINING  AC?'S. 

[37]  LOSS  OF  ALL  C&W  ALARM  TONES  AND  LIGHTS.  FLIGHT  CREW  MUST  MONITOR  CRT  MESSAGES  FOR 
CRITICAL  SYSTEM  FAULT  ANNUNCIATION.  REF.  RULES  {A2-102C},  MISSION  DURATION  REQUIREMENTS;  AND 
{A2-104AJ.6,  SYSTEMS  REDUNDANCY  REQUIREMENTS.  @[101796-4561  A] 

[38]  LOSE  POWER  TO  PCS  02  CROSSOVER  VALVE  1  MDF  UNTIL  IFM  TO  RESTORE  FULL  MANIFOLD  CAPABILITY  IS 
INSTALLED  OR  UNTIL  REAL-TIME  TEST  VERIFIES  ADEQUATE  02  SUPPLY  TO  CREW.  REF.  RULE  [A1 7-1 001 D},  LIFE 
SUPPORT  GO/NO-GO  CRITERIA.  @[050400-7189  ] 

[39]  LOSE  POWER  TO  PCS  02  CROSSOVER  VALVE  2  MDF  UNTIL  IFM  TO  RESTORE  FULL  MANIFOLD  CAPABILITY  IS 
INSTALLED  OR  UNTIL  REAL-TIME  TEST  VERIFIES  ADEQUATE  02  SUPPLY  TO  CREW.  REF.  RULE  [A1 7-1 001 D},  LIFE 
SUPPORT  GO/NO-GO  CRITERIA.  @[050400-7189  ] 

[40]  NEXT  WORST  FAILURE  (CNTLAB2  AND  APC5  COMBINATION)  RESULTS  IN  LOSS  OF  CAPABILITY  TO  OPEN  THE 
TANK  VALVES  ON  APU  2  AND  LOSS  OF  BOTH  WSB  1  CONTROLLERS.  REF.  RULE  {A10-21  A},  LOSS  OF 
APU/HYDRAULIC  SYSTEM(S)  ACTIONS.  @[032802-481 4A] 


CRYO 


a.  Continue  Nominal  Ascent 

If  all  but  one  of  the  cryo  tanks  fails  during  ascent,  an  abort  is  not  required  because  the  remaining 
tank  will  support  a  first  day  PLS  entry. 

b.  Invoke  Minimum  Duration  Flight 

If  a  single  tank  fails,  the  amount  of  consumables  will  determine  the  length  of  the  mission.  After  a 
single  tank  failure,  at  least  two  more  failures  are  required  before  loss  of  crew/  vehicle. 

c.  Enter  Next  PLS 

If  two  tanks  fail,  a  PLS  is  called  because  the  risk  has  increased  that  similar  failures  will  occur  in  the 
remaining  tanks.  Loss  of  cryo  is  loss  of  crew/vehicle. 
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SECTION  10  -  MECHANICAL 

AUXILIARY  POWER  UNIT  (APU)  LOSS 
FAILURE /DEFINITION 

A10-1  APU  LOSS  DEFINITIONS . 10-1 

A10-2  THROUGH  A10-20  RULES  ARE  RESERVED . 10-7 

APU  SYSTEMS  MANAGEMENT 

A10-21  LOSS  OF  APU/HYDRAULIC  SYSTEM(S)  ACTIONS . 10-8 

A10-22  APU  START/RESTART  LIMITS . 10-11 

A10-23  APU  ENTRY  START  TIME . 10-15 

A10-24  APU  OIL/GEARBOX  TEMPERATURE/PRESSURE . 10-20 

A10-25  APU  HIGH  SPEED  SELECTION/SHIFT . 10-22 

A10-2  6  APU  AUTO  SHUTDOWN  INHIBIT  MANAGEMENT . 10-24 

A10-27  APU  FUEL  LEAKS  [CIL] . 10-28 

A10-28  AOA  APU/HYDRAULIC  SYSTEM  OPERATIONS . 10-31 

A10-29  FCS  CHECKOUT  APU  OPERATIONS . 10-32 

A10-30  LOSS  OF  APU  HEATERS/ INSTRUMENTATION  [CIL]...  10-34 

A10-31  APU  FREEZE/THAW . 10-36 

A10-32  APU/HYD  CONSUMABLES  .  10-38 

A10-33  APU  DEFINITIONS . 10-40 

A10-34  THROUGH  A10-50  RULES  ARE  RESERVED . 10-40 

HYDRAULIC  SYSTEMS  LOSS/FAILURE  DEFINITIONS 

A10-51  HYDRAULIC  LOSS  DEFINITIONS  .  10-41 

A10-52  THROUGH  A10-70  RULES  ARE  RESERVED . 10-43 


VOLUME  A  06/20/02  FINAL  MECHANICAL  10-1 

Verify  that  this  is  the  correct  version  before  use. 


NASA  -  JOHNSON  SPACE  CENTER 


_ FLIGHT  RULES _ 

HYDRAULIC  SYSTEMS  MANAGEMENT 

A10-71  HYDRAULIC  SYSTEMS  CONFIGURATION . 10-44 

A10-72  HYDRAULIC  LEAKS . 10-46 

A10-73  HYDRAULIC  SYSTEMS  PRESSURE /TEMPERATURE  [CIL]  10-48 

A10-74  HYDRAULIC  CIRCULATION  PUMP  OPERATION  [CIL] . .  10-51 

A10-75  THROUGH  A10-100  RULES  ARE  RESERVED . 10-56 

WATER  SPRAY  BOILER  (WSB)  LOSS/FAILURE 
DEFINITIONS 

A10-101  WSB  LOSS  DEFINITIONS . 10-57 

A10-102  THROUGH  A10-120  RULES  ARE  RESERVED . 10-58 

WSB  SYSTEMS  MANAGEMENT 

A10-121  WSB  CONFIGURATION  .  10-59 

A10-122  LOSS  OF  WSB(S)  ACTIONS . 10-59 

A10-123  THROUGH  A10-140  RULES  ARE  RESERVED . 10-60 

LANDING/DECEL  SYSTEMS  MANAGEMENT 

A10-141  NOSE  WHEEL  STEERING  (NWS)  .  10-60 

A10-142  TIRE  PRESSURE  [CIL]  .  10-63 

A10-143  DRAG  CHUTE  DEPLOY  TECHNIQUES . 10-72 

A10-144  DRAG  CHUTE  DEPLOY  CONSTRAINTS . 10-74 

A10-145  UNCOMMANDED  BRAKE  PRESSURE  [CIL]  .  10-76 

A10-146  BRAKING  .  10-77 

A10-147  THROUGH  A10-160  RULES  ARE  RESERVED . 10-78 

MECHANICAL  SYSTEMS  LOSS/FAILURE  DEFINITIONS 

A10-161  DRIVE  MECHANISMS  LOSS  DEFINITIONS . 10-79 

A10-162  THROUGH  A10-180  RULES  ARE  RESERVED . 10-80 
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GENERAL  MECHANISMS  SYSTEMS  MANAGEMENT 

A10-181  DRIVE  MECHANISMS . 10-81 

A10-182  THROUGH  A10-200  RULES  ARE  RESERVED . 10-81 

PAYLOAD  DOOR  (PLBD)  SYSTEMS  MANAGEMENT 

A10-201  PLBD  GENERAL . 10-82 

A10-202  PLBD  VISUAL  CUES . 10-84 

A10-203  PLBD  CRITICAL  LATCHES  .  10-85 

A10-204  FAILED  PLBD  GPC  SEQUENCE . 10-86 

A10-205  PLBD  CLEARANCE  CONSTRAINTS . 10-86 

A10-206  PLBD  CLOSE  GO/NO-GO . 10-87 

A10-207  PLBD  OVERLAP . 10-92 

A10-208  CONTINGENCY  PLBD  CLOSURE . 10-93 

A10-209  PLBD  RULE  REFERENCE  MATRIX . 10-94 

A10-210  THROUGH  A10-220  RULES  ARE  RESERVED . 10-99 

RADIATOR  SYSTEMS  MANAGEMENT 

A10-221  RADIATOR  MECHANICAL . 10-100 

A10-222  RADIATOR  VISUAL  CUES  .  10-102 
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SECTION  10  -  MECHANICAL 


AUXILIARY  POWER  UNIT  (APU)  LOSS  FAILURE/DEFINITION  ®[ED  ] 


A10-1  APU  LOSS  DEFINITIONS 

A.  AN  APU  IS  CONSIDERED  LOST  IF: 

1.  THERE  IS  A  CONFIRMED  OR  SUSPECTED  HYDRAZINE  LEAK.  LEAKS 

MUST  BE  CONFIRMED  BY  THE  GROUND.  HYDRAZINE  LEAKS  CAN  BE 

DETECTED  BY  ANY  OF  THE  FOLLOWING: 

a.  UNEXPLAINED  DECAY  IN  FUEL  TANK  OR  FUEL  FEED  LINE 
PRESSURE.  @[040899-6824  ] 

b.  UNEXPLAINED  COOLING  OF  HYDRAZINE  TANKS,  LINES,  AND 
VALVES,  OR  ON-ORBIT  HEATER  DUTY  CYCLES. 

C.  WHILE  THE  FUEL  ISOLATION  VALVES  ARE  OPEN,  A  PUMP  SEAL 
CAVITY  PRESSURE  INCREASE  TO  ABOVE  40  PSIA  FOLLOWED  BY 
A  DROP  IN  PRESSURE  (INDICATING  THAT  THE  BURST  DISK 
HAS  RUPTURED)  AND  EITHER: 

(1)  REPEATED  PUMP  SEAL  CAVITY  EXCURSIONS  TO  THE 
RELIEF  VALVE  CRACKING  PRESSURE  OF  APPROXIMATELY 
28  TO  42  PSIA,  OR 

(2)  SUSTAINED  FUEL  PUMP  SEAL  CAVITY  PRESSURE  ABOVE 
THE  VALVE  RESEAT  PRESSURE  OF  16.8  TO  25.2  PSIA. 

d.  UNEXPLAINED  DECAY  IN  SEAL  CAVITY  DRAIN  LINE  PRESSURE 
WHEN  FUEL  PUMP  SEAL  LEAKAGE  HAS  BEEN  DETECTED. 


A  hydrazine  leak  into  the  aft  compartment  is  afire  and  corrosion  hazard  that  could  lead  to  loss  of 
crew/vehicle. 

There  are  cases  where  a  hydrazine  leak  cannot  be  confirmed.  For  example,  a  decay  in  fuel  tank  pressure 
could  be  the  result  of  a  GN2  leak.  The  only  way  to  distinguish  between  a  fuel  leak  and  a  GN2  leak 
(without  other  confirming  cues)  is  to  run  the  APU  until  the  fuel  is  depleted.  The  fuel  tank  pressure  will 
stabilize  around  80  psiafor  a  hydrazine  leak  (the  GN2  precharge  pressure)  and  0  psiafor  a  GN2  leak. 
The  flight  rules  assume  the  worst  case  scenario  of  a  fuel  leak.  @[040899-6824  ] 
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A10-1  APU  LOSS  DEFINITIONS  (CONTINUED) 

Due  to  a  combination  of  transducer  placement  and  the  large  thermal  mass  of  the  tank  and  fuel,  a  fuel 
tank  heater  cycle  causes  the  tank  temperature  to  rise  much  faster  than  the  corresponding  rise  in  tank 
pressure.  Before  equilibrium  is  established,  the  onboard  and  ground  fuel  quantity  computations  show  a 
decrease  in  quantity  similar  to  a  leak,  followed  by  a  rise  in  quantity  to  the  original  pre-heater  cycle 
value.  Since  the  crew  cannot  always  distinguish  between  an  actual  leak  and  a  heater  cycle  or  transducer 
failure,  the  ground  must  confirm  whether  or  not  a  leak  exists.  @[040899-6824  ] 

A  cooling  effect  may  be  seen  if  fuel  is  leaking  near  a  temperature  transducer.  During  STS-9  entry,  cm 
APU  injector  stem  leak  was  indicated  by  a  20  degree  F  drop  in  GGVM  temperature.  However,  a  drop 
in  GGVM  temperatu  re  shortly  after  liftoff  can  be  the  result  of  normal  H2O  condensation  in  the  aft 
compartment  (the  temperature  decreased  will  be  present  for  only  about  1  minute;  this  signature  was 
seen  on  STS  41-C). 

An  increased  heater  duty  cycle  could  result  from  the  cooling  effect  of  leaking  fuel  or  the  loss  in  fuel 
line  thermal  mass  caused  by  the  vacated  fuel.  However,  attitude  effects  and  thermostat  debonding  can 
show  a  similar  signature. 

An  in  ternal  hydrazine  leak  occurs  when  the  fuel  pump  seal  degrades  and  hydrazine  leaks  into  the  fuel 
pump  seed  cavity  drain  system.  This  is  indicated  by  an  increase  in  drain  line  pressure.  With  continuing 
leakage,  the  pressure  will  increase  to  the  point  that  the  burst  disk  ruptures  (at  45  +5  psid )  and  the  relief 
valve  opens  (at  28  to  42  psia),  causing  hydrazine  to  be  spilled  overboard.  A  leak  of  this  type  occurred  on 
an  ALT  flight  (without  the  burst  disk;  this  modification  first  flew  on  STS-88).  The  relief  valve  will  remain 
open  until  the  reseat  pressure  of  16.8  to  25.2  psia  is  reached  (the  relief  valve  will  not  reseat  for  high 
enough  leak  rates). 

Fuel  pump  seed  leakage  can  be  detected  by  an  increase  in  drain  line  pressure  (not  due  to  heater  cycles ) 
while  the  APU  is  running  (dynamic  leak),  or  by  a  decrease  in  feed  line  pressure  with  a  corresponding 
increase  in  drain  line  pressure  while  the  APU  is  not  running  (static  leak).  However,  fuel  pump  seed 
leakage  by  itself  is  not  sufficien  t  reason  to  declare  an  APU  lost  because  the  hydrazine  is  contained  within 
the  drain  system.  For  the  case  of  a  decay  in  both  feed  line  and  drain  line  pressures,  or  a  decay  in  drain 
line  pressure  following  a  dynamic  leak,  a  small  amoun  t  of  hydrazine  (up  to  1.4  lbs,  from  between  the  fuel 
isolation  valves  and  the  shutoff  valve,  for  the  static  leak  case;  reference  SODB.  vol.  I,  4. 4. 3.2. d. 3)  has 
leaked  into  the  aft  compartment  and  the  APU  should  be  considered  lost. 

Hydrazine  may  also  leak  past  multiple  seeds  into  the  APU  gearbox.  This  would  be  detected  as  an 
increase  in  both  gearbox  and  drain  line  pressures  since,  in  order  to  leak  in  to  the  gearbox,  the  fuel 
has  to  first  leak  into  the  seed  cavity.  No  leakage  of  this  type  has  been  seen  since  the  dual  lip  seals 
were  incorporated  as  part  of  the  IAPU  design  (first  flight  STS-45).  @[040899-6824  ] 

Reference  Rule  (A10-27B},  APU  FUEL  LEAKS  [CIL],  and  SODB,  vol.  I,  4.43.6. 
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A10-1  APU  LOSS  DEFINITIONS  (CONTINUED) 

2.  UNABLE  TO  MAINTAIN  TURBINE  SPEED  BETWEEN  95  (95)  PERCENT 

AND  121  (121)  PERCENT  WHILE  THE  APU  IS  RUNNING. 

The  primary  fuel  valve  controls  turbine  speed  at  103  ±8  percent  (95  to  111  percent)  and  is  the 
one  normally  in  con  trol.  If  HI  SPEED  is  selected ,  the  secondary  valve  will  con  trol  turbine  speed 
at  113  ±8  percent  (105  to  121  percent). 

If  turbine  speed  cannot  be  main  tained  >  95  percen  t,  the  capability  of  that  APU  to  support  high  demand 
is  questionable  and  is  considered  lost. 

If  tu  rbine  speed  cannot  be  main  tained  <  121  percen  t,  then  the  normal  speed  con  trol  circu  it  has  failed 
and  an  automatic  shutdown  for  overspeed  is  likely.  Since  the  length  of  time  the  APU  will  run  is 
unknown,  the  APU  is  considered  lost  for  mission  rule  purposes. 

3.  THE  LUBRICATION  OIL  OUTLET  PRESSURE  IS  >  150  (143)  PSIA 

WHILE  THE  APU  IS  RUNNING.  ©[032802-5345A] 

A  high  lubrication  oil  outlet  pressure  is  indicative  of  severely  restricted  lube  oil  flow.  The  oil  pump  and 
associated  plumbing  are  not  qualified  for  pressures  above  150  psia,  so  component  rupture  is  a  concern. 
Also,  since  oil  flow  is  restricted,  little  or  no  cooling  of  the  gearbox  will  take  place,  resulting  in  bearing 
overheat  and  possible  failure.  Reference  SODB,  Vol.  I,  3. 4. 4. 3. 

Reference  Rule{A10-24D},  APU  OIL/GEARBOX  TEMPERATURE/PRESSURE. 

4.  THE  DELTA  PRESSURE  BETWEEN  THE  GEARBOX  GN2  PRESSURE  AND 

THE  LUBRICATION  OIL  OUTLET  PRESSURE  IS  <  20  PSID  WHILE  THE 

APU  IS  RUNNING. 

A  low  delta  P  across  the  gearbox  is  indicative  of  a  severely  degraded  oil  pump.  If  the  delta  P  is  less  than 
20  psid,  then  not  enough  oil  is  flowing  to  provide  adequate  lubrication/cooling  to  the  gearbox.  If  allowed 
to  continue,  the  gearbox  will  overheat,  resulting  in  possible  bearing  failure.  Reference  SODB,  Vol.  I, 

3.4.4. 3.  ©[032802-5345A] 

Reference  Rule{A10-24C},  APU  OIL/GEARBOX  TEMPERATURE/PRESSURE. 
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A10-1  APU  LOSS  DEFINITIONS  (CONTINUED) 

5.  GEARBOX  PRESSURE  <2.0  (3.1)  PSIA  PRIOR  TO  APU  START. 

®[032802-5345A] 

If  the  gearbox  pressure  is  less  than  2  psia,  the  oil  pump  may  cavitate  at  APU  startup.  The  low  pressure 
may  be  caused  by  a  GN2  leak  or  cm  oil  leak  in  the  gearbox,  which  are  indistinguishable  prior  to  APU 
start.  If  the  low  pressure  is  due  to  a  GN2  leak,  starting  the  APU  will  repressurize  the  gearbox  from  the 
GN2  bottle,  thus  preventing  pump  cavitation.  Once  the  APU  is  running,  this  GN2  will  also  begin  to  leak 
from  the  gearbox,  and  volumetric  inefficiency  with  resulting  degradation  in  lubrication  can  result. 

However,  an  APU  start  attempt  is  safe  as  long  as  the  oil  pressure  is  carefully  monitored  during  startup 
so  the  unit  can  be  shut  down  if  there  is  no  oil  pressure.  The  APU  should  be  considered  lost  in  the 
meantime.  Reference  SODB.  Vol.  I,  3. 4.4. 3. 

Reference  Rules  (A10-23B}.5,  APU  ENTRY  START  TIME,  and  {A10-24C},  APU  OIL/GEARBOX 
TEMPERATURE/PRESSURE. 

6.  THE  LUBRICATION  OIL  OUTLET  TEMPERATURE  >  425  (418)  DEG  F 
OR  GEARBOX  BEARING  TEMPERATURE  >  450  (439)  DEG  F  WHILE  APU 
IS  RUNNING. 

At  high  lube  oil  and  bearing  temperatures,  the  oil  begins  to  break  down  (low  viscosity)  resulting  in 
degraded  lubrication/heat  transfer  capability,  with  high  bearing  and  gear  wear.  Once  all  lubrication 
is  lost,  the  bearings  will  seize  and  the  APU  will  experience  cm  underspeed  shutdown.  Although  a  start 
on  an  APU  that  has  previously  exceeded  these  limits  may  be  attempted  on  entry,  its  condition  is  suspect 
and  should  be  considered  lost  for  planning  purposes.  Reference  Ascent/Entry  Flight  Techniques  #50, 
October  20,  1988. 

Rule  (A10-24AJ,  APU  OIL/GEARBOX  TEMPERATURE/PRESSURE,  references  this  rule. 

7.  UNABLE  TO  MAINTAIN  THE  FOLLOWING  APU  TEMPERATURES  WITHIN 


LIMITS : 

a . 

FUEL  TANK  >35 

(38)  DEG  F 

b . 

FUEL  LINES  >  35 
49)  DEG  F 

(40  DEG,  GGVM  SUPPLY 

LN  45,  BYPASS  LN 

c . 

FUEL  PUMP  >  35 

(41)  DEG  F 

d . 

LUBRICATION  OIL 
TEMPERATURE  7) 

>  0  (INLET  TEMPERATURE  10  DEG,  OUTLET 
DEG  F  ®[011 295-1 736C]  ®[ED  ] 

e . 

GGVM  >  3  5  (41) 

DEG  F  ®[011 295-1 736C]  ®[ED  ] 

©[032802-5345A] 
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A10-1  APU  LOSS  DEFINITIONS  (CONTINUED) 

Hydrazine  freezes  at  35  deg  F  (ref  SODB,  Vol.  I,  tables  3.4.4. 3-1  and  4.4. 3-4).  If  the  fuel  is  frozen, 
then  obviously  the  APU  will  not  operate.  If  the  fuel  cannot  be  thawed,  the  APU  will  be  considered  lost. 
As  hydrazine  freezes,  it  contracts;  when  it  thaws,  it  expands.  Analysis  has  not  been  performed  for  APU 
componen  ts  subjected  to  freeze/thaw  cycles.  Because  of  the  possibility  that  a  fuel  system  componen  t 
could  rupture,  the  APU  is  considered  lost  if  any  of  the  fuel  system  drops  below  35  deg  F.  Below  0  deg  F 
the  lube  oil  will  have  such  a  high  viscosity  that  it  cannot  adequately  lubricate  the  gearbox.  If  the  APU 
is  started,  gear  bearing  temperature  will  rise  much  faster  than  the  oil  temperature,  and  bearing  or  gear 
damage  may  occur  before  the  oil  can  reach  temperature  for  proper  lubrication.  Since  the  APU  may  be 
very  limited  in  run  time,  it  is  considered  lost  for  mission  rule  pu  rposes.  ®[011 295-1 736C]  ®[032802-5345A] 

Because  the  GGVM  temperature  and  GGVM  supply  line  temperature  instrumentation  errors  are  so  large, 
the  temperatures  should  be  compared  to  other  transducers  in  the  area. 

Reference  Rule  {A10-31},  APU  FREEZE/THAW. 

8.  AN  APU  FUEL  LINE  HAS  SUSTAINED  TWO  OR  MORE  FREEZE/THAW 
CYCLES . 

McDonnell  Douglas  and  JSC  have  performed  analyses  that  indicate  that  a  fuel  line  may  rupture  if  it 
sustains  as  few  as  3  freeze/thciw  cycles  (McDonnell  Douglas  Report  TM-950002-02,  December  23, 

1994).  The  theoretical  analysis  addressed  a  straight  section  of  1/2  inch  diameter  fuel  line  that  has 
yielded  as  a  result  of  the  freeze/thaw  cycle.  The  fuel  line  radius  has  permanently  expanded  due  to  the 
yield.  The  line  freezes  again,  and  during  thaw  the  resulting  pressures  further  yield  the  line.  This 
process  continues  until  the  ultimate  strain  of  the  line  has  been  exceeded  resulting  in  rupture. 

RI/Downey  performed  cm  analysis  on  fuel  line  bends  that  coupled  TTA  test  data  with  a  theoretical 
analysis.  The  engineering  community  decided,  after  a  review  of  the  analysis,  that  the  fuel  line  bends 
could  withstand  two  freeze/thaw  cycles.  A  qualitative  review  of  the  fuel  line  welds  and  T’s  found  them 
to  be  less  critical  for  freeze/thciw  then  the  tube  bencl  section.  The  pressures  resulting  from  thaw  are 
directly  related  to  the  density  of  the  frozen  hydrazine.  Av  hydrazine  freezes  the  density  increases 
linearly  as  a  Junction  of  temperature  decrease.  The  analysis  assumed  a  worst  case  temperature  of  the 
solid  hydrazine  at  -45  Deg  F  which  then  warms  up  to  70  Deg  F.  ®[032802-5345A] 

Reference  Rule{A10-31j,  APU  FREEZE/THAW. 
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A10-1  APU  LOSS  DEFINITIONS  (CONTINUED) 

9.  FUEL  TANK  PRESSURE  <  90  (99)  PSIA  PRIOR  TO  ON-ORBIT 

START.  ®[011 295-1 736C]  ©[032802-5345A] 

APU  startup  time  is  a  function  of  tank  pressure.  In  order  for  the  turbine  speed  to  reach  80  percent  in 
10.5  seconds  (to  avoid  cm  underspeed  shutdown),  the  fuel  tank  pressure  must  be  at  least  90  psia.  If 
INHIBIT  is  used  to  defeat  the  10. 5-second  timer,  the  APU  may  start  at  a  lower  tank  pressure,  and  a 
start  attempt  may  be  made  unless  the  pressure  is  <  70  psi.  Below  70  psia,  start  attempts  become 
dangerous.  However,  as  far  as  the  flight  rules  are  concerned,  the  APU  must  be  considered  lost 
because  it  may  not  start  if  the  pressure  is  less  than  90  psia.  Reference  SODB,  Vol.  I,  3.4.4. 3  and  figure 
4.4.3. 

Rules  { A10-22D} ,  APU  START/RESTART  LIMITS;  {A10-24C},  APU  OIL/GEARBOX  TEMPERATURE/ 
PRESSURE;  cmd  {A10-30A},  LOSS  OF  APU  HEATERS/INSTRUMENTATION  [CIL],  reference  this  rule. 

10.  THE  FUEL  PUMP  INLET  PRESSURE  IS  <  15  (34)  PSIA  PRIOR 

TO  OPENING  THE  FUEL  ISOLATION  VALVES.  LOSS  OF  INSTRU¬ 
MENTATION  WILL  NOT  BE  CAUSE  FOR  DECLARING  AN  APU  LOST. 

@[021998-6491  A] 

If  ci  large  delta  pressure  exists  across  the  FIV’s,  a  surge  pressure  could  result  when  the  valves  are 
opened.  Under  normal  conditions,  residual  hydrazine  in  the  fuel  lines  provides  a  damping  force  that 
reduces  this  surge  pressure.  At  low  pressures,  the  rapid  compression  results  in  frothing  which  may 
significantly  reduce  this  damping  force.  When  the  pressure  in  the  fuel  lines  is  less  than  15  psia  prior  to 
opening  the  FIV’s,  surge  pressures  over  2500  psia  could  result  (WSTF  Report  96-30335,  11/14/96). 

White  Sands  straight  tube  cmd  U-tube  testing  showed  that  hydrazine  becomes  unstable  above  2500  psia 
cmd  Adiabatic  Bubble  Compression  Detonation  (ABCD)  could  occur  (RD-WSTF-0002,  2/20/90). 
Reference  SODB,  Vol.  I,  3. 4. 4. 3,  cmd  Rule  (A10-22},  APU  START/RESTART  LIMITS.  ©[032802-5345A] 

Loss  of  the  FPIP  transducer  results  in  loss  of  pressure  monitoring  of  the  portion  of  fuel  line  between  the 
FIV’s  cmd  the  SOV.  Loss  of  instrumentation  alone  is  insufficient  cause  to  declare  cm  APU  lost,  but  other 
factors  (rising  drain  line  pressure,  history  of  leakage,  leakage  trend  prior  to  transducer  loss,  etc.)  in 
conjunction  with  loss  of  instrumentation  may  be  enough  to  declare  loss  of  a  system. 

The  34  psia  limit  accounts  for  transducer  inaccuracies.  Actual  transducer  biases  are  given  for  each 
mission  based  on  data  from  KSC  cmd  should  be  taken  into  accoun  t  for  each  system.  @[021 998-6491  A] 
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A10-1  APU  LOSS  DEFINITIONS  (CONTINUED) 

B.  GG  INJECTOR  COOLING  CAPABILITY  IS  CONSIDERED  LOST  IF  GG 
INJECTOR  COOLING  WATER  TANK  PRESSURE  IS  <55  (62)  PSIA  AT 

70  DEG  F  (GROUND  DETECTION  ONLY)  OR  TANK  OR  LINE 
TEMPERATURES  ARE  <  32  (38)  DEG  F.  ®[ED  ]  ®[032802-5345A] 

As  long  as  at  least  one  restart  capability  remains,  injector  cooling  is  still  usable.  From  the  SODB  curve, 
with  one  restart  remaining  (five  used  already)  and  using  worst  case  temperature  of  70  deg  F,  the 
minimum  pressure  is  55  psia.  Below  this  pressure,  no  hot  restarts  remain  and  injector  cooling  is 
considered  lost.  Reference  SODB,  Vol.  I,  4. 4. 3. 5.  ®[032802-5345A] 
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A10-21  LOSS  OF  APU/HYDRAULIC  SYSTEM (S)  ACTIONS 

A.  EARLY  MISSION  TERMINATION  FOR  APU/HYDRAULIC  SYSTEM  LOSS(ES) 

WILL  BE  AS  FOLLOWS: 

1.  FOR  LOSS  OF  A  SINGLE  APU/HYDRAULIC  SYSTEM,  FLIGHT  WILL 
CONTINUE  TO  NOMINAL  EOM  UNLESS  A  REVIEW  OF  THE  FAILURE 
MODE  AND  THE  REMAINING  APU/HYDRAULIC  SYSTEMS'  CAPABILITY 
DETERMINES  EARLY  MISSION  TERMINATION  IS  APPROPRIATE. 
@[041097-461  IB] 

The  APU/hydraulic  systems  are  essentially  quiescent  while  on-orbit.  Because  a  subsequent  failure  of 
another  APU /hydraulic  system  will  likely  only  occur  when  these  systems  are  operated  for  entry,  there  are 
no  significant  risks  to  continuing  the  flight  until  nominal  EOM.  A  review  of  the  failure  mode  and  the 
remaining  APU/hydraulic  systems  capability  is  required  to  determine  that  there  are  no  generic  or  other 
failure  concerns. 

Rules  {A2-102B},  MISSION  DURATION  REQUIREMENTS;  and  {A2-301},  CONTINGENCY  ACTION 
SUMMARY,  reference  this  rule. 

2.  FOR  LOSS  OF  REDUNDANCY  IN  THE  APU/HYDRAULIC/WSB  SYSTEMS 
WHERE  THE  NEXT  FAILURE  RESULTS  IN  SINGLE  APU/HYDRAULIC 
SYSTEM  OPERATION  AT  ANY  POINT  FROM  El  TO  WHEELSTOP,  A 
NEXT  PLS  WILL  BE  PERFORMED. 


It  is  prudent  to  shorten  the  mission  to  minimize  the  time  of  exposure  to  any  additional  on-orbit  failure 
that  would  result  in  a  single  APU  entry.  Only  detectable  on-orbit  failures,  including  electrical  bus 
failures,  which  may  be  affected  by  increased  time  on  orbit  will  be  considered  as  basis  for  early  mission 
termination.  Examples  of  redundancy  for  APU /hydraulic/WSB  systems  include,  but  are  not  limited  to, 
the  following: 

APU  Controller  RPC,  MPU,  fuel  tank  isolation  valve,  fuel  line  heaters 
HYD  Accumulator  (leak),  circ  pump,  main  pump  depress  RPC 
WSB  Controller,  steam  vent  heater 

Each  of  the  above  components  has  experienced  failure  at  least  once  during  the  history  of  the  program. 
This  rule  is  referenced  by  Rule  {A10-122B},  LOSS  OF  WSB(S)  ACTIONS.  @[041 097-461  IB] 
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A10-21  LOSS  OF  APU/HYDRAULIC  SYSTEM (S)  ACTIONS 

(CONTINUED) 

3.  FOR  LOSS  OF  TWO  APU/HYDRAULIC  SYSTEMS,  ENTRY  WILL  BE 
PERFORMED  AT  THE  NEXT  PLS  OPPORTUNITY  THAT  ALLOWS  FOR 
EXPEDITED  PAYLOAD  DEPLOY/ JETTISON .  FOR  NONDEPLOY 
FLIGHTS,  ENTRY  WILL  BE  PERFORMED  AT  THE  NEXT  PLS 
OPPORTUNITY  (FIRST  DAY  PLS  IF  APPLICABLE)  .  ®[041 097-461 1 B] 

The  loss  of  two  APU/hydraulic  systems  results  in  a  situation  where  a  single  APU  entry  has  to  be  made. 

It  is  desirable  to  stay  on  orbit  in  order  to  deploy  payloads  because  this  will  improve  the  vehicle 
capability  to  maneuver  and  land  safely.  Jettison  of  deployable  payloads  that  for  some  reason  cannot 
be  deployed  should  be  considered  and  used  as  a  means  of  last  resort  to  improve  the  vehicle  entry  and 
landing  capability.  Once  attempts  have  been  made  to  deploy  the  payloads,  the  mission  should  not  be 
extended  beyond  the  next  PLS  opportunity.  Staying  on  orbit  increases  the  vehicle  exposure  time  to  the 
loss  of  the  last  APU.  For  flights  where  nondeployable  payloads  are  onboard,  the  risk  of  staying  on 
orbit  outweighs  the  gain  of  continuing  the  flight;  therefore,  the  mission  should  be  terminated. 

The  PLS  opportunity  should  be  selected  which  provides  the  best  possible  conditions  (i.e.,  trajectory, 
landing  site,  crew  and  vehicle  health,  weather  conditions,  etc.)  for  a  single  APU  entry.  Reference  WX 
placards  in  Rule  {A10-23A},  APU  ENTRY  START  TIME. 

4.  FOR  IMPENDING  LOSS  OF  ALL  APU/HYDRAULIC  SYSTEM  CAPABILITY, 
AN  ABORT  AT  THE  EARLIEST  OPPORTUNITY  WILL  BE  PERFORMED. 

THE  PREFERRED  ABORT  MODE  PRIORITY  IS  RTLS ,  TAL,  AO A,  FIRST 
DAY  PLS,  PLS,  AND  ELS.  ®[041 097-461 1 B]  @[040899-6857] 

Since  at  least  one  operating  APU/hydraulic  system  is  required  for  entry,  a  landing  as  soon  as  possible 
is  required  if  all  APU/hydraulic  system  capability  is  failing.  If  this  failure  situation  develops  during 
ascent,  cm  abort  mode  should  be  selected  that  minimizes  entry  time.  This  rule  assumes  that  at  least  one 
APU/hydraulic  system  will  be  operating  at  any  point  throughout  entry  to  wheelstop.  @[040899-6857  ] 

Rules  (A2-54AJ.1,  RTLS,  TAL,  AND  AOA  ABORTS  FOR  SYSTEMS  FAILURES  [CIL],  and  (A2-205A}.2.c, 
EMERGENCY  DEORBIT,  reference  this  rule. 
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A10-21  LOSS  OF  APU/HYDRAULIC  SYSTEM (S)  ACTIONS 

(CONTINUED) 


B.  DURING  ENTRY,  IF  ONLY  ONE  GOOD  APU/HYDRAULIC  SYSTEM  IS 

AVAILABLE  THE  APU  WILL  NOT  BE  SHUT  DOWN  IF  RUNNING  AND  ITS 
HYDRAULIC  PUMP  WILL  BE  IN  "LOW  PRESS"  UNTIL  MM  304.  IF  NOT 
RUNNING,  THE  APU  WILL  BE  STARTED  AT  TIG  MINUS  5  MINUTES.  AN 
ABBREVIATED  ACTUATOR  CHECK  MAY  BE  PERFORMED  IF  REQUIRED.  NO 
HYDRAULIC  THERMAL  CONDITIONING  OR  SSME  REPRESSURIZATION  WILL 
BE  PERFORMED.  IF  THE  APU/HYDRAULIC  SYSTEM  IS  NOT  NOMINAL,  IT 
WILL  BE  SHUT  DOWN  AND  RESTARTED,  IF  REQUIRED,  TO  MAINTAIN  THE 
SYSTEM  FROM  MM  304  THROUGH  WHEELSTOP  .  @[021199-6814] 


If  an  APU  is  shut  down,  there  is  always  the  risk  that  it  may  not  restart.  This  risk,  however  small,  is 
simply  not  warranted  in  light  of  the  criticality  of  the  single  APU  that  remains.  The  hydraulic  pump  is 
depressurized  not  only  to  save  fuel,  but  also  to  put  minimum  stress  on  the  system  until  absolutely 
required  (MM  304-EI).  However,  if  an  abbreviated  secondary  actuator  check  is  to  be  performed,  the 
system  will  be  taken  to  normal  pressure  in  MM  303  post-deorbit  burn  just  prior  to  the  start  of  the 
check.  If  the  APU  is  not  already  running  ( other  two  APU’s  known  to  be  failed  prior  to  TIG  minus  5 
minutes),  it  will  be  started  at  TIG  minus  5  min  utes.  This  ensures  the  APU  will  be  fully  operational 
before  committing  to  the  deorbit  burn. 

Reference  Rules  {A8-104},  FCS  CHECKOUT,  and  {A10-lj,  APU  LOSS  DEFINITIONS. 
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A10-22  APU  START/RESTART  LIMITS 


A.  AN  APU  START/RESTART  MAY  BE  ATTEMPTED  AT  ANYTIME  IF  THE 
BRANCH  PASSAGE  TEMPERATURE  IS  WITHIN  ACCEPTABLE  LIMITS. 

BRANCH  PASSAGE  TEMPERATURE  IS  ENSURED  TO  BE  WITHIN  ACCEPTABLE 
LIMITS  IF  ANY  OF  THE  FOLLOWING  IS  TRUE:  ©[072398-6685A] 

1.  NO  MORE  THAN  1  SECOND  HAS  ELAPSED  AFTER  TERMINATION  OF  A 
MINIMUM  OF  3.5  MINUTES  OF  CONTINUOUS  ACTIVE  GG  INJECTOR 
COOLING. 


2  . 


GG  BED  TEMPERATURE  <  444  (430)  DEG  F  WITHOUT  ACTIVE  GG 

INJECTOR  COOLING  IF  HIGH  TEMPERATURE  IS  DUE  TO  BED  HEATER 
CYCLING. 


3.  GG  BED  TEMPERATURE  <  415  (401)  DEG  F  WITHOUT  ACTIVE  GG 

INJECTOR  COOLING  IF  HIGH  TEMPERATURE  IS  DUE  TO  HEAT 
SOAKBACK  FROM  APU  OPERATION. 


Branch  passage  temperatures  must  be  below  415  deg  F for  a  safe  restart.  This  temperature  is  not 
necessarily  reflected  by  the  GG  injector  instrumentation;  therefore,  the  only  reliable  method  to  ensure  a 
safe  limit  is  to  cool  the  injector  for  the  3. 5-minute  period  or  to  verify  the  temperature,  as  measured  by 
instrumentation  at  the  injector,  is  below  415  deg  F,  which  will  ensure  that  the  branch  passages  are  also 
below  the  limit.  Once  cooling  has  been  terminated  the  branch  passage  temperature  will  rise  rapidly  with 
the  GG  injector  temperature,  violating  restart  limits,  and  causing  the  APU  to  require  additional  cooling. 

The  A  and  B  GG  bed  heaters  are  located  on  opposite  sides  of  the  bed  and  wrap  160  degrees  around  the 
bed.  The  GG  bed  temperature  transducer  is  located  near  the  B  heater.  If  the  supplied  heat  comes  from 
either  heater,  Sundstrand  thermal  analysis  has  shown  that  the  temperature  of  the  branch  passages  will 
remain  well  below  that  indicated  by  the  bed  temperature  transducer.  However,  if  the  supplied  heat  is 
from  soakback  due  to  APU  operation,  there  are  parts  of  the  bed  that  will  be  much  hotter  than  the 
transducer  and  the  measured  temperature  will  not  be  the  maximum.  See  the  SODB,  vol.  I,  figure  4.4.3 
for  test  data.  If  the  GG  bed  temperature  is  above  specified  limits  and  a  start  attempt  is  made,  the 
hydrazine  fuel  will  begin  decomposing  before  reaching  the  bed.  The  result  will  be  extreme  GG  pressure 
spikes  and  possibly  an  uncon  tained  APU  GG  explosion.  The  danger  of  explosion  increases  with  GG 
temperature  at  the  time  of  restart.  On  a  test  stand  at  Sundstrand,  an  APU  was  successfully  restarted  with 
sea-level  pressure  and  a  hot  bed  19  times.  It  exploded  during  the  20th  try.  Later,  with  near  space 
pressure  in  a  chamber  at  JSC  (TTA),  an  APU  exploded  during  the  first  hot  restart  attempt  without  GG 
cooling  (hot  restart).  Despite  this  test  information,  it  is  not  possible  to  make  a  correlation  between 
altitude  and  the  probability  of  an  explosion  for  a  hot  restart  attempt  (reference  SODB,  vol.  I,  3. 4. 4. 3). 

Rules  (A10-23BJ,  APU  ENTRY  START  TIME,  and  {A10-33},  APU  DEFINITIONS,  reference  this  rule. 

®[072398-6685A] 
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A10-22  APU  START/RESTART  LIMITS  (CONTINUED) 

B.  AN  APU  CAN  BE  RESTARTED  PROVIDED  THE  FUEL  PUMP  TEMPERATURE 

IS  <  210  (204)  DEG  F,  AND  THE  VALVE  MODULE  TEMPERATURE  IS  < 
200  (194)  DEG  F.  ®[032802-5345A] 

Large  bubbles  may  form  in  the  valve  module  or  in  the  fuel  pump  due  to  decomposition.  When  the  APU 
is  started,  the  bubbles  will  collect  in  the  filter  downstream  of  the  pump  or  in  the  valve,  and  the  pump 
output  pressure  will  increase  as  the  pump  comes  up  to  speed  when  the  APU  is  started.  Adiabatic 
compression  of  the  bubbles  will  increase  their  temperature  and  could  cause  the  hydrazine  to  detonate. 

If  allowed  to  cool,  the  bubbles  that  may  have  formed  are  much  less  likely  to  cause  problems  when  the 
APU  is  started.  During  tests,  an  APU  fuel  system  has  detonated  on  a  start  attempt  with  fuel  pump 
temperature  above  240  deg  F  and  GGVM  temperature  above  200  deg  F.  None  have  detonated  during 
starts  below  210  deg  F  on  the  pump  and  200  deg  on  the  valve,  even  if  the  temperature  had  been  higher 
previous  to  the  start  attempt.  While  the  high  temperatures  were  not  absolutely  determined  to  have 
caused  the  APU  detonations,  they  are  still  considered  to  be  the  most  likely  reason  for  the  failures. 
Reference  RI  interned  letter  no.  SSD-287 -400-92-050,  dated  1/6/92. 

Rule  { A10-23B}.4 ,  APU  ENTRY  START  TIME,  references  this  rule. 

C.  AN  APU  WILL  NOT  BE  RESTARTED  THAT  HAS  BEEN  SHUT  DOWN  DUE  TO 
CONFIRMED  OVERSPEED. 

An  APU  overspeed  is  an  extremely  hazardous  situation  as  the  turbine  could  disintegrate,  producing 
shrapnel,  and  if  uncontained,  could  damage  other  equipmen  t  in  the  aft  fuselage.  Once  scifed,  either  by 
manned  or  automatic  shutdown,  the  affected  APU  should  never  be  restarted. 

D.  APU  START  WITH  LOW  FUEL  TANK  PRESSURE: 

1.  AUTO  SHUTDOWN  WILL  BE  INHIBITED  FOR  AN  APU  START  WITH  THE 

FUEL  TANK  PRESSURE  <  90  (99)  PSIA. 

Normal  APU  starts  at  fuel  tank  pressures  >  70  psia  are  not  considered  dangerous  but  may  result  in 
cm  APU  underspeecl  shutdown.  Low  tank  pressures  will  cause  a  slower  than  normal  turbine  spinup 
( violating  the  10. 5-second  startup  criteria);  hence,  auto  shutdown  inhibit  mode  is  recommended. 

Reference  SODB,  Vol.  I,  3.4.43,  and  Rule{A10-lA.8j,  APU  LOSS  DEFINITIONS. 

2.  RESTART  WILL  NOT  BE  PERFORMED  ON  AN  APU  WITH  THE  FUEL 

TANK  PRESSURE  <  100  (109)  PSIA.  ©[032802-5345A] 

Restarts  at  low  fuel  pressures  can  result  in  uncontrolled  hydrazine  decomposition  in  the  APU  bed, 
causing  a  detonation. 
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A10-22  APU  START/RESTART  LIMITS  (CONTINUED) 

E.  AN  APU  WILL  NOT  BE  STARTED  WITH  THE  GAS  GENERATOR  BED 

TEMPERATURE  <  70  (84)  DEG  F,  UNLESS  REQUIRED.  ®[072398-6685A]  @[032802- 

5345A] 

Should  both  GG  bed  heaters  fail  on  orbit,  this  rule  allows  the  affected  APU  to  be  restarted  as  long  as  the 
bed  temperature  remains  above  70  deg  (84  deg)  F.  Testing  at  the  component  GG  level  showed  that  peak 
chamber  pressures  and  catalyst  ignition  time  delays  were  affected  more  by  bed  temperature  than  catalyst 
poisoning  and  both  began  increasing  below  a  temperature  of  100  deg  F.  Below  70  deg  F,  the  peak 
chamber  pressures  and  ignition  time  delays  increased  exponentially,  indicating  a  potential  for 
detonation  at  APU  start. 

Operationally,  the  risk  of  APU  detonation  as  a  result  of  low  GG  bed  temperatures  is  judged  to  be  less 
than  the  risks  associated  with  entry  on  only  one  APU.  An  APU  with  both  GG  bed  heaters  failed  off  will 
not  be  considered  lost  for  mission  planning  purposes  since  it  may  be  used  when  absolutely  necessary. 

Documentation:  SODB,  Vol.  I,  sec.  3. 4. 4. 3  and  Figure  4.4.3-20,  and  ORBITER  APU  REVIEW, 
Sundstrand,  June  28,  1990,  p.  22-25. 

Reference  Rules  (A10-30A},  LOSS  OF  APU  HEATERS/INSTRUMENTATION  [CIL],  and  {A10-33}, 

APU  DEFINITIONS. 

F.  DURING  ASCENT,  IF  AN  APU  LUBE  OIL  OUTLET  TEMPERATURE  EXCEEDS 

375  (368)  DEG  F  OR  GEARBOX  BEARING  TEMPERATURE  EXCEEDS  400 

(389)  DEG  F,  THE  AFFECTED  APU  WILL  NOT  BE  STARTED  FOR  ENTRY 
UNLESS  REQUIRED. 

Above  these  limits,  lubrication  is  degraded,  and  gear/bearing/ APU  damage  will  eventually  occur. 
Engineering  tests  have  not  been  performed  to  determine  APU  life  with  temperatures  above  these  limits. 
However,  based  on  engineering  judgment,  the  APU  should  be  able  to  support  entry,  although  seal  and/or 
lube  oil  degradation  and  increased  APU  temperatures  may  result.  In  addition,  consideration  can  be 
given  to  starting  the  APU  at  TAEM  to  provide  three  APU’s  if  a  real-time  evaluation  of  the  ascent 
temperature  signature  indicates  that  the  oil/bearing  heat  up  rate  will  be  slow  enough  to  prevent 
overheating  from  TAEM  through  wheel  stop.  Reference  SODB,  Vol.  I,  sec.  3.4. 4. 3.  ©[032802-5345A] 

Rule  { A10-23BJ ,  APU  ENTRY  START  TIME  references  this  rule.  Reference  Rule  {A10-33},  APU 
DEFINITIONS.  ©[072398-6685A] 
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A10-22  APU  START/RESTART  LIMITS  (CONTINUED) 

G.  ON  ORBIT,  AN  APU  CAN  ONLY  BE  STARTED  IN  OPS  8  OR  OPS  3.  ALL 
AEROSURFACE  AMPLIFIERS  MUST  BE  ON  TO  PRECLUDE  DAMAGE  TO  THE 
AEROSURFACE  ACTUATORS . 

With  the  APU’ s  and  aerosurface  amplifiers  (ASA’s)  off  (normal  on-orbit  conditions),  the  aerosurfaces, 
over  a  period  of  days,  tend  to  “drift”  from  their  original  positions.  This  is  due  to  a  combination  of 
gravity  torques  and  circulation  pump  operations.  If  an  APU  is  then  started  with  the  ASA 's  off  and  full 
hydraulic  pressure  applied,  the  actuator  will  tty  to  drive  the  aerosurface  to  its  hardstop,  possibly  causing 
damage.  With  the  ASA ’s  on  and  the  software  in  OPS  3  or  OPS  8,  new  commands  are  issued  which  cause 
little  or  no  surface  motion.  Without  OPS  3  or  OPS  8,  the  surfaces  will  drive  at  high  rate  to  the  last 
commanded  position.  Once  an  APU  has  been  started  in  OPS  3  or  OPS  8,  transition  back  to  OPS  2  can 
be  accomplished  without  fear  of  damage  to  an  actuator. 

Reference  Rule  {A8-112},  AEROSURFACE  ACTUATOR  PROTECTION. 

H.  THE  FUEL  ISOLATION  VALVES  WILL  NOT  BE  OPENED  ON  AN  APU  WITH  A 
FUEL  PUMP  INLET  PRESSURE  <  15  (34)  PSIA,  UNLESS  THE  APU  IS 
REQUIRED.  THE  FUEL  ISOLATION  VALVES  MAY  BE  CYCLED  OPEN  ONCE 
TO  REPRESSURIZE  THE  FUEL  LINE  PRIOR  TO  REACHING  THE  LOWER 

LIMIT.  ®[021 998-6491  A]  ®[072398-6685A] 

Starting  an  APU  with  a  low  FPIP  may  result  in  high  surge  pressures  and  introduces  the  possibility  of 
Adiabatic  Bubble  Compression  Detonation  (ABCD).  Reference  SODB,  vol.  I,  3.4. 4. 3,  and  Rules  {A10- 
1 },  APU  LOSS  DEFINITIONS,  and  { A10-33 },  APU  DEFINITIONS.  ®[072398-6685A] 

If  a  corresponding  increase  in  drain  line  pressure  is  noted,  ,  the  fuel  isolation  valves  may  be  opened  to 
repressurize  the  fuel  line  to  prevent  reaching  the  loss  limit.  The  pressure  in  the  drain  line  and  the  fuel 
feed  line  should  equalize  to  a  value  greater  than  16.8  psia  ( the  reseat  pressure  of  the  drain  line 
overboard  relief  valve)  if  leakage  con  tin  ues.  This  should  not  be  done  more  than  once,  since  con  tin  ued 
leakage  below  the  limit  indicates  a  possible  external  leak. 

The  34  psia  limit  accounts  for  transducer  inaccuracies.  Actual  transducer  biases  are  given  for  each 
mission  based  on  data  from  KSC  and  should  be  taken  into  account  for  each  system.  ®[02i  998-6491  A] 
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A10-23  APU  ENTRY  START  TIME 

A.  AT  LEAST  ONE  APU/HYDRAULIC  SYSTEM  MUST  BE  OPERATING  PRIOR  TO 
EXECUTING  THE  DEORBIT  BURN. 

1.  PRIOR  TO  THE  DEORBIT  BURN,  IF  AN  APU/HYDRAULIC  SYSTEM 

FAILS  OR  ITS  CAPABILITY  TO  SUPPORT  TAEM  THROUGH  WHEELSTOP 
IS  SUSPECT,  ANOTHER  APU  WILL  BE  STARTED  IF  THE  FOLLOWING 
WEATHER  PLACARDS  ARE  MET  FOR  THE  TARGETED  LANDING  SITE: 

@[021199-6814] 

a.  CEILING  ?  10K  FEET 

b.  VISIBILITY  ?  7  STATUTE  MILES 

c.  CROSSWIND  ?  10  KNOTS  (PEAK) 

d.  NO  GREATER  THAN  LIGHT  TURBULENCE 

e.  ACCEPTABLE  ROLLOUT  MARGIN/BRAKE  ENERGY  ON  HALF  BRAKES 
WITHOUT  NWS  (DIFFERENTIAL  BRAKING) 

OTHERWISE,  THE  DEORBIT  BURN  WILL  NOT  BE  EXECUTED. 
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A10-23  APU  ENTRY  START  TIME  (CONTINUED) 

2.  IF  AN  APU/HYDRAULIC  SYSTEM  IS  NOT  OPERATING  NOMINALLY 
PRIOR  TO  THE  DEORBIT  BURN,  BUT  IS  NOT  CONSIDERED 
FAILED,  AND  ITS  CAPABILITY  TO  SUPPORT  TAEM  THROUGH 
WHEELSTOP  IS  NOT  SUSPECT,  THE  DEORBIT  BURN  WILL  BE 
EXECUTED.  IF  NECESSARY,  ANOTHER  APU  WILL  BE  STARTED 
AND  THE  FIRST  APU  SHUT  DOWN.  @[021199-6814] 

Starting  an  APU  prior  to  the  deorbit  burn  gives  a  measure  of  confidence  that  at  least  one  APU  will 
support  entry.  Nominally,  more  than  one  APU  is  not  started  prior  to  the  deorbit  burn  in  order  to 
preserve  consumables  for  dynamic  flight  where  operating  APU /hydraulic  systems  are  required.  The 
loss  of  a  second  APU  can  be  sustained  as  long  as  the  weather  placards  are  obsen’ed.  Actual  runway 
priority  depends  on  weight  and  C.G.  (reference  Rule  {A2-207},  LANDING  SITE  SELECTION).  Once 
the  deorbit  burn  begins,  no  action  will  be  taken  to  terminate  above  safe  Hp  for  APU /hydraulic  system 
failures. 

An  APU  that  is  not  operating  nominally,  yet  not  considered  failed  ( e.  g. ,  shift  to  high  speed),  can  still  be 
operated  during  the  critical  portions  of  entry,  though  it  may  be  preferable  to  shut  it  down  until  it  is 
needed.  If  there  is  a  situation  where  it  is  prudent  to  shut  down  the  off-nominal  APU,  the  plan  is  to  start 
another  APU  prior  to  the  deorbit  burn  and  shut  down  the  off-nominal  APU /hydraulic  system.  If  there  is 
not  time  to  start  a  second  APU,  the  deorbit  burn  will  proceed,  and  appropriate  action  will  be  taken 
during  deorbit  coast.  In  this  situation,  starting  a  second  APU  is  acceptable  even  though,  in  some  cases, 
if  the  APU  had  actually  been  failed,  a  second  APU  would  not  have  been  started.  However,  if  the  failure 
mode  is  not  understood,  then  that  APU  capability  to  support  TAEM  through  wheelstop  will  be  considered 
suspect.  @[021199-6814] 

Reference  Rules  (A2-6),  LANDING  SITE  WEATHER  CRITERIA  [HC],  and  { A4-108 },  TIRE  SPEED, 
BRAKING,  AND  ROLLOUT  REQ UIREMENTS.  ®[i  1 1 094-1 622B] 

Rules  {A2-6},  LANDING  SITE  WEATHER  CRITERIA  [HC];  {A2-102B},  MISSION  DURATION 
REQUIREMENTS;  [A2-207],  LANDING  SITE  SELECTION;  {A2-301},  CONTINGENCY  ACTION 
SUMMARY;  and,  [ A10-21 },  LOSS  OF  APU/HYDRAULIC  SYSTEM(S)  ACTIONS,  reference  this  rule. 

@[111 094-1 622B] 
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A10-23  APU  ENTRY  START  TIME  (CONTINUED) 

B.  AN  APU  WILL  HAVE  ITS  ENTRY  START  TIME  DELAYED  FOR  THE 
FOLLOWING: 


FAILURE/CONSTRAINT 

START  TIME 

1. 

LOSS  OF  WSB  COOLING  CAPABILITY 

TAEM 

2. 

APU  LUBE  OIL  OUTLET  OR  GEARBOX  BEARING 
TEMPERATURES  EXCEEDED  LIMITS  SPECIFIED  IN  RULE 
{A10-22F}  ,  APU  START/RESTART  LIMITS,  DURING  ASCENT 

NO  EARLIER  THAN  TAEM  (IF  NEEDED  TO 
MAINTAIN  TWO  SYSTEMS) 

3. 

APU  WILL  ONLY  OPERATE  WITH  THE  AUTO  SHUTDOWN 
FUNCTION  INHIBITED 

TAEM  (UNLESS  NEEDED  EARLIER  TO 
MAINTAIN  TWO  SYSTEMS) 

4. 

APU  DOES  NOT  HAVE  GG  INJECTOR  COOLING  (IF 
APPLICABLE  TO  SINGLE  APU  ONLY) 

El-13 

5. 

GEARBOX  OR  GN2  REPRESS  BOTTLE  HAS  KNOWN 
EXTERNAL  LEAK  WHICH  WILL  NOT  SUPPORT  ENTIRE 

ENTRY  OR  GN2  REPRESS  VALVE  IS  FAILED  CLOSED 

NO  LATER  THAN  MACH  1 .0 

6. 

HYDRAULIC  SYSTEM  LEAK 

NO  EARLIER  THAN  TAEM  BASED  ON 

LEAK  RATE 

7. 

FREON  LEAK  INTO  A  HYDRAULIC  SYSTEM 

TAEM 

8. 

HYDRAULIC  SYSTEM  RESERVOIR  PRESSURE  LOST 

AFTER  OTHER  APU'S  RUNNING  AT 
NORMAL  PRESSURE 

9. 

HYDRAULIC  SYSTEM  RESERVOIR  TEMPERATURE  >  162° 

(1 54°)  F  PRIOR  TO  DEORBIT  APU  START. 

TAEM 

®[051 194-1 61 9B]  ®[ED  ]  ®[ED  ] 


1,  2.  The  loss  of  lube  oil  cooling  will  limit  APU  run  time  to  approximately  11  minutes,  based  on 
data  from  previous  flights.  The  time  period  from  TAEM  through  landing  is  more  critical  for 
APU /hydraulic  system  availability  since  the  system  will  be  needed  for  heavy  aerosurface 
activity,  landing  gear  deployment,  and  braking  during  that  period. 

IfWSB  cooling  was  lost  for  the  hydraulic  fluid  (due  to  a  failure  of  the  bypass  valve),  the  impact  to 
the  system  is  not  so  much  overheating  of  the  hydraulic  system,  but  rather  possible  premature 
depletion  of  the  water  supply  for  the  water  boiler,  resulting  in  the  loss  of  APU  cooling.  Bypass 
valve  failures  during  entry  on  STS-7  and  STS  61-C  caused  significant  depletion  in  the  water 
supply.  The  hydraulic  fluid  temperature  sensors  demanded  spraying,  but  the  bypass  valve  failure 
did  not  allow  the  fluid  to  receive  any  cooling  and  spraying  continued.  The  APU  start  time  should 
be  delayed  to  move  the  time  at  which  the  hydraulic  fluid  temperatures  will  demand  spraying  to  as 
close  to  TAEM  as  possible. 

Reference  Rule  (A10-22FJ,  APU  START/RESTART  LIMITS. 

3.  Since  inhibiting  the  auto  shutdown  logic  does  remove  one  layer  of  protection,  starting  the 
APU  at  TAEM  will  reduce  the  amount  of  time  this  protection  is  not  present.  However,  if 
another  APU/  hydraulic  system  is  failed  or  failing,  this  APU  may  be  started  earlier  than 
TAEM  to  maintain  two  systems.  In  this  case,  it  would  not  be  necessary  to  start  the  APU  any 
earlier  than  El  minus  13  minutes. 
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A10-23  APU  ENTRY  START  TIME  (CONTINUED) 

4.  If  an  APU  is  started  at  TIG  minus  5  minutes  and  then  a  one-orbit  waveojfis  declared,  the  APU  will 
have  to  be  shut  down.  Without  injector  cooling,  this  APU  could  not  be  restarted  to  support  entry 
as  it  would  not  have  had  time  to  cool  (reference  Rule  (A10-22AJ,  APU  START/RESTART  LIMITS). 
For  this  case,  the  APU  should  be  started  after  the  deorbit  burn  as  a  waveojfis  no  longer  a 
possibility. 

5.  If  gearbox  GN2  leakage  occurs,  the  GN2  repressurization  bottle  will  repressurize  the  gearbox  at 
APU  start.  GN2  will  leak,  requiring  further  represses  and  eventually  depleting  the  bottle.  By 
delaying  the  start  of  the  APU  until  Mach  1.0,  atmospheric  pressure  would  prevent  further  leakage 
from  the  gearbox  while  the  APU  is  running  and  actually  would  tend  to  back  pressurize  the 
gearbox.  It  is  not  possible  to  distinguish  between  an  oil  leak  and  a  GN2  leak  when  the  APU  is  not 
running.  If  the  drop  in  pressure  is  due  to  oil  leakage,  low  oil  pressure  will  be  seen  at  startup, 
bearing  temperatures  will  rise  rapidly,  and  the  APU  will  have  to  be  shut  down. 

If  the  GN2  bottle  develops  a  leak  or  the  repress  valve  fails  closed,  typical  GN2  leakage  from  the  gearbox 
may  not  support  the  entire  entry.  In  this  case,  delay  the  start  of  the  APU  until  it  will  support 
through  wheel  stop  or  Mach  1.0,  where  atmospheric  pressure  will  prevent  GN2  leakage  from  the 
gearbox.  With  an  evacuated  repress  bottle,  if  a  gearbox  repress  is  required,  the  valve  will  come 
open  and  the  oil/GN2from  the  gearbox  will  flow  into  the  bottle.  The  pressure  would  equalize  at  a 
lower  value,  the  valve  will  remain  open,  and  the  0U/GN2  will  continue  to  leak.  Below  Mach  1,  the 
repress  valve  most  likely  will  not  be  activated.  If  it  is,  there  will  be  some  atmospheric  pressure  in 
the  bottle  that  will  reduce  the  amount  of  flow  from  the  gearbox.  @[021199-6814] 

Reference  Rules  {A10-lAj.5,  APU  LOSS  DEFINITIONS,  and  (A10-24C},  APU  OIL/GEARBOX 
TEMPERATURE/PRESSURE. 

6.  See  Rule  { A10-72J ,  HYDRAULIC  LEAKS,  for  rationale. 

7.  Analysis  by  RI/Downey  has  determined  that  when  Freon  and  hydraulic  fluid  are  mixed,  the  bulk 
modulus  of  the  hydraulic  fluid  is  main  tained  within  cm  acceptable  range  as  long  as  fluid 
temperatures  are  limited  to  below  150  deg  F.  To  prevent  excessive  temperature  buildup  in  a 
hydraulic  system  with  a  Freon  leak  into  it,  the  associated  APU  start  should  be  delayed  until  no 
earlier  than  TAEM.  The  temperature  rise  from  TAEM  to  wheelstop  is  not  expected  to  exceed 

1 00  deg  F.  @[021 1 99-6814  ] 

THIS  RULE  CONTINUED  ON  NEXT  PAGE 


VOLUME  A  06/20/02  FINAL  MECHANICAL  10-18 

Verify  that  this  is  the  correct  version  before  use. 


NASA  -  JOHNSON  SPACE  CENTER 


FLIGHT  RULES 


A10-23  APU  ENTRY  START  TIME  (CONTINUED) 

8.  Loss  of  bootstrap  pressure  may  result  in  cavitation  of  the  hydraulic  pump  when  a  start  attempt  is 
made.  Rockwell/Downey  studies  have  shown  that  start  capability  is  questionable  when  reservoir 
pressure  is  below  15  psi.  If  bootstrap  pressure  is  lost  and  cannot  be  maintained  by  the  circulation 
pump,  the  start  attempt  should  be  delayed  until  the  most  favorable  conditions  exist.  Intersystem 
leakage  from  two  other  hydraulic  systems  operating  at  full  pressure  will  provide  some  head 
pressure.  Additional  head  pressure  may  be  obtained  by  starting  the  APU  at  a  lower  altitude,  when 
atmospheric  pressure  and  gravity  will  be  acting  on  the  hydraulic  system.  Once  the  APU  has 
started,  the  mean  pump  should  be  run  in  NORM  pressure.  Reference  Rule  {A10-51A}.5, 
HYDRAULIC  LOSS  DEFINITIONS;  RIC IL  288-503-81-055,  November  10,  1981;  and  STS-7 
SPAN/MER  Action  Request  041,  June  21,  1983. 

9.  Hydraulic  system  temperatures  greater  than  162  deg  F  at  APU  start  will  lead  to  early  water  spray 
boiler  spraying.  The  early  spraying  coupled  with  cool  lube  oil  temperatures  could  lead  to  a  water 
spray  boiler  freeze  up  and  loss  of  the  associated  APU  lube  oil  cooling.  Loss  of  lube  oil  cooling 
would  require  an  APU  shutdown.  The  APU  could  not  be  restarted  until  Mach  1  to  support 
through  wheelstop  (reference  Rule  { A10-24B },  APU  OIL/GEARBOX 

TEMPERATURE/PRESSURE).  To  avoid  this  situation,  starting  cm  APU /hydraulic  system  with 
reservoir  temperature  greater  than  162  (154)  deg  F  should  be  delayed  until  TAEM.  At  reservoir 
temperatures  below  162  (154)  deg  F  the  APU  lube  oil  will  require  cooling  prior  to  hydraulic 
spraying.  The  heat  load  from  the  APU  will  prevent  a  water  spray  boiler  freezeup.  ®[021 199-6814  ] 

Rules  (A10-24CJ,  APU  OIL/GEARBOX  TEMPERATURE/PRESSURE;  { A10-122BJ ,  LOSS  OF  WSB(s) 

ACTIONS;  and  { A10-73E },  HYDRAULIC  SYSTEM  PRESSURE/TEMPERATURE,  reference  this  rule. 

®[051 194-1 61 9B] 
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A10-24  APU  OIL/GEARBOX  TEMPERATURE /PRES SURE 

A.  POST-MECO,  AN  APU  WILL  BE  SHUT  DOWN  IF  THE  LUBE  OIL  OUTLET 
TEMPERATURE  EXCEEDS  325  (318)  DEG  F  OR  IF  THE  GEARBOX  BEARING 
TEMPERATURE  EXCEEDS  350  (339)  DEG  F  (MCC  CALL)  .  ®[032802-5345A] 

The  APU  should  be  shut  down  after  MECO  is  obtained,  since  the  consequences  are  no  longer  severe. 

This  is  done  to  protect  the  APU  for  use  during  entry  and  landing.  At  or  below  these  temperatures,  APU 
reuse  is  guaranteed. 

Reference  Rule  {A10-lAj.6,  APU  LOSS  DEFINITIONS,  and  SODB,  vol.  I,  3.4.43. 

B.  DURING  ENTRY/ABORTS,  FOR  CONFIRMED  LOSS  OF  APU  LUBE  OIL 
COOLING  CAPABILITY,  IF  POST-MECO  AND  MACH  >  1.0,  THE 
AFFECTED  APU  WILL  BE  SHUT  DOWN  ASAP  IF  AT  LEAST  ONE  OTHER 
GOOD  APU/HYDRAULIC  SYSTEM  REMAINS.  A  RESTART  WILL  BE 
PERFORMED  NO  EARLIER  THAN  MACH  1.0,  IF  THE  APU  IS  REQUIRED. 
FOR  MACH  <  1.0,  AN  APU  WILL  NOT  BE  SHUT  DOWN  FOR  LOSS  OF 
LUBE  OIL  COOLING  UNTIL  POST-WHEELSTOP  .  ©[072398-6685A]  ®[ED  ] 

If  all  lube  oil  cooling  capability  has  been  lost  due  to  water  spray  boiler  failure(s),  the  affected  APU  will 
have  only  a  limited  operational  lifetime.  APU  lube  oil  and  bearing  temperature  rise  rates  without 
sufficient  cooling  may  be  higher  than  during  previous  operation.  This  is  due  to  a  continuous  breakdown 
of  lube  oil  viscosity  at  elevated  temperatures  as  well  as  the  high  workload  of  the  APU  in  the  latter 
portions  of  approach  and  landing. 

If  cooling  capability  is  lost  after  the  normal  cooling  control  point  is  reached  (250  deg  F),  the  available 
APU  run  time  is  estimated  to  be  no  more  than  a  few  minutes  before  gearbox  seals  are  lost  and/or  bearing 
seizure  occurs.  For  this  reason,  the  APU  should  be  shut  down  and  the  remaining  run  time  saved  if 
needed  to  provide  a  second  system  operating  during  final  approach  and  landing. 

Once  a  velocity  of  Mach  1  ( approximately  4  minutes  to  touchdown)  is  reached,  an  APU  that  loses  its  lube 
oil  cooling  capability  should  be  left  running  through  wheelstop.  This  is  because  below  Mach  1,  there 
may  not  be  sufficient  time  to  perform  shutdown,  cooldown,  and  restart  before  touchdown.  Though 
continued  operation  through  wheelstop  may  be  questionable,  it  is  preferable  to  have  the  APU  operating 
as  long  as  possible.  @[021199-6814]  ®[ED  ] 

Rules  (A10-23B}.9,  APU  ENTRY  START  TIME,  and  { A1033 },  APU  DEFINITIONS,  reference  this  rule. 

@[0511 94-1 61 9B]  ©[072398-6685A] 

THIS  RULE  CONTINUED  ON  NEXT  PAGE 


VOLUME  A  06/20/02  FINAL  MECHANICAL  10-20 

Verify  that  this  is  the  correct  version  before  use. 


NASA  -  JOHNSON  SPACE  CENTER 


FLIGHT  RULES 


A10-24  APU  OIL/GEARBOX  TEMPERATURE /PRES SURE  (CONTINUED) 

C.  AN  APU  WITH  GEARBOX  PRESSURE  <2.0  (3.1)  PSIA  WILL  ONLY  BE 

USED  FOR  ENTRY.  FOLLOWING  APU  START,  IF  THE  OIL  OUTLET 
PRESSURE  IS  NOT  >  20  (27)  PSIA  AFTER  30  SECONDS  AND  OIL 

OUTLET  TEMPERATURE  IS  NOT  INCREASING,  THE  APU  WILL  BE  SHUT 
DOWN  AND  NOT  RESTARTED.  ®[032802-5345A] 

If  the  APU  gearbox  pressure  is  <  2  psia,  a  leak  is  present  in  the  gearbox  or  associated  plumbing  and 
some  amount  of  lube  0H/GN2  has  been  lost.  Starting  the  APU  will  repressurize  the  gearbox  from  the 
GN2  bottle,  but  it  may  only  be  able  to  do  this  once  (GN2  bottle  may  be  dumped  into  the  gearbox )  and 
this  will  also  begin  to  leak  from  the  gearbox.  Because  of  this  one-shot  potential,  the  APU  should  only  be 
started  to  support  entry.  Once  the  APU  is  started,  if  the  oil  pressure  is  greater  than  20  psia,  then  the 
gearbox  has  been  successfully  repressurized  and  sufficient  lube  oil  is  still  present  to  allow  the  APU  to 
operate. 

D.  DURING  ENTRY/ABORTS,  AN  APU  WILL  BE  SHUT  DOWN  POST-MECO  IF 

THE  OIL  OUTLET  PRESSURE  IS  >  150  (143)  PSIA. 

Structu  ral  damage  could  result  if  the  APU  is  run  with  an  oil  pressure  >  150  psia.  Reference  SODB, 

Vol.  I,  3.4.4. 3.  ®[072398-6685A] 

Rules  {A10-1AJ.4,  5,  and  8,  APU  LOSS  DEFINITIONS,  and  (A10-23B}.5,  APU  ENTRY  START  TIME, 
reference  this  rule. 

E.  POST-MECO  AND  MACH  >  1.0,  AN  APU  THAT  IS  RUNNING  WITH  A 

GEARBOX  PRESSURE  OF  <  2.0  (3.1)  PSIA  WILL  BE  SHUT  DOWN  ASAP 

IF  AT  LEAST  ONE  OTHER  GOOD  APU/HYDRAULIC  SYSTEM  REMAINS.  A 
RESTART  WILL  BE  PERFORMED,  NO  EARLIER  THAN  MACH  =1.0,  IF  THE 
APU  IS  REQUIRED.  FOR  MACH  <  1.0,  AN  APU  WILL  NOT  BE  SHUT 
DOWN  FOR  LOSS  OF  GEARBOX  PRESSURE  UNTIL  POST-WHEELSTOP . 

®[ED  ]  ®[032802-5345A] 

If  an  APU  is  running  with  its  gearbox  pressure  <  2  psia,  a  leak  is  present  in  the  gearbox  or  associated 
plumbing  that  can  no  longer  be  supported  by  repressurizations  from  the  GN2  bottle.  It  is  not  possible  to 
distinguish  between  a  lube  oil  or  GN2  leak.  However,  if  the  leak  is  mostly  GN2,  shutting  down  the  APU 
at  this  point  will  prevent  it  from  seizing  due  to  loss  of  lubrication.  The  APU  can  then  be  restarted,  if 
required,  at  Mach  1.0  since  the  atmospheric  pressure  would  prevent  further  leakage  from  the  gearbox 
while  the  APU  is  running  and  actually  would  tend  to  back  pressurize  the  gearbox.  If  a  significant 
amoun  t  of  oil  is  also  being  lost,  the  bearing  temperatures  will  even  tually  began  to  rise,  indicating  the 
loss  of  lubrication  and  imminent  bearing  seizure.  In  this  case,  the  APU  would  be  shut  down  based  on 
temperature  rise  and  would  be  nonrecoverable. 

Rule  { A10-33 },  APU  DEFINITIONS,  references  this  rule.  ®[072398-6685A] 
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A10-25  APU  HIGH  SPEED  SELECTION/SHIFT 

A.  THE  REMAINING  APU(S)  WILL  BE  RUN  AT  HIGH  SPEED  IF  ONE  OR  MORE 
APU/HYDRAULIC  SYSTEMS  ARE  LOST  DURING  ASCENT  OR  RTLS . 

In  order  to  minimize  the  performance  degradation  resulting  from  APU/hydraulic  system  loss(es),  the 
remaining  APU(s)  are  taken  to  high  speed  as  soon  as  a  system  is  declared  lost. 

B.  DURING  ENTRY/ABORTS  (EXCEPT  RTLS),  HIGH  SPEED  WILL  BE 
SELECTED : 

1.  AT  MM  304  IF  ONLY  A  SINGLE  GOOD  APU/HYDRAULIC  SYSTEM  IS 
OPERATING. 

If  two  APU’ s  have  been  lost,  then  there  is  degradation  in  aerosurface  movement  rate  capability. 

The  remaining  APU  must  be  in  high  speed  in  order  to  obtain  maximum  horsepower  to  minimize 
this  degradation.  Also,  it  is  absolutely  essential  that  the  APU  be  operating  at  maximum  rpm  when 
the  vehicle  first  enters  the  Earth ’s  atmosphere  (MM  304-EI)  to  provide  the  best  chance  of  landing 
the  orbiter  on  one  APU. 

2.  AT  TAEM,  IF  ONLY  TWO  GOOD  APU/HYDRAULIC  SYSTEMS  ARE 
OPERATING. 

If  one  APU  is  lost,  the  two  remain  ing  APU’s  can  still  meet  all  aerosurface  rate  demands  with  no  loss  of 
performance  even  if  they  are  running  at  normal  speed.  They  are  taken  to  high  speed  at  TAEM  as  a 
precautionary  measure  in  the  event  one  of  the  remaining  APU’s  fails  during  the  critical  final  landing 
maneuvers. 

Rule  { A10-72 j,  HYDRAULIC  LEAKS,  references  this  rule. 

C.  AN  APU  WILL  NOT  BE  SHUT  DOWN  PRIOR  TO  MECO,  EXCEPT  FOR 

CONFIRMED  OVERSPEED  >  129  (129)  PERCENT. 

Shutting  down  an  APU  in  powered  flight  will  result  in  the  associated  main  engine  going  into  hydraulic 
lockup.  Test  data  on  SSME  valve  drift  is  very  limited  while  in  the  hydraulic  lockup  condition.  Excessive 
SSME  valve  drift  can  severely  impact  ascent  performance  to  the  point  of  risking  loss  of  orbit  capability.  For 
this  reason,  it  is  highly  desirable  to  avoid  hydraulic  lockup  even  at  the  expense  of  possible  loss  of  an  APU. 

In  addition  to  valve  drift  concerns,  the  failure  of  an  SSME  bypass  valve  prior  to  STS-26  has  also 
con  tributed  to  the  desire  to  avoid  the  SSME  hydraulic  lockup  condition.  Failure  of  the  bypass  valve  in 
combination  with  hydraulic  lockup  ( i.  e. ,  APU  shutdown)  can  result  in  loss  of  hydraulic  and  pneumatic 
engine  shutdown  capability.  A  catastrophic  engine  shutdown  will  result.  Because  the  bypass  valve 
failure  is  not  detectable  ( transparent  to  crew  and  MCC),  manual  shutdown  of  an  APU  in  response  to  any 
failure  except  a  confirmed  overspeed  during  powered  flight  is  not  allowed.  Reference  Ascent/Entry 
Flight  Techniques  #50,  October  20,  1988. 
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A10-25  APU  HIGH  SPEED  SELECTION/SHIFT  (CONTINUED) 

D.  DURING  ASCENT,  AN  APU  WHICH  SHIFTS  TO  HIGH  SPEED  WITH  NORMAL 
SPEED  SELECTED  WILL  BE  SHUT  DOWN  ASAP  POST-MECO. 

An  APU  that  shifts  to  high  speed  ( due  to  a  failure  of  the  pulse  control  valve  to  regulate  speed)  is  a 
single  failure  (failed  open  secondary  valve)  from  a  possible  uncontained  overspeed.  The  risk  of  a 
second  failure  in  that  APU  is  accepted  in  powered  flight  in  order  to  retain  SSME  throttling  capability 
and  SSME  hydraulic  valve  con  trol.  (Shutting  down  one  APU  results  in  hydraulic  lockup  of  one  main 
engine.)  Risk  of  operating  the  APU  after  MECO  is  not  warranted,  and  the  APU  will  be  shut  down. 


Though  it  has  experienced  a  shift  to  high  speed,  the  APU  will  not  be  considered  lost  for  planning 
purposes  since  it  may  be  used  when  absolutely  necessary. 

E.  DURING  ENTRY/ABORTS,  IF  AN  APU  SHIFTS  TO  HIGH  SPEED  WITH 
NORMAL  SPEED  SELECTED  AND  TWO  GOOD  APU/HYDRAULIC  SYSTEMS 
REMAINING,  THE  APU  WILL  BE  SHUT  DOWN  ASAP  POST-MECO.  A 
RESTART  WILL  BE  PERFORMED  IF  THE  APU  IS  REQUIRED  (SHUTDOWN 
WILL  NOT  BE  PERFORMED  FOR  THESE  CASES  IF  INSUFFICIENT  TIME  IS 
AVAILABLE  TO  RESTART  THE  AFFECTED  APU)  .  ©[072398-6685A] 


If  the  other  APU’ s  are  functioning  properly,  the  affected  APU  will  be  shut  down  to  protect  against  a 
possible  uncontained  overspeed.  That  APU  may  be  considered  available  for  restart  after  completion  of 
injector  cooling  should  a  second  APU  be  required. 

If  only  one  other  APU  is  functioning  properly,  the  affected  APU  will  be  left  operating  in  order  to  provide 
dual  APU  flight  control  authority  throughout  entry. 

APU  operations  after  an  uncommanded  shift  to  high  speed  shall  be  performed  with  the  APU  SPEED 
SELECT  switch  in  high  in  order  to  prevent  nuisance  alarms.  This  will  also  enable  the  115  percent 
comparator,  which  will  provide  backup  speed  control  in  the  case  that  the  initial  failure  was  in  the 
103  percent  comparator.  In  addition,  auto  shutdown  shall  remain  enabled  as  long  as  one  other 
good  APU  remains. 

Reference  Rules  (A2-254CJ,  ENTRY  STRING  REASSIGNMENT;  { A10-26} ,  APU  AUTO  SHUTDOWN 
INHIBIT  MANAGEMENT;  and  {A10-33 },  APU  DEFINITIONS.  ®[072398-6685A] 
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A10-26  APU  AUTO  SHUTDOWN  INHIBIT  MANAGEMENT 

A.  AN  APU  WILL  HAVE  ITS  AUTO  SHUTDOWN  FUNCTION  INHIBITED  IF: 

1.  ONE  OTHER  APU/HYDRAULIC  SYSTEM  IS  LOST  OR  FAILING  SUCH 
THAT  SUPPORT  OF  NOMINAL  ASCENT  THROUGH  MECO  IS  SUSPECT 
(SEE  PARAGRAPH  B  FOR  EXCEPTIONS) . 

2.  THE  OTHER  TWO  APU/HYDRAULIC  SYSTEMS  ARE  LOST  OR  FAILING 
SUCH  THAT  SUPPORT  OF  ABORT/ENTRY  THROUGH  WHEELSTOP  IS 
SUSPECT.  @[021199-6814] 

3.  THE  APU  IS  NEEDED  TO  PROVIDE  A  LAST  METHOD  OF  GEAR  DEPLOY 
OR  DIRECTIONAL  CONTROL.  ©[072398-6685A] 

The  purpose  of  the  auto  shutdown  function  is  to  quickly  secure  the  APU  in  the  event  of  a  potentially 
hazardous  situation  (such  as  an  overspeed  condition).  The  auto  shutdown  logic  secures  the  APU  by 
disabling  the  shutoff  valve  commands  and  removing  power  from  the  fuel  tank  isolation  valves  (causing 
the  valves  to  close).  The  auto  shutdown  function  can  be  inhibited  to  protect  against  an  erroneous 
shutdown  of  an  APU,  but  this  also  removes  all  overspeed/underspeed  protection. 

With  the  redundancy  inherent  in  the  digital  controller,  an  erroneous  APU  shutdown  is  highly  unlikely. 

At  least  two  controller  component/magnetic  pickup  unit  (MPU)  failures  are  necessary  to  cause  an 
inadvertent  shutdown  after  the  first  10.5  seconds  of  run  time.  Due  to  their  design,  location,  and  failure 
history,  the  probability  of  two  MPU  failures  is  considered  much  greater  than  that  of  two  controller 
failures.  And  in  INHIBIT,  the  loss  of  two  MPU’s  would  result  in  an  uncontained  overspeed.  Therefore, 
inhibiting  the  auto  shutdown  function  is  not  likely  to  preven  t  a  spurious  shutdown,  and  it  does  increase 
the  risk  of  an  uncontained  overspeed. 

However,  there  are  some  specific  mechanical  failure  scenarios  where  the  APU  would  only  continue  to 
run  if  the  auto  shutdown  was  inhibited.  These  single  mechanical  failures  are  more  likely  than  the  dual 
controller /MPU  failures,  but  the  ability  of  the  affected  APU /hydraulic  system  to  provide  useful  support 
is  highly  questionable. 

Even  though  the  increased  risk  associated  with  running  an  APU  in  INHIBIT  is  relatively  small,  the 
potential  consequences  do  not  warrant  accepting  the  risk  except  for  the  cases  listed.  In  these  cases,  even 
the  small  gains  associated  with  inhibiting  auto  shutdown  are  considered  necessary  to  maintain  critical 
functions.  This  applies  to  the  loss  of  a  single  APU  during  power  flight  due  to  controllability  concerns 
associated  with  the  loss  of  a  second  APU. 
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A10-26  APU  AUTO  SHUTDOWN  INHIBIT  MANAGEMENT  (CONTINUED) 

4.  INHIBIT  IS  NECESSARY  TO  ALLOW  THE  APU  TO  OPERATE  (SEE 
PARAGRAPHS  B  AND  C  FOR  EXCEPTION) . 

There  are  several  component  failure  scenarios  in  the  digital  controller  (e.g.,  false  overspeed),  as  well  as 
severed  mechanical  scenarios  (e.g.,  low  fuel  tank  pressure,  valve  contamination ),  that  would  result  in  an 
erroneous  shutdown  during  APU  startup.  These  situations  would  require  inhibiting  the  auto  shutdown 
function  to  get  the  APU  running.  For  the  controller  failures,  the  auto  shutdown  must  remain  inhibited 
since  the  erroneous  signcd(s)  in  the  controller  would  shut  the  APU  down  if  the  function  were  reenabled. 

In  these  cases,  the  risk  of  running  cm  APU  with  it  auto  shutdown  inhibited  is  considered  less  dangerous 
than  the  risk  of  losing  entry-critical  APU /hydraulic  systems.  Therefore,  the  auto  shutdown  logic  is 
inhibited  to  maintain  afcdl-scife  configuration  for  entry  even  if  two  other  good  APU’s  remain. 

B.  THE  AUTO  SHUTDOWN  FUNCTION  WILL  BE  (RE) ENABLED  FOR  AN  APU 

WHICH  HAS  ONE  OF  THE  FOLLOWING  CONDITIONS  WHEN  AT  LEAST  ONE 
GOOD  APU/HYDRAULIC  SYSTEM  REMAINS: 

1.  THE  APU  TURBINE  SPEED  HAS  SHIFTED  TO  THE  HIGH  SPEED  BAND, 
IS  ERRATIC  WITH  HIGH  SPEED  SELECTED,  OR  IS  LOST  DUE  TO  A 
SUSPECTED  MPU  FAILURE. 

2.  THE  APU  IS  RUNNING  WITH  AN  ISOLATABLE  FUEL  LEAK. 

IF  (RE) ENABLING  THE  AUTO  SHUTDOWN  FUNCTION  WILL  CAUSE  THE  APU 
TO  SHUT  DOWN,  THE  AUTO  SHUTDOWN  MAY  REMAIN  INHIBITED  TO 
MAINTAIN  TWO  APU' S  THROUGH  MECO  OR  WHEELSTOP.  @[021199-6814] 

Auto  shutdown  should  be  enabled  in  situations  where  there  is  a  high  potential  for  an  uncontrolled 
shutdown  which  could  cause  damage  to  other  equipment  in  the  aft  compartment.  If  the  turbine  speed  is 
erratic  and  selecting  high  speed  did  not  clear  the  problem  or  if  turbine  speed  has  shifted  to  the  high 
speed  band,  the  APU  is  one  failure  away  from  an  overspeed  condition.  Similarly,  the  loss  of  a  MPU  ( i.e., 
loss  of  turbine  speed  not  explainable  by  cm  MDM/DSC  or  other  failure),  with  the  auto  shutdown  function 
inhibited,  places  the  APU  one  failure  away  from  an  uncontained  overspeed  condition.  In  these  cases,  the 
risk  of  cm  uncontrolled  shu  tdown  is  considered  greater  than  an  erroneous  shutdown  causing  single  APU 
operations.  If  the  APU  is  in  INHIBIT  to  cdlow  it  to  operate,  taking  it  back  to  ENABLE  will  cause  the 
APU  to  shut  down.  Therefore,  this  should  only  be  done  if  two  good  APU /hydraulic  systems  remain. 

A  fuel  leak  can  lead  to  afire  and  an  explosive  shutdown  such  as  occurred  on  STS-9.  The  auto  shutdown 
logic  is  beneficial  in  this  case  because  it  automatically  closes  the  fuel  tank  isolation  valves  upon  shutting 
down  the  APU.  This  may  isolate  the  leak,  thus  minimizing  the  risk  due  to  hydrazine  in  the  aft 
compartment. 
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A10-26  APU  AUTO  SHUTDOWN  INHIBIT  MANAGEMENT  (CONTINUED) 

C.  DURING  ENTRY/ ABORTS,  FOR  AN  APU  THAT  HAS  SHUTDOWN  DUE  TO  AN 

UNEXPLAINED  UNDERSPEED  WITH  AUTO  SHUTDOWN  ENABLED:  @[062797-4889] 

1.  THE  APU  WILL  BE  RESTARTED  WITH  AUTO  SHUTDOWN  ENABLED  AND 

NORM  SPEED  SELECTED  ONLY  IF  TIME  IS  AVAILABLE  TO  PERFORM 

TWO  APU  RESTARTS  (T/D  >  APPROX  10  MIN)  AND  ANY  OF  THE 

FOLLOWING  ARE  TRUE: 

a.  ANOTHER  APU/HYD  SYSTEM  IS  FAILED  OR  SUSPECT. 

b.  THE  APU  IS  REQUIRED.  ®[072398-6685A] 

C.  SINGLE  APU  WX  PLACARDS  ARE  EXCEEDED. 

2.  IF  A  RESTART  IS  ATTEMPTED  AND  THE  APU: 

a.  STARTS  AND  RUNS,  THE  APU  WILL  CONTINUE  TO  OPERATE 
WITH  AUTO  SHUTDOWN  ENABLED.  THE  APU  WILL  BE 
CONSIDERED  SUSPECT. 

b.  DOES  NOT  START  OR  SUSTAINS  AN  UNDERSPEED  SHUTDOWN 
WITHIN  THE  FIRST  10.5  SECONDS  OF  OPERATION,  THE  APU 
WILL  BE  RESTARTED  AND  OPERATED  WITH  AUTO  SHUTDOWN 
INHIBITED  IF  REQUIRED.  ©[072398-6685A] 

C.  SUSTAINS  AN  UNDERSPEED  SHUTDOWN  AFTER  10.5  SECONDS, 
ANOTHER  RESTART  OF  THE  APU  MAY  BE  ATTEMPTED  IF  TIME 
PERMITS.  THE  APU  WILL  BE  OPERATED  WITH  AUTO  SHUTDOWN 
ENABLED . 

d.  SUSTAINS  AN  OVERSPEED  SHUTDOWN,  THE  APU  WILL  BE 
SHUT  DOWN  AND  NO  FURTHER  TROUBLESHOOTING  WILL  BE 
ATTEMPTED.  @[061297-4889] 
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A10-26  APU  AUTO  SHUTDOWN  INHIBIT  MANAGEMENT  (CONTINUED) 

3.  IF  TIME  IS  NOT  AVAILABLE  TO  ATTEMPT  TWO  RESTARTS,  AN  APU 

COOLDOWN  WILL  BE  PERFORMED  AT  MACH  7.  THE  APU  WILL  BE 
RESTARTED,  WITH  AUTO  SHUTDOWN  INHIBITED,  ONLY  TO  PROVIDE 
A  LAST  APU/HYD  SYSTEM,  LANDING  GEAR  DEPLOY  METHOD,  OR 
BRAKING.  @[061297-4889] 

An  APU  has  sustained  an  “unexplained”  underspeed  shutdown  if  a  dual  magnetic  pickup  unit  (MPU) 
failure  cannot  be  ruled  out  as  the  cause  of  the  shutdown  ( other  than  by  attempting  a  restart  of  the  APU; 
examples  of  explainable  underspeed  shu  tdowns  include  failures  within  the  underspeed  slow  latch 
circuit,  overspeed  slow  latch  circuit,  and  timer  failures).  Analysis  performed  by  JSC  SR&QA  indicates 
that  the  most  probable  APU  electrical  failure  is  an  MPU.  The  APU  has  three  MPU’s  which  provide 
APU  turbine  speed  data  to  the  APU  controller  -  dual  MPU  failures  result  in  APU  shutdown.  The 
signature  for  a  dual  MPU  failure  case  is  closure  of  the  fuel  tank  isolation  valves  (FIV),  illumination  of 
the  F7  APU  underspeed  light,  and  closure  of  the  shutoff  valve  (SOV)  while  the  APU  is  running  in 
NORM  or  HIGH  speed.  This  occurs  because  three  of  the  four  speed  con  trol  channels  indicate  zero 
speed  due  to  the  failed  MPU’s  which  results  in  the  logic  on  these  three  channels  voting  for  underspeed. 
The  same  signature  can  result  with  two  in  termitten  t  MPU’s.  Another  signature  is  also  possible  for  the 
case  of  two  intermittent  MPU’s.  The  signature  for  this  scenario  is  the  APU  spinning  down  from  NORM 
or  HIGH  speed,  and  at  a  turbine  speed  of  80  percent,  the  FIV’s  close  and  the  F7  APU  underspeed  light 
is  illuminated.  The  signature  for  two  intermittent  MPU’s  is  dependent  on  which  of  the  three  MPU’s 
have  failed.  Therefore,  there  is  not  a  specific  shutdown  signature  for  all  MPU  failure  cases. 

During  APU  start,  the  controller  locks  out  the  underspeed  shutdown  logic  for  10.5  seconds  to  allow  the 
APU  adequate  time  to  spin  up.  The  overspeed  shutdown  logic  is  not  affected  during  this  10.5  second 
period.  Since  the  dual  MPU  failure  is  interpreted  as  a  zero  turbine  speed  by  the  APU  controller  on 
three  of  the  four  speed  control  channels,  the  con  troller  does  not  sense  the  APU  spinning  up.  As  a 
result,  the  APU  continues  to  increase  in  RPM  until  the  remaining  MPU  senses  that  the  speed  has 
reached  129  percen  t,  which  triggers  the  overspeed  shutdown  logic  and  shuts  down  the  APU  if  auto 
shutdown  is  enabled.  If  auto  shutdown  was  inhibited,  the  APU  would  experience  an  uncontained 
overspeed  -  the  turbine  could  disintegrate,  producing  shrapnel  that  could  damage  other  equipment  in 
the  aft  fuselage. 

To  determine  if  the  underspeed  was  due  to  a  dual  MPU  failure,  the  APU  is  restarted  with  auto 
shutdown  enabled.  If  the  APU  overspeeds  and  automatically  shuts  down,  then  the  dual  MPU  failure 
case  is  confirmed  -  the  APU  will  be  scifed  and  should  never  be  restarted.  If  the  APU  does  not  start  or 
experiences  cm  underspeed  shutdown  within  the  first  10.5  seconds  of  operation,  a  dual  MPU  failure  is 
not  the  cause  of  the  shutdown  (dual  failures  may  be  in  the  APU  or  the  controller).  If  the  APU  restarts 
and  operates  but  subsequently  fails  after  10.5  seconds,  the  failure  is  transient  (e.g.,  a  single  failed 
MPU  coupled  with  an  intermittent  MPU)  -  the  APU  would  experience  cm  uncontained  overspeed  if  the 
transient  MPU  recurred  with  auto  shutdown  inhibited,  so  the  APU  will  only  be  restarted  and  run  with 
auto  shutdown  enabled.  @[061297-4889  ] 
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A10-26  APU  AUTO  SHUTDOWN  INHIBIT  MANAGEMENT  (CONTINUED) 

Touchdown  minus  10  minutes  is  the  minimum  amount  of  time  needed  to  accomplish  two  APU 
cooldowns  in  order  to  support  APU  operations  no  later  than  approach  and  landing.  Since  hardware 
damage  to  the  affected  APU  may  result  if  an  overspeed  condition  occurs,  troubleshooting  for  an 
unexplained  underspeed  should  only  be  performed  if  critical  redundancy  is  lost.  If  there  is  insufficient 
time  to  perform  two  cooldowns  arid  the  APU  is  needed  to  provide  a  critical  landing  capability,  a  start 
attempt  will  be  made  with  auto  shutdown  inhibited  to  provide  the  best  chance  of  regaining  the  APU. 
@[061297-4889] 

Braking  redundancy  is  defined  as  fault  tolerance  for  50  percent  braking.  This  rule  is  referenced  by 
Rule  {A10-25},  APU  HIGH  SPEED  SELECTION/SHIFT.  Reference  ule  {A10-33},  APU 
DEFINITIONS.  @[061297-4889]  ©[072398-6685A] 

A10-27  APU  FUEL  LEAKS  [CIL] 

A.  DURING  ASCENT,  IF  AN  APU  DEVELOPS  A  FUEL  LEAK,  IT  WILL  BE 
SHUT  DOWN  ASAP  POST-MECO. 

If  the  leak  is  upstream  of  the  tank  valves,  then  the  leak  is  not  isolatable  and  fuel  will  continue  to  leak  into 
the  orbiter  aft  compartment  even  with  the  APU  shut  down.  A  significant  amount  of  free  hydrazine  in  the 
aft  compartments  presents  a  severe  safety  hazard  during  entry.  To  avoid  this,  the  APU  should  be 
restarted  and  allowed  to  run  until  its  fuel  is  depleted.  This  will  ensure  that  most  of  the  hydrazine  is 
burned  and  exhausted  overboard  and  will  minimize  the  amoun  t  of  hydrazine  that  leaks  into  the  aft  bay. 

The  restart  should  only  be  performed  if  fuel  tank  pressure  is  >  100  (107)  psi. 

If  the  fuel  leak  is  downstream  of  the  tank  valves,  the  leak  will  be  isolated  when  the  APU  is  shut  down. 

The  APU  is  still  considered  lost,  however,  and  should  not  be  started  unless  one  of  the  two  remaining 
APU’s  fails  (not  available  for  entry). 

Reference  Rule  {A10-lAj.l.b,  APU  LOSS  DEFINITIONS. 

B.  ON  ORBIT  POST-MECO,  AN  APU  WILL  BE  OPERATED  FOR  THE  PURPOSE 
OF  BURNING  ITS  FUEL  IF  THERE  IS  A  SUSPECTED  OR  CONFIRMED 
NONISOLATABLE  HYDRAZINE  LEAK.  [CIL] 

1.  WITH  TWO  OTHER  GOOD  APU/HYDRAULIC  SYSTEMS,  THIS  TECHNIQUE 
WILL  APPLY  WITHOUT  CONSIDERING  LANDING  OPPORTUNITIES. 
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A10-27  APU  FUEL  LEAKS  [CIL]  (CONTINUED) 

2.  WITH  ONLY  ONE  OTHER  GOOD  APU/HYDRAULIC  SYSTEM  REMAINING, 
THIS  WILL  APPLY  IF  THE  LEAK  RATE  DOES  NOT  SUPPORT  THE 
NEXT  PLS  ASSUMING  THE  AFFECTED  APU  IS  STARTED  AT  TAEM . 


If  the  leak  is  upstream  of  the  fuel  tank  isolation  valves,  then  the  leak  is  not  isolatable  and  fuel  will 
continue  to  leak  into  the  orbiter  aft  compartment  even  with  the  APU  shut  down.  A  significant  amount 
of  free  hydrazine  in  the  aft  compartment  presents  a  severe  safety  hazard  during  entry.  If  two  fully 
operational  APU’s  remain,  the  leaking  APU  will  be  started  and  its  fuel  burned  off  in  order  to  minimize 
the  amount  of  free  hydrazine  that  is  left  to  leak  in  the  aft  compartment.  If  one  APU  has  already  failed, 
however,  the  leak  rate  will  be  assessed  to  see  if  fuel  will  support  a  next  PLS  entry.  If  the  leak  rate  is 
slow  enough  that  the  APU  would  be  able  to  support  a  next  PLS  entry,  then  the  APU  will  not  be  started 
to  burn  off  its  fuel.  Performing  a  single  APU  entry  is  more  hazardous  than  having  free  hydrazine  in 
the  aft  bay.  Start  of  the  APU  will  be  delayed  until  TAEM  to  reduce  entry  usage  requirements  and 
optimize  the  remaining  capability  to  support  the  leak  rate.  If  the  leak  rate  will  not  support  the  next 
PLS,  then  the  APU  will  be  started  and  the  fuel  burned  off  since  it  would  not  be  available  for  entry 
whether  the  APU  was  started  or  not. 

C.  DURING  ENTRY/ABORTS,  FOR  A  FUEL  LEAK,  ACTION  WILL  BE  TAKEN  IN 
ORDER  TO  PROVIDE  AT  LEAST  TWO  APU/HYDRAULIC  SYSTEMS  FROM  TAEM 
THROUGH  WHEELSTOP.  @[021199-6814] 

1.  IF  ONLY  ONE  OTHER  GOOD  APU/HYDRAULIC  SYSTEM  REMAINS  AND 
THE  LEAK  SUPPORTS  CONTINUED  OPERATION  THROUGH  WHEELSTOP, 
THE  APU  WILL  BE  ALLOWED  TO  RUN.  IF  THE  LEAK  WILL  NOT 
SUPPORT  CONTINUED  OPERATION  THROUGH  WHEELSTOP  OR  IF  TWO 
OTHER  GOOD  APU/HYDRAULIC  SYSTEMS  REMAIN,  THE  AFFECTED  APU 
WILL  BE  SHUT  DOWN  IF  IT  IS  DETERMINED  THAT  THE  FUEL  TANK 
PRESSURE  WILL  NOT  FALL  BELOW  100  (109)  PSIA  BEFORE  AN  APU 

RESTART  COULD  BE  PERFORMED.  [CIL]  ©[032802-5345A] 

a.  IF  THE  LEAK  IS  ISOLATED,  THE  AFFECTED  APU  WILL  BE 
RESTARTED  IF  NEEDED  TO  MAINTAIN  TWO  APU/HYDRAULIC 
SYSTEMS  FROM  TAEM  THROUGH  WHEELSTOP,  A  LAST  METHOD  OF 
GEAR  DEPLOY,  OR  DIRECTIONAL  CONTROL  [CIL]  .  ©[072398-6685A] 
@[021199-6814] 
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A10-27  APU  FUEL  LEAKS  [CIL]  (CONTINUED) 

b.  IF  THE  LEAK  IS  NOT  ISOLATED  AND  THE  LEAK  RATE 

WILL  NOT  SUPPORT  APU  OPERATIONS  FROM  TAEM  THROUGH 
WHEELSTOP,  THE  AFFECTED  APU  WILL  BE  RESTARTED 
ASAP.  OTHERWISE,  THE  AFFECTED  APU  WILL  BE 
RESTARTED  WHEN  ABLE  TO  SUPPORT  APU  OPERATIONS 
THROUGH  WHEELSTOP  (NO  LATER  THAN  TAEM) .  [CIL] 

@[021199-6814] 

There  are  two  important  goals  to  achieve  when  troubleshooting  a  leaking  APU:  maintaining  two  good 
APU’s  for  flight  control  and  minimizing  fuel  leakage  into  the  aft  compartment,  which  can  lead  to  fire. 

This  rule  will  minimize  free  hydrazine  in  the  aft  compartment  and  reduce  the  risk  of  a  fire  that  could 
potentially  cause  the  loss  of  a  second  APU.  The  risk  of  fire  damaging  remaining  APU’s  is  considered 
greater  than  APU  detonation  concerns  as  a  result  of  APU  shutdown  and  subsequent  heat  socikback. 
Restarting  a  leaking  APU  risks  a  large  fuel  leak  and  poten  tial  detonation  of  the  GGVM,  but  this  risk 
is  considered  acceptable  when  considering  the  inability  of  the  vehicle  to  land  on  a  single  APU. 
©[032802-5345A] 

We  are  forced  to  accept  the  risk  of  an  aft  compartment  fire  in  order  to  provide  two  APU’s  for  flight 
control.  If  only  two  APU’s  are  operating,  we  do  not  want  to  risk  shutting  one  down  to  tty  and  isolate  the 
leak,  since  it  may  not  restart  when  required  at  TAEM.  If  the  leaking  APU  will  not  support  through 
wheel  stop  in  its  present  condition,  it  is  acceptable  to  shut  it  down  and  try  to  isolate  the  leak.  If  the  leak 
is  isolcitable,  this  may  allow  a  restart  at  TAEM  to  provide  two  APU’s  for  landing. 

If  the  leak  rate  is  large  enough  that  the  fuel  tank  pressure  would  fall  below  100  psia  before  an  APU  restart 
could  be  performed  (in  the  event  shutting  the  APU  down  does  not  isolate  the  leak),  it  should  be  assumed 
that  the  leak  is  nonisolatable;  thus,  the  APU  should  be  allowed  to  run  to  continue  burning  off  fuel. 
Simulation  experience  shows  that  it  takes  approximately  5  minutes  for  the  crew  to  shut  down  and  then 
immediately  restart  an  APU;  this  5  minute  time  should  be  used  when  determining  if  the  tank  pressure  will 
fall  below  100  psia. 

Reference  Rule  {A10-22A},  APU  START/RESTART  LIMITS,  and  SODB,  Vol.  I,  3. 4.4. 3. 

2.  PRIOR  TO  TAEM,  AN  APU  WITH  A  SUSTAINED  OVERBOARD  FUEL 
PUMP  SEAL  CAVITY  DRAIN  SYSTEM  LEAK  WILL  BE  SHUT  DOWN 
ASAP  IF  TWO  OTHER  GOOD  APU/HYDRAULIC  SYSTEMS  REMAIN  AND 
THE  LEAKING  APU  FUEL  TANK  PRESSURE  IS  >  100  a 0 9 )  PSIA. 

THE  APU  WILL  BE  RESTARTED  IF  NEEDED  TO  MAINTAIN  TWO 
APU/HYDRAULIC  SYSTEMS  FROM  TAEM  THROUGH  WHEELSTOP,  A 
LAST  METHOD  OF  GEAR  DEPLOY,  OR  DIRECTIONAL  CONTROL. 
©[072398-6685A]  @[040899-6824  ]  ©[032802-5345A] 
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A10-27 


APU  FUEL  LEAKS  [CIL]  (CONTINUED) 


This  rule  accepts  the  risk  of  aft  compartment  fire  damage  after  TAEM  caused  by  ingestion,  through 
the  aft  vent  doors,  of  the  fuel  leaking  overboard.  A  fuel  pump  seal  leak  may  be  detected  by  repeated 
excursions  in  drain  line  pressure  to  the  relief  valve  cracking  pressure  (28  to  42  psia)  or  sustained 
dram  line  pressure  above  the  relief  valve  reseat  pressure  (16.8  to  25.2  psia).  A  fuel  pump  seal  leak 
will,  by  nature,  be  small;  combined  with  the  low  probability  of  ingestion,  chances  of  catastrophic 
damage  from  such  a  leak  are  small.  There  is  insufficient  time  post-TAEM  for  a  cooldown  and  restart 
of  the  affected  APU,  if  required.  Therefore,  it  is  better  to  allow  the  APU  to  continue  running  so  it 
will  be  available  to  support  operations  through  wheel  stop  in  the  event  another  APU  is  lost.  If  the 
fuel  tank  pressure  has  already  fallen  below  100  psia,  the  APU  should  not  be  restarted  if  it  is  shut 
down.  @[021199-6814]  @[040899-6824]  ®[032802-5345A] 


Reference  Rule  {A10-22A},  APU  START/RESTART  LIMITS,  and  SODB,  Vol.  I,  3.4.4. 3.  ©[032802-5345A] 


AOA  APU/HYDRAULIC  SYSTEM  OPERATIONS 


A10-28 


A.  IF  ORBIT  CAPABILITY  IS  QUESTIONABLE,  THE  APU' S  WILL  REMAIN 
RUNNING  UNTIL  THE  DECISION  IS  MADE  TO  CONTINUE  TO  ORBIT.  THE 
HYDRAULIC  MAIN  PUMPS  WILL  BE  TAKEN  TO  "LOW  PRESS"  FOLLOWING 
MPS  DUMP  COMPLETION. 

If  an  AOA  has  been  declared,  or  is  even  a  strong  possibility,  the  APU’s  should  continue  operating  to 
preclude  the  need  for  a  later  restart  of  all  three  APU’s  in  order  to  support  the  AOA.  Performing  a 
restart  on  an  APU  is  not  something  to  be  done  without  good  reason  and  should  be  avoided  if  at  all 
possible.  A  single  failure  in  the  injector  cool  system  could  cause  the  loss  of  all  restart  capability. 

The  hydraulic  main  pumps  will  be  depressurized  to  minimize  fuel  usage  as  well  as  WSB  H2O  usage. 

Reference  SODB,  vol.  I,  3.4.4.3.5a 

Rule  (A2-66J,  APU  SHUTDOWN  DELAY  CRITERIA,  references  this  rule. 

B.  DURING  AN  AOA,  THE  APU' S  WILL  REMAIN  RUNNING  WITH  HYDRAULIC 
PUMPS  IN  "LOW  PRESS"  UNTIL  MM  304.  AN  APU  WILL  BE  SHUT  DOWN, 
IF  REQUIRED,  TO  MAINTAIN  THE  APU  FOR  ENTRY  REGARDLESS  OF 
OTHER  APU/HYDRAULIC  SYSTEMS  STATUS. 

APU  consumables  are  loaded  to  account  for  continuous  APU  operation  throughout  an  AOA.  However, 
the  margins  are  very  small.  Any  off-nominal  APU  or  WSB  operation  could  result  in  exceeding  these 
margins.  Failure  modes,  such  as  a  MPS/TVC ISOL  valve  failing  to  fully  close  (STS  51-J),  result  in 
additional  loads  and  increased  fuel  and  water  usage  on  the  APU  which  are  not  accounted  for  in  the 
consumable  analyses.  When  required,  an  APU  should  be  shut  down  if  this  will  allow  it  to  be  available 
throughout  entry  and  landing. 
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A10-29  FCS  CHECKOUT  APU  OPERATIONS 

A.  APU  SELECTION  FOR  FCS  CHECKOUT  WILL  BE  DONE  REAL  TIME  BASED 
ON  APU/HYDRAULIC  SYSTEMS  STATUS.  CONSIDERATION  WILL  NOT  BE 
GIVEN  TO  LANDING  GEAR  REDUNDANCY  OR  SWITCHING  VALVE  CYCLING. 

The  overriding  consideration  for  APU  system  management  decisions  during  the  orbit/FCS  checkout 
flight  phase  is  the  upcoming  entry.  The  APU’s  must  be  in  the  best  possible  condition  for  entry. 

Therefore,  the  APU  selected  for  FCS  checkout  must  have  had  no  potentially  serious  anomalies  during 
ascent,  consumables  must  be  adequate  to  meet  redline  criteria,  and  there  must  be  no  major  loss  in 
performance  monitoring  instrumentation. 

If  APU  1  is  selected  for  FCS  checkout  and  should  fail  as  a  result  of  being  selected,  landing  gear  deploy 
redundancy  would  be  lost.  However,  if  APU  1  ran  only  long  enough  for  FCS  checkout,  then  it  probably 
would  not  have  supported  the  entire  entry  anyway.  Thus,  landing  gear  redundancy  will  not  be 
considered  when  selecting  an  APU. 

Certain  hydraulic  switching  valves  will  change  state  during  FCS  checkout  depending  on  which  APU  is 
selected.  Should  they  fail  in  that  state,  hydraulic  redundancy  would  be  lost.  But  some  switching  valves 
must  change  state  no  matter  which  APU  is  selected;  so  switching  valve  cycling  is  not  good  criteria  for 
selecting  an  APU. 

B.  FCS  CHECKOUT  WITH  AN  APU  WILL  BE  PERFORMED  ONLY  IF  IT  IS 
DETERMINED  THAT  TWO  OF  THREE  APU/HYDRAULIC  SYSTEMS  WILL  HAVE 
AT  LEAST  192  LB  APU  FUEL  AND  63  LB  WSB  B£0  FOLLOWING  FCS 
CHECKOUT.  @[012694-1596] 

The  fuel  and  H2O  quantities  above  are  based  on  the  following: 


FCS  CHECKOUT 

APU 

14 . 7 

DEORBIT  COAST 

27 . 1 

ENTRY 

98 . 0 

RESIDUALS 

5 . 4 

LOADING  UNCERTAINTY 

OO 

0 

RESERVES  AND  ALLOWANCES 

53 . 4 

TOTALS 

206.6 

LB 

TOTAL  WITHOUT  FCS  CHECKOUT 

191  .  9 

LB 

@[012694-1596] 
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A10-29  FCS  CHECKOUT  APU  OPERATIONS  (CONTINUED) 

C.  IF  THE  STATUS  OF  AN  APU/HYDRAULIC  SYSTEM  IS  QUESTIONABLE  TO 

SUPPORT  ENTRY,  ATTEMPTS  MAY  BE  MADE  TO  START  AND  OPERATE  THAT 
SYSTEM  FOR  FCS  CHECKOUT  IN  ORDER  TO  VERIFY  ENTRY  CAPABILITY 
PROVIDED  THAT  THE  SYSTEM  CAN  BE  OPERATED  SAFELY  (MCC  CALL) . 


If  only  one  or  two  APU’s  are  nominally  operable,  it  is  un  wise  to  activate  either,  except  to  support  entry. 
If  the  orbit  FCS  checkout  part  1  (secondary  actuator  check)  were  to  be  performed,  one  of  the  two 
remaining  nominal  APU’s  (or  the  last  operational  APU  for  the  single  remaining  APU  case )  would  have 
to  be  activated  twice,  increasing  the  risk  of  loss.  Under  these  conditions,  if  an  APU /hydraulic  system  has 
experienced  suspect  operation  such  that  its  capability  to  support  entry  is  questionable,  its  entry  status 
can  be  verified,  if  determined  safe  to  operate,  by  attempting  to  use  the  system  for  FCS  checkout. 

D.  IF  CONDITIONS  PRECLUDE  OPERATION  OF  ANY  ONE  OF  THE  THREE 
APU/HYDRAULIC  SYSTEMS,  THE  HYDRAULIC  CIRCULATION  PUMP  ON 
A  FAILED  SYSTEM  MAY  BE  ACTIVATED  IN  ORDER  TO  PERFORM  AN 
ABBREVIATED  SECONDARY  ACTUATOR  CHECK.  IF  CONDITIONS  ALSO 
PRECLUDE  USE  OF  A  CIRCULATION  PUMP  ON  A  FAILED  SYSTEM,  A 
CIRCULATION  PUMP  ON  A  NOMINAL  HYDRAULIC  SYSTEM  MAY  BE 
USED  TO  PERFORM  THE  CHECK. 


If  only  one  or  two  APU’s  are  nominally  operable  or  if  it  could  be  determined  that  operating  an  APU 
would  be  unsafe  (isolated  fuel  leak,  etc.),  an  abbreviated  actuator  check  could  be  performed  utilizing 
the  system  circulation  pump.  If  it  would  also  be  un  wise  to  activate  the  hydraulic  system  utilizing  the 
circulation  pump,  a  circulation  pump  on  a  nominal  system  could  then  be  used  to  perform  the 
abbreviated  actuator  check. 

Reference  Rule  10-74E},  HYDRAULIC  CIRCULATION  PUMP  OPERATION.  ®[072398-6686B] 

E.  IF  MISSION  CONSTRAINTS  PRECLUDE  ACCOMPLISHING  EITHER  THE 
FULL  OR  ABBREVIATED  ACTUATOR  CHECK  ON  ORBIT,  THE  NOMINAL 
APU/HYDRAULIC  SYSTEM  WHICH  IS  STARTED  AT  TIG  MINUS  5 
MINUTES  MAY  BE  OPERATED  WITH  THE  HYDRAULIC  MAIN  PUMP  IN 
"NORM  PRESS"  IN  ORDER  TO  SUPPORT  AN  ABBREVIATED  ACTUATOR 
CHECK  IN  MM  303. 


Self-explanatory. 


Reference  Rules  { A8-104 j,  FCS  CHECKOUT,  and  { A10-21B j,  LOSS  OF  APU/HYDRAULIC  SYSTEM(S) 
ACTIONS. 
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A10-30  LOSS  OF  APU  HEATERS/INSTRUMENTATION  [CIL] 

A.  AN  APU  WILL  BE  STARTED  PERIODICALLY  OR  THE  ORBITER  ATTITUDE 
ADJUSTED,  IF  REQUIRED  TO  MAINTAIN  ACCEPTABLE  APU  SYSTEM 
TEMPERATURES.  [CIL] 


If  there  is  a  dual  heater  failure  in  an  APU  subsystem,  orbiter  attitude  adjustment  will  be  considered  to 
prevent  component  freeze-up.  If  this  is  not  practical,  this  rule  allows  an  APU  to  be  started  to  generate 
heat  in  the  system  and,  using  the  heat  soakback,  to  warm  the  surrounding  components. 

Reference  Rules  (A10-1AJ.8,  APU  LOSS  DEFINITIONS,  and  (A1 8-451  j,  ORBITER  THERMAL 
CONSTRAINTS  AND  ATTITUDE  MANAGEMENT. 

Rules  {A8-104},  FCS  CHECKOUT;  { A8-112J ,  AEROSURFACE  ACTUATOR  PROTECTION; 

{AlO-lAj.l,  APU  LOSS  DEFINITIONS;  { A10-21B J,  LOSS  OF  APU/HYDRAULIC  SYSTEMS(S) 

ACTIONS;  and  {A10-22J,  APU  START/RESTART  LIMITS,  reference  this  rule. 

B.  THE  FOLLOWING  ACTIONS  WILL  BE  TAKEN  FOR  AN  APU  WITH  BOTH  FUEL 
LINE  TEMPERATURE  TRANSDUCERS  T1  AND  T2  LOST: 

1.  SIDE/TOP  SUN  SOLAR  INERTIAL  ATTITUDE  WILL  BE  ESTABLISHED 
ASAP  AND  MAINTAINED  SUBJECT  TO  HIGH  PRIORITY  PAYLOAD 
REQUIREMENTS  (?S90  0S45  FOR  APU  3;  ?  S90  0S315  FOR  APU  1,  2 

2.  WHEN  NOT  IN  SIDE/TOP  SUN  ATTITUDE  OR  PRIOR  TO  THERMAL 
STABILIZATION  AFTER  SIDE/TOP  SUN  ATTITUDE  HAS  BEEN 
ESTABLISHED,  MANUAL  HEATER  MANAGEMENT  WILL  BE  PERFORMED 
BY  CYCLING  APU  HEATERS  TANK/FUEL/  LINE/B^O  SYSTEMS  A  AND 
B  SIMULTANEOUSLY  TO  "AUTO"  FOR  18  MINUTES  THEN  "OFF"  FOR 
42  MINUTES.  THE  HEATERS  WILL  BE  TURNED  "OFF"  DURING 
ON-ORBIT  OPERATIONS  WHEN  MANUAL  HEATER  MANAGEMENT  IS  NOT 
REQUIRED  AND  DURING  ENTRY. 

a.  FOR  SIDE/TOP  SUN  ATTITUDE  ESTABLISHED  BEFORE  MET 
=35  HOURS,  MANUAL  HEATER  MANAGEMENT  IS  REQUIRED 
UNTIL  MET  =40  HOURS. 
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A10-30  LOSS  OF  APU  HEATERS/INSTRUMENTATION  [CIL] 

(CONTINUED) 

b.  FOR  SIDE/TOP  SUN  ATTITUDE  ESTABLISHED  AFTER  MET  = 

35  HOURS,  MANUAL  HEATER  MANAGEMENT  IS  REQUIRED  FOR 
5  HOURS  AFTER  SIDE/TOP  SUN  HAS  BEEN  ESTABLISHED. 

Because  APU  fuel  line  heater  operation  cannot  be  verified,  steps  must  be  taken  to  ensure  that  a  failed-on 
heater  does  not  detonate  the  fuel  line,  while  also  ensuring  the  fuel  line  does  not  freeze.  Going  to  a 
side/top  Sun  attitude  will  eventually  provide  a  warm  enough  environment  for  the  fuel  line  that  the  heaters 
can  be  turned  off.  After  an  MET  of  40  hours,  going  to  side/top  Sun  will  provide  a  stable  environment 
within  about  5  hours,  but  before  40  hours,  the  MPS  cryogenic  chilldown  in  the  aft  compartment  hinders 
the  warming  process.  For  the  period  prior  to  the  establishment  of  side/top  Sun  and  thermal  stabilization, 
manual  heater  cycling  must  be  conducted  to  try  to  prevent  the  fuel  from  freezing.  Both  heaters  are 
cycled  on  simultaneously  to  preclude  a  failed-off  heater  from  allowing  fuel  line  freezing,  and  a  manual 
off  cycle  is  required  to  prevent  a  failed-on  heater  from  detonating  the  line.  Once  the  affected  APU  is 
started,  heater  management  is  no  longer  required  and  the  heaters  can  be  powered  off  for  entry. 

Analysis  by  Rockwell -Downey  has  determined  that  as  long  as  the  manual  heater  cycling  is  done  when  the 
aft  compartmen  t  is  not  warm  enough  to  keep  the  heater  off,  the  affected  APU  can  be  considered  good  and 
usable  for  entry.  The  APU  will  be  started  prior  to  the  deorbit  burn  to  preclude  heater  managemen  t 
postburn. 

Reference  Rockwell  IL  SETO  TCS-87-134,  Heater  Duty  Cycles  for  Low/In  termediate  Angle  Top  LV  & 

GG  Attitudes,  and  SODB  submittal  Rl-1371,  December  11,  1987. 

3.  IF  THE  INSTRUMENTATION  IS  LOST  BEFORE  DEORBIT  TIG  - 

5  MINUTES,  THE  AFFECTED  APU  WILL  BE  STARTED  AT  TIG  - 
5  MINUTES. 

Because  a  failed  fuel  line  heater  has  little  or  no  impact  upon  an  APU  that  is  running,  it  is  best  to  start 
this  APU  at  the  “single  APU  start”  time  in  order  to  protect  against  subsequent  heater  failures  and  to 
have  this  APU  for  entry  operations. 

4.  IF  THE  INSTRUMENTATION  IS  LOST  AFTER  DEORBIT  TIG  - 
5  MINUTES,  THE  AFFECTED  APU  WILL  BE  STARTED  ASAP. 

Av  stated  above,  fuel  line  heater  failures  are  not  a  concern  when  the  APU  is  running.  Because  there 
are  sufficient  consumables  margins  in  all  APU’s  to  run  for  the  entire  entry,  the  affected  APU  can  be 
immediately  started. 
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A10-31  APU  FREEZE /THAW 

A.  FOR  AN  APU  THAT  HAS  SUSTAINED  ONE  OR  MORE  FUEL  LINE  FREEZES 
THE  FOLLOWING  ACTIONS  WILL  BE  TAKEN  (UNLESS  THE  FREEZE  IS 
SUSPECTED  TO  BE  THE  RESULT  OF  THE  APU  LEAKING  FUEL) : 

®[011 295-1 736C] 

1.  POWER  BOTH  'A'  AND  'B'  FUEL  LINE  HEATERS  SIMULTANEOUSLY. 
®[011 295-1 736C] 

2.  ESTABLISH  A  SIDE/TOP  SUN  SOLAR  INERTIAL  ATTITUDE  AS  LONG 
AS  NECESSARY  TO  THAW  THE  FROZEN  FUEL  LINE  SEGMENT  (THETA 
S 90  PHI  S45  FOR  APU  3;  THETA  S90  PHI  S315  FOR  APU  1,2). 

B.  FOR  AN  APU  THAT  HAS  SUSTAINED  MULTIPLE  FUEL  LINE  FREEZE/THAW 
CYCLES  AND  NO  FUEL  LEAKAGE  IS  SUSPECTED,  THE  APU  WILL  NOT  BE 
STARTED  UNLESS  REQUIRED.  ®[072398-6685A] 

APU  data  from  STS-62,  TTA  ,  and  McDonnell  Douglas  indicate  that  the  APU  fuel  lines  can  sustain  a 
single  freeze/thaw  cycle  without  rupture.  The  STS-62  fuel  line  freeze  was  a  result  of  aft  water  intrusion 
that  pooled  between  the  fuel  line  insulation  and  the  fuel  line.  The  sublimation  of  the  water  provided 
enough  heat  transfer  from  the  hydrazine  to  overcome  the  effect  of  the  fuel  line  heater  resulting  in  a  line 
freeze  during  the  post  insertion  time  frame.  The  frozen  fuel  line  segment  was  located  near  the  fuel  tank 
isolation  valves  downstream  of  where  the  test  line  attaches  to  the  fuel  line.  This  prevented  pressure  relief 
back  into  the  APU  fuel  tank  during  soakback  and  resulted  in  fuel  line  pressures  of  around  800  psia.  The 
location  of  the  frozen  segment  was  determined  by  the  effect  of  the  fuel  line  and  test  line  heaters  on  the 
fuel  pump  inlet  pressure  trace. 

Although  difficult  to  determine,  the  time  frame  in  which  line  freezing  occurs  may  help  to  indicate  what 
type  of  mechanism  is  causing  the  freeze.  STS-62  data  indicates  that  the  water  intrusion  failure  mode 
should  occur  relatively  shortly  after  post  insertion. 

During  STS-62  the  engineering  community  (JSC  engineering,  RI/Downey,  Sundstrand  and  SR&QA) 
concluded  that  there  were  no  constraints  with  APU  operation  due  to  the  single  freeze/thaw  cycle.  The 
APU  was  started  at  TAEM  due  to  the  slight  possibility  the  fuel  line  freeze  may  have  been  caused  by  an 
external  fuel  leak.  Although  inconclusive  on  the  exact  cause  of  the  failure,  post  landing  examination  of 
the  affected  area  did  not  reveal  any  fuel  leaks  or  line  bulges. 
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A10-31  APU  FREEZE/THAW  (CONTINUED) 

The  published  freezing  point  ofN2H4  is  35  Deg  F.  Av  N2H4  freezes  the  density  increases  resulting  in  a 
decreased  volume.  Superpacking  resu  lts  when  a  line  full  of  liquid  transforms  into  a  line  full  of  solid.  As 
N2H4  expands  during  the  thaw  process  line  yield  may  result  if  the  pressures  can  not  be  relieved.  For  this 
to  occur  the  thaw  would  have  to  occur  in  a  trapped  volume  or  from  the  middle  outward  in  a  frozen  line 
segment. 

TTA  tests  performed  in  1988  ( JSC-22912 )  used  a  3/8  inch  diameter  APU  fuel  line  to  study  the  effects  of 
frozen  N2H4  in  a  superpacked  state.  The  results  indicate  that  line  yield  occurred  in  both  tests,  with  a 
maximum  line  pressure  of  6300  psia.  ®[01 1 295-1 736C] 

A  separate  theoretical  analysis  was  performed  by  McDonnell  Douglas  and  JSC  which  indicate  that  a  fuel 
line  may  ruptu  re  if  it  sustains  as  few  as  3  freeze/thaw  cycles  (McDonnell  Douglas  Report  TM-950002-02, 
December  23,  1994).  The  analysis  addressed  a  straight  1/2  inch  diameter  fuel  line  that  has  yielded  as  a 
result  of  the  freeze/thciw  cycle.  The  fuel  line  radius  has  permanen  tly  expanded  due  to  the  yield.  The  line 
freezes  again,  and  during  thaw  the  resulting  pressures  further  yield  the  line.  This  process  con  tinues  until 
the  ultimate  strain  of  the  line  has  been  exceeded  which  results  in  rupture.  The  engineering  community 
feels  that  this  analysis,  due  to  the  level  of  detail,  is  more  representative  of  the  freeze/thciw  event  as 
compared  with  analysis  performed  du  ring  STS-62.  RI/Downey  performed  an  analysis  on  fuel  line  bends 
that  coupled  TTA  test  data  with  a  theoretical  analysis.  The  engineering  community  decided,  after  a 
review  of  the  analysis,  that  the  fuel  line  bends  could  withstand  two  freeze/thciw  cycles.  A  qualitative 
review  of  the  fuel  line  welds  and  T’s  found  them  to  be  less  critical  for  freeze/thciw  then  the  tube  bencl 
section.  The  McDonnell  Douglas  analysis  also  concluded  that  a  straight  section  of  yielded  fuel  line  has 
infinite  fatigue  life  due  to  fuel  pump  pressure  cycles  and  vibration. 

Establishing  a  vehicle  attitude  will  warm  the  affected  APU  fuel  lines  which  will  accelerate  the 
sublimation  of  the  frozen  fluid  that  may  be  causing  the  line  freeze. 

Reference  Rules  {A10-lAj.8,  APU  LOSS  DEFINITIONS,  and  {A10-33},  APU  DEFINITIONS.  @[011295- 

1736C]  ©[072398-6685A] 


VOLUME  A  06/20/02  FINAL  MECHANICAL  10-37 

Verify  that  this  is  the  correct  version  before  use. 


NASA  -  JOHNSON  SPACE  CENTER 


FLIGHT  RULES 


A10-32  APU/HYD  CONSUMABLES 

A.  THE  FOLLOWING  MATRIX  DEPICTS  THE  BASIS  FOR  DEFINING  APU  AND 
WSB  CONSUMABLES  REDLINES . 


APU 

N2H4 

(LBS) 

WSB 

H20 

(LBS) 

QUANTITY  AVAILABLE  PER  SYSTEM  (QA) 

TANK 

CORE 

118.3  LB 

3.5  LB 

QUANTITY  (NORMAL  LOAD) 

332.0 

121.8 

RESIDUALS 

5.4 

2.8 

LOADING  UNCERTAINTY 

8.0 

1.0 

USABLE  QUANTITY 

318.6 

118.0 

MISSION  REQUIREMENTS  (MR) 

NOM  FLT 

AOA 

NOM  FLT 

AOA 

SYS  1 

189.4 

221.6 

71.8 

102.0 

SYS  2 

198.1 

221.6 

59.3 

102.0 

SYS  3 

179.6 

221.6 

52.8 

102.8 

MISSION  MARGIN  (MM) 

NOM  FLT 

AOA  [1] 

NOM  FLT 

AOA  [1] 

SYS  1 

129.2 

[2] 

97.0 

62.0 

[2] 

16.0 

SYS  2 

120.5 

[3] 

97.0 

78.8 

[3] 

16.0 

SYS  3 

139.0 

97.0 

80.6 

16.0 

NOTE:  MM=QA-MR 

RESERVES  AND  ALLOWANCES  (RA) 

NOM  FLT 

AOA 

NOM  FLT 

AOA 

SYS  1 

53.4 

30.3 

16.4 

9.0 

[4]  SYS  2 

53.4 

30.3 

32.1 

9.0 

SYS  3 

53.4 

30.3 

32.6 

9.0 

KSC  RESERVES  PER  SYSTEM  (KR) 

NOM  FLT 

AOA 

NOM  FLT 

AOA 

[5]  SYS  1 

65.7 

65.7 

5.0 

7.0 

FLIGHT  PLANNING  MARGIN  (FPM) 

NOM  FLT 

AOA 

NOM  FLT 

AOA 

FLIGHT  SYS  1 

10.1 

1.0 

40.6 

0.0 

PLANNING  SYS  2 

1.4 

1.0 

41.7 

0.0 

MARGIN  (LB)  SYS  3 

19.9 

1.0 

43.0 

0.0 

NOTE:  FPM=MM-RA-KR 

ESTIMATED  USAGE  RATE 

2.0 -3.5  LB/MIN 

0.8 -1.8  LB/MIN 

ASC/ORBIT/ENTRY 

THE  CONSUMABLES  REDLINE  DATA  INCLUDE  ALLOWANCES  FOR: 

[1]  WHEELSTOP,  LANDING  AT  KSC.  ®[ED  ] 

[2]  DEORBIT  COAST  ON  SYSTEM  1 . 

[3]  FCS  CHECKOUT  ON  SYSTEM  2. 

[4]  ONE  APU  FAILURE. 

[5]  19-MINUTE  PRELAUNCH  RUN  TIME  (5-MINUTE  LAUNCH  RECYCLE,  TWO  7-MINUTE  LAUNCH  HOLDS). 

Values  are  based  upon  consumables  budgets  developed  by  the  generic  STS  redline  analysis  performed 
using  composite  APU  and  hydraulic  data  and  generic  trajectory  tapes.  A  detailed  explanation  of  all 
above  data  is  located  in  the  Level  B  Groundrules  and  Constraints  document  (NSTS-21075)  and  the 
Mechanical  and  Crew  Systems  Console  Handbook,  Vol  II  ( JSC-26101 ).  The  SODB  (vol.  I,  sec.  4.4 ) 
also  documents  the  above  data.  The  loading  uncertainty  is  consistent  with  that  of  the  KSC  APU 
“1317”  Fuel  Loading  Cart.  @[012694-1596] 
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A10-32  APU/HYD  CONSUMABLES  (CONTINUED) 

B.  MINIMUM  PRE-DEORBIT  APU  FUEL  AND  WSB  H20  QUANTITY 
REQUIREMENTS  ARE  AS  FOLLOWS: 

1.  WITH  TWO  OR  THREE  APU/HYDRAULIC  SYSTEMS  OPERATIONAL, 
192  LB  APU  FUEL  AND  63  LB  H20  ARE  REQUIRED.  THIS 
ASSUMES  SINGLE  APU/HYDRAULIC  SYSTEM  STARTED  PRIOR  TO 


TIG  AND  APU  SHUTDOWN  AT  WHEELSTOP 

.  @[012694-1596] 

m 

D 

The  fuel  and  H2O  quantities  above  are  based  on  the  following: 

APU 

WSB 

FCS  CHECKOUT 

14 . 7 

0 . 0 

DEORBIT  COAST 

27 . 1 

8 . 9 

ENTRY 

98 . 0 

33.9 

RESIDUALS 

5 . 4 

2 . 8 

LOADING  UNCERTAINTY 

8 . 0 

1 . 0 

RESERVES  AND  ALLOWANCES 

53 . 4 

16.4 

TOTALS 

206.6 

LB 

63.0 

TOTAL  WITHOUT  FCS  CHECKOUT 

191 . 9 

LB 

63.0 

@[012694-1596] 


2.  WITH  ONE  APU/HYDRAULIC  SYSTEM  OPERATIONAL,  203  LB  APU 
FUEL  AND  67  LB  H20  ARE  REQUIRED. 

The  fuel  and  H2O  quantities  above  are  based  on  the  following: 


APU 

WSB 

DEORBIT  COAST 

27 . 1 

8 . 9 

ENTRY 

108 . 9 

37 . 9 

RESIDUALS 

5 . 4 

2 . 8 

LOADING  UNCERTAINTY 

8 . 0 

1 . 0 

RESERVES  AND  ALLOWANCES 

53 . 4 

16.4 

TOTALS 

202.8  LB 

67.0  LB 

@[012694-1596] 
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A10-33  APU  DEFINITIONS 

A.  FOR  ENTRY/ABORTS  AND  PLANNING  PURPOSES,  AN  APU  IS  DEFINED  AS 
"REQUIRED"  IF  IT  IS  NEEDED  TO  PROVIDE  THE  FOLLOWING:  ©[072398-6685A] 

1.  TWO  APU/HYD  SYSTEMS  FOR  AEROSURFACE  ACTUATOR  OPERATION, 

2.  LANDING  GEAR  DEPLOY  REDUNDANCY, 

3.  NWS  (IF  REQUIRED),  OR 

4.  BRAKING  REDUNDANCY  FOR  MAINTAINING  HALF  BRAKES 
CAPABILITY. 


Single  APU/HYD  system  landings  are  uncertified.  The  critical  need  for  gear  deploy  necessitates  having 
deploy  redundancy  when  possible.  NWS  requirements  are  defined  in  Rule  {A10-141AJ,  NOSE  WHEEL 
STEERING  (NWS).  Braking  redundancy  is  satisfied  if  the  next  failure  (following  recovery  of  the 
“required”  APU )  results  in  at  least  single  string,  50  percent  braking. 

This  rule  is  referenced  by  (A10-22E),  F,  H,  APU  START/RESTART  LIMITS;  {A10-24BJ,  D,  E,  APU 
OIL/GEARBOX  TEMPERATURE/PRESSURE;  {A10-25E},  APU  HIGH  SPEED  SELECTION/SHIFT; 
{A10-31B},  APU  FREEZE/THAW;  and  { A10-72E j,  HYDRAULIC  LEAKS. 

B.  AN  APU  "START"  IS  DEFINED  AS  INITIATING  APU  OPERATION  WHILE 
BRANCH  PASSAGE  TEMPERATURE  IS  WITHIN  ACCEPTABLE  LIMITS 
WITHOUT  REQUIRING  ACTIVE  GG  INJECTOR  COOLING. 

C.  AN  APU  "RESTART"  IS  DEFINED  AS  INITIATING  APU  OPERATION  WHEN 
ACTIVE  GG  INJECTOR  COOLING  WAS  REQUIRED  TO  ENSURE  ACCEPTABLE 
BRANCH  PASSAGE  TEMPERATURE . 

D.  AN  APU  "HOT  RESTART"  IS  DEFINED  AS  INITIATING  APU  OPERATION 
WHILE  BRANCH  PASSAGE  TEMPERATURE  IS  ABOVE  ACCEPTABLE  LIMITS. 


These  are  the  definitions  for  “START,  ”  “RESTART,  ”  and  “HOT  RESTART”  used  by  other  flight  rules. 
Reference  Rule  { A10-22A  j,  APU  START/RESTART  LIMITS.  ®[072398-6685A] 
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HYDRAULIC  SYSTEMS  LOSS/FAILURE  DEFINITIONS  ®[ED  ] 


A10-51  HYDRAULIC  LOSS  DEFINITIONS 

A.  A  HYDRAULIC  SYSTEM  IS  CONSIDERED  LOST  IF: 

1.  IT  IS  UNABLE  TO  PROVIDE  HYDRAULIC  PUMP  PRESSURE  OF 
2760-3500  (2860-3400)  PSIA  AT  DEMANDED  FLOW  WITH  THE 
APU  RUNNING  AND  THE  MAIN  PUMP  PRESSURIZED. 

Operation  of  the  hydraulic  actuators  requires  a  minimum  pressure  of  2700  psi.  A  60  psi  safety  margin 
is  given.  Maximum  hydraulic  pressure  is  3500  psia  (reference  SODB,  vol.  I,  3.4.3.1-12  and  4. 2. 4. 8.1.). 

2.  THE  SYSTEM  HAS  A  CONFIRMED  NONISOLATABLE  HYDRAULIC  LEAK: 
@[022201-3989] 

a.  DURING  ASCENT/ORBIT,  THE  SYSTEM  WILL  BE  CONSIDERED 
LOST  FOR  PLANNING  PURPOSES. 

For  planning  purposes,  a  system  with  a  nonisolatable  leak  should  be  considered  lost  since  its  capability 
to  support  entry  from  El  through  wheelstop  in  NORM  PRESS  is  suspect.  ®[ED  ] 

b.  DURING  ENTRY/ABORTS,  THE  SYSTEM  WILL  BE  CONSIDERED 

FAILED  IF  THE  ASSOCIATED  RESERVOIR  QUANTITY  IS  LESS 
THAN  20  (25)  PERCENT  FOR  SYSTEM  1,  OR  5  (10)  PERCENT 

FOR  SYSTEMS  2  AND  3. 

A  reservoir  quantity  of  20  percent  is  required  for  system  1  due  to  the  drop  in  quantity  typically  seen  at 
landing  gear  deploy.  This  quantity  drop  is  15  to  20  percent  for  OV-102,  and  12  to  16  percent  for  all 
other  vehicles  (the  difference  in  quantity  drop  between  the  vehicles  is  due  to  the  larger  diameter  pistons 
in  the  strut  actuators  on  OV-102).  Failure  to  maintain  20  percent  for  landing  gear  deploy  may  lead  to 
pump  cavitation  and  the  loss  of  that  system.  Since  systems  2  and  3  are  prune  for  elevon  operation,  a 
reservoir  quantity  of  5  percent  is  required  to  protect  control  system  operations  during  approach  and 
landing  (reference  SODB,  vol.  I,  3. 4.2. 4. 4.).  @[022201 -3989  ] 

3.  HYDRAULIC  FLUID  TEMPERATURES  CANNOT  BE  MAINTAINED  ABOVE  - 
40  DEGREES  F. 

At  -40  deg  F,  the  hydraulic  fluid  viscosity  will  have  increased  to  a  point  where  it  is  no  longer  possible  for 
the  hydraulic  main  pump  to  push  the  fluid  through  the  system.  Other  hydraulic  system  components  may 
be  damaged  if  their  temperatures  are  less  than  -65  deg  F  (reference  SODB,  vol.  I,  table  3. 4. 2. 4-1.). 
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A10-51  HYDRAULIC  LOSS  DEFINITIONS  (CONTINUED) 

4.  A  SWITCHING  VALVE  WILL  NOT  SELECT  A  HYDRAULIC  SYSTEM  TO 
AN  ACTUATOR  (DUE  TO  A  FAILURE  IN  THE  SWITCHING  VALVE) . 
(FAILURE  OF  PRIMARY/STANDBY  1  VALVE  TO  STANDBY  1  POSITION 
IS  LOSS  OF  ONE  SYSTEM.  FAILURE  OF  STANDBY  2  VALVE  TO 
STANDBY  2  POSITION  IS  LOSS  OF  TWO  SYSTEMS.) 

Switching  valves  are  two-position  valves  which  compare  pressure  between  two  of  the  redundant  hydraulic 
systems  assigned  to  a  control  element  to  ensure  that  the  actuator  receives  flow  from  a  hydraulic  system 
with  adequate  pressure.  Redundant  hydraulic  systems  are  designated  as  primary,  standby  1,  and  standby 
2  systems. 

An  actuator  having  three  redundant  hydraulic  systems  assigned  to  it  will  have  two  switching  valves,  a 
primary/standby  1  valve  and  a  standby  1/standby  2  valve.  A  switching  valve  failu  re  to  one  position  will 
only  allow  pressure  from  the  hydraulic  systems  assigned  to  that  position  to  operate  the  actuator.  The 
hydraulic  system  assigned  to  the  other  position  is  essentially  lost  insofar  as  the  actuator  is  concerned. 

A  failure  in  the  primary/standby  1  valve  to  either  position  results  in  the  loss  of  one  of  the  hydraulic 
systems  to  the  actuator.  A  failure  in  the  standby  1/ standby  2  valve  to  the  standby  1  position  results  in  the 
loss  of  one  system,  the  standby  2  system.  Both  the  primary  and  standby  1  systems  may  still  operate  the 
actuator  through  the  standby  1  port. 

A  failure  of  the  standby  1/standby  2  valve  to  the  standby  2  position  will  allow  only  the  standby  2  system 
to  operate  the  control  element,  resulting  in  the  loss  of  the  primary  and  standby  1  systems. 

5.  UNABLE  TO  MAINTAIN  RESERVOIR  PRESSURE  GREATER  THAN 

15  (28)  PSIA  WITH  THE  APU  NOT  RUNNING.  ®[ED  ] 

Hydraulic  pumps  may  cavitate  with  insufficient  head  pressure  at  startup.  Mean  pumps  require  a 
minimum  15  psici  positive  pressure  to  start.  Reference  SODB.  vol.  I,  3. 4.2. 4-7. 

Rules  {A10-23J,  APU  ENTRY  START  TIME;  { A10-73E} ,  HYDRAULIC  SYSTEM  PRESSURE/ 
TEMPERATURE  [CIL];  and  {A10-74A}.!,  HYDRAULIC  CIRCULATION  PUMP  OPERATION  [CIL], 

reference  this  rule.  ®[051 194-1 61 9B]  ®[070899-6879A] 
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A10-51  HYDRAULIC  LOSS  DEFINITIONS  (CONTINUED) 

B.  A  HYDRAULIC  CIRCULATION  PUMP  WILL  BE  CONSIDERED  LOST  IF  THE 
CIRCULATION  PUMP  BODY  TEMPERATURE  IS  >  230  (222)  DEG  F,  OR 
RESERVOIR  TEMPERATURE  >  230  (222)  DEG  F  WHILE  THE  CIRCULATION 

PUMP  IS  RUNNING.  ®[091 098-6554B] 

Operating  a  circulation  pump  above  230  deg  F  exceeds  the  circulation  pump  electronics  temperature 
limit,  (ref  SODB,  vol.  I,  table  3. 4.2. 4-1).  Testing  has  shown  that  operating  a  circulation  pump  above 
this  limits  significantly  reduces  the  pump  electronics  lifetime.  The  loss  of  a  circulation  pump  alone  is  not 
considered  loss  of  a  hydraulic  system.  If  the  circulation  pump  is  running  to  maintain  accumulator 
pressure  fore  a  leaking  accumulator,  it  is  possible  that  the  accumulator  may  lock  up  (as  it  did  on 
STS-50).  Therefore,  the  loss  of  a  circulation  pump  does  not  require  loss  of  a  hydraulic  system  action  s. 
©[0511 94-1 61 9B] 

Rule  (A10-73EJ,  HYDRAULIC  SYSTEM  PRESSURE/TEMPERATURE  [CIL],  references  this  rule. 

©[051 194-1 61 9B]  ©[091 098-6554B] 

A10-52  THROUGH  A10-70  RULES  ARE  RESERVED 
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HYDRAULIC  SYSTEMS  MANAGEMENT  ®[ED  ] 


A10-71  HYDRAULIC  SYSTEMS  CONFIGURATION  ®[ED  ] 

A.  THE  LANDING  GEAR  EXTEND  ISOLATION  VALVE  WILL  REMAIN  CLOSED 
EXCEPT  WHEN  OPENED  DURING  ENTRY/ABORTS. 

Landing  gear  extend  isolation  valve  remains  closed  to  safeguard  the  hydraulic  system  from  attempting  to 
deploy  the  landing  gear  at  any  time  other  than  landing.  The  landing  gear  cannot  be  retracted  during 
flight  once  it  has  been  deployed.  Landing  gear  extend  isolation  valve  is  opened  when  the  vehicle  reaches 
Vrel  of800fps  to  set  up  gear  deployment. 

B.  THE  BRAKE  ISOLATION  VALVES  WILL  REMAIN  CLOSED  UNTIL  OPENED 
DURING  ENTRY/ABORTS  UNLESS  REQUIRED  FOR  ON  ORBIT  THERMAL 
CONDITIONING. 

Brake  isolation  valves  1,  2,  and  3  remain  closed  when  the  landing  gear  systems  are  not  in  use  to  protect 
the  hydraulic  systems  in  the  event  of  a  leak  downstream  of  one  of  the  isolation  valves.  All  brake  isolation 
valves  open  automatically  at  main  gear  touchdown. 

C.  DURING  ENTRY/ABORTS,  IF  AUTOMATIC  CAPABILITY  TO  OPEN  A  BRAKE 
ISOLATION  VALVE  AT  WOW  IS  LOST,  THE  VALVE  WILL  BE  OPENED 
MANUALLY  AFTER  M=8  TO  PROVIDE  NWS  (IF  REQUIRED)  OR  FULL 
BRAKING.  BRAKE  ISOLATION  VALVE  2  WILL  BE  OPENED  BETWEEN  M=8 
AND  LANDING  GEAR  DEPLOY  IF  REQUIRED  TO  PROVIDE  REDUNDANT  NLG 
DEPLOY . 

To  protect  against  uncommanded  brake  pressure,  brake  isolation  valves  will  only  be  opened  manually 
for  the  cases  listed.  It  is  desirable  to  open  the  valves  during  wings-level  flight  periods  to  reduce  the  risk 
of  vertigo  in  the  PLT.  Manual  valve  open  ing  will  be  delayed  until  after  M=8  to  reduce  the  opportun  ity 
for  silting  of  the  brake  system  (can  lead  to  uncommanded  brake  pressure).  Brake  silting  is  a  function  of 
the  time  the  isolation  valve  is  open  with  the  hydraulic  system  in  NORM  PRESS.  Reference  Ascent/Entry 
Flight  Techniques  Panel  #45  minutes,  June  23,  1988. 

The  risk  of  uncommanded  brake  pressure  is  acceptable  to  gain  redundant  nose  landing  gear  deploy 
capability. 
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A10-71  HYDRAULIC  SYSTEMS  CONFIGURATION  (CONTINUED) 

®[ED  ] 

Opening  brake  isolation  valves  after  WOW  for  braking  and  nosewheel  steering  retains  protection  against 
uncommanded  brake  pressure,  which  is  no  longer  catastrophic  after  wheel  spinup.  However,  manual 
valve  opening  prior  to  landing  is  acceptable,  if  automatic  capability  is  lost,  due  to  the  high  crew  workload 
after  touchdown  and  the  risk  of  inducing  vertigo.  Allowing  the  isolation  valves  to  open  automatically  is 
considered  acceptable  due  to  the  inherent  reliability  of  the  redundant  WOW  cue.  Brake  energy  and 
rollout  margin  calculations  do  not  protect  for  the  loss  of  half  brakes  (reference  Rule  {A4-108},  TIRE 
SPEED,  BRAKING,  AND  ROLLOUT  REQUIREMENTS ).  Half  brakes  are  adequate  for  any  directional 
control  requiremen  ts  between  MGTD  and  NGTD.  For  uncommanded  brake  pressure  actions,  reference 
Rule  / A10-145 },  UNCOMMANDED  BRAKE  PRESSURE  [ CIL],  For  nosewheel  steering  requirements, 
reference  Rule  {A10-141A},  NOSE  WHEEL  STEERING  (NWS). 

D.  THE  MPS/TVC  ISOLATION  VALVES  WILL  BE  CLOSED  ON  ORBIT  AND  WILL 
REMAIN  CLOSED  EXCEPT  FOR  SSME  HYDRAULIC  REPRESSURIZATION  AND 
SSME  REPOSITIONING. 

The  TVC  isolation  valves  are  pressure-actuated  valves  requiring  a  minimum  of  100  psid  positive 
pressure  to  close.  This  pressure  may  be  supplied  by  the  APU  or  the  hydraulic  circulation  pump. 

Closing  the  MPS/TVC  isolation  valve  during  powered  flight  will  cause  the  hydraulically  actuated  mean 
engine  valves  to  lock  up,  so  the  MPS/TVC  isolation  valve  is  left  open  past  MECO. 

The  MPS/TVC  isolation  valves  are  normally  closed  after  SSME  stowage  on  orbit  is  complete. 

Two  isolation  valves  are  normally  opened  for  10  seconds  each  prior  to  El  to  repressurize  the  hydraulic 
fluid  in  the  TVC  actuators  (SSME  HYD  REPRESS).  This  is  done  to  eliminate  any  voids  which  may  be 
fanned  in  the  actuators  due  to  hydraulic  fluid  contraction  as  a  result  of  orbit  cooling.  Eliminating  the 
voids  ensures  that  the  actuators  will  hold  the  engine  bells  in  place  when  subjected  to  aerodynamic  loads 
during  entry. 

The  isolation  valves  will  be  cycled  in  order  to  reposition  the  main  engines  to  preclude  contact  with  the 
drag  chute  during  deploy  and  post-rollout  for  rain  drain. 

E.  THE  HYDRAULIC  MAIN  PUMP  WILL  BE  RUN  IN  "NORM  PRESS"  AFTER  APU 
START  ON  A  HYDRAULIC  SYSTEM  WITH  AN  ACCUMULATOR  LEAK. 

Accumulator  pressure  is  used  to  charge  the  hydraulic  reservoir  and  maintain  the  required  inlet  pressure 
for  the  main  pump  to  operate  without  cavitation.  The  main  pump  must  provide  its  own  inlet  pressure 
through  a  bootstrap  system  when  the  accumulator  has  lost  its  charge.  Operating  the  main  pump  at  low 
pressure  (800  psi)  may  not  provide  sufficien  t  head  pressure  at  the  pump  inlet  (reference  RIC IL  288-503- 
81-055,  November  10,  1 981 ).  The  mean  pump  is  nominally  run  in  low  pressure  after  APU  start  on  an 
APU  started  prior  to  the  deorbit  burn. 
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A10-72  HYDRAULIC  LEAKS 

FOR  A  HYDRAULIC  FLUID  LEAK,  THE  FOLLOWING  ACTIONS  WILL  BE  TAKEN: 

A.  DURING  ASCENT,  NO  ACTION  WILL  BE  TAKEN  UNTIL  POST-MECO.  IF 
THE  APU/HYDRAULIC  SYSTEM  IS  STILL  OPERATING  POST-MECO,  THE 
APPROPRIATE  MPS/TVC  ISOLATION  VALVE  WILL  BE  CLOSED.  IF  THE 
LEAK  IS  NOT  SUBSEQUENTLY  ISOLATED,  THE  SYSTEM (S)  WILL  BE 
TAKEN  TO  "LOW  PRESS"  AND/OR  SHUT  DOWN  AS  REQUIRED  IN  ORDER 
TO  EVALUATE  AND  MAINTAIN  REMAINING  CAPABILITY.  ®[072398-6686B] 

The  MPS/TVC  isolation  valve  is  closed  in  an  attempt  to  isolate  the  leak  if  the  leak  is  downstream  of  the 
isolation  valve.  Closing  the  MPS/TVC  isolation  valve  before  MECO  would  cause  the  main  engine 
hydraulically  actuated  valves  to  lock  up,  resulting  in  a  loss  of  throttle  control  and  TVC  redundancy. 

If  the  leak  is  not  isolated  by  closing  the  MPS/TVC  valve,  the  leaking  hydraulic  system  should  be  taken  to 
low  pressure  to  reduce  the  stress  on  the  system  while  allowing  continued  evaluation  of  the  leak.  Efforts 
within  system  limitations  will  be  made  to  verify  that  the  location  of  leakage  does  not  exist  downstream  of 
an  actuator  switching  valve  where  it  could  potentially  cause  imminent  loss  of  all  three  hydraulic  systems. 
Additionally,  the  leak  could  be  due  to  intersystem  leakage.  It  may  become  necessary  to  depressurize 
additional  hydraulic  systems  to  try  to  pinpoint  the  source  of  the  leak.  If  the  leak  is  determined  to  be 
downstream  of  an  actuator  switching  valve,  a  mission  abort  will  be  required. 

After  all  pertinent  troubleshooting  has  been  completed,  the  APU  should  be  shut  down  as  soon  as 
practical  to  further  reduce  the  pressure  on  the  system  thereby  reducing  the  leak. 

Rule  (A2-54J,  RTLS,  TAL,  AND  AO  A  ABORTS  FOR  SYSTEMS  FAILURES  [CIL],  references  this  rule. 

®[072398-6686B] 

B.  ON  ORBIT,  IF  A  LEAK  IS  DETECTED  AND  THE  ASSOCIATED  HYDRAULIC 
SYSTEM  BRAKE  ISOLATION  VALVE  IS  OPEN,  THE  VALVE  WILL  BE 
CLOSED  ASAP . 


Closing  the  brake  isolation  valve  may  isolate  the  leak.  If  the  leak  is  isolated,  then  the  valve  will  remain 
closed  to  protect  the  system  and  to  limit  the  amoun  t  of  hydraulic  fluid  leaked  into  the  wheel  well.  This 
reduces  the  chance  of  a  fire  at  wheelstop  due  to  hydraulic  fluid  on  hot  brakes.  ®[ED  ] 

C.  DURING  ENTRY/ABORTS,  IF  A  LEAK  IS  DETECTED  PRIOR  TO 

TOUCHDOWN  AND  THE  ASSOCIATED  SYSTEM  BRAKE  ISOLATION  VALVE 
IS  OPEN  AND  THE  LEAK  WILL  NOT  SUPPORT  OPERATIONS  THROUGH 
WHEELSTOP,  THE  VALVE  WILL  BE  CLOSED  ASAP.  THE  VALVE  MAY  BE 
OPENED  AT  TOUCHDOWN  TO  PROVIDE  BRAKING  AND  WILL  BE  CLOSED 
ASAP  POST-WHEELSTOP  .  ®[ED  ] 
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A10-72  HYDRAULIC  LEAKS  (CONTINUED) 

The  brake  isolation  valve  will  be  allowed  to  open  automatically  at  main  gear  touchdown  to  provide 
braking  capability  but  must  be  closed  ASAP  post-wheelstop  to  reduce  the  amount  of  hydraulic  fluid 
leaked  into  the  fuselage  or  wheel  well.  This  will  reduce  the  chance  of  a  tire  fire  due  to  hydraulic  fluid 
on  hot  brakes  if  the  leak  is  in  the  wheel  well.  ®[ED  ] 

D.  DURING  ENTRY/ABORTS,  IF  A  LEAK  IS  DETECTED  AND  THE  LANDING 
GEAR  EXTEND  ISOLATION  VALVE  IS  OPEN  AND  THE  LEAK  WILL  NOT 
SUPPORT  OPERATIONS  THROUGH  WHEELSTOP,  THE  VALVE  WILL  BE 
CLOSED  ASAP.  THE  VALVE  WILL  BE  REOPENED  ONLY  TO  GAIN  NWS  OR 
REDUNDANT  LANDING  GEAR  DEPLOY.  THE  VALVE  WILL  BE  CLOSED  ASAP 
POST-WHEELSTOP.  ®[ED  ] 

Closing  the  landing  gear  extend  isolation  valve  may  isolate  the  leak,  and  hydraulics  for  NWS  and  two 
methods  of  gear  deploy  remain.  If  the  leak  is  isolated,  the  valve  will  remain  closed  to  preserve  the 
system  unless  NWS  or  a  redundant  landing  gear  deploy  method  is  required.  In  these  cases,  the  valve  will 
be  opened  near  the  ground  and  closed  post-wheelstop  to  minimize  the  amount  of  hydraulic  fluid  leaked. 
This  reduces  the  chance  of  a  fire  due  to  hydraulic  fluid  on  hot  brakes  if  the  leak  is  in  the  wheel  well. 

®[ED  ] 

E.  DURING  ENTRY/ABORTS,  A  SYSTEM  WITH  A  NONI SOLATABLE  HYDRAULIC 
LEAK  WILL  HAVE  ITS  MAIN  PUMP  TAKEN  TO  "LOW  PRESS".  IF  THE 
LEAK  RATE  IS  SUCH  THAT,  WITH  "NORM  PRESS"  SELECTED  AT  HAC 
INTERCEPT,  THE  SYSTEM  WILL:  ®[072398-6686B] 

Taking  the  main  hydraulic  pump  to  “low press”  will  likely  slow  the  leak  by  reducing  pressure  in  the 
system.  Even  if  the  leak  rate  as  detected  in  “norm  press”  will  support  to  wheelstop,  there  is  a  possibility 
that  the  leak  will  become  larger,  so  the  system  should  be  depressurized  to  improve  its  chances  of 
supporting  the  later  phase  of  entry.  To  protect  for  a  subsequent  failure  of  one  of  the  good  systems,  the 
leaking  system  should  be  allowed  to  operate  in  “low press”  to  be  ready  to  provide  two  APU /Hydraulic 
systems  during  entry  should  another  APU /Hydraulic  system fail. 

1.  SUPPORT  TO  WHEELSTOP,  THE  SYSTEM,  IF  REQUIRED,  WILL  BE 
TAKEN  BACK  TO  "NORM  PRESS"  AS  SOON  AS  THE  CAPABILITY  TO 
SUPPORT  TO  WHEELSTOP  IS  ACHIEVED  (NO  EARLIER  THAN  TAEM) . 

2.  NOT  SUPPORT  TO  WHEELSTOP,  THE  APU  WILL  BE  SHUTDOWN.  THE 
APU  WILL  BE  RESTARTED  (TIME  PERMITTING) ,  IF  REQUIRED, 

WHEN  THE  LEAKING  SYSTEM  WILL  SUPPORT  TO  WHEELSTOP. 

If  the  leaking  hydraulic  system  will  not  support  entry  at  its  presen  t  leak  rate,  then  the  APU  should  be  shut 
down  to  minimize  fluid  leakage.  It  will  be  restarted  later  to  support  the  final  phase  of  entry  if  there  is 
enough  time  to  perform  a  cooldown  and  restart.  ®[072398-6686B] 
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A10-72  HYDRAULIC  LEAKS  (CONTINUED) 

During  STS-76,  when  a  known  hydraulic  leak  existed,  the  APU  was  started  at  TAEM  with  the  hydraulic 
system  kept  in  “low  press  ” for  the  remainder  of  the  entry.  Remaining  in  “low  press”  affords  support  in 
a  standby  mode  while  minimizing  fluid  leakage.  Additionally,  remaining  in  “low  press”  allows  the  other 
two  good  hydraulic  systems  to  be  in  control  of  all  the  aerosurface  actuators,  hi  the  event  that  the  leaking 
system  fails  at  a  critical  time  while  close  to  the  ground,  the  aerosurface  switching  valves  will  already  be 
set  up  to  use  the  good  system(s)  and  will  not  enter  into  a  “chattering”  mode  whereby  control  could  be 
jeopardized.  ®[072398-6686B] 

Reference  Rule  {A10-33},  APU  DEFINITIONS.  ©[072398-6686B] 

A10-73  HYDRAULIC  SYSTEMS  PRESSURE/TEMPERATURE  [CIL]  ®[ED  ] 

A.  A  HYDRAULIC  SYSTEM  THAT  CANNOT  MAINTAIN  >  200  (300)  PSIA  WILL 

HAVE  ITS  APU  SHUT  DOWN.  DURING  ASCENT,  THE  APU  WILL  BE  SHUT 
DOWN  POST-MECO. 

Running  the  main  pump  at  less  than  200  psi  does  not  support  actuator  performance  and  may  result  in 
cavitation  and/or  overheating  of  the  main  pump  due  to  insufficient  hydraulic  fluid  flow. 

B.  A  HYDRAULIC  SYSTEM  WILL  BE  TAKEN  TO  "LOW  PRESS"  OR  ITS  APU 

SHUT  DOWN  (DURING  ASCENT,  THE  APU  WILL  BE  SHUTDOWN  POST-MECO) , 
IF  PUMP  PRESSURE  FLUCTUATIONS  OCCUR  SUCH  THAT  PUMP  OUTLET 
PRESSURE  REPEATEDLY  FALLS  BELOW  1500  (1600)  PSI.  [CIL] 

Pressure  fluctuations  below  1500  psi  are  indicative  of  a  malfunction  in  the  main  pump  compensator 
system.  This  type  of  failure  will  not  allow  the  pump  to  maintain  system  pressure  on  demand. 

The  pump  supply  pressure  will  decrease  in  response  to  the  demand  from  an  actuator  supplied  by  the  pump. 
The  actuator  will  not  respond  until  the  failed  system  pressure  falls  below  the  switching  valve  pressure 
( 1500  psi).  At  that  pressure,  the  standby  hydraulic  system  cycles  the  switching  valve  and  takes  over  control 
of  the  actuator.  With  the  standby  system  controlling  the  actuator  and  the  demand  gone,  the  failed 
hydraulic  pump  pressure  will  recover  and  eventually  the  switching  valve  will  cycle  back  to  the  failed 
system.  The  switching  valve  will  cycle  in  this  manner  each  time  the  actuator  is  commanded. 

The  switching  valve  cycling  will  cause  the  actuator  response  to  be  slower  due  to  the  time  required  for  the 
switching  valve  to  transfer.  Additionally,  continued  operation  of  the  actuator  could  cause  switching  valve 
cycling  to  occur  at  a  rapid  rate,  which  could  cause  damage  to  the  valve  or  create  undesirable  vibration 
frequencies  due  to  pressure  fluctuations. 

Depressurizing  the  failed  pump  will  drop  its  output  pressure  to  800  to  1000  psi,  which  will  allow  the 
standby  hydraulic  systems  to  cycle  the  switching  valves  and  take  control  of  the  actuators.  If  the  main  pump 
cannot  be  depressurized,  the  APU  will  have  to  be  shut  down. 
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A10-73  HYDRAULIC  SYSTEMS  PRESSURE/TEMPERATURE  [CIL] 

(CONTINUED)  ®[ED  ] 

C.  DURING  ASCENT,  NO  ACTION  WILL  BE  TAKEN  FOR  A  HIGH  HYDRAULIC 
RESERVOIR  TEMPERATURE  UNTIL  AFTER  MECO.  DURING  ENTRY /ABORTS , 
THE  FOLLOWING  ACTIONS  WILL  BE  TAKEN: 

1.  THE  HYDRAULIC  MAIN  PUMP  WILL  BE  TAKEN  TO  "LOW  PRESS"  IF 
THE  RESERVOIR  TEMPERATURE  EXCEEDS  250  DEG  TBD)  F. 

2.  THE  APU  WILL  BE  SHUT  DOWN  IF  THE  RESERVOIR  TEMPERATURE 
EXCEED  275  DEG  (268  DEG)  F. 

The  hydraulic  reservoir  temperature  increases  based  on  the  amount  of  APU  run  time  and  the  load  on  the 
system.  Flight  data  has  shown  that  ascent  conditions  typically  cause  the  hydraulic  reservoir 
temperatures  to  increase  to  150  deg  to  1 75  deg  F  at  APU  shutdown  ( approximately  4  to  8  minutes  after 
MECO).  For  this  reason,  the  reservoir  temperature  is  very  unlikely  to  demand  action  prior  to  MECO, 
except  in  the  case  of  a  pump  compensator  failure.  This  failure  results  in  high  output  pressure  and  flow 
through  the  relief  valve  and  is  considered  unlikely.  The  hydraulic  system  design  is,  therefore,  considered 
to  be  protection  against  exceeding  the  SSME  interface  temperature  requirements  (reference  SODB,  vol.  I, 
3.4.2.4-12.). 

Hydraulic  fluid  temperatures  in  excess  of  275  deg  F  can  cause  degradation  of  the  hydraulic  seals  which 
could  ultimately  lead  to  leakage  (ref.  SODB.  vol.  I,  3.4.2.4.1.d).  Depressurizing  the  main  pump  reduces 
the  heat  input  into  the  hydraulic  system  and  should  allow  the  APU  to  continue  operating.  If 
depressurizing  the  main  pump  fails  to  maintain  the  reservoir  temperature  below  275  deg  F,  the  APU  will 
have  to  be  shut  down. 

D.  DURING  DEORBIT,  HYDRAULIC  THERMAL  CONDITIONING  WILL  BE 
PERFORMED  IF  THE  ACTIVE  HYDRAULIC  SYSTEM  FLUID  LINE 
TEMPERATURES  ARE  PREDICTED  TO  BE  <  35  DEG  F,  OR  THE  FIRST 
STANDBY  SYSTEM  FLUID  LINE  TEMPERATURES  ARE  PREDICTED  TO  BE 
<  0  DEG  F  AT  El . 

The  active  hydraulic  system  fluid  line  temperatures  are  required  to  be  >  35  deg  F  since  this  is  the 
minimum  hydraulic  fluid  temperature  where  optimum  system  performance  can  be  expected.  Standby 
system  temperatures  need  to  be  above  0  deg  F  (per  Rockwell/Downey  thermal  analysis)  by  El  so  they 
may  be  quickly  warmed  up  to  the  full  performance  temperature  if  required.  Preen  try  hydraulic  thermal 
conditioning  involves  cycling  the  aerosurfaces  with  all  three  APU’s  running  before  El  (reference 
SODB.  vol.  I,  table  3.4.2.4.I. ). 
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A10-73  HYDRAULIC  SYSTEMS  PRESSURE/TEMPERATURE  [CIL] 

(CONTINUED)  ®[ED  ] 

E.  ON  ORBIT,  ATTEMPTS  WILL  BE  MADE  TO  MAINTAIN  HYDRAULIC 

RESERVOIR  TEMPERATURE  <162  (154)  DEG  F  PRIOR  TO  APU  START. 

THE  FOLLOWING  ARE  ACCEPTABLE  METHODS  TO  ATTEMPT  TO  MAINTAIN 
RESERVOIR  TEMPERATURES  <  162  (154)  DEG  F. 

1.  MINIMIZE  CIRC  PUMP  RUN  TIME  WHILE  MAINTAINING  RSVR  p 

>  15  (28)  PSIA.  ®[ED  ] 

2.  POWER  DOWN  ORBITER/SPACELAB  EQUIPMENT  OR  RECONFIGURE  THE 
ORBITER  ACTIVE  THERMAL  COOLING  SYSTEM  (ATCS)  TO  LOWER 
FREON  TEMPERATURES  AT  THE  FREON/HYDRAULIC  HEAT  EXCHANGER 
TO  <  95  DEG  F  AS  INDICATED  BY  THE  FREON  COOLANT  RAD  IN 
TEMP  (V63T1209A  AND  V63T1409A) . 

During  STS-50,  hydraulic  system  2  circulation  pump  was  run  for  extended  periods  due  to  an 
accumulator  GN2  leak.  The  hydraulic  system  fluid  temperature  continued  to  increase  during  this  time. 
Post  flight  data  revealed  the  increase  was  due  to  high  Freon  temperatures  ( Freon  temperatures  greater 
than  95  deg  F  at  the  Freon/hydraulic  heat  exchanger).  As  the  hydraulic  fluid  temperature  increased,  the 
Freon/hydraulic  heat  exchanger  bypass  valve  cycled  causing  the  hydraulic  fluid  to  bypass  the  heat 
exchanger.  Heat  from  the  hydraulic  circ  pump  caused  the  hydraulic  fluid  temperature  to  continue  to 
increase  until  the  circulation  pump  was  taken  off.  Flight  data  indicates  that  maintaining  Freon 
temperatures  below  95  deg  F  allows  the  hydraulic  fluid  to  reject  heat  to  the  Freon  loops  and  preven  ts  the 
bypass  valve  from  bypassing  the  Freon/hydraulic  heat  exchanger  ( the  bypass  valve  cycles  when  the 
hydraulic  fluid  reaches  115  deg  F).  Once  the  heat  exchanger  is  bypassed,  the  hydraulic  fluid  will 
continue  to  heat  up  as  long  as  the  circulation  pump  continues  to  run. 

Minimizing  circulation  pump  run  time  will  minimize  the  heat  added  to  the  hydraulic  system.  The 
reservoir  pressure  however  should  not  be  allowed  to  drop  below  15  (24)  psia  (reference  Rule  { A10 - 
51  A}. 5,  HYDRAULIC  LOSS  DEFINITION). 

Powering  down  orbiter  and  Spacelcib  equipment,  deploying  the  radiators,  or  activating  the  FES  can 
lower  the  Freon/hydraulic  heat  exchanger  temperature.  Radiator  deployment  will  not  affect  the 
Freon/hydraulic  heat  exchanger  temperature. 

Excessively  high  hydraulic  systems  temperatures  can  lead  to  a  delayed  APU  start  for  entry  and  loss  of 
the  hydraulic  circulation  pump  (reference  Rules  {A10-23B},  APU  ENTRY  START  TIME,  and  {A10-51B}, 
HYDRA ULIC  LOSS  DEFINITIONS).  ®[05i  194-1619B] 
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A10-74  HYDRAULIC  CIRCULATION  PUMP  OPERATION  [CIL] 

A.  HYDRAULIC  CIRCULATION  PUMPS  WILL  BE  USED  AS  REQUIRED:  [CIL] 

1.  TO  MAINTAIN  BOOTSTRAP  ACCUMULATOR  PRESSURE.  [CIL] 

The  hydraulic  main  pump  requires  a  minimum  positive  inlet  pressure  of  15  psia  to  avoid  cavitation 
during  on-orbit  zero-gravity  starts.  This  pressure  is  provided  by  the  bootstrap  accumulator  acting  on 
the  hydraulic  reservoir.  ®[070899-6879A] 

a.  THE  CIRCULATION  PUMP  WILL  BE  RUN  BEFORE  THE 

ACCUMULATOR  PRESSURE  HAS  DECAYED  TO  THE  PREFLIGHT 
CHARGE  PRESSURE  (1700  (1820)  PSIA  FOR  A  PISTON 

ACCUMULATOR  AND  1715  (1835)  PSIA  FOR  A  BELLOWS 

ACCUMULATOR) .  [CIL] 

The  preflight  charge  pressure  is  the  GNj  pressure  with  the  piston/bellows  bottomed  out  at  the  fluid  end 
of  the  cylinder  ( equivalen  t  to  the  maximum  GN2  volume  and  hence  the  minimum  GN2  pressure  possible, 
assuming  no  GN2  has  leaked).  If  fluid  pressure  falls  below  this  value  ( and  no  GN2  has  leaked),  the  GN2 
pressure  is  pushing  against  the  cylinder  wall  rather  than  against  the  hydraulic  fluid,  and  bootstrap 
pressure  is  lost.  Repressurization  with  the  circulation  pump  is  required  to  prevent  the  piston/bellows 
from  bottoming  out  in  this  manner  ( reference  SODB.  vol.  I,  4.2. 4. 4. c). 

b.  FOR  A  PISTON  ACCUMULATOR,  IF  A  GN2  LEAK  CAUSES  THE 

ACCUMULATOR  PRESSURE  TO  BE  <  2500  (2380)  PSIA  WITH 

THE  CIRCULATION  PUMP  RUNNING,  THE  ACCUMULATOR  WILL  BE 
RECHARGED  BEFORE  THE  PUMP  OFF  PRESSURE  DECAYS  TO  HALF 
THE  PREVIOUS  PUMP  RUNNING  PRESSURE  PLUS  200  PSI.  IF 
THE  ACCUMULATOR  PRESSURE  DECAYS  TO  615  (735)  PSIA, 

THE  CIRCULATION  PUMP  WILL  BE  OPERATED  CONTINUOUSLY 
UNTIL  APU  START. 

A  GN2  leak  is  detectable  on  a  piston  accumulator  since  the  pressure  sensor  is  on  the  GN2  side  of  the 
piston.  Once  enough  GN2  has  leaked,  circulation  pump  pressure  will  push  the  piston  all  the  way  to  the 
GN2  end  of  the  accumulator,  and  no  further  pressure  from  the  circulation  pump  can  be  exerted  on  the 
remaining  GN2  (within  the  hollow  piston).  Therefore,  accumulator  pressure  of  less  than  2500  psia 
with  the  circulation  pump  running  is  evidence  that  the  piston  has  reached  the  GN2  end,  and  GN2  is 
leaking.  Note  that  with  slow  leaks  (such  as  have  been  experienced  on  flights),  for  the  first  two  or  three 
accumulator  represses,  there  is  sufficient  GN2  to  prevent  the  piston  from  reaching  the  GN2  end,  so  this 
signature  will  not  be  seen  until  subsequent  represses  occur.  Accumulator  GN2  leaks  occurred  on 
flights  STS-7  and  STS -50.  ®[070899-6879A] 
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A10-74  HYDRAULIC  CIRCULATION  PUMP  OPERATION  [CIL] 

(CONTINUED) 


Once  a  GN2  leak  is  confirmed,  accumulator  pressure  can  be  allowed  to  drop  below  the  preflight  charge 
value  of  1700  psia.  If  an  internal  hydraulic  leak  (e.g.,  past  the  unloader  or  priority  valve )  occu  rs 
concurrently,  then,  with  the  circulation  pump  off,  the  piston  will  begin  traveling  over  to  the  fluid  end  of 
the  cylinder.  Without  taking  the  GN2  leak  into  accoun  t,  when  the  piston  reaches  the  fluid  end  of  the 
cylinder,  the  pressure  will  decay  to  half  the  value  when  the  piston  was  at  the  GN2  end  (i.e.,  when  the 
circulation  pump  was  running).  Therefore,  the  circulation  pump  must  be  turned  on  before  the  pressure 
indicates  the  piston  has  reached  the  fluid  end.  An  additional  200  psi  is  added  to  account  for  transducer 
error  and  the  effect  of  the  ongoing  GN2  leak.  ©[070899-6879A] 

The  hydraulic  main  pump  requires  a  minimum  positive  pressure  of  15  psia  from  the  hydraulic 
reservoir  to  avoid  cavitation  during  startup.  The  reservoir  is  pressurized  by  the  accumulator  at  a 
41:1  ratio  (accumulator  to  reservoir).  Therefore,  accumulator  pressure  below  615  psia  (due  to  a 
GN2  leak )  will  result  in  reservoir  pressure  below  the  loss  limit  (reference  SODB,  vol.  I,  4.2.4. 3.h). 
Reference  Rule  {A10-51A}.5,  HYDRAULIC  LOSS  DEFINITIONS. 

The  bellows  accumulator  pressure  transducer  is  on  the  fluid  side.  Since  no  GN2  remains  when  the 
bellows  extends  all  the  way  to  the  GN2  end  of  the  cylinder  (unlike  with  the  piston  design),  the  GN2  leak 
signature  described  above  does  not  occur  (i.e.,  represses  will  continue  to  reach  the  expected  >2500  psia 
until  all  the  GN2  has  leaked).  Therefore,  it  is  not  possible  to  distinguish  between  a  fluid  and  a  GN2  leak 
prior  to  possibly  losing  the  system.  Due  to  this,  and  because  the  design  of  the  bellows  accumulator 
makes  a  GN2  leak  much  less  likely  than  with  the  piston  design,  a  leak  is  always  assumed  to  be  on  the 
fluid  side.  ®[070899-6879A] 
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A10-74  HYDRAULIC  CIRCULATION  PUMP  OPERATION  [CIL] 

(CONTINUED) 

2.  FOR  SUPPLEMENTARY  FREON  LOOP  COOLING  FOR  FES  FAILURES. 

The  circulation  pump  can  be  used  to  circulate  hydraulic  fluid  through  the  hydraulic  heat  exchanger  to 
remove  heat  from  the  orbiter  Freon  loops. 

3.  TO  PROVIDE  WARMING  FOR  HYDRAULIC  FLUID,  IF  REQUIRED, 
SHOULD  APU  START  BE  DELAYED  PAST  El  MINUS  13  MINUTES. 

The  hydraulic  fluid  is  warmed  before  entry  to  the  minimum  fluid  temperature  for  system  full  performance, 
which  is  35  deg  F.  This  is  normally  done  by  the  APU  at  nominal  startup  time.  If  APU  startup  is  delayed, 
the  circulation  pump  may  be  used  to  warm  the  hydraulic  fluid  until  APU  start.  This  is  done  to  assure  that 
the  hydraulic  fluid  will  be  warmed  to  35  deg  F  in  time  for  hydraulic  system  performance  (reference 
SODB,  vol.  I,  table  3.4.2.4-1.). 

4.  TO  MAINTAIN  HYDRAULIC  SYSTEM  COMPONENT  AND  LINE 
TEMPERATURES  WITHIN  THE  FOLLOWING  LIMITS:  ®[1 21 296-41 73B] 

COMPONENTS  AND  LINES  TEMPERATURE  LIMIT 

DOWNSTREAM  OF  BRAKE  ISOLATION  VALVES  ABOVE  -20  DEG  F  PRIOR  TO  LANDING 

ELEVON,  BODYFLAP,  AND  RUDDER/SPEEDBRAKE  -  40  DEG  F 

DOWNSTREAM  OF  LANDING  GEAR  EXTEND  ISOLATION  VALVE  NOT  APPLICABLE 
ALL  OTHERS  ABOVE  -4  DEG  F 


Hydraulic  fluid  viscocity  increases  at  low  temperatures.  Maintaining  the  fluid  above  -4  degrees  F  where 
practical  will  keep  fluid  viscosity  at  a  level  where  the  hydraulic  pumps  will  have  no  problem  pumping  the 
fluid.  Reference:  SODB,  vol.  /,  3. 4.2. 4-8.  ®[121 296-41 73B] 

Starting  the  circulation  pump  at  low  fluid  temperatures  will  result  in  a  longer  period  of  time  for  the 
pump  to  reach  operating  speed  and  may  adversely  affect  the  lifetime  of  a  pump.  ®[091 098-6554B] 

The  components  and  line  temperatures  downstream  of  all  the  brake  isolation  valves  should  be  above  -20 
degrees  F  prior  to  landing  due  to  brake  system  limitations.  The  -20  degrees  F  is  the  lower  limit  for  the 
brakes  for  degraded  performance  and  exceeding  that  may  result  in  a  delayed  release  from  a  brake  lockup 
condition.  Reference:  SODB,  vol.  I,  3. 4.2. 4-8.  ®[121 296-41 73B] 
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(CONTINUED) 


The  elevon  bodyflcip  and  rudder/speedbrake  components  typically  get  very  cold  on  orbit  due  to  the 
shading  effects  of  the  vertical  tail.  These  components  experience  highly  localized  temperature  excursions 
and  recover  immediately  as  soon  as  fluid  is  circulated.  There  are  no  adverse  effects  to  the  circulation 
pump  start-up  due  to  these  particular  cold  temperatures  so  these  components  have  lower  allowable 
temperatures.  ®[1 21 296-41 73B] 

Hydraulic  system  1  landing  gear  extend  isolation  valve  is  closed  during  all  flight  phases  (except  entry)  to 
protect  against  deploying  the  landing  gear  inadvertently.  Therefore,  system  1  hydraulic  components 
downstream  of  the  landing  gear  extend  isolation  valve  cannot  be  warmed  by  the  circulation  pump  on 
orbit  and  have  lower  allowable  temperatures.  ®[ED  ] 

5.  TO  CYCLE  MPS/TVC  ISOLATION  VALVES  OR  BRAKE  ISOLATION 
VALVES  WHILE  THE  APU  IS  NOT  RUNNING. 

The  valves  are  pressure-actuated,  requiring  a  minimum  of  100  psid  positive  pressure  to  operate. 
Therefore,  the  circulation  pump  is  required  to  supply  adequate  hydraulic  pressure  to  operate  the  valves 
when  the  APU’s  are  not  running. 

6.  TO  MAINTAIN  CIRCULATION  PUMP  BODY  AND  INLET 

TEMPERATURE  ABOVE  20  (20)  DEG  F  (EXCEPT  IN  POWER- 

CRITICAL  SITUATIONS)  .  ®[091 098-6554B]  @[062801-4522] 

Hydraulic  circulation  pump  starts  with  the  pump  body  temperature  between  240  and  -20  deg  F  were 
performed  during  testing.  Longer  than  nominal  starts  (>  I  second  to  attain  stable  operating  speed) 
occurred  at  0  deg  F,  and  nominal  starts  occurred  at  20  deg  F.  No  further  testing  was  performed  between 
these  two  temperatures,  so  the  20  deg  F  limit  was  conservatively  chosen  as  the  lower  limit.  Longer  starts 
produce  high  stress  on  the  circulation  pump  inverter/motor  transistors  and  possibly  limit  the  lifetime  of 
the  pump  (reference  SODB,  vol  I,  3.4.2.4.8b  and  table  3. 4.2. 4-1,  JSC-14860  Interned.  Note:  Hydraulic 
Circulation  Pump  Test,  July  1979).  There  was  a  concern  that  in  certain  attitudes  the  minimum  20  deg  F 
temperature  at  the  inlet  could  be  violated  while  the  thermal  control  temperatures  remained  above  the 
pump  ‘on’  limits.  Due  to  this  concern  and  the  inability  to  predict  temperatures  in  that  region,  circ pump 
inlet  temperature  measurements  were  added  (reference  CCB,  9/9/97).  @[062801-4522  ] 

The  value  used  in  this  rule  does  not  take  into  account  transducer  error.  The  circ  pump  body  temperature 
transducer  has  proven  reliable  in  accuracy,  and  the  hydraulic  community  has  signed  up  to  not  protecting 
for  transducer  error.  ®[091 098-6554B] 

7.  TO  GENERATE  WATER  FOR  ACTIVE  THERMAL  CONTROL  SYSTEM  USE. 

The  circulation  pumps  may  be  used  to  generate  water  through  consumption  of  fuel  cell  cryogenic  fuel. 
This  was  done  successfully  during  STS  61-C. 
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(CONTINUED) 


B.  CIRCULATION  PUMPS  WILL  NOT  BE  ALLOWED  TO  CYCLE  DURING 
PAYLOAD  DEPLOYMENT  WHEN  THE  DEPLOYMENT  MECHANISM  INVOLVES 
PYROTECHNICS  WHICH  ARE  POWERED  BY  THE  ORBITER.  FOR 
CONDITION  REQUIRING  CONTINUOUS  CIRCULATION  PUMP  OPERATION, 
THE  PUMPS  WILL  BE  PLACED  IN  THE  "ON"  POSITION  VICE  "GPC" 
(REFERENCE  THE  FLIGHT  RULES  ANNEX  FOR  OPERATING  CONSTRAINTS 
DURING  PAYLOAD  ACTIVITIES)  . 

The  startup  transien  t  of  a  circulation  pump  has  a  high  inrush  curren  t,  a  bus  voltage  drop  of  4  to  5  volts, 
and  considerable  EMI.  This  transient  is  only  present  for  less  than  1  second,  but  the  concern  is  that  the 
bus  voltage  spikes  or  EMI  could  trigger  any  armed  pyrotechnics  in  the  vicinity.  There  is  no  concern  with 
a  circulation  pump  that  is  already  running  at  the  start  of  these  types  of  payload  operations  -  only  the 
startup  transient  causes  problems.  Since  in  GPC  mode  the  pump  could  be  commanded  on  at  an 
inopportune  time  caused  by  the  failure  of  control  transducers  or  their  respective  MDM’s  or  DSC’s,  the 
GPC  position  will  not  be  allowed  during  these  operations. 

C.  A  CIRCULATION  PUMP  WILL  NOT  BE  STARTED  ON  A  MAIN  BUS  THAT 
POWERS  THE  PRIMARY  PAYLOAD  BUS  WHILE  A  PAYLOAD  IS  ACTIVATED 
AND  SENSITIVE  TO  CIRCULATION  PUMP  ACTIVATION,  EXCEPT  TO 
PREVENT  LOSS  OF  AN  APU/HYDRAULIC  SYSTEM  IF  REACTION  TIME  DID 
NOT  PERMIT  FOR  POWER  SOURCE  RECONFIGURATION. 


The  voltage  ripple  caused  by  the  startup  of  a  hydraulic  circulation  pump  may  be  greater  than  the 
payload  ICD  requiremen  ts.  Critical  orbiter  systems  take  precedence  over  payload  systems  if  those 
orbiter  systems  are  in  jeopardy. 

DOCUMENTATION:  ICD2- 19001,  NSTS  07700,  Volume  XIV,  Attachment  1. 
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(CONTINUED) 

D.  HYDRAULIC  THERMAL  CONDITIONING  SOFTWARE  WILL  NOT  BE  REQUIRED 
FOR  CONTINUING  ANY  FLIGHT  PHASE. 

For  loss  of  software  con  trol  of  the  hydraulic  circulation  pumps,  the  ground  controllers  will  be 
responsible  for  tracking  the  relevant  temperatures.  The  crew  will  then  control  the  circulation  pumps 
per  ground  instruction.  Since  these  actions  can  be  performed  manually,  there  will  be  no  constraints  to 
continuing  any  flight  phase. 

E.  A  CIRCULATION  PUMP  ON  A  HYDRAULIC  SYSTEM  WITH  A  NON- 

I SOLATABLE  LEAK  WILL  ONLY  BE  USED  FOR  HYDRAULIC 
ACCUMULATOR/RESERVOIR  PRESSURE  MANAGEMENT  AND  TO  MAINTAIN 
SYSTEM  COMPONENTS  AND  LINES  ABOVE  THEIR  MINIMUM  OPERATING 
TEMPERATURES.  THE  CIRCULATION  PUMP  WILL  NOT  BE  USED  FOR  FCS 
CHECKOUT  .  ©[072398-6686B] 

Circulation  pump  cycles  on  a  hydraulic  system  with  a  non-isolatable  leak  may  potentially  degrade  that 
system  or  possibly  decrease  the  available  run  tune  for  en  try.  Therefore,  the  use  of  this  circ  pump  should 
be  minimized.  It  is  acceptable  to  run  circ  pumps  for  accumulator/reservoir  pressure  management  to 
preclude  the  loss  of  that  hydraulic  system.  Additionally,  thermally  conditioning  this  particular  system  in 
order  to  protect  for  optimal  hydraulic  performance  is  not  warranted.  However,  a  better  trade-off  can  be 
made  by  keeping  the  system  only  minimally  conditioned  so  as  to  only  protect  for  minimum  performance. 

(Reference  SODB,  vol.  I,  table  3. 4.2. 4-1) 

Rule  (A10-29J,  FCS  CHECKOUT  APU  OPERATIONS  references  this  rule.  ©[072398-6686B] 
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A10-101  WSB  LOSS  DEFINITIONS 

A  WSB  IS  CONSIDERED  LOST  IF: 

A.  AN  N2  OR  H20  LEAK  IS  VIOLATING  CONSUMABLES  REDLINES  OR  N? 

REGULATOR  PRESSURE  <  19.0  (21.6)  PSIG  WITH  THE  SUPPLY 

VALVE  OPEN. 

If  consumables  (water  or  GN2)  tire  below  the  redline,  there  is  insufficient  water  supply  for  the  WSB  to 
provide  adequate  cooling  for  the  APU  or  hydraulic  fluid.  The  water  spray  bar  will  not  operate  properly 
at  pressures  <  19  psig;  thus,  there  will  be  inadequate  cooling  ( reference  SODB,  vol.  I,  3. 4. 2. 4.1  lb.). 

B.  UNABLE  TO  MAINTAIN  APU  LUBRICATION  OIL  RETURN  TEMPERATURE 

<  325  DEG  (310  DEG)  F  OR  HYDRAULIC  RESERVOIR  TEMPERATURE 

<  230  DEG (222  DEG)  F  WITH  CONTROLLER  A  OR  B . 

These  temperatures  are  the  SODB  (vol.  I,  3. 4.2. 4. Id  and  table  3.4.4. 3-1)  limits  on  these  fluids.  At  325 
deg  F,  lubrication  oil  breakdown  occurs  and  its  viscosity  becomes  unacceptable.  At  275  deg  F,  the  seals 
in  the  hydraulic  system  become  degraded  which  could  result  in  leaks.  Since  the  WSB  primary  purpose  is 
to  maintain  these  temperatures  within  limits,  its  failure  to  do  so  using  both  controllers  constitute  its  loss. 

C.  UNABLE  TO  MAINTAIN  H20  TANK  TEMPERATURES  <125  DEG  (118  DEG) 
F  OR  >  32  DEG  (39  DEG)  F. 

The  WSB  controllers  are  mounted  on  the  water  tank  which  serves  as  the  heat  sink  for  the  controllers. 
Temperatures  >  125  deg  F  may  cause  excessive  controller  temperatures  which  could  cause  controller 
failure  ( reference  SODB.  vol.  I,  table  3. 4.2. 4-1 ).  Temperatures  below  32  deg  F  will  allow  the  water  to 
freeze. 

D.  BOTH  STEAM  VENT  HEATERS  ARE  LOST. 

A  steam  vent  heater  is  required  prior  to  deorbit  APU  start  to  ensure  that  ice  does  not  plug  or  restrict  the 
steam  vent  orifice.  A  restricted  steam  vent  orifice  causes  excessive  boiler  core  pressure  and  may  result 
in  a  steam  vent  duct  rupture.  The  rupture  (large  orifice)  may  lead  to  a  boiler  spray  bar  freeze  up  and 
loss  of  lube  oil  cooling.  This  would  require  the  APU  to  be  shut  down  prior  to  Mach  1.  A  TAEM  start  of 
the  associated  APU  ensures  that  cooling  is  not  required  and  the  system  is  available  from  TAEM  to 
wheelstop.  @[021199-6814] 

Reference  Rules  {A10-23},  APU  ENTRY  START  TIME,  and  {A10-24},  APU  OIL/GEARBOX 
TEMPERA  TURE 7  PRESS  URE. 

NOTE:  LOSS  OF  WSB  RESULTS  IN  EVENTUAL  LOSS  OF  ITS  ASSOCIATED 

APU/HYDRAULIC  SYSTEM. 
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A10-121  WSB  CONFIGURATION 

THE  WSB  N2  SUPPLY  VALVE  WILL  BE  CLOSED  EXCEPT  IN  PREPARATION  FOR 
AND  DURING  APU  OPERATIONS. 

The  valve  provides  isolation  of  the  G/V2  tank.  If  a  leak  develops  downstream  of  the  valve,  keeping  it 
closed  will  preserve  the  GN2  until  needed  for  WSB  operation. 

A10-122  LOSS  OF  WSB(S)  ACTIONS 

A.  FOR  THE  LOSS  OF  A  SINGLE  WSB,  FLIGHT  WILL  CONTINUE  TO  NOMINAL 

EOM  .  @[041097-461  IB] 

The  WSB’s  are  essentially  quiescent  while  on  orbit.  Because  a  subsequent  failure  of  another 
APU/hydraulicAVSB  system  will  likely  only  occur  when  these  systems  are  operated  for  entry,  there 
are  no  significant  risks  to  continuing  the  flight  until  nominal  EOM. 

The  loss  of  a  WSB  system  does  not  indicate  the  immediate  loss  of  an  APU/hydraulic  system,  though  the 
APU  can  only  run  for  about  11  minutes  before  reaching  an  overtemperature  condition.  The  APU 
associated  with  the  lost  WSB  will  be  started  late  during  entry  to  support  landing  ( reference  Rule  {A10- 
23},  APU  ENTRY  START  TIME).  Assuming  the  other  two  APU/hydraulicAVSB  systems  are  good,  three 
APU/hydraulic  systems  will  be  available  to  support  the  latter  part  of  entry  and  landing.  @[041 097-461 1 B] 

B.  FOR  THE  LOSS  OF  TWO  WSB'S,  A  NEXT  PLS  ENTRY  WILL  BE 
PERFORMED.  IF  THE  FAILURE  OCCURS  ON  LAUNCH  DAY: 

1.  FOR  NONDEPLOYABLE  PAYLOAD  FLIGHTS,  A  FIRST  DAY  PLS  ENTRY 
WILL  BE  PERFORMED. 

THIS  RULE  CONTINUED  ON  NEXT  PAGE 
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A10-122  LOSS  OF  WSB(S)  ACTIONS  (CONTINUED) 

2.  FOR  DEPLOYABLE  PAYLOAD  FLIGHTS,  PAYLOAD  DEPLOY  AND/OR 

JETTISON  WILL  BE  SCHEDULED  TO  ALLOW  FOR  DEORBIT  ON  DAY  2. 

The  loss  of  a  WSB  system  does  not  indicate  the  immediate  loss  of  an  APU/hydraidic  system,  though  the 
APU  can  only  run  about  11  minutes  before  reaching  temperature  limits.  The  APU  associated  with  the 
lost  WSB  will  be  started  late  during  entry  to  support  landing  ( reference  Rule  {A10-23},  APU  ENTRY 
START  TIME).  Assuming  the  other  APU/hydraulicAVSB  systems  are  good,  three  APU /hydraulic  systems 
will  be  available  to  support  the  latter  part  of  entry  and  landing. 

For  the  loss  of  two  WSB’s,  entry  should  be  made  at  the  next  PLS  opportunity  after  deployable  payloads 
have  been  deployed.  It  is  desirable  to  deploy  the  payloads  since  this  will  improve  the  vehicle  capability 
to  maneuver  and  land  safely  if  an  APU  or  hydraulic  system  fails  during  entry.  Jettison  of  deployable 
payloads  that,  for  some  reason,  cannot  be  deployed  should  be  considered  as  a  means  of  last  resort  to 
improve  the  vehicle  entry  and  landing  capability. 

If  the  APU /hydraulic  system  not  associated  with  the  lost  WSB’s  fails  or  if  the  remaining  WSB  fails,  one 
of  the  APU /hydraulic  systems  with  limited  run  time  must  be  started.  Starts  and  restarts  of  both  limited 
lifetime  APU/hydraulic  systems  must  be  managed  to  allow  for  at  least  one  system  running  at  all  times. 
Accomplishing  this  may  be  an  impossible  task  if  the  good  APU/hydraulic  system  fails  at  the  worst 
possible  time,  i.  e. ,  prior  to  the  deorbit  burn.  A  next  PLS  entry  should  be  performed  for  the  loss  of  two 
WSB’s  in  order  to  minimize  the  amount  of  time  the  vehicle  is  exposed  to  the  next  failure  that  would 
result  in  the  orbiter  being  down  an  APU/hydraulic  system  and  two  water  spray  boilers. 

Rule  (A2-301J,  CONTINGENCY  ACTION  SUMMARY,  references  this  rule. 
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A10-141  NOSE  WHEEL  STEERING  (NWS) 

A.  NWS  IS  DEFINED  AS  "REQUIRED"  IF  IT  IS  NEEDED  TO  MAINTAIN 
DIRECTIONAL  CONTROL  DURING  ROLLOUT:  ®[1 02402-5804C] 

1.  FOR  RTLS/TAL/AOA  (KSC)  LANDINGS. 

2.  AT  ANY  LANDING  SITE  IF  THERE  ARE  KNOWN  DIRECTIONAL  CONTROL 
PROBLEMS  (MLG  OR  NLG  TIRE  PREDICTED  TO  BE  BELOW  THE  MINIMUM 
ACCEPTABLE  PRESSURE  AT  TOUCHDOWN,  UNCOMMANDED  BRAKE  PRESSURE, 
OR  PEAK  CROSSWINDS  ABOVE  THE  SURFACE  WIND  LIMITS) . 

EFFORTS  WILL  BE  TAKEN  TO  REGAIN  NWS  AS  SPECIFIED  IN  THE 
REFERENCED  FLIGHT  RULES. 

NWS  provides  the  most  effective  means  of  preventing  runway  departure  at  any  site  where  lateral  margins 
are  very  limited,  especially  if  a  subsequent  directional  control  problem  develops.  Ames  VMS  testing 
(July/August  1988,  May/June  1989)  demonstrated  that  differential  braking  and  rudder  inputs  may  not 
always  provide  adequate  directional  control  capability  when  directional  control  problems  are  known  to 
exist,  even  for  run  ways  with  wide  lateral  margins.  The  forward  position  of  the  nose  wheel  provides  a 
long  moment  arm  ( relative  to  the  vehicle  CG)for  very  effective  vehicle  steering.  Therefore,  NWS  can 
overcome  high  frictional  forces  that  may  develop  between  aflat  tire  and  a  runway  surface  and  also 
overcome  the  high  frictional  forces  caused  by  uncommanded  brake  pressure.  Moreover,  excessive 
energy  dissipated  through  differential  braking  can  lead  to  subsequent  loss  of  tire  pressure 
(overtemperature  of  fuse  plugs,  post  wheelstop).  In  all  cases,  NWS  is  much  more  effective  for  directional 
control  than  differential  braking.  ®[1 02402-5804C] 

THIS  RULE  CONTINUED  ON  NEXT  PAGE 
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A10-141  NOSE  WHEEL  STEERING  (NWS)  (CONTINUED) 

B.  NWS  WILL  BE  TURNED  OFF  FOR  ENTRY  IF,  DURING  THE  OPS  8 

CHECKOUT,  TWO  OF  THREE  STEERING  POSITION  TRANSDUCERS  DO  NOT 
INDICATE  -0.42  ±  0.31  VOLTS  (GROUND)  OR  0.0  ±  0.75  DEGREES 
(ONBOARD)  .  ®[1 02402-5804C] 

The  NWS  system  requires  at  least  two  good  steering  position  transducers  for  reliable  nose  wheel  position 
SOP  operation.  If  none  of  the  steering  position  transducers  have  been  comm  faulted  (all  three  inputs 
available),  the  nose  wheel  position  SOP  will  midvalue  select  from  the  three  position  transducer  values, 
regardless  of  their  failure  status.  If  one  transducer  is  failed  or  biased,  one  of  the  two  good  transducers 
will  always  yield  the  midvalue  of  the  three,  and  the  SOP  will  always  select  a  good  value.  If  two 
transducers  are  failed  or  biased,  one  of  these  two  may  yield  the  midvalue,  and  the  SOP  would  then  select 
cm  erroneous  value.  However,  Ames  VMS  data  (July/August  1988)  confirmed  that,  for  this  scenario,  the 
selected  value  will  exceed  the  nose  wheel  position  comparison  limits  when  compared  against  the  DAP- 
commanded  nose  wheel  position  and  rate.  The  nose  wheel  position  SOP  will  then  generate  a  nose  wheel 
position  error  and  downmode  to  castor.  ®[1 02402-5804C] 

C.  NWS  1  WILL  BE  USED  AS  THE  PRIMARY  MEANS  OF  DIRECTIONAL  CONTROL. 
IF  NWS  1  HAS  FAILED:  ®[1 02402-5804C] 

1.  BEFORE  NGTD :  NWS2  WILL  BE  SELECTED  AND  USED  AS  THE  MEANS 
OF  DIRECTIONAL  CONTROL. 

2.  POST-NGTD:  NWS 2  CAN  BE  SELECTED  AND  USED  AS  THE  MEANS  OF 
DIRECTIONAL  CONTROL. 

Although  both  NWS  I  and  NWS2  modes  of  nosewheel  steering  provide  identical  functions  and 
capabilities,  NWS1  provides  more  downlisted  system  status  parameters;  NWS1  is,  therefore,  preferred 
over  NWS2.  ®[1 02402-5804C] 

If  NWS  is  determined  to  be  failed  during  the  OPS  8  checkout  or  anytime  prior  to  nose  gear  touchdown 
(ground  speed  enable  flag  set  true),  selecting  NWS2  will  provide  the  best  alternative  for  rollou  t 
directional  control.  Ames  VMS  testing  (July/August  1988)  demonstrated  that  switching  NWS  modes 
during  rollout  was  an  effective  procedure,  particularly  for  MDM  hardover  failure  cases. 

However,  SAIL  testing  (April  1991)  demonstrated  that  for  certain  scenarios  where  the  NWS  1  channel 
downmoded  to  free  castor  (post-NGTD),  the  NWS  system  did  not  recover  after  selecting  NWS2.  In 
these  cases,  the  NWS2  channel  was  selected  coincident  with  a  large  rudder  pedal  command  (DR 
100737  and  106206).  The  NWS  system  was  never  perceived  to  have  recovered  as  it  downmoded  to 
castor  unnoticeably  240  milliseconds  after  selection.  Although  the  NWS  software  may  not  recover  if 
the  alternate  NWS  channel  is  selected  on  rollout,  NWS2  can  still  be  safely  selected  post-NGTD  and 
is  likely  to  regain  control  if  a  large  rudder  pedal  input  is  not  presen  t  at  selection.  ®[1 02402-5804C] 
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A10-141  NOSE  WHEEL  STEERING  (NWS)  (CONTINUED) 

D.  NWS  WILL  BE  TURNED  OFF  FOR  LOSS  OF  ANY  OF  THE  FOLLOWING, 

UNLESS  NWS  IS  REQUIRED:  ®[1 02402-5804C] 

1 .  TWO  LATERAL  AA'  S 

2.  TWO  LEFT  OR  TWO  RIGHT  RPTA  CHANNELS 

3.  RIGHT  DDU  (TWO  POWER  SUPPLIES  -  A,  B,  OR  C) 

4.  TWO  STEERING  POSITION  TRANSDUCERS  ®[1 02402-5804C] 

Once  two  lateral  AA’s  or  RPTA’ s  have  failed,  there  are  potential  vehicle  control  risks  if  NWS  is  selected. 

A  hardover  or  high  bias  of  one  of  these  remaining  componen  ts  could  result  in  loss  of  vehicle  control. 

For  runways  with  wide  lateral  margins,  where  differential  braking  and  rudder  inputs  can  provide 
adequate  vehicle  control,  the  use  of  NWS  is  not  warranted  at  the  risk  of  a  third  AA  or  RPTA  failure, 
provided  there  are  no  known  directional  control  problems.  However,  for  abort  landing  sites  (without 
wide  lateral  margins),  the  risk  of  runway  departure  due  to  a  subsequen  t  directional  control  problem 
outweighs  the  potential  for  a  third  AA  or  RPTA  failure  during  the  small  window  of  rollout,  and  NWS 
should  be  selected. 

Results  of  a  NWS  test  matrix  performed  using  the  NASA  Ames  VMS  in  May/ June  1991  indicate  that 
vehicle  control  can  be  difficult  to  nonrecoverable  after  a  third  AA  or  RPTA  hardover  failure  has 
occurred  (Cooper/Harper  ratings  from  5  to  10).  The  matrix  also  demonstrated  that,  although  landing 
with  a  known  directional  control  problem  (failed  tire)  without  NWS  is  unsatisfactory  (Cooper/Harper 
ratings  between  5  and  8),  this  condition  is  sometimes  con  trollable.  Again,  the  risk  of  run  way  departure 
due  to  a  known  directional  con  trol  problem  ou  tweighs  the  poten  tial  for  a  third  AA  or  RPTA  failure 
during  rollout,  and  NWS  should  be  selected.  ®[1 02402-5804C] 

Rules  (A2-254CJ.1,  ENTRY  STRING  REASSIGNMENT;  (A2-261J,  ENTRY DTO/AUTO 
MODE/CROSSWIND  DTO  GO/NO  GO;  {A2-301J,  CONTINGENCY  ACTION  SUMMARY;  {A7-/02C/8, 
PASS  DATA  BUS  ASSIGNMENT  CRITERIA;  { A10-22E  and  Fj,  APU  START/RESTART  LIMITS;  {A10-24B}, 
APU  OIL/GEARBOX  TEMPERATURE/PRESSURE;  (A10-25D),  APU  HIGH  SPEED  SELECTION/SHIFT; 
{A10-71},  HYDRAULIC  SYSTEM  CONFIGURATION;  {A10-72BJ,  HYDRAULIC  LEAKS;  (A10-142J,  TIRE 
PRESSURE  [CIL];  and  { A10-145 },  UNCOMMANDED  BRAKE  PRESSURE,  reference  this  rule. 

®[1 11 094-1 622B] 
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A10-142  TIRE  PRESSURE  [CIL] 

A.  THERMAL  EFFECTS: 

THE  ORBITER  ATTITUDE  WILL  BE  MANAGED  TO  THERMALLY  CONDITION 

THE  TIRES  TO  MAINTAIN  ACCEPTABLE  PRESSURES  AND  TEMPERATURES 

FOR  LANDING.  THE  FOLLOWING  CONSTRAINTS  APPLY:  ®[041097-4009E] 

1.  FOR  NEOM  LANDING  AND  EXTENSION  DAYS,  MAIN  LANDING  GEAR 
TIRE  PRESSURE  WILL  BE  MAINTAINED  ABOVE  THE  MINIMUM 
PRESSURE  DERIVED  FROM  THE  NEOM/ EXTENSION  DAY  PLOTS  (+2 
PSI  UNCERTAINTY) . 

2.  DURING  THE  FLIGHT,  WHEN  PAYLOAD  ACTIVITIES  ALLOW,  MAIN 
LANDING  GEAR  TIRE  PRESSURE  WILL  BE  MAINTAINED  ABOVE  THE 
MINIMUM  TIRE  PRESSURE  DERIVED  FROM  THE  NEOM/EXTENS ION  DAY 
PLOTS  (+2  PSI  UNCERTAINTY)  (OR  AS  HIGH  AS  PRACTICAL  IF 
THE  LIMIT  CANNOT  BE  MET) . 

3.  AT  ALL  TIMES  DURING  THE  FLIGHT,  MAIN  LANDING  GEAR  TIRE 
PRESSURE  WILL  BE  MAINTAINED  ABOVE  THE  MINIMUM  PRESSURE 
DERIVED  FROM  THE  ANYTIME  DEORBIT  CONCRETE  (+2  PSI 
UNCERTAINTY)  PLOTS.  EXCEPTIONS  TO  THIS  RULE  WILL  BE 
DOCUMENTED  IN  THE  FLIGHT-SPECIFIC  ANNEX. 

4.  FOR  A  DEORBIT  PRIOR  TO  NEOM,  ALL  REASONABLE  EFFORTS  WILL 
BE  MADE  TO  SATISFY  THE  EOM  REQUIREMENT.  IN  THE  EVENT  THE 
NEOM  MINIMUM  TIRE  PRESSURE  CANNOT  BE  MET  (I.E.,  EMERGENCY 
DEORBIT) ,  THEN  DRAG  CHUTE  DEPLOY  MAY  BE  USED  TO  REDUCE 
TIRE  LOADS.  @[050495-1771 B] 

5.  TIRE  TEMPERATURE  WILL  BE  MAINTAINED  ABOVE  THE  MINIMUM 

OPERATIONAL  TEMPERATURE  OF  -45  (-43)  DEG  F.  ©[111298-6764A] 

Depending  on  the  orbiter  attitude,  main  gear  tire  temperatures  are  typically  between  0  to  30  deg  F  while 
on  orbit  (some  flights  have  seen  temperatures  as  low  as  -25  deg  F).  Since  the  tires  are  very  good 
insulators  arid  require  significant  time  to  warm  up,  there  is  no  significant  change  in  tire  pressure  from 
TIG  to  landing.  The  nose  gear  tires  have  never  required  thermal  conditioning.  ®[1 1 1298-6764A] 

Michelin  Aircraft  Tire  Corporation  completed  a  Delta  Certification  for  the  Space  Shuttle  Orbiter  Main 
Landing  Gear  Tire  on  August  20,  1998  ( reference  CR  #  26-194-0007 -0005B),  verifying  that  the  tire  is 
capable  of  operating  at  a  temperature  of  -45  deg  F  (previous  certification  limit  was  -35  deg  F).  The 
tire  demonstrated  the  ability  to  maintain  air  reten  tion  after  being  subjected  to  four  landing  load  tests 
at  -45  deg  F.  ®[1 1 1 298-6764A] 

THIS  RULE  CONTINUED  ON  NEXT  PAGE 
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A10-142  TIRE  PRESSURE  [CIL]  (CONTINUED) 

Protecting  the  -45  deg  F  thermal  limit  is  required  in  order  to  ensure  emergency  deorbit  capability,  since 
there  would  be  no  time  to  thermally  condition  the  tires  in  cm  emergency  deorbit  timeline.  ( Reference 
SODB,  vol.  I,  table  3.4.2. 1-1.)  ©[050495-1771B]  ©[041097-4009E]  ®[1 1 1298-6764A] 

Past  flight  experience  and  thermal  analysis  show  that,  after  going  to  a  bottom  Sun  attitude,  it  is  typically 
4  to  5  hours  before  any  increase  is  seen  in  the  wheel  wells  due  to  thermal  inertia.  Once  this  occurs,  the 
temperature  typically  goes  up  1  deg  per  hour  which  results  in  a  pressure  increase  of  approximately  0.77 
psi  per  hour.  (Reference  AEFTP  #91,  July  17,  1992.)  ®[041 097-4009E] 

In  order  to  avoid  significant  payload  impact,  the  limits  for  anytime  deorbit  which  do  not  include  the 
undispersed  limit  (nominal  load  for  given  mass  properties  without  RSS’d  performance  dispersions 
added)  will  be  used.  This  is  acceptable  due  to  the  unlikely  event  of  cm  anytime  deorbit,  the  availability  of 
drag  chute  deploy,  and  the  additional  capability  of  the  tire/strut  shown  in  off-nomincd  testing.  In  the 
event  of  deorbit  earlier  than  NEOM,  all  reasonable  attempts  will  be  made  to  meet  the  dispersed  limits 
( i.  e. ,  MDF  or  next  PLS  with  deorbit  the  following  day  should  cdlow  sufficien  t  time  to  condition  the  tires). 
@[050495-1771 B] 

Tire  load  capability  and  thereby  minimum  tire  pressure  allowed  depend  greatly  on  the  maximum  load 
conditions  that  the  tires  may  encoun  ter.  The  maximum  load  is  a  function  of  several  parameters 
primarily  associated  with  the  initiation  of  the  derotcition  maneuver  post-main  gear  touchdown.  Orbiter 
mass  properties  (total  weight  and  X  center  of  gravity)  are  significant  factors  in  the  maximum  tire 
loading.  The  other  factors  which  significantly  affect  tire  loading  are  controlled  by  crew  procedures 
which  affect  the  derotation  maneuver,  especially  in  the  first  second  or  two  of  the  initiation  of 
derotcition.  These  procedures  are  documented  in  the  Flight  Procedures  Handbook;  Approach, 

Landing,  and  Rollout,  JSC-23266,  Section  5. 3. 6. 7.  Among  these  crew  procedure  controlled 
parameters  are  the  indicated  airspeed  at  which  derotation  is  initiated.  This  is  a  significant  factor  in 
the  maximum  load  that  the  tires  will  experience.  Crew  technique  to  initiate  derotation  is  to  wait  for  cm 
indicated  185  KEAS  and  perform  a  beep  trim  derotcition.  Errors  in  display  plus  some  allowance  for 
human  factors  lead  to  a  maximum  dispersion  on  the  high  side  of  195  KEAS  actual  for  a  dispersed 
initiation  of  derotcition.  Lower  airspeeds  lead  to  significantly  lower  main  gear  loads  but  increase  the 
nose  gear  load  at  slapdown.  Lcikebed  runways  have  significantly  higher  loads  on  the  nose  gear.  The 
same  10-KEAS  error  applies  to  lcikebed  runway  derotcition  as  well  as  to  concrete  runway  derotcition. 

The  second  parameter  affecting  main  gear  maximum  loads  that  is  controlled  by  crew  procedure  is  the 
derotcition  rate  that  is  established  by  the  crew  in  the  initial  part  of  the  derotcition  for  a  manual 
derotcition.  This  should  not  be  confused  with  the  overall  or  average  derotcition  rate  for  the  en  tire 
maneuver  since  quite  high  rates  can  be  achieved  after  theta  =  0  degree.  Nor  should  this  rate  be 
confused  with  the  actual  rate  the  vehicle  achieves  in  the  initial  few  seconds  of  derotation.  Ames  VMS 
sims  (and  flight  data)  have  consistently  shown  that  the  average  rate  achieved  in  the  initial  derotation  is 
on  the  order  of  0.7  to  0.8  deg/sec.  For  simplicity,  the  analysis  assumes  the  derotcition  rate  of  1.0 
deg/sec  and  includes  dispersions  to  1.5  deg/sec.  In  some  few  very  dispersed  cases,  an  early  rate  of 
nearly  2.0  deg/sec  was  accomplished  but  this  took  significantly  longer  than  the  1. 0-second  time  (next 
parameter)  to  achieve.  The  third  important  parameter  affected  by  crew  procedural  control  is  the  speed 
with  which  the  derotcition  rate  is  achieved.  A  rapid  or  jerky  rate  can  lead  to  tire  “bounce”  with  greatly 
increased  ( though  oscillating)  loads.  Crew  procedures  specifically  call  for  the  rate  to  be  put  in 
smoothly  over  a  1-  to  2-second  interval.  Ames  VMS  studies  (and  flight  data)  show  that  the  average 
time  for  rate  buildup  is  1  second  with  the  most  dispersed  times  being  0.5  second.  When  initial  studies 
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were  done  with  the  maximum  dispersions  (185  KEAS  derotation ,  2.0  deg/sec,  0.5  second  ramp  input 
time),  the  loads  exceed  the  tire  capability  at  nominal  (launch)  pressures.  Further  examination  of  the 
Ames  VMS  data  (and  flight  data)  shows  that  the  combination  of  high  rate  (over  1  deg/sec)  and  short 
input  time  (less  than  1  second)  never  occurs.  The  1  deg/sec  with  0.5  second  input  time  represents  a 
worst  case  combination  from  the  load  standpoin  t.  Therefore,  this  was  chosen  as  the  dispersed  case 
(the  other  option,  2  deg/sec  with  1  second  ramp  time  yielded  significantly  lower  loads).  This  is  why  the 
table  in  this  rule  shows  the  command  initiation  time  to  be  1.0  second  with  -0.5  second  dispersion. 

Other  combinations  of  dispersions  may  be  postulated,  but  all  real-world  possible  combinations  result 
in  lower  mean  gear  loads.  @[050495-1771 B] 

Interpolation  for  different  orbiter  weights  on  the  tire  plots  is  allowed  between  185,000  pounds  and 
248,000  pounds.  Extrapolation  below  185,000  pounds  on  the  tire  plots  is  not  allowed.  If  vehicle  landing 
weight  is  less  than  185,000  pounds,  either  mission-specific  analysis  is  required  or  use  the  185,000  pound 
line  at  the  proper  CG.  If  vehicle  mass  properties  are  otherwise  off  the  chart  (landing  weight  above 
248,000  pounds,  CG  forward  of  1076  or  aft  of  1111.0  -  which  is  a  contingency  case),  specific  analysis  is 
requ  ired.  The  forward  CG  limit  of  1075.2  inches  is  for  Mach  3.5  and  not  touchdown.  Gear  deploy  causes 
the  CG  to  shift  AFT  and  therefore  the  carpet  plots  were  only  derived  to  1076  inches.  @[050495-1 771 B] 
@[091098-6713] 

All  plots  use  the  following  nominal  and  dispersed  pitchover  command  parameters  for  main  gear 
rollout  assessments  shown  below  and  are  taken  from  the  SODB  (reference  SODB,  vol.  V,  sec.  4.3  and 
Rule  { A2-206 },  DEROTATION  SPEED.)  Current  derotation  is  at  185  KEAS  using  beep  trim.  The 
minimum  loads  and  tire  pressures  for  185  KEAS  beep  trim  and  175  KEAS  manual  derotation  are 
protected  by  the  185  manual  derotation  plots.  The  185  KEAS  beep  trim  and  175  KEAS  manual 
derotation  plots  are  not  shown  here  but  are  in  SODB,  vol  V.,  sec.  4.3.3.  @[050495-1771 B] 


Parameter 

Value 

Nominal  Dispersion 

Derotation  speed 

?  Concrete 

?  Lcikebed 

185  KEAS 

185  KEAS 

+10  KEAS 
+10  KEAS 

Command  initiation  time 

1.0  sec 

-0.5  sec 

Pitch  command  rate  * 

-1.0  deg/sec 

-0.5  deg/sec 

Crosswind 

15  knots 

+5  knots 

@[050495-1771 B] 


•  This  is  RHC  commanded  rate  being  fed  into  the  system. 

Since  derotation  rate  increases  during  derotation,  actual  pitch  rate  at  slapdown  would  be  of  a  high 
magnitude. 
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01-26  Nominal  Orbiter  Main  Gear  Tire  Pressures 
Contingency  De-Orbit  Mission  Planning  Assessments  -  Concrete  Runways 
Contingency  Abort  &  Emergency  Landings  (Nominal  Vderotate  @185  keas) 
Orbiter  X-c.g.  With  Gear  Deployed 


1090  1095  1100 

ORBITER  X-c.g.  (INCHES) 


@[091098-6713] 

Contingency  Minimum  Orbiter  Main  Gear  Tire  Pressure  -  Concrete  -  Derotation 

Initiation  at  185  KEAS 

FIGURE  A10-142-I  -  ANYTIME  DEORBIT  (CONCRETE  RUNWAY) 
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01-26  Nominal  Orbiter  Main  Gear  Tire  Pressures 
Contingency  De-Orbit  Mission  Planning  Assessments  -  Lakebed  Runways 
Contingency  Abort  &  Emergency  Landings  (Nominal  Vderotate  @185  keas) 
Orbiter  X-cg  With  Gear  Deployed 


Weight  (klbs) 


—♦—225 

—=—195 
-  -  -  MM  1 .4 
MM  1.55 


ORBrTERX-c.g.  (INCHES) 


@[091098-6713] 

Contingency  Minimum  Orbiter  Main  Gear  Tire  Pressure  -  Lakebed  -  Derotation 

Initiation  at  185  KEAS 

Orbiter  Landing  Weights  Greater  Than  225  KLBS  Require  Separate  Evaluation 


FIGURE  A10— 142— II  -  ANYTIME  DEORBIT  (LAKEBED  RUNWAY) 
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01-26  Minimum  Orbiter  Main  Gear  Tire  Pressure 
Mission  Planning  Assessments  -  Concrete  Runways 
All  Normal  &  Intact  Abort  Landings  (Nominal  Vderotate  @185  keas) 
Orbiter  X-c.g.  With  Gear  Deployed 


Weight  (klbs) 


— X— 

248 

240 

— a— 

233 

225 

-O— 

217 

-m- 

211 

— a— 

207 

-o— 

195 

185 

1090  1095  1100 

ORBfTER  X-c.g.  (INCHES) 


@[091098-6713] 

Minimum  Orbiter  Main  Gear  Tire  Pressure  -  Concrete  -  Derotation  Initiation  at  185 

KEAS 


FIGURE  A10— 142— III  -  NOMINAL/EXTENSION  DAY  (CONCRETE  RUNWAY) 
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01-26  Minimum  Orbiter  Main  Gear  Tire  Pressure 
Mission  Planning  Assessments  -  Lakebed  Runways 
All  Normal  &  Intact  Abort  Landings  (Nominal  Vderotate  @185  keas) 
Orbiter  X-cg  With  Gear  Deployed 


:  Weight  (klbs) 


—•—225 

—0—195 
-  -  -  MM  1.4 
MM  1.55 


1090  1095  1100 

ORBfTER  X-c.g.  (INCHES) 


@[091098-6713] 

Minimum  Orbiter  Main  Gear  Tire  Pressure  -  Lakebed  -  Derotation  Initiation  at  185  KEAS 
Orbiter  Landing  Weights  Greater  Than  225  KLBS  Require  Separate  Evaluation 


FIGURE  A10— 142— IV  -  NOMINAL/EXTENSION  DAY  (LAKEBED  RUNWAY) 
THIS  RULE  CONTINUED  ON  NEXT  PAGE 


VOLUME  A  06/20/02  FINAL  MECHANICAL  10-69 

Verify  that  this  is  the  correct  version  before  use. 


NASA  -  JOHNSON  SPACE  CENTER 


FLIGHT  RULES 


A10-142  TIRE  PRESSURE  [CIL]  (CONTINUED) 

B.  LEAKING/FLAT  TIRE: 

1.  A  TIRE  LEAK  IS  DEFINED  AS  A  DECREASE  IN  A  TIRE'S 

PRESSURE  MEASUREMENTS  THAT  IS  INCONSISTENT  WITH  CHANGES 
IN  PRESSURE  OF  THE  OTHER  TIRES  AND  CANNOT  BE  EXPLAINED 
BY  INSTRUMENTATION  INACCURACY/FAILURE  OR  VARIATIONS  IN 
TEMPERATURE  .  ®[041097-4009E] 

2.  LOSS  OF  TIRE  PRESSURE  INSTRUMENTATION  WILL  NOT  BE  CAUSE 
FOR  EARLY  MISSION  TERMINATION. 

3.  FOR  A  LEAKING  TIRE,  IF  THE  AFFECTED  TIRE  PRESSURE  CAN  BE 

MAINTAINED  >  260  (262)  PSIG/275  (277)  PSIA  AT  THE  LANDING 

TIME  FOR  THE  NEXT  PLS  PLUS  2  EXTENSION  DAYS,  PLANNED  ON- 
ORBIT  ACTIVITIES  MAY  CONTINUE.  OTHERWISE,  DEORBIT  WILL 
BE  SCHEDULED  AT  THE  NEXT  PLS  OPPORTUNITY.  PAYLOADS  MAY 
BE  DEPLOYED/ JETTISONED  PRIOR  TO  ENTRY  IN  ORDER  TO 
DECREASE  TIRE  LOADS.  [CIL] 

4.  FOR  A  LEAKING  MAIN  GEAR  TIRE,  A  LANDING  WITH  A 
CROSSWIND  FROM  THE  SIDE  OF  THE  AFFECTED  TIRE  IS 
HIGHLY  DESIRABLE. 

Since  tire  pressure  is  greatly  dependent  upon  temperature,  a  leak  cannot  be  confirmed  unless  there  is 
a  sustained  unexpected  decay  in  both  the  actual  and  temperature-corrected  pressure  measuremen  ts 
on  a  tire.  The  loss  of  both  pressure  measuremen  ts  will  not  be  cause  to  declare  a  leaking/flat  tire. 

The  2  psi  transducer  error  is  based  on  the  ability  to  compare  the  TPDMS  system  to  KSC  mechanical 
gauge  readings  (0.1  percent  accuracy )  prelaunch  and  to  eliminate  the  measurement  scatter.  The 
remaining  2  psi  error  includes  the  KSC  mechanical  gauge  error  and  scatter  seen  prelaunch  in  the 
TPDMS  pressure  readings  due  to  variations  in  temperature. 

If  a  leaking  condition  is  confirmed  in  a  main  or  nose  gear  tire,  the  load-carrying  capability  of  that  tire  is 
reduced.  The  main  gear  and  nose  gear  values  were  derived  from  Convair  990  low  pressure  testing  which 
simulated  a  248K  vehicle  landing  at  225  knots  in  a  15  knot  crosswind  for  the  mains  (20  knot  crosswind 
for  the  nose  tires)  and  showed  a  low  pressure  tire  could  sustain  a  heavy  load.  Neither  mean  or  nose  gear 
tire  failed  at  the  lowest  pressures  tested  on  Convair.  The  flat  tire  limit  was  derived  from  this  lowest 
pressure  tested  (235  psig/250  psia)  with  10  percent  added  for  safety.  The  good  main  gear  tire,  355  psia, 
received  62  percent  of  the  strut  load  (162. 5K  peak  vert,  load )  while  the  flat  tire,  250  psia,  received  48 
percent  (123. 5K)  of  the  load  (Convair  flight  tests  121/122).  The  161. 5K  peak  load  tested  exceeds  the  tire 
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certification  of  142.5  klbs.  The  CV-990  test  demonstrated  additional  vertical  load  capability  by  reducing 
the  crosswind  to  15  knots.  The  good  nose  gear  tire,  325  psia,  received  61  percent  of  the  strut  load 
(55. OK  peak  vert.  load)  while  the  flat  nose  tire,  250  psia,  received  49  percent  (46.3  percent  of  the  load. 
(Convair  flight  tests  145/150).  (Ref.  Dryden  Test  Report,  August  1995:  Landing  System  Research 
Aircraft  Low  Pressure  Stress  Test  Flights.)  Reference  SODB.  vol.  I,  3.4.2. 1.  ®[041097-4009E] 

The  intent  of  a  nominal  drag  chute  deploy  is  to  achieve  disreef just  prior  to  NGTD  (reference 
Ascent/Entry  Flight  Techniques  Panel  #104).  In  the  event  of  a  leaking/flat  tire,  by  minimizing  MLG 
loads  there  is  a  possibility  that  the  good  tire  on  that  strut  will  not  fail.  Ames  (6/93)  data  indicates  that 
mean  landing  gear  loads  are  minimized  (decreased  by  up  to  17  percent)  by  obtaining  disreef  just  before 
NGTD.  Flight  data  and  testing  at  Ames  (1/96)  show  that  to  ensure  disreef  prior  to  NGTD,  the  chute 
should  be  deployed  10  knots  prior  to  derotation.  Deploy  will  be  performed  regardless  of  the  status  of 
SSME  repositioning  (reference  Rule  { A10-143J ,  DRAG  CHUTE  DEPLOY  TECHNIQUES).  @[041097- 

4009E] 

Rule  {A10-143},  DRAG  CHUTE  DEPLOY  TECHNIQUES  references  this  rule.  ®[111094-1690B] 

Requiring  the  tire  pressure  to  support  2  additional  days  maintains  tire  capability  should  a  deorbit 
wciveojf  or  bad  weather  occur  to  prevent  landing  on  the  desired  PLS  opportunity  (protects  for  one 
additional  PLS  landing  opportunity).  Because  load-carrying  capability  of  the  tire  is  reduced  if  tire 
pressure  is  degraded,  deploy  or  jettison  of  the  payload  is  desired,  if  accomplishable,  so  that  orbiter 
landing  weight  and  tire  loading  may  be  reduced,  increasing  the  possibility  of  tire  survival.  The  one 
additional  PLS  landing  opportunity  should  not  be  sacrificed  in  order  to  avoid  an  early  payload  deploy  or 
jettison,  if  applicable. 

Landing  with  a  crosswind  from  the  side  of  the  affected  main  gear  tire  is  highly  desirable  because  landing 
loads  on  the  adjacent  tire  and  strut  will  be  less  than  those  encoun  tered  on  the  leeward  side  of  the  vehicle, 
thereby  decreasing  the  possibility  of  a  second  failed  tire  on  the  same  strut.  If  such  a  tradeoff  is  necessary, 
a  higher  priority  should  be  placed  on  choosing  a  landing  with  the  crosswind  from  the  side  of  the  affected 
mean  gear  tire  over  considerations  due  to  head  winds  or  teal  winds.  Minimizing  the  tailwind  component  is 
a  secondary  priority.  Vehicle  ground  speed  increases  with  increasing  tail  winds.  A  higher  ground  speed 
decreases  vehicle  con  trollability,  especially  in  the  presence  of  directional  con  trol  problems  such  as  a  tire 
failure.  Though  a  lower  ground  speed  is  desirable,  a  beneficial  crosswind  component  is  the  highest 
priority  in  order  to  reduce  the  possibility  of  a  second  tire  failure.  ®[041097-4009E] 

Rule  { A2-207J ,  LANDING  SITE  SELECTION,  references  this  rule. 
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A10-143  DRAG  CHUTE  DEPLOY  TECHNIQUES 

A.  NOMINAL  DEPLOY:  DRAG  CHUTE  DEPLOY  WILL  BE  PERFORMED  POST 
MGTD  AT  195  KNOTS.  THE  FOLLOWING  EXCEPTIONS  APPLY: 

The  intent  of  a  nominal  drag  chute  deploy  is  to  achieve  disreef  just  prior  to  NGTD.  Flight  data  and 
testing  at  Ames  (1/96  and  7/96)  show  that,  to  ensure  disreef  prior  to  NGTD,  the  chute  should  be  deployed 
10  knots  prior  to  derotation.  Results  from  DTO  521  ( Drag  Chute  System)  show  that  a  chute  deploy  after 
the  derotation  rate  is  established  results  in  a  disreef  immediately  after  NGTD.  Ames  (2/93)  data  shows 
that  the  vehicle  sensitivity  to  lateral  excursions  is  a  function  of  how  long  the  orbiter’s  nose  is  in  the  air 
after  chute  disreef,  due  to  the  limited  ability  of  the  rudder  to  compensate  for  large  yawing  moments. 

STS-47  chute  disreef  occurred  approximately  2  seconds  prior  to  NGTD,  which  resulted  in  a  40  ft  lateral 
excursion  off  the  runway  centerline  and  subsequent  redesign  of  the  drag  chute  (5  ribbons  were  removed 
to  improve  chute  stability).  Ames  (  1/96,  7/96,  and  1/97)  data  shows  that  deploying  the  chute  10  knots 
prior  to  the  initiation  of  derotation  is  a  safe  technique  for  all  vehicle  mass  moment  cases  with  regard  to 
nose  gear  slapdown  limits  and  lateral  excursions.  The  delta  between  chute  deploy  speed  and  the  speed  at 
the  initiation  of  derotation  should  be  no  greater  than  10  knots  to  prevent  lateral  control  position  and 
rate  saturation  from  occurring ,  particularly  with  crosswinds  >  10  knots  with  a  lightweight  vehicle.  A 
nominal  deploy  alleviates  the  concern  of  objectionable  vehicle  performance  which  may  occur  if  disreef 
occurs  significantly  prior  to  NGTD  (ref.  Ascent/Entry  Flight  Techniques  Panel  #97,  #104).  Flight 
experience)  supports  these  conclusions.  ®[041 097-4890A] 

1.  EARLY  DEPLOY:  DRAG  CHUTE  DEPLOY  MAY  BE  PERFORMED  BETWEEN 
MGTD  AND  THE  NOMINAL  DEPLOY  TIME  ONLY  FOR  INSUFFICIENT 
ROLLOUT  MARGIN.  ®[041097-4890A] 

Maximum  deceleration  benefits  from  the  drag  chute  are  obtained  when  the  drag  chute  is  deployed  as 
early  as  possible.  A  chute  deploy  at  MGTD  provides  approximately  an  additional  1000 ft  of  rollout 
margin  over  a  nominal  deploy  (ref.  Ames  Pilot  Report  dated  4/93). 

Adequate  braking  capability  is  determined  based  on  brake  energy  predictions,  rollout  margin,  and 
landing  conditions  of  the  day  (reference  Rule  {A4-108},  TIRE  SPEED,  BRAKING,  AND  ROLLOUT 
REQUIREMENTS).  An  analysis  performed  by  Flight  Design  &  Dynamics  (10/92)  indicated  that  for 
adequate  control  and  stopping  distance,  ?  37.5  percent  brakes  are  required  without  NWS,  and  that  ?  25 
percent  brakes  are  required  with  NWS  (for  all  landing  sites).  This  analysis  assumed  15  kt  crosswinds 
and  no  drag  chute,  and  looked  at  brake  torque  only.  The  rollout  margin  predictions  made  from  real-time 
trajectory  simulations  must  satisfy  flight  Rule  {A4-108},  TIRE  SPEED,  BRAKING,  AND  ROLLOUT 
REQUIREMENTS,  specified  minimums  to  make  a  runway  GO.  These  simulations  do  not  include  the 
effects  of  the  drag  chute.  After  committing  to  a  landing  site,  if  a  braking/deceleration  system  partially  or 
totally  fails  or  TD  energy  is  unexpectedly  high,  an  early  drag  chute  deploy  is  allowed  to  provide 
additional  rollout  margin  protection. 

Ames  data  from  2/94  indicated  that  early  deploys  with  vehicle  mass  moments  >  1.80  x  1 06  ft -lb  may  violate 
NLG  slapdown  limits  (6  percent  of  the  VMS  runs).  Ames  testing  performed  in  1993,  1994,  and  1997  has 
shown  that  strut  loads  and  handling  qualities  are  acceptable  with  all  vehicle  mass  moments.  ®[041 097-4890A] 
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2.  LATE  DEPLOY:  DRAG  CHUTE  DEPLOY  WILL  BE  PERFORMED  AFTER 
NGTD  FOR  A  LOW  ENERGY  LANDING.  ®[1 11 094-1 690B] 

Ames  data  shows  a  late  deploy  is  required  because ,  after  drag  chute  deployment  during  a  low  energy 
landing ,  deceleration  happens  so  quickly  that  trailing  edge  “up”  saturation  occurs,  and  it  is  difficult  to 
con  trol  derotation  precisely.  These  factors  cause  high  pitchdown  rates  and  excessive  NLG  strut  loads. 
Late  deployment  of  the  chute  still  allows  some  of  the  benefits  of  the  chute  to  be  retained. 

B.  EMERGENCY  DEPLOY:  DRAG  CHUTE  DEPLOY  WITH  SSME  REPOSITIONING 
INCOMPLETE  WILL  ONLY  BE  PERFORMED  FOR  A  TAL/ELS,  LEAKING/FLAT 
TIRE,  INSUFFICIENT  ROLLOUT  MARGIN,  LOSS  OF  BRAKING 
CAPABILITY,  OR  A  SINGLE  APU  LANDING.  ®[1 11 094-1 690B] 

If  SSME  repositioning  is  not  complete,  the  drag  chute  will  not  be  deployed  unless  one  or  more  of  the 
above  conditions  are  presen  t.  If  none  of  the  above  conditions  are  presen  t,  the  call  to  the  crew  should  be 
“  Go  for  emergency  chute  deploy  only”,  indicating  to  the  crew  to  not  deploy  the  drag  chute  unless  they 
feel  that  the  drag  chute  could  provide  some  additional  benefit.  If  SSME  repositioning  did  not  occur  and 
one  or  more  of  the  above  conditions  are  presen  t,  the  call  to  the  crew  will  be  the  type  of  deploy  to  be 
performed  (e.g.  Go  for  nominal  deploy,  early  deploy,  or  late  deploy). 

Deploying  the  drag  chute  without  SSME  repositioning  risks  damage  to  engine  bells.  Rockwell  analysis 
(1/91)  shows  that  the  most  likely  contact  point  would  be  between  the  top  edge  of  the  center  mean  engine 
bell  and  the  risers,  when  the  risers  are  at  full  line  stretch  (twang).  For  certain  cases,  the  benefits  of  the 
drag  chute  outweigh  the  risk  of  potential  damage  to  the  SSME  bells. 

The  drag  chute  minimizes  MEG  loads  if  disreef  occurs  prior  to  NGTD.  The  additional  loads  margin  of  a 
nominal  chute  deploy  and  the  margin  the  chute  provides  for  the  uncertainties  of  a  short,  narrow  runway 
ou  tweigh  the  risk  of  engine  bell  damage  in  the  event  of  a  TAL  or  ELS  landing.  During  an  RTLS,  the 
engine  bells  are  moved  to  the  RTLS  stow  position  which  is  the  same  as  the  drag  chute  stow  position.  Due 
to  the  length  and  width  of  the  KSC  runway,  RTLS  is  not  a  sufficient  reason  to  deploy  if  failures  prevent 
the  cen  ter  mean  engine  from  reaching  the  stow  position. 

In  the  event  of  a  leaking/flat  tire,  by  minimizing  MLG  loads  there  is  a  possibility  that  the  good  tire  on 
that  strut  will  not  fail.  Main  landing  gear  loads  are  minimized  (decreased  by  up  to  17  percent)  by 
obtaining  disreef  just  before  NGTD  (reference  Rule  {A10-142},  TIRE  PRESSURE  [  CIL],  and 
Ascent/Entry  Flight  Techniques  Panel  #104,  September  17,  1993). 
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Adequate  rollout  margin  is  determined  based  on  brake  energy  predictions  and  landing  conditions  of  the 
day  (reference  Rule  {A4-108},  TIRE  SPEED,  BRAKING,  AND  ROLLOUT  REQUIREMENTS  AND 
ROLLOUT  REQUIREMENTS).  An  analysis  performed  by  Flight  Design  &  Dynamics  (10/92)  indicated 
that  for  adequate  control  and  stopping  distance,  ?  37.5  percent  brakes  are  required  without  NWS,  and 
that ?  25  percent  brakes  are  required  with  NWS  (for  all  landing  sites).  This  analysis  assumed  15  kt 
crosswinds  and  no  drag  chute,  and  looked  at  brake  torque  only. 

For  a  single  APU  landing,  the  drag  chute  provides  rollout  margin  in  the  event  the  last  APU  fails  during 
rollout.  Ames  ‘91  testing  shows  no  noticeable  changes  in  drag  chute  handling  qualities  due  to  a  single 
APU  landing. 

Rule  (A2-262J,  LANDING  DTO’s,  and  (A10-142),  TIRE  PRESSURE  [CIL]  reference  this  rule. 

®[1 11 094-1 690B] 

A10-144  DRAG  CHUTE  DEPLOY  CONSTRAINTS 

THE  DRAG  CHUTE  WILL  BE  DEPLOYED  FOR  ALL  LANDINGS  SUBJECT  TO  THE 
FOLLOWING:  ®[111 094-1 690B] 

The  drag  chute  adds  margin  to  the  landing  and  rollout  capabilities  of  the  shuttle  by  reducing  main  gear 
strut  loads  (possibly  preventing  a  second  blown  tire  at  NGTD  in  the  event  of  a  leaking/flat  tire), 
increasing  directional  stability  (especially  with  directional  control  problems),  and  reducing  rollout 
distance.  Ames  (6/93)  data  indicates  that  main  gear  load  savings  are  maximized  (loads  decreased  up  to 
17  percent)  by  obtaining  disreef  just  before  NGTD  (ref.  Ascent/Entry  Flight  Techniques  Panel  #104, 
September  17,  1993). 

A.  THE  DRAG  CHUTE  WILL  NOT  BE  DEPLOYED  IF  CROSSWIND  >  15  KNOTS 

PEAK. 

The  crosswincl  limit  is  for  peak  winds,  in  accordance  with  Rule  { A2-6J ,  LANDING  SITE  WEATHER 
CRITERIA  [HC].  Ames  1991  data  shows  that  deploying  the  chute  in  high  crosswinds  will  increase  the 
vertical  loads  on  the  downwind  tires  and  may  also  cause  reduced  pilot  handling  qualities.  Handling 
qualities  ratings  (HQR’s)  degrade  as  the  crosswinds  approach  15  kts,  but  are  still  typically  within 
acceptable  limits  (level  1-2  Cooper  Harper  ratings).  A  few  level  3  HQR’s  occurred  during  6/93  VMS 
runs  with  crosswinds  of  15  and  20  kts  (ref  Ascent/Entry  Flight  Techniques  Panel  #104,  September  17, 
1993). 

B.  THE  DRAG  CHUTE  WILL  NOT  BE  DEPLOYED  PRIOR  TO  MGTD . 

Before  MGTD,  the  crew  may  not  have  time  to  jettison  the  chute  nor  will  there  be  sufficient  force  to  cause 
the  pivot  pin  (105k  -  125k  lb  shear  pin)  to  disengage  and  release  the  chute  (Ames  1990). 
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C.  THE  DRAG  CHUTE  WILL  NOT  BE  DEPLOYED  AT  SPEEDS  >  230  KEAS  OR 
<  80  KGS.  ®[1 11 094-1 690B] 

The  pivot  pin  in  the  attach/jettison  mechanism  is  designed  to  disengage  and  release  the  chute  for  forces 
between  105k  lbs  and  125k  lbs,  preventing  structured  damage.  Above  230  KEAS,  the  loads  are  expected 
to  exceed  the  pivot  pin  disengage  limits.  If  these  limits  are  exceeded,  the  pivot  pin  will  most  likely 
release  the  chute  during  disreef,  the  period  of  maximum  loading.  If  this  occurs,  the  elevons  may  not  have 
enough  time  to  react  to  the  sudden  change  in  momen  t  of  the  orbiter,  and  derotation  could  increase  to  a 
rate  which  would  result  in  exceeding  NLG  slcipdown  loads.  ®[111094-1690B] 

If  the  drag  chute  is  deployed  at  speeds  <  80  KGS,  only  the  pilot  chute  will  deploy  (ref.  Rockwell  Downey 
1992  Computer  Simulations).  Analytical  data  shows  there  should  be  no  contact  between  the  risers  and 
the  center  mean  engine  bell  at  speeds  as  low  as  75  KGS.  Flight  data  shows  that  75  KGS  may  be 
conservative,  as  the  chute  is  riding  higher  than  anticipated. 

D.  THE  DRAG  CHUTE  WILL  BE  ARMED  AND  DEPLOYED  SIMULTANEOUSLY. 

When  the  chute  is  armed,  an  inadvertent  deploy  can  result  from  additional  failures  in  a  deploy  switch 
and/or  electrical  components  within  the  drag  chute  avionics.  An  inadvertent  deploy  of  the  chute  can 
result  in  excessive  sink  rates,  which  can  be  catastrophic. 

E.  FOLLOWING  DEPLOY,  THE  CHUTE  WILL  BE  JETTISONED  AT  A  SPEED  OF 
60  ±  20  KGS.  THE  CHUTE  WILL  NOT  BE  JETTISONED  BELOW  40  KGS. 

Ames  ( 1/93)  data  has  shown  that  jettison  of  the  chute  prior  to  NGTD  can  result  in  poor  handling 
qualities,  and  can  increase  the  nose  gear  slcipdown  loads  above  allowable  structural  limits. 

If  the  chute  is  jettisoned  below  20  KEAS,  there  is  an  increased  probability  that  the  drag  chute  risers  will 
contact  and  possibly  damage  the  engine  bells  (Rockwell  engineering  analysis).  All  crew  procedures 
after  nose  gear  touchdown  that  are  cued  to  velocity  must  use  ground  speed  because  the  HUD  display 
changes  from  airspeed  to  ground  speed  at  WONG.  The  40  KGS  minimum  jettison  cue  is  20  kt  faster 
than  the  20  KEAS  constraint  to  account  for  wind  and  atmospheric  effects,  instrumentation  error,  and 
system  lag. 

Rules  (A2-6),  LANDING  SITE  WEATHER  CRITERIA  [HC],  and  {A2-262},  LANDING  DTO’s,  reference 

this  rule.  ®[111 094-1 690B] 
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A10-145  UNCOMMANDED  BRAKE  PRESSURE  [CIL] 

A.  BRAKE  ISOLATION  VALVE  (S)  WILL  BE  CLOSED  IF  NECESSARY  TO 

PREVENT  LANDING  WITH  UNCOMMANDED  BRAKE  PRESSURE  >  180  (180) 

PSI  IN  ONE  OR  MORE  BRAKE/SKID  CONTROL  VALVES.  THE  ASSOCIATED 
BRAKE  ISOLATION  VALVE  (S)  WILL  BE  OPENED  AFTER  NOSE  GEAR 
TOUCHDOWN  TO  PROVIDE  FULL  BRAKING. 


Brake  application  is  possible  at  pressures  ?  180  psi.  If  brake  pressure  increases  above  180  psi  at  main 
gear  touchdown,  the  tire(s)  will  “skid”  until  tire  failure.  The  tire  adjacent  to  the  failed  tire  may  fail  at 
nose  gear  touchdown,  resulting  in  severe  lateral-directional  control  problems  during  rollout.  The  high 
friction  forces  of  a  locked  wheel  may  also  result  in  nose  gear  loads  in  excess  of  structural  limits. 

Closing  the  affected  isolation  valve(s)  isolates  the  brakes  from  the  high  pressure  flow,  arid  the  pressure 
should  decrease  to  nominal  levels  through  the  return  pressure  lines.  This  covers  the  most  credible 
failure  modes  ( brake  sen’ovalve  problems  due  to  contamination  and  silting  or  an  antiskid  card  failure). 

B.  IF  CLOSING  THE  BRAKE  ISOLATION  VALVE (S)  FAILS  TO  RELIEVE  THE 
BRAKE  PRESSURE,  AN  APU  WILL  BE  SHUT  DOWN  TO  PREVENT  LANDING 
WITH  BRAKE  PRESSURE  >  180  (180)  PSI  IN  A  SINGLE  BRAKE/SKID 

CONTROL  VALVE  IF  TWO  OTHER  GOOD  APU/HYDRAULIC  SYSTEMS  REMAIN. 
TWO  APU'S  WILL  BE  SHUT  DOWN  IF  NECESSARY  TO  RELIEVE 
UNCOMMANDED  BRAKE  PRESSURE  IN  MULTIPLE  BRAKE/SKID  CONTROL 
VALVES.  THE  ASSOCIATED  BRAKE  ISOLATION  VALVE (S)  WILL  BE 
OPENED  PRIOR  TO  APU  SHUTDOWN. 

If  uncommanded  brake  pressure  is  not  relieved  when  the  isolation  valve(s)  is  closed,  the  selector  valve 
is  stuck  such  that  it  is  blocking  both  the  primary  and  secondary  return  lines.  The  primary  system  brake 
isolation  valve(s)  will  be  reopened  to  allow  a  return  path  for  the  hydraulic  fluid,  and  the  primary  APU 
(1  or  2)  will  be  shut  down.  If  high  brake  pressure  is  detected  in  only  one  brake/skid  con  trol  module,  a 
second  APU  will  NOT  be  shut  down  because  of  the  possibility  that  the  failure  is  a  transducer  failure. 

The  180-psi  value  used  in  this  rule  does  not  take  into  account  the  ±  100  psi  transducer  error.  If 
transducer  error  was  considered,  the  value  at  which  to  take  action  would  be  well  within  the  nominal 
system  operating  range.  The  transducers  have  proven  to  be  reliable  in  their  accuracy. 

With  01-21  software  and  the  major  modification  hydraulic  changes,  the  brake  isolation  valves  will 
remain  closed  until  MGTD.  Therefore,  it  would  take  at  least  two  failures  to  implement  this  rule. 

Reference  SODB,  vol.  I,  sec.  3. 4.2.1,  and  Mechanical  Systems  Console  Handbook,  volume  II,  section 
2.5.9. 

Rule  {A10-71},  HYDRAULIC  SYSTEMS  CONFIGURATION,  references  this  rule. 
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A10-146  BRAKING 

A.  DEFINITIONS: 

1.  NOMINAL  BRAKING  PROFILE  -  THE  NOMINAL  BRAKING  PROFILE 
CONSISTS  OF  APPLYING  THE  BRAKES  WHEN  THE  VEHICLE  HAS 
REACHED  A  SPEED  OF  140  KNOTS  GROUND  SPEED  (GS) .  ONCE 
BRAKES  ARE  APPLIED,  A  DECELERATION  RATE  OF  8  FP#  SHOULD 
BE  MAINTAINED  UNTIL  A  SPEED  OF  40  KNOTS  GS  IS  REACHED, 

WHEN  THE  DECELERATION  RATE  SHOULD  BE  REDUCED  TO  LESS  THAN 
6  FPS2. 

The  140  knots  GS  was  chosen  as  the  nominal  brake-on  speed  because  it  is  the  maximum  speed  that  can 
be  used  with  this  deceleration  rate  and  not  exceed  the  reuse  energy  limit  of  the  brakes.  This  was 
determined  by  landing  and  rollout  analysis  programs  discussed  at  Flight  Techniques  meetings  and 
verified  in  the  SMS  and  Ames  VMS.  Applications  of  brakes  before  140  knots  will  lead  to  brake  energies 
above  the  allowable  limits  before  wheelstop  occurs.  Applying  brakes  below  this  speed  will  lengthen 
rollou  t  distances  from  the  predicted  values.  An  additional  consideration  with  regards  to  brake-on  speed 
is  that  the  hydroplaning  speed  for  the  orbiter  tire  pressure  is  approximately  140  knots,  and  skidding 
could  occur  above  this  speed  if  brakes  are  applied.  The  deceleration  rate  was  chosen  to  provide  the  most 
efficient  stop  versus  total  brake  energy  and  takes  into  consideration  the  following  design  characteristic 
of  the  brakes:  working  best  under  moderately  high  torque  values.  (Because  of  heat  buildup  and  transfer 
throughout  the  brake,  it  is  desirable  to  stop  quickly,  before  thermal  damage  can  occur  -  yet  not  so 
quickly  that  total  energy  exceeds  limits.)  Finally,  brake  torque  increases  at  lower  speeds,  and  it  is 
therefore  desirable  to  let  off  on  the  deceleration  rate  below  40  knots  GS  to  prevent  brake  structural 
failure  and  subsequent  lockup  of  the  wheel.  ®[ED  ] 

2.  MAXIMUM  BRAKING  PROFILE  -  THE  MAXIMUM  BRAKING  PROFILE 
CONSISTS  OF  APPLYING  MAXIMUM  BRAKE  PRESSURE  TO  ACHIEVE  THE 
HIGHEST  POSSIBLE  DECELERATION  RATE.  MAXIMUM  DECELERATION 
RATE  SHOULD  BE  ACHIEVED  IN  NOT  <  2  SECONDS  FROM  BRAKE 
APPLICATION.  WHEN  THE  VEHICLE  REACHES  40  KNOTS  GS ,  IF 
SUFFICIENT  RUNWAY  REMAINS,  THE  DECELERATION  RATE  SHOULD  BE 
DECREASED  TO  <  6  FPS2  UNTIL  WHEELSTOP.  ®[ED  ] 

Since  the  maximum  braking  profile  is  to  be  used  only  when  there  is  a  danger  of  the  vehicle  running  off 
the  end  of  the  runway,  no  regard  is  given  to  using  up  the  brake  hardware  by  exceeding  energy  limits; 
therefore,  the  maximum  amoun  t  of  torque  available  should  be  used.  A  smooth  rather  than  sudden 
application  is  preferred  to  prevent  possible  high-speed  failure  of  the  brake  stack.  Also,  if  sufficient 
run  way  remains  after  the  high-speed  part  of  the  stop,  it  is  desirable  to  release  the  brakes  below  40  knots 
GS  to  prevent  low-speed  lockup  of  the  wheel,  since  brake  torque  increases  at  lower  speeds. 
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A10-146  BRAKING  (CONTINUED) 

B.  BRAKING  PROFILE  SELECTION  -  THE  FOLLOWING  CRITERIA  DETERMINE 

THE  SELECTION  OF  THE  BRAKING  PROFILE  TO  BE  USED: 

1.  NO  BRAKING  BEFORE  MIDFIELD. 

All  shuttle  runways  are  at  least  11,000 feet  long  to  ensure  that  midfield  will  always  provide  a  minimum 
distance  (5,500 feet)  to  the  end  of  the  runway.  Landing  analysis  shows  that  stopping  distance  requirements 
can  always  be  met  in  this  distance;  therefore,  there  is  no  requirement  to  apply  the  brakes  before  midfield, 
thus  preserving  the  brakes  and  reducing  the  risk  of  failures. 

2.  AFTER  MIDFIELD,  BUT  BEFORE  THE  5,000-FOOT  REMAINING 
POINT,  THE  NOMINAL  BRAKING  PROFILE  WILL  BE  USED  WHEN  A 
SPEED  OF  140  KNOTS  GS  IS  REACHED.  (BRAKES  WILL  NOT  BE 
APPLIED  IN  THIS  REGION  UNTIL  THE  140  KNOTS  GS  SPEED  IS 
REACHED . ) 

Landing  and  deceleration  analysis  has  shown  that  the  nominal  braking  profile  can  stop  the  vehicle  with 
sufficient  margin  when  used  before  the  5,000-foot  remaining  point  when  brakes  are  applied  at  140  knots 
GS.  There  is  no  requirement  to  apply  the  brakes  before  the  140  knots  GS  speed  in  this  region  thus 
preven  ting  damage  from  high-energy  stops. 

3.  WHEN  THE  VEHICLE  PASSES  THE  5,000-FOOT  REMAINING  POINT 
AND  IF  THE  GROUND  SPEED  IS  <  140  KNOTS,  THE  NOMINAL 
BRAKING  PROFILE  WILL  BE  OBSERVED.  IF  THE  GROUND  SPEED 
IS  >  140  KNOTS,  THE  MAXIMUM  BRAKING  PROFILE  WILL  BE 
OBSERVED . 

If  the  vehicle  is  still  going  faster  than  140  knots  GS  when  it  passes  the  5,000-foot  remaining  point, 
maximum  braking  will  be  required  to  stop  before  the  end  of  the  runway  with  adequate  margins. 

Maximum  braking  effort  is  reserved  for  this  extreme  case,  since  it  will  lead  to  extensive  brake  damage, 
possibly  before  wheelstop,  and  creates  a  potential  for  a  post-stop  brake  fire.  If  the  vehicle  has  already 
slowed  to  less  than  140  knots  GS  at  the  5,000-foot  remaining  point,  the  vehicle  can  be  stopped  using  the 
nominal  braking  profile.  ®[ED  ] 

A10-147  THROUGH  A10-160  RULES  ARE  RESERVED 
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A10-161  DRIVE  MECHANISMS  LOSS  DEFINITIONS 

DRIVE  MECHANISMS  ASSOCIATED  WITH  VENT  DOORS,  PLBD'S, 

RADIATORS,  ET  UMBILICAL  DOORS,  PAYLOAD  RETENTION  LATCHES, 

ACTIVE  KEEL  LATCHES,  KU-BAND,  AND  ROEU/ROFU  ARE  CONSIDERED 
FAILED  IF:  @[062801 -4355A] 

A.  THE  DRIVE  TIME  EXCEEDS  SINGLE  MOTOR  DRIVE  TIME  (EXCEPT  IN 
THOSE  CASES  WHERE  VISUAL  INDICATIONS  ARE  AVAILABLE) . 

The  drive  mechanisms  men  tioned  above  each  possess  two  motors  for  redundancy  purposes.  A  single 
motor  can  drive  the  mechanism;  however ,  dual  motor  drive  will  actuate  the  mechanism  in  half  the  time 
( dual  motor  drive  is  nominally  used  for  the  mechanisms  above).  Therefore,  if  the  drive  time  (for 
open/close,  latch/unlatch,  etc.)  associated  with  the  mechanism  exceeds  that  for  single-motor  drive  ( the 
maximum  it  would  take  if  either  motor  drove),  then  it  is  assumed  that  the  mechanism  has  failed  to  reach 
the  desired  position.  If  visual  cues  are  available  to  ascertain  the  mechanism’s  position  and  it  is 
determined  that  the  desired  position  has  been  reached,  the  mechanism  is  not  considered  failed. 

B.  THE  DRIVE  MECHANISM  CAN  BE  OBSERVED  AND  IS  NOT  MOVING  IN 
RESPONSE  TO  THE  COMMAND. 

Assuming  the  proper  switch  and  circuit  breaker  configuration  and  that  the  mechanism  has  not  already 
attained  the  commanded  position,  movement  should  be  seen;  otherwise,  the  mechan  ism  has  failed. 

C.  THE  DRIVE  MECHANISM  CANNOT  BE  OBSERVED  AND  THERE  IS  NEITHER 
OPEN  NOR  CLOSED  POSITION  INDICATIONS  AND  DRIVE  TIME  EXCEEDS 
SINGLE-MOTOR  DRIVE  TIME. 

If  sufficient  time  has  elapsed  for  the  mechanism  to  have  reached  the  desired  state  for  only  one  motor 
driving  and  no  indications  of  it  reaching  the  commanded  position  are  seen,  then  the  mechanism  is 
considered  to  have  failed  in  transit.  This  applies  only  to  that  mechanism ’s  position.  This  is  based  on 
the  low  probability  of  transducer  failures  for  the  end-of-travel  indications  that  would  imply  that  the 
mechanism  had  failed  coupled  with  the  assumption  that  it  is  safer  to  consider  the  mechanism  failed. 

THIS  RULE  CONTINUED  ON  NEXT  PAGE 


VOLUME  A  06/20/02  FINAL  MECHANICAL  10-79 

Verify  that  this  is  the  correct  version  before  use. 


NASA  -  JOHNSON  SPACE  CENTER 


FLIGHT  RULES 


A10-161  DRIVE  MECHANISMS  LOSS  DEFINITIONS  (CONTINUED) 

APPROXIMATE  SINGLE  MOTOR  DRIVE  TIMES  ARE: 


PLBD  CENTERLINE  LATCHES  (*OPEN  ONLY) .  40  SECONDS 

PLBD  BULKHEAD  LATCHES* .  60  SECONDS 

PLBD  DRIVE* .  126  SECONDS 

RADIATOR  LATCHES  .  60  SECONDS 

RADIATOR  STOW/DEPLOY  DRIVE* .  100  SECONDS 

ET  DOOR  CENTERLINE  LATCHES .  12  SECONDS 

ET  DOOR  DRIVE .  4  8  SECONDS 

ET  DOOR  UPLOCK  LATCHES .  12  SECONDS 

VENT  DOOR  DRIVE .  10  SECONDS 

PAYLOAD  RETENTION  LATCHES .  60  SECONDS 

KU-BAND  DRIVE*  .  46  SECONDS 

ROEU/ROFU  DRIVE*  .  60  SECONDS 

ROEU/ROFU  LATCH  .  40  SECONDS 

ROEU/ROFU  RELAX  .  24  SECONDS 

*VI  SUAL  CUE  AVAILABLE  @[062801 -4355A] 


The  table  above  gives  the  design  specification  time  required  for  the  indicated  drive  mechanism  to  reach 
the  full  open/close/etc.  position.  These  times  can  vary  somewhat  and  are  usually  less  than  that  shown. 
The  dual  motor  drive  time  can  be  determined  by  dividing  the  single-motor  drive  time  by  two. 

Visual  cues  are  provided  by  bulkhead  camera  views  and/or  by  looking  out  the  payload  bay  windows.  For 
the  centerline  latches  only,  the  open  position  can  be  observed.  When  partially  or  fully  closed,  the  latch 
hook  is  hidden  behind  the  extended  guide  roller  and  the  latch  hook  roller  brackets.  It  is  not  possible  to 
visually  determine  if  the  latches  are  closed  far  enough. 
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GENERAL  MECHANISMS  SYSTEMS  MANAGEMENT 


A10-181  DRIVE  MECHANISMS 

A.  IF  VISUAL  CUES  ARE  NOT  AVAILABLE,  A  DRIVE  MECHANISM  WILL 
BE  CONSIDERED  TO  HAVE  ATTAINED  ITS  COMMANDED  POSITION, 
OPEN/CLOSED/STOWED/DEPLOYED/LATCHED/RELEASED,  IF  AT  LEAST 
ONE  INDICATION  OF  THAT  STATE  OCCURS  WITHIN  SINGLE-MOTOR 
OPERATING  TIME. 

Redundant  indications  are  provided  for  the  drive  mechanisms  for  the  open/closed/stowed/deployed/ 
latchecl/released  positions.  If,  during  a  drive  sequence  for  any  of  the  above  mechanisms  that  does  not 
have  means  of  visual  verification,  any  of  the  end-of-travel  indications  are  present  within  the  single-motor 
drive  envelope,  the  mechanism  will  be  considered  to  be  in  the  desired  position.  This  is  based  on  the  low 
probability  of  a  transducer  failing  within  the  time  that  the  indication  was  expected  thereby  giving  a  false 
verification  of  position. 

B.  DRIVE  MECHANISM  COMMANDS  WILL  BE  TERMINATED  IF  THE  MECHANISM 
CAN  BE  OBSERVED  AND  IS  NOT  MOVING  IN  RESPONSE  TO  THE  COMMAND. 

To  preven  t  damage  to  motors  (burnout),  drive  mechanism  commands  will  be  terminated  if  no  mechanism 
movement  is  observed  for  those  mechanisms  which  can  be  visually  verified. 

C.  DRIVE  MECHANISMS  WHICH  CANNOT  BE  OBSERVED  WILL  BE  ALLOWED 
TO  DRIVE  TO  THE  SINGLE-MOTOR  DRIVE  TIME.  COMMANDS  WILL  BE 
TERMINATED  AFTER  SINGLE-MOTOR  TIME  OR  AFTER  RECEIPT  OF  ONE 
TERMINAL  POSITION  INDICATION  IN  THE  DIRECTION  OF  TRAVEL. 

If  one  motor  fails,  the  time  required  for  the  mechanism  to  change  state  will  be  twice  the  normal  dual 
motor  time.  If  the  mechanism  cannot  be  observed,  it  is  safe  to  send  drive  commands  for  the  single-motor 
drive  time  which  will  be  adequate  even  if  one  motor  has  failed.  Commands  should  be  terminated  after 
single-motor  time  even  if  no  terminal  indication  is  received  because  (the  mechanism  may  have  a  more 
serious  failure,  possible  jam)  continuing  the  command  could  possibly  damage  the  motor(s)  or  clutch(es). 

D.  DRIVE  MECHANISMS  WHICH  CAN  BE  OBSERVED  WILL  BE  ALLOWED  TO 
DRIVE  IN  EXCESS  OF  SINGLE-MOTOR  DRIVE  TIME  WHEN  DRIVING  IN 
THE  CLOSED/LATCHED  DIRECTION  WITH  DETECTABLE  MOTION. 

Allowing  a  mechanism  to  drive  beyond  single-motor  drive  time,  as  long  as  the  mechanism  can  be 
obsen’ed,  can  possibly  place  that  mechanism  in  a  fail-safe  configuration  (closed/latch  direction  is 
fail-safe  and  desirable). 
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PAYLOAD  DOOR  (PLBD)  SYSTEMS  MANAGEMENT 


A10-201  PLBD  GENERAL 

A.  LAUNCH  DAY  LANDING  PLBD  OPERATIONS: 

1.  IF  A  LANDING  IS  REQUIRED  AND  SUPPLY/WASTE  WATER  WILL 
SUPPORT  FES  OPERATIONS  UNTIL  ENTRY,  NO  ATTEMPT  WILL  BE 
MADE  TO  OPEN  ONE  OR  BOTH  THE  PLBD'S.  @[0201 96-1 804A] 

For  launch  day  landings  at  the  first  available  PLS,  the  supply  and  waste  water  tanks  are  loaded  such  that 
there  is  sufficient  water  for  FES  operations;  therefore,  there  is  no  requirement  to  incur  the  risks 
associated  with  opening  the  PLBD’s,  thus  eliminating  an  increase  in  the  crew  workload  during  this 
timeframe. 

2.  IF  A  LANDING  IS  REQUIRED  AFTER  PREDICTED  EXHAUSTION  OF 
SUPPLY  AND  WASTE  WATER  FOR  THE  FES,  THE  PLBD'S  MAY  BE 
OPENED . 

For  launch  day  landings  after  the  first  PLS  opportunity,  insufficient  supply/waste  water  may  have  been 
loaded  to  support  FES  operations  to  entry.  If  the  first  PLS  opportunity  is  no-go  or  likely  to  be  no-go, 
then  PLBD  opening  will  be  required.  This  situation  may  result  in  having  to  open  the  PLBD  without  close 
redundancy.  @[0201 96-1 804A] 

3.  FOR  PROBLEMS  PROHIBITING  NECESSARY  HEAT  REJECTION,  THE 
PLBD '  S  MAY  BE  OPENED  (TIME  PERMITTING)  WITHOUT  REGARD  TO 
CLOSE-MOTOR  REDUNDANCY,  FES  WATER  SUPPLY  AVAILABILITY,  OR 
MET  OF  LANDING.  @[0201 96-1 804A] 

For  cases  where  there  are  cooling  problems  and  opening  the  PLBD’s  is  required  to  alleviate  heating  of 
critical  equipment  needed  for  entry,  the  PLBD’s  should  be  opened  to  provide  the  increased  cooling 
capability.  This  may  be  necessary/  even  though  redundant  PLBD  closure  does  not  exist  and  the 
timeline/workload  would  be  increased. 

B.  IF  A  LATCH  GANG  FAILS  TO  FULLY  OPEN  BUT  CAN  BE  VERIFIED  TO 
CLEAR  THE  ROLLERS  BY  VISUAL  OBSERVATION/TV,  IT  WILL  NOT  BE 
CYCLED  CLOSED. 

In  order  to  provide  a  maximum  chance  to  at  least  complete  an  MDF,  a  failed  in-transit  latch  gang  that 
can  be  observed  to  be  open  will  not  be  cycled  closed.  Some  risk  is  associated  with  cycling  the  latch  gang 
closed.  It  may  fail  close  or  nearly  closed  prohibiting  PLBD  opening  operations.  There  is  no  real 
advan  tage  in  cycling  the  latch  gang  closed  when  the  problem  is  first  discovered  over  closing  it  in 
preparation  for  entry. 
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A10-201  PLBD  GENERAL  (CONTINUED) 

C.  PLBD  LATCHES  WILL  NOT  BE  CYCLED  CLOSED  WHILE  THE  PLBD'S  ARE 
OPEN. 

To  preclude  system  failures  (mechanical,  structural,  software)  that  may  occur  while  the  latch  gang  is 
being  closed  or  is  closed,  the  most  conservative  thing  to  do  is  not  close  the  latch  gang  while  the  PLBD’s 
are  opened.  There  is  no  EVA  capability  to  open  a  failed  closed  latch  gang.  A  failure  where  the  latch 
gang  remains  closed  would  prohibit  complete  PLBD  closure  and  latching  for  entry.  Cycling  of  a  latch 
gang  while  the  PLBD’s  are  open  will  not  be  done  for  troubleshooting  purposes. 

D.  THE  STARBOARD  PLBD  WILL  NOT  BE  CLOSED  WITH  THE  PORT  PLBD 
OPEN. 

Structural  interference  between  the  centerline  latch  hangers  (port  PLBD )  and  the  bell-  crank/hook 
bracket  assembly  (starboard  PLBD)  prevents  complete  PLBD  closure  and  latching.  Also,  if  the 
starboard  PLBD  drive  mechanism  f ails  (PLBD  jams  closed)  while  the  port  PLBD  is  open,  the  orbiter 
is  in  an  unflycible  system  configuration. 

E.  PLBD  WILL  NOT  BE  REOPENED  ONCE  IT  HAS  BEEN  CLOSED  DURING  AN 
EVA. 

If  an  EVA  had  to  be  performed  in  order  to  put  the  vehicle  in  a  fail-critical  configuration,  reopening  a 
failed  latch  and/or  PLBD  in  any  case  is  not  a  prudent  thing  to  do.  Entry  should  be  made  at  the  next  PLS 
opportunity  after  the  EVA  is  completed. 
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A10-202  PLBD  VISUAL  CUES 

THE  PLBD '  S  AND  PLBD  LATCHES  ARE  CONSIDERED  OPEN  OR  CLOSED  IF  THEY 
CAN  BE  VISUALLY  VERIFIED  VIA  THE  FOLLOWING  CRITERIA: 

A.  PLBD ' S  OPEN  -  THE  SIX  PUSH  RODS  SHOULD  HAVE  10  STRIPES  IN  THE 
FIELD  OF  VIEW  ABOVE  THE  LONGERON  SILL. 

Opening  and  closing  of  the  PLBD’s  is  accomplished  by  actuators  acting  through  pushrods  and  bell 
cranks  and  thus  on  the  PLBD ’s  themselves.  The  actuators  are  hidden  beneath  the  payload  bay  liner. 

Each  pushrod  has  10  stripes;  the  first,  eighth,  and  ninth  (counting  from  the  top)  are  gold  with  the  other 
seven  being  silver.  When  the  PLBD’s  are  closed,  the  pushrods  retract  behind  the  liner  and  only  the 
uppermost  stripe  may  be  visible  on  any  of  the  six  pushrods  for  that  door.  For  the  fully  open  position,  the 
pushrods  must  extend  far  enough  that  all  10  stripes  can  be  seen.  The  other  stripes  indicate  intermediate 
door  positions. 

B.  CENTERLINE  LATCHES  CLEAR  OF  ROLLERS  (DESIGN  OVERLAP  CASE)  - 
THE  TIP  OF  THE  LATCH  SHOULD  BE  POINTING  ABOUT  30  DEGREES  DOWN 
FROM  THE  Y-AXIS  WITH  THE  TIP  APPROXIMATELY  1  INCH  FROM  THE 
ROLLER. 

When  the  centerline  latches  are  in  the  open  position,  the  tip  of  the  latch  is  pointing  about  30  degrees  down 
from  the  horizontal  (see  SSSH  drawing  14.1,2).  If  this  can  be  visually  confirmed,  then  the  latches  are  clear 
of  the  rollers.  Due  to  the  position  of  the  latches  when  partially  to  fully  closed,  it  is  not  possible  to  determin  e 
if  the  latches  are  closed  far  enough.  Binoculars  are  available,  but  no  markings  are  provided. 
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A10-203  PLBD  CRITICAL  LATCHES 

A.  FOR  FAILURE  OF  ANY  TWO  PLBD  LATCH  GANGS  TO  FULLY  ENGAGE 
(CENTERLINE  OR  BULKHEAD),  AN  EVA  WILL  BE  PERFORMED  TO  INSTALL 
MANUAL  LATCH  TOOLS  ON  AT  LEAST  ONE  OF  THE  FAILED  LATCH  GANGS. 

B.  FOR  FAILURE  OF  ANY  SINGLE  OR  MULTIPLE  PLBD  LATCH  GANGS  TO 
FULLY  ENGAGE  (CENTERLINE  OR  BULKHEAD),  ENTRY  LOADS  WILL  BE 
MINIMIZED  PER  THE  FOLLOWING: 

1.  ENTRY  TEST  MANEUVERS  WILL  NOT  BE  PERFORMED,  AND  ANY 
PROGRAMMED  TEST  INPUTS  (PTI'S)  WILL  BE  INHIBITED. 

2.  CONSIDERATION  WILL  BE  GIVEN  TO  TARGETING  A  RUNWAY / HAC 
APPROACH  AT  THE  PLS  OR  SLS  TO  MINIMIZE  TAILWIND  AT  HAC 
INITIATION  AND  TURBULENCE / SURFACE  WINDS. 

There  is  no  analysis  which  indicates  that  entry  with  multiple  latch  gang  failures  is  an  acceptable 
condition.  Although  the  latch  tools  have  not  been  proven  to  provide  the  same  structural  integrity  as  a 
nominal  latch  gang,  performing  an  EVA  to  install  these  latch  tools  provides  a  workaround  to  recover  at 
least  some  load-carrying  capability.  Two  latch  tools  are  required  to  secure  a  single  failed  latch  gang; 
however ,  only  two  centerline  and  two  bulkhead  latch  tools  are  flown.  When  two  of  the  same  type  gangs 
have  failed,  only  one  gang  can  be  secured,  as  both  available  tools  are  required  to  secure  one  of  these 
latch  gangs. 

A  1991  Rockwell  assessment  (which  refined  analyses  performed  in  1981  and  1987/1 988)  for  a  PLBD 
single  latch-out  (centerline  or  bulkhead)  certified  a  nominal  entry  trajectory  in  AUTO  flight  control  by 
exhibiting  structural,  thermal ,  and  aerodynamic  margins  above  the  required  1.4  safety  factor.  This 
analysis  shows  that  steps  and  gaps  may  occur  as  a  result  of  the  payload  bay-to-arnbient  delta  pressure 
and  latch  disengagement.  Temperature  exceedances  may  occur  at  these  steps  and  gaps,  but  the  resulting 
thermal  damage  poses  no  flight  safety  concerns.  The  extent  of  the  postflight  repairs  can  be  limited  by 
minimizing  side  slip  and  steady  pitch-up  maneuvers,  according  to  the  1991  analysis.  (Reference 
Structural  Assessment  of  Shuttle  Payload  Bay  Doors  for  Entry  with  a  Latch  Gang  Out,  SSD91D0276, 

May  1991,  and  A/E  FTP  #96,  12/18/92.) 

Although  entry  test  maneuvers  and  PTI's  should  not  expose  the  vehicle  to  conditions  outside  of  its 
certification  limits,  flying  a  nominal  entry  trajectory  minimizes  adverse  mechanical,  thermal,  and 
aerodynamic  loads.  Vehicle  accelerations,  heating,  and  compartment-to -ambient  pressure  differentials 
can  be  limited  by  avoiding  these  maneuvers.  Selecting  a  runway/HAC  that  minimizes  HAC  winds  (most 
importantly,  tailwind  at  HAC  initiation)  will  help  to  minimize  normal  loads,  and  selecting  a  landing  site 
with  benign  turbulence  and  surface  wind  conditions  reduces  the  need  for  any  abrupt  directional  control 
maneuvers. 

Rules  (A2-260J,  ENTRY  LOAD  MINIMIZATION,  and  {A1 0-209},  PLBD  RULE  REFERENCE  MATRIX, 
reference  this  rule. 


VOLUME  A  06/20/02  FINAL  MECHANICAL  10-85 

Verify  that  this  is  the  correct  version  before  use. 


NASA  -  JOHNSON  SPACE  CENTER 


FLIGHT  RULES 


A10-204  FAILED  PLBD  GPC  SEQUENCE 

IF  THE  GPC  CONTROLLING  THE  PLBD  SEQUENCE  FAILS  DURING  PLBD 
OPERATIONS,  THE  PAYLOAD  MDM'S  WILL  BE  CYCLED  OFF,  THEN  ON,  TO 
TERMINATE  EXISTING  PLBD  COMMANDS  UNTIL  THE  SOFTWARE  FUNCTION  CAN 
BE  REESTABLISHED. 


Cycling  the  MDM’s  will  clear  the  commands. 


A10-205  PLBD  CLEARANCE  CONSTRAINTS 

A.  THE  KU-BAND  ANTENNA  CAN  BE  DEPLOYED  ONLY  IF  THE  STARBOARD 
PAYLOAD  BAY  DOOR  IS  FULLY  OPEN. 

The  starboard  PLBD  must  be  fully  open  (reference  Rule  ( A 1 0-202A  j.  I ,  PLBD  VISUAL  CUES)  in 
order  to  allow  the  antenna  to  rotate  freely  without  any  in  terference  with  orbiter  hardware.  If  the 
starboard  PLBD  is  open  to  160  degrees,  interference  will  occur  between  the  PLBD  bellcrank/pushrod 
assembly  and  the  Ku-bancl  antenna  deployed  electronics  assembly  (DEA).  Each  pushrod  has  10 
stripes;  nine  visible  stripes  indicate  that  the  door  is  only  140  degrees  open  and  10  visible  stripes 
confirm  a  full-open  position  of  175  degrees.  Intermediate  PLBD  positions  ( e.  g. ,  160  degrees)  between 
140  degrees  and  175  degrees  cannot  be  accurately  determined.  Therefore,  the  open  microswitch 
indications  and/or  the  tenth  pushrod  stripe  must  be  visible  prior  to  performing  any  Ku-bancl 
deploy/stow  operation.  (Reference  SODB,  vol.  I,  3.4.5.2-25.) 

B.  THE  MANIPULATOR  POSITIONING  MECHANISMS  (MPM)  CAN  BE  DEPLOYED 
ONLY  IF  THE  PORT  PLBD  PUSHRODS  HAVE  AT  LEAST  SIX  STRIPES 
VISIBLE.  IF  THE  RMS  IS  INSTALLED,  NINE  STRIPES  MUST  BE 
VISIBLE . 

The  port  PLBD  must  be  open  greater  than  69  degrees  in  order  to  allow  the  MPM’s  to  be  deployed 
without  any  interference  with  the  PLBD  structure.  If  the  port  PLBD  is  open  less  than  69  degrees,  the 
bottom  of  the  RMS  shoulder  pedestal  will  interfere  or  drive  against  the  bottom  of  the  PLBD.  Each  PLBD 
pushrod  has  10  stripes;  six  stripes  indicate  that  the  door  is  at  a  minimum  angle  of  84  degrees.  A  PLBD 
position  of  69  degrees  is  indicated  on  the  fifth  silver  stripe.  In  termediate  positions  prior  to  the  sixth 
stripe  cannot  be  accurately  measured  for  adequate  clearance  margins.  Therefore,  in  order  to  provide 
acceptable  clearance  capability  prior  to  performing  any  MPM  deploy  operations,  six  PLBD  pushrod 
stripes  must  be  visible. 

The  port  PLBD  must  be  open  greater  than  130  degrees  in  order  to  allow  MPM’s  to  deploy  a  cradled 
RMS.  If  the  port  PLBD  is  open  less  than  130  degrees,  interference  will  occur  between  the  RMS  wrist  yaw 
joint  and  the  EVA  slidewire  mount.  Each  PLBD  pushrod  has  10  stripes;  nine  visible  stripes  indicate  that 
the  door  is  at  a  minimum  angle  of  137  degrees.  Eight  pushrod  stripes  correspond  to  a  maximum  PLBD 
angle  of  125  degrees.  Intermediate  PLBD  positions  ( e.  g. ,  130)  cannot  be  accurately  determined; 
therefore,  the  ninth  pushrod  stripe  must  be  visible  prior  to  performing  any  MPM  deploy  operations. 


VOLUME  A  06/20/02  FINAL  MECHANICAL  10-86 

Verify  that  this  is  the  correct  version  before  use. 


NASA  -  JOHNSON  SPACE  CENTER 


FLIGHT  RULES 


A10-206  PLBD  CLOSE  GO/NO-GO 

A.  THERMAL  CONSTRAINTS: 


1  . 


ON  ORBIT,  PLBD  CLOSURES  WILL 
FOLLOWING  THERMAL  CONDITIONS 

NOT  BE  PERFORMED 

FOR  THE 

a . 

PORT  DOOR  - 

IF 

V34T1126A 

IS  ?  -100  DEG 

(-8 

7  DEG)  F. 

FOR  FAILURE 

OF 

V34T1126A 

,  V34T1128A  IS 

AN 

ALTERNATE 

b . 

STARBOARD  - 

IF 

V34T1130A 

IS  ?  -100  DEG 

(-8 

7  DEG)  F. 

FOR  FAILURE 

OF 

V34T1130A 

,  V34T1132A  IS 

AN 

ALTERNATE 

The  PORT  RDY-TO-LATCH  switch  module  failed  on  STS-3.  The  failure  of  this  module  to  switch  state 
after  PLBD  opening  (during  cold  case  testing )  determined  these  low  temperature  operational  limits  (ref 
paragraph  B). 


2.  FOR  NOMINAL  END  OF  MISSION  PLBD  CLOSURE,  THE  BENDING 
EFFECT  TEMPERATURE  MUST  BE  LESS  THAN  160  DEG  F.  THE 
BENDING  EFFECT  TEMPERATURE  IS  DEFINED  AS  THE  DIFFERENCE 
BETWEEN  AVERAGE  LOWER  BONDLINE  AND  AVERAGE  SILL  LONGERON 
TEMPERATURES  ADDED  TO  THE  DIFFERENCE  BETWEEN  70  DEG  F  AND 
THE  AVERAGE  SILL  LONGERON  TEMPERATURES.  (LOWER  BONDLINE 
TEMPERATURES  -  V09T1016A,  V34T1110A,  V34T1112A;  PORT 
LONGERON  TEMPERATURES  -  V34T1114A,  V34T1116A,  V34T1118A; 
AND  STBD  LONGERON  TEMPERATURES  -  V34T1120A,  V34T1122A, 
V34T1124A  USE  THE  AVERAGE  OF  THE  COLDER  SIDE  LONGERON 
TEMPERATURES . ) 


Bending  effect  temperature  (BET)  =  (lower  bondline  avg.  T  -  sill  longeron  avg.  T)  +  (70  deg  F  -  sill 
longeron  avg.  T).  This  equation  uses  both  the  delta  between  top  and  bottom  on  the  orbiter  and  a 
comparison  between  a  standard  ground  temperature  of  70  deg  F  and  average  sill  longeron 
temperatures  to  predict  door  closure  constraints  caused  by  thermal  defections.  The  worst  case 
thermal  conditions  for  PLBD  closure  were  seen  on  STS-3.  During  the  first  attempt  to  close  the 
doors,  door  closure  was  prevented  by  structural  interference  between  the  port  PLBD  and  the  aft 
bulkhead.  This  occurred  because  of  the  extremely  cold  overall  temperatures  and  the  high  thermal 
delta  between  the  top  and  bottom,  resulting  in  a  “banana  effect”  which  expanded  the  bottom  and 
shrunk  the  top  to  make  the  gap  between  the  door  and  the  aft  bulkhead  too  small  to  allow  proper  door 
closure.  After  thermal  conditioning,  the  doors  closed  properly  with  a  delta  between  lower  bonclline 
and  sill  longerons  of  approximately  52  deg  F  and  an  average  sill  longeron  temperature  of  -41  deg  F. 
For  this  case:  BET  =  52  deg  F  +  (70  deg  minus  -  41  deg  F)  =  163  deg  F.  From  this,  160  deg  F  was 
selected  as  the  limit.  This  constraint  is  for  all  planned  PLBD  operations. 
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A10-206  PLBD  CLOSE  GO/NO-GO  (CONTINUED) 

3.  THERMAL  ATTITUDE  WILL  BE  MANAGED  TO  MAINTAIN  THE  BET 

BELOW  200  DEG  F  TO  FACILITATE  CONTINGENCY  PLBD  CLOSURE. 
THERMAL  CONDITIONING  WILL  BE  PERFORMED  FOR  AS  LONG  AS 
PRACTICAL  TO  ATTEMPT  TO  GET  WITHIN  THE  CONSTRAINTS 
DEFINED  IN  PARAGRAPH  B.  FLIGHT  SPECIFIC  EXCEPTIONS  FOR 
HIGH  PRIORITY  FLIGHT  OPERATIONS  WILL  BE  IDENTIFIED  IN  THE 
FLIGHT  RULES  ANNEX.  FOR  ANY  MISSION  NOMINALLY  EXCEEDING 
THE  CONTINGENCY  LIMITS,  THE  EXCEPTION  WILL  BE  TAKEN  TO 
THE  PRCB  FOR  INFORMATION. 


After  STS-3,  the  hardware  was  modified  by  shaving  0.39  inch  off  the  aft  lug  to  allow  for  additional 
door  gap  clearance  between  the  doors  and  aft  bulkhead.  This  additional  clearance  would  have 
allowed  the  doors  to  close,  even  for  the  worst-case  thermal  conditions  seen  during  the  unsuccessful 
door  closing  attempt  on  STS-3.  (BET  =  74  deg  F  +  (+7  deg  minus  -64  deg  F)  =  208  deg  F.  A  limit  of 
200  deg  F  was  selected  to  allow  for  uncertainties  in  the  analysis.  This  constraint  is  for  contingency 
deorbit/PLBD  closure  anytime  during  the  mission. 


Reference  Rockwell  Document,  Effect  of  On-Orbit  Temperature  on  Shuttle  Payload  Bay  Door  Closure, 
STS90D0172,  March  1990,  for  temperature  effect  and  bulkhead  modification  descriptions. 

Rules  (A2-106J,  PBD  OPERATIONS  [CIL],  and  (A2-129J,  ORBITER  ON-ORBIT  HIGH  DATA  RATE 
REQUIREMENTS,  reference  this  rule. 

B.  PLBD  CENTERLINE  LATCH  EXTENDED  GUIDE  ROLLER  TRAJECTORY: 

THE  GO/NO-GO  CRITERIA  FOR  PLBD  CLOSE  IS  PER  RULE  {A10-205}, 
PLBD  CLEARANCE  CONSTRAINTS.  THE  PORT  PLBD  WILL  BE  CLOSED  AND 
LATCHED,  AND  THE  STARBOARD  PLBD  WILL  BE  CLOSED  TO  THE  POINT 
THAT  THE  CLOSEST  EXTENDED  GUIDE  ROLLER  (STARBOARD  DOOR)  IS  AS 
NEAR  AS  FEASIBLE  TO  ITS  STRIKER  PLATE  (PORT  PLBD)  WITHOUT 
IMPACTING  IT.  THE  VISUAL  PROJECTION  OF  THE  EXTENDED  GUIDE 
ROLLER  TRAJECTORY  MUST  NOT  EXCEED  THE  BOUNDARIES  IDENTIFIED  IN 
THE  PLBD  CENTERLINE  LATCH  EXTENDED  GUIDE  ROLLER  TRAJECTORY 
DIAGRAM  BELOW. 

The  crew  will  utilize  the  PLBD  CENTERLINE  LATCH  EXTENDED  GUIDE  ROLLER  TRAJECTORY 
(diagram)  as  GO/NO-GO  criteria  to  latch  the  centerline  latches  on  entry  day.  In  addition,  this  diagram 
is  used  to  satisfy  the  “PLBD  FIT  TEST'’  DTO  requirement  to  continue  the  mission  on  launch  day  for  the 
first  flight  of  a  new  vehicle. 
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PLBD  CENTERLINE  LATCH  EXTENDED  GUIDE  ROLLER  TRAJECTORY  (DIAGRAM): 
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A10-206  PLBD  CLOSE  GO/NO-GO  (CONTINUED) 

C.  PORT  AFT  BULKHEAD  LATCH  GO/NO-GO  CRITERIA: 

PLBD ' S  CLOSED  SUFFICIENT  FOR  BULKHEAD  LATCHING  -  THE  PORT 
PLBD  SCALLOP  MUST  BE  ON  OR  BELOW  THE  TOP  OF  TARGET  STRIPE 
(AFT  BULKHEAD)  OR  THE  PORT  AFT  PLBD  CLOSE  INDICATION  MUST  BE 
PRESENT  AS  SHOWN  IN  THE  PORT  AFT  BULKHEAD  LATCH  GO/NO-GO 
DIAGRAM  ON  THE  FOLLOWING  PAGE. 

The  PORT  AFT  BULKHEAD  LATCH  GO/NO-GO  CRITERIA  was  developed  to  aid  in  bulkhead  latching 
subsequen  t  to  the  jamming  of  the  port  PLBD  edge  of  the  aft  bulkhead  seal  bracket  on  STS-4.  If  the  port 
PLBD  close  indications  are  present ,  then  the  PLBD  is  sufficiently  closed  to  permit  bulkhead  latching. 
Withou  t  these  indications ,  visual  verification  can  be  made  by  observing  if  the  port  PLBD  scallop  (the 
leading  edge  of  the  PLBD/latch  mechanism  at  the  extreme  aft  portion  of  the  PLBD)  is  on  or  below  the 
top  of  the  black  stripe  (1  inch  wide)  painted  on  the  aft  bulkhead.  If  so,  the  PLBD  is  closed  far  enough  for 
the  latches  to  engage. 
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PLBD  CLOSE  GO/NO-GO  (CONTINUED) 


PORT  AFT  BULKHEAD  LATCH  GO/NO-GO  (DIAGRAM) 


-SCALLOP  WITH  PLBD  POSITION 
AT  CLOSED  AND  LATCHED 


PORT  AFT  LATCH 
GO/NO-GO  CRITERIA 

GO  -  IF  SCALLOP  IS  ON  OR  BELOW  TOP  OF  TARGET  PLANE  OR 
IF  PORT  AFT  PLBD  CLOSE  INDICATION  IS  PRESENT. 

NO-GO  -  IF  SCALLOP  IS  ABOVE  TOP  OF  TARGET  PLANE  AND  PORT 
AFT  PLBD  CLOSE  INDICATION  IS  NOT  PRESENT. 
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A10-207  PLBD  OVERLAP 

IF  A  PLBD  OVERLAP  CONDITION  EXISTS  AT  EOM  DOOR  CLOSURE  SUCH  THAT 
THE  PLBD ' S  CANNOT  BE  CLOSED,  ENTRY  WILL  BE  DELAYED  24  HOURS 
ALLOWING  PLBD  THERMAL  CONDITIONING  TO  REGAIN  NORMAL  CLOSING 
CONDITIONS.  IF  ENTRY-CRITICAL  SYSTEMS  ARE  NOT  SINGLE-FAULT 
TOLERANT  OR  A  1-DAY  WAVE-OFF  CAPABILITY  IS  NOT  AVAILABLE,  THEN 
TOP  SUN  PLBD  CONDITIONING  WILL  BE  DONE  FOR  AS  LONG  AS  PRACTICAL. 
IF  ADVERSE  OVERLAP  CONDITIONS  STILL  EXIST  AFTER  TOP  SUN,  THE 
SIMULTANEOUS  PLBD  CLOSING  PROCEDURE  WILL  BE  USED. 


Steps  will  be  undertaken  to  thermal  condition  the  PLBD’ s  for  entry  when  nominal  preentry  conditioning 
does  not  adequately  allow  for  PLBD  centerline  latching.  The  simultaneous  PLBD  closing  procedure  is 
the  last  means  by  which  the  centerline  can  be  latched  and  is  used  as  a  contingency  means  to  latch  the 


PLBD’s. 


Rule  {A2-301},  CONTINGENCY  ACTION  SUMMARY,  references  this  rule. 
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A10-208  CONTINGENCY  PLBD  CLOSURE 

FOR  PLBD  JAM  CASES,  WHICH  RESULT  IN  THE  INABILITY  TO  NOMINALLY 
LATCH  THE  AFT  BULKHEAD  LATCHES,  THE  FOLLOWING  CONTINGENCY  PLBD 
CLOSE  PROCEDURES  WILL  BE  IMPLEMENTED  IN  LISTED  ORDER  UNTIL  ONE 
METHOD  IS  SUCCESSFUL. 

A.  NOMINAL  EOM  PLBD  CLOSE  PROBLEMS: 

1.  CYCLE  PLBD. 

2.  ONE  ORBIT  TOP  SUN  THERMAL  CONDITIONING  -  REPEAT  PLBD  CYCLE. 

3.  DRIVE  AFT  LATCHES  AND  PLBD  PART  WAY. 

4.  WAVE  OFF  (THERMAL  CONDITION  IN  TOP  SUN  -  CHECK  CLOSE 
BEFORE  SLEEP) . 

5.  PERFORM  EVA. 

B.  EMERGENCY  DEORBIT  PLBD  CLOSE  PROBLEMS: 

1.  CYCLE  PLBD. 

2.  TOP  SUN  THERMAL  CONDITIONING  (IF  TIME  PERMITS)  -  REPEAT 
PLBD  CYCLE. 


3. 

DRIVE 

AFT 

LATCHES 

AND 

PLBD 

PART  WAY. 

4  . 

DRIVE 

AFT 

LATCHES 

AND 

PLBD 

TO 

STALL . 

5  . 

CLOSE 

BOTH 

PLBD ' S 

AND 

FORWARD 

BULKHEAD  LATCHES,  THEN 

CLOSE  CENTERLINE  LATCHES  IN  FORWARD  TO  AFT  ORDER,  THEN 
CLOSE  AFT  BULKHEAD  LATCHES. 


PLBD  contingency  PLBD  closure  procedures  were  developed  as  a  result  of  the  PLBD  closure  problems 
experienced  on  STS-3  and  STS-4  during  thermal  testing  of  the  orbiter.  Postmission  investigations 
resulted  in  the  conclusion  that  midfuselage  structure  thermal  distortion  caused  by  the  extreme  thermal 
attitudes  had  closed  the  gap  between  the  PLBD  and  the  X=1307  bulkhead.  These  attitudes  were  (1)  at 
the  end  of  tail  Sun,  top  to  space,  orbital  late  roll  attitude  and  (2)  at  the  end  of  bottom  solar  inertial 
attitude.  In  response  to  these  problems,  PLBD  and  latch  modifications  were  made  to  the  orbiters.  The 
solution  basically  allowed  the  PLBD  lug  to  be  moved  forward  to  increase  the  gap.  Flight  verification  of 
this  fix  has  not  been  done;  however,  analysis  has  indicated  that  a  positive  gap  will  exist  at  more  severe 
temperature  gradients  than  was  experienced  on  STS-3  and  STS-4;  i.  e. ,  PLBD  closure  should  not  be  a 
problem  after  experiencing  the  same  attitude  profiles. 

The  procedures  listed  above  start  with  the  most  benign  steps  and  progress  to  the  more  severe  action  to  be 
taken  for  each  case. 
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PLBD  RULE  REFERENCE  MATRIX 


FAILURE  MODE 

FLIGHT  RULE 

DAY  1/ON  ORBIT 

ENTRY  DAY 

DOOR  RULES 

A.  LATCH  GANG  DOES  NOT  HAVE  TWO  MOTORS 
FOR  CLOSE 

?  CONTINUE  FLIGHT  AS  PLANNED 

?  CONTINUE  FLIGHT 

AS  PLANNED 

B.  ONE  MOTOR  IN  EACH  OF  TWO  SEPARATE 

LATCH  GANGS  FAILED  DUE  TO  A  MECHANICAL, 
ELECTRICAL,  OR  PL  MDM  FAILURE,  AND  NEXT 
FAILURE  WILL  RESULT  IN  MULTIPLE  LATCH 
GANGS  OUT,  WHERE  MOTOR  FUNCTION  IS: 

1 .  NOT  RECOVERABLE  BY  IFM 

2.  RECOVERABLE  BY  IFM 

?  ENTER  FIRST  DAY  PLS/NEXT  PLS 

?  CONTINUE  FLIGHT  AS  PLANNED 

?  ENTER  FIRST  DAY 
PLS/NEXT  PLS 
?  CONTINUE  FLIGHT 

AS  PLANNED 

C.  C/L  LATCH  GANG  FAILS  CLOSED  OR  IN  TRANSIT 
AND  CANNOT  BE  VISUALLY  VERIFIED  TO  BE 
CLEAR  OF  THE  ROLLERS 

?  DO  NOT  OPEN  PLBD'S 

?  ENTER  FIRST  DAY  PLS/NEXT  PLS 
[1]  [2] 

?  ENTER  NEXT  PLS  [1] 
[2] 

D.  STARBOARD  BULKHEAD  LATCH  GANG  FAILS 
CLOSED  OR  IN  TRANSIT  AND  CANNOT  BE 
VISUALLY  VERIFIED  TO  BE  CLEAR  OF  THE 
ROLLERS 

?  DO  NOT  OPEN  PLBD'S 

?  ENTER  FIRST  DAY  PLS/NEXT  PLS 
[1]  [2] 

?  ENTER  NEXT  PLS  [1] 
[2] 

E.  PORT  BULKHEAD  LATCH  GANG  FAILS  CLOSED 

OR  IN  TRANSIT  AND  CANNOT  BE  VISUALLY 
VERIFIED  TO  BE  CLEAR  OF  THE  ROLLERS 

?  CANNOT  OPEN  PORT  PLBD 

?  LEAVE  STBD  DOOR  OPEN 

?  IF  ADEQUATE  COOLING  EXISTS, 
INVOKE  MDF  (IF  NOT,  NEXT  PLS) 

?  POWER  DOWN,  IF  NEEDED  [1]  [2] 

?  CONTINUE  FLIGHT 

AS  PLANNED 

?  CANNOT  OPEN 

PORT  PLBD  [1]  [2] 

F.  C/L  LATCH  GANG  FAILS  OPEN  OR  IN  TRANSIT 

AND  CAN  BE  VERIFIED  CLEAR  OF  THE  ROLLERS 

?  OPEN  PLBD'S  IN  MANUAL  MODE 

?  CONTINUE  FLIGHT  AS  PLANNED 
[1]  [2] 

?  CONTINUE  FLIGHT 

AS  PLANNED  [1]  [2] 

G.  BULKHEAD  LATCH  GANG  FAILS  OPEN  OR  IN 
TRANSIT  AND  CAN  BE  VERIFIED  CLEAR  OF 
ROLLERS 

?  OPEN  PLBD'S  IN  MANUAL  MODE 

?  CONTINUE  FLIGHT  AS  PLANNED 
[1]  [2] 

?  CONTINUE  FLIGHT 

AS  PLANNED  [1]  [2] 

H.  PLBD  DOES  NOT  HAVE  CLOSE  REDUNDANCY 

DUE  TO  A  MECHANICAL,  ELECTRICAL,  OR  PL 

MDM  FAILURE,  WHERE  MOTOR  FUNCTION  IS: 

1 .  NOT  RECOVERABLE  BY  IFM 

2.  RECOVERABLE  BY  IFM 

?  MDF 

?  CONTINUE  FLIGHT  AS  PLANNED 

?  MDF 

?  CONTINUE  FLIGHT 

AS  PLANNED 

1.  STBD  DOOR  FAILED  CLOSED 

?  ENTER  FIRST  DAY  PLS/NEXT  PLS 

?  ENTER  NEXT  PLS 

®[1 21 296-31 94B  ]  @[022201-3996  ] 


[1]  ACCEPTABLE  TO  ENTER  WITH  ONE  LATCH  GANG  UNLATCHED. 

[2]  MINIMIZE  ENTRY  LOADS  PER  RULE  {A10-203B},  PLBD  CRITICAL  LATCHES. 
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A10-209  PLBD  RULE  REFERENCE  MATRIX  (CONTINUED) 


FLIGHT  RULE 

FAILURE  MODE 

DAY  1/ON  ORBIT 

ENTRY  DAY 

DOOR  RULES 

J.  STBD  PLBD  FAILED  OPEN  OR  IN  TRANSIT: 

1.  READY-TO-LATCH  INDICATIONS  PRESENT 

? 

LATCH  STBD  BULKHEAD/C/L 

? 

LATCH  STBD 

LATCHES 

BULKHEAD/C/L 

? 

ENTER  FIRST  DAY  PLS/NEXT  PLS 

LATCHES 

? 

ENTER  NEXT  PLS 

2.  READY-TO-LATCH  INDICATIONS  NOT 

PRESENT: 

a.  ADEQUATE  CLEARANCE  TO  OPEN  PORT 

? 

OPEN  PORT  DOOR  AND  LEAVE 

? 

OPEN  PORT  PLBD 

DOOR 

OPEN  UNTIL  CLOSED  FOR  D/O 

? 

24-HOUR  DELAY 

? 

PREPARE  FOR  EVA  [3]  (POWER 

(POWER  DOWN,  IF 

DOWN,  IF  NECESSARY) 

NECESSARY) 

? 

INVOKE  MDF  IF  COOLING  ALLOWS 

9 

EVA  TO  CLOSE 

(IF  NOT,  PLS) 

DOOR  [3] 

? 

IF  ADEQUATE  COOLING,  PORT 
DOOR  CLEARANCE,  AND  PAYLOAD 
CLEARANCE  EXISTS,  A  5-SEC 

DRIVE  TEST  CAN  BE  PERFORMED 

b.  NOT  ENOUGH  CLEARANCE  TO  OPEN  PORT 

? 

DO  NOT  OPEN  PORT  DOOR 

? 

DO  NOT  OPEN  PORT 

DOOR 

? 

IF  FAILED  OPEN,  TRY  TO  CLOSE 

DOOR 

STBD  DOOR 

? 

EVA  TO  CLOSE 

? 

EVA  TO  CLOSE  STBD  DOOR  [3] 

STBD  DOOR  [3] 

? 

ENTER  FIRST  DAY  PLS/NEXT  PLS 

K.  PORT  PLBD  FAILED  CLOSED 

? 

STBD  DOOR  WILL  REMAIN  OPEN 

? 

STBD  DOOR  WILL 

UNTIL  D/O 

REMAIN  OPEN  UNTIL 

? 

POWER  DOWN,  IF  NEEDED 

D/O 

? 

INVOKE  MDF  IF  COOLING  ALLOWS 
(IF  NOT,  PLS) 

? 

POWER  DOWN,  IF 
NEEDED 

L.  PORT  PLBD  FAILED  OPEN  OR  IN  TRANSIT 

9 

STBD  PLBD  WILL  REMAIN  OPEN 

9 

STBD  PLBD  WILL  BE 

UNTIL  D/O 

OPENED  OR  REMAIN 

9 

PREPARE  FOR  EVA  (POWER 

OPEN 

DOWN,  IF  NECESSARY)  [3] 

? 

24-HOUR  DELAY 

9 

INVOKE  MDF  IF  COOLING  ALLOWS 
(IF  NOT,  PLS) 

(POWERDOWN,  IF 
NECESSARY) 

9 

IF  ADEQUATE  COOLING  AND 
PAYLOAD  CLEARANCE  IS 
AVAILABLE  A  5-SEC  DRIVE  TEST 
CAN  BE  PERFORMED 

9 

EVA  TO  CLOSE  PLBD 
[3] 

[3]  ENTRY  IS  REQUIRED  AT  NEXT  PLS  AFTER  EVA  IS  COMPLETE.  ®[ED  ]  @[022201-3996] 
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A10-209  PLBD  RULE  REFERENCE  MATRIX  (CONTINUED) 

A.  LATCH  GANG  DOES  NOT  HAVE  TWO  MOTORS  FOR  CLOSE. 

The  vehicle  is  in  a  fail-safe  condition  where  the  redundant  motor  remains  to  close  the  latch  gang. 
Loss  of  the  redundant  motor  will  still  allow  safe  entry.  Rockwell’s  1991  latch-out  analysis  has 
shown  that  an  entry  can  be  performed  with  a  single  bulkhead  or  centerline  latch  gang  out. 

Adequate  structural,  thermal,  and  stability  margins  exist  above  the  required  1.4  factor  of  safety  for 
all  tested  flight  conditions.  (Ref.  Structural  Assessment  of  Shuttle  Orbiter  Payload  Bay  Door  for 
Entry  with  a  Latch  Gang  Out,  SSD91D0276,  May  1991;  and  SODB,  vol.  I,  3. 4. 2. 3.) 

B.  ONE  MOTOR  IN  EACH  OF  TWO  SEPARATE  LATCH  GANGS  FAILED  DUE  TO  A 
MECHANICAL,  ELECTRICAL,  OR  PL  MDM  FAILURE,  AND  NEXT  FAILURE  WILL  RESULT  IN 
MULTIPLE  LATCH  GANGS  OUT,  WHERE  MOTOR  FUNCTION  IS:  @[022201  -3996  ] 

1.  NOT  RECOVERABLE  BY  IFM. 

Entry  should  be  made  at  the  next  PLS  opportunity  in  order  to  minimize  exposure  time  to  the 
next  failure  which  could  result  in  multiple  latch  gangs  out.  There  is  no  analysis  to  indicate 
that  entry  with  multiple  latch  gangs  out  is  an  acceptable  condition  or  that  the  manual  latch 
tools  provide  the  same  structural  integrity  as  a  latch  gang.  ( Reference  Rule  {A10-203}, 

PLBD  CRITICAL  LATCHES,  and  Structural  Assessment  of  Shu  ttle  Orbiter  Payload  Bay  Door 
for  Entry  with  a  Latch  Gang  Out,  SSD91D0276,  May  1991.)  ®[1 21 296-31 94B] 

Rule  (A1 7-1001  j,  LIFE  SUPPORT  GO/NO-GO  CRITERIA,  references  this  rule.  ®[i 21 296- 

3194B  ]  ®[ED  ] 

2.  RECOVERABLE  BY  IFM. 

PLBD  IFM  procedures  exist  that  allow  for  closing  a  PLBD  latch  group(s)  and/or  the  PLBD's 
if  one  or  both  payload  MDM’s  (or  associated  cards )  is  lost  or  if  control  busses  AB1,  AB2, 
BC1,  BC2,  CA1,  or  CA2  are  failed.  These  IFM  procedures  are  considered  a  level  of 
redundancy  for  PLBD  and  latch  gang  closure.  Therefore,  after  the  loss  of  one  PL  MDM  or 
one  of  the  aforementioned  control  busses,  single-fault  tolerance  to  close  the  PLBD's  and  latch 
gangs  exists.  Since  single-fault  tolerance  exists  and  since  the  probability  of  requiring  the 
IFM  is  extremely  low,  NEOM  is  acceptable  after  the  loss  of  one  PL  MDM  or  applicable 
control  bus.  ( Reference  AEFTP  # 131  and  #164  minutes,  and  6/96  MDF  splinter  AEFTP. ) 

®[ED  ] 
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A10-209  PLBD  RULE  REFERENCE  MATRIX  (CONTINUED) 

C.  CENTERLINE  (C/L )  LATCH  GANG  FAILS  CLOSED  OR  IN  TRANSIT  AND  CANNOT  BE 
VISUALLY  VERIFIED  TO  BE  CLEAR  OF  THE  ROLLERS. 

If  the  C/L  latch  gang  fails  closed  or  in  transit  without  visual  verification  that  it  is  clear  of  the 
rollers,  the  PLBD ’s  should  remain  closed  and  entry  should  be  done  at  the  next  PLS  opportunity. 

For  the  C/L  latch  gang  failed  in  transit  where  the  latches  cannot  be  verified  clear  of  the  rollers, 
opening  the  PLBD’s  with  no  positive  cues  that  the  C/L  latch  gangs  are  completely  open  could  lead 
to  structural  damage  to  the  PLBD  and/or  latches  (reference  Rule  (A10-202AJ.2,  PLBD  VISUAL 
CUES).  Additionally,  full  PLBD  closure  and/or  C/L  latching  may  be  inhibited.  @[022201-3996  ] 

Entry  should  be  performed  as  early  as  possible,  and  entry  loads  should  be  minimized  ( reference 
Rule  {A10-203B},  PLBD  CRITICAL  LATCHES ). 

D.  STARBOARD  BULKHEAD  LATCH  GANG  FAILS  CLOSED  OR  IN  TRANSIT  AND  CANNOT  BE 
VISUALLY  VERIFIED  CLEAR  OF  THE  ROLLERS. 

If  a  starboard  bulkhead  latch  gang  fails  closed  or  in  transit  and  cannot  be  visually  verified  to  be 
clear  of  the  rollers,  the  PLBD’s  cannot  be  opened  and  entry  should  be  done  at  the  next  PLS 
opportunity.  For  a  starboard  bulkhead  latch  failed  in  transit  where  it  cannot  be  visually  verified 
clear  of  the  rollers,  opening  the  starboard  PLBD  without  positive  cues  that  the  latches  are  clear 
of  the  rollers  could  also  lead  to  structural  damage  of  the  PLBD  and/or  bulkhead  latches.  PLBD 
closing  could  be  inhibited.  Entry  loads  should  be  minimized  (reference  Rule  {A10-203B},  PLBD 
CRITICAL  LATCHES). 

E.  PORT  BULKHEAD  LATCH  GANG  FAILS  CLOSED  OR  IN  TRANSIT  AND  CANNOT  BE 
VISUALLY  VERIFIED  TO  BE  CLEAR  OF  THE  ROLLERS. 

For  a  port  bulkhead  latch  foiled  closed  or  in  transit  with  no  visual  verification  that  it  is  clear  of  the 
rollers,  the  starboard  door  should  remain  open  to  provide  cooling.  The  port  door  cannot  be  opened, 
and  a  MDF  should  be  invoked.  If  a  port  bulkhead  latch  gang  is  partially  open,  but  not  clear  of  the 
rollers,  any  attempt  to  open  the  door  could  cause  structural  damage  to  the  door  and/or  latches,  and 
PLBD  closure  could  be  inhibited.  An  MDF  should  be  considered,  if  adequate  cooling  cdlows, 
otherwise,  entry  must  be  done  next  PLS.  Entry  loads  should  be  minimized  (reference  Rule  (A10- 
203B},  PLBD  CRITICAL  LATCHES). 
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A10-209  PLBD  RULE  REFERENCE  MATRIX  (CONTINUED) 

F./G.  CENTERLINE/BULKHEAD  LATCH  GANG  FAILS  OPEN  OR  IN  TRANSIT  AND  CAN  BE 
VERIFIED  CLEAR  OF  THE  ROLLERS. 

If  a  centerline  or  bulkhead  latch  gang  fails  open  or  in  transit  and  can  be  verified  clear  of  the 
rollers  the  flight  can  continue  as  planned  since  entry  with  a  single  bulkhead  latch  gang  out  has 
been  deemed  acceptable  (SODB.  vol.  I,  3. 4.2. 3  and  Rockwell  Latch  Out  Analysis,  1991).  Auto 
PLBD  software  will  terminate  PLBD  operations  if  single  motor  drive  time  is  exceeded  and  manual 
mode  will  have  to  be  used.  The  only  single-point  failure  that  will  result  in  multiple  latch  gang 
failu  re  is  a  mechanical  jam  during  PLBD  closure.  Since  the  doors  are  already  open,  the  risk 
associated  with  another  mechanical  jam  is  incurred  only  when  the  doors  are  closed.  Terminating 
the  mission  early  does  not  reduce  the  risk  of  the  next  failure.  Consequently,  the  mission  can 
continue  as  planned.  EVA  is  not  required  for  a  single  latch  gang  out,  but  entry  loads  should  be 
minimized  if  a  gang  is  unlatched  (reference  Rule  {A10-203},  PLBD  CRITICAL  LATCHES). 

H.  PLBD  DOES  NOT  HAVE  CLOSE  REDUNDANCY  DUE  TO  MECHANICAL,  ELECTRICAL,  OR  PL 
MDM  FAILURE,  WHERE  MOTOR  FUNCTION  IS:  @[022201 -3996  ] 

1.  NOT  RECOVERABLE  BY  IFM. 

For  loss  of  door  closu  re  redundancy  due  to  an  electrical  or  mechan  ical  failu  re,  an  MDF  must 
be  declared  to  minimize  exposure  to  the  next  failure  that  would  prevent  the  payload  bay  doors 
from  closing  without  cm  EVA. 

2.  RECOVERABLE  BY  IFM.  @[022201  -3996  ] 

Reference  B2  rationale.  ®[1 21 296-31 94B  ]  ®[ED  ] 

Reference  Rules  {A2-104A}.  Lb,  SYSTEMS  REDUNDANCY  REQUIREMENTS,  and  {A17-1001 },  LIFE 
SUPPORT  GO/NO-GO  CRITERIA.  ®[ED  ] 

I.  STARBOARD  DOOR  FAILED  CLOSED. 

For  the  starboard  door  failed  closed,  entry  must  be  done  at  the  next  PLS  opportunity.  The  failed 
starboard  door  prevents  either  door  from  opening,  and  results  in  lack  of  radiator  cooling. 
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A10-209  PLBD  RULE  REFERENCE  MATRIX  (CONTINUED) 

J.  STARBOARD  PLBD  FAILED  OPEN  OR  IN  TRANSIT. 

If  the  ready-to-latch  indications  are  present,  the  starboard  door  is  within  4  degrees  of  being  fully 
closed.  The  bulkhead  latches  can  be  used  to  help  “pull”  the  PLBD  closed,  since  this  position  is 
within  the  bulkhead  latch  reach  capability.  Entry  should  be  made  at  the  next  PLS  since  the  PLBD’s 
cannot  be  opened  and  limited  vehicle  cooling  exists. 

If  the  ready-to-latch  indications  are  not  present,  the  starboard  door  is  partially  or  fully  opened. 

The  starboard  door  is  opened  greater  than  two  stripes  on  the  pushrods,  there  is  sufficient 
clearance  for  the  port  door  to  open  withou  t  interference.  The  port  door  should  be  opened  and 
remain  open  to  allow  some  radiator  cooling  since  an  EVA  will  have  to  be  performed  to  close  the 
starboard  door.  An  MDF  will  be  done,  if  adequate  cooling  allows,  to  limit  exposure  to  the  next 
failure  that  might  affect  EVA  capability  or  cooling.  If  the  door  is  jammed  while  opening,  a  5- 
second  drive  test  can  be  done  to  troubleshoot  the  problem  as  long  as  closing  the  door  will  not 
threaten  cooling  margins,  port  door  closure,  or  the  payload  deploy  envelope. 

If  the  failure  occurs  on  entry  day,  a  24-hour  waveoff  will  be  required  to  prepare  for  and  complete 
the  EVA.  A  next  PLS  entry  will  be  required  after  the  EVA  is  complete.  If  the  starboard  door  is  not 
open  far  enough  ( two  pushrod  stripes)  to  allow  the  port  door  to  open,  an  entry  must  be  done  at  the 
next  PLS  opportunity,  since  neither  door  can  be  opened  for  radiator  cooling.  If  the  door  will  drive 
closed,  close  it;  if  jammed  in  the  open  direction,  perform  an  EVA  to  close  the  door. 

K.  PORT  PLBD  FAILED  CLOSED. 

If  the  port  door  fails  closed,  the  starboard  door  should  remain  open  to  provide  radiator  cooling. 

An  MDF  should  be  considered  if  adequate  cooling  is  available,  otherwise  enter  next  PLS. 

L.  PORT  PLBD  FAILED  OPEN  OR  IN  TRANSIT. 

For  a  port  door  failed  open  or  in  transit,  an  MDF  can  be  considered,  but  whether  it  can  be 
accomplished  depends  on  how  far  the  failed  PLBD  is  open  for  radiator  cooling.  Even  if  there  is 
no  cooling  constraint,  an  MDF  must  be  invoked  to  limit  exposure  to  the  next  failure  that  will  affect 
EVA  capability.  The  starboard  door  should  remain  open.  An  EVA  should  be  planned.  If  the  door 
jammed  while  opening,  a  5-second  drive  test  may  be  performed  to  troubleshoot  the  problem  as 
long  as  closing  the  door  will  not  threaten  cooling  margins  or  the  payload  deploy  envelope. 

For  a  failure  on  entry  day,  a  24-hour  waveoff  should  be  done  to  prepare  for  and  complete  the  EVA. 
Landing  at  the  next  PLS  will  be  required  upon  completion  of  the  EVA. 

Rule  (A1 7-1001  j,  LIFE  SUPPORT  GO/NO-GO  CRITERIA,  references  this  rule.  ®[ED  ] 
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RADIATOR  SYSTEMS  MANAGEMENT 


A10-221 


RADIATOR  MECHANICAL 


A.  PORT  OR  STARBOARD  RADIATOR  PANELS  WILL  BE  STOWED  AND  LATCHED 
WHEN  ONLY  SINGLE-MOTOR  CAPABILITY  REMAINS  TO  STOW  OR  LATCH 
THAT  SIDE. 


Failure  of  one  radiator  stow  or  latch  motor  places  the  vehicle  one  failure  away  from  loss  of  stow/latch 
capability.  Losing  the  stow  function  on  a  deployed  radiator  will  require  an  EVA  to  stow  that  radiator 
prior  to  payload  bay  door  closure.  An  unlatched  radiator  may  cause  the  loss  of  the  associated  Freon 
loop  due  to  entry  loads  and  vibrations  which  would  place  the  vehicle  one  failure  away  from  possible  loss 
of  crew/vehicle  (loss  of  remaining  Freon  loop).  It  is  not  known  if  the  stowed,  unlatched  radiator  could 
come  into  contact  with  items  in  the  payload  bay  during  en  try.  While  EVA  backup  exists  for  stowing  the 
radiators,  it  does  not  exist  for  latching  them. 


B.  THE  FLIGHT  WILL  CONTINUE,  WATER  CONSUMABLES  PERMITTING,  WITH 
THE  FOLLOWING  FAILURES: 


1.  RADIATOR  LATCHES  FAILED  CLOSED  OR  OPEN. 

2.  RADIATOR  PANELS  FAILED  STOWED  OR  DEPLOYED. 


The  radiators  were  designed  to  operate  in  either  the  deployed  or  stowed  position.  This  rule  was  written 
to  document  to  the  community  that,  regardless  of  the  radiator  position  or  latch  status,  the  mission  may 
continue. 

C.  AN  EVA  WILL  BE  REQUIRED  TO  STOW  A  FAILED  DEPLOYED  RADIATOR 
PANEL . 


The  PLBD’s  cannot  be  closed  with  a  failed,  deployed  radiator  due  to  possible  interference  with  the 
opposite  door,  radiator,  or  payload.  EVA  is  the  only  means  available  if  the  deploy/stow  mechanism  has 
failed.  No  EVA  capability  is  available  for  a  failed  radiator  latch. 
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A10-221  RADIATOR  MECHANICAL  (CONTINUED) 

D.  OPERATIONS  WHILE  THE  RMS  IS  UNCRADLED: 

1.  RADIATOR  DEPLOY  OPERATIONS: 

IF  PRACTICAL,  RADIATOR  DEPLOY  OPERATIONS  WILL  BE  DELAYED 
UNTIL  AFTER  RMS  OPERATIONS  ARE  COMPLETE  OR  THE  RMS  WILL 
BE  CRADLED  DURING  DEPLOY  OPERATIONS.  IF  IT  IS  NOT 
PRACTICAL  TO  CRADLE  THE  RMS,  RADIATOR  DEPLOY  OPERATIONS 
WILL  BE  PERFORMED  WITH  THE  CIRCUIT  BREAKERS  OPEN  FOR  MPM 
SYSTEM  SAFING  (SOME  ACTUATORS  WILL  OPERATE  SINGLE  MOTOR) 

2.  RADIATOR  STOW  OPERATIONS  MAY  BE  PERFORMED  WHILE  THE  RMS 
IS  UNCRADLED  (SOME  ACTUATORS  WILL  OPERATE  SINGLE  MOTOR) . 

In  order  to  prevent  the  uncradled  RMS  from  being  one  failure  away  from  inadvertent  MPM  stow 
( possible  loss  of  crew/vehicle),  the  following  cb  ’s  are  opened  to  remove  power  to  the  MPM  system: 

MA73C:  C  cb  MCA  PWR  AC  2  30  MID  2 
D  cb  MCA  PWR  AC  3  30  MID  4 

These  also  affect  radiator  motors,  but  allow  at  least  single-motor  operations  in  all  actuators.  Stow 
operations  may  occur  anytime  since  it  is  not  necessary  to  verify  dual-motor  operations.  During  deploy 
operations,  dual-motor  operations  must  be  verified  so  that  the  radiators  and  latches  will  not  be  one 
failure  away  from  loss  of  latch/stow  capability  due  to  an  undetected  failure  ( i.  e. ,  it  is  not  known  if  the 
powered-off  motor  is  functional).  Losing  the  latch  or  stow  function  on  a  radiator  may  cause  the  loss  of 
the  associated  Freon  loop  due  to  entry  loads  and  vibrations  which  would  put  the  vehicle  one  failure 
away  from  the  possible  loss  of  crewA’ehicle.  It  is  not  known  if  the  unsecured  radiator  could  come  into 
con  tact  with  a  returned  payload;  this  should  be  considered,  if  applicable.  Therefore,  to  ensure  dual- 
motor  radiator  operations,  deploy  should  wait  until  after  RMS  nominal  operations  are  completed  and 
the  RMS  can  be  safely  cradled  (payload  berthed  or  released,  etc.).  If  radiator  deploy  is  time  critical, 
the  RMS  will  be  cradled  if  present  operations  permit;  otherwise,  the  radiators  will  be  deployed  single 
motor.  It  is  highly  desirable  that  dual-motor  operations  be  verified  ASAP  after  the  RMS  is  cradled. 

This  is  especially  critical  for  latching,  because  there  is  no  known  EVA  backup  to  provide  this  function 
as  there  is  for  stowing. 

Rule  (A12-74J,  INADVERTENT  MPM  CYCLING  PROTECTION  [CIL],  references  this  rule. 
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A10-222  RADIATOR  VISUAL  CUES 

A.  RADIATOR  DEPLOYED  -  A  SUSPECT  RADIATOR  IS  CONSIDERED  DEPLOYED 
IF  IT  APPEARS  TO  BE  IN  THE  SAME  RELATIVE  POSITION  AS  THE 
OTHER  RADIATOR  WHEN  IT  IS  DEPLOYED. 

B.  RADIATOR  STOWED  -  A  SUSPECT  RADIATOR  CANNOT  BE  EVALUATED 
FOR  THE  STOWED  POSITION  (IF  CLOSE  TO  IT)  UNTIL  THE  PLBD 
IS  PARTIALLY  CLOSED  (90  DEGREES) .  FOR  SAFE  LATCHING  THE 
POSITIONS  OF  THE  FIXED  AND  DEPLOYED  PANELS  ON  THE  SAME 
SIDE  SHOULD  BE  ALIGNED  WITH  EACH  OTHER. 

If  the  radiator  is  thought  to  have  not  deployed  fully  (e.g.,  failure  to  receive  the  deploy  indications),  then 
the  only  visual  means  of  determining  if  it  reached  the  commanded  position  is  to  compare  it  to  the  other 
(fully  deployed )  radiator. 

If  a  radiator  is  suspected  to  have  not  reached  the  stowed  position  (e.g.,  failure  to  receive  the  stow 
indications),  then  it  can  be  checked  in  the  following  manner.  The  PLBD  to  which  it  is  attached  must  be 
closed  90  degrees  (about  halfw’ay)  so  that  the  radiator  can  be  easily  seen.  On  each  PLBD,  there  are  four 
radiator  panels,  two  deployable  (forward)  and  two  fixed  (aft).  When  the  deployable  panels  are  stowed, 
the  seam  between  them  and  the  fixed  set  should  match  up.  If  so,  the  radiator  can  be  safely  latched. 
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ET  UMBILICAL  DOORS  SYSTEMS  MANAGEMENT 


A10-241  ET  UMBILICAL  DOOR  KEYBOARD  ENTRY 

THE  ET  DOOR  CLOSE  KEYBOARD  ITEM  ENTRY  WILL  ONLY  BE  USED  IF 
MANUAL  ET  UMBILICAL  DOOR  CLOSE  OPERATIONS  ARE  UNSUCCESSFUL  AND: 
@[022802-5110  ] 

A.  THE  CENTERLINE  LATCHES  ARE  STOWED  AND  BOTH  ET  DOORS  ARE 
CONFIRMED  READY-TO-LATCH,  OR 

B.  AN  AOA  IS  BEING  PERFORMED. 

With  the  exception  of  an  RTLS  or  a  TAL,  the  software  sequence  is  not  nominally  used,  and  the  ET 
umbilical  doors  are  closed  manually.  After  ET  separation,  but  while  still  in  OPS  1  (MM  104,  105,  106), 
the  software  sequence  may  be  initiated  by  an  item  entry  on  SPEC  51.  This  software  issues  commands 
based  on  single  motor  drive  times  and  does  not  check  (or  stop)  for  anomalous  operation.  The  potential 
exists  to  drive  the  doors  against  the  centerline  latches  (if  they  do  not  stow  nominally),  damaging  the 
drive  mechanism  and  preventing  proper  door  closure. 

Crew  initiation  of  the  software  sequence  is  possible  only  in  OPS  1  via  the  SPEC  51  item  entry. 

Therefore,  for  an  AOA,  the  ET  umbilical  doors  will  be  closed  prior  to  transitioning  out  of  OPS  1  in  order 
to  maintain  redundancy  in  the  event  of  an  ET  umbilical  door  switch  failure.  Following  nominal  ascent 
or  an  ATO,  door  closure  can  be  delayed  until  OPS  2  since  real-time  commands  (RTC’s)  can  be  used  to 
close  and  latch  the  doors  in  the  event  of  a  switch  failure.  In  cases  where  there  is  no  potential  for  driving 
the  doors  against  the  centerline  latches  or  latching  the  uplock  latches  before  the  doors  are  closed,  the 
OPS  1  SPEC  51  item  entry  may  be  used  instead  of  sending  ground  commands.  Closure  during  an 
RTLS/TAL  is  automatic,  using  the  software  sequence.  In  all  other  situations,  the  MCC  will  be  con  tacted 
to  determine  the  method  of  door  closure.  @[022802-5110] 

A10-242  ET  UMBILICAL  DOORS  ON  ORBIT 

THE  ET  DOORS  WILL  NORMALLY  BE  CLOSED  AFTER  THE  H>  PRESSURIZATION 
LINE  VENTING  IS  COMPLETED.  BOTH  ET  DOORS  MUST  BE  CLOSED  AND 
LATCHED  BEFORE  DEORBIT. 

#2  pressurization  line  venting  should  be  completed  before  ET  door  closure  to  ensure  that  any  residual 
H2  in  the  line  can  dissipate  into  space.  If  the  doors  are  closed,  El 2  can  be  trapped  in  the  ET  door  cavity 
and  will  take  a  much  longer  time  to  vent  through  the  aft  compartment.  The  doors  should  be  closed  and 
latched  before  entry  to  avoid  structural  damage  because  of  protruding  surfaces  during  reentry  heating 
and  to  provide  a  smooth  undersu  rface  for  stable  aerodynamic  con  trol. 
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A10-243  ET  UMBILICAL  DOOR  CLOSURE  DELAY  FOR  DISCONNECT 

VALVE  FAILURE  [CIL] 

FOR  FAILURE  OF  THE  LO2  AND/OR  LH2  17-INCH  DISCONNECT  VALVE ( S )  TO 
CLOSE,  ET  UMBILICAL  DOOR  CLOSURE:  @[022802-5110] 

A.  FOLLOWING  NOMINAL  ASCENT  OR  AN  ATO,  WILL  BE  DELAYED  IN  ORDER 
TO  OBTAIN  A  MINIMUM  OF  40  CONTINUOUS  MINUTES  OF  BOTTOM-SUN 
EXPOSURE  IMMEDIATELY  PRIOR  TO  ATTEMPTING  CLOSURE. 

B.  DURING  AN  AOA,  WILL  BE  DELAYED  AS  LONG  AS  POSSIBLE,  WITH 
BOTTOM-SUN  EXPOSURE  IF  FEASIBLE,  BUT  WILL  BE  PERFORMED  PRIOR 
TO  TRANSITIONING  FROM  OPS  1. 

C.  DURING  A  TAL  OR  RTLS ,  WILL  NOT  BE  DELAYED. 

When  possible,  ET  umbilical  door  closure  will  be  delayed  following  failure  of  the  LO2  or  LH2 
disconnect  valves  to  close  in  order  to  allow  for  venting  of  residual  cryogenic  propellants  and  thermal 
conditioning  of  the  ET  door  pressure  seal  and  thermal  barrier.  This  will  allow  proper  door 
closure/sealing,  prevent  pressurization  of  the  ET  umbilical  compartment,  and  prevent  residuals  from 
entering  the  aft  compartment.  A  bottom-sun  attitude  speeds  this  conditioning/venting.  For  most  orbits 
( 160  nm,  28.5-degree  inclination),  a  maximum  of  55  minutes  of  sun  exposure  can  be  obtained.  For  ATO 
orbits  ( 106  nm  altitude),  only  40  minutes  of  sun  exposure  can  be  obtained.  Higher  inclination  orbits 
provide  longer  sun  exposure.  A  minimum  of  40  continuous  minutes  with  the  orbiter  in  a  bottom-sun 
attitude  will  ensure  adequate  conditioning/venting.  Reference  SODB  submittal  Pl-1577 for  thermal 
analysis. 

Crew  initiation  of  the  software  sequence  is  possible  in  OPS  1  only  (MM  104,  105,  106),  via  the  SPEC  51 
item  entry.  Therefore,  for  an  AOA,  the  ET  umbilical  doors  will  be  closed  prior  to  transitioning  out  of 
OPS  1  in  order  to  maintain  redundancy  in  the  event  of  an  ET  umbilical  door  switch  failure.  For  nominal 
ascent/ ATO,  door  close  redundancy  exists  in  OPS  2  via  ground-issued  RTC’s.  Closure  during  an 
RTLS/TAL  is  automatic;  also,  the  time  criticality  of  door  closure  precludes  additional  venting  or 
conditioning.  @[022802-51 1 0  ] 
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VENT  DOOR  SYSTEMS  MANAGEMENT  ®[ED  ] 


A10-261  VENT  DOOR  MANAGEMENT 

A.  ORBIT  -  ALL  VENT  DOORS  WILL  NOMINALLY  BE  OPEN  DURING  ORBIT 
OPS  EXCEPT  FOR  THE  FOLLOWING: 

1.  IF  REDUNDANT  CLOSE  CAPABILITY  IS  LOST  FOR  VENT  DOORS  1 
AND  2,  THE  AFFECTED  DOOR  WILL  BE  CLOSED  PROVIDED  OPEN 
REDUNDANCY  EXISTS  ON  THE  OPPOSITE  DOOR.  FOR  THE  REMAIN¬ 
ING  DOORS,  NO  ACTION  WILL  BE  TAKEN  FOR  THE  LOSS  OF 
REDUNDANT  CLOSE  CAPABILITY. 

For  loss  of  close  redundancy ,  the  affected  door  is  closed  to  limit  the  exposure  to  the  next  failure  that 
would  leave  the  door  failed  open.  It  is  predicted  that  the  1/2  vent  box  will  melt  if  exposed,  resulting  in 
structural  damage  that,  although  not  a  flight-safety  concern,  is  a  significant  impact  to  vehicle 
turnaround  (upper  and  lower  fuselage  must  be  demoted  for  repair  -  estimated  >  1  year). 

If  open  redundancy  does  not  exist  on  the  opposite  door,  the  affected  door  will  not  be  closed  in  order  to 
protect  against  a  subsequent  failure  that  could  fail  the  door  in  the  closed  position.  With  the  loss  of  open 
redundancy,  the  flight  rule  is  biased  towards  ensuring  1/2  compartment  venting  is  guaranteed  ( i.  e. ,  door 
open)  rather  than  closing  the  door  to  protect  against  the  thermal  impact  during  entry  should  subsequent 
failures  occur. 

The  thermal  impact  with  a  door  failed  open  is  the  most  severe  in  the  forward  compartment.  The  midbody 
doors  will  experience  600  deg  to  700  deg  F  heating  while  the  aft  compartment  doors  will  experience  less 
than  550  deg  F  heating.  The  structural  impact  associated  with  these  temperatures  is  minimal. 
Consequently,  no  protective  measures  are  implemented. 

2.  FOR  A  VENT  DOOR  FAILED  OPEN,  NO  ACTION  WILL  BE  TAKEN 
UNLESS  CLOSE  REDUNDANCY  IS  LOST  ON  THE  OPPOSITE  DOOR. 
LOSS  OF  CLOSE  REDUNDANCY  ON  THE  OPPOSITE  DOOR  WILL  BE 
CAUSE  TO  CLOSE  THE  DOOR. 

Discussions  at  the  Entry  Flight  Techniques  Panel  (FTP)  # 43  determined  that  sufficient  entry  venting 
can  be  maintained  with  one  side  of  a  vent  group  closed.  (Assumes  nominal  entry.  If  entry  is  dispersed 
and  vent  door  fails  closed,  the  factor  of  safety  will  be  less  than  1.4).  Furthermore,  entry  with  both  sides 
open  will  result  in  structural  damage  due  to  hot  plasma  and  possible  flow-through  of  hazardous  gas. 
Therefore,  if  a  vent  door  fails  open  and  close  redundancy  is  lost  on  the  opposite  door,  the  opposite  door 
will  be  closed  to  protect  against  the  next  failure  that  would  leave  the  door  failed  open. 
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A10-261  VENT  DOOR  MANAGEMENT  (CONTINUED) 

3.  VENT  DOORS  MAY  BE  CLOSED  IN  ORDER  TO  MINIMIZE  THE 
POTENTIAL  FOR  CONTAMINATION  OF  SPACECRAFT  OR  EVA 
OPERATIONS  WHEN  A  KNOWN  CONTAMINANT  EXISTS  IN  AN 
ACTIVELY  VENTED  COMPARTMENT.  ©[072398-6686B] 

On-orbit,  the  vent  doors  are  nominally  left  open  to  permit  molecular  venting  of  the  thermal  insulation. 
The  risk  of  closing  the  forward  and/or  aft  compartments  to  preclude  any  potential  off-gassing  of  a  known 
contaminant  from  these  compartments  outweighs  the  risk  of  compartment  overpressurization  should  a 
large  OMS  or  RCS  tank  leak  occur.  ©[072398-6686B] 

B.  ENTRY 

1.  IF  OPEN  CAPABILITY  IS  LOST  ON  ANY  VENT  DOOR  DUE  TO  A 

MULTIPHASE  AC  LOSS  (NO  SHORT),  DEORBIT  WILL  BE  DELAYED 
TO  INSTALL  THE  AC  BUS  TRANSFER  CABLE  AND  REGAIN  OPEN 
CAPABILITY. 


Deorbit  will  be  delayed  if  the  ac  bus  transfer  cable  can  be  installed  to  regain  open  capability  on  any  vent 
door.  This  will  allow  entering  with  the  maximum  available  venting. 

2.  IF  VENT  DOORS  1  AND  2  OR  8  AND  9  ARE  FAILED  CLOSED  ON  ONE 
SIDE  AND  OPEN  REDUNDANCY  IS  LOST  ON  THE  OPPOSITE  SIDE, 
DEORBIT  WILL  BE  DELAYED  IF  INSTALLATION  OF  THE  AC  BUS 
TRANSFER  CABLE  WILL  REGAIN  OPEN  REDUNDANCY. 


Deorbit  will  be  delayed  if  the  ac  bus  transfer  cable  can  be  installed  to  regain  open  redundancy  after  the 
opposite  door  has  failed  closed  in  the  forward  or  aft  compartmen  t.  This  will  allow  en  tering  with  the 
doors  closed,  precluding  entry  heating  structural  damage. 

3.  ALL  VENT  DOORS  WILL  NOMINALLY  BE  CLOSED  FOR  ENTRY  EXCEPT 
AS  FOLLOWS: 

a.  FORWARD/AFT  VENT  DOORS: 

(1)  IF  OPEN  REDUNDANCY  IS  LOST  ON  BOTH  SIDES  OF  THE 
AFFECTED  COMPARTMENT  (1  AND  2  OR  8  AND  9)  AND 
ONE  FAILURE  (AVIONICS/POWER)  WILL  RESULT  IN  LOSS 
OF  OPEN  CAPABILITY  OF  DOORS  ON  BOTH  SIDES,  ONE 
DOOR  WILL  REMAIN  OPEN  THROUGHOUT  THE  MISSION. 
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A10-261  VENT  DOOR  MANAGEMENT  (CONTINUED) 

During  nominal  entry,  it  is  required  to  maintain  the  capability  to  open  at  least  one  side  of  each  vent 
door  group  in  the  forward  and  aft  compartmen  ts  for  sufficien  t  compartmen  t  ven  ting.  After  the  loss  of 
redundancy  on  both  sides  of  either  the  forward  or  aft  compartments  and  one  failure  of  avionics  or 
power  resulting  in  loss  of  open  capability  of  doors  on  both  sides,  one  door  will  remain  open 
throughout  the  mission.  This  action  will  cause  structural  damage  to  the  orbiter  due  to  the  hot  plasma 
(1200  deg  F  for  1  and  2  and  less  than  550  deg  F  for  8  and  9),  but  will  protect  against  the  next  failure 
preventing  any  venting  to  a  compartmen  t.  Loss  of  ven  ting  in  the  forward  or  aft  compartmen  ts  is 
catastrophic. 

(2)  IF  VENT  DOORS  1  AND  2  OR  8  AND  9  ARE  FAILED 

CLOSED  ON  ONE  SIDE  AND  OPEN  REDUNDANCY  IS  LOST 
ON  THE  OPPOSITE  SIDE,  THE  OPPOSITE  VENT  DOORS 
WILL  REMAIN  OPEN  FOR  ENTRY.  IF  THE  AFFECTED 
DOOR  IS  MECHANICALLY  FAILED  CLOSED,  THE  OPPOSITE 
DOOR  WILL  REMAIN  OPEN  FOR  ENTRY  INDEPENDENT  OF 
OPEN  REDUNDANCY. 

Entry  FTP  #43  determined  that  it  is  expected  that  sufficient  venting  can  be  maintained  during  nominal 
entry  with  one  side  of  a  vent  door  group  in  the  forward  or  aft  compartmen  t  closed.  Entry  with  both  sides 
of  a  vent  group  failed  closed  in  the  forward  or  aft  compartment  will  result  in  structural  failure  and 
possible  loss  of  crew/vehicle.  If  a  vent  door  fails  closed  in  the  forward  or  aft  compartment,  as  long  as 
open  redundancy  exists  on  the  opposite  door,  no  action  will  be  taken.  The  orbiter  is  still  two  failures 
away  from  a  catastrophic  condition  ( i.  e. ,  no  compartment  venting),  assuming  a  structural  failure, 
gearbox  jam,  or  torque  limiter  slip  does  not  occur. 

Single-point  structural  failures  exist  but  are  not  protected  because  of  the  extreme  low  probability  of 
occurrence  (no  failures  experienced  in  testing  or  flight).  However,  if  a  vent  door  fails  closed  during 
flight  and  is  unexplained,  a  mechanical  failure  will  be  assumed.  The  opposite  vent  door  will  remain 
open,  protecting  against  a  subsequent  mechanical  failure  that  would  be  catastrophic. 

SODB  and  CIL’s  assume  that  failure  to  open  a  single  vent  door  below  70,000 feet  will  result  in  loss  of 
the  crew/vehicle. 


(3)  LEFT  VENT  DOORS  1/2  AND  8/9  WILL  REMAIN  OPEN  FOR 
ENTRY  IN  THE  EVENT  OF  AN  OMS  OXIDIZER,  RCS 
OXIDIZER,  OR  OMS  HE  LEAK.  IF  THE  LEAK  IS 
SUBSEQUENTLY  ISOLATED,  THESE  DOORS  WILL  BE 
CLOSED.  FOR  AN  OMS  FUEL,  RCS  FUEL,  RCS  HE,  OR 
APU  FUEL  LEAK  DURING  ENTRY,  NO  ACTION  WILL  BE 
TAKEN . 
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A10-261  VENT  DOOR  MANAGEMENT  (CONTINUED) 

It  has  been  determined  that  gas  leaks  which  exceed  structural  limits  occur  so  rapidly  that  the  crew 
cannot  respond.  For  example,  assuming  an  initial  tank  pressure  of 2000  psia  and  a  hole  diameter  of 
0.11  inch,  transient  leak  analysis  for  the  OMS  pod  large  helium  tank  indicated  that  the  peak  differential 
pressure  would  occur  20. 7  seconds  after  the  leak  started.  In  addition,  if  the  OMS  pod  to  ambient 
differential  pressure  exceeds  0.65  psid,  the  aft  vent  doors  may  not  open  when  commanded  (see  JSC 
memorandum  ES42-1 10M-85).  As  a  result,  a  GPC  item  entry  is  used  during  MM  301  to  command  left 
doors  1/2  and  8/9  open  independent  of  the  other  vent  doors.  This  capability  protects  the  orbiter  from 
possible  compartment  overpressurization  in  the  event  of  a  massive  OMS  oxidizer,  RCS  oxidizer,  or  OMS 
He  leak  during  MM  301,  302,  and  303. 

Nominally,  the  doors  are  closed  at  MM  304  transition  to  avoid  structural  damage  and  hazardous  gas 
ingestion  due  to  the  plasma  phase  of  entry.  However,  if  a  leak  cannot  be  isolated,  left  vent  doors  1/2  and 
8/9  will  remain  open  throughout  entry  in  order  to  remain  within  structural  limits. 

If  there  is  a  question  between  an  RCS  helium  or  RCS  oxidizer  leak,  an  oxidizer  leak  will  be  assumed  (ref. 
A/E  FTP  #13). 

b.  MIDBODY  VENT  DOORS: 

(1)  NO  ACTION  WILL  BE  TAKEN  FOR  MIDBODY  VENT  DOORS 
FAILED  CLOSED  AND/OR  LOSS  OF  REDUNDANCY. 

Discussions  at  the  Entry  FTP  # 43  determined  that  with  a  nominal  entry,  sufficient  venting  can  be 
maintained  in  the  midbody  after  two  opposite  doors  have  failed  closed. 

(2)  FOR  ENTRY  WITH  A  MIDBODY  H2  LEAK  >  1.0  LB/HR, 
MAXIMIZE  VENTING  BY  LEAVING  VENT  DOORS  OPEN 
UNTIL  AUTO  CLOSURE  MM  304  TRANSITION  (EI-5)  . 

Leaks  of  H 2  greater  than  1  Ib/hr  can  lead  to  H2  concentrations  in  the  midfuselage  that  exceed  the  H2 
flammability  limit  during  entry  (ref.  informal  note,  DF7/84-126,  dated  6/20/84).  Delaying  the  closure  of 
the  vent  doors  until  the  MM  304  transition  will  reduce  the  amoun  t  of  time  that  is  available  for  H2  to 
build  up  within  the  midfuselage  while  providing  the  maximum  amount  of  time  prior  to  the  high  heating 
phase  of  entry  that  //2  has  the  opportunity  to  escape. 

The  current  vent  door  software  will  automatically  close  any  vent  doors  at  the  MM  304  transition  that 
might  have  been  left  open  prior  to  that  time.  Additionally,  the  capability  does  not  exist  in  the  current 
software  to  open  any  midbody  vent  door  prior  to  the  MM  305  transition  which  occurs  well  below  the 
100,000 foot  altitude.  Therefore,  the  latest  the  midbody  vent  doors  can  be  left  open  for  H2  venting  is 
MM  304,  and  the  earliest  the  doors  can  be  opened  is  MM  305  (Mach  2.4). 
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PAYLOAD  RETENTION  LATCHES  (PRLA)  SYSTEMS  MANAGEMENT 


A10-281  PRLA' S/AKA' S 

A.  PRLA/ AKA  MANAGEMENT: 

1.  FOR  A  DEPLOYABLE  PAYLOAD  (WITH  RETURN  CAPABILITY),  THE 
ASSOCIATED  PRLA' s/AKA's  WILL  NOT  BE  CLOSED  UNTIL  PAYLOAD 
RETURN  CAPABILITY  IS  NO  LONGER  AN  OPTION.  ®[ED  ] 

2.  FOR  A  PAYLOAD  RETRIEVAL  MISSION,  THE  ASSOCIATED 
PRLA' S/AKA'S  WILL  NOT  BE  CLOSED  ON  ORBIT  UNTIL  THE 
PAYLOAD  IS  BERTHED. 


Because  of  inherent  single-point  failures  in  the  payload  retention  system,  the  PRLA’s  and  AKA’s  will 
remain  open  to  avoid  a  failure  that  could  preclude  returning  a  payload. 

3.  AN  EVA  WILL  BE  CONSIDERED  TO  OPEN  OR  CLOSE  ANY  TYPE  PRLA 
THAT  HAS  FAILED  TO  RELEASE  OR  LATCH.  AKA'S  ARE  EXCLUDED 
FROM  CONSIDERATION.  @[011801-3849] 

The  standard  weight  longeron  latch,  super  middleweight  longeron  latch  (SMWLL),  middleweight 
longeron  latch  (MWLL),  modified  middleweight  longeron  latch  (MMWLL),  and  lightweight  longeron 
latch  (LWLL)  types  have  EVA  release/latch  drive  mechanisms  incorporated  into  their  designs.  EVA 
should  be  considered  in  lieu  of  discontinuing  payload  operations  or  payload  jettison  in  order  to  preserve 
mission  success.  The  standard  weight  and  lightweight  AKA  types  have  neither  EVA  drive  capability  nor 
physical  access.  ®[oi  1 801  -3849  ] 

B.  PRLA/ AKA  REQUIREMENTS  FOR  NOMINAL  PAYLOAD  BERTHING 
OPERATIONS : 

1.  CONFIRMING  VISUAL  CUES  AND/OR  AT  LEAST  ONE  OF  TWO  RELEASE 
INDICATIONS  ON  ALL  PRLA' S/AKA'S  MUST  BE  PRESENT  BEFORE 
MANEUVERING  THE  PAYLOAD  INTO  THE  PRLA  V-GUIDES. 


During  berthing  operations,  PRLA  ’s/AKA  's  must  be  verified  released  in  order  to  preclude  possible 
structural  damage  to  the  payload  and  orbiter. 
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A10-281  PRLA' S/AKA' S  (CONTINUED) 

2.  CONFIRMING  VISUAL  CUES  AND/OR  AT  LEAST  ONE  OF  TWO  READY- 
FOR-LATCH  MICROSWITCH  INDICATIONS  MUST  BE  PRESENT  ON  ALL 
PRLA'S  BEFORE  CONTINUING  NOMINAL  PRLA/ AKA  CLOSE 
PROCEDURES . 

The  absence  of  both  PRLA  R-F-L  indications  represen  ts  a  condition  where  a  payload  trunnion  may  be 
outside  the  2-inch  PRLA  latch  envelope.  Continuation  of  PRLA  ops  without  further  evaluation  could 
allow  the  payload  operator  to  drive  this  latch  against  the  trunnion,  causing  the  PRLA  motors  to  stall. 

For  contingency  IUS  reberthing  operations,  R-F-L  indications  are  not  required,  since  the  IUS  keel  kick¬ 
offspring  will  nominally  preven  t  the  IUS  trunn  ions  from  contacting  the  R-F-L  microswitch  lever  arms. 
The  AFTA,  however,  will  maintain  the  trunnions  within  the  PRLA  latch  envelope  once  the  IUS  is  returned 
to  the  PRLA  release  position. 

When  latching  an  AKA,  the  R-F-L  indication  is  not  expected  until  the  latch  is  almost  completely  closed. 
The  indication  actually  serves  as  a  trunnion-in-place  indication  instead  of  a  R-F-L  cue. 

3.  WHEN  NOMINALLY  BERTHING  A  PAYLOAD  WITH  MULTIPLE  PRLA'S 
AND  ONE  OR  MORE  AKA'S,  THE  AKA ( S )  MUST  BE  LATCHED  FIRST 
BEFORE  CLOSING  THE  PRLA'S.  (REFER  TO  SPACE  SHUTTLE 
OPERATIONAL  FLIGHT  RULES  ANNEX  FOR  EXCEPTIONS.) 

During  berthing  operations,  the  AKA(s)  provides  the  necessary  force  required  to  center  the  payload 
within  the  payload  bay.  The  AKA  has  a  limited  capability  in  the  Y-direction  (2,500  lb  with  less  than  a 
0.25-inch  payload  offset,  1,000  lb  with  a  greater  than  0.25-inch  offset),  which  may  be  insufficient  to 
overcome  the  longeron  latch  resistance  once  the  PRLA’s  are  latched.  Therefore,  the  AKA(s)  must  be 
closed  prior  to  the  PRLA  ’ s  to  preclude  an  AKA  from  stalling.  Reference  RI STS84-0190A,  Payload 
Retention  System  Latches  Safety  Assessment  Report,  July  1984;  and  Shuttle  Flight  Operations  Manual 
(SFOM),  Volume  16,  Payload  Deployment  and  Retrieval  System,  Final,  June  1,  1981. 

C.  PRLA/ AKA  REQUIREMENTS  FOR  PAYLOAD  DEPLOY 

CONFIRMING  VISUAL  CUES  AND/OR  AT  LEAST  ONE  OF  TWO  RELEASE 
INDICATIONS  ON  ALL  PRLA's/AKA'S  MUST  BE  PRESENT  BEFORE 
CONTINUING  NOMINAL  PAYLOAD  DEPLOY  OPERATIONS. 

During  deploy  operations,  PRLA  ’ s/AKA ’s  must  be  verified  released  in  order  to  preclude  possible 
structured  damage  to  the  payload  and  orbiter. 
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A10-281  PRLA' S/AKA'S  (CONTINUED) 

D.  PRLA/AKA  LATCHED  DEFINITION 

FOR  PAYLOAD  RETURN  OR  ON-ORBIT  MANEUVERS  AND  TRANSLATIONS, 

A  PRLA/AKA  WILL  NOT  BE  CONSIDERED  LATCHED  WITHOUT  THE 
COMBINATION  OF  AT  LEAST  ONE  OF  TWO  LATCH  MICROSWITCH 
INDICATIONS,  AND  AT  LEAST  ONE  OF  TWO  RFL  MICROSWITCH 
INDICATIONS  (VISUAL  CUES  ACCEPTABLE  FOR  R-F-L  INDICATIONS) . 


PRLA  ’s/AKA ’s  must  be  verified  latched  in  order  to  preclude  possible  structural  damage  to  the  payload 
and  orbiter.  Failure  of  any  PRLA/AKA  to  indicate  a  latched  configuration  will  be  evaluated  on  a  flight- 
specific  basis  regarding  subsequent  on-orbit  maneuvers,  orbiter  attitude  control,  and  return  to  Earth 
capabilities. 

E.  PAYLOAD  RETENTION  PAYLOAD  SELECT  ROTARY  SWITCH  OPERATIONS: 

1.  FOR  MISSIONS  WHERE  NOMINALLY  ONLY  A  SINGLE  PAYLOAD  SELECT 
POSITION  WILL  BE  UTILIZED,  THE  PAYLOAD  RETENTION  PAYLOAD 
SELECT  ROTARY  SWITCH  WILL  BE  CONFIGURED  TO  THAT  POSITION 
FOR  LAUNCH  AND  WILL  REMAIN  IN  THAT  POSITION  FOR  THE 
DURATION  OF  THE  FLIGHT. 

2.  FOR  ALL  OTHER  MISSIONS,  THE  ROTARY  SWITCH  WILL  BE  LAUNCHED 
IN  THE  MONITOR  POSITION  AND  WILL  BE  OPERATED  AS  REQUIRED 
TO  BEST  SUPPORT  THE  MISSION. 


Operation  of  the  rotary  switch  for  single  payload  select  missions  is  not  necessary;  and  because  of 
inherent  single-point  failures  within  the  payload  select  rotary  switch,  use  of  this  switch  for  this  type 
mission  is  avoided  to  preclude  the  potential  of  mission  failure.  The  payload  retention  system  maintains 
fail  op/fail  safe  redundancy  against  inadvertent  operation  when  launched  and  flown  in  any  position. 

For  missions  using  multiple  payload  select  positions,  use  of  the  rotary  switch  is  usually  required.  The 
monitor  position  allows  a  complete  systems  status  verification  for  launch  commit  criteria  purposes  and 
for  orbit  operations. 

F.  PRLA/AKA  CONFIGURATION  FOR  ASCENT/ENTRY  @[072398-6687]  @[011801-3849] 

1.  WITH  NO  PAYLOAD 

a.  PRLA'S:  LATCHED 

b.  FLOATING  AKA'S:  RELEASED  @[011801-3849] 
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A10-281  PRLA' S/AKA'S  (CONTINUED) 

C.  FIXED  AKA'S:  LATCHED  OR  RELEASED  (REFER  TO  SPACE 
SHUTTLE  OPERATIONAL  FLIGHT  RULES  ANNEX  FOR 
EXCEPTIONS.)  @[011801-3849] 

All  PRLA  certification  testing  for  dynamic  flight  was  done  using  hardware  in  the  latched  configuration. 
Because  of  the  inherent  latch  mechanism  free-play  when  not  latched  overcenter,  the  loads  and  vibration 
levels  associated  with  dynamic  flight  may  cause  in  ternal  PRLA  damage  and  accelerate  mechanism 
wear.  Without  a  payload  trunnion  present,  a  floating  AKA  in  its  latched  position  is  free  to  move  along 
its  bridge  fitting  approximately  9  inches  in  the  x-axis.  Therefore,  the  AKA  can  impact  its  end  stops, 
resulting  in  AKA  and/or  orbiter  payload  bay  hardware  damage.  In  addition,  extensive  ground 
turnaround  testing/repair  would  be  required.  When  released,  however,  a  floating  AKA  opens  up  to 
completely  fill  the  gap  between  its  end  stops,  and  movement  along  its  bridge  fitting  cannot  occur.  A 
fixed  AKA  is  installed  with  a  center  stop  which  prevents  the  AKA  from  sliding  when  fully  latched.  The 
bridge  fitting  end  stops  prevent  movement  when  the  AKA  is  released. 

Reference  SODB,  vol.  I,  3.4.2.5-14  and  table  3. 4.2. 5-5  ( Active  Keel  Latch  Ascent  and  Entry  Constraints). 

@[072398-6687  ] 

2.  WITH  PAYLOAD  (REFER  TO  SPACE  SHUTTLE  OPERATIONAL  FLIGHT 
RULES  ANNEX  FOR  EXCEPTIONS) 

a.  PRLA' S :  LATCHED 

b.  FLOATING  AKA'S:  LATCHED 

c.  FIXED  AKA'S:  LATCHED 

The  payload  must  be  constrained  during  ascent/entry  to  prevent  movement  that  could  lead  to  damage  of 
the  orbiter  or  payload,  or  loss  of  crew/vehicle.  This  constraint  may  be  relaxed  for  entry  based  on  loads 
analysis  for  the  specific  payload;  the  annex  documents  any  such  analysis.  @[011801-3849  ] 

A10-282  THROUGH  A10-300  RULES  ARE  RESERVED 


VOLUME  A  06/20/02  FINAL  MECHANICAL  10-112 

Verify  that  this  is  the  correct  version  before  use. 


NASA  -  JOHNSON  SPACE  CENTER 


FLIGHT  RULES 


KU-BAND  ANTENNA  DEPLOY  MECHANISM  SYSTEMS  MANAGEMENT 


A10-301  ANTENNA  STOW  REQUIREMENT  [CIL] 

A.  FOR  LOSS  OF  REDUNDANT  KU-BAND  ANTENNA  STOW  CAPABILITY,  THE 

DEPLOYED  ASSEMBLY  WILL  BE  STOWED  AS  SOON  AS  PRACTICAL  UNLESS 
REQUIRED  TO  SUPPORT  RENDEZVOUS,  DOCKING,  PLANNED  EVA,  OR 
OTHER  OPERATIONS  STATED  IN  THE  FLIGHT  SPECIFIC  ANNEX.  FOR 
THESE  CASES:  [CIL]  @[090999-6930] 

1.  THE  DEPLOYED  ASSEMBLY  WILL  BE  DEPLOYED  AND  REMAIN 
DEPLOYED  TO  SUPPORT  THE  OPERATION. 

2.  THE  DEPLOYED  ASSEMBLY  WILL  BE  STOWED  AS  SOON  AS  PRACTICAL 
AFTER  COMPLETION  OF  THE  OPERATION (S)  BUT  NO  LATER  THAN 
THE  BEGINNING  OF  THE  DAY  PRIOR  TO  ENTRY. 

IF  THE  LAST  OPERATION  IS  A  PLANNED  EVA,  THE  DEPLOYED 
ASSEMBLY  WILL  BE  STOWED  PRIOR  TO  THE  END  OF  THE  EVA. 


Without  redundant  stow  capability,  the  an  tenna  could  not  be  stowed  normally  if  a  single  additional  failure 
occurred.  If  stow  capability  could  not  be  regained  by  one  of  the  methods  given  in  Rule  jA10-303f 
ANTENNA  CONTINGENCY  PROCEDURES,  the  antenna  would  be  costly  in  terms  of  mission  success 
( cases  stated  above  or  in  the  annex),  the  antenna  will  be  stowed  when  redundancy  is  lost.  For  the  loss  of 
redundancy  case,  the  antenna  should  be  stowed  prior  to  the  end  of  the  last  planned  EVA  in  the  event  that 
EVA  assistance  is  needed  to  complete  the  stow  operation. 

Rule  {A2-103C},  EXTENSION  DAY  REQUIREMENTS,  references  this  rule.  @[090894-1 670B] 

B.  FOR  LOSS  OF  TEMPERATURE  CONTROL  OR  TEMPERATURE  MONITORING 
CAPABILITY,  THE  KU-BAND  ANTENNA  WILL  BE  STOWED  AS  SOON  AS 
PRACTICAL  EXCEPT  FOR  THOSE  CASES  STATED  IN  THE  FLIGHT 
SPECIFIC  ANNEX.  [CIL] 

Precise  antenna  positioning  capability  is  required  to  lock  the  gimbals  and  properly  stow  the  Ku-band 
antenna.  When  the  temperature  of  the  antenna  gyro  mechanism,  signal  feed,  or  the  alpha  or  beta  gimbal 
angle  cannot  be  maintained  within  SODB  limits,  the  capability  to  obtain  correct  stow  angles  may  be  lost. 
The  Ku-band  antenna  deployed  assembly  (gimbals  must  be  locked  for  entry,  or  jettison  is  inevitable. 
Therefore,  when  the  Ku-band  antenna  temperature  control  or  monitoring  capability  is  lost,  the  Ku-band 
systems  should  be  deactivated  and  the  antenna  stowed  as  a  precaution.  The  Ku-band  will  be  jettisoned  if 
the  gimbals  cannot  be  locked  for  entry.  @[090999-6930  ] 
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A10-301  ANTENNA  STOW  REQUIREMENT  [CIL] 

Reference  Rules  {A10-303C},  ANTENNA  CONTINGENCY  PROCEDURES;  {All-56},  LOSS  OF 
KU-BAND  TEMPERATURE  CONTROL  [CIL];  {All-57},  LOSS  OF  KU -BAND  TEMPERATURE 
MONITORING  CAPABILITY  [CIL] ;  and  {All-77},  LOSS  OF  ANY  01  DSC;.  @[090999-6930] 


Rule  {A2-103},  EXTENSION  DAY  REQUIREMENTS,  references  this  rule. 

C.  THE  KU-BAND  ANTENNA  WILL  NOT  BE  REDEPLOYED  FOR  MISSION 
EXTENSION  DAYS. 

Reference  Rule  {A2-103C},  EXTENSION  DAY  REQUIREMENTS. 

D.  FOLLOWING  UNSUCCESSFUL  ATTEMPTS  TO  FULLY  DEPLOY  THE  KU-BAND 
ANTENNA,  THE  ANTENNA  WILL  BE  DRIVEN  BACK  TO  THE  STOWED 
POSITION. 


If  the  antenna  cannot  be  successfully  deployed,  there  is  a  good  possibility  of  a  cechanism  problem  that 
could  also  affect  the  stow  capability.  It  is  important  to  stow  the  antenna  early  in  the  flight  so  IFM  or 
EVA  contingency  procedures  can  be  planned  per  Rule  [A1 0-303},  ANTENNA  CONTINGENCY 
PROCEDURES,  if  required.  Also,  the  antenna  is  no  use  if  not  fully  deployed  and  there  is  a  potential  for 
an  additional  failure  to  make  antenna  stowage  impossible  as  the  flight  progresses.  @[090999-6930  ] 


A10-302  DAP  CONFIGURATION  FOR  ANTENNA  STOW 

THE  DAP  WILL  BE  CONFIGURED  TO  "VERN"  OR  "FREE  DRIFT"  DURING 
KU-BAND  DEPLOY  ASSEMBLY  STOWING. 

Reference  SODB,  vol.  I,  3.4.5.2.10.  In  order  to  ensure  proper  gimbal  locking  during  the  antenna 
automatic  stow  sequence,  the  primary  RCS  jets  cannot  be  selected.  Damage  to  the  gimbal  locking 
mechanism  may  be  caused  by  orbiter  accelerations  greater  then  0.5  deg/sec ^  and  orbiter  rates  greater 
than  5  deg/sec  during  the  stow  sequence.  Either  “vern”  or  “free  drift”  is  acceptable. 
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A10-303  ANTENNA  CONTINGENCY  PROCEDURES 

A.  IF  THE  KU-BAND  ANTENNA  GIMBALS  CANNOT  BE  LOCKED  FOR  KU-BAND 
STOW,  CONSIDERATION  WILL  BE  GIVEN  TO  PERFORMING  AN  EVA  TO 
LOCK  THE  GIMBALS  IF  A  DEORBIT  DAY  PLUS  1-DAY  WAVEOFF  IS 
AVAILABLE  AFTER  EVA  DAY. 


For  this  case,  an  EVA  is  considered  an  option  if  it  can  be  performed  and  consumables  will  support  a 
deorbit  day  plus  1  day  waveojf  after  EVA  day. 

B.  IF  THE  KU-BAND  ANTENNA  CANNOT  BE  STOWED  OR  THE  GIMBALS  CANNOT 
BE  LOCKED  BUT  THE  FAILURE  OCCURS  SUCH  THAT  AN  EVA  CANNOT  BE 
PERFORMED,  CONSIDERATION  WILL  BE  GIVEN  TO  A  1-ORBIT  WAVEOFF 
OR  A  1-DAY  EXTENSION  IN  ORDER  TO  PERFORM  ANY  OF  THE  FOLLOWING 
CONTINGENCY  PROCEDURES  IF  A  DEORBIT  DAY  PLUS  1-DAY  WAVEOFF 
DAY  IS  MAINTAINED: 

1.  KU-BAND  ANTENNA  -  FAILED  DEPLOY/STOW  SWITCH  (IFM) . 

2.  KU-BAND  ANTENNA  -  GIMBALS  CAN  BE  LOCKED  (IFM) . 

3.  USE  OF  THE  KU-BAND  ANTENNA  DIRECT  STOW  SWITCH. 

4.  KU-BAND  ANTENNA  JETTISON  (IF  FAILURE  PREVENTS  PLBD  CLOSURE) 

The  rule  assumes  that,  for  whatever  reason,  performing  an  EVA  has  not  been  an  option.  It  also  assumes 
that  on  entry  day  we  are  unable  to  stow  the  antenna  or  lock  the  gimbals. 


There  are  a  few  contingency  procedures  that  do  not  involve  an  EVA,  but  might  require  a  one-orbit 
waveoff  or  a  1-day  extension  to  perform.  Depending  on  the  failure,  they  could  result  in  saving  the 
antenna  and  still  enter  with  at  least  a  1-day  backup. 


The  contingency  procedure  required  to  be  used  is  dependent  on  the  actual  failure  condition;  however,  if 
the  failure  can  be  corrected  via  IFM,  the  IFM  procedure  should  have  priority  over  the  others.  The  IFM 
procedures  allow  for  normal  antenna  stow  procedures  to  be  used  once  the  gimbals  are  locked. 

Rule  {A10-301B  and  CJ,  ANTENNA  STOW  REQUIREMENT  [CIL],  references  this  rule. 

C.  THE  KU-BAND  WILL  BE  JETTISONED  IF  THE  GIMBALS  CANNOT  BE 
LOCKED  FOR  ENTRY. 


With  the  Ku-band  mechanism  stowed  and  the  antenna  gimbals  unlocked,  the  antenna  disk  is  free  to  move 
about  its  gimbal  axes  and  cause  radiator  damage  when  subjected  to  entry  arid  landing  loads.  Loss  of  the 
ability  to  lock  the  antenna  gimbals  and  secure  the  disk  for  entry  is  considered  a  criticality  1  failure. 

Reference  JSC  VNS-87-26,  Ku-Band  Comm/Radar  FMEAJCIL,  Level  III  CCB  minutes  (12/10/86). 
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REMOTELY  OPERATED  ELECTRICAL/FLUID  UMBILICAL  (ROEU/ROFU)  SYSTEMS 

MANAGEMENT  @[062801 -4355A] 


A10-321  ROEU/ROFU  OPERATIONS 

A.  THE  ROEU/ROFU  WILL  BE  DEMATED  FROM  THE  PAYLOAD  PRIOR  TO 
UNLATCHING  THE  PRLA(S)  OR  AKA(S). 

The  ROEU/ROFU  was  not  designed  to  withstand  the  loads  that  may  be  caused  by  a  payload  that  is  not 
fully  constrained  in  the  payload  bay.  This  will  preclude  possible  damage  to  the  ROEU/ROFU,  which 
may  lead  to  binding  during  unberthing  of  the  payload. 

B.  THE  ROEU/ROFU  WILL  NOT  BE  MATED  TO  THE  PAYLOAD  UNTIL  AND 
UNLESS  THE  PRLA(S)  AND  AKA(S)  REQUIRED  FOR  ENTRY  ARE 
CONFIRMED  LATCHED. 

The  ROEU/ROFU  was  not  designed  to  withstand  the  loads  that  may  be  caused  by  a  payload  that  is  not 
fully  constrained  in  the  payload  bay.  This  will  preclude  possible  damage  to  the  ROEU/ROFU  which  may 
lead  to  binding  should  a  con  tingency  unberthing  of  the  payload  be  required. 

C.  THE  PAYLOAD  WILL  NOT  BE  UNBERTHED  UNTIL  CONFIRMATION  THAT  THE 
ROEU/ROFU  IS  DEMATED  AND  OVERCENTER  LOCKED  OR  VISUAL 
VERIFICATION  OF  CLEARANCE  IS  OBTAINED. 

The  separation  distance  between  the  payload  and  the  orbiter  disconnect  assembly  (ODA)  is  critical 
during  berth  and  unberth.  If  the  distance  is  less  than  the  specified  3.2  inches,  contact  may  occur  between 
the  ODA  and  the  payload.  If  not  overcen  ter  locked,  the  orbiter  arm  drive  mechanism  ( ODM)  may  be  free 
to  backdrive  such  that  the  clearance  is  less  than  3.2  inches  and  potentially  cause  contact  during  berth  or 
unberth.  During  unberthing,  without  confirmation  of  overcen  ter  lock,  the  crew  will  have  to  visually 
verify  the  clearances  to  avoid  ODA-to-payload  contact.  @[062801 -4355A] 
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A10-321  ROEU/ROFU  OPERATIONS  (CONTINUED) 

D.  IF  A  POSITIVE  LATCH  INDICATION  IS  NOT  RECEIVED  AFTER 
ROEU/ROFU  LATCH  HAS  BEEN  ATTEMPTED,  THE  ROEU/ROFU  WILL  BE 
UNLATCHED  AND  DEMATED  PRIOR  TO  ENTRY.  @[062801 -4355A] 

Without  at  least  one  microswitch  confirming  that  the  ODA  hooks  are  overcenter  locked,  possible  damage 
to  the  ROEU/ROFU  may  occur  during  entry  due  to  separation  of  the  ODA  and  the  payload  disconnect 
assembly  {PDA).  The  overcenter  demoted  position  is  safe  for  entry. 

E.  IF  THE  ROEU/ROFU  FAILS  TO  DEMATE,  AN  UNSCHEDULED  EVA  WILL  BE 
CONSIDERED  TO  DEMATE  THE  ROEU/ROFU. 

The  ROEU/ROFU  ODA  Hooks  and  ODM  Arm  have  EVA  drive  capability.  Demating  the  ROEU/ROFU 
via  EVA  should  be  considered  in  lieu  of  discon  tinuing  payload  operations  in  order  to  presence  mission 
success. 

F.  IF  THE  ROEU/ROFU  CANNOT  BE  REMATED  WITH  THE  PAYLOAD,  AN 
UNSCHEDULED  EVA  WILL  BE  CONSIDERED  TO  REMATE  THE  ROEU/ROFU. 

The  ROEU/ROFU  ODA  Hooks  and  ODM  Arm  have  EVA  drive  capability.  Remating  the  ROEU/ROFU 
via  EVA  should  be  considered  to  avoid  damage  to  the  payload  resulting  from  loss  of  functions  provided 
by  the  ROEU/ROFU.  @[062801 -4355A] 
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ANDROGYNOUS  PERIPHERAL  DOCKING  SYSTEM  (APDS)  SYSTEMS  MANAGEMENT 


A10-341  APDS  CONFIGURATION 

A.  THE  DOCKING  RING  MUST  BE  AT  THE  INITIAL  POSITION  AND  THE  RING 
ALIGNED  BEFORE  ATTEMPTING  TO  DOCK.  @[021199-6816] 

With  the  ring  aligned  at  the  initial  position,  each  ballscrew/nut  assembly  has  its  maximum  stroke 
available  to  react  to  and  attenuate  the  docking  loads.  If  the  ring  is  not  aligned,  or  if  it  is  extended 
beyond  or  below  the  initial  position,  the  available  stroke  decreases,  thus  decreasing  attenuation 
capability.  This  would  also  increase  the  probability  of  bottoming  out  the  mechanism,  which  could  result 
in  excessive  loads  and  damage  to  the  mechanism  or  the  vehicles.  In  addition,  if  the  ring  is  not  aligned, 
the  probability  of  achieving  capture  is  reduced,  since  the  mechanism  must  then  overcome  misalignmen  ts 
in  the  ring  as  well  as  piloting  misalignments  in  order  to  engage  all  three  capture  latches. 

B.  THE  INNER  HATCH  WILL  BE  CLOSED  AND  LATCHED  PRIOR  TO  ANY 
ATTEMPT  TO  DOCK  WITH  ISS.  IF  AN  IFM  IS  REQUIRED  TO  COMPLETE 
DOCKING,  THE  IFM  WILL  BE  SET  UP  PRIOR  TO  THE  DOCKING  ATTEMPT. 
THE  INNER  HATCH  WILL  BE  OPENED  AFTER  CAPTURE  IS  OBTAINED  TO 
DRIVE  THE  APPROPRIATE  APDS  MOTOR  TO  COMPLETE  THE  SEQUENCE. 

Closing  the  inner  hatch  isolates  the  crew  cabin  from  the  ODS  volume  should  the  APDS  hatch  or  ODS 
structure  be  breached  during  a  docking  attempt. 

C.  THE  DOCKING  RING  WILL  NOMINALLY  BE  RETRACTED  TO  ITS  FINAL 
POSITION  PRIOR  TO  CLOSING  THE  PLBD'S.  IF  THE  RING  CANNOT  BE 
RETRACTED,  THE  SYSTEM  IS  STILL  IN  A  SAFE  CONFIGURATION  FOR 
ENTRY. 

The  active  docking  ring  will  nominally  be  retracted  during  the  docking  sequence  and  will  not  be  re¬ 
extended.  If  the  docking  sequence  is  not  completed,  the  ring  should  be  retracted  before  attempting  to 
close  the  payload  bay  doors.  Analysis  has  not  been  done  to  show  that  damage  to  the  ring  or  ballscrew 
mechanism  will  not  occur  if  the  ring  is  extended  during  entry.  However,  the  ring  does  not  interfere  with 
the  payload  bay  door  envelope  even  at  its  fully  extended  position.  If  the  capability  does  not  exist  to 
retract  the  ring,  there  are  no  safety  concerns  with  the  ring  being  extended  during  entry.  Reference 
Rockwell-Downey  Internal  Letter  ODS-36.1 1-94-142.  @[021 199-6816  ] 
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A10-342  APDS  PRESSURE/TEMPERATURE 

A.  THE  DMCU,  DSCU,  LACU,  PACU,  AND  PSU  AVIONICS  BOXES  WILL  NOT 
BE  OPERATED  IF  THE  EXTERNAL  AIRLOCK  PRESSURE  IS  LESS  THAN 
8.0  PSIA.  @[021199-6816] 

To  ensure  adequate  heat  dissipation,  the  atmospheric  pressure  within  the  DMCU,  DSCU,  LACU, 
and  PACU  avionics  boxes  ( which  is  represented  by  the  external  airlock  pressure)  must  be  greater 
than  8.0  psia.  If  the  airlock  pressure  falls  below  8.0  psia  and  is  subsequently  repressurized  to  >  8.0 
psia,  operation  of  these  boxes  is  acceptable  (assuming  paragraph  D  of  this  rule  has  not  been 
violated).  Reference  APDS  Multi-Mir  Critical  Design  Review,  February  1995. 

B.  THE  PFCU  IS  DESIGNED  AS  A  ONE-TIME  USE  BOX  AND  MAY  BE 
OPERATED  IN  A  VACUUM  IF  REQUIRED. 

There  are  no  relays  within  the  PFCU  that  are  continuously  energized  as  in  the  other  boxes.  Since  it 
takes  less  than  a  second  to  activate  the  necessary  relays  to  fire  the  hook  6,  there  is  no  issue  with 
overheating  and  premature  failure  of  the  componen  ts  due  to  lack  of  atmosphere  in  the  box.  In  addition, 
the  PFCU  is  designed  to  be  used  only  once.  This  is  due  to  the  degradation  of  the  fusistors  as  they  are 
heated  by  the  current  flow  and  the  probability  of  the  KQ  relay  contacts  welding  closed.  Reference  APDS 
Multi-Mir  Critical  Design  Review  Protocol,  February  23,  1995. 

C.  THE  DCU'S  ARE  SEALED  BOXES  AND  MAY  BE  OPERATED  AS  REQUIRED  IN 
A  VACUUM. 

There  are  no  heat  rejection  concerns  with  the  DCU’s  because  the  DCU’s  do  not  use  the  same  heat- 
generation  relays  that  the  other  boxes  have.  Since  these  boxes  are  also  hermetically  sealed,  there  is  no 
constraint  to  operation  in  a  vacuum. 

D.  THE  DMCU,  DSCU,  LACU,  PACU,  AND  PFCU  AVIONICS  BOXES  HAVE  A 
MAXIMUM  CUMULATIVE  NON-OPERATING  VACUUM  EXPOSURE  LIMIT  OF 
200  HOURS. 

The  DMCU,  DSCU,  LACU,  PACU  and  PFCU  avionics  boxes  are  not  sealed;  therefore,  exposing  these 
boxes  to  a  vacuum  will  expose  the  internal  electronics  to  a  vacuum.  Due  to  concerns  about  the  effect  of 
vacuum  exposure  on  the  electronics,  these  boxes  have  a  maximum  cumulative  nonoperation  vacuum 
exposure  limit  of  200  hours.  Reference:  Procurement  Specification  for  the  Androgynous  Peripheral 
Docking  System  for  the  ISS  Missions  (JSC-26938,  Rev  C).  ®[021 199-6816  ] 
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A10-342  APDS  PRESSURE/TEMPERATURE  (CONTINUED) 

E.  DOCKING  SYSTEM  TEMPERATURES,  AS  INDICATED  BY  THE  DOCKING 

BASE,  CAPTURE  LATCH,  BALL  DRIVE,  RING  DRIVE,  AND  HOOK  DRIVE 
TEMPERATURES,  MUST  BE  MAINTAINED  WITHIN  THE  LIMITS  LISTED 
BELOW.  ORBITER  ATTITUDE  WILL  BE  MANAGED,  OR  THE  DOCKING  RING 
EXTENDED  OR  RETRACTED,  TO  MAINTAIN  THESE  LIMITS.  @[021199-6816] 


MISSION  PHASE 

LIMITS 

DOCKING 

-22?F/-30?C  (-1 3?F/-25?C)?  T  ?  122?F/50?C  (1 1 37F/457C) 

RING  EXTENSION 

RING  RETRACTION 

UNDOCKING 

-58?F/-50?C  (-49 7F/-45 ?C) ?  T  ?  122?F/50?C  (1 1 37F/457C) 

NON-OPERATING 

-85?F/-65?C  (-76 7F/-60 ?C) ?  T  ?  185?F/85?C  (1 767F/807C) 

A  9-degree  F  margin  was  used  to  protect  worst  case  component  temperatures.  Reference:  Procuremen  t 
Specification  for  the  Androgynous  Peripheral  Docking  System  for  the  ISS  Missions  ( JSC-26938,  Rev  C). 

F.  THE  DMCU,  DSCU,  LACU,  PACU,  AND  PSU  AVIONICS  BOXES  WILL  NOT 
REMAIN  POWERED  ON  FOR  LONGER  THAN  2  HOURS.  THE  AVIONICS  MUST 
THEN  BE  POWERED  OFF  FOR  A  MINIMUM  OF  30  MINUTES  PRIOR  TO  THE 
NEXT  POWERUP. 

To  avoid  excessive  heat  buildup,  the  docking  system  avionics  boxes  have  a  maximum  power  on  time 
constraint  of  2  hours.  Following  powerup,  the  boxes  must  be  powered  down  for  a  minimum  of  30 
minutes  to  allow  for  adequate  heat  dissipation. 

G.  THE  DCU  BOXES  DO  NOT  HAVE  A  POWERON  TIME  CONSTRAINT. 

The  electronics  within  the  data  collection  units  have  negligible  heat  buildup  characteristics  even 
though  the  box  is  sealed.  Therefore,  the  DCU  ’s  are  capable  of  remaining  powered  indefinitely. 

Reference  APDS  Multi-Mir  Critical  Design  Review,  February  23,  1995. 

H.  THE  DAMPERS  WILL  NOT  REMAIN  POWERED  ON  FOR  MORE  THAN 
5  MINUTES  OF  CONTINUOUS  OPERATION. 

RSC-Energia  has  constrained  damper  operation  to  a  maximum  of  5  minutes  in  order  to  preclude 
excessive  heat  buildup  and  potential  hardware  degradation.  Note  that  once  the  dampers  are  powered 
off,  they  cannot  be  re-enabled  during  the  same  docking  attempt.  Reference  Technical  Interface  Meeting, 
June  1998.  @[021199-6816] 
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A10-343  APDS  MECHANISM  END  OF  TRAVEL  INDICATIONS 

A.  THE  ACTIVE  DOCKING  RING  WILL  BE  CONSIDERED  TO  HAVE  ATTAINED 
ITS  COMMANDED  POSITION,  F INAL/ INI T I AL/FORWARD ,  IF  AT  LEAST 
ONE  OF  THE  FOLLOWING  INDICATIONS  OCCURS  WITHIN  SINGLE-MOTOR 
DRIVE  TIME:  @[021199-6816] 

1.  THE  ASSOCIATED  APDS  CONTROL  PANEL  STATUS  LIGHT  OR  THE 
ASSOCIATED  DISCRETE  TELEMETRY  DATA  INDICATES 
FINAL/INITIAL/FORWARD . 

2.  THE  ASSOCIATED  ANALOG  POTENTIOMETER  MEASUREMENT  IS  AT  5 
PERCENT  (±3  PERCENT)  FOR  FINAL  POSITION,  76  PERCENT  (±3 
PERCENT)  FOR  INITIAL  POSITION,  OR  98  PERCENT  (±2  PERCENT) 
FOR  FORWARD  POSITION. 


Redundant  indications  are  provided  for  the  ring  drive  mechanisms  for  the  final/initial/forward  and 
analog  position  indications.  During  ring  operations,  if  any  of  the  proper  end-of-travel  indications  are 
obtained  within  the  single-motor  drive  envelope,  the  ring  will  be  considered  to  be  in  the  desired  position. 
This  is  based  on  the  low  probability  of  a  sensor  failing  within  the  time  that  the  indication  was  expected, 
thereby  giving  a  false  verification  of  position.  Reference  January  1998,  APDS  ISS  Brassboard 
Functional  Testing. 

B.  THE  ACTIVE  DOCKING  RING  WILL  BE  CONSIDERED  PROPERLY  ALIGNED 
IF  AT  LEAST  ONE  OF  THE  FOLLOWING  INDICATIONS  IS  OBTAINED: 

1.  THE  ASSOCIATED  APDS  CONTROL  PANEL  STATUS  LIGHT  OR 
DISCRETE  TELEMETRY  DATA  INDICATES  RING  ALIGNED. 

2.  THE  ASSOCIATED  ANALOG  POTENTIOMETER  MEASUREMENTS  ON  THE 
RING  ARE  AT  50  PERCENT  (±1  PERCENT)  AND  THOSE  ON  THE  BASE 
ARE  WITHIN  1  PERCENT  OF  EACH  OTHER. 


The  docking  ring  is  aligned  when  all  six  ballscrews  are  extended  the  same  length.  For  the  ring  to  be 
aligned  in  pitch,  roll,  and  z,  the  base  potentiometer  measurements  should  be  within  1  percent  of  each 
other.  Alignment  in  the  yaw,  x,  and  y  axes  is  confirmed  by  the  ring  potentiometer  measurements  being 
centered  at  50  percent  ?  1  percent. 

C.  THE  CAPTURE  LATCHES  WILL  BE  CONSIDERED  OPEN  IF  AT  LEAST  ONE 
OF  THE  FOLLOWING  INDICATIONS  CAN  BE  VERIFIED: 

1.  THE  ASSOCIATED  APDS  CONTROL  PANEL  STATUS  LIGHT  OR  THE 

ASSOCIATED  DISCRETE  TELEMETRY  DATA  INDICATES  OPEN  WITHIN 
THE  MOTOR  DRIVE  TIME.  @[021199-6816] 
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A10-343  APDS  MECHANISM  END  OF  TRAVEL  INDICATIONS  (CONTINUED) 

2.  THE  LATCHES  CAN  BE  VERIFIED  OPEN  AS  INDICATED  BY  A  FULLY 
RETRACTED  RING  POST-HARD-DOCK.  @[021199-6816] 

The  capture  latches  indicate  open  when  all  three  latches  are  open  ( i.  e. ,  the  redundant  con  tacts  of  each 
sensor  are  wired  in  series).  During  latch  operations,  if  the  open  indications  are  obtained  within  the 
expected  drive  time  of  3-4  seconds,  the  latches  will  be  considered  to  be  in  the  desired  position.  This  is 
based  on  the  low  probability  of  a  sensor  failing  within  the  time  that  the  indication  was  expected,  thereby 
giving  a  false  verification  of  position.  Also,  if  the  ring  can  be  retracted  to  the  fined  position  as  indicated 
by  ring  position  or  verified  visually,  all  three  latches  are  known  to  be  open. 

D.  THE  CAPTURE  LATCHES  WILL  BE  CONSIDERED  CLOSED  IF  THE 
ASSOCIATED  APDS  CONTROL  PANEL  STATUS  LIGHT  OR  THE  ASSOCIATED 
DISCRETE  TELEMETRY  DATA  INDICATES  CLOSED  WITHIN  THE  MOTOR 
DRIVE  TIME. 

The  capture  latches  indicate  closed  when  all  three  latches  are  closed  (i.e.,  the  redundant  contacts  of  each 
sensor  are  wired  in  series).  During  latch  operations,  if  the  closed  indications  are  obtained  within  the 
expected  drive  time  of  3-4  seconds,  the  latches  will  be  considered  to  be  in  the  desired  position.  This  is 
based  on  the  low  probability  of  a  sensor  failing  within  the  time  that  the  indication  was  expected,  thereby 
giving  a  false  verification  of  position.  Also,  if  the  ring  cannot  be  retracted  to  the  final  position  post- 
hard-dock,  at  least  one  capture  latch  should  be  considered  closed. 

E.  EACH  GANG  OF  APDS  HOOKS  WILL  BE  CONSIDERED  OPEN/CLOSED  IF  AT 
LEAST  ONE  OF  THE  FOLLOWING  INDICATIONS  OCCURS  WITHIN  SINGLE¬ 
MOTOR  DRIVE  TIME: 

1.  THE  ASSOCIATED  APDS  CONTROL  PANEL  STATUS  LIGHT  OR  THE 
ASSOCIATED  DISCRETE  TELEMETRY  DATA  INDICATES  OPEN/CLOSED. 

2.  THE  ASSOCIATED  ANALOG  POTENTIOMETER  MEASUREMENT  IS  AT 
5  PERCENT  (±3  PERCENT)  FOR  HOOKS  OPEN  OR  92  PERCENT 
(±3  PERCENT)  FOR  HOOKS  CLOSED. 

Redundant  indications  are  provided  for  the  hook  drive  mechanisms  for  the  open/close  and  analog 
position  indications.  During  hook  operations,  if  any  of  the  end-of -travel  indications  are  obtained 
within  the  single-motor  drive  en  velope,  the  hooks  will  be  considered  to  be  in  the  desired  position. 

This  is  based  on  the  low  probability  of  a  sensor  failing  within  the  time  that  the  indication  was 
expected,  thereby  giving  a  false  verification  of  position.  In  addition  to  the  indications  above,  the 
APDS  hooks  have  close  microswitches  on  each  of  the  individual  hooks  (except  for  hooks  6  and  7, 
which  are  driven  directly  by  the  hook  power  drive  units).  These  sensors  indicate  the  individual  hooks 
are  closed  when  the  hook  potentiometer  indicates  approximately  80  percent.  The  PMA  2/3  hooks  have 
close  microswitches  similar  to  the  PMA-1  hooks;  however,  the  PMA  2/3  sensors  are  wired  in  series,  in 
groups  of  three.  @[021 1 99-681 6  ] 
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A10-344  APDS  DOCKING  SEQUENCE  OPERATIONS 

A.  IF  ANY  APDS  CONTROL  PANEL  STATUS  LIGHT  INADVERTENTLY 
ACTIVATES  OR  FAILS  TO  ACTIVATE:  @[021199-6816] 

1.  PRIOR  TO  DOCKING,  IF  THE  FAILURE  IS  DETERMINED  TO  BE  IN  A 
SINGLE  SENSOR  CONTACT,  DOCKING  MAY  PROCEED  AS  PLANNED. 

IF  MULTIPLE  FAILURES  EXIST,  DOCKING  WILL  BE  DELAYED  AS 
REQUIRED  TO  ALLOW  TROUBLESHOOTING. 

2.  DURING  DOCKING,  THE  APDS  DOCKING  SEQUENCE  WILL  BE  STOPPED 
VIA  A  POWER  CYCLE.  IF  THE  FAILURE  IS  DETERMINED  TO  BE  IN 
A  SINGLE  SENSOR  CONTACT,  DOCKING  MAY  BE  COMPLETED.  IF 
MULTIPLE  FAILURES  EXIST,  COMPLETION  OF  THE  DOCKING 
SEQUENCE  WILL  BE  DELAYED  AS  REQUIRED  TO  ALLOW 
TROUBLESHOOTING . 

The  design  philosophy  within  the  APDS  avionics  utilizes  three  separate  electrical  paths;  two  of  the  three 
are  required  to  activate  any  particular  function.  For  feedback  from  sensors  external  to  the  avionics 
boxes,  the  three  paths  are  typically  combined  into  two  paths  to  the  sensors,  with  the  APDS  A  logic  bus 
feeding  both  paths  (i.e.,  A  and  B  paths  completed  through  one  sensor  contact,  A  and  C  through  the 
other).  In  this  way,  with  any  two  busses  powered,  the  system  can  complete  its  function.  Conversely, 
however,  if  any  one  contact  or  associated  wiring  shorts  to  ground  or  fails  closed,  two  of  the  three  paths 
associated  with  that  sensor  will  be  activated,  possibly  disrupting  the  system  operation.  This  is  the  basis 
for  all  of  the  avionics  single-point  failures. 

Due  to  the  avionics  design,  workarounds  are  available  to  bypass  any  single  contact  failure  (e.g.,  by 
removing  one  source  of  power  to  the  contact).  Removing  one  power  source  also  provides  a  means  of 
determining  if  a  single-point  failure  exists,  or  if  multiple  failures  have  caused  the  erroneous  indication. 
Since  the  single  failure  scenarios  are  already  accounted  for  in  the  docking  sequence  cue  cards,  if  there  is  a 
con  tact  short,  the  docking  may  proceed  using  the  appropriate  workarounds.  If  multiple  failures  exist, 
further  troubleshooting  must  be  done  to  determine  the  source  of  the  failures  and  any  possible  workarounds. 
@[021199-6816] 
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A10-344  APDS  DOCKING  SEQUENCE  OPERATIONS  (CONTINUED) 

B.  POST-CONTACT,  ALL  RELATIVE  MOTION  BETWEEN  THE  ORBITER  AND  ISS 
MATED  STACK  WILL  BE  ALLOWED  TO  DAMP  OUT  PRIOR  TO  DRIVING  THE 
ACTIVE  DOCKING  RING.  WHEN  THE  RELATIVE  MOTION  HAS  STOPPED, 

THE  DOCKING  SEQUENCE  WILL  BE  RESTARTED.  @[021199-6816] 

1.  IF  THE  RING  IS  NOT  ALIGNED  AFTER  ALL  RELATIVE  MOTION  HAS 
STOPPED,  THE  APDS  SEQUENCE  WILL  BE  RESTARTED  BY  EXTENDING 
THE  RING  TO  THE  FORWARD  POSITION  IN  ORDER  TO  FORCE 
ALIGNMENT . 

2.  IF  THE  RING  IS  ALIGNED,  THE  APDS  SEQUENCE  CAN  BE  RESTARTED 
BY  EITHER  EXTENDING  THE  RING  TO  THE  FORWARD  POSITION  OR  BY 
RETRACTING  THE  RING. 

The  APDS  high  and  low  energy  dampers  are  automatically  energized  5  seconds  after  contact.  Preflight 
analysis  has  shown  that  the  docking  system  dynamics  will  be  over-damped ,  and  therefore,  the  ring  will 
likely  not  align  itself  after  all  relative  motion  has  stopped.  Consequen  tly,  before  the  ring  can  be  retracted 
with  fixers  engaged,  it  must  first  be  driven  to  the  Forward  position  (against  its  hard  stops )  to  force 
alignment.  The  dampers  remain  energized  during  this  extension  operation,  in  order  to  prevent  excessive 
motion  of  the  ring  (caused  by  perturbations  of  the  system  induced  during  the  ring  extension ).  However,  if 
the  ring  is  aligned  at  the  Initial  position  after  motion  is  damped,  the  docking  sequence  can  be  restarted 
with  a  Ring  In  command.  The  ring  can  also  be  extended  to  Forward,  and  then  retracted,  in  order  to  keep 
crew  procedures  consistent  with  nominal  operations.  However,  ring  extension  is  not  required  if  ring 
alignment  is  achieved  at  the  ring  Initial  position.  MCC-H  is  usually  prime  for  determining  when  relative 
motion  has  damped  completely,  and  when  the  ring  has  been  aligned  sufficiently  to  allow  ring 
extension/retraction.  However,  in  a  loss  of  commun  ications  scenario,  the  crew  has  sufficien  t 
indications/verifications  in  order  to  continue  the  docking  sequence  without  ground  concurrence. 

C.  THE  DOCKING  SEQUENCE  CAN  BE  PAUSED  OR  STOPPED  AT  ANY  TIME 
AFTER  CAPTURE,  IN  ORDER  TO  TROUBLESHOOT  ERRONEOUS  APDS 
OPERATION  OR  TO  PERFORM  A  BACKAWAY . 

Five  seconds  after  capture,  the  high  energy  and  low  energy  electromagnetic  dampers  are  activated  to 
null  the  relative  motion  between  the  vehicles.  These  dampers  remain  active  until  the  crew  performs  a 
PWR  ON  reset  or  a  power  cycle  of  the  avionics.  If  a  backciway  needs  to  be  performed,  the  successful 
completion  of  damping  becomes  irrelevan  t,  and  the  sequence  may  be  stopped  as  required.  @[021199-6816  ] 
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A10-344  APDS  DOCKING  SEQUENCE  OPERATIONS  (CONTINUED) 

D.  IF  RING  EXTENSION  TO  THE  FORWARD  POSITION  IS  REQUIRED  IN 
ORDER  TO  FORCE  ALIGNMENT  AND  THE  DAMPERS  ARE  DE-ENERGIZED, 
THE  RING  WILL  BE  PAUSED  JUST  PRIOR  TO  REACHING  THE  FORWARD 
POSITION.  WHEN  THE  RELATIVE  MOTION  HAS  STOPPED,  THE  RING 
DRIVE  TO  FORWARD  WILL  BE  RESTARTED.  @[021199-6816] 

Nominally,  the  dampers  remain  energized  during  ring  extension  to  the  Forward  position  in  order  to 
preven  t  excessive  motion  of  the  ring  ( caused  by  perturbations  of  the  system  induced  during  the  ring 
extension).  By  stopping  the  ring  drive  just  prior  to  the  Forward  position  and  allowing  all  relative  motion 
to  damp  out,  excessive  loads  against  the  mechanism  hard  stops  can  be  avoided.  Loads  against  the  hard 
stops  will  be  minimized  when  the  ring  drive  is  restarted. 

E.  FOLLOWING  CONTACT,  IF  CAPTURE  CANNOT  BE  CONFIRMED,  BUT 
SEPARATION  DOES  NOT  OCCUR,  THE  DOCKING  SEQUENCE  SHALL 
CONTINUE  AFTER  PASSIVE  DAMPING  IS  COMPLETED  PROVIDED: 

@[052302-51 11  A] 

1.  NO  VISIBLE  GAPPING  BETWEEN  THE  ACTIVE  AND  PASSIVE  RINGS 
EXISTS,  AND 

2.  THE  HOOKS  DRIVE  AUTOMATICALLY  UPON  RING  RETRACT I ON . 

CAPTURE  CAN  BE  CONFIRMED  BY  EITHER  ILLUMINATION  OF  THE 
CAPTURE  LIGHT  OR  INITIATION  OF  ACTIVE  DAMPING.  @[052302-51 11  A] 

THIS  RULE  CONTINUED  ON  NEXT  PAGE 


VOLUME  A  06/20/02  FINAL  MECHANICAL  10-125 

Verify  that  this  is  the  correct  version  before  use. 


NASA  -  JOHNSON  SPACE  CENTER 


FLIGHT  RULES 


A10-344  APDS  DOCKING  SEQUENCE  OPERATIONS  (CONTINUED) 

If  the  interfaces  do  not  separate  post-contact,  physical  capture  has  most  likely  occurred.  A  single  failed 
capture  sensor  could  cause  the  capture  latching  logic  to  remain  unlatched.  This  would  result  in  no 
CAPTURE  light  and  no  active  damping.  Continuing  the  docking  sequence  is  safe  in  this  case  provided 
any  relative  motion  is  allowed  to  damp  passively.  The  “manual”  steps  in  the  docking  sequence  must  be 
performed  since  the  auto-sequence  will  not  have  initiated.  @[052302-5111  A] 

Analysis  indicates  that  if  one  capture  latch  failed  to  engage  the  passive  latch,  separation  would  not  likely 
occur.  (Ref  Mir  FTP  #12,  November  18,  1994.)  Prior  to  retracting  the  ring  to  the  Ready-to-Hook 
position  du  ring  the  docking  sequence,  this  case  would  not  be  distinguishable  from  the  loss  of  a  capture 
sensor  unless  visible  gapping  is  noted  between  the  active  and  passive  rings  at  one  or  more  petals.  If  the 
docking  sequence  were  to  continue,  it  may  be  possible  to  determine  ifcdl  three  latches  are  engaged  when 
retracting  the  active  ring  to  the  Ready-to-Hook  position.  At  the  Ready-to-Hook  position,  four  spring 
pushers  (two  on  each  mechanism)  positioned  around  the  structural  ring  will  exert  a  separating  force  on 
the  in  terface,  which  may  result  in  the  inability  to  compress  one  or  more  of  the  four  Ready-to-Hook 
sensors.  If  two  such  sensors  are  not  depressed  far  enough  to  make  contact,  the  Ready-to-Hook  light  will 
not  be  illuminated  and  automatic  hooks  closure  will  not  occur.  Attempting  to  close  the  hooks  manually 
in  this  case  may  result  in  binding  and  damage  to  the  structural  hook  mechanisms.  Under  these 
circumstances  the  ring  should  be  driven  out  to  the  Initial  Position  and  the  Failed  Capture  procedure 
executed  to  undock. 

The  likelihood  of  a  failed  capture  sensor  is  considered  much  higher  than  the  likelihood  of  a  structural  or 
mechanical  failure  of  a  capture  latch.  The  three  capture  latches  are  configured  to  the  closed  (ready  to 
dock)  position  at  KSC  before  launch  and  are  not  driven  open  until  structural  mate  is  complete  during  the 
docking  sequence.  The  LATCHES  CLOSED  light  and  accompanying  telemetry  can  be  used  to  confirm 
that  all  three  capture  latches  are  closed.  @[052302-51  n  A] 
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A10-345  APDS  RECONFIGURATION  AFTER  FAILED  DOCKING 

A.  IN  THE  EVENT  OF  A  FAILED  CAPTURE,  THE  DOCKING  RING  WILL  BE 
EXTENDED  TO  THE  FORWARD  POSITION  (IF  REQUIRED  TO  REALIGN  THE 
RING) ,  FULLY  RETRACTED,  AND  THEN  RE-EXTENDED  TO  THE  INITIAL 
POSITION  PRIOR  TO  A  SECOND  DOCKING  ATTEMPT.  THE  AVIONICS 
WILL  ALSO  BE  REINITIALIZED  BY  MEANS  OF  A  POWER  CYCLE. 

To  ensure  the  APDS  mechanism  did  not  experience  excessive  loads  during  a  failed  capture  that  could 
damage  mechanism  components  and  to  ensure  all  active  dampers  have  disengaged,  the  ring  will  be 
extended  with  the  fixers  off  to  the  forward  position  (in  order  to  force  alignment ),  then  retracted  and  re¬ 
extended.  This  allows  a  review  of  the  drive  system  characteristics  (drive  time,  currents)  as  an  indicator 
of  system  health.  The  ring  also  needs  to  be  realigned  to  be  in  the  proper  position  for  the  next  docking 
attempt.  The  avionics  will  also  be  reinitialized  to  ensure  that  its  logic  is  in  the  proper  state  for  another 
docking  attempt. 

B.  AFTER  AN  UNSUCCESSFUL  DOCKING  ATTEMPT  DURING  WHICH  THE  APDS 
ACTIVE  DAMPING  WAS  COMMANDED  ON,  A  SECOND  DOCKING  ATTEMPT 
WILL  NOT  BE  ATTEMPTED  UNTIL  THE  DAMPING  MECHANISM  IS 
CONFIRMED  TO  BE  DISENGAGED. 

During  6  degree-of-freedom  docking  loads  testing  in  Moscow,  an  instance  occurred  during  which  the 
damping  mechanism  did  not  disengage  after  the  damping  commands  were  removed.  During  the  next  test, 
loads  in  excess  of  the  acceptable  docking  loads  were  noted.  Upon  investigation  of  the  high  loads,  it  was 
determined  that  the  damping  mechanisms  clutch  had  not  disengaged.  Therefore,  to  ensure  that  a  similar 
problem  does  not  occur  during  the  Shuttle/ISS  docking  missions,  a  second  docking  attempt,  following  an 
attempt  that  failed  after  the  dampers  were  commanded  ON,  should  not  be  performed  until  the  dampers 
can  positively  be  verified  disengaged.  @[021 1 99-681 6  ] 

A10-346  APDS  REDUNDANCY  REQUIREMENTS 

IN  SUPPORT  OF  ALL  FLIGHTS  RULE  {A2-104},  SYSTEMS  REDUNDANCY 
REQUIREMENTS,  EXTRAVEHICULAR  ACTIVITY  (EVA)  WILL  BE  CONSIDERED 
AS  A  LEVEL  OF  REDUNDANCY  IN  ORDER  TO  ACCOMPLISH  SHUTTLE/ISS 
UNDOCKING.  EVA  WILL  BE  USED  AS  THE  THIRD  METHOD  TO  ACHIEVE 
SEPARATION.  @[021199-6816] 

The  shuttle  docking  system  has  two  sets  of  six  hooks;  each  set  is  opened  and  closed  by  dual-motor 
electro-mechanical  actuators  arid  a  pulley/cable  drive  system.  Additionally,  there  are  independent  pyro 
systems  that  can  remotely  release  the  active  and/or  passive  hooks.  The  active  hooks  pyro  system  releases 
all  12  shuttle  hooks,  and  the  passive  hooks  system  releases  all  12  passive  hooks.  In  the  event  that  either 
hooks  drive  system  fails,  and  discharging  either  or  both  pyro  systems  is  unsuccessful,  the  96-Bolt  EVA 
will  be  executed  in  order  to  separate  the  shuttle.  @[021199-6816] 

A10-347  THROUGH  A10-360  RULES  ARE  RESERVED 
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VIEWPORT  SYSTEMS  MANAGEMENT 


A10-361  VIEWPORT  (VP) 

A.  WHEN  THE  VP  IS  NOT  IN  USE,  THE  OUTER  COVER  WILL  REMAIN 
CLOSED.  @[051194-1637] 

Limiting  VP  use  to  experiment  operations  and  earth/space  observations  minimizes  the  risk  of  mechan  ism 
damage  (from  landing  loads)  should  the  outer  cover  fail  in  the  OPEN  position.  The  outer  cover  provides 
mechanical  and  thermal  protection  when  it  is  closed;  however,  it  does  not  provide  a  redundant  pressure 
seal. 

B.  THE  VP  OUTER  COVER  MUST  BE  CLOSED  WITHIN  35  MINUTES  OF  VP 
WINDOW  EXPOSURE  TO  THE  SUN  IN  FIELD  OF  VIEW  (FOV)  OR  2  HOURS 
OF  VP  WINDOW  EXPOSURE  TO  DEEP  SPACE  (VP  HEATER  ACTIVATED  AND 
FUNCTIONAL) . 

The  sun  exposure  constrain  t  precludes  the  VP  internal  surfaces  from  exceeding  the  maximum 
allowable  touch  temperature  of  45  deg  C  (113  deg  F).  The  deep  space  constraint  precludes  the 
formation  of  condensation  on  the  actuator  mechanism  and  VP  glass  (a  free  fluid,  ice  formation,  and 
hardware  degradation  concern),  and  ensures  VP  seal  integrity.  The  VP  lower  thermal  qualification 
limit  is  -10  deg  C  (14  deg  F).  ®[i  1 1 501 -4966A] 

The  sun  is  in  FOV  of  the  VP  whenever  it  is  within  a  60  deg  half-cone  angle  about  the  VP  normal  vector. 
The  VP  is  exposed  to  deep  space  whenever  the  sun  and  the  entire  earth  are  outside  an  80  deg  half-cone 
angle  about  the  VP  normal  vector.  (The  VP  normal  vector  is  in  the  orbiter  -Z  body  axis.) 

Reference:  JSC-16744,  Spacelab  Operational  Data  Book  (SLODB)  3.5.1,  Constraints/Contingency 
Operations;  TR-OK-0008,  Thermal  Vacuum  Test  Results:  Viewport;  TN-ER-36-061-77,  VP/Viewport 
Adapter  Assembly  (VAA)  Thermal  Analysis,  5/30/78;  and  MDC-93-W-5652,  5/93.  @[051194-1637] 
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A10-361  VIEWPORT  (VP)  (CONTINUED) 

C.  THE  INNER  SAFETY  COVER  SHOULD  REMAIN  INSTALLED  ON  THE  VP  AT 
ALL  TIMES,  UNLESS  ITS  REMOVAL  IS  REQUIRED  FOR  PAYLOAD 
ACCOMMODATIONS  OR  PHOTOGRAPHY.  THE  INNER  SAFETY  COVER  MUST 
BE  INSTALLED  PRIOR  TO  MODULE  EGRESS.  (INSTALLATION  IS 
REQUIRED  WHEN  EGRESSING  FOR  MODULE  DEACTIVATION,  ENTRY  PREP, 
OR  EVA  PREPARATIONS;  INSTALLATION  IS  NOT  REQUIRED  WHEN 
EGRESSING  FOR  EMERGENCY  DEACTIVATION.)  AN  INNER  SCREEN  OTHER 
THAN  THE  INNER  SAFETY  COVER  WILL  NOT  BE  INSTALLED  ON  THE  VP. 
@[051194-1637]  ®[1 11501 -4966A] 

The  VP  glass  assembly  contains  three  laminated  panes  of  Triplex  “10-20”  glass  (26mm  total 
thickness ).  Because  these  panes  are  laminated,  the  assembly  cannot  be  considered  fail-safe.  However, 
the  inner  safety  cover  (a  safety  pane  of  polycarbonate  plastic)  provides  a  structural  seal  over  the  VP 
aperture  that  allows  sufficient  time  to  complete  a  contingency  Spacehcib  deactivation/evacuation  of  the 
module  in  the  event  of  a  toted  glass  feature.  (A  small  port  in  the  inner  safety  cover  allows  for 
venting/air  circulation/pressure  equalization  between  both  sides  of  the  cover.)  The  inner  safety  cover 
also  protects  the  VP  glass  against  impact  from  inside  the  module.  However,  safe  return  of  the  crew  is 
not  compromised  if  the  inner  safety  cover  is  not  installed  for  a  Spacehcib  emergency  deactivation.  To 
preclude  the  scenario  where  an  EVA  is  required  during  the  mission,  and  subsequent  module  ingress  is 
not  possible,  the  inner  safety  cover  must  be  installed  to  properly  restrain  it  for  entry.  An  installed 
inner  screen  (other  than  the  inner  safety  cover)  can  cause  a  potential  “greenhouse”  effect  from  solar 
radiation  whenever  the  outer  cover  is  open,  or  from  a  failed  on  VP  heater  whenever  the  outer  cover  is 
closed.  Either  case  can  cause  VP  glass  degradation.  The  inner  safety  cover  provides  similar  optical 
qualities  (transmissivity)  as  the  VP  glass  assembly. 

Reference:  TN-ER-36-061-77,  VP/Viewport  Adapter  Assembly  (VAA )  Thermal  Analysis,  5/30/78. 

D.  THE  VP  HEATER  MUST  BE  ACTIVATED  WHENEVER  THE  VP  WINDOW  IS 
EXPOSED  TO  DEEP  SPACE,  OR  AT  ANY  TIME  CONDENSATION  FORMS  ON 
THE  VP  GLASS  OR  ACTUATOR  MECHANISM.  THE  VP  HEATER  MAY  REMAIN 
POWERED  FOR  NO  LONGER  THAN  20  MINUTES  WHEN  THE  SUN  IS  IN  FOV 
OF  THE  VP  GLASS. 

The  VP  heater  is  only  required  when  the  VP  window  is  exposed  to  deep  space  to  prevent  condensation 
from  forming  on  the  VP  glass  and/or  to  extend  the  time  until  condensation  forms  on  the  VP  actuator. 

The  seals  will  remain  above  the  lower  thermal  qualification  limit  of  -10  deg  C  (14  deg  F)  if  the  deep 
space  exposure  time  limits  are  not  exceeded,  and/or  the  heater  is  active.  The  VP  inner  surface  may 
exceed  the  maximum  allowable  touch  temperature  of  45  deg  C  (113  deg  F)  if  the  heater  is  activated  with 
the  outer  cover  closed,  if  the  VP  glass  is  not  exposed  to  deep  space,  or  if  the  VP  heater  is  powered  for 
more  than  20  minutes  with  the  sun  in  FOV  of  the  VP  glass. 

Reference:  TR-OK-0008,  Thermal  Vacuum  Test  Results:  Viewport;  and  MDC-93-W-5652,  5/93. 

@[051194-1637] 
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A10-361  VIEWPORT  (VP)  (CONTINUED) 

E.  ORBITER  ATTITUDE  ADJUSTMENTS  MAY  BE  MADE  TO  MAINTAIN  THE 
VP  TEMPERATURE  WITHIN  OPERATIONAL  LIMITS  IF  HIGH  PRIORITY 
MISSION  OBJECTIVES  ARE  NOT  JEOPARDIZED.  @[051194-1637] 

If  required  to  work  around  an  outer  cover  and/or  heater  failure,  adjusting  the  attitude  timeline  is  an 
acceptable  option  for  main  taining  the  VP  temperature  within  operational  limits  as  long  as  high  priority 
mission  objectives  are  not  significantly  affected.  The  VP  lower  thermal  qualification  limit  is  -10  deg  C 
( 14  deg  F);  the  upper  limit  is  60  deg  C  ( 140  deg  F). 

F.  ON-ORBIT  VP  ATTITUDE  TIMELINE  MANAGEMENT  TO  ENSURE  COMPLIANCE 
WITH  VP  OPERATIONAL  FLIGHT  RULES/TEMPERATURE  LIMITS  IS  THE 
RESPONSIBILITY  OF  MISSION  CONTROL  CENTER-HOUSTON  (MCC-H) . 

Due  to  the  dynamic  nature  of  orbiter  flight  attitude  timeline  changes,  MCC-H  management  of  on-orbit 
VP  operations  will  be  required  to  ensure  VP  FOV  constraints  and  operational  temperature  limits  are  not 
exceeded. 

A10-362  CRACKED  VIEWPORT 

FOR  A  CRACKED  VP  WINDOW,  THE  INNER  SAFETY  COVER  WILL  BE  INSTALLED, 
AND  THE  OUTER  COVER  WILL  BE  CLOSED  AND  REMAIN  CLOSED.  SPACEHAB  OPS 
WILL  BE  ALLOWED  TO  CONTINUE  IF  THE  VP  WINDOW  CAN  MAINTAIN  PRESSURE 
INTEGRITY. 

The  VP  glass  assembly  contains  three  laminated  panes  of  Triplex  “10-20”  glass  (26  mm  total  thickness), 
each  of  which  is  capable  of  main  tain  ing  pressure.  However,  the  VP  inner  safety  cover  (a  safety  pane  of 
polycarbonate  plastic )  provides  a  structural  seal  over  the  VP  aperture  that  allows  sufficient  time  to 
complete  a  contingency  Spacehab  deactivation/evacuation  of  the  module  in  the  event  of  a  total  glass 
failure  (A  small  port  in  the  inner  safety  cover  allows  for  venting/air  circulation/pressure  equalization 
between  both  sides  of  the  cover.)  VP  operations  should  be  terminated  in  order  to  minimize  thermal 
stresses  on  a  cracked  VP  window.  Installing  the  inner  safety  cover  and  closing  the  outer  cover  ensures 
con  tainmen  t  of  any  loose  glass  debris.  Installing  the  VP  inner  safety  cover  also  ensures  safe 
continuation  of  Spacehab  operations  by  providing  cabin  pressure  redundancy  (as  long  as  the  VP  window 
is  main  taining  pressure ).  @[051 1 94-1 637  ] 
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A10-363  VIEWPORT  CONFIGURATION  FOR  CLOSED  SPACEHAB  HATCH 

FOR  SPACEHAB  OPERATIONS  WITH  THE  SPACEHAB  HATCH  CLOSED,  THE  VP 
OUTER  COVER  WILL  BE  CLOSED  AND  THE  INNER  SAFETY  COVER  WILL  BE 
INSTALLED.  @[051194-1637]  @[021600-7101] 


Failure  conditions  exist  which  would  prevent  re-entry  into  the  module  ( e.  g. ,  after  an  EVA )  to  secure  the 
viewport.  If  orbiter  entry  is  performed  with  the  external  cover  open,  damage  to  the  cover/viewport  is 
likely  to  occur. 


A10-364  LOSS  OF  VP  PRESSURE  INTEGRITY 

FOR  LOSS  OF  VP  PRESSURE  INTEGRITY,  THE  INNER  SAFETY  COVER  WILL  BE 
INSTALLED,  AND  THE  OUTER  COVER  WILL  BE  CLOSED  AND  REMAIN  CLOSED. 
SPACEHAB  OPERATIONS  WILL  BE  TERMINATED. 

The  VP  inner  safety  cover  provides  a  structural  seal  over  the  VP  aperture  that  allows  sufficient  time  to 
complete  a  contingency  Spacehab  deactivation/evacuation  of  the  module  when  VP  pressure  integrity  has 
been  lost.  (A  small  port  in  the  inner  safety  cover  allows  for  venting/air  circulation/pressure  equalization 
between  both  sides  of  the  cover. ) 


A10-365  EVA  REQUIREMENTS  FOR  FAILED  VP  OUTER  COVER 

AN  EVA  IS  NOT  REQUIRED  TO  STOW  OR  SECURE  A  FAILED  OPEN  VP  OUTER 
COVER. 

When  open,  the  VP  outer  cover  does  not  infringe  upon  the  PLED  dynamic  envelope.  Although  there  is  a 
potential  for  VP  mechanism  damage  from  landing  loads,  the  risk  of  an  EVA  to  stow  the  outer  cover  is  not 
warranted.  @[051 1 94-1 637  ] 


@[021 998-6492  ]  ®[1 21 400-3850  ] 
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A10-381  THERMAL  WINDOWPANE  FAILURE  [CIL] 

A  THERMAL  WINDOWPANE  IS  CONSIDERED  FAILED  IF  PIECES  OF  THE  PANE 
ARE  MISSING.  A  CRACKED  THERMAL  WINDOWPANE  IS  NOT  CONSIDERED 
FAILED  WHILE  THE  PANE  REMAINS  INTACT. 

NOTE:  THE  PROBABILITY  OF  A  CRACKED  PANE  FAILING  IS  HIGHEST 

DURING  THE  MAXIMUM  DYNAMIC  PRESSURE  PHASE  (MAX  Q) 

( T=4 0  TO  T=60 )  . 

FOR  A  FAILED  FORWARD  WINDSHIELD  OR  SIDE  HATCH  THERMAL  WINDOWPANE 
PRIOR  TO  THE  RTLS  BOUNDARY,  ABORT  RTLS ,  OTHERWISE  CONTINUE  EOM . 
FOR  A  FAILED  OVERHEAD  THERMAL  WINDOWPANE,  CONTINUE  EOM. 

A  thermal  windowpane  could  fail  due  to  flaws  caused  by  ice  or  other  debris  impacting  it  during  ascent. 

A  cracked  thermal  windowpane  is  more  likely  to  fail  during  MAX  Q  phase.  An  RTLS  abort  should  be 
performed  if  possible  to  minimize  thermal  effects  on  the  remaining  windowpanes  and  structure,  as  the 
RTLS  abort  has  the  most  benign  reentry  thermal  environment  of  all  entry  modes.  The  nominal  and  the 
thermally  similar  AO  A  impose  the  most  heating  on  the  panes. 

TAL  aborts  have  a  slightly  more  benign  thermal  environment  with  respect  to  the  windowpanes  and 
surrounding  structure  than  the  nominal  EOM.  However,  the  risk  of  a  TAL  abort  outweighs  the  benefit 
of  slightly  less  heating  on  the  windows.  Therefore,  post-RTLS,  no  other  abort  should  be  initiated.  The 
overhead  windows  are  not  considered  for  an  RTLS  abort  since  the  thermal  environment  for  these 
windows  during  a  nominal  EOM  entry  is  relatively  benign  (ref.  A/E  FTP  #68,  June  29,  1990). 

A  side  hatch  thermal  pane  failure  may  be  undetectable  during  ascent  because  of  crew  visibility.  For  a 
failed  side  hatch  thermal  pane  or  forward  windshield  past  the  RTLS  boundary,  thermal  conditioning  of 
the  affected  window  may  be  required  prior  to  deorbit,  based  on  real-time  thermal  analysis. 

Rule  [A2-54AJ.2,  RTLS,  TAL.  AND  AOA  ABORTS  FOR  SYSTEMS  FAILURES  [CIL],  references  this 

rule.  @[021998-6493] 


VOLUME  A  06/20/02  FINAL  MECHANICAL  10-132 

Verify  that  this  is  the  correct  version  before  use. 


NASA  -  JOHNSON  SPACE  CENTER 


FLIGHT  RULES 


A10-382  PRESSURE/REDUNDANT  WINDOWPANE  FAILURE 

FOR  A  FAILURE  OF  EITHER  A  PRESSURE  PANE  (I.E.,  UNIFORM  SHATTERING 
OF  AN  INNER  PANEL  INTO  SMALL  PIECES)  OR  A  REDUNDANT  PANE  (I.E., 
CRACKED  OR  SHATTERED  PANE  WITH  FRAGMENTS  AROUND  RETAINER  FRAME) , 
CABIN  PRESSURE  WILL  BE  REDUCED  TO  10.2  PSI.  CABIN  DEPRESSURIZA¬ 
TION  WILL  NOT  BE  ATTEMPTED  PRIOR  TO  THE  POST  INSERTION  TIMEFRAME 
OR  AFTER  SEAT  INGRESS  FOR  ENTRY: 

A.  ON  ASCENT,  AN  ORBIT  3  ENTRY  WILL  BE  PERFORMED. 

B.  ON  ORBIT,  ENTER  NEXT  PLS . 

A  severe  impact  may  break  the  pressure  pane.  Neither  the  pressure  pane  (other  than  severe  impact)  nor 
the  redundant  panel  should  fail.  If  a  failure  of  one  of  these  panes  has  occurred  for  an  unknown  reason, 
the  remaining  windows  may  be  threatened.  Pressure  redundancy  is  required  in  the  orbiter  window 
system  (the  thermal  panel  does  not  provide  cabin  pressure  redundancy).  The  pressure  redundancy 
requirement  is  violated  with  a  failure  of  any  one  of  the  pressure  panes  or  redundant  panes  (windshields, 
overhead  windows,  rear  viewing  windows,  or  side  hatch  window).  Loss  of  both  the  pressure  pane  and  the 
redundan  t  pane  in  a  window  would  result  in  loss  of  crew  and  orbiter. 

Flight  techniques  discussions  have  resulted  in  the  choice  of  an  orbit  3  deorbit  as  the  best  choice  to 
minimize  exposure  time  to  a  single  string  windowpane  situation  without  the  risks  entailed  in  more  rapid 
abort  situations.  A  reduced  cabin  pressure  is  desired  due  to  the  time-at-stress  nature  of  windowpane 
failures. 

Flight  Techniques  have  indicated  that  wearing  the  LES  helmet  for  the  4.6  hours  of  orbit  3  is  acceptable. 
The  reason  for  wearing  the  LES  helmet  after  a  pressure  pane  failure  is  to  reduce  the  possibility  of 
crewmember  exposure  to  shattered  pane  particles.  The  LES  helmet  must  be  worn  for  all  en  tries; 
therefore,  using  anticontamination  goggles  and  masks  until  donning  the  LES  helmet  is  not  desired  for 
the  orbit  3  case  due  to  the  possibility  of  con  tamination  during  the  donning  process. 

Reference  Ascent  Flight  Techniques  Panel  Meetings  #33  and  #36,  August  28  and  October  15,  1987. 
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A10-383  BAILOUT/POSTLANDING  EMERGENCY  EGRESS  PYROTECHNICS 

MANAGEMENT 

A.  THE  SAFING  PIN  FOR  THE  T-HANDLE  BOX  COVER  WILL  BE  REMOVED  AND 
STOWED  PRELAUNCH,  REINSTALLED  DURING  POST  INSERTION,  REMOVED 
AND  STOWED  DURING  DEORBIT  PREP,  AND  REINSTALLED  POSTLANDING. 

This  procedure  improves  access  to  the  pyro  vent  valve  and  side  hatch  jettison  T-handles  during  an 
ascen  t,  entry ,  or  postlanding  emergency,  and  ensures  that  the  handles  are  less  accessible  at  other  times. 

B.  THE  SAFING  PINS  FOR  THE  PYRO  VENT  VALVE  AND  SIDE  HATCH 
JETTISON  T-HANDLES  WILL  NOT  BE  REMOVED  UNLESS  REQUIRED  FOR 
ORBITER  BAILOUT  OF  EMERGENCY  GROUND  EGRESS. 

The  purpose  of  this  rule  is  to  prevent  accidental  activation  of  the  handles.  Removal  of  the  safing  pins 
requ  ires  less  than  1  second  for  each  handle;  therefore,  an  insign  ifican  t  tune  delay  is  imposed  during  an 
emergency. 

C.  THE  PYRO  VENT  VALVE  WILL  ONLY  BE  ACTIVATED: 

1.  DURING  AN  IN-FLIGHT  BAILOUT,  PRIOR  TO  JETTISONING  THE 
SIDE  HATCH. 

2.  DURING  A  POSTLANDING  EMERGENCY  EGRESS,  IF  NECESSARY. 

The  purpose  of  the  pyro  vent  valve  is  to  equalize  the  difference  in  pressure  between  the  crew 
compartment  and  the  outside  atmosphere.  If  the  side  hatch  is  jettisoned  during  an  in-flight  bailout 
before  the  pressure  is  equalized,  the  large  delta  P  will  probably  cause  the  floor  of  the  middeck  to  buckle, 
leading  to  extensive  damage  within  the  vehicle.  The  postlanding  delta  P  is  much  smaller  and  will  not 
buckle  the  middeck  floor.  Because  the  pyro  vent  valve  is  an  ignition  source  in  the  payload  bay,  it  should 
not  be  activated  postlanding  unless  a  side  hatch  emergency  egress  is  impossible  and  the  overhead  escape 
panel  (W8)  will  not  open  due  to  the  delta  P. 

D.  THE  SIDE  HATCH  WILL  ONLY  BE  JETTISONED: 

1.  DURING  AN  IN-FLIGHT  BAILOUT. 

2.  DURING  A  POSTLANDING  EMERGENCY  WHERE  THE  SIDE  HATCH 
CANNOT  BE  OPENED  NORMALLY  AND  RAPID  EGRESS  OF  THE  CREW 
IS  NECESSARY  IN  ORDER  TO  PREVENT  LOSS  OF  LIFE.  IN  THIS 
CASE,  THE  CREW  SHALL  MAKE  EVERY  EFFORT  TO  VERIFY  THAT 
ALL  FIRE/RESCUE  PERSONNEL  ARE  CLEAR  OF  THE  SIDE  HATCH 
BEFORE  IT  IS  JETTISONED. 

This  rule  prevents  unnecessary  damage  to  the  orbiter  and  minimizes  the  risk  that  side  hatch  jettison 
poses  to  fire/rescue  personnel. 
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A10-384  MAXIMUM  NUMBER  OF  FILLED  CWC'S 

THE  NUMBER  OF  FILLED  CONTINGENCY  WATER  CONTAINERS  (CWC'S)  WILL 
NOT  EXCEED  THE  NUMBER  OF  AVAILABLE  CERTIFIED  STOWAGE  LOCATIONS, 

AS  DETAILED  IN  THE  FLIGHT  SPECIFIC  RULES  ANNEX.  ®[1 00997-6345A] 

This  assures  that,  in  the  event  of  an  unplanned  deorbit  (PLS),  all  CWC’s  can  be  stowed  in  locations  that 
will  not  cause  structural  damage  or  endanger  the  crew  in  the  event  of  a  hard  landing.  Determination  of 
the  number  and  placement  of  CWC’s  is  performed  by  DF54/Crew  Systems.  Reference  OFTP  #161, 
February  14,  1997.  @[072398-6621  ] 

A10-385  FILLED  CWC  STOWAGE  MANAGEMENT 

A.  FILLED  CONTINGENCY  WATER  CONTAINERS  (CWC'S)  THAT  MUST  BE 
RETURNED  IN  THE  ORBITER  WILL  BE  DISPOSED  OF  WITH  THE 
FOLLOWING  PRIORITY,  TIME  AND  AVAILABILITY  PERMITTING: 

®[1 00997-6345A]  @[032802-5305] 

1.  OVERBOARD  NOZZLE  DUMP  @[032802-5305] 

A  filled  CWC  represents  a  considerable  mass  that  must  be  properly  restrained  to  insure  structural  loads 
will  not  be  violated  in  an  emergency  landing.  CWC’s  can  be  used  to  transfer  water  from  the  orbiter  to 
ISS.  Stowage  of  filled  CWC’s  will  be  required  if  water  transfer  cannot  be  accomplished.  For  ISS  water 
transfer,  CWC’s  are  normally  filled  to  approximately  100  lbs.  This  weight  is  assumed  below,  unless 
otherwise  stated.  Reference  SODB.  vol.  I,  3.4.1.  To  avoid  the  stowage  and  structural  limits  concern,  it  is 
most  desirable  to  dump  the  water  from  the  CWC’s  overboard  and  then  stow  the  empty  CWC’s.  Filled 
CWC’s  can  also  represent  considerable  mass  stowed  far  forward  of  the  orbiter  CG.  An  overboard  CWC 
dump  prior  to  deorbit  may  relax  propellant  margins  if  ballasting  would  otherwise  be  increased.  However, 
there  must  be  adequate  time  to  dump  water  from  filled  CWC’s  overboard  prior  to  deorbit  prep.  Flight 
data  from  STS-60  shows  that  it  takes  approximately  1  hour  to  dump  a  single  CWC  (the  rate  is  1.56 
Ibm/min).  Certain  stowage  locations  can  accept  loads  imposed  by  a  filled  CWC  during  landing  and  will 
be  utilized  if  dump  capability  is  not  available.  In  cases  where  propellant  margins  are  tight,  stowage 
locations  minimizing  ballast  requirements  are  preferred.  ®[1 00997-6345A]  @[092701-4840  ] 
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A10-385  FILLED  CWC  STOWAGE  MANAGEMENT  (CONTINUED) 

2.  STOWAGE  IN  THE  FOLLOWING  STRUCTURALLY  CERTIFIED  LOCATIONS 
(SEE  FLIGHT  SPECIFIC  RULES  ANNEX  FOR  ADDITIONS)  :  ®[1 00997-6345A] 
@[032802-5305  ] 


LOCATION 

MAXIMUM 

WEIGHT 

(LBS) 

ORBITER  COORDINATES 

X0  Y0  Z0 

MAX.  VOL. 

(CU.  FT.) 

MAX.  # 
CWC’S 

EXTERNAL  AIRLOCK  STOWAGE 
BAG 

[2] 

206 

649 

(BAY2) 

731 

(BAY3) 

0 

333 

9.7 

2 

[1] 

MIDDECK  BAG 

[3] 

206 

545 

?24 

(STBD/ 

PORT) 

333 

(FLOOR) 

382 

(CEILING) 

9.7 

2 

[1] 

INTERNAL  AIRLOCK  CEILING 
BAG 

212 

545 

0 

385 

7 

2 

[IIP] 

INTERNAL  AIRLOCK  KIT  FLOOR 
BAG 

190 

545 

0 

333 

7.33 

2 

[4]  [9] 

VOLUME  F 

240 

491 

33 

315 

8 

2 

mm 

LIOH  BOX  WET  TRASH 

151 

250 

492 

0 

311 

6.7 

2 

■HI 

VOLUME  H 

95 

525 

-42 

317 

3.33 

1 

mm 

VOLUME  G 

f81 

95 

525 

42 

317 

3.33 

1 

in 

VOLUME  D 

271 

439 

0 

314 

9.06 

2 

[4]  [10] 

SEAT  6  STOWAGE  BAG 

204 

492 

-12 

325 

N/A 

2 

SEAT  7  STOWAGE  BAG 

204 

492 

12 

325 

N/A 

2 

ISIS! 

®[1 00997-6345A]  @[072398-6621]  @[022201-3987]  @[092701-4840]  @[032802-5305] 


Reference  SODB,  Vol.  /,  paragraph  3.4.1.  These  locations  would  be  available  (provided  soft  stowage 
can  be  removed  and  stowed  in  alternate  locations)  for  return  of  fully  filled  CWC’s  (95  lbs).  Stowage  of 
partially  filled  CWC’s  will  be  addressed  in  real  time  based  on  approximate  mass  and  available  stowage 
locations.  @[032802-5305  ] 
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A10-385  FILLED  CWC  STOWAGE  MANAGEMENT  (CONTINUED) 

[1]  ANY  VOIDS  SURROUNDING  A  CWC  MUST  BE  FILLED  WITH  SOFT  GOODS  SUCH  AS  CLOTHING  TO  ENSURE  THAT 
THE  CWC  IS  SUPPORTED  ON  ALL  SIX  SIDES.  @[032802-5305  ] 

[2]  206  LBS  IS  MAX  WEIGHT  OF  EXTERNAL  AIRLOCK  BAG.  EXT  A/L  IS  LIMITED  TO  990  LBS  MINUS  THE  WEIGHT  OF 
EMU’S  (TWO  @  330  LBS  EACH).  649  IN.  IS  X-CG  FOR  BAY  2  EXTERNAL  AIRLOCK  LOCATION.  731  IS  X-CG  FOR  BAY 
3  EXTERNAL  AIRLOCK  LOCATION  (FORWARD  TUNNEL  ADAPTER). 

[3]  THE  LIMITS  ARE  VALID  FOR  THE  SMALL  AND  LARGE  VERSIONS  OF  THE  MIDDECK  BAG.  @[072398-6621  ] 

[4]  95  LBS  EACH. 

[5]  RESERVED  @[092701-4840] 

[6]  CWC’S  STANDING  ON  END,  SIDE-BY-SIDE 

[7]  AVAILABLE  ONLY  ON  OV-1 02  WITH  RCRS 

[8]  LOCKER  REMOVAL  REQUIRED  TO  ALLOW  ACCESS  TO  VOLUME  G.  ®[1 00997-6345A] 

[9]  ONLY  AVAILABLE  ON  OV-1 02  @[022201-3987] 

[10]  VOLUME  NOT  AVAILABLE  ON  OV-1 03 

3.  DUMP  INTO  WCS.  @[032802-5305] 

This  option  would  only  apply  if  the  nozzle  dump  were  unavailable,  no  certified  stowage  was  available, 
and  adequate  time  existed.  There  is  only  limited  ullage  in  the  waste  tank,  and  it  is  time  consuming  for 
the  crew  to  do  this.  ®[1 00997-6345A] 
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A10-385  FILLED  CWC  STOWAGE  MANAGEMENT  (CONTINUED) 

4.  STOWED  AND  RESTRAINED  IN  THE  FOLLOWING  UNCERTIFIED 
LOC  AT  IONS:  @[032802-5305  ] 


LOCATION 

MAXIMUM  WEIGHT  (LBS.) 

ORBITER  COORDINATES 

X0  Y0  Z0 

MAX.  # 
CWC’S 

EXTERNAL  AIRLOCK  FLOOR 

300  (MINUS  WEIGHT  OF  OTHER 
FLOOR  STOWAGE) 

649 

(BAY  2) 

731 

(BAY  3) 

0 

333 

2 

FORWARD  TUNNEL  ADAPTER  FLOOR 

TBD 

582 

0 

333 

2 

INTERNAL  AIRLOCK  FLOOR 

225  WITH  4  EMU’S  INSTALLED 

545 

0 

333 

2 

®[1 00997-6345A] 


These  locations  have  not  been  certified,  due  to  possible  inability  to  fully  restrain  CWC’s.  These 
locations  should  only  be  used  when  necessitated  by  lack  of  certified  stowage  and  the  time  criticality  of 
entry.  The  priority  reflects  the  desire  to  remove  the  CWC’s  as  far  as  possible  from  the  cabin,  due  to  the 
possibility  of  hatch  penetration  by  the  CWC  as  a  projectile  during  hard  landing.  Leakage  or  failure  of  a 
CWC  carries  the  risk  of  damaging  electronic  equipmen  t  stowed  in  these  locations.  All  stowage  in  these 
locations  should  be  restrained  on  the  floor  in  such  a  manner  that  it  does  not  in  terfere  with,  or  damage 
existing,  certified  equipment  stowed  nearby  during  landing  settling.  Gray  tape  and  bungies  are 
suggested  (although  uncertified )  methods  of  restraint.  ®[1 00997-6345A] 

B.  THE  NUMBER  OF  FILLED  CWC'S  IN  THE  ORBITER  WILL  NOT  EXCEED  THE 
NUMBER  OF  CERTIFIED  STOWAGE  LOCATIONS  AVAILABLE  FOR  LANDING. 
THE  MAXIMUM  NUMBER  OF  FILLED  CWC'S  THAT  MAY  BE  RETURNED  IN 
THE  ORBITER  IS  FOUR.  EXCEPTIONS/ADDITIONS  TO  THIS  LIMIT  WILL 
BE  ADDRESSED  IN  THE  FLIGHT-SPECIFIC  ANNEX. 

Preflight  planned  stowage  has  been  reviewed  and  the  number  of  certified  stowage  locations  is  limited  to 
this  amount.  The  available  CWC  stowage  locations  are  Vol  H  (1  ),  Vol  G  (1),  and  Vol  F  (2 ).  Changes  to 
this  limit  based  on  planned  stowage  will  be  addressed  on  a  flight -by -flight  basis  in  the  Flight-Specific 
Annex. 

Analysis  of  the  number  of  CWC’s  is  performed  by  DX3 3/Crew  Systems  (OFTP  #161,  February  14,  1997). 
The  structurally  certified  stowage  locations  are  listed  in  Rule  { A10-385B j,  FILLED  CWC  STOWAGE 
MANAGEMENT.  @[032802-5305  ] 
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MMACS  GO/NO-GO  @[062801 -4355A] 


A10-1001  MMACS  GO/NO-GO  CRITERIA  @[021199-6816  ] 


SYSTEMS/COMPONENTS/FUNCTIONS 

CONTINUE 
NOMINAL 
ASCENT  IF: 

INVOKE 

MDF 

IF: 

ENTER  NEXT 
PLS 

IF: 

A. 

APU/HYD: . 

2?  [2] 

1? 

[10]  [11] 

B. 

WSB: . 

m 

1? 

[10]  [11] 

C. 

LANDING  GEAR: . 

1. 

HYD  OR  PYRO  DEPLOYMENT  SYSTEMS . 

[31 

2  ? 

2. 

DIRECTIONAL  CONTROL  (BRAKES,  NWS) . 

ZERO  FAULT 
TOLERANT 

3. 

TIRES  (LEAKING/FLAT) . 

[13] 

D. 

MECHANICAL  SYSTEMS: . 

1. 

PLBD  DRIVE  MOTORS  (2/DOOR) . 

1  CLS  ? 

2  ? 

[8] 

2. 

PLBD  LATCH  DRIVE  MOTORS  (2/GANG) . 

2  ? 

[6] 

3. 

RAD  DEPLOYMENT  SYSTEMS . 

[5] 

4. 

VENT  DOOR  DRIVE  SYSTEMS . 

5. 

ET  UMB  DOOR  CLOSURE . 

[4] 

[14] 

6. 

KU-BAND  ANT  STOW  MECHANISM . 

[9] 

7. 

ROEU/ROFU  MECHANISM . 

8. 

WINDOWS . 

PRESSURE  (OR  REDUNDANT)  PANE . 

1  ? 

THERMAL  PANE  (FORWARD  OR  SIDE  HATCH) 

[12] 

THERMAL  PANE (OVERHEAD) . 

@[041 097-461 1 B]  @[062801 -4355A] 


LEGEND: 

NO  REQUIREMENT 

REQUIRED 


[  ]  NOTE  REFERENCE 
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A10-1001  MMACS  GO/NO-GO  CRITERIA  (CONTINUED) 

The  table  above  gives  the  action  taken  for  specific  MMACS  hardware  losses.  The  decision  to  in  voke 
MDF  or  to  enter  next  PLS  is  based  on  redundancy  and  safety  requirements.  Refer  to  the  MMACS 
systems  loss/failure  definitions  for  what  constitutes  a  “down”  system. 


NOTES: 

[1  ]  LOSS  OF  A  WSB  COULD  RESULT  IN  EVENTUAL  LOSS  OF  ITS  ASSOCIATED  APU  AND  HYDRAULIC  SYSTEM. 

[2]  IF  TWO  APU’S  ARE  SHUT  DOWN  DURING  ASCENT,  AND  THE  THIRD  APU/HYDRAULIC/WSB  SYSTEM  PERFORMANCE 
IS  NOMINAL,  THE  THIRD  ONE  WILL  BE  SHUT  DOWN  AND  LATER  RESTARTED  TO  SUPPORT  A  DAY  1  PLS.  THE 
THIRD  APU/HYDRAULIC/WSB  WILL  NOT  BE  SHUT  DOWN  FOR  AN  AOA,  TAL,  OR  RTLS  ABORT.  IF  THE  THIRD 
APU/HYDRAULIC/WSB  SYSTEMS  ARE  NOT  NOMINAL,  IT  WILL  BE  SHUT  DOWN  AND  RESTARTED  AS  REQUIRED  TO 
SUPPORT  ANY  ABORT  OR  ENTRY. 

[3]  HYDRAULIC  SYSTEM  1  PLUS  2  PYROS. 

[4]  MUST  BE  CLOSED  PRIOR  TO  ENTRY. 

[5]  FAILURE  TO  DEPLOY  ONE  RADIATOR  PANEL  WILL  RESULT  IN  A  20  TO  30  PERCENT  LOSS  OF  HEAT  REJECTION  IN 
THAT  FCL/RAD.  ORBIT  LIFETIME  WILL  BE  DEPENDENT  ON  ORBITER  THERMAL  HEAT  REJECTION  REQUIREMENTS. 

[6]  NEXT  PLS  IF  IN  SEPARATE  LATCH  GANGS  AND  NEXT  FAILURE  RESULTS  IN  MULTIPLE  LATCH  GANG  FAILURES,  OR  IN 
SAME  LATCH  GANG  AND  CANNOT  BE  VISUALLY  VERIFIED  CLEAR  OF  ROLLERS.  NOMINAL  EOM  IF  IN  SAME  LATCH 
GANG  AND  CAN  BE  VISUALLY  VERIFIED  CLEAR  OF  ROLLERS. 

[7]  RESERVED. 

[8]  SAME  DOOR.  IF  DOOR  OPEN  AND  OPEN  CAPABILITY  LOST,  INVOKE  MDF.  ENTRY  IS  REQUIRED  AT  NEXT  PLS  AFTER 
EVA  TO  CLOSE  DOORS  IS  COMPLETED. 

[9]  KU-BAND  ANTENNA  WILL  BE  STOWED  FOR  LOSS  OF  REDUNDANT  STOW  CAPABILITY. 

[1 0]  ENTER  NEXT  PLS  IF  ONE  APU/HYD/WSB  FAILED  AND  THE  NEXT  FAILURE  RESULTS  IN  A  SINGLE  APU  ENTRY. 

[11]  ENTER  NEXT  PLS  AFTER  EXPEDITED  PAYLOAD  DEPLOY,  IF  APPLICABLE. 

[12]  IF  PIECES  ARE  NOTED  MISSING  PRIOR  TO  THE  RTLS  BOUNDARY,  AN  RTLS  ABORT  WILL  BE  PERFORMED. 
OTHERWISE,  CONTINUE  NEOM. 

[13]  ENTER  NEXT  PLS  IF  TIRE  PRESSURE  WILL  BE  <  260  PSIG  (275  PSIA)  AT  NEXT  PLS  LANDING  OPPORTUNITY  PLUS  2 
DAYS. 

[14]  IF  CAPABILITY  TO  CLOSE  ET  DOORS  IS  LOST  PRIOR  TO  RTLS  BOUNDARY,  PERFORM  AN  RTLS.  ®[041 097-461 1 B] 
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SYSTEM  MANAGEMENT  RULES 


All-1  COMMUNICATIONS  DURING  ASCENT 

THERE  ARE  NO  COMMUNICATIONS  FAILURES  FOR  WHICH  THE  ASCENT  PHASE 
WILL  BE  TERMINATED. 

Termination  of  the  ascent  phase  implies  an  immediate  return;  i.  e. ,  an  RTLS,  AOA,  or  TAL/TPL. 

Continuing  to  orbit  is  the  most  benign  environment  for  the  orbiter  and  crew.  In  addition,  there  is  a  high 
probability  of  restoring  at  least  one  communications  link  once  on  orbit;  and,  if  communication  is  not 
restored,  the  orbiter  is  capable  of  a  safe  day  1  return  without  any  further  contact  with  the  MCC. 

All-2  S— BAND/UHF  LAUNCH  REQUIREMENT 

S-BAND  PM  VOICE  WILL  BE  PRIME  FOR  LAUNCH.  THE  UHF  SYSTEM  WILL  BE 
CONFIGURED  IN  TRANSMIT/RECEIVE  MODE  AS  BACKUP  TO  THE  S-BAND  PM 
SYSTEM. 

The  S-band  PM  system  is  the  only  system  available  for  launch  that  can  provide  redundant  real-time 
telemetry,  command,  ranging,  and  duplex  voice  required  for  ascent  phase  support.  SSME  engine 
in  terface  unit  (EIU)  data  uses  the  S-band  FM  system  and  is  redundantly  recorded  on  Ops  recorder  1. 
C-band  skin  tracking  provides  a  redundant  tracking  source,  and  the  UHF  system  provides  an  additional 
simplex  voice  source. 
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All-3  UPLINK  HANDOVER  DURING  ASCENT  FROM  KSC 

UPLINK  HANDOVER  FROM  MIL  TO  PDL  WILL  OCCUR  BEFORE  THE  LINE-OF- 
SIGHT  FROM  THE  ORBITER  TO  MIL  INTERSECTS  THE  SRB  PLUME.  THE 
CARRIER  WILL  REMAIN  ON  PDL  UNTIL  POST-SRB  STAGING.  AT  THAT  TIME 
IT  WILL  BE  HANDED  BACK  TO  MIL  TO  REGAIN  S-BAND  TRACKING. 

During  ascent  it  is  highly  desirable  to  provide  S-band  ranging  data  to  the  MCC  as  an  additional 
tracking  source  for  trajectory  evaluation.  S-band  ranging  is  available  from  M1UMILX  but  not  PDL. 
Ascen  ts  from  KSC  necessarily  result  in  the  line-of-site  from  the  orbiter  to  MIL/MILX  in  tersecting  the 
SRB  plume.  The  SRB  plume  characteristics  are  such  that  severe  S-band  attenuation  (approaching  60 
dB)  and  erratic  phase  shifts  will  adversely  affect  the  S-band  PM  link,  resulting  in  poor  uplink  lock 
conditions  and  intermittent  downlink  data.  To  avoid  the  plume,  the  orbiter  antennas  are  optimized  for 
PDL  from  lift-off  and  the  uplink  is  handed  to  PDL  just  before  plume  intersection  until  after  SRB  staging. 
This  loss  of  S-band  ranging  and  somewhat  weaker  signal  margin  during  this  time  period  is  considered 
preferable  to  intermittent  S-band  uplink  and  downlink  lock  conditions,  since  downlink  vectors  and  C- 
band  tracking  are  still  available  for  trajectory  mon  itoring.  @[092602-5734  ] 

All-4  ORBITER  DATA  PRIORITY  DURING  ASCENT/ENTRY 

ORBITER  DATA  WILL  TAKE  PRIORITY  OVER  PAYLOAD  DATA  DURING 
ASCENT/ENTRY.  PCMMU  SWITCHES  FOR  THE  PURPOSE  OF  RECOVERING 
ORBITER  DATA  WILL  BE  PERFORMED  AT  THE  EXPENSE  OF  PDI  PAYLOAD 
DATA. 

01 MDM  port  failures  and  internal  PCMMU  failures  affecting  downlink  or  crew  display  of  orbiter  data 
can  be  recovered  by  power  cycling  the  active  PCMMU  or  by  switching  to  the  alternate  PCMMU.  During 
ascent/entry  phases,  when  the  SM  major  function  for  PCMMU  reloading  is  unavailable,  the  PDI  data 
downlinked  to  the  MCC  would  be  lost  as  the  PCMMU  defaults  to  Format  129  upon  powerup  and  this 
format  allocates  no  bandwidth  to  PDI  data.  The  intent  of  this  rule  is  to  document  that  monitoring  of 
orbiter  data  during  ascent/entry  takes  precedence  over  remoting  payload  data  to  remote  POCC’s.  PDI 
data  displayed  to  the  crew  will  not  be  affected. 
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All-5  POSTLANDING  S-BAND  ANTENNA  SELECTION 

MCC  WILL  INSURE  THAT  THE  UPPER  ANTENNAS  ARE  SELECTED  FOR 
POSTLANDING  COMMUNICATIONS  SUPPORT. 

A.  MCC  WILL  NOMINALLY  INHIBIT  BFS  ANTENNA  POINTING  AND  SELECT 
UPPER  ANTENNAS  VIA  COMMAND  POST  WHEELSTOP . 

B.  FOR  LOSS  OF  MCC  COMMAND  THE  CREW  WILL  BE  INSTRUCTED  TO 
MANUALLY  SELECT  THE  PROPER  UPPER  ANTENNAS  AFTER  WHEELSTOP. 

Upper  antennas  are  required  to  protect  the  convoy  personnel  from  RF  radiation.  BFS  automatic  antenna 
pointing  is  required  to  be  inhibited  due  to  nominal  postlanding  nav  state  “drift”.  This  drift  in  orbiter 
position  could  cause  an  inadverten  t  antenna  selection  which  could  result  in  a  loss  of  comm  or  a  hazard 
to  the  convoy  personnel.  If  command  is  not  available  the  crew  will  be  instructed  to  manually  select  the 
proper  upper  antennas  which  overrides  the  BFS  automatic  pointing  capability.  This  task  will  be 
performed  for  both  GSTDN  and  TDRS  landings. 

All-6  MINIMUM  COMMUNICATIONS  REQUIREMENTS  FOR  SCHEDULED 

EVA 

IN  ORDER  TO  COMMIT  TO  OR  CONTINUE  A  SCHEDULED  EVA,  EACH  EVA 
CREWMEMBER  MUST  HAVE  TWO-WAY  COMMUNICATIONS  WITH  THE  ORBITER, 
EITHER  DIRECTLY  OR  VIA  THE  OTHER  EVA  CREWMEMBER. 

All  scheduled  EVA’s  are  planned  for  two  crewmembers  who  are  trained  to  coordinate  their  activities 
and  accomplish  their  task  within  a  limited  time.  EVA  activities  often  result  in  encountering  unforeseen 
problems  which  must  be  solved  by  the  EVA  crewmember  on  the  scene  as  the  orbiter  and  MCC  are  in  a 
poor  position  for  offering  assistance.  Additionally,  the  EVA  crewmembers  must  always  be  prepared  to 
assist  each  other  in  case  of  emergency.  Av  long  as  the  EVA  is  scheduled  and  not  required  for 
contingency  reasons  ( e. g. ,  failure  of  the  payload  bay  doors  to  close),  it  is  not  prudent  to  attempt  an  EVA 
without  adequate  means  of  crew  coordination,  even  if  some  mission  objectives  cannot  be  accomplished. 

Rule  { A15-7 },  MINIMUM  RF  COMMUNICATIONS  DEFINITION,  references  this  rule. 
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All-7  KU-BAND  OPERATIONS  DURING  EVA 

A.  FOR  EVA  ACTIVITIES  CONDUCTED  WITHIN  THE  AREAS  PROTECTED  BY 

THE  KU-BAND  BETA  MASK  OR  ORBITER  STRUCTURAL  BLOCKAGE,  THE  KU- 
BAND  MAY  BE  OPERATED  WITHOUT  POINTING  CONSTRAINTS  DURING  AOS 
AND  WILL  BE  PLACED  IN  STANDBY  DURING  LOS. 

When  EVA  activities  are  conducted  within  the  areas  protected  by  the  microprocessor  mask  ( including  the 
Beta  function  in  the  communication  mode)  or  orbiter  structural  blockage,  the  Ku-band  transmitter  is 
automatically  turned  off  protecting  the  crew.  The  radiation  exposure  levels  will  remain  below  20  volts 
meter  which  is  the  limit  exposed  by  the  EMU  specification.  Although  a  single-point  failure  which  could 
allow  the  transmitter  to  radiate  into  the  normally  protected  region  exists,  the  risk  is  considered 
acceptable  because  the  MCC  will  monitor  the  automatic  cutoff  function  during  AOS  and  because  a 
redundant  cutoff  function  (standby  mode)  will  be  commanded  by  MCC  to  be  effective  during  LOS 
periods.  No  permanent  damage  is  expected  at  levels  exceeding  20  volts/meter  although  this  has  not  been 
confirmed  by  tests.  Human  exposure  limits  have  been  defined  as  137  volts/meter.  ®[ED  ] 

1.  A  BETA  MASK  OF  0  DEGREES  BETA  ONLY  WILL  BE  USED  TO 
PROTECT  EVA  CREWMEMBERS  OPERATING  WITHIN  THE  GENERIC 
PAYLOAD  BAY  ENVELOPE.  REFERENCE  RULE  {A15-24},  EVA 
OPERATIONS  IN  THE  GENERIC  PAYLOAD  BAY  ENVELOPE.  ®[ED  ] 

2.  A  BETA  MASK  OF  21  DEGREES  BETA  +  MASK  WILL  BE  USED  TO 
PROTECT  EVA  CREWMEMBERS  OPERATING  ENTIRELY  WITHIN  THE 
CONFINES  OF  THE  PAYLOAD  BAY  MOLDLINE. 

Analysis  presented  at  EVA  Flight  Techniques  #16  in  January  1992  revealed  that  a  Beta  Mask  of  0 
degrees  Beta  Only  will  protect  any  EVA  crewmember  confined  to  operating  within  the  limits  of  the 
generic  payload  bay  envelope  as  defined  in  Rule  {A15-24J,  EVA  OPERATIONS  IN  THE  GENERIC 
PAYLOAD  BAY  ENVELOPE.  The  SM  default  value  of  21  degrees  Beta  +  Mask  is  known  to  protect  the 
Orbiter  payload  bay  moldline  boundary.  ®[ED  ] 

THIS  RULE  CONTINUED  ON  NEXT  PAGE 


VOLUME  A  06/20/02  FINAL  COMMUNICATIONS  11-4 

Verify  that  this  is  the  correct  version  before  use. 


NASA  -  JOHNSON  SPACE  CENTER 


FLIGHT  RULES 


All-7  KU-BAND  OPERATIONS  DURING  EVA  (CONTINUED) 

B.  FOR  EVA  ACTIVITIES  WHICH  MAY  BE  CONDUCTED  EXTERNAL  TO  THE 

KU-BAND  PROTECTIVE  BETA  MASK  OR  ORBITER  STRUCTURAL  BLOCKAGE, 
THE  KU-BAND  S YSTEM/ORBI TER  ATTITUDE  WILL  BE  MANAGED  TO 
PRECLUDE  RADIATING  THE  EVA  CREWMEMBER  WITH  AN  EXPOSURE  OF  > 
20  VOLT/METER  OR  EXPOSURE  IN  THE  MAIN  BEAM  AT  A  RANGE  <125 
METERS  FROM  THE  ANTENNA  FACE.  DURING  AOS  PERIODS,  THE  CREW 
AND  THE  MCC  WILL  BOTH  BE  PREPARED  TO  TAKE  THE  KU-BAND  SYSTEM 
TO  STANDBY  IN  THE  EVENT  THAT  THE  LINE  OF  SIGHT  CROSSES  INTO 
THE  PROTECTED  HEMISPHERE.  DURING  PREDICTED  LOS  PERIODS,  THE 
MCC  WILL  COMMAND  THE  KU-BAND  SYSTEM  TO  STANDBY.  ®[021 998-651 5A] 


When  EVA  activities  are  conducted  outside  the  areas  protected  by  the  microprocessor  mask  or  orbiter 
structural  blockage,  the  Ku-band  transmitter  is  not  automatically  turned  off  to  protect  the  crew.  In  this 
case  it  is  acceptable  to  manage  the  orbiter  attitude  so  that  Ku-band  pointing  will  be  restricted  to  the  +  Z 
hemisphere  ( below  the  X-Y plane)  while  EVA  activities  will  be  conducted  in  the  opposite  hemisphere. 

The  crew  and  the  MCC  will  both  be  prepared  to  take  the  Ku-band  to  STANDBY  in  the  event  that  the  line 
of  sight  crosses  into  the  protected  hemisphere.  This  will  be  based  upon  predicted  times  and  will  be 
backed  up  with  real-time  monitoring  of  antenna  position.  During  predicted  LOS  periods,  the  MCC  will 
command  the  Ku-band  to  STANDBY  to  positively  preclude  any  possibility  of  radiation.  The  maximum 
exposure  levels  are  defined  in  the  rule  for  reference.  ®[021 998-651 5A] 

C.  IF  THE  MMU  IS  FLOWN  OUTSIDE  THE  PAYLOAD  BAY  AND  SIMULTANEOUS 
KU-BAND  TRANSMISSION  IS  REQUIRED,  THEN  MMU  FLIGHT  WILL  BE 
RESTRICTED  TO  THE  ORBITER  -  Z  HEMISPHERE  AND  THE  KU-BAND 
ANTENNA  POINTING  WILL  BE  RESTRICTED  TO  THE  +  Z  HEMISPHERE. 

The  rationale  for  this  rule  applying  to  MMU  operations  is  same  as  rationale  for  paragraph  B. 

D.  USE  OF  THE  KU-BAND  IN  THE  LOW  POWER  RADAR  MODE  DURING  EVA 
OPERATIONS  IS  UNRESTRICTED. 


When  the  Ku-band  system  is  in  the  radar  mode  with  low  power  selected,  analysis  has  shown  that  the 
crewmember  radiation  limits  will  not  be  exceeded  at  any  range  or  look  angle.  Therefore,  EVA 
operations  may  be  freely  conducted  without  any  special  monitoring  or  procedure  for  the  purposes  of 
avoiding  excessive  radiation  levels  of  exposure. 

Rule  (A15-24J,  EVA  OPERATIONS  IN  THE  GENERIC  PAYLOAD  BAY  ENVELOPE,  references  this 
rule. 
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All-8  ORBITER  S-BAND  OPERATIONS  DURING  EVA 

A.  ALL  ORBITER  S-BAND  SYSTEMS  MAY  BE  OPERATED  WITHOUT 
RESTRICTION  DURING  EVA  OPERATIONS  CONDUCTED  WITHIN  THE 
GENERIC  PAYLOAD  BAY  ENVELOPE. 

The  generic  payload  bay  EVA  envelope  was  developed  assuming  the  use  of  simple  avoidance  to  control 
S-band  radiation  to  less  than  120  V/M  (ref.  Rule  / A15-24 },  EVA  OPERATIONS  IN  THE  GENERIC 
PAYLOAD  BAY  ENVELOPE). 

B.  ALL  ORBITER  S-BAND  SYSTEMS  MAY  BE  OPERATED  WITHOUT 
RESTRICTION  DURING  EVA  OPERATIONS  OUTSIDE  THE  GENERIC  PAYLOAD 
BAY  ENVELOPE  AS  LONG  AS  THE  EVA  CREWMEMBER  REMAINS  AT  LEAST  1 
METER  AWAY  FROM  ANY  RADIATING  OR  POTENTIALLY  RADIATING 
ANTENNA. 

An  S-band  dipole  antenna  “near  field”  is  generally  considered  to  extend  approximately  1  meter  from  the 
antenna  in  all  directions.  Within  this  near  field  region,  exact  field  intensities  cannot  be  computed,  and 
as  such,  could  exceed  the  acceptable  level  for  the  EMU  (120  V/M).  If  an  antenna  is  totally  inhibited 
( e. g. ,  PI  turned  OFF  or  S-band  FM forced  to  the  lower  antenna  by  crew  switch)  then  the  EVA 
crewmember  is  not  at  risk  in  approaching  these  antennas.  Since  an  S-band  PM  antenna  under  GPC 
control  could  begin  radiating  without  warning,  the  crewmember  must  stay  1  meter  away  to  ensure  his/her 
safety. 

C.  FOR  EVA  OPERATIONS  WHICH  MUST  BE  CONDUCTED  LESS  THAN  1  METER 
AWAY  FROM  AN  ORBITER  S-BAND  ANTENNA,  STEPS  MUST  BE  TAKEN  TO 
ENSURE  THAT  THE  ANTENNA  WILL  NOT  RADIATE  WHILE  THE  CREWMEMBER 
IS  WITHIN  1  METER. 

An  S-band  dipole  antenna’s  “  near  field”  is  generally  considered  to  extend  approximately  1  meter  from 
the  antenna  in  all  directions.  Within  this  near  field  region,  exact  field  intensities  cannot  be  computed, 
and  as  such,  could  exceed  the  certification  level  for  the  EMU  (120  V/M).  If  an  antenna  is  totally 
inhibited  (e.g.,  PI  turned  OFF  or  S-band  FM  forced  to  the  lower  antenna  by  crew  switch)  then  the  EVA 
crewmember  is  not  at  risk  in  approaching  these  antennas.  Since  an  S-band  PM  antenna  under  GPC 
control  could  begin  radiating  without  warning,  the  crewmember  must  stay  1  meter  away  to  ensure  his/her 
safety. 

Reference  Documentation:  United  Technology/Hamilton  Standard  Engineering  Memorandum 
EMUM-604,  April  30,  1992. 

Rule  (A15-24J,  EVA  OPERATIONS  IN  THE  GENERIC  PAYLOAD  BAY  ENVELOPE,  references  this 
rule. 
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All-9  RECORDER  USAGE 

A.  THE  OPS  OR  SOLID  STATE  RECORDERS  WILL  BE  MANAGED  FROM  THE 
GROUND  SUCH  THAT  ONE  RECORDER  WILL  BE  RECORDING  DURING  EACH 
LOS  PERIOD.  @[092701-4847] 

In  order  to  maximize  mission  data  recovery  and  retrieve  data  for  analysis  concerning  events  or 
anomalies  that  occur  during  LOS  periods,  the  recorders  will  be  managed  accordingly.  Since  this  is  a 
con  tinuous  and  repetitive  function  and  since  data  playback  involves  coordination  with  ground  stations  or 
TDRS,  it  is  best  accomplished  by  the  MCC  rather  than  the  crew.  @[092701-4847  ] 

B.  OPS  DATA  AND  VOICE  (192  KBPS)  WILL  BE  RECORDED  DURING  HIGH 
ACTIVITY  PERIODS  OR  WHEN  REQUIRED  FOR  CREW  VOICE  LOGS. 

DURING  OTHER  PERIODS,  ONLY  DATA  (128  KBPS)  WILL  BE  RECORDED. 
FOR  DOD  ENCRYPTED  FLIGHTS,  THE  OPTION  OF  RECORDING  128  KBPS 
IS  NOT  AVAILABLE. 

Crew  voice  will  be  recorded  only  during  high  activity  mission  phases  (ascent,  entry,  EVA’s,  etc.)  and 
upon  crew  request.  At  other  times  data  will  be  recorded  without  voice.  This  technique  allows  quicker 
data  retrieval  as  the  recorders  can  be  operated  at  a  slower  speed  and  dumped  at  an  8:1  vs.  5:1  rate  with 
voice  disabled. 

C.  IF  THE  REQUIREMENT  TO  RECORD  DATA  AND  VOICE  CAUSES  RECORDER 
CAPACITY  TO  BE  EXCEEDED,  THEN  ONLY  DATA  WILL  BE  RECORDED. 

If  the  recorders  are  expected  to  overflow  for  whatever  reason  (recorder  failure,  site  or  Ku-band 
problems,  etc.)  and  data  and  voice  recording  is  expected  to  be  lost,  only  data  will  be  recorded  (no  voice). 
This  is  the  quickest  and  easiest  way  to  avoid  the  overflow  as  the  dump/  record  ratio  is  then  8:1  as 
opposed  to  5:1.  The  loss  of  crew  recorded  voice  during  high  activity  periods  when  recorded  voice  is 
scheduled  can  be  compensated  for  by  crew  logs,  more  detailed  real-time  voice  reports,  or  other 
hand-held  recorders.  The  loss  of  recorded  data  is  irretrievable,  however,  and  should  be  avoided  if 
possible. 
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All-10  UHF  USAGE 

A.  THE  UHF  TRANSCEIVER  WILL  BE  NOMINALLY  CONFIGURED  IN  SIMPLEX 
259.7  MHZ. 

The  UHF  system  provides  a  completely  independent  source  of  air/ground  voice  to  the  S-band  system. 

The  UHF  system  is  simplex  for  air/ ground  use  (one  direction  at  a  time )  and  can  be  configured  to  any  one 
of  three  frequencies:  296.8,  259. 7  and  243.0  MHz.  The  243.0  MHz  frequency  is  reserved  as  a  guard 
channel  (for  con  tingency  communications  with  air  traffic  con  trol  facilities  only)  and  is  not  normally  used 
on  orbit.  Either  296.8  MHz  or  259.7  MHz  can  be  used  on  orbit  (not  TDRS).  The  259.7  MHz  channel  is 
preferred  as  it  has  the  better  circuit  margins.  Should  ground  interference  disturb  the  crew,  the  UHF 
system  is  often  turned  off.  It  is  generally  turned  off  during  DOD  flights  on  orbit  as  UHF  voice  is  not 
encrypted. 

B.  IN  THE  EVENT  OF  A  ONE-PERSON  EVA,  THE  ORBITER  WILL  BE 
CONFIGURED  FOR  EVA  DUPLEX,  TRANSMIT  ON  296.8,  AND  THE  EVA 
CREWMEMBER  WILL  BE  CONFIGURED  FOR  MODE  "B" .  THERE  WILL  BE  NO 
UHF  COMMUNICATIONS  WITH  THE  GSTDN .  FOR  A  TWO-PERSON  EVA,  THE 
OTHER  EVA  CREWMEMBER  WILL  BE  CONFIGURED  FOR  MODE  "A". 

During  a  two-person  EVA  it  is  desirable  for  each  crewmember  to  transmit  on  his  own  frequency  thus 
enabling  full  conferencing  capability  between  the  IVA  crewmember  in  the  orbiter  arid  both  EVA 
crewmembers.  All  three  parties  can  have  simultaneous  communication,  but  only  when  the  orbiter  is 
configured  for  296.8  MHz  transmit;  one  crewmember  is  in  EVA  mode  A  and  the  other  in  mode  B.  Any 
other  configuration  results  in  less  than  full  conferencing  capability.  In  the  case  where  there  is  only  one 
EVA  crewmember,  it  is  arbitrary,  from  an  onboard  standpoint,  whether  or  not  the  EMU  is  configured  for 
mode  A  or  B  as  either  mode  permits  duplex  communications.  Mode  B  is  preferred,  however,  since  it  uses 
a  transmit  frequency  of  279.0  MHz  which  is  not  used  at  the  GSDTN  sites,  thus  allowing  the  ground  an 
interference-free  interrupt  capability  if  required  on  the  GSDTN  prime  frequency.  When  Mode  A  is  used, 
the  transmit  frequency  is  259.7  MHz,  which  coincides  with  the  prime  GSTDN  UHF  requiring  the  ground 
to  interrupt  on  the  GSTDN  alternate  frequency,  296.8  MHz.  The  orbiter  UHF  mode  ( the  simplex  power 
amp  is  bypassed)  circuit  margins  do  not  permit  UHF  communications  with  the  GSTDN  during  EVA’s, 
but  the  ground  will  be  configured  to  monitor  the  prime  frequency  (259.7  MHz)  should  the  crew  need  to 
call. 
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All-11  S-BAND  FM  USAGE 

A.  THE  S-BAND  SYSTEM  SHALL  BE  REQUIRED  TO  TRANSMIT  MAIN  ENGINE 
DATA  DURING  ASCENT  PHASE. 


The  S-band  FM  system  provides  the  only  real-time  source  of  main  engine  interface  unit  (EIU)  high 
rate  data.  It  is  sufficiently  important  enough  to  require  downlinking  in  real  time  as  well  as  being 
redundantly  recorded  onboard. 

B.  FOR  THE  REMAINDER  OF  THE  FLIGHT,  THE  S-BAND  FM  SYSTEM  WILL  BE 
USED  FOR  TV,  OPS  RECORDER  DUMPS,  SOLID  STATE  RECORDERS  DUMPS 
(SSR) ,  REAL-TIME  PAYLOAD  DATA,  AND  PAYLOAD  RECORDER  DUMPS. 
@[102402-5735] 

The  S-band  FM  system  provides  a  wideband  downlink  to  GSDTN  sites  (not  for  TDRS)  which  can  be 
configured  for  any  one  of  several  inputs  (e.g.,  Ops  or  Payload  recorder  dumps,  SSR’s,  TV,  and  real¬ 
time  analog,  or  digital  payload  data).  Individual  mission  requirements  will  dictate  when  these  inputs 
will  be  required  to  use  the  FM  system  for  a  particular  flight  and  what  the  time-sharing  plan  will  be. 
@[102402-5735] 
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All-12  S-BAND  PM  USAGE 

A.  THE  S-BAND  PM  SYSTEM  2  LRU'S  WILL  NOMINALLY  BE  SELECTED  VIA 
COMMAND  FOR  THE  ENTIRE  FLIGHT.  ONBOARD  SWITCHES  WILL  BE  IN 
THE  SYSTEM  1  LRU  CONFIGURATION. 

Since  the  S-band  system  is  the  prime  orbiter  communications  system,  it  is  desirable  that  switchover 
capability  to  the  redundan  t  system  be  reachable  from  the  CDR  or  PLT  seats  during  ascen  t/entry  and 
other  high  activity  phases.  The  design  of  panel  and  command  hybrid  driver  logic  within  the  GCIL  allows 
the  en  tire  S-band  PM  system  ( NSP ,  XPNDR,  antenna  electronics,  Power  Amp,  Pre  Amp)  to  be  switched 
to  the  redundant  string  with  a  single  switch  on  panel  C3.  The  redundant  string  is  selectable  via  the 
panel  C3  switch  (nominally  string  1).  The  choice  of  system  1  or  2  is  arbitrary;  however,  the  Flight  Data 
File  has  long  been  written  assuming  this  configuration. 

B.  THE  GROUND  WILL  BE  PRIME  FOR  OPERATION  OF  THE  S-BAND  PM 
SYSTEM. 

The  orbiter  S-band  PM  system  must  be  configured  differently  for  TDRS,  GSTDN  or  SGLS  modes 
continuously  as  required  during  the  flight.  This  is  a  routine,  repetitive  task  necessary  during  both  crew 
awake  and  crew  sleep  periods  in  order  to  maximize  data  retrieval  and  is  best  done  by  MCC  to  free  the 
flightcrew  for  more  mission-unique  tasks.  Additionally,  through  telemetry  indications  from  the  orbiter 
and  using  voice  reports  and  other  indications  from  TDRS,  GSTDN,  and  SGLS  sites,  the  MCC  has  better 
overall  visibility  into  the  total  air/ground  communications  network  and  is  better  suited  for  operating  the 
total  system,  especially  during  lion-nominal  conditions. 

C.  S-BAND  PM  ANTENNA  MANAGEMENT  WILL  BE  VIA  GPC  AUTOMATIC 
ANTENNA  SELECTION. 

S-band  PM  antenna  management  can  be  done  either  manually  by  the  crew  or  ground  or  via  GPC 
automatic  selection.  As  long  as  the  GPC’s  knowledge  of  attitude  and  position  is  accurate,  it  is  less  error 
prone  to  enable  automatic  selection.  This  has  the  added  benefit  of  greatly  reducing  crew  or  ground 
workload  for  what  is  largely  a  routine  function. 
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All-13  S-BAND  PAYLOAD  USAGE 

A.  THE  S-BAND  PAYLOAD  SYSTEM  1  LRU'S  WILL  NORMALLY  BE  USED  TO 
SUPPORT  PAYLOAD  OPERATIONS.  ONBOARD  SWITCHES  WILL  MATCH  THE 
DESIRED  CONFIGURATION. 

The  S-band  payload  system  consists  of  redundant  PI/PSP  strings.  Although  there  are  exceptions  on  some 
flights,  the  flightcrew  is  typically  much  more  involved  with  the  usage  of  this  system  than  in  the  S-band 
PM  system,  the  management  of  which  is  primarily  a  ground  function.  The  switch  setup  for  S-band  PM  is 
unmatched  from  that  commanded  so  that  the  crew  need  throw  a  minimum  number  of  switches  to  restore 
communications  in  the  event  of  onboard  failure.  In  the  case  of  the  S-band  payload  system,  it  is 
preferable  to  have  the  switches  match  the  commanded  configuration  so  that  the  crew  can  easily  track  the 
current  status  since  they  are  the  prime  system  operators. 

B.  THE  S-BAND  PAYLOAD  INTERROGATOR  (PI)  CHANNEL  SELECT 
THUMBWHEELS  WILL  BE  CONFIGURED  SO  THAT  INADVERTENT  PI 
ACTIVATION  WILL  NOT  INTERFERE  WITH  THE  S-BAND  PM  SYSTEM. 

THE  STANDARD  SETTING  FOR  ASCENT/ENTRY  SHALL  BE  CHANNEL  910. 

@[102402-5737] 

Although  the  PI  may  be  unpowered,  a  single-point  failure  exists  that  can  inadvertently  result  in  PI 
activation.  Should  this  occur  when  the  selected  channel  is  one  that  interferes  with  the  S-band  PM  uplink 
or  downlink,  a  loss  of  uplink  or  downlink  PM  lock  may  occur  disrupting  the  prime  mode  of 
communications.  The  cause  of  this  unexpected  disruption  would  be  difficult  to  detect,  result  in 
confusion,  and  the  workaround  would  not  be  obvious  even  if  the  alternate  UHF  link  were  available. 
Therefore,  it  should  be  avoided.  Channel  910  is  safe  for  ascent/entry  since  it  cannot  cause  any 
interference.  ®[1 02402-5737  ] 
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All-14  CREW  ALERT  SPC'S 

DURING  TIME  PERIODS  WHEN  ALL  CREWMEMBERS  SLEEP  SIMULTANEOUSLY, 

A  CREW  ALERT  SPC  WILL  BE  ROUTINELY  USED  TO  ALERT  THE  CREW  TO 
COMMUNICATIONS  SYSTEMS  PROBLEMS.  THE  SPC  WILL  TIME  OUT 
APPROXIMATELY  HALFWAY  THROUGH  THE  SLEEP  PERIOD  IN  THE  EVENT  OF 
A  LOSS  OF  UPLINK  COMMAND. 

The  crew  alert  commands  result  in  an  onboard  class  3  alarm.  When  loaded  into  the  SM  SPC  buffer 
during  time  periods  when  all  crewmembers  are  sleeping,  it  can  be  used  to  alert  the  crew  that  uplink 
S-band  command  and  probably  voice  capability  has  been  lost.  The  crew  alert  commands  are  uplinked  at 
the  beginn  ing  of  a  sleep  period  and  timetagged  to  execu  te  midway  through  the  sleep  period.  Should  no 
loss  of  command  occur,  these  commands  are  cleared  from  the  SPC  buffer  before  execution.  If  uplink 
command  is  lost,  it  is  possible  that  uplink  voice  or  even  downlink  voice  and  telemetry  may  be  lost  as  well 
since  common  components  are  used.  Single-point  failures  in  the  S-band  PM  system  exist  making  this 
possible.  UHF  provides  a  redundant  voice  source  but  is  often  deactivated  during  crew  sleep  periods  due 
to  ground  in  terference.  Therefore,  the  crew  alert  commands  are  used  to  warn  the  crew  of  a  possible  loss 
of  all  monitoring  capability  and  all  communications  capability.  This  is  considered  serious  enough  to 
wake  the  crew. 


All-15  ELBOW  CAMERA/ PAYLOAD  INTERFERENCE  [CIL] 

FOR  THOSE  MISSIONS  WHERE  AN  ELBOW  CAMERA/PAYLOAD  INTERFERENCE 
PROBLEM  EXISTS,  THE  ELBOW  CAMERA  WILL  NOT  BE  ACTIVATED  UNLESS  THE 
INTERFERENCE  PROBLEM  IS  ELIMINATED.  THIS  APPLIES  EVEN  IF  THE  RMS 
IS  DEPLOYED. 

FLIGHT-SPECIFIC  EXCEPTIONS  FOR  HIGH  PRIORITY  OPERATIONS  WILL  BE 
IDENTIFIED  IN  THE  FLIGHT  RULES  ANNEX. 


Due  to  the  geometry  of  the  elbow  camera  25 -degree  mounting  wedge  when  the  MPM  is  stowed,  the 
maneuvering  envelope  of  the  camera  intrudes  upon  the  maximum  payload  envelope.  A  potential 
interference  problem  exists  with  a  payload  manifested  at  the  same  X  location  as  the  elbow  camera.  The 
in  terference  could  preven  t  stowing  the  MPM’s  and  require  an  RMS  jettison  or  EVA  to  close  PLBD’s. 
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All-16  KU-BAND  MANAGEMENT 

THE  ORBITER  KU-BAND  SYSTEM  WILL  BE  OPERATED  IN  THE  "BETA  PLUS 
MASK"  MODE  WITH  A  LIMIT  OF  21  DEGREES  UNLESS  A  PAYLOAD 
EXTENDS  BEYOND  THE  PAYLOAD  BAY  DOOR  ENVELOPE.  IN  THIS  CASE, 
FLIGHT-SPECIFIC  KU  MASKING  IS  DEFINED  IN  RULE  {A2^25},  IFM 
PROCEDURES  ON  EXPERIMENTS  WITH  TOXIC  HAZARDS.  ®[ED  ]  @[102402-5742] 

The  Ku-band  masking  is  used  to  protect  a  payload  in  the  payload  bay  from  the  Ku  main  beam  RF 
radiation.  A  limit  of  21  degrees  in  the  “Beta  Plus  Mask ”  mode  will  protect  the  entire  bay  up  to  the 
payload  bay  door  moldline  and  prevent  any  part  of  the  bay  being  exposed  to  a  level  greater  than  10  volts 
per  meter  (the  ICD  limit).  This  masking  mode  also  provides  the  maximum  comm  coverage  while  still 
providing  the  required  protection.  @[102402-5742  ] 

If  a  payload  instrument  is  present  which  extends  beyond  the  payload  bay  door  moldline,  then  this 
masking  may  not  protect  the  payload  from  levels  higher  than  the  ICD  level.  The  required  mode  and  beta 
limit  is  then  dependent  on  the  location  of  the  payload  in  the  bay  and  on  the  dimensions  of  the  payload. 
Thus,  the  limit  must  be  calculated  for  the  specific  mission  case.  @[102402-5742  ] 

Note  that  the  beta  mask  function  does  not  apply  to  Ku  radar  operation.  The  radar  mode  uses  the  old 
microprocessor  mask  which  is  equivalent  to  beta  plus  mask  with  a  limit  of  -90  degrees.  This  is  more 
restrictive  ( i. e. ,  more  protection)  than  21  degrees.  ®[ED  ] 

Rule  (A2-118J,  RNDZ/PROX  OPS  COMMUNICATION  SYSTEMS  MANAGEMENT,  references  this  rule. 
@[061396-1961  ] 
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All-17  PI  CHANNELS  AND  S-BD  FREQUENCIES  COMPATIBILITIES 

IN  ORDER  TO  PREVENT  MUTUAL  INTERFERENCE  BETWEEN  THE  PAYLOAD 
INTERROGATOR  (PI)  AND  THE  S-BAND  PM  SYSTEM,  THE  FOLLOWING  PI 
CHANNELS  AND  S-BAND  PM  FREQUENCIES  COMPATIBILITY  TABLE  WILL  BE 
FOLLOWED  FOR  ALL  PI  OPERATIONS:  @[090894-1 648B] 


COMPATIBLE  PI  CHANNELS  AND  S-BAND  PM  FREQUENCIES 

WHEN  USING  PI  CHANNEL 

USE  S-BAND  PM  FREQUENCY 

001-407 

HIGH 

408-433 

NOT  COMPATIBLE  WITH  LOW  OR  HIGH  * 

434-883 

LOW 

899-909 

HIGH 

910-920 

LOW 

*  PI  INTERFERENCE  WITH  SSA  FORWARD  LINK  TEST  SHOWS  THAT  THERE  IS  A  POTENTIAL  FOR  DEGRADED  SSA 
FORWARD  LINK  ACQUISITION  AND;  THEREFORE,  THIS  PI/S-BD  PM  COMBINATION  (408-420/421-433)  WILL  NOT  BE 
USED.  EXCEPTIONS  MAY  BE  MADE  ON  A  FLIGHT  SPECIFIC  BASIS  BY  DETAILED  ANALYSIS. 

The  S-Band  PM  system  and  Payload  Interrogator  selectable  frequencies  overlap  and  if  not  properly 
selected  could  in  terfere  with  each  other.  The  consequence  of  selecting  channels  other  than  those  noted 
in  the  table  above  are  unknown  and  potentially  compromise  S-Band  PM  communications  and/or 
communications  with  a  detached  payload.  Reference  ESTL  report  EE7-93-214.  ®[090894-i648B] 

All-18  COMSEC  USAGE 

IN  ORDER  TO  PROTECT  THE  ORBITER  FROM  UNAUTHORIZED  COMMANDS,  THE 
S-BAND  SYSTEM  UPLINK  WILL  NORMALLY  BE  ENCRYPTED  FOR  ALL  FLIGHTS. 

Configuring  the  S-band  uplink  for  encryption  protects  against  unauthorized  commands  being  received 
via  both  the  S-band  and  Ku-band  systems  as  the  COMSEC  equipment  interfaces  with  the  NSP  which  is 
common  to  both  systems.  Uplinks  bypassing  the  NSP  can  still  be  received  via  the  alternate  (216  kbps) 
Ku-band  channel ,  but  this  channel  (intended  for  OCA  and  high  rate  payload  data)  does  not  interface 
with  the  GPC’s  or  other  critical  orbiter  systems.  ®[1 11298-6778  ]  ®[01 2402-5068  ] 
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All-19  UPLINK  BLOCK 

A.  WHEN  SM  IS  UNAVAILABLE  AND  THE  UPLINK  IS  NOT  ENCRYPTED, 

COMMANDS  WILL  BE  BLOCKED  VIA  "UPLINK"  SWITCH  WHEN  COMMAND 
ACTIVITY  IS  NOT  REQUIRED.  LOSS  OF  THE  BLOCK  FUNCTION, 
HOWEVER,  IS  NOT  A  CONSTRAINT  TO  CONTINUING  TO  NOMINAL  EOM . 


National  Security  Decision  Directive  145  (NSDD  145 )  and  NASA  policy  dictates  that  the  uplink 
command  path  be  blocked  or  encrypted  to  prohibit  unauthorized  command  sources  from  reaching  the 
orbiter.  This  is  necessary  to  preclude  any  possibility  of  unwanted  GMEM’s,  DEU  equivalents,  etc.,  from 
disrupting  or  endangering  flight  operations.  When  SM  and  encryption  are  both  unavailable,  the  crew  is 
required  to  manually  enable  or  block  the  uplink  using  the  UPLINK  switch  in  panel  C3  since  no 
automatic  function  exists. 

B.  WHEN  SM  IS  AVAILABLE,  UPLINK  COMMANDS  WILL  BE  AUTOMATICALLY 
BLOCKED  BY  THE  SM  SOFTWARE  WHENEVER  THE  SITE-IN-VIEW  FLAG  IS 
NOT  PRESENT  AND  THE  UPLINK  WILL  NORMALLY  BE  ENCRYPTED. 
REFERENCE  RULE  {All-64},  LOSS  OF  COMMUNICATION  SECURITY 
(COMSEC) . 


SM  software  and  the  use  of  encryption  provide  uplink  protection  during  on-orbit  periods.  Rule  {All- 
64},  LOSS  OF  COMMUNICATION  SECURITY  (COMSEC),  addresses  cases  when  COMSEC  is 
failed. 


All-20  UPLINK  COMMANDING  DURING  OPS  TRANSITIONS 

NORMALLY,  UPLINK  COMMANDING  TO  THE  ORBITER  WILL  BE  PROHIBITED 
DURING  OPS  MODE  TRANSITIONS. 

Because  of  software  cleanup  operations  during  an  OPS  transition,  there  is  a  short  (1  second)  window  of 
vulnerability  where  a  redundan  t  set  split,  fail-to-sync,  or  erroneous  command  may  occur  if  an  uplink 
command  is  received.  This  could  be  hazardous  during  time-critical  operations  or  could  cause  serious 
delays  to  mission  completion  operations. 
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All-21  CRITICAL  UPLINK  COMMAND  POLICY 


CRITICAL  COMMANDS 
OR  DURING  PERIODS 
COMMANDS  ARE  TIME 


SHALL  NOT  BE  UPLINKED  WITHIN  10  MINUTES 
OF  PREDICTED  POOR  COMMUNICATIONS  UNLESS 
CRITICAL  TO  OPERATIONS. 


OF  LOS 
THOSE 


During  periods  of  marginal  communications,  error  rates  increase  and  uplinks  have  a  higher  probability 
of  dropouts.  Commands  which  are  critical,  such  as  GMEM’s,  state  vectors,  etc.,  but  not  time  critical, 
should  only  be  uplinked  when  sufficient  time  remains  to  assess  the  success  of  those  commands  on  the 
onboard  systems. 


All-22  TWO-STAGE  COMMAND  BUFFER  TLM  REJECT 

NO  TWO-STAGE  COMMANDS  SHALL  BE  EXECUTED  WHEN  THE  TWO-STAGE 
COMMAND  BUFFER  IS  NOT  AVAILABLE  VIA  TELEMETRY  TO  VERIFY 
SUCCESSFUL  UPLINK,  WITHOUT  THE  APPROVAL  OF  THE  FLIGHT  DIRECTOR. 


Without  telemetry,  the  ground  cannot  verify  that  the  uplinked  command  has  correctly  been  received 
onboard.  However,  for  cases  where  not  executing  a  command  may  have  worse  consequences  than  the 
possible  consequences  of  an  erroneous  command,  the  Flight  Director  may  elect  to  approve  execution  of 
the  command.  @[060800-7213] 

All-23  KU  BAND  TRANSMITTER  INHIBITED  DURING  ACQUISITION 

OF  TDRS  INSIDE  THE  RF  PROTECT  BOX 

THE  KU  BAND  SYSTEM  SHALL  BE  INHIBITED  FROM  RADIATING,  DURING 
ACQUISITION  OF  THE  TDRS  SATELLITE,  WHEN  IT  IS  PREDICTED  TO  BE 
POINTING  INSIDE  THE  KU  BAND  RF  PROTECT  BOX.  @[110900-7263] 


A  race  condition  was  discovered  in  the  antenna  management  flight  software  that  allows  radiation  to 
occur  while  the  Ku  Band  system  is  slewing  to  the  designated  pointing  angles  inside  the  RF  protect  box. 

To  prevent  inadvertent  radiation  of  protected  regions,  the  ground  will  inhibit  the  Ku  Band  from  radiating 
prior  to  the  acquisition  of  TDRS  inside  the  RF  protect  box.  This  condition  only  occurs  when  the  Ku 
Band  is  performing  a  fast  slew  to  angles  which  are  inside  the  RF  protect  box  but  outside  the  beta 
masking.  ®[1 1 0900-7263  ] 

All-24  THROUGH  All-50  RULES  ARE  RESERVED 
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SYSTEM  FAILURE  RULES 


All-51  LOSS  OF  TWO-WAY  VOICE 

IF  ONLY  A  SINGLE  SOURCE  OF  ENTRY  TWO-WAY  VOICE  COMMUNICATIONS 
REMAINS  (COMMAND  OK) ,  THE  FLIGHT  WILL  BE  TERMINATED  AT  THE  NEXT 
PLS .  IF  THIS  OCCURS  ON  FD  1  HOWEVER,  DELAY  ENTRY  UNTIL  FD  2. 
THIS  COULD  RESULT  FROM  THE  FOLLOWING  FAILURES: 


A. 

TWO 

NSP'S  ( 

UPLINK  OR  DOWNLINK) . 

B. 

TWO 

XPNDRS 

(UPLINK  OR  DOWNLINK  WITH  UNSUCCESSFUL  IFM) 

C. 

UHF 

AND  ONE 

NSP  OR  XPNDR . 

Voice  communications  is  the  most  valuable  communications  mode  of  all  due  to  its  flexibility.  In 
contingency  cases  when  command  or  telemetry  is  lost,  voice  can  be  used  as  a  substitute  although  it  is  a 
slower  means  of  conveying  this  type  of  information.  It  is  the  only  satisfactory  means  of  crew/MCC 
coordination  during  high  activity  phases.  The  only  available  voice  sources  during  entry  are  the  two 
S-band  channels  (A/G  1  and  2)  arid  UHF.  A/G  1  and  2  are  redundant  and  UHF  is  partially  redundant. 
Should  a  combination  of  failures  result  in  being  a  single  failure  away  from  loss  of  all  entry  two-way 
voice,  it  is  best  to  be  prudent  and  terminate  the  mission  while  overall  systems  and  landing  site  status  are 
known  and  understood.  This  is  more  prudent  than  risking  future  occurrences  which  could  result  in  a 
crew  or  vehicle  safety  hazard  due  to  the  absence  of  a  satisfactory  means  of  crew/MCC  coordination.  In 
the  event  these  multiple  voice  failures  occur  on  FD  1,  it  is  better  to  stay  on  orbit  until  the  next  day  and 
deliberately  plan  on  the  possibility  of  a  no-voice  entry  rather  than  rush  through  deorbit  activities  while 
adapting  to  the  zero  g  environment. 

Rules  {All -63 A},  C,  and  D,  LOSS  OFNSP’s;  {A11-58B},  LOSS  OF  TRANSPONDERS;  and  {All-1001 }, 
COMMUNICATIONS  GO/NO-GO  CRITERIA,  reference  this  rule. 
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All-52  LOSS  OF  BOTH  VOICE  AND  COMMAND 

A.  DURING  ASCENT  -  CONTINUE  TO  ORBIT:  @[092701-4816] 

1.  IF  GPS  IS  NOT  VERIFIED  TO  BE  FUNCTIONING  PROPERLY, 

DEORBIT  ON  ORBIT  2. 

2.  IF  GPS  IS  VERIFIED  TO  BE  FUNCTIONING  PROPERLY,  DEORBIT  ON 
PREFERRED  FIRST  DAY  PLS  OPPORTUNITY. 

Continuing  to  orbit  is  the  most  benign  action.  If  GPS  is  not  verified  to  be  functioning  properly 
(hardware  problems  or  commfaults,  extended  periods  of  high  FOM,  extended  periods  of  less  than  4 
satellite  tracking),  deorbit  on  orbit  2  is  recommended  since  this  allows  sufficient  time  to  perform  the  loss 
of  command  and  voice  procedures  while  minimizing  the  degradation  of  the  onboard  state  vector. 

Deorbit  on  orbit  3  would  probably  not  be  useful  from  a  systems  recovery  standpoint  and  only  causes 
further  degradation  of  the  state  vector. 

GPS  will  provide  an  adequate  source  for  orbit  navigation  and  the  deorbit  state  vector  as  long  as  it  is 
verified  to  be  functioning  properly  (no  hardware  problems  or  commfaults,  no  extended  periods  of  high 
FOM,  no  extended  periods  of  less  than  4  satellite  tracking).  Caution  should  be  taken  when  using  GPS 
state  vectors  with  FOM’s  >  5  (650 feet  position  error  one  sigma),  since  the  estimated  position  error 
increases  rapidly  with  higher  FOM  values.  A  later  first  day  PLS  deorbit  may  be  preferred  over  an  orbit 
2  deorbit  after  a  loss  of  both  voice  and  command.  Deorbit  capability,  weather  forecasts,  and  lighting 
conditions  will  be  considered  for  the  landing  site  selection. 

THIS  RULE  CONTINUED  ON  NEXT  PAGE 
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All-52  LOSS  OF  BOTH  VOICE  AND  COMMAND  (CONTINUED) 

B.  ON-ORBIT  -  DEORBIT  TO  THE  PLS  AT  THE  TIG  OF  THE  SLEEP  VECTOR 
TARGET  SET.  IF  THIS  TIG  IS  IN  THE  PAST  OR  A  SLEEP  VECTOR  IS 
NOT  ONBOARD,  THEN: 

1.  IF  GPS  IS  NOT  VERIFIED  TO  BE  FUNCTIONING  PROPERLY  AND  NO 
ALTERNATE  VOICE  OR  FILE  TRANSFER  PATH  EXISTS  TO  UPDATE 
THE  ONBOARD  STATE  VECTOR,  DEORBIT  WITHIN  THE  NEXT  13 
HOURS  IF  PERIGEE  IS  GREATER  THAN  OR  EQUAL  TO  120  NM;  OR 
THE  NEXT  9  HOURS  IF  PERIGEE  IS  GREATER  THAN  105  NM,  BUT 
LESS  THAN  120  NM;  OR  FROM  LOSS  OF  VOICE  AND  COMMAND 
ACCORDING  TO  THE  FOLLOWING  PRIORITIES: 

a.  THE  NEXT  LIGHTED  CONUS  OPPORTUNITY. 

b.  THE  NEXT  CONUS  OPPORTUNITY. 

C.  THE  NEXT  LIGHTED  ELS  OPPORTUNITY.  @[092701-4816] 

2.  IF  GPS  IS  VERIFIED  TO  BE  FUNCTIONING  PROPERLY  OR  AN 
ALTERNATE  VOICE  OR  FILE  TRANSFER  PATH  EXISTS,  DEORBIT 
NEXT  PLS,  PREFERABLY  TO  A  LIGHTED  OPPORTUNITY.  @[092701-4816] 

A  study  was  presented  to  Orbit  Flight  Techniques  Panel  # 86  (6/10/88)  which  shows,  for  a  general  case, 
an  onboard  state  vector  will  remain  within  tolerances  per  Rule  { A4-154 ),  DOWNTRACK  ERROR,  for  13 
hours  if  perigee  is  greater  than  120  nm.  A  subsequent  study  showed  that  the  vector  will  remain  within 
tolerances  for  9  hours  if  perigee  is  greater  than  105  nm.  This  assumes  a  1-sigma  case  with  a  semi-major 
axis  error  of  1000 feet  and  a  downtrack  error  of  20,000 feet  at  loss  of  communication  ( the  crew  will  be 
informed  if  the  ground  is  unable  to  maintain  the  vector  to  this  accuracy.)  This  was  approximately  the 
average  quality  of  the  onboard  state  vector  before  a  new  one  was  uplinked  based  on  previous  flight  data. 
This  was  selected  to  reduce  the  chance  of  committing  to  an  ELS  landing.  It  is  therefore  best  to  deorbit 
within  the  specified  time  limits  unless  the  state  vector  is  confirmed  for  a  future  landing  opportunity  or 
GPS  is  verified  to  be  functioning  properly  (no  hardware  problems  or  commfaults,  no  extended  periods  of 
high  FOM,  no  extended  periods  of  less  than  4  satellite  tracking)  to  maintain  state  vector  accuracy.  State 
Vector  confirmation  can  come  as  a  sleep  vector  (zero  delta-V  command  load  with  the  TIG  of  the  deorbit 
burn  to  the  PLS)  or  by  voice  at  the  time  the  state  vector  was  uplinked. 

THIS  RULE  CONTINUED  ON  NEXT  PAGE 
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All-52  LOSS  OF  BOTH  VOICE  AND  COMMAND  (CONTINUED) 

If  the  onboard  state  vector  has  been  confirmed  for  a  deorbit  to  the  next  PLS,  it  is  best  to  plan  for  that. 

The  case  where  the  confirmation  has  not  been  received  and  GPS  is  not  verified  to  be  functioning  properly 
(hardware  problems  or  commfaults,  extended  periods  of  high  FOM,  extended  periods  of  less  than  4 
satellite  tracking)  is  more  difficult.  It  is  clearly  more  desirable  to  land  at  a  CONUS  landing  site 
con  tain  ing  a  full  complemen  t  of  landing  aids.  It  is  also  more  desirable  to  land  during  the  day. 

Therefore,  the  next  two  priorities  are  a  lighted  CONUS  landing,  then  a  dark  one. 

If  no  CONUS  opportunity  exists  within  the  specified  times,  it  is  best  to  deorbit  as  soon  as  possible  to  the 
next  lighted  ELS.  There  will  always  be  a  lighted  ELS  opportunity  within  the  next  9  hours  at  any  time 
during  the  mission,  so  a  dark  ELS  landing  is  not  addressed. 

GPS  will  provide  an  adequate  source  for  orbit  navigation  and  the  deorbit  state  vector  as  long  as  it  is 
verified  to  be  functioning  properly.  Caution  should  be  taken  when  using  GPS  state  vectors  with  FOM’s 
>  5  (650 feet  position  error  one  sigma),  since  the  estimated  position  error  increases  rapidly  with  higher 
FOM  values.  Orbit  stay  periods  of  up  to  24  hours  or  longer  may  be  performed  to  avoid  ELS  landings  if 
GPS  is  used  to  maintain  the  onboard  state  vector.  Deorbit  capability,  weather-forecasts,  and  lighting 
conditions  will  be  considered  for  the  landing  site  selection. 

If  the  Ku-band  and  Orbited  Communications  Adapter  ( OCA)  systems  are  operational  or  a  comm  link  via 
ISS  is  available,  a  delta  state  update  can  be  performed.  The  orbiter  state  vector  can  be  downlinked  to 
the  MCC  via  OCA  file  transfer  or  read  down  by  the  crew  via  OCA  videoconference  or  ISS  assets  if  GNC 
downlist  telemetry  is  not  available.  Once  the  ground  has  computed  the  delta  state,  it  can  be  uplinked  to 
the  orbiter  via  OCA  file  transfer  or  read  up  via  OCA  videoconference  or  ISS  assets.  The  crew  can  then 
manually  enter  the  delta  state  into  the  GPC  in  GNC  OPS  3.  The  generation  of  the  orbit  delta  state  by  the 
ground  is  no  longer  trained  and  will  require  a  thorough  procedure  review  prior  to  implementation. 

Orbit  stay  periods  can  be  extended  to  next  PLS  to  avoid  cm  ELS  landing  if  GPS  or  delta  states  are 
available  to  keep  the  state  vector  within  limits.  ®[021 998-651 6  ]  @[092701-4816  ] 
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All-53  LOSS  OF  COMMAND 

IF  ALL  COMMAND  CAPABILITY  IS  LOST  BUT  AT  LEAST  TWO  SOURCES  OF 
ENTRY  VOICE  ARE  STILL  AVAILABLE,  AN  MDF  WILL  BE  PERFORMED. 

Loss  of  all  command  capability  implies  redundant  failures  and  would  impose  a  significant  increase  in 
workload  to  the  crew  as  state  vectors,  gyro  biases,  target  loads,  etc.,  would  have  to  be  relayed  to  the 
crew  by  voice  or  OCA  and  entered  into  the  computers  manually,  in  many  cases,  by  GMEM  Read/Write. 
Recorder  dumps  and  communications  configurations  would  also  have  to  be  done  manually  and,  for  some 
flights,  payload  operations  would  be  adversely  affected  as  control  is  only  from  the  POCC.  Therefore,  the 
potential  for  introducing  errors  into  computer  updates  is  increased.  @[021998-6516  ]  @[012402-5068  ] 

Rules  {A11-58B},  LOSS  OF  TRANSPONDERS;  {All-63 A},  LOSS  OF NSP’s;  and  [A1 1-1001}, 
COMMUNICATIONS  GO/NO-GO  CRITERIA,  reference  this  rule. 

All-54  LOSS  OF  TELEMETRY 

IF  ALL  SOURCES  OF  TELEMETRY  TO  MCC  ARE  LOST  THE  FLIGHT  WILL 
TERMINATE  AT  THE  NEXT  PLS .  THIS  COULD  RESULT  FROM: 

A.  LOSS  OF  DOWNLINK  FROM  BOTH  NSP'S. 

B.  LOSS  OF  BOTH  PCMMU' S  . 

C.  LOSS  OF  BOTH  TRANSPONDERS  FOLLOWED  BY  AN  UNSUCCESSFUL  IFM . 
(REF.  RULE  {A11-58C},  LOSS  OF  TRANSPONDERS.) 

The  MCC  has  a  much  greater  systems  monitoring  capability  than  available  onboard  and  most  crew 
procedures  and  training  are  based  on  the  availability  of  having  telemetry  data  in  the  MCC  or  POCC 
monitored  by  systems  experts.  Without  telemetry,  computer  loads  could  not  be  verified  before  execution. 
Some  future  system  failures  could  remain  undetected  (such  as  those  requiring  trend  monitoring)  or  the 
exten  t  of  the  failure  unappreciated  (e.g.,  bus  transients).  Also,  for  many  missions,  payload  data  is  only 
retrievable  via  telemetry.  If  telemetry  during  the  entry  phase  is  known  to  be  unavailable  (even  though 
onboard  data  may  be  unaffected),  then  it  is  safest  to  terminate  the  mission  while  overall  systems  status  is 
known  and  understood  by  all  rather  than  risk  adverse  future  occurrences  which  could  result  in  a  crew  or 
vehicle  safety  hazard  due  to  the  loss  of  insight  normally  provided  by  the  MCC. 

Rules  {All-63},  LOSS  OF  NSP’s;  and  {All-1001},  COMMUNICATIONS  GO/NO-GO  CRITERIA, 
reference  this  rule. 
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All-55  LOSS  OF  KU-BAND 

LOSS  OF  KU-BAND  WILL  RESULT  IN  THE  FLIGHT  CONTINUING  TO  NOMINAL 
EOM .  IF  THE  MISSION-SPECIFIC  CAPABILITY  JUSTIFIES  THE 
REQUIREMENT  FOR  THE  KU-BAND,  PERFORM  AN  MDF . 

Refer  also  to  mission-specific  rules  that  may  be  documented  in  Flight  Rules  Annexes. 

Ku-band  communication  is  provided  primarily  to  support  payloads.  It  is  used  to  provide  supplemental 
capabilities  unavailable  via  the  prime  S-band  communications  system  such  as  TDRS  television,  TDRS 
recorder  dumps,  OCA,  and  high  rate  payload  data.  Generally  speaking,  other  useful  mission  objectives 
can  be  accomplished  even  with  the  loss  of  these  capabilities  and,  therefore,  early  mission  termination  is 
not  justified.  The  Ku-band  system  also  provides  the  only  source  of  rendezvous  radar  capability,  but 
alternate  onboard  and  ground  capabilities  allow  rendezvous  to  continue  in  the  event  of  radar  failure. 
Specific  mission  objectives  that  cannot  be  accomplished  with  a  loss  of  Ku-band  are  identified  in  the 
Flight  Rules  Annex.  ®[021 998-651 6  ]  ®[01 2402-5068  ] 

Rule  {All -1001 },  COMMUNICATIONS  GO/NO-GO  CRITERIA,  references  this  rule. 

All-56  LOSS  OF  KU-BAND  TEMPERATURE  CONTROL  [CIL] 

INABILITY  TO  MAINTAIN  KU-BAND  TEMPERATURES  WITHIN  THEIR  SODB 
LIMITS  (DEFINED  AS  ABOVE  MINIMUM  TURN-ON  AND  BELOW  MAXIMUM 
SURVIVAL)  WILL  RESULT  IN  KU-BAND  DEACTIVATION  AND  STOWAGE. 

If  temperature  control  of  the  Ku-band  gyro  or  either  alpha  or  beta  gimbal  cannot  be  maintained  within 
SODB  limits,  the  subsequent  potential  of  degradation  could  result  in  inability  to  properly  stow  the 
deployed  assembly  since  fairly  precise  positioning  is  required  for  the  antenna  to  lock.  Stowing  the 
deployed  assembly  with  an  unlocked  antenna  could  result  in  damage  to  the  antenna  or  the  adjacent 
radiator  panel  during  entry.  Temperature  con  trol  of  the  antenna  feed,  the  transmitter,  and  the  receiver 
is  also  required  to  prohibit  damage  to  these  componen  ts.  For  any  of  these  cases  the  system  should  be 
deactivated  and  stowed  as  a  precaution. 

Rule  {A10-301B};  ANTENNA  STOW  REQUIREMENT  [CIL],  and  {All-57},  LOSS  OF  KU-BAND 
TEMPERATURE  MONITORING  CAPABILITY  [CIL],  reference  this  rule. 
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All-57  LOSS  OF  KU-BAND  TEMPERATURE  MONITORING  CAPABILITY 

[CIL] 

LOSS  OF  THE  CAPABILITY  TO  MONITOR  THE  KU-BAND  GYRO,  ALPHA  GIMBAL, 
OR  BETA  GIMBAL  TEMPERATURES  WILL  RESULT  IN  DEACTIVATION  AND 
STOWAGE  EXCEPT  FOR  THOSE  CASES  DOCUMENTED  IN  THE  FLIGHT  RULES 
ANNEX . 

FLIGHT-SPECIFIC  EXCEPTIONS  FOR  HIGH  PRIORITY  OPERATIONS  WILL  BE 
IDENTIFIED  IN  THE  FLIGHT  RULE  ANNEX. 


Ku-band  temperature  control  is  necessary  to  ensure  that  component  damage  will  not  occur  and  to  ensure 
that  the  antenna  can  be  properly  locked  and  stowed  for  entry  ( ref  Rule  (All -56},  LOSS  OF  KU-BAND 
TEMPERATURE  CONTROL  [ CIL]).  A  failed  transducer  would  result  in  the  inability  to  detect  a  heater 
that  is  failed  ON  or  failed  OFF.  Since  heater  monitoring  locations  are  relatively  insulated,  attempting  to 
extrapolate  remaining  measurements  to  determine  an  out-of-limits  condition  for  the  gyro  or  either 
gimbal  is  unreliable. 
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All-58  LOSS  OF  TRANSPONDERS 

A.  LOSS  OF  ONE  TRANSPONDER  (UPLINK  OR  DOWNLINK)  WILL  RESULT  IN 
CONTINUING  TO  NOMINAL  EOM . 

Loss  of  one  transponder  is  still  one  failure  away  from  any  condition  resulting  in  either  a  minimum 
duration  flight  or  a  next  PLS  landing. 

B.  LOSS  OF  UPLINK  CAPABILITY  FROM  BOTH  TRANSPONDERS  WILL  RESULT 
IN  A  NEXT  PLS  LANDING. 

Refer  to  Rule  {All -51 },  LOSS  OF  TWO-WAY  VOICE;  and  Rule  {All-53},  LOSS  OF  COMMAND.  This 
failure  results  in  the  loss  of  all  S-band  voice  and  command. 

C.  IF  ALL  S-BAND  PM  DOWNLINK  TO  MCC  IS  LOST  RESULTING  FROM  A 
FAILURE  OF  BOTH  TRANSPONDERS  AND  THE  IFM  TO  USE  THE  S-BAND  FM 
IS  SUCCESSFUL,  AN  MDF  WILL  BE  COMPLETED.  IF  THE  IFM  IS 
UNSUCCESSFUL  THEN  THE  FLIGHT  WILL  TERMINATE  AT  THE  NEXT  PLS. 

Loss  of  telemetry  and  downlink  voice  from  two  transponders  leaves  only  Ku-band  as  a  telemetry  source 
and  UHF  and  Ku-band  for  voice.  An  IFM  is  available  to  restore  real-time  S-band  telemetry  and 
downlink  S-band  voice  in  the  event  of  a  dual  transponder  failure  using  the  S-band  FM  transmitters.  This 
coverage  is  unavailable  via  TDRS  and  would  result  in  limited  ground  coverage  from  DOD  and  NASA 
stations  which  would  have  to  be  called  up  for  support.  However,  it  still  would  provide  a  source  for  entry 
telemetry.  This  failure  leaves  recorded  telemetry  still  available.  Therefore,  sufficient  systems  insight 
remains  to  complete  a  minimum  duration  flight.  An  unsuccessful  IFM  would  result  in  no  telemetry  and 
only  UHF  voice  following  Ku-band  stowage.  To  avoid  the  possibility  of  a  no-telemetry  entry  with  an 
orbiter  degraded  by  a  subsequent  systems  failure,  a  next  PLS  landing  is  justified  as  being  the 
conservative  approach. 

Rules  {All-54},  LOSS  OF  TELEMETRY;  and  {All -1001},  COMMUNICATIONS  GO/NO-GO 
CRITERIA,  reference  this  rule. 
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All-59 


FM  SYSTEM  IFM  GROUND  RULE 


FOLLOWING  A  CONFIRMED  LOSS  OF  DOWNLINK  IN  ONE  S-BAND  TRANSPONDER, 
CONSIDERATION  WILL  BE  GIVEN  TO  IMPLEMENTING  AN  IFM  PROCEDURE  TO 
ALLOW  THE  USE  OF  THE  FM  SYSTEM  AS  A  REDUNDANT  TELEMETRY  SOURCE 
FOR  ENTRY. 

Following  a  transponder  loss,  no  redundancy  remains  for  downlink  telemetry.  The  IFM  regains  this 
redundancy  using  the  FM  system,  and  implementation  of  the  IFM  should  be  considered  prior  to  entry. 

The  IFM  procedure  to  allow  the  use  of  the  S-band  FM  system  for  downlink  voice  and  telemetry  results  in 
disconnecting  flight  cables  and  terminating  the  use  of  one  of  the  Ops  recorders.  The  NSP’s  must  be 
switched  when  real-time  arid  dump  data  share  the  FM  downlink.  This  is  compatible  only  with  ground 
stations,  not  TDRS.  For  these  reasons  it  is  desirable  to  troubleshoot  the  transponders  to  determine 
alternate  capabilities  before  considering  the  IFM  which  nominally  requires  about  2-1/2  hours  of  crew 
time.  As  transponder  troubleshooting  necessarily  requires  a  ground  station  or  TDRS  to  confirm  status, 
the  ground  should  direct  the  procedure  rather  than  the  crew  if  the  remaining  capability  makes  this 
feasible.  The  ground  is  required  because  compatible  configurations  are  necessary  onboard  and  at  the 
STDN  to  ensure  valid  checks. 


All-60 


LOSS  OF  TDRS  TRACKING  CAPABILITY 


LOSS  OF  TDRS  TRACKING  CAPABILITY  WILL  RESULT  IN  CONTINUING  TO 
NOMINAL  EOM . 

Loss  of  TDRS  tracking  would  require  call  up  of  contingency  use  S-band  tracking  stations  that  are 
obligated  to  provide  support  in  the  event  of  such  an  orbiter  or  ground  system  failure.  These  stations, 
supplemented  as  required  by  C-band  radars,  can  provide  satisfactory  support  to  continue  nominal 
orbital  operations  and  entry  preparations. 

Rule  {All -1001},  COMMUNICATIONS  GO/NO-GO  CRITERIA,  references  this  rule. 
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All-61  LOSS  OF  S-BAND  PREAMPS  AND  POWER  AMPS 

LOSS  OF  BOTH  S-BAND  PREAMPLIFIERS  AND/OR  BOTH  POWER  AMPLIFIERS 
WILL  RESULT  IN  CONTINUING  TO  NOMINAL  EOM . 

Loss  of  either  both  preamps  or  both  power  amps  results  in  loss  of  all  TDRS  S-band  capability.  Ku-band 
still  remains  but  does  not  provide  a  tracking  source  arid  is  unavailable  following  antenna  stowage  during 
deorbit  prep.  A  total  loss  of  TDRS  S-band  would  require  call  up  of  the  contingency  ground  stations  that 
are  obligated  to  provide  support  in  the  event  of  such  an  orbiter  failure.  These  stations  would  be  a 
combination  of  the  NASA  Spacecraft  Tracking  and  Data  Network  (STDN),  DOD  remote  tracking  stations 
(RTS),  and  C-band  radars.  These  stations  can  provide  satisfactory  support  to  continue  nominal  orbital 
operations  and  nominal  entry  preparations.  ®[1 02402-5741  ] 

Rule  I  All -1001 j,  COMMUNICATIONS  GO/NO-GO  CRITERIA,  references  this  rule. 

All-62  LOSS  OF  ANTENNA  ELECTRONICS 

THE  FLIGHT  WILL  BE  CONTINUED  FOR  LOSS  OF  THE  S-BAND  ANTENNA 
ELECTRONICS . 

Loss  of  both  S-band  antenna  electronics  results  in  the  inability  to  select  S-band  antennas  ( i.  e. ,  only  one 
antenna  could  be  used).  All  communications  functions  would  remain,  but  severe  attitude  constraints 
would  have  to  be  imposed  to  maintain  TDRS  S-band.  TDRS  Ku-band  would  be  unaffected,  and  ground 
station  (GSTDN)  S-band  would  be  slightly  degraded  due  to  reduced  (but  still  acceptable)  circuit 
margins.  Since  the  attitude  timeline  would  be  affected,  it  is  reasonable  to  assume  that  mission  activities 
would  be  impacted.  As  long  as  productive  mission  objectives  can  still  be  accomplished,  the  mission  need 
not  be  shortened.  Rule  {All-1001  f  COMMUNICATIONS  GO/NO-GO  CRITERIA,  references  this  rule. 
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All-63  LOSS  OF  NSP ' S 

A.  LOSS  OF  UPLINK  CAPABILITY  FROM  ONE  NSP  WILL  RESULT  IN 
CONTINUING  TO  NOMINAL  EOM . 

Loss  of  uplink  from  one  NSP  is  still  one  failure  away  from  any  condition  resulting  in  either  a  minimum 
duration  flight  or  a  next  PLS  landing.  Refer  to  Rules  {All-51},  LOSS  OF  TWO-WAY  VOICE;  and 
{All -53},  LOSS  OF  COMMAND. 

B.  LOSS  OF  ALL  DOWNLINK  REAL  TIME  AND  ALL  RECORDED  DATA  OUTPUTS 
FROM  ONE  NSP  WILL  RESULT  IN  AN  MDF . 

The  NSP’s  are  required  to  provide  all  telemetry,  recorded  telemetry  and  voice,  all  command  and  all  S- 
band  voice.  UHF  voice  may  still  remain,  but  the  limited  ground  coverage  (essentially  Continental  U.S.) 
is  insufficient  to  satisfy  orbital  requirements.  Ku-band  OCA  and  downlink  TV  capabilities  may  also 
remain  during  the  period  that  the  Ku-band  is  deployed.  Although  two-way  voice  and  video  capability 
with  OCA  may  be  available,  flight  experience  has  demonstrated  that  this  capability  is  not  robust. 
Considering  the  impact  of  losing  all  NSP  capability  in  the  event  of  a  second  failu  re  versus  the  small  gain 
in  mission  achievement  that  may  be  possible,  redundan  t  NSP’s  should  be  required  to  extend  the  flight 
beyond  minimum  duration.  <@[021998-6516]  <@[012402-5068] 

C.  LOSS  OF  UPLINK  CAPABILITY  FROM  BOTH  NSP'S  WILL  RESULT  IN  A 
NEXT  PLS  LANDING. 

Refer  to  the  rationale  for  Rule  {All-51},  LOSS  OF  TWO-WAY  VOICE.  Loss  of  both  NSP  uplinks  would 
result  in  only  UHF  availability  for  two-way  voice. 

D.  LOSS  OF  ALL  DOWNLINK  REAL  TIME  AND  ALL  RECORDED  DATA  OUTPUTS 
FROM  BOTH  NSP'S  WILL  RESULT  IN  A  NEXT  PLS  LANDING. 

Refer  to  the  rationale  for  Rules  {All-51},  LOSS  OF  TWO-WAY  VOICE;  and  {All-54},  LOSS  OF 
TELEMETRY.  Loss  of  all  downlink  capability  from  both  NSP’s  would  result  in  only  UHF  availability  for 
two-way  voice  and  no  telemetry  to  MCC. 

Rule  {All -1001},  COMMUNICATIONS  GO/NO-GO  CRITERIA,  references  this  rule. 
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All-64  LOSS  OF  COMMUNICATIONS  SECURITY  (COMSEC) 

A.  LOSS  OF  COMSEC  WILL  RESULT  IN  THE  FLIGHT  CONTINUING  TO 
NOMINAL  EOM . 


Refer  also  to  mission-specific  rules  that  may  be  documented  in  Flight  Rules  Annexes. 

Curren  t  agency  policy  with  a  fully  operational  TDRSS  is  to  encrypt  command/con  trol  uplinks  or  data  as 
appropriate  to  protect  sensitive  government  data  and  provide  protection  from  unauthorized  commands. 
When  all  data  is  unclassified,  as  it  is  for  NASA  flights,  this  policy  would  be  waived  (as  it  has  been  in  the 
past)  in  order  to  complete  the  mission.  In  the  event  of  total  COMSEC  failure,  uplink  protection  will  be 
provided  by  use  of  the  uplink  block  protection.  When  data  is  classified,  as  for  DOD  flights,  COMSEC 
rules  will  be  defined  in  the  Flight  Rules  Annex. 

B.  FOR  LOSS  OF  A  SINGLE  COMSEC  (UPLINK  AND/OR  DOWNLINK),  ORBIT 
OPERATIONS  WILL  CONTINUE  TO  BE  ENCRYPTED.  FOR  ASCENT  AND 
ENTRY,  REDUNDANCY  WILL  BE  PROVIDED  BY  GOING  TO  CLEAR.  IF 
UPLINK  ENCRYPTION  IS  DESELECTED,  THE  UPLINK  BLOCK  SWITCH  WILL 
BE  USED  BY  THE  CREW  TO  PROTECT  COMMAND  UPLINK  WHEN  COMMAND 
ACTIVITY  IS  NOT  REQUIRED. 


ENCRYPTION  LOST 

CONFIGURATION  FOR  ASCENT/ENTRY 

BOTH  UPLINK  AND  DOWNLINK 

UPLINK  ONLY 

DOWNLINK  ONLY 

CLEAR  UPLINK  AND  DOWNLINK  (CREW  USES  BLOCK  SWITCH 

CLEAR  UPLINK  AND  DOWNLINK  (CREW  USES  BLOCK  SWITCH) 

ENCRYPTED  UPLINK,  CLEAR  DOWNLINK 

Loss  of  a  single  COMSEC  (uplink  and/or  downlink)  does  not  prevent  protection  of  that  link  with  the 
remaining  COMSEC  system.  Subsequent  COMSEC  failures  can  be  resolved  by  deselecting  encryption. 
For  ascent  and  entry,  the  encryption  will  be  deselected  (uplink  and/or  downlink)  to  recover  redundancy 
for  command  and  S-band  voice  (the  encryption  switches  are  not  accessible  from  the  crew  seats).  When 
data  are  classified,  as  for  DOD  flights,  COMSEC  rules  will  be  defined  in  the  Flight  Rules  Annex. 

Rule  {All -1001},  COMMUNICATIONS  GO/NO-GO  CRITERIA,  references  this  rule. 
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All-65  AUDIO  CENTRAL  CONTROL  UNIT  (ACCU) 

THE  ACCU  IS  CONSIDERED  LOST  IF  TWO-WAY  VOICE  ON  THE  FOLLOWING 
LOOPS  IS  INOPERABLE: 

A.  AIR/GROUND  1. 

B.  AIR/GROUND  2. 

C.  AIR/AIR. 

These  are  the  only  loops  that  in  terface  with  the  communications  equipment  (both  air/ground  and  EVA). 
Only  Intercom  and  Page  loops  remain.  Therefore,  a  subsequent  failure  in  the  alternate  ACCU  would 
result  in  the  loss  of  all  orbiter  communications.  One -half  of  the  ACCU  BYPASS  IFM  (J4)  should  be 
performed  as  described  in  Rule  {All-66},  LOSS  OF  ACCU’ s. 

Rule  {All-66},  LOSS  OF  ACCU’ s,  references  this  rule. 
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All-66  LOSS  OF  ACCU' S 

A.  FOR  THE  LOSS  OF  ONE  ACCU,  ONE-HALF  OF  THE  ACCU  BYPASS  IFM 

( J4 )  WILL  BE  PERFORMED  AS  SOON  AS  PRACTICAL  AND  THE  NOMINAL 
FLIGHT  COMPLETED.  IF  UNSUCCESSFUL  A  NEXT  PLS  LANDING  WILL  BE 
PERFORMED . 

Refer  to  Rule  {All-65},  AUDIO  CENTRAL  CONTROL  UNIT  (ACCU). 

B.  FOR  THE  LOSS  OF  BOTH  ACCU'S,  THE  IFM  WILL  BE  COMPLETED  AND  AN 
MDF  WILL  BE  PERFORMED. 

The  primary  difference  between  A  and  B  above  is  that  loss  of  an  ACCU  is  only  loss  of  one  source  of 
redundancy  while  loss  of  total  IFM  is  loss  of  two  sources. 

Loss  of  one  ACCU  is  one  failure  away  from  loss  of  all  air/ground  voice.  The  IFM,  when  installed, 
provides  two  sources  of  air/ground  voice.  Implementing  the  J4  half  of  the  IFM  allows  normal  use  of  the 
remaining  ACCU  but  with  the  following  lost  capabilities: 

1.  PS,  OS,  and  AIRLOCK  ATU’s. 

2.  TACAN  3  tones. 

3.  C&W  B  tones  via  ACCU  (Middeck  Speaker  Unit).  ®[i  02402-5743  ] 

4.  NSP  2  voice  record  channel  1. 

5.  NSP  1  voice  record  channel  2. 

6.  NSP  1  Air/Ground  2  loop. 

7.  PLT  ATU  is  limited  to  only  the  Air/Ground  1  loop  in  NSP  2  and  only  in  hot  mike  mode. 

The  extent  of  these  lost  capabilities  is  of  minor  mission  impact  and  does  not  constitute  grounds  for 
shortening  the  mission.  For  vehicles  103  and  104  only  one  crewmember  in  the  airlock  will  have  hardline 
communications  which  has  a  minor  procedural  impact.  Should  the  remaining  ACCU  fail  after  the  J4 
IFM,  the  CDR  and  PLT  ATU’s  (only)  will  still  retain  an  S-band  communications  capability  although  it 
will  be  nonredundant.  The  IFM  should  then  be  completed  restoring  dual  S-band  communications 
redundancy.  Since  redundancy  is  available,  an  immediate  (next  PLS)  lajiding  is  not  necessary,  but  the 
dwindling  communication  capabilities  justify  that  the  flight  be  continued  only  until  MDF. 

Rule  {All-65},  AUDIO  CENTRAL  CONTROL  UNIT  (ACCU),  references  this  rule. 
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All-67  LOSS  OF  THE  PLT  AND  MS  ATU'S 

LOSS  OF  BOTH  THE  PLT  AND  MS  ATU'S  WILL  RESULT  IN  THE  FLIGHT 
CONTINUING  TO  NOMINAL  EOM . 

These  two  ATJJ’s  are  necessary  to  process  audio  system  configuration  data  for  external  interfaces  such 
as  the  NSP’s,  recorders,  UHF,  etc.  In  the  event  of  a  subsequent  ACCU  switch  failure,  these  external 
configurations  would  come  up  in  a  random  state.  However,  testing  and  analysis  have  shown  that  the 
probability  of  regaining  a  working  Air/Ground  loop  on  each  switch  attempt  (A/G  1,  2,  or  UHF)  exceeds 
90  percen  t.  Therefore,  shortening  the  mission  for  these  failures  is  not  justified.  @[092701-4872  ] 

Rule  {All -1001 },  COMMUNICATIONS  GO/NO-GO  CRITERIA,  references  this  rule. 

All-68  LOSS  OF  INTERCOM 

THE  FLIGHT  WILL  BE  CONTINUED  FOR  THE  LOSS  OF  ALL  INTERCOM. 

Intercom  is  desirable  but  not  mandatory  for  crew  coordination.  When  seated  for  entry,  the  CDR  and 
PET  can  easily  communicate  without  the  intercom.  Communications  with  MSI  and  MS2  can  be  done 
using  the  Air/Ground  or  Air/Air  loops  if  necessary,  although  simultaneous  tran  smission  s  to  the  STDN  in 
these  cases  would  occur.  It  would  also  be  necessary  to  use  the  Air/Ground  or  Air/Air  loops  to  record 
voice  on  the  Ops  recorders.  These  conditions  may  be  undesirable  but  not  considered  serious  enough  to 
shorten  the  mission 

Rule  {All -1001  j,  COMMUNICATIONS  GO/NO-GO  CRITERIA,  references  this  rule. 
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All-69  LOSS  OF  UHF 

LOSS  OF  UHF  WILL  RESULT  IN  THE  FLIGHT  CONTINUING  TO  NOMINAL  EOM . 

UHF  voice  is  used  as  the  sole  source  of  EVA  communications,  as  the  source  of  communication  on  the 
universal  guard  channel  (243.0  MHz),  and  as  an  alternate  source  of  communication  during  ascents  and 
entries.  Failures  of  UHF  affecting  air/ground  communications  should  not  result  in  an  early  mission 
termination  as  long  as  S-band  redundancy  exists  for  entry. 

Rule  {All -1001},  COMMUNICATIONS  GO/NO-GO  CRITERIA,  references  this  rule. 

All-70  LOSS  OF  GCIL 

LOSS  OF  GCIL  WILL  RESULT  IN  THE  FLIGHT  CONTINUING  TO  NOMINAL  EOM. 

Loss  of  GCIL  capability  implies  loss  of  command  capability  to  most  of  the  communications  systems,  loss 
of  a  quick  way  to  switch  S-band  strings  ( the  “Panel/Command”  capability)  and  loss  of  some  unique 
functions  that  require  a  GCIL;  e.  g. ,  frequency  selection.  Workarounds  exist  in  all  cases  although  the 
crew  would  have  to  assume  some  additional  workload.  The  resulting  loss  of  efficiency  does  not  justify 
shortening  the  mission. 

Rule  {All -1001},  COMMUNICATIONS  GO/NO-GO  CRITERIA,  references  this  rule. 
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All-71  LOSS  OF  RECORDERS 

A.  THE  FLIGHT  WILL  BE  CONTINUED  FOR  A  LOSS  OF  ALL  OPS,  SOLID 
STATE,  MADS/OEX  AND  PAYLOAD  RECORDERS.  @[092701 -4848A] 

In  order  to  justify  a  mission  termination,  either  an  actual  or  potential  crew  safety  hazard  must  exist,  all 
planned  mission  objectives  must  have  been  achieved,  or  no  further  useful  mission  objectives  can  be 
achieved  on  this  flight  for  whatever  reason.  It  is  extremely  unlikely  that  failure  of  any  or  all  of  these 
recorders  would  result  in  one  of  these  three  conditions.  Recorders  are  generally  used  to  document  a 
complete  mission  history  and  to  backup  or  supplement  analog  or  digital  data  that  is  acquired  by  other 
means,  e.g.,  real  time.  When  this  is  not  the  case,  the  data  is  rarely  critical  to  total  mission  success  as  a 
backup  was  apparently  not  justifiable.  The  MADS/OEX  recorder  is  a  sole  source  oforbiter  supplemental 
data;  but,  since  this  data  is  usually  for  entry  performance  evaluation,  a  MADS/OEX  recorder  failure 
does  not  justify  an  early  reentry  as  the  data  is  lost  regardless.  Recorder  criticality,  if  any,  would  be 
defined  in  the  Flight  Rules  Annex. 

B.  IN  THE  EVENT  BOTH  OPS  RECORDERS  FAIL,  THE  OPS  2  RECORDER  WILL 
BE  REPLACED  WITH  THE  PAYLOAD  RECORDER. 

The  payload  recorder  is  not  used  for  recording  orbiter  systems  data  and,  therefore,  its  loss  can  only 
impact  the  degree  of  mission  success.  Since  real-time  orbiter  systems  data  is  not  continuous,  but  is 
limited  by  station  coverage  or  entry  blackout,  it  is  probable  that  the  Ops  recorders  could  prove  the  sole 
source  of  orbiter  data  and  recorded  voice  at  the  time  a  systems  anomaly  occurs.  Since  this  data  is  much 
more  extensive  than  that  available  to  the  crew,  it  is  poten  tially  critical  for  allowing  complete  systems 
anomaly  troubleshooting.  It  is  also  the  only  source  of  crew  intercom  voice.  Therefore,  giving  up  the 
payload  recorder  for  these  dual  failure  conditions  is  prudent.  Ops  2  is  preferred  as  it  is  much  more 
accessible  than  Ops  I.  No  third  unit  will  be  available  to  back  up  solid  state  recorders.  Likewise,  if  the 
payload  recorder  is  not  flown  on  a  particular  mission,  it  is  not  available  to  back  OPS  recorders. 

@[092701 -4848A] 

C.  NO  RECORDER  CHANGEOUTS  WILL  BE  ACCOMPLISHED  FOR  LOSS  OF  A 
SINGLE  OPS  RECORDER. 

The  availability  ofTDRS  and  the  reduction  of  the  need  for  voice  recording  to  only  high  activity  mission 
phases  results  in  only  one  Ops  recorder  for  a  given  flight  being  required  to  satisfy  requirements.  The 
other  Ops  recorder  is  considered  a  backup.  Since  the  payload  recorder  is  used  on  some  flights  to 
acquire  data  unavailable  elsewhere  and  since  approximately  2  hours  of  crew  time  is  necessary  to  change 
out  recorders,  the  replacemen  t  of  the  backup  Ops  recorder  with  the  payload  recorder  is  not  justified. 

THIS  RULE  CONTINUED  ON  NEXT  PAGE 
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All-71  LOSS  OF  RECORDERS  (CONTINUED) 

D.  IF  THE  OPS  2  RECORDER  FAILS  DURING  ASCENT,  THE  OPS  1  RECORDER 
WILL  BE  RECONFIGURED  TO  RECORD  BOTH  MAIN  ENGINE  DATA  AND  01 
DATA.  THE  SPEED  WILL  BE  THE  OPTIMUM  (24  IPS)  FOR  01  DATA 
RATE.  A  RECORDER  IS  CONSIDERED  FAILED  WHEN  ANY  OF  THE 
FOLLOWING  OCCUR: 

1.  RECORDER  BITE  INDICATION  PRESENT. 

2.  RECORDER  TEMPERATURE  >120  DEG  F. 

3.  UNABLE  TO  DETECT  TAPE  MOTION. 

The  Ops  1  recorder  can  be  configured  to  record  orbiter  01  telemetry  and  voice,  but  provides  the  only 
means  of  recording  SSME  EIU  data  during  ascent.  The  Ops  2  recorder  can  only  be  used  to  record  01 
data  and  voice  which  is  its  nominal  ascent  configuration.  Should  the  Ops  2  recorder  fail  during  ascent, 
both  EIU  and  orbiter  data  can  be  recorded  on  Ops  1  during  powered  flight  in  a  slightly  degraded  but 
recoverable  mode.  After  powered  flight,  Ops  1  can  be  reconfigured  to  record  only  01  data  and  voice. 

Recent  test  data  shows  both  EIU  and  01  data  and  voice  may  be  recorded  and  recovered,  on  the  same 
recorder,  with  minimum  degradation. 

This  reconfiguration  is  not  necessary  if  flying  solid  state  recorder  (SSR),  since  solid  state  recorder  2 
(SSR  2)  records  Main  Engine  and  OPS  data  simultaneously.  @[092701 -4848A] 

E.  IF  SSR  2  FAILS  DURING  ASCENT  ON  A  MISSION  IN  WHICH  SSR  1  IS 
RECORDING  PAYLOAD  DATA  INSTEAD  OF  OPS  DATA,  SSR  1  WILL  BE 
RECONFIGURED  TO  RECORD  01  DATA.  @[092701 -4848A] 

F.  AN  SSR  IS  CONSIDERED  FAILED  WHEN  ANY  OF  THE  FOLLOWING  OCCUR: 

1.  RECORDER  BITE  INDICATION  PRESENT. 

2.  RECORD  POSITION  DOES  NOT  INCREASE. 

SSR  2  normally  records  Mean  Engine  and  OPS  data  during  ascent;  SSR  1  normally  records  OPS  data 
also,  but  is  available  for  use  as  a  payload  recorder  if  required.  Should  SSR  2  fail  during  ascent,  SSR  1 
is  required  to  record  OPS  data.  @[092701 -4848A] 

Rule  {A1 1-1001  j,  COMMUNICATIONS  GO/NO-GO  CRITERIA,  references  this  rule. 
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All-72  LOSS  OF  TV 

THE  FLIGHT  WILL  BE  CONTINUED  FOR  LOSS  OF  ALL  OR  PART  OF  THE  TV 
SYSTEM. 

The  TV  system  has  never  been  identified  as  being  essential  for  crew  safety  purposes.  It  is  usually  used 
for  real-time  or  near  real-time  public  information  purposes  and  for  mission  documentation  of  payload 
bay  activities.  It  has  also  proven  useful  as  a  close-in  ranging  aid,  as  an  RMS  grapple  aid,  for 
monitoring  PAM  PKM  burns,  and  miscellaneous,  often  unforeseen,  mission  activities  such  as  water  dump 
nozzle  sun’ey.  None  of  these  uses  are  considered  a  realistic  justification  for  an  early  flight  termination. 

It  is  conceivable  however,  that  some  mission  objectives  may  not  be  satisfied  for  a  total  TV  system  loss. 
These  will  be  identified  in  the  Flight  Rule  Annex. 

Rule  {All -1001  j,  COMMUNICATIONS  GO/NO-GO  CRITERIA,  references  this  rule. 

All -7 3  LOSS  OF  OCA  ®[01 2402-5068  ] 

LOSS  OF  OCA  WILL  RESULT  IN  THE  FLIGHT  CONTINUING  TO  NOMINAL  EOM . 

OCA  is  a  major  convenience  for  passing  information  to  the  crew.  If  OCA  capability  were  lost,  the  same 
information  would  be  passed  via  voice.  @[021998-6516  ]  @[012402-5068  ] 


All 

-74 

PCM  MASTER  UNIT  (PCMMU) 

THE 

PCMMU  IS 

CONSIDERED  LOST  IF  ANY  ONE 

OR  MORE 

OF  THE  FOLLOWING 

IS 

TRUE 

: 

A. 

IT 

CANNOT 

SUPPLY 

DATA  TO  AT  LEAST  ONE  GPC. 

B. 

IT 

CANNOT 

SUPPLY 

HIGH  DATA  RATE  AND 

LOW  DATA 

RATE  TELEMETRY 

TO 

THE  GROUND . 

C. 

IT 

CANNOT 

SUPPLY 

DOWNLIST  DATA  FROM 

AT  LEAST 

ONE  GPC  TO  THE 

GROUND . 

The  PCMMU  is  required  for  three  major  purposes.  It  supplies  all  orbiter  real-time  and  recorded 
telemetry  ( OI MDM  and  PDI  data ).  It  supplies  OI  and  PDI  data  to  the  SM  and  BFS  GPC ’sfor  onboard 
display  and  fault  detection  (class  3  alarms).  It  supplies  all  GPC  downlist  data  to  real-time  and  recorded 
telemetry.  The  loss  of  either  of  these  three  functions  is  a  serious  impact  upon  systems  monitoring 
visibility  for  either  the  crew  or  MCC.  The  extent  of  the  visibility  loss  is  significant  enough  to  consider 
the  PCMMU  as  unusable  and  essen  tially  failed. 
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All-75  LOSS  OF  PCMMU' S 

A.  LOSS  OF  ONE  PCMMU  WILL  RESULT  IN  AN  MDF . 

The  PCMMJJ’ s  are  required  to  provide  all  real-time  and  recorded  telemetry  to  MCC  and  much  onboard 
systems  data  to  the  SM  or  BFS  GPC’s  for  crew  display  and  class  3  alerts.  There  are  no  available 
workarounds  for  a  PCMMU  failure.  Considering  the  impact  of  losing  such  extensive  insight  into  the 
onboard  systems  in  the  event  of  a  second  failure  versus  the  small  gain  in  mission  achievement  that  may 
be  possible,  redundant  PCMMU’ s  should  be  required  to  extend  the  flight  beyond  minimum  duration. 

B.  LOSS  OF  TWO  PCMMU' S  WILL  RESULT  IN  A  NEXT  PLS  LANDING. 

This  failu  re  results  in  a  significan  t  loss  of  telemetry  or  onboard  monitoring  capability. 

Rule  {All -1001  j,  COMMUNICATIONS  GO/NO-GO  CRITERIA,  references  this  rule. 

All-76  LOSS  OF  01  MDM 

LOSS  OF  ANY  01  MDM  WILL  RESULT  IN  THE  FLIGHT  CONTINUING  TO 
NOMINAL  EOM . 

The  impacts  of  losing  any  single  01  multiplexer/demultiplexer  have  been  analyzed  with  the  results 
documented  in  JSC-16983,  01 MDM/DSC  Failure  Impacts.  The  analysis  reveals  that  adequate 
instrumentation  remains  for  making  mission-critical  decisions  using  other  sources.  Flight  Data  File 
procedures  exist  that  reference  any  configurations  that  are  necessary  following  the  loss  of  the  LRU. 

All-77  LOSS  OF  ANY  01  DSC 

LOSS  OF  ANY  01  DSC  WILL  RESULT  IN  THE  FLIGHT  CONTINUING  TO 
NOMINAL  EOM. 

The  impacts  of  losing  any  single  01  Dedicated  Signal  Conditioner  have  been  analyzed  with  the  results 
documented  in  JSC-16983,  01  MDM/DSC  Failure  Impacts.  The  analysis  reveals  that  adequate 
instrumentation  remains  for  making  mission  critical  decisions  using  other  sources.  Flight  Data  File 
procedures  exist  that  reference  any  reconfigurations  that  are  necessary  following  the  loss  of  the  LRU. 

All-78  THROUGH  All-100  RULES  ARE  RESERVED 
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GO/NO-GO  CRITERIA 


All-1001  COMMUNICATIONS  GO/NO-GO  CRITERIA 


FAILURE 


A.  COMMUNICATIONS 

(1)  2-WAY  VOICE  (3)  (A/G,  1,2,  UHF) 

(2)  COMMAND  (S-BD  1, 2) 

(3)  2-WAY  VOICE  +  COMMAND 

(4)  TELEMETRY 

(5)  TDRS  TRACKING 

(6)  NSP  UPLINK  (2) 

(7)  NSP  DOWNLINK  (2) 

(8)  XPNDR  UPLINK  (2) 

(9)  XPNDR  DOWNLINK  (2)  (I) 

(10)  ACCU  (2)  (I) 

(11)  COMSEC  (2)  [1  ] 

(12)  KU-BAND  [1] 

(13)  UHF 

(14)  ATU  (PLT&  MS) 

(15)  TV 

(16)  OCA 

(17)  INTERCOM 

(18)  PI  (2)  [1] 

(19)  PSP  (2)  [1] 

(20)  S-BD  PREAMP  (2)  [10] 

(21)  S-BD  PWR  AMP  (2)  [10] 

(22)  GCIL 

(23)  ANTENNA  ELECTRONICS 

B.  INSTRUMENTATION 


(1)  PCMMU  (2) 

(2)  Ol  MDM’S  (7) 

(3)  Ol  DSC'S  (14) 

[11] 

(4)  PDI 

[1] 

(5)  MADS/OEX 

(6)  OPS  RCDR  (2) 

(7)  PL  RCDR 

[1] 

®[1 1 1 298-6778  ]  ®[01 2402-5069  ] 


INVOKE 
MDF  IF: 

ENTER  NEXT 
PLS  IF: 

RULE  REF. 

2  ? 

{All-51} 

2  ? 

{All -53} 

ALL  ?  [41 

{All -52} 

ALL  ? 

{All -54} 

{All -60} 

2 

?  [8] 

{A11-63A},C 

1  ? 

2  ?  [91 

{A1 1  -63B},D 

2  ?  [81 

{A1 1  -58A},B 

2  ? 

2  ?  1  ?  [71 

{A1 1  -58A},C 

2  ?  [51  1  ? 

1  ?  1  ?  [61 

{All -65} 

{All -64} 

{All -55} 

{All -69} 

{All -67} 

{All -72} 

{All -73} 

{All -68} 

ANNEX 

ANNEX 
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Rule  {A1 7-1001  j,  LIFE  SUPPORT  GO/NO-GO  CRITERIA,  references  this  rule. 
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All-1001  COMMUNICATIONS  GO/NO-GO  CRITERIA  (CONTINUED) 

NOTES: 

[1]  REFER  ALSO  TO  ANY  MISSION-SPECIFIC  RULES  DOCUMENTED  IN  FLIGHT  RULES  ANNEXES. 

[2]  RESERVED 

[3]  RESERVED 

[4]  IF  NO  VOICE  AND  NO  COMMAND  AND  PAST  LAST  PLS  OPPORTUNITY,  THEN  DEORBIT  PER  CRITERIA  AND 
PRIORITIES  LISTED  IN  RULE  {All -52},  LOSS  OF  BOTH  VOICE  AND  COMMAND.  @[012402-5069  ] 

[5]  IFM  REMAINS  WHICH  BYPASSES  THE  ACCU’S  AND  RESTORES  DUAL  AIR/GROUND  VOICE  SOURCES. 

[6]  LOSS  OF  ONE  ACCU  AND  AN  UNSUCCESSFUL  IFM  RESULTS  IN  BEING  ONE  FAILURE  AWAY  FROM  LOSS  OF  ALL 
VOICE.  LOSS  OF  BOTH  ACCU’S  AND  AN  UNSUCCESSFUL  IFM  RESULTS  IN  LOSS  OF  ALL  VOICE. 

[7]  IFM  ALLOWS  REGAIN  OF  DOWNLINK  (NOT  TO  TDRS)  TO  GROUND  STATIONS.  RULE  IS  BASED  UPON  LOSS  OF 
ALL  ENTRY  TELEMETRY  AND  ONLY  A  SINGLE  VOICE  SOURCE  (UHF)  REMAINING  FOR  ENTRY. 

[8]  RULE  IS  BASED  ON  ONLY  A  SINGLE  VOICE  SOURCE  (UHF)  REMAINING  FOR  ENTRY. 

[9]  RULE  IS  BASED  UPON  LOSS  OF  TELEMETRY  AND  ONLY  A  SINGLE  VOICE  SOURCE  (UHF)  REMAINING  FOR  ENTRY. 

[10]  IMPLIES  LOSS  OF  TDRS  TELEMETRY. 

[11]  ADDITIONAL  DOS’S  ARE  INSTALLED  FOR  EDO  PALLET  FLIGHTS. 

@[092701-4872  ] 
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SECTION  12  -  ROBOTICS 


GENERAL 


A12-1  EVA  FOR  RMS  OPERATIONS 

A.  FOR  RMS  FAILURES  THAT  ARE  KNOWN  PRIOR  TO  THE  START  OF  RMS 
OPERATIONS : 

AN  UNSCHEDULED  EVA  TO  CONFIGURE  THE  RMS  FOR  OPERATIONS  (E.G., 
SHOULDER  BRACE  RELEASE,  MPM  DEPLOY)  MAY  BE  CONSIDERED  ONLY  IF 
A  SECOND  EVA  WILL  NOT  BE  REQUIRED  TO  MAKE  THE  ORBITER  SAFE 
FOR  ENTRY. 

FLIGHT-SPECIFIC  EXCEPTIONS  FOR  HIGH  PRIORITY  OPERATIONS  WILL 
BE  IDENTIFIED  IN  THE  FLIGHT-SPECIFIC  ANNEX. 

EVA  techniques  are  available  to  release  the  shoulder  brace  and  to  deploy  the  arm  which  will  place  the 
RMS  into  an  operational  configuration.  Subsequent  to  MPM  deploy,  there  could  be  occasions  where  the 
EVA  crewmember  would  wait  for  the  accomplishment  of  the  mission  objective  and  stow  the  MPM  within 
the  same  EVA.  But  it  is  not  safe  to  require  another  EVA  to  stow  the  MPM  because  the  orbiter  must 
retain  the  capability  to  perform  a  contingency  payload  bay  door  EVA. 

The  shoulder  brace  is  only  required  for  ascent  loads;  so,  once  it  is  released,  an  additional  EVA  will  not 
be  required  to  reattach  it.  However,  if  the  arm  is  deployed  EVA,  it  is  very  likely  a  second  EVA  would  be 
required  to  stow  it.  If  a  second  EVA  is  not  available,  the  arm  would  have  to  be  jettisoned  to  make  the 
payload  bay  safe  for  entry. 
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A12-1  EVA  FOR  RMS  OPERATIONS  (CONTINUED) 

B.  FOR  RMS  FAILURES  THAT  OCCUR  OR  ARE  DISCOVERED  AFTER  RMS 
OPERATIONS  HAVE  COMMENCED: 

IF  CONDITIONS  PERMIT,  AND  AFTER  ALL  OTHER  METHODS  HAVE 
FAILED,  AN  UNSCHEDULED  EVA  MAY  BE  CONSIDERED  FOR  THE 
FOLLOWING  TASKS  TO  PRECLUDE  HAVING  TO  JETTISON  THE  RMS, 
PAYLOAD,  AND/OR  MPM : 

1.  END  EFFECTOR  (EE)  RELEASE. 

2.  RMS  JOINT  ALIGN. 

3.  RMS  TIEDOWN. 

4.  MPM  STOW. 

5.  PAYLOAD  BERTHING. 

Once  RMS  operations  have  commenced ,  there  are  additional  EVA  techniques  available  for  various 
failures  in  the  end  effector,  joint  motors,  MRL,  and  MPM  which  will  make  the  RMS  safe  for  entry  and 
preclude  jettison  of  the  arm,  payload,  and/or  MPM.  For  certain  payloads,  the  crew  may  also  be  trained 
to  berth  the  payload  manually  using  EVA  techniques. 

Rule  { A2-112A },  PDRS,  references  this  rule.  ®[ED  ] 
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A12-2 

A. 


UNATTENDED  RMS  CONSTRAINTS 


DURING  CREW  AWAKE  PERIODS,  THE  UNCRADLED  RMS  (LOADED  OR 
UNLOADED)  MAY  BE  LEFT  UNATTENDED  IF  ALL  OF  THE  FOLLOWING 
CONDITIONS  ARE  MET: 


1 . 

THE 

2  . 

THE 

3. 

THE 

4  . 

THE 

5  . 

THE 

6. 

THE 

7  . 

RMS 

FROM  STRUCTURE  IS  MAINTAINED 


With  the  arm  selected,  I/O  established  with  the  MCIU,  and  the  brakes  on,  the  RMS  software  is  in  the  idle 
mode  with  all  six  joints  held  by  the  mechanical  brakes.  Idle  mode  is  required  to  determine  the  health  of 
the  arm.  The  RMS  mode  switch  should  be  left  in  any  position  except  DIRECT  so  that  the  joint  slip 
algorithm  will  operate.  The  joint  switch  should  be  in  the  CRIT  TEMP  position  so  that  a  failure  of  the 
SINGLE/DIRECT  DR  switch  will  not  lead  to  a  single-joint  runaway.  Meeting  the  flight-specific  annex 
rules  is  required  to  ensure  that  specific  DAP  configuration  and  RMS  position/clearance  constraints  are 
met  to  prevent  orbiter/RMS/payload  contact  (PDRS  Working  Panel  16-4  baselined  this  criteria). 
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A12-2  UNATTENDED  RMS  CONSTRAINTS  (CONTINUED) 

B.  NOMINALLY,  DURING  CREW  SLEEP  PERIODS  AND  DURING  EXTENDED 
PERIODS  OF  NON-RMS  OPERATIONS,  THE  RMS  SHALL  BE  CRADLED, 
LATCHED,  AND  THE  SYSTEM  LEFT  IN  THE  TEMPERATURE  MONITOR  MODE. 
HOWEVER,  PREFLIGHT  PLANNED  OVERNIGHT  PARKING  IS  ACCEPTABLE  IF 
THE  RMS  IS  UNGRAPPLED  AND  THE  CONDITIONS  IN  PARAGRAPH  A  ARE 
SATISFIED.  FLIGHT-SPECIFIC  EXCEPTIONS  FOR  HIGH  PRIORITY 
PAYLOADS  ARE  IDENTIFIED  IN  THE  FLIGHT  RULES  ANNEX.  THE  RMS 
CONFIGURATION  FOR  THE  EXCEPTIONS  IS  DEFINED  IN  PARAGRAPH  A. 

The  cradled  and  latched  configuration  of  the  RMS  protects  against  RMS  and  MRL  failures  causing  a 
delay  should  an  emergency  deorbit  be  required.  Preflight  planned  parking  of  the  ungrappled  RMS  is 
acceptable  to  accommodate  specific  customer  requirements  such  as  witness  plates  and  other  data 
gathering  that  cannot  be  accomplished  in  1  crew  day.  No  flight-specific  analysis  needs  be  done  for  the 
ungrappled  RMS. 

C.  FOR  A  CONTINGENCY  REQUIRING  OVERNIGHT  PARK,  THE  UNCRADLED  RMS 
(LOADED  OR  UNLOADED)  MAY  BE  LEFT  UNATTENDED  PROVIDED  ALL 
CONDITIONS  IN  PARAGRAPH  A  ARE  SATISFIED. 

The  crew  response  time  to  an  RMS  alert  is  longer  when  the  crew  is  asleep.  The  additional  risk  imposed 
by  a  longer  response  time  is  considered  small  and  preferable  to  RMS/paylocid  jettison.  The  arm  shall  be 
left  configured  per  paragraph  A  for  the  same  reasons  as  above.  On-Orbit  Flight  Techniques  Panel  # 130 
baselined  acceptability  of  this  RMS  configuration  for  con  tingency  overnight  parking. 

D.  FOR  RMS/ ORBITER  CONTINGENCIES  WHERE  THE  CONDITIONS  OF 
PARAGRAPH  A  CANNOT  BE  MET,  UNLOADED,  UNATTENDED  OVERNIGHT 
PARK  IS  ACCEPTABLE  WITH  THE  ARM  UNPOWERED. 

FLIGHT-SPECIFIC  EXCEPTIONS  FOR  LOADED  CASES  WILL  BE 
IDENTIFIED  IN  THE  FLIGHT  RULES  ANNEX. 

Certain  RMS  anomalies  (e.g.,  loss  of  health  monitoring  insight  or  loss  of  one  electrical  inhibit)  combined 
with  mission  situations  may  require  the  RMS  to  be  deselected  and/or  power  removed.  An  unpowered  arm 
prevents  subsequent  electrical  failures  from  causing  a  possible  unannunciated  or  unprotected  hazard. 
Deselecting  the  arm  is  the  preferred  method  of  removing  power  to  cdlow  temperature,  MCIU,  and  D&C 
health  monitoring.  RMS  power  may  also  be  removed  via  the  RMS  power  switch.  RMS  temperature 
control  and/or  monitoring  should  be  considered  prior  to  removing  RMS  power.  Real-tune  insight  and 
annunciation  as  to  the  status  of  the  RMS  will  be  affected  when  removing  RMS  power. 
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A12-3  TEMPERATURE  CONSTRAINTS  [CIL] 

A.  BOTH  RMS  HEATERS  SHALL  BE  ACTIVATED  AT  LEAST  1  HOUR  PRIOR  TO 
RMS  OPERATIONS.  IF  EVENTS  REQUIRE  THE  RMS  TO  BE  USED  BEFORE 
THE  1  HOUR  REQUIREMENT  HAS  BEEN  MET,  BOTH  HEATER  SYSTEMS 
SHOULD  BE  ACTIVATED  AND  THE  LIGHT  EMITTING  DIODE  (LED)  AND 
THE  ARM  BASED  ELECTRONICS  (ABE)  TEMPERATURES  MUST  BE  AT  LEAST 
10  DEG  (21  DEG)  F. 


SPAR  Aerospace  recommended,  during  the  FMEA/CIL  activities,  that  both  RMS  heater  buses  be  turned 
on  at  least  1  hour  before  arm  operations  to  guaran  tee  that  thermal  gradien  ts  across  the  join  ts  do  not 
cause  joint  problems  in  the  event  of  a  heater  failure.  SPAR  also  confirmed  that  RMS  operations  may 
proceed  immediately  without  any  risk  of  uncommanded  motion  if  the  temperatures  as  reported  by  the 
thermistors  are  within  the  nominal  range  (at  least  21  deg  F).  (SPAR  Aerospace  Response  to  NASA-VP- 
87-020.) 

B.  RMS  OPERATIONS  WILL  BE  TERMINATED  AND  THE  ARM  CRADLED  AND 

LATCHED  WITHIN  25  MINUTES  IF  THE  LOW  TEMPERATURE  ALARM  LIMIT 
(LED  -20  DEG  (0  DEG)  F,  ABE  -20  DEG  (0  DEG)  F)  IS  REACHED, 

AND  TROUBLE-SHOOTING  DOES  NOT  ALLEVIATE  THE  PROBLEM.  IF  THE 
LOW  TEMPERATURE  QUALIFICATION  LIMIT  (LED  -42  DEG  (-10  DEG)  F, 
ABE  -33  DEG  (-10  DEG)  F)  IS  REACHED,  FURTHER  RMS  OPERATIONS 
WILL  NOT  BE  PERFORMED  UNTIL  THE  TEMPERATURES  RETURN  WITHIN 
THE  ALARM  LIMITS.  A  JOINT  DRIVE  TEST  IN  DIRECT  WILL  BE 
PERFORMED  TO  VERIFY  HEALTH  PRIOR  TO  ANY  FURTHER  OPERATIONS. 


There  is  an  SODB  requirement  that  heater  power  must  be  restored  within  25  minutes  of  receipt  of  the  low 
temperature  alarm.  If  troubleshooting  does  not  alleviate  the  low  temperature  problem,  the  arm  must  be 
placed  in  a  safe  configuration  (meaning  cradled  and  latched)  within  25  minutes  to  prevent  any  degraded 
performance  due  to  the  low  temperature.  If  the  low  temperature  qualification  limits  are  reached,  arm 
performance  may  be  unreliable;  so,  further  RMS  operations  will  not  be  performed  until  temperatures 
return  within  the  alarm  limits.  Once  within  limits,  a  joint  drive  test  in  direct  will  be  performed  to 
ascertain  joint  health.  Numbers  in  parentheses  assume  a  1-3/4  count  potential  error  in  the  thermistor 
readings. 
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A12-3  TEMPERATURE  CONSTRAINTS  [CIL]  (CONTINUED) 

C.  RMS  OPERATIONS  WILL  BE  TERMINATED  AND  THE  ARM  CRADLED  AND 

LATCHED  WITHIN  15  MINUTES  IF  THE  HIGH  TEMPERATURE  ALARM  LIMIT 
(LED  176  DEG  (172  DEG)  F,  ABE  (EE)  147  DEG  (144  DEG)  F,  ABE 
(SPA)  110  DEG  (106  DEG)  F)  IS  REACHED,  AND  TROUBLESHOOTING 
DOES  NOT  ALLEVIATE  THE  PROBLEM.  THE  ARM  MUST  BE  CRADLED  AND 
LATCHED  BEFORE  THE  TEMPERATURE  REACHES  THE  ACCEPTANCE 
TEMPERATURE  LIMIT  (LED  186  DEG  (181  DEG)  F,  ABE  (EE)  157  DEG 
(154  DEG)  F,  ABE  (SPA)  120  DEG  (117  DEG)  F) .  IF  THE  ARM 
REACHES  THE  ACCEPTANCE  TEMPERATURE  LIMIT,  POWER  WILL  BE 
REMOVED.  IF  THE  HIGH  TEMPERATURE  QUALIFICATION  LIMIT  (LED 
205  DEG  (202  DEG)  F,  ABE  (EE)  178  DEG  (176  DEG)  F,  ABE  (SPA) 
140  DEG  (136  DEG)  F)  IS  REACHED,  FURTHER  RMS  OPERATIONS  WILL 
NOT  BE  PERFORMED  UNTIL  THE  TEMPERATURES  RETURN  WITHIN  THE 
ALARM  LIMITS.  A  JOINT  DRIVE  TEST  IN  DIRECT  WILL  BE  PERFORMED 
TO  VERIFY  HEALTH  PRIOR  TO  ANY  FURTHER  OPERATIONS.  ®[ED  ] 
@[111298-6744] 

There  is  an  SODB  requirement  that  continued  operation  of  the  RMS  is  limited  to  15  minutes  if  the  high 
temperature  alarm  limit  has  been  reached.  In  addition,  all  power  will  be  removed  from  the  arm  if  the 
high  temperature  acceptance  test  limits  are  reached.  If  troubleshooting  does  not  alleviate  the  problem, 
the  arm  must  be  placed  in  a  safe  configuration  ( meaning  cradled  and  latched)  as  soon  as  possible  to 
prevent  any  degraded  performance  due  to  the  high  temperature.  If  the  high  temperature  qualification 
limits  are  reached,  arm  performance  may  be  unreliable  so  the  arm  should  not  be  uncradled  again  until 
temperatures  return  within  the  alarm  limits.  Once  within  limits,  a  joint  drive  test  in  direct  will  be 
performed  to  ascertain  joint  health  prior  to  any  fu  rther  arm  operations.  Numbers  in  paren  theses 
assume  a  1-3/4  count  potential  error  in  the  thermistor  readings.  Spar  Aerospace  Memo  PMO/97-017, 
dated  June  25,  1997,  updated  the  upper  limit  ABE  numbers  based  on  the  redesigned  SPA  lower 
acceptance  and  qualification  limits.  ®[1 1 1 298-6744  ] 

Rules  {A1 8-451},  ORBITER  THERMAL  CONSTRAINTS  AND  ATTITUDE  MANAGEMENT  [CIL],  and 
{. A12-1001V },  RMS  GO/NO-GO  CRITERIA,  reference  this  rule.  ®[ED  ] 
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A12-4  RMS  ACTIVITY  TERMINATION 

A.  FOR  MPM  AND  MRL  EOM  CONSTRAINTS,  REFERENCE  RULE  {A2-103C}  AND 
D,  EXTENSION  DAY  REQUIREMENTS.  @[090894-1 670B]  ®[1 13095-1 809A] 

B.  DECLARATION  OF  A  NEXT  PLS  DEORBIT  IS  CAUSE  TO  TERMINATE  RMS 
ACTIVITIES  IMMEDIATELY.  FLIGHT-SPECIFIC  EXCEPTIONS  FOR  HIGH- 
PRIORITY  OPERATIONS  WILL  BE  IDENTIFIED  IN  THE  FLIGHT-SPECIFIC 
ANNEX . 


In  the  event  of  a  next  PLS  situation,  the  orbiter  must  be  in  a  safe  configuration  as  soon  as  possible.  This 
requires  that  the  RMS  be  cradled,  latched,  and  stowed  prior  to  payload  bay  door  closure.  If  importan  t 
arm  operations  are  being  performed,  such  as  berthing  a  payload,  the  situation  may  allow  for  those 
operations  to  be  completed  depending  on  the  time  left  before  deorbit. 


A12-5  ORBITER  AVOIDANCE  MANEUVERS  CONSTRAINT  [CIL] 

A  PILOT  SHALL  ALWAYS  BE  AVAILABLE  TO  PERFORM  A  COLLISION 
AVOIDANCE  MANEUVER  DURING  ALL  LOADED  RMS  OPERATIONS  IN  THE  EVENT 
OF  A  PAYLOAD  UNCOMMANDED  RELEASE. 


Since  there  are  failure  modes  that  result  in  an  uncommanded  release  of  a  payload  that  is  attached  to  the 
arm,  it  may  be  necessary  to  maneuver  the  orbiter  in  a  short  period  of  time  to  avoid  collision  with  the 
free-flying  payload. 
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A12-6  OMS/RCS  CONSTRAINTS 

A.  VRCS  ®[11 3095-1 809A] 

1.  VRCS  CONTROL  IS  NOT  PERMITTED  WHEN  THE  RMS  IS: 

a.  IN  TEST  MODE  AND  GRAPPLED  TO  A  NON-CONS TRAINED 
PAYLOAD . 

b.  PERFORMING  FREE-FLYING  PAYLOAD  END  EFFECTOR 
OPERATIONS . 

c.  IN  MOTION  WITH  A  PAYLOAD  OVER  3640  KG  (8000  LBS) . 

(NOTE:  THIS  CONSTRAINT  APPLIES  TO  DAP  AUTO  CONTROL 

ONLY;  DAP  MANUAL  MODE  IS  ALLOWED.) 

2.  FOR  OTHER  VRCS  CONSTRAINTS  DURING  LOADED  RMS  OPERATIONS 
(DUE  TO  DAP  STABILITY  PROBLEMS,  PAYLOAD  CLEARANCE 
CONCERNS,  PAYLOAD  LOADS  SENSITIVITY  CONCERNS,  OR  OTHER 
PAYLOAD  CONSTRAINTS),  REFERENCE  THE  FLIGHT  RULES  ANNEX. 

When  in  test  mode,  unexpected  arm  motion  due  to  payload  inertia  may  result  from  VRCS  firings  since  all 
joints  are  at  maximum  current  attenuation  and  are  essentially  free  to  rotate  when  external  forces  are 
applied  (except  for  internal  gearbox  friction).  No  free-flying  EE  operations  should  be  performed  with 
VRCS  because  jet  firings  may  cause  unexpected  motion  of  the  EE  when  the  arm  is  limped  for  capture  or 
rigidize  sequences  or  tipojf  rates  may  occur  at  release.  Volume  XIV,  Appendix  8  states  that  prior  to  the 
grapple  sequence,  the  orbiter  RCS  will  be  configured  to  free  drift.  It  also  specifies  an  orbiter  DAP  free 
drift  period  prior  to  release  between  15  and  120  seconds  to  allow  RMS  oscillation  damping. 

Both  SPAR  and  MPAD  have  performed  analyses  which  show  there  is  no  chance  of  exceeding  RMS  or 
longeron  loads  for  any  combination  of  VRCS  firings  with  a  loaded  RMS.  However,  there  can  be  stability 
problems  associated  with  manipulation  of  high  mass  payloads  due  to  the  change  in  the  composite  eg  of 
the  orbiter /payload.  Volume  XIV,  Appendix  8  states  that  for  payloads  weighing  over  8000  pounds,  DAP 
free  drift  is  required  while  the  RMS  is  maneuvering  the  payload.  ®[11 3095-1 809A] 
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A12-6  OMS/RCS  CONSTRAINTS  (CONTINUED) 

B.  PRCS  ATTITUDE  CONTROL  ®[1 13095-1 809A] 

1.  PRCS  PRI  DAP  ATTITUDE  CONTROL  IS  NOT  PERMITTED  WHEN  THE 
RMS  IS: 

a.  IN  A  SINGULARITY. 

b.  AT  A  REACH  LIMIT. 

C.  IN  TEST  MODE  UNLESS  GRAPPLED  TO  A  CONSTRAINED 
PAYLOAD . 

d.  PERFORMING  END  EFFECTOR  OPERATIONS. 

e.  MANEUVERING  A  PAYLOAD  OVER  APPROXIMATELY  450  KG 
(1000  LBS) . 

f.  CLOSER  THAN  APPROXIMATELY  1 . 5M  (5  FT)  FROM  ORBITER 
STRUCTURE,  OTHER  PAYLOADS,  OR  EVA  CREWMEMBER. 

2.  FOR  ADDITIONAL  LOADED  RMS  PRCS  CONSTRAINTS,  REFERENCE  THE 
FLIGHT  RULES  ANNEX. 

Both  SPAR  and  MPAD  have  performed  analyses  that  show  there  is  no  constraint  to  an  unloaded  arm  for 
PRCS  firing  as  long  as  the  arm  is  not  positioned  near  a  reach  limit  or  singularity.  At  these  positions,  a 
degree  of  freedom  is  lost  and  the  arm  cannot  relieve  loads  through  backdriving.  When  in  test  mode, 
unexpected  arm  motion  may  result  from  PRCS  firings  since  all  joints  are  at  maximum  current 
attenuation  and  are  essentially  free  to  rotate  when  external  forces  are  applied  (except  for  interned 
gearbox  friction).  No  EE  operations  should  be  performed  with  PRCS  because  jet  firings  may  cause 
unexpected  motion  of  the  EE  when  the  arm  is  limped  for  capture  or  rigidize  sequences  or  tipojf  rates  may 
occur  at  release.  Volume  XIV,  Appendix  8  states  that  prior  to  the  grapple  sequence,  the  orbiter  RCS  will 
be  configured  to  free  drift.  It  also  specifies  an  orbiter  DAP  free  drift  period  prior  to  release  between  15 
and  120  seconds  to  cdlow  RMS  oscillation  damping. 

The  ICD  specifically  prohibits  RMS  from  maneuvering  a  payload  greater  than  450  kg  (1000  lbs)  unless 
PRCS  is  inhibited. 

Level  B  Groundrules  and  Constraints  defines  minimum  clearance  of  1.5  M  (5  ft)  to  protect  for  induced 
) notion  resulting  from  PRCS  auto  hold  and  PRCS  auto  maneuver.  ®[11 3095-1 809A] 
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A12-6  OMS/RCS  CONSTRAINTS  (CONTINUED) 

C.  PRCS  TRANSLATIONS  ®[1 1 3095-1 809A] 

1.  PRCS  TRANSLATIONS  ARE  NOT  PERMITTED  EXCEPT  WHEN  THE  RMS 
IS  : 

a.  UNLOADED  PROVIDED  CLEARANCE  OF  APPROXIMATELY  1 . 5M 
(5  FT)  OR  GREATER  IS  MAINTAINED  BETWEEN  THE  RMS  AND 
OTHER  ORBITER  STRUCTURE. 

b.  GRAPPLED  TO  A  SIX-DOF  CONSTRAINED  PAYLOAD  IN 
CONTINGENCY  SITUATIONS  THAT  REQUIRE  TRANSLATIONS. 

2.  REFERENCE  THE  FLIGHT  RULES  ANNEX  FOR  EXCEPTIONS  FOR 
PAYLOADS  REQUIRING  TRANSLATIONS. 


The  loaded  RMS  has  not  been  certified  to  withstand  the  motion  or  loads  associated  with  PRCS 
translations,  and  a  flight-specific  analysis  will  need  to  be  done  for  each  specific  case. 

D.  OMS  USAGE:  ®[11 3095-1 809A] 

1.  OMS  BURNS  WILL  NOT  BE  PERFORMED  WITH  AN  UNCONSTRAINED 
LOADED  RMS . 

2.  PLANNED  OMS  BURNS  (DUAL  OR  SINGLE  ENGINE)  ARE  PERMITTED 
PROVIDED  THE  RMS  IS  CRADLED  WITH  AT  LEAST  TWO  OF  THREE 
MRL '  S  LATCHED  OR  THE  UNLOADED  RMS  IS  IN  THE  PRECRADLE 
POSITION  (SY  =0,  SP  =  25,  EP  =  -25,  WP  =  5 ,  WY  =  0,  WR 
=  0)  . 

3.  IN  CONTINGENCY  SITUATIONS  THAT  REQUIRE  OMS  BURNS  (I.E., 
OMS  LEAK) ,  OMS  USAGE  IS  PERMITTED  WITH  THE  UNLOADED  RMS 
UNCRADLED  AND  NOT  IN  THE  PRECRADLE  POSITION  (ASSUMES  BEST 
EFFORT  TO  POSITION  THE  RMS  AS  CLOSE  TO  THE  PRECRADLE 
POSITION  AS  POSSIBLE) .  OMS  BURNS  ARE  ALSO  PERMITTED  IF 
THE  RMS  IS  GRAPPLED  TO  A  SIX-DOF  CONSTRAINED  PAYLOAD. 
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A12-6  OMS/RCS  CONSTRAINTS  (CONTINUED) 

Rockwell  Space  Operations  Company  (RSOC)  analysis  has  determined  that  loads  from  OMS  burns  are 
well  below  the  flight  planning  load  limits,  and  no  joint  slippage  occurs  when  the  RMS  is  in  the  precrcidle 
position  during  an  OMS  burn.  The  analysis  investigated  single,  double,  and  worst  case  failure 
conditions  as  well  and  determined  all  loads  and  motion  were  acceptable.  Other  positions  analyzed 
showed  several  inches  to  several  feet  of  motion  for  worst  case  OMS  failures.  OMS  burns  with  a  loaded 
RMS  showed  unacceptable  motion  and  loads  and  could  result  in  payload-to-orbiter  contact.  If  a 
con  tingency  OMS  burn  is  required  and  the  RMS  cannot  be  maneuvered  to  the  precrcidle  position,  a  best 
effort  to  maneuver  to  the  precrcidle  is  required  to  minimize  the  potential  motion.  Refer  to  STSOC 
transmittal  Form,  RSOC-635/250-91-066,  October  4,  1991. 

E.  EXCEPT  FOR  TRANSITORY  MOTION,  NO  PART  OF  THE  RMS  SHALL  BE 
MANEUVERED  OR  PARKED  WITHIN  THE  FOLLOWING  DISTANCES  OF  AN  RCS 
JET  CONTINUOUS  FIRING  RATE  STAY-OUT  ZONE,  AS  DEFINED  BELOW, 
UNLESS  THE  JET  IS  DESELECTED.  ®[1 13095-1 809A] 

F.  FLIGHT-SPECIFIC  EXCEPTIONS  FOR  THE  LOWER  RATE  STAYOUT  ZONES 
MAY  BE  IDENTIFIED  IN  THE  FLIGHT-SPECIFIC  ANNEX.  ®[1 13095-1 809A] 

1.  PRCS : 


FIRING  RATE 

STAY-OUT 

ZONES 

-k 

CONTINUOUS 

X 

II 

o 

R=2  00 

X=4  2  5 

R=1 5  0 

X=500 

R=1 0  0 

X=60  0 

o 

ll 

6  SECONDS 

X 

II 

o 

R=2  0  0 

X=2  00 

R=1 0  0 

X=3  4  0 

o 

II 

80  MSEC 

X 

II 

o 

o 

II 

PC 

X=130 

o 

II 

PC 

X=1  60 

o 

CO 

II 

PC 

X=1 8  0 

o 

II 

C4 

2 .  VRCS : 


FIRING  RATE 

STAY-OUT  ZONES* 

CONTINUOUS 

CO 
\ — 1 

II 

C4 

o 

II 

X 

00 
\ — 1 

II 

PC 

o 

LO 

II 

X 

X=7  0  R=1 0 

o 

II 

o 

00 

II 

X 

80  MSEC 

X=0  R=5 

X=3  0  R=0 

*X  =  DISTANCE  IN  INCHES  FROM  THRUSTER  IN  DIRECTION  OF 
THRUSTER  PLUME 

R  =  LATERAL  DISTANCE  IN  INCHES  FROM  CENTER  OF  THRUSTER 
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A12-6  OMS/RCS  CONSTRAINTS  (CONTINUED) 


Based  on  data  presented  by  SPAR  at  the  STS-2  Orbit  Flight  Techniques  Meeting  # 19  on  August  28,  1981, 
the  above  clearances  are  required  to  prevent  damage  to  the  RMS  thermal  protection  system.  This  is  the 
minimum  required  separation  in  direct  line  with  the  cen  ter  axis  of  the  thruster.  Based  on  Orbit  Flight 
Techn  iques  Meeting  # 149  on  December  16,  1994,  the  decision  was  made  to  deselect  the  affected  jets  for 
long-term  parking  of  the  RMS  in  a  jet  stay-out  zone  to  preclude  the  inadverten  t  pluming  of  the  RMS. 
Additionally,  PDRS  Ops  Checklist  Unloaded  Survey  procedu  res  have  been  updated  to  deselect  jets  for 
those  surveys  that  violate  RCS  stay-out  zones.  ®[i  1 3095-1 809A] 

G.  IN  UNPLANNED  CONTINGENCY  SITUATIONS,  WHEN  THE  STATIONARY  RMS 

IS  LOADED,  CLOSED-LOOP  VRCS  ATTITUDE  CONTROL  (I.E.,  DAP  AUTO, 

INRTL-DISC,  LVLH-DISC)  IS  PERMITTED  FOR  ARM  CONFIGURATIONS 

THAT  HAVE  NOT  BEEN  ANALYZED  FOR  DAP  STABILITY  PREFLIGHT  IF 

THE  FOLLOWING  CRITERIA  ARE  MET:  ®[11 3095-1 809A] 

1.  THE  PAYLOAD  WEIGHT  IS  LESS  THAN  35K  LB. 

2.  THE  RMS  IS  NOT  IN  A  REACH  LIMIT  OR  SINGULARITY. 

3.  CLEARANCE  BETWEEN  THE  PAYLOAD  AND  ORBITER  IS  AT  LEAST 
10  FEET. 

4.  THE  PAYLOAD  IS  NOT  LOAD  SENSITIVE. 

5.  THE  CREW  MONITORS  THE  RMS  AND  ORBITER  FOR  SIGNS  OF  DAP 
INSTABILITY. 

6.  THE  FLIGHT  CONTROL  TEAM  MONITORS  FOR  SIGNS  OF  DAP 
INSTABILITY. 

7.  TIGHT  RATE  AND  ATTITUDE  DEADBANDS,  SUCH  AS  THOSE  USED 
FOR  PAYLOAD  RELEASE,  ARE  NOT  USED. 

8.  CLOSED-LOOP  ATTITUDE  HOLD  WILL  NOT  BE  INITIATED  DURING 
LOS  . 

9.  CLOSED-LOOP  ATTITUDE  MANEUVERS  WILL  NOT  BE  INITIATED  OR 
TERMINATED  DURING  LOS. 

10.  THE  BEST  AVAILABLE  DAP  I-LOAD  SET  (CNTL  ACCEL)  FOR  THE 
RMS/PL  CONFIGURATION  IS  USED. 
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A12-6  OMS/RCS  CONSTRAINTS  (CONTINUED) 

IF  AN  INSTABILITY  IS  DETECTED,  THE  ORBITER  DAP  SHOULD  BE 
DOWNMODED  TO  FREE  DRIFT  AND  MANUAL  CONTROL  USED  FOR  ATTITUDE 
HOLD  AND  MANEUVERS . 

IN  ORDER  TO  REGAIN  CLOSED-LOOP  DAP  CAPABILITY  AFTER  AN 
INSTABILITY  HAS  OCCURRED,  THE  RMS  AND/OR  DAP  SHOULD  BE 
RECONFIGURED  BEFORE  REINITIATING  AUTO  CONTROL. 

A  limited  analysis  of  the  effects  of  an  unstable  VRCS  DAP  on  the  loaded  RMS  (22k  PL)  has  shown  loads 
to  be  below  the  flight  planning  load  limit  and  motion  of  the  payload  at  a  rate  less  than  2  in/niin  with  the 
RMS  brakes  on  and  insignificant  when  the  RMS  was  in  position  hold  ( Orbit  Flight  Techniques  Panel 
Meeting  #101).  Discussion  at  Orbit  Flight  Techniques  Panel  meeting  # 105  concluded  that  the 
magn  itude  of  the  uncommanded  motion  of  the  RMS/PL  is  more  than  an  order  of  magnitude  below  any 
unacceptable  limit  and  that  the  RMS  joints  will  backdrive  to  relieve  loads  as  long  as  the  RMS  is  not  in  a 
singularity  or  reach  limit.  Additionally,  flight  controllers  can  monitor  phase  plane  activity  and  jet  firing 
patterns  to  determine  whether  or  not  the  DAP  is  unstable  if  the  crew  cannot  detect  the  instability  (ref. 
Draper  memo  SSV-88-49,  Identification  of  RMS/FCS  Instability  During  Payload  Extended  Operations, 
10/21/88).  Tight  deadbands  should  not  be  used  at  nonanalyzed  configurations  because  they  have  a  high 
probability  of  causing  an  instability.  Draper  Lab  recommends  widening  the  deadbands  to  a  rate  limit  of 
0.1  deg/sec  and  an  attitude  deadband  of  2.0  degrees.  Instability  during  attitude  maneuvers  is  less  likely 
to  occur  by  using  a  maneuver  rate  less  than  or  equal  to  the  rate  limit.  The  most  likely  time  for  an 
instability  to  occur  is  when  closed-loop  con  trol  is  first  initiated  or  when  cm  auto  maneuver  is  started  or 
terminated.  Because  the  crew  cannot  easily  detect  cm  instability,  it  is  preferable  to  initiate  closed-loop 
control  during  a  period  of  AOS  to  cdlow  the  flight  control  team  to  assess  the  DAP’s  performance.  Auto 
maneuvers  should  be  scheduled  to  begin  and  end  during  an  AOS  period,  also.  Before  initiating  closed- 
loop  attitude  control,  the  DAP  I-locid  set  ( CNTL  ACCEL  on  SPEC  20)  that  best  matches  the  RMS/PL 
configuration  should  be  selected.  In  determining  the  best  CNTL  ACCEL,  the  payload  Z  position  is  the 
most  important  parameter.  An  improper  CNTL  ACCEL  can  lead  to  inefficient  jet  selection  and  possible 
loss  of  attitude  control. 

If  cm  instability  occurs,  the  crew  should  downmode  to  free  drift  and  use  manned  control.  Reconfiguring 
the  RMS  and/or  DAP  before  reinitiating  auto  control  may  result  in  a  stable  DAP. 
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A12-7  RMS  IFM  D&C  KIT 

A.  FOR  RMS  A8  D&C  PANEL  FAILURES,  IF  THE  MISSION  TIMELINE  CAN 

ACCOMMODATE  THE  INSTALLATION  AND  REMOVAL  TIME  OF  THE  RMS  D&C 
KIT,  FOR  GO/NO-GO  DECISIONS,  ITS  PRESENCE  CAN  BE  ASSUMED 
WHETHER  IT  IS  CURRENTLY  INSTALLED  OR  NOT.  CONVERSELY,  WHEN 
THE  KIT  IS  INSTALLED,  PANEL  A8  CONTROLLED  FUNCTIONS  WHICH  ARE 
DISABLED  BY  KIT  INSTALLATION  (AUTO/MAN  EE  DRIVE  AND  DIRECT 
DRIVE)  WILL  NOT  BE  CONSIDERED  PERMANENTLY  LOST  FOR  GO/NO-GO 
DECISIONS . 


Approximately  1  hour  is  required  to  install  the  RMS  D&C  kit  and  an  additional  hour  is  required  for 
removal.  If  sufficient  time  exists  for  installation  and  removal,  the  system  configuration  (and  capabilities) 
will  be  modified  by  the  kit;  hence,  its  functions  should  be  used  in  the  decision-making  process. 


Since  the  kit  will  only  be  installed  if  sufficien  t  time  exists  for  its  removal,  the  system  configuration  will  be 
returned  to  nominal,  and  those  functions  disabled  by  kit  presence  should  not  be  considered  permanen  tly 
lost  in  the  decision-making  process. 

B.  WHEN  THE  RMS  D&C  KIT  IS  INSTALLED,  THE  APPLICABLE  AC/DC 
SWITCH  POWERING  THE  KIT  WILL  REMAIN  OFF  UNTIL  IMMEDIATELY 
PRIOR  TO  THE  REQUIRED  OPERATION  AND  WILL  BE  RETURNED  TO  OFF 
IMMEDIATELY  AFTER  THE  OPERATION  IS  COMPLETED.  THE  KIT  WILL 
BE  REMOVED  AS  SOON  AS  PRACTICAL  AFTER  THE  REQUIRED  FUNCTION 
IS  COMPLETED. 

The  RMS  D&C  kit  utilizes  separate  cabling  for  ac  and  dc  controlled  functions.  Since  the  kit  design  does 
not  include  an  enable  switch  for  the  joint  drive  or  end  effector  functions,  failures  of  these  switches  with 
the  kit  installed  will  potentially  produce  CRIT  1  situations.  For  this  reason,  the  switch  powering  the  kit 
will  be  used  as  an  enable/inhibit  switch,  and  power  will  only  be  applied  during  the  actual  operation 
which  caused  installation  of  the  kit.  ®[1 1 1 298-6744  ] 

C.  USE  OF  ANY  APPROVED  DC  POWER  KIT  FUNCTIONS  EXCEPT  EE 
OPERATIONS  IN  SUPPORT  OF  PAYLOAD  RELEASE  MUST  BE  PRECEDED  BY 
A  KIT  VERIFICATION.  PRIOR  TO  APPLICATION  OF  DC  POWER  TO  THE 
KIT,  THE  FOLLOWING  CONDITIONS  MUST  BE  MET: 

1.  THE  RMS/PL  MUST  BE  POSITIONED  WELL  CLEAR  OF  (> 
APPROXIMATELY  5  FEET)  STRUCTURE. 

2.  THE  KIT  JOINT  SELECT  SWITCH  MUST  BE  POSITIONED  TO  A  JOINT 
WHICH  WILL  PRODUCE  BENIGN  MOTION  IF  UNCOMMANDED  DIRECT 
DRIVE  OCCURS. 
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A12-7  RMS  IFM  D&C  KIT  (CONTINUED) 

3.  IF  LOADED,  THE  RMS  MUST  BE  POSITIONED  SUCH  THAT  PAYLOAD 
ROTATIONS  DUE  TO  UNCOMMANDED  DERIGID  WILL  NOT  CAUSE 
CONTACT,  AN  ORBITER  PILOT  MUST  BE  AVAILABLE  TO  PERFORM  AN 
IMMEDIATE  SEPARATION  SHOULD  AN  UNCOMMANDED  RELEASE  OCCUR, 
AND  DOWNLINK  MUST  BE  AVAILABLE  TO  CONFIRM  LACK  OF  EE 
STALL  CURRENTS. 

When  dc  power  is  applied  to  the  kit,  the  direct  drive,  and  EE  drive,  switches  are  all  enabled  and  failures 
within  these  switches  could  command  those  functions.  Failures  within  the  kit  direct  drive  switch  will 
override  all  commands  (even  if  brakes  on  and  RMS  stationary)  and  result  in  uncommanded  drive  of  the 
joint  selected  on  the  kit.  The  best  method  to  halt  this  motion  is  to  remove  primary  power  from  the  RMS 
(application  of  brakes  will  be  ineffective).  Also,  when  dc  power  is  applied  to  the  kit,  EE  functions  are 
enabled,  and  subsequen  t  failure  of  those  switches  could  resu  lt  in  uncommanded  payload  derigid,  release, 
or  EE  burnout.  ®[1 1 1 298-6744  ] 

It  should  be  determined  that  the  selected  joint  does  not  drive  in  the  presence  of  no  command  and  that 
multiple  join  ts  do  not  drive  when  a  command  is  issued.  The  kit  joint  select  switch  should  be 
prepositioned  to  the  joint  which  would  produce  the  most  benign  motion  should  uncommanded  joint  drive 
occur  when  power  is  applied  to  the  kit.  Application  of  dc  power  to  support  EE  functions  is  short  term 
and  hence  cm  acceptable  risk. 

D.  USE  OF  THE  RMS  D&C  KIT  IS  APPROVED  FOR  THE  FOLLOWING 
FUNCTIONS : 

1 .  RMS  SHOULDER  BRACE  RELEASE 

2.  EE  OPERATIONS 
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A12-7  RMS  IFM  D&C  KIT  (CONTINUED) 

3.  DIRECT  DRIVE  (LOADED  OR  UNLOADED)  @[111298-6744] 

RMS  shoulder  brace  release  utilizes  ac  power.  There  are  no  other  ac  kit  function  s  hence  no  risk 
associated  with  use  of  this  function. 

When  dc  power  is  applied  to  the  kit,  the  direct  drive,  and  EE  drive  switches  are  all  enabled  and  failu  res 
within  these  switches  could  command  those  functions.  However,  health  status  of  the  kit  is  verified  prior 
to  its  operational  use  (except  for  PL  release)  and;  hence,  the  period  of  vulnerability  to  subsequent  failure 
is  limited  to  the  timeframe  that  dc  power  is  actually  applied  to  the  kit.  Other  flight  rules  constrain  power 
application  times  to  the  minimum  required  to  perform  the  desired  function  with  the  kit.  @[111298-6744] 

EE  operations  utilize  dc  power.  EE  drive  times  are  procedurally  limited  to  under  30  seconds;  hence,  this 
is  deemed  to  be  an  acceptable  risk  (to  failures  within  the  direct  drive  switch ). 

Direct  drive  operations  utilize  dc  power.  Direct  drive  may  require  extensive  time  periods  for 
maneuvering;  however,  the  potential  benefits  to  loaded  RMS  mission  success  outweigh  the  risk  of 
uncommanded  EE  operations  if  a  successful  kit  verification  has  been  completed  as  required. 

The  redesign  of  the  Sen’o  Power  Amplifiers  has  obviated  the  need  for  a  scifing  inhibit  function. 
@[111298-6744] 
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A12-8  RMS  OPCODE  UPLINKS 

A.  RMS  OPCODE  UPLINKS  ARE  NOT  PERFORMED  ON  A  NOMINAL  BASIS. 
UPLINKS  MAY  BE  PERFORMED  FOR  THE  FOLLOWING  CASES. 

RMS  level  C  data  is  nominally  defined  during  the  flight  cycle  of  the  flight  software  (FSW)  build. 

1.  IDENTIFICATION  OF  LEVEL  C  REQUIREMENTS  LATE  IN  THE 
PROGRAM  FLOW. 

FLIGHT-SPECIFIC  REQUIREMENTS  WILL  BE  IDENTIFIED  IN  THE 
FLIGHT-SPECIFIC  ANNEX. 


Previously,  payload  or  program  requiremen  ts  iden  tified  after  the  n  ominal  flight  cycle  deadlines  could 
only  be  accommodated  by  a  costly  software  patch.  The  uplink  capability  provides  a  cost-efficient 
alternative  to  meeting  these  requirements. 

2 .  PAYLOAD  OR  PROGRAM  REQUIRES  MORE  LEVEL  C  DATA  THAN  FSW 
LIMITATIONS  CAN  SUPPORT. 

FLIGHT-SPECIFIC  REQUIREMENTS  WILL  BE  IDENTIFIED  IN  THE 
FLIGHT-SPECIFIC  ANNEX. 


Current  manifest  projections  and  increased  payload  complexities  may  require  more  EEID’s,  PLID’s,  or 
autosequences  than  FSW  can  support.  The  opcode  uplink  enables  RMS  to  have  the  capability  to  support 
these  situations  without  requiring  a  GMEM  read/write. 

3.  CONTINGENCY  RMS  OPCODE  UPLINKS  DESIGNED  AND  SUBMITTED 
DURING  A  MISSION. 


Situations  unanticipated  preflight  could  arise  where  the  opcode  unlink  capability  is  useful  to  successfully 
meet  mission  objectives. 

B.  CONTINGENCY  OPCODE  UPLINK  DATA  WILL  BE  DEVELOPED  AND  TESTED 
WITH  THE  RMS  PLANNING  SYSTEM  (RPS)  TOOL  AND  VALIDATION  WILL 
CONSIST  OF  THE  FOLLOWING: 


RPS  is  a  configuration  controlled  (MOD  Software  Management  Plan  for  Workstation  Applications)  RMS 
tool  used  to  design,  develop,  and  test  nominal  level  C  data  and  RMS  procedures.  An  application  exists 
on  RPS  to  build  and  test  data  files  for  uplink  applications. 
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A12-8  RMS  OPCODE  UPLINKS  (CONTINUED) 

1.  RPS  TESTING  FOR  LEVEL  C  GENERATION,  RANGE  LIMIT  CHECKING, 
AND  RMS  FUNCTIONAL  TESTS.  ANY  RANGE  LIMIT  EXCEEDANCES 
WILL  BE  DOCUMENTED  IN  A  MER  CHIT,  RESOLVED  WITH  THE  MER, 
AND  BROUGHT  TO  THE  FD'S  ATTENTION  PRIOR  TO  UPLINK. 

Data  range  limits  defined  in  STS-97 -0017  (RMS  Level  C  Functional  Subsystem  Software  Requirements 
document )  are  based  on  formulas  developed  to  ensure  RMS  in  tegrity  given  payload-specific  mass 
property  data.  Level  C  data  must  be  within  these  specified  ranges  else  it  will  be  rejected  by  the  SM 
preprocessor  and  the  opcode  program.  Situations  arise  where  these  limits  can  safely  be  exceeded. 

Range  limit  exceedances  annunciated  to  the  RPS  or  workstation  user  will  be  evaluated  on  a  case-by-case 
basis  to  determine  if  the  uplink  should  be  performed. 

RPS  and  the  opcode  uplink  program  software  are  designed  to  perform  testing  and  procedure  verification 
comparable  to  the  Shuttle  Avionics  Integration  Laboratory  (SAIL),  RSOC  Level  8,  IBM  Software 
Development  Facility  (SDF),  and  SM  preprocessor.  Therefore,  no  additional  testing  is  required. 

2.  MER  CONCURRENCE  ON  THE  UPLINK  AND  RPS  VALIDATION  VIA  MER 
CHIT  . 

The  MER  chit  ensures  the  RMS  community  concurs  the  data  is  valid  and  will  not  compromise  the  RMS. 

C.  THE  RMS  MUST  HAVE  THE  BRAKES  ON  WHEN  THE  OPCODE  UPLINK  IS 
PERFORMED . 

This  ensures  a  runaway  due  to  the  uplinked  data  will  not  occur.  Additionally,  the  FSW  will  reject  the 
uplink  if  the  RMS  is  not  in  the  suspend,  idle,  or  temperature  monitor  mode. 


A12-9  RMS  MCIU  BITE  OVERRIDES  [CIL] 

MCIU  OVERRIDES  (SM  95,  ITEMS  36,  37,  OR  38)  WILL  NOT  BE  PERFORMED 

WITHOUT  MCC  CONCURRENCE.  @[071494-1644] 

With  BITE  overrides  enabled,  the  failed  joint  is  one  failure  away  from  a  crit  1  situation  for  which  the 
autobrakes  are  designed  to  catch.  With  a  joint  BITE  failure  overridden,  autobrakes  and  fault 
annunciation  are  disabled  for  a  subsequent  failure  of  that  same  joint.  Requiring  the  MCC  to  concur  with 
performing  BITE  overrides  ensures  that  the  risks  are  assessed  and  precautions  taken  to  mitigate  the 
effects  of  subsequent  failures.  @[071 494-1 644  ] 
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MPM/MRL  LOSS/FAILURE  DEFINITIONS 


A12-51  MPM/MRL  POSITIONING 

AN  MPM  OR  MRL  MECHANISM  SHALL  BE  CONSIDERED  TO  HAVE  ATTAINED  ITS 
COMMANDED  POSITION  IF  AT  LEAST  ONE  INDICATION  OF  THAT  STATE 
OCCURS  WITHIN  THE  SINGLE  MOTOR  DRIVE  TIME. 

If  a  microswitch  changes  to  reflect  what  is  believed  to  be  the  true  state  of  the  hardware  at  the  exact  time 
the  hardware  is  supposed  to  achieve  that  state,  it  is  extremely  probable  that  the  hardware  is  indeed  at  the 
indicated  state  even  if  the  redundant  microswitcli  does  not  verify  the  condition. 

While  operating  the  MPM  or  MRL,  flight  experience  has  demonstrated  that  there  are  normal  drive  times 
associated  with  failure  free  conditions.  Anything  other  than  those  times  achieved  during  operation 
would  be  grounds  to  suspect  an  anomalous  condition.  However,  if  the  drive  time  is  within  the  single 
motor  specification  time  and  other  cues  (visual  and/or  duration  of  current  signatures)  corroborate  the 
single  microswitch  indication,  it  is  assumed  that  the  mechanism  is  actually  at  the  indicated  state. 

A12-52  MPM  FAILED  IN  TRANSIT 

WHEN  COMMANDING  THE  MPM,  IF  NEITHER  THE  SHOULDER  DEPLOYED  (ONE  OF 
TWO)  NOR  STOWED  (ONE  OF  TWO)  POSITIONS  ARE  INDICATED  AFTER  THE 
SINGLE  MOTOR  DRIVE  TIME  HAS  ELAPSED,  IT  SHALL  BE  ASSUMED  THAT  THE 
MPM  HAS  FAILED  IN  TRANSIT. 

Without  a  deploy  or  stow  indication  of  the  MPM,  the  system  is  considered  in  transit  and  unlocked.  The 
rule  is  only  applicable  when  the  MPM  is  being  driven.  Once  the  MPM  has  reached  the  stowed  or 
deployed  position,  it  is  assumed  that  it  remains  there,  even  if  the  microswitches  change  state,  un  less 
there  is  a  drive  command  present. 

In  fact,  this  has  occurred  during  flight  on  several  occasions.  While  the  arm  was  being  driven,  the  MPM 
deploy  microswitches  cycled  to  the  “not  deploy”  state.  The  community  has  concluded  that  this 
phenomenon  is  associated  with  arm  operational  stresses  applied  to  the  base  of  the  MPM  and  the 
relatively  sensitive  nature  of  the  microswitch  rigging  calibration. 
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A12-53  MRL  FAILED  IN  TRANSIT 

WHEN  COMMANDING  THE  MRL '  S ,  IF  AN  MRL  DOES  NOT  INDICATE  THE 
LATCHED  (ONE  OF  TWO)  OR  RELEASED  (ONE  OF  TWO)  POSITION  AFTER  THE 
SINGLE  MOTOR  DRIVE  TIME  HAS  ELAPSED,  IT  SHALL  BE  ASSUMED  THAT  THE 
MRL  HAS  FAILED  IN  TRANSIT. 


Without  the  proper  latched  or  released  indications,  the  latch  position  is  indeterminate. 
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A12-71  MPM/MRL  CYCLING 

CYCLING  OF  THE  MPM  OR  MRL  SHALL  ONLY  BE  PERFORMED  WHILE  THE  ARM 
IS  CRADLED. 

There  are  two  intentions  for  this  rule.  The  first  is  to  prevent  MPM  motion  with  the  arm  uncradled  since 
the  system  was  not  designed  for  that  capability.  The  other  is  to  prevent  the  latches  from  failing  closed 
when  the  RMS  is  uncradled.  If  this  occurred,  the  RMS  could  not  be  cradled.  Therefore,  adequate 
clearance  would  not  exist  between  the  arm  and  radiators  with  the  doors  shut,  and  the  arm  would  have  to 
be  jettisoned. 


VOLUME  A  06/20/02  FINAL  ROBOTICS  12-21 

Verify  that  this  is  the  correct  version  before  use. 


NASA  -  JOHNSON  SPACE  CENTER 


FLIGHT  RULES 


A12-72  MPM  DEPLOY/ STOW  CONSTRAINTS 

A.  THE  MPM' S  SHALL  BE  STOWED  AS  SOON  AS  PRACTICAL  IF  ONLY  SINGLE 
MOTOR  DRIVE  IS  AVAILABLE. 

The  MPM’s  are  all  driven  by  a  single  torque  tube  from  two  separate  motors.  The  MPM  shall  be  stowed 
if  a  single  motor  is  lost  since  a  subsequent  failure  of  the  other  motor  would  require  an  EVA  or  jettison  of 
the  arm  and  MPM’s.  During  normal  operations  of  the  arm,  it  is  unacceptable  to  continue  if  the  system  is 
one  failure  from  having  to  jettison  or  perform  an  EVA.  EVA  tools  and  procedures  are  available  to 
deploy  or  stow  the  MPM  that  has  stopped  because  of  an  electrical  failure  but  not  for  a  mechanical  jam. 
@[110900-7257] 

Rule  {A2-103E},  EXTENSION  DAY  REQUIREMENTS,  references  this  rule.  @[090894-1 670B] 

B.  FOR  LOSS  OF  MPM  STOW  REDUNDANCY  DURING  HIGH  PRIORITY 
OPERATIONS,  THE  MPM' S  WILL  REMAIN  DEPLOYED  UNTIL  OPERATIONS 
ARE  COMPLETE.  IF  FAILURE  OF  THE  REMAINING  MPM  STOW  SYSTEM 
OCCURS  WHILE  DEPLOYED,  OPERATIONS  WILL  CONTINUE  UNTIL  AN  EVA 
CAN  BE  PERFORMED  OR  JETTISON  IS  REQUIRED. 

The  MPM  must  be  deployed  to  achieve  mission  success  for  high  priority  RMS  operations.  Termination 
of  loaded  activities  due  to  loss  of  stow  capability  during  loaded  operations  will  be  of  no  benefit.  A 
subsequent  failure  of  the  second  MPM  drive  system  would  require  an  EVA  to  roll  in  the  MPM  or  jettison 
of  the  RMS/MPM.  EVA  may  be  viable  for  electrical  failures  only  (mechanical  jam  may  result  in  jettison). 
Due  to  the  priority  of  the  mission  objectives,  the  risk  is  acceptable. 

Rule  [A12-1001 },  RMS  GO/NO-GO  CRITERIA,  references  this  rule.  ®[i  10900-7257] 

C.  FOR  THE  COMPLETE  LOSS  OF  MPM  MOTOR  DRIVE  CAPABILITY,  AN  EVA 
TO  DEPLOY  AND/OR  STOW  THE  MPM' S  WILL  BE  PERFORMED  TO  PERMIT 
HIGH  PRIORITY  LOADED  RMS  OPERATIONS.  @[110900-7257] 

The  MPM  must  be  deployed  to  achieve  mission  success  for  high  priority  RMS  operations.  Electrical 
failures  which  prevent  driving  the  MPM  can  be  worked  around  via  IFM  or  EVA;  mechanical  failures 
cannot.  Due  to  the  priority  of  the  mission  objectives,  EVA  support  for  these  contingencies  has  been 
preflight  planned. 
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A12-72  MPM  DEPLOY/ STOW  CONSTRAINTS  (CONTINUED)  ®[ED  ] 

D.  THE  MPM  MUST  BE  POSITIONED  AS  FOLLOWS  DURING  RMS  OPS: 

1.  UNLOADED  RMS  -  THE  MPM  MUST  BE  EITHER  FULLY  DEPLOYED  OR 
FULLY  STOWED.  IF  STOWED,  DAP  FREE  DRIFT,  VRCS,  OR  ALT 
MODE  ATTITUDE  CONTROL  IS  REQUIRED.  IF  ALT  MODE  IS  USED, 
TWO  JET  CONTROL  WITH  JET  ON  TIME  OF  0.08  SECONDS  MUST  BE 
USED.  DELAY  TIMES  OF  5  SECONDS  OR  LESS  ARE  ACCEPTABLE. 

®[071 494-1 662A] 

2.  LOADED  RMS  -  THE  MPM  MUST  BE  FULLY  DEPLOYED.  FLIGHT- 
SPECIFIC  EXCEPTIONS  FOR  HIGH  PRIORITY  OPERATIONS  WILL  BE 
IDENTIFIED  IN  THE  FLIGHT-SPECIFIC  ANNEX. 


Without  deployed  or  stowed  indications,  the  MPM’s  are  considered  in  transit  curd  unlocked  with  only  the 
stiffness  of  the  torque  tube  present  to  maintain  a  firm  shoulder  position.  This  is  not  a  sufficien  t  load 
path  to  support  any  arm  operations  without  possible  structural  failure.  In  the  fully  deployed  or  stowed 
positions,  loads  are  distributed  to  the  sill  longeron  by  overcenter  locked  structural  links  plus,  if  fully 
deployed,  a  load-bearing  J-hook.  Supplemental  Rockwell -Downey  analyses  ( 280-STSD-106-89-027 ) 
have  shown  that  for  an  unloaded  RMS,  positive  MPM  structural  margins  exist  during  nominal  RMS 
maneuvering  or  RMS  runaway  failures  at  various  worst  case  (bounding)  RMS  orientations  with  the 
shoulder  MPM  in  the  stowed  position.  Previous  analyses  have  concluded  that  runaway  loads  bound 
VRCS  induced  loads  but  do  not  always  bound  Pri  DAP  induced  loads.  RSOC  Analysis  (RSOC-635/250- 
94-009)  also  shows  that  longeron  loads  induced  by  reasonable  worst  case  PRCS  alt  mode  jet  firings  are 
bounded  by  the  previous  runaway  loads,  hence,  the  free  drift,  VRCS,  or  alt  mode  constraint. 

®[071 494-1 662A]  ®[1 13095-1 809A] 

E.  ONCE  THE  MPM' S  ARE  DEPLOYED,  THEY  MAY  REMAIN  DEPLOYED  UNTIL 
RMS  MISSION  OPERATIONS  ARE  COMPLETED.  REFERENCE  PARAGRAPHS 
A,  B,  AND  C  FOR  THE  LOSS  OF  DUAL-MOTOR  STOW  CAPABILITY. 

With  two-motor  stow  capability,  there  is  no  problem  with  leaving  the  MPM’s  deployed.  Paragraphs  A, 

B,  and  C  of  this  rule  address  the  loss  of  clucd-motor  stow  capability.  The  in  ten  t  of  this  rule  is  to  not 
require  stowing  the  MPM’s  at  the  end  of  each  day  if  RMS  operations  are  planned  on  subsequent  days. 

Rule  {A12-1001 },  RMS  GO/NO-GO  CRITERIA,  references  this  rule.  ®[i  10900-7257] 
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A12-73  MRL  CONSTRAINTS 

A.  THE  RMS  SHALL  BE  CRADLED  AND  LATCHED  AS  SOON  AS  PRACTICAL  IF 
THE  MRL'S  ARE  ONE  FAILURE  AWAY  FROM  BEING  UNABLE  TO  LATCH  AT 
LEAST  TWO  OF  THREE  PEDESTALS. 

There  are  failures  that  result  in  the  loss  of  two  or  three  MRL  latch  motors.  If  the  configuration  of  the 
MRL  is  such  that  the  next  failure  can  result  in  the  inability  to  latch  at  least  two  MRL’s,  the  arm  shall  be 
cradled  ASAP  since  there  is  no  analysis  that  indicates  that  it  is  safe  to  return  the  orbiter  with  the  RMS 
unlatched  (ref  paragraph  C).  @[110900-7257] 

Rule  {A2-103E},  EXTENSION  DAY  REQUIREMENTS,  references  this  rule.  ®[090894-i670B] 

B.  FOR  HIGH  PRIORITY  MISSION  OBJECTIVES,  IF  FAILURES  CAUSE  THE 
MRL'S  TO  BE  ONE  FAILURE  AWAY  FROM  THE  LOSS  OF  ABILITY  TO 
LATCH  TWO  PEDESTALS,  RMS  OPERATIONS  WILL  BE  ALLOWED  TO 
CONTINUE.  THE  RMS  SHALL  BE  CRADLED  AND  LATCHED  AS  SOON  AS 
PRACTICAL  AFTER  ALL  RMS  SUPPORTED  HIGH  PRIORITY  MISSION 
OBJECTIVES  ARE  COMPLETED. 

At  least  two  of  three  MRL’s  are  required  to  be  latched  to  allow  the  orbiter  to  enter  with  the  RMS.  Due  to 
the  importance  of  the  mission  objectives,  operations  will  be  permitted  to  continue  if  the  MRL’s  are  one 
failure  away  from  the  loss  of  ability  to  latch  two  or  three  MRL ’s.  Either  EVA  tiedown  or  RMS  jettison  is 
available  as  an  alternative  means  to  safe  the  RMS  or  orbiter  for  entry. 

Rule  (A12-1001J,  RMS  GO/NO-GO  CRITERIA,  references  this  rule. 

C.  THE  RMS  MUST  HAVE  TWO  OF  THREE  MRL'S  SECURED  FOR  ENTRY. 

Each  of  the  three  MRL’s  have  two  independent  drive  motors,  and  either  a  mechanical  jam  would  have  to 
occur  or  both  drive  systems  would  have  to  fail  to  cause  loss  of  latch  capability  for  an  MRL  pedestal. 
Flight  Techniques  analysis  has  indicated  that  two  of  three  MRL’s  must  be  secured  for  entry  (via  MRL 
latch  or  EVA  technique )  to  prevent  RMS/radiator  contact.  This  capability  is  protected  by  staying  at  least 
two  failures  away  from  not  being  able  to  latch  two  of  three  MRL’s. 

Rules  { A12-1001 j,  RMS  GO/NO-GO  CRITERIA,  and  { A2-103EJ ,  EXTENSION  DAY  REQUIREMENTS, 

reference  this  rule.  @[090894-1 670B]  @[110900-7257] 
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A12-74  INADVERTENT  MPM  CYCLING  PROTECTION  [CIL] 

WHILE  THE  RMS  IS  UNCRADLED,  THE  FOLLOWING  CIRCUIT  BREAKERS  WILL 
BE  OPENED  TO  PREVENT  INADVERTENT  CYCLING  OF  THE  MPM  SYSTEM: 

MA7 3C : C  cb  MCA  PWR  AC 2  30  MID  2 
MA7 3C : D  cb  MCA  PWR  AC 3  30  MID  4 

FMEA’S  exist  for  MPM  DPLY /STOW  switch  or  hybrid  relay  failures  that  result  in  uncommanded  motion 
of  the  MPM.  The  orbiter/RMS/payload  may  be  damaged  if  the  MPM  stows  during  RMS  operations. 
Opening  these  circuit  breakers  removes  ac  power  from  both  MPM  motors.  This  provides  protection 
while  the  payload  bay  mechanical  power  switches  are  on.  These  cb’s  must  be  closed  for  vent  and 
payload  bay  door  operations;  neither  of  which  are  normally  done  during  RMS  operations.  For  radiator 
stow/deploy,  see  Rule  {A10-221D},  RADIATOR  MECHANICAL. 
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A12-91  SHOULDER  BRACE  OPERATION 

THE  SHOULDER  BRACE  SHOULD  BE  RELEASED  AS  EARLY  AS  PRACTICAL  AFTER 
PLBD  OPENING. 

There  are  failure  modes  which  may  prohibit  the  operation  of  the  shoulder  brace  release  mechanism. 

Orbit  thermal  effects  could  also  prevent  release.  Therefore,  it  is  prudent  to  release  the  brace  as  soon  as 
practical  since  its  only  function  is  to  support  ascent  loads. 

Rule  (A12-1001AJ,  RMS  GO/NO-GO  CRITERIA,  references  this  rule. 
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A12-92  RMS  CHECKOUT 

A.  THE  RMS  FLIGHT  DATA  FILE  CHECKOUT  PROCEDURES  SHALL  BE 
PERFORMED  ONCE  PER  MISSION,  AS  EARLY  AS  PRACTICAL,  PRIOR 
TO  ANY  NOMINAL  RMS  OPERATIONS. 

There  are  several  failure  modes  that  can  be  detected  during  the  RMS  checkout.  Early  detection  of  a 
failure  may  provide  adequate  time  to  troubleshoot  the  problem  and  develop  workaround  procedures. 

B.  FOR  OFF-NOMINAL  SITUATIONS  WHERE  A  RAPID  RMS  RESPONSE  IS 
DESIRED,  COMPLETION  OF  THE  CHECKOUT  PROCEDURES  FOR  BACKUP  AND 
DIRECT  DRIVE  MODE  SHALL  BE  ACCOMPLISHED  AS  A  MINIMUM. 

This  will  ensure  that  the  arm  is  not  a  single  failure  away  from  having  to  be  jettisoned  or  stowed  EVA. 

One  of  these  modes  is  required  to  cradle  the  arm.  Approximately  5  to  10  minutes  are  required  to 
complete  these  tests.  A  test  of  direct  drive  gives  valuable  insight  into  any  possible  joint  degradation 
while  testing  single  may  not  indicate  the  problem.  The  PDRS  checklist  has  been  modified  to  give  the 
crew  a  success  criteria  for  direct  drive. 

C.  THE  EE  CHECKOUT  WILL  BE  PERFORMED  ONCE  PER  MISSION  PRIOR  TO 
ANY  EE  OPERATIONS. 

It  is  important  to  understand  if  there  are  any  failures  resident  in  the  EE  prior  to  operations  to  prohibit 
unsafe  use  of  the  system.  This  rule  also  implies  that  the  EE  does  not  have  to  be  checked  if  there  are  no 
EE  operations  for  the  flight. 

D .  RESERVED 

E.  THE  DIRECT  DRIVE  TEST  SHALL  BE  PERFORMED  ON  EACH  JOINT  WITH  A 
MINIMUM  CONTINUOUS  DRIVE  IN  EACH  DIRECTION  FOR  12  SECONDS. 

RMS  checkout  operations  on  orbit  are  the  only  tests  of  the  RMS  in  which  the  results  are  not  affected  by 
gravity  and  the  inadequacies  of  the  test  equipmen  t.  Parametric  studies  by  SPAR  Aerospace  Limited  have 
concluded  that  the  direct  drive  mode  tests,  if  properly  run,  will  supply  the  necessary  data  for  trend 
analysis  of  the  individual  RMS  joints.  To  make  this  data  meaningful,  each  joint  must  be  driven 
con  tin  ually  in  each  direction  for  12  seconds  to  guarantee  that  the  motor  has  stabilized  at  the  maximum 
rate. 
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RMS  DRIVE  SYSTEM  MANAGEMENT 


A12-111  MODE  AVAILABILITY  DRIVE  CONSTRAINT 

A.  RMS  OPERATIONS  SHALL  CEASE  AND  THE  RMS  SHALL  BE  CRADLED  AND 
LATCHED  IF  BACKUP  PLUS  ONE  OTHER  PRIMARY  SINGLE  JOINT  MODE  IS 
NOT  AVAILABLE  TO  DRIVE  EACH  JOINT.  @[110900-7257] 

Backup  mode  is  electrically  independent  from  all  other  modes;  therefore,  requiring  this  mode  in  addition 
to  one  other  single  join  t  mode  to  begin  or  con  tinue  normal  RMS  operations  ensures  that,  after  a  single 
point  failure,  the  arm  can  still  be  cradled.  It  has  not  been  demonstrated  that  the  arm  can  be  cradled  in 
any  mode  other  than  one  utilizing  a  single  joint  drive  method.  In  addition,  the  only  way  that  loss  of 
backup  can  be  determined  is  during  the  RMS  checkout  or  by  the  loss  of  main  bus  B. 

Rule  { A12-1001 j,  RMS  GO/NO-GO  CRITERIA,  references  this  rule. 

B.  RMS  OPERATIONS  IN  SUPPORT  OF  HIGH  PRIORITY  TASKS  CAN  BE 
PERFORMED  WITH  ONLY  ONE  MODE  OF  OPERATING  THE  RMS  AVAILABLE. 

The  RMS  utilizes  two  power  sources,  primary  and  backup,  and  has  multiple  modes  for  driving  the  arm  on 
primary  power.  The  priority  of  operations  is  such  that  operations  will  continue  with  only  one  mode 
available  to  drive  the  RMS.  EVA  and  jettison  can  be  considered  as  redundancy  for  cradling  the  RMS  or 
safing  the  payload  bay. 

Rule  {A12-1001},  RMS  GO/NO-GO  CRITERIA,  references  this  rule.  ®[i  10900-7257] 

A12-112  FIELD  OF  VIEW  CONSTRAINT  [CIL] 

THE  RMS  SHALL  NOT  BE  DRIVEN  UNLESS  THE  CREW  IS  OBSERVING  THE 
EXPECTED  MOTION  OF  THE  RMS /PAYLOAD  STRUCTURE  VIA  WINDOW  AND/OR 
CCTV  VIEWS . 

There  are  a  considerable  number  of  failure  modes  identified  in  the  FMEA  which  can  result  in 
unannunciated,  uncommanded  motion  (e.g.,  two  joints  drive,  wrong  joint  drives,  hand  controller  fails 
at  56  percent  of  max  command,  etc.).  If  the  operator  is  driving  the  arm  in  a  configuration  where  the 
occurrence  of  one  of  these  failure  modes  could  not  be  observed,  then  the  operator  may  not  react  to  the 
failure  by  stopping  the  arm  with  the  brakes  (or  whatever  means  are  available)  to  avoid  a  collision  with 
the  orbiter/payload/EVA  crewmember. 


VOLUME  A  06/20/02  FINAL  ROBOTICS  12-28 

Verify  that  this  is  the  correct  version  before  use. 


NASA  -  JOHNSON  SPACE  CENTER 


FLIGHT  RULES 


A12-113  AUTO  MODE  ENTRY  CONSTRAINT  [CIL] 

AUTO  MODES  SHALL  NOT  BE  ENTERED  UNLESS  THE  PAYLOAD  BAY  AND 
PAYLOAD  STRUCTURES  ARE  IN  A  CONFIGURATION  FOR  WHICH  THE  SEQUENCES 
HAVE  BEEN  VERIFIED.  THE  OPERATOR  SHALL  ONLY  ENTER  AN  AUTO  MODE 
IMMEDIATELY  PRIOR  TO  SELECTION  OF  "PROCEED" . 

The  first  part  of  the  rule  requires  that  the  payload  bay  be  configured  the  way  it  was  when  the  sequence 
was  validated.  This  is  simply  to  ensure  that  no  appendages  or  other  objects  have  been  placed  in  the  path 
of  the  sequence.  Validation  of  the  preflight  designed  auto  sequences  is  accomplished  by  performing  them 
on  several  of  the  available  simulators  and  during  crew  training.  Most  of  the  operator-commanded  auto 
sequences  (OCAS)  are  also  verified  preflight  in  this  way.  However ,  in  some  cases,  the  crew  may  opt  to 
develop  a  new  OCAS  real  time.  This  OCAS  can  be  verified  by  the  ground  flight  controllers  on  their 
simulator  or  by  the  crew  if  the  geometry  is  simple  enough  that  they  are  confiden  t  that  the  procedure  will 
run  safely. 

There  are  failure  modes  which  can  cause  an  auto  sequence  to  begin  prematurely  (once  the  mode  is 
entered),  not  stop  at  pause  points,  or  not  stop  when  “stop”  is  selected.  By  following  this  procedural 
rule,  these  failures  will  not  place  the  crew  in  a  hazardous  condition.  For  operator-commanded  auto 
sequences,  care  should  be  exercised  in  entering  the  desired  position  and  attitude  parameters  because  the 
sequence  could  begin  with  no  operator  command. 

Rule  { A12-114 j,  ORBITER  PROXIMITY  CONSTRAINTS  [CIL],  references  this  rule. 
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A12-114  ORBITER  PROXIMITY  CONSTRAINTS  [CIL] 

A.  IF  THE  MANIPULATOR  CONTROLLER  INTERFACE  UNIT  (MCIU)  SAFING 
FUNCTION  IS  LOST,  COMPUTER-SUPPORTED  MODES  SHALL  NOT  BE  USED 
CLOSE  TO  (WITHIN  APPROXIMATELY  5  FEET)  STRUCTURE/PAYLOAD/EVA 
CREWMEMBER.  WHILE  BERTHING  A  PAYLOAD,  ALL  MODES  CAN  BE  USED 
ONCE  THE  TRUNNIONS  HAVE  ENTERED  THE  V-GUIDES. 

With  this  class  of  failure  mode,  MCIU  safing  will  not  automatically  stop  the  arm  if  I/O  with  the  GPC  is 
erratic  or  interrupted  while  the  arm  is  operating  in  a  computer-supported  mode.  It  is  prudent  to  use  only 
direct  when  close  to  any  obstacles  when  MCIU  safing  is  lost  since  direct  is  unaffected  by  these  failure 
modes.  Approximately  5  feet  is  considered  sufficient  since  the  runaway  will  be  at  the  last  commanded 
rate  unlike  other  runaways  which  can  result  in  maximum  torque  and  joint  rates.  Once  within  the  V- 
guides,  any  uncommanded  motion  is  constrained  by  the  physical  guide.  When  the  arm  is  not  close  to 
obstacles,  all  modes  can  be  used  since  there  is  sufficient  time  for  the  operator  to  detect  any 
uncommanded  motion  and  apply  the  brakes. 

B.  OPERATE  AT/OR  LESS  THAN  VERNIER  RATES  WHEN  THE  ARM/PAYLOAD  IS 
CLOSE  TO  (WITHIN  APPROXIMATELY  10  FEET)  STRUCTURE/PAYLOAD/EVA 
CREWMEMBER.  THE  OPERATOR  MUST  CYCLE  THE  APPROPRIATE  PANEL 
SWITCH  WHEN  DRIVING  IN  DIRECT  OR  BACKUP  TO  APPROXIMATELY 
MAINTAIN  RATES  AT  OR  LESS  THAN  VERNIER  RATES. 

There  are  many  failure  modes  which  result  in  uncommanded,  unannunciated  motion  (e.g.,  hand 
controller  fails,  wrong  joint  drives,  wrong  joint  direction,  two  joints  drive,  sluggish,  or  stalled  joint,  etc.) 
which  the  operator  must  detect  and  stop  by  applying  the  brakes.  Many  of  these  failure  modes  will  run 
away  at  the  last  commanded  rate  or  are  joint  rate  limited  so  operating  in  vernier  will  limit  the  ultimate 
rates  the  failure  can  produce.  The  rest  of  the  failure  modes  result  in  unexpected  motion,  uncommanded 
release,  or  derigidize.  The  detection  and  arresting  of  this  motion  or  maneuvering  the  orbiter  clear  of  a 
released  payload  will  be  less  hazardous  (i.e.,  give  the  crew  more  time  to  react )  if  the  arm  is  operating  at 
a  slow  rate. 

C.  RATE  HOLD  SHALL  NOT  BE  USED  WHEN  THE  RMS /PAYLOAD  IS  CLOSE  TO 
(WITHIN  APPROXIMATELY  10  FEET)  AND  IS  MOVING  TOWARDS 
STRUCTURE/PAYLOAD/EVA  CREWMEMBER  EXCEPT  WHEN  CAPTURING  A  FREE 
FLYING  PAYLOAD. 

There  are  failure  modes  which  result  in  the  inability  to  cancel  rate  hold.  If  this  occurs  close  to  an 
obstacle,  a  collision  could  occur  before  the  operator  has  enough  time  to  detect  and  apply  the  brakes. 
Therefore,  it  is  prudent  not  to  use  rate  hold  close  to  any  obstacles.  Rate  hold  may  be  used  when 
capturing  a  free-flying  payload  since  the  payload/arm  combination  will  be  far  from  the  orbiter. 

THIS  RULE  CONTINUED  ON  NEXT  PAGE 
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A12-114  ORBITER  PROXIMITY  CONSTRAINTS  [CIL]  (CONTINUED) 

D.  AUTO  TRAJECTORIES  SHALL  BE  DESIGNED  SUCH  THAT  THE  ARM/PAYLOAD 
DOES  NOT  PASS  CLOSE  TO  (WITHIN  APPROXIMATELY  5  FEET) 
STRUCTURE/PAYLOAD/EVA  CREWMEMBER.  @[111298-6744] 

There  are  failure  modes  (e.g.,  sluggish  and  stalled  joints)  which  result  in  undetected  deviations  from  the 
in  tended  auto  trajectory.  This  requiremen  t  will  allow  the  operator  time  to  detect  the  failure  and  apply 
brakes.  There  is  another  rule  (Rule  {A12-113J,  AUTO  MODE  ENTRY  CONSTRAINT  [ CIL])  which 
governs  use  of  auto  mode  (vice  design).  That  rule  prohibits  using  auto  for  un  verified  trajectories. 

E.  THE  RMS/PAYLOAD  SHALL  NOT  BE  MANEUVERED  OR  PARKED  IN  REGIONS 
WHERE  IT  CANNOT  BE  MANEUVERED  TO  A  SAFE  JETTISON  POSITION 
WITH  THE  LOSS  OF  ANY  SINGLE  JOINT.  @[111298-6744] 

There  are  single  point  failure  modes  which  result  in  the  inability  to  drive  an  arm  joint  in  either  primary 
or  backup  modes.  If  any  of  these  failures  occurs  and  an  EVA  cannot  be  performed,  the  arm  must  be 
jettisoned  prior  to  closing  the  PLED.  Therefore,  since  a  joint  failure  may  restrict  arm  mobility,  the  arm 
shall  never  be  in  a  position  where  it  cann  ot  be  maneuvered  to  a  safe  jettison  position  using  only  five  of 
six  joints. 

The  only  single  point  failure  modes  which  can  result  in  the  inability  to  drive  all  joints  are  in  the  power 
and  arm  select  switches.  These  failu  re  modes  can  be  worked  around  by  using  an  IFM  pin  kit.  Final 
approval  requires  CIL  change. 

G.  EXCEPT  FOR  TRANSITORY  MOTION  (I.E.,  BERTHING/UNBERTHING, 

CRADLING/UNCRADLING,  PAYLOAD  DOCKING/UNDOCKING,  OR  PAYLOAD 
CAPTURE/RELEASE),  THE  RMS/PAYLOAD  SHALL  NOT  BE  MANEUVERED  OR 
PARKED  (CREW  AWAKE)  CLOSER  THAN  60  CM  (2  FT)  FROM  ORBITER 
STRUCTURE  OR  OTHER  PAYLOADS.  FOR  APPLICATION  OF  THIS  RULE, 
EVA  CREWMAN  IS  NOT  CONSIDERED  ORBITER  STRUCTURE  OR  PAYLOAD. 

FLIGHT  SPECIFIC  EXCEPTIONS  FOR  HIGH  PRIORITY  OPERATIONS  WILL 
BE  IDENTIFIED  IN  THE  FLIGHT  SPECIFIC  ANNEX. 

Crew  comfort,  RMS  and  payload  visibility,  VRCS  and  ALT  mode  induced  motion.  RMS  failures,  and  lack 
of  task  specific  crew  training  become  overriding  concerns  when  maneuvering  payloads  in  close  proximity 
to  orbiter  structure.  In  cases  where  missions  cannot  be  completed  without  violating  this  rule,  the 
program  incurs  greater  risk.  Av  such,  task  specific  assessment  is  required  to  document  the  risk  and 
proposed  methods,  if  any,  to  con  trol  it. 
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A12-115  INOPERATIVE  BRAKE  CONSTRAINT  [CIL] 

IF  A  BRAKE  IS  INOPERATIVE  DUE  TO  A  MECHANICAL  FAILURE,  THE  RMS 
SHALL  BE  CRADLED  IN  SINGLE  MODE  AND  LATCHED  AS  SOON  AS  POSSIBLE. 
IF  THE  WRIST  ROLL  BRAKE  IS  INOPERATIVE,  UNLOADED  RMS  OPERATIONS 
MAY  CONTINUE.  PAYLOAD  OPERATIONS  WILL  NOT  CONTINUE  WITH  THE 
EXCEPTION  OF  COMPLETION  OF  BERTHING  OPERATIONS  IF  THE  PAYLOAD  IS 
ALREADY  WITHIN  THE  BERTHING  GUIDES. 

A  failure  mode  exists  which  results  in  a  brake  pad  mechanically  not  engaging.  The  motor  drive  amplifier 
(MDA)  will  still  be  inhibited  when  the  brakes  are  electrically  commanded  on,  so  the  failed  joint  will  be 
free  in  both  primary  and  backup  modes.  Single  mode  must  be  used  to  cradle  the  arm  since  it  is  the  only 
remaining  single  join  t  mode  that  is  still  operative  ( uses  position  hold  instead  of  brakes  to  maintain  arm 
position).  During  unloaded  operations,  operations  may  continue  with  a  known  wrist  roll  brake  problem 
since  runaways  on  the  wrist  roll  cannot  result  in  any  uncommanded  translations  of  the  arm. 

Rule  {A12-1001OJ  and  P,  RMS  GO/NO-GO  CRITERIA,  reference  this  rule. 

A12-116  AUTO  BRAKES  CONSTRAINT  [CIL] 

COMPUTER-SUPPORTED  MODES  SHALL  NOT  BE  USED  IF  THE  AUTO  BRAKES 
FUNCTION  HAS  FAILED. 

There  are  many  failure  modes  which  result  in  runaways  (six  or  single  joint)  which  are  detected  and 
automatically  stopped  by  the  auto  brakes  function.  SPAR  SIMFAC  simulations  have  demonstrated  that 
without  these  automatic  checks  a  runaway  in  a  computer-supported  mode  could  travel  as  far  as  18  feet 
before  a  crewmember  could  stop  it  by  applying  the  brakes.  Therefore,  computer-supported  modes  should 
not  be  used  after  loss  of  this  function. 

Rule  { A12-1001QJ ,  RMS  GO/NO-GO  CRITERIA,  references  this  rule. 
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A12-117  CONTINGENCY  STOP  [CIL] 

THE  BRAKES  SHALL  ALWAYS  BE  THE  METHOD  USED  TO  STOP  THE  RMS  IF 
UNCOMMANDED  MOTION  OR  UNUSUAL  RMS  BEHAVIOR  OCCURS  (INSTEAD  OF 
SAFING,  AUTO  STOP  SWITCH,  OR  RELEASING  THE  COMMAND) .  IF  THE 
BRAKES  ARE  INOPERATIVE  VIA  THE  PANEL  SWITCH,  THEY  SHALL  BE 
APPLIED  BY  TERMINATING  PRIMARY  POWER. 


Use  of  the  brakes  is  the  most  positive  method  of  stopping  the  arm  in  emergency  situations.  It  is  preferred 
over  safmg  since  it  inhibits  the  MDA  at  the  joints  which  will  stop  a  runaway  joint  caused  by  the  sen’o  or 
MDA  (safing  would  not  in  many  cases).  It  is  also  preferred  over  the  stop  switch  during  auto  sequences 
since  there  are  D&C  failures  which  could  prohibit  the  stop  switch  from  operating. 


A12-118  POHS  AND  LEFT-HANDED  COORDINATE  SYSTEMS 

RMS  POSITION  AND  ORIENTATION  HOLD  SELECT  (POHS)  MUST  BE  DISABLED 
FOR  USE  OF  RMS  PAYLOAD  ID'S  THAT  ARE  DEFINED  USING  A  LEFT-HANDED 
PAYLOAD  OPERATING  COORDINATE  FRAME.  @[071494-1644] 


POHS  is  a  right-handed  algorithm.  It  generates  arm  drive  commands  that  are  normal  to  the  desired 
path  which  attempt  to  reduce  off-axis  deviations.  Attempts  to  use  it  with  left-handed  defined  payload 
operating  systems  results  in  unexpected  motion  by  generating  commands  which  are  in  a  direction  away 
from  the  desired  trajectory .  @[071494-1644] 
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END  EFFECTOR  (EE)  LOSS/FAILURE  DEFINITIONS 


A12-141  EE  BACKUP  RELEASE 

EE  BACKUP  RELEASE  IS  CONSIDERED  LOST  IF  SNARES  DO  NOT  OPERATE 
SMOOTHLY  TO  THE  FULLY  OPEN  POSITION. 

Data  from  SPAR  indicates  that  temperature  has  a  significant  effect  on  the  time  for  the  snares  to  open 
during  the  backup  release  check.  Times  on  the  order  of  minutes  were  seen  at  the  lowest  qualification  test 
temperatures.  With  no  grapple  pin  in  the  EE,  the  snares  open  quickly  for  the  first  70-80  percent  of  travel 
then  slow  down  at  the  end  of  travel.  At  the  coldest  flight  conditions,  during  the  on-orbit  backup  release 
check,  the  snares  should  fully  open  within  2  minutes,  although  20-25  seconds  has  been  typical.  If  the 
snares  do  not  open  smoothly  and  completely,  there  is  a  mechanical  problem  and  backup  release  would  be 
considered  lost. 


A12-142  EE  CAPTURE/RIGIDIZE 

EE  CAPTURE  OR  RIGIDIZE  FUNCTIONS  ARE  CONSIDERED  LOST  FOR  AUTO 
AND/OR  MANUAL  IF  THE  CAPTURE  TIME  EXCEEDS  3  SECONDS  OR  THE 
RIGIDIZE  TIME  EXCEEDS  25  SECONDS. 


The  maximum  capture  specification  time  is  3  seconds  and  the  maximum  rigidize  specification  time  is 
25  seconds.  Failure  to  meet  these  time  constraints  is  indicative  of  binding  in  the  drive  mechanism  or 
loss  of  one  mode  due  to  an  electrical  failure. 

Rule  {A2-112J,  PDRS,  references  this  rule. 

A12-143  EE  RELEASE/DERIGIDIZE 

EE  RELEASE  OR  DERIGIDIZE  FUNCTIONS  ARE  CONSIDERED  LOST  FOR  AUTO 
AND/OR  MANUAL  IF  THE  RELEASE  TIME  EXCEEDS  3  SECONDS  OR  THE 
DERIGIDIZE  TIME  EXCEEDS  25  SECONDS. 


The  maximum  release  specification  is  3  seconds  and  the  maximum  derigidize  specification  time  is 
25  seconds.  Failure  to  meet  these  constraints  is  indicative  of  binding  in  the  drive  mechanism  or 
loss  of  one  mode  due  to  an  electrical  failure. 
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END  EFFECTOR  SYSTEM  MANAGEMENT 


A12-161  PAYLOAD  GRAPPLE  CONSTRAINTS 

A.  PAYLOADS  SHALL  NOT  BE  GRAPPLED  AND  UNBERTHED  UNLESS  BACKUP 
RELEASE  AND  ONE  OF  TWO  METHODS  TO  CAPTURE  AND  RIGIDIZE  (AUTO 
OR  MANUAL)  AND  ONE  OF  TWO  METHODS  TO  DERIGIDIZE  AND  RELEASE 
(AUTO  OR  MANUAL)  ARE  AVAILABLE. 

The  EE  system  is  designed  such  that  a  single  failure  can  result  in  the  loss  of  both  the  auto  and  manual 
release  capability.  The  backup  release  capability  can  also  be  lost  with  a  single  failure,  but  it  is 
electrically  isolated  from  auto  and  manual.  As  a  rule,  backup  as  well  as  one  other  release  mode  is 
required  so  that  more  than  one  failure  has  to  occur  before  the  arm  must  be  jettisoned  or  the  payload 
released  via  EVA.  ®[1 1 0900-7257  ] 

B.  LOADED  OPERATIONS  WILL  CEASE  AS  SOON  AS  PRACTICAL  IF  BACKUP 
AND  ONE  OF  TWO  METHODS  TO  RELEASE  (AUTO  OR  MANUAL)  ARE  NOT 
AVAILABLE . 

If  backup  or  both  primary  methods  of  releasing  a  payload  are  lost,  then  the  RMS  is  one  failure  from 
being  unable  to  release  the  payload.  In  a  worst  case  situation  this  would  lead  to  ann/payload  jettison. 

It  is  unacceptable  to  continue  operations  when  the  system  is  one  failure  away  from  jettison. 

Mission  activities  such  as  final  release  or  berth  may  be  completed  under  certain  conditions  with  this 
failure. 

C.  RMS  OPERATIONS  IN  SUPPORT  OF  HIGH  PRIORITY  ACTIVITIES  CAN  BE 
PERFORMED  WITH  A  SUSPECTED  LOSS  OF  BACKUP  RELEASE  CAPABILITY. 

There  are  three  methods  for  opening  the  EE  to  release  a  payload  (auto,  manual,  and  backup).  Without 
backup  release  capability,  the  EE  is  one  failure  away  from  the  inability  to  release  the  payload.  The 
priority  of  this  mission  is  such  that  operations  are  allowed  to  continue  with  loss  of  two  of  the  methods. 
@[110900-7257] 
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A12-161  PAYLOAD  GRAPPLE  CONSTRAINTS  (CONTINUED) 

D.  RMS  OPERATIONS  IN  SUPPORT  OF  HIGH  PRIORITY  ACTIVITIES  CAN  BE 
COMPLETED  WITH  A  SUSPECTED  LOSS  OF  END  EFFECTOR  (EE) 
DERIGIDIZE  CAPABILITY.  @[110900-7257] 

Loss  of  derigidize  capability  does  not  preclude  releasing  of  the  grapple  fixture;  however,  if  the  snares 
are  opened  without  derigidizing,  potential  exists  that  tip-off  rates  may  be  induced.  Additionally,  without 
the  capability  to  derigidize/extend  the  snare  carriage,  future  capture  capability  is  lost. 

One  alternative  which  may  or  may  not  be  available  is  to  install  the  RMS  IFM  Display  and  Control 
(D&C)  kit  to  work  around  a  D&C  panel  failure. 

E.  A  CAPTURE  SHALL  NOT  BE  ATTEMPTED  WHILE  IN  A  REACH  LIMIT  OR 
SINGULARITY.  @[110900-7257] 

The  RMS  does  not  respond  normally  to  commands  while  in  a  reach  limit  or  singularity.  Also,  excessive 
arm  loads  may  result  when  a  capture  is  attempted  in  a  reach  limit  or  singularity  since  one  or  more 
degrees  of  freedom  are  lost.  With  this  loss  the  arm  may  not  be  able  to  conform  to  the  payload  if  there 
are  any  EE/payload  grapple  fixture  misalignments.  If  the  arm  cannot  conform,  significant  forces  may  be 
applied  to  the  EE/RMS  structure. 

Rules  { A12-1001S j,  T  and  U,  RMS  GO/NO-GO  CRITERIA,  reference  this  rule. 
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A12-162  EE  MODE  SWITCH  CONSTRAINTS  [CIL] 

A.  THE  EE  MODE  SWITCH  SHALL  ONLY  BE  TAKEN  OUT  OF  THE  "OFF" 
POSITION: 


1.  FOR  FREE-FLYING  PAYLOADS  (I.E.,  PAYLOADS  NOT  ATTACHED  TO 
THE  RMS  OR  ANY  ORBITER  STRUCTURE)  WHEN  THE  EE  IS  IN  THE: 

a.  PRECAPTURE  POSITION  (I.E.,  THE  POSITION  THE  RMS 
MAINTAINS  ABOVE  THE  PLB  DURING  THE  RENDEZVOUS 
PROCESS)  JUST  PRIOR  TO  CAPTURE, 

OR 


2  . 


b . 

RELEASE 

POSITION. 

FOR 

BERTHED 

PAYLOADS  WHEN 

a . 

CAPTURE 

ENVELOPE, 

OR 

b . 

RELEASE 

POSITION. 

EE  IS  IN  THE: 


3.  DURING  RMS  CHECKOUT. 


There  are  many  failure  modes  that  can  cause  the  arm  to  limp  unexpectedly  or  produce  an  uncommanded 
release  or  derigidize  when  the  EE  mode  switch  is  in  the  manual  or  auto  position.  Therefore,  the  EE 
mode  switch  should  only  be  taken  out  of  the  OFF  position  when  it  is  safe  to  do  so  ( i.  e. ,  when  the  arm  is 
not  moving  and  is  far  from  obstacles  or  is  in  the  process  of  moving  the  last  few  feet  during  the  capture 
process  of  a  free-flying  payload). 

B.  THE  EE  MODE  SWITCH  SHALL  ALWAYS  BE  PLACED  BACK  IN  THE  "OFF" 
POSITION  IMMEDIATELY  AFTER  THE  NOMINAL  CAPTURE /RIGID I ZE  AND 
RELEASE/DERIGIDIZE  TIMES  HAVE  ELAPSED. 


There  are  many  failure  modes  which  can  result  in  a  continuously  limped  arm  ( e.  g. ,  incomplete  rigidize 
sequence )  or  stalled  EE  drive  motor  ( e.  g. ,  motor  reversals,  rigid  microswitch  fails  low,  etc.,  which  lead 
to  motor  burnout  in  approximately  2  minutes)  so  that  the  microswitches  never  attain  the  proper  state  to 
complete  an  automatic  EE  captu  re  or  release.  The  effect  of  these  failure  modes  can  be  n  ullified  simply 
by  turning  the  EE  mode  switch  to  off. 


VOLUME  A  06/20/02  FINAL  ROBOTICS  12-37 

Verify  that  this  is  the  correct  version  before  use. 


NASA  -  JOHNSON  SPACE  CENTER 


FLIGHT  RULES 


A12-163  CAPTURE  AND  RELEASE  PROXIMITY  CONSTRAINT  [CIL] 

DURING  A  CAPTURE  OR  RELEASE  OF  A  FREE-FLYING  PAYLOAD,  THE  EE 
SHALL  BE  FAR  ENOUGH  AWAY  FROM  ORBITER  STRUCTURE/OTHER 
PAYLOADS /EVA  CREWMEMBER  THAT  NO  CONTACT  COULD  OCCUR  REGARDLESS  OF 
PAYLOAD  ROTATIONS. 

FLIGHT-SPECIFIC  EXCEPTIONS  FOR  LARGE  PAYLOADS  OR  TO  MEET  DAP 
STABILITY  CONSTRAINTS  WILL  BE  IDENTIFIED  IN  THE  FLIGHT-SPECIFIC 
ANNEX . 


There  are  many  failure  modes  which  result  in  a  payload  being  snared  but  only  partially  rigidized.  When 
capturing  a  rotating  payload,  the  payload  could  continue  to  rotate  around  the  EE.  If  this  occurs  during 
release,  gravity  gradient  and  LVLH  effects  could  result  in  payload  rotation.  This  rule  would 
procedurally  prohibit  any  con  tact  ( other  than  the  arm)  for  these  failure  scenarios.  For  payloads  that 
cannot  be  positioned  far  enough  from  orbiter  structure  due  to  size  or  DAP  constraints,  an  exception  shall 
be  identified  in  the  flight-specific  annex. 


A12-164  PAYLOAD  RELEASE  DURING  BERTHING 

DURING  BERTHING,  A  NOMINAL  RELEASE  OF  A  PAYLOAD  WILL  NOT  BE 
PERFORMED  UNTIL  THE  PAYLOAD  IS  VERIFIED  BERTHED  AND  LATCHED. 

If  the  payload  was  released  without  being  latched,  orbiter  recontact  could  occur.  The  payload  would 
have  to  be  jettisoned  per  procedure  unless  EVA  straps  are  available  to  strap  a  payload  down  for  entry. 
Minimum  payload  latch  configuration  must  be  examined  from  a  structural  standpoint  and  may  be 
different  for  on-orbit  and  entry/landing  requirements.  Reference  flight-specific  annex  rules  for  the 
definition  of  the  minimum  payload  latch  configuration. 

A12-165  THROUGH  A12-180  RULES  ARE  RESERVED 
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RMS  JETTISON  SYSTEM  MANAGEMENT 


A12-181  JETTISON  SYSTEM  CONSTRAINT 

A.  RMS  OPERATIONS  SHALL  BE  ALLOWED  TO  CONTINUE  IF  EITHER  OF  THE 
JETTISON  SYSTEM  BUSES  MNB  ML 8  6B  OR  MNC  ML8  6B  IS  LOST  PROVIDED 
RMS  DRIVE  MODE  REDUNDANCY,  END  EFFECTOR  RELEASE  MODE 
REDUNDANCY,  AND  MPM  AND  MRL  STOW  AND  LATCH  REDUNDANCY  EXISTS. 
®[11 3095-1 809A] 

B.  IF  FLIGHT  SPECIFIC  ANNEX  RULES  ALLOW  OPERATIONS  TO  CONTINUE 
FOR  RMS  SYSTEMS  REDUNDANCY  FAILURES,  AN  IFM  WILL  BE  PERFORMED 
TO  REGAIN  A  LOST  JETTISON  SYSTEM  BUS  WHEN  CONVENIENT.  THE 
IFM  ONLY  NEEDS  TO  BE  PERFORMED  UP  TO  THE  POINT  OF  BEING 
INVASIVE  TO  THE  ORBITER  PANELS  AND  OTHER  ORBITER  SYSTEMS 
(I.E. ,  RCS  HEATERS) . 


With  an  RMS  system  redundancy  failure  and  loss  of  a  jettison  system,  the  system  is  two  failures  away 
from  a  catastrophic  situation  in  the  event  of  an  emergency  deorbit.  However,  there  is  no  means  of 
verifying  the  current  health  of  the  alternate  pyro  system  even  though  load  and  resistance  tests  were 
performed  on  turnaround.  Therefore,  if  the  Flight  Specific  Annex  allows  operations  to  con  tinue  in  this 
posture,  as  much  of  the  IFM  should  be  performed  as  possible  without  impacting  RCS  heaters  and  by 
removing  all  but  two  of  the  panel  A14  fasteners.  With  loss  of  RCS  heaters,  hotfiring  of  the  affected  RCS 
jets  is  the  primary  method  to  maintain  thermal  conditioning.  A  PRCS  hotfire,  if  required,  would  be  at 
odds  with  RMS  operations.  An  additional  5  minu  tes  will  be  required  to  complete  the  IFM  should  jettison 
subsequently  be  required.  ®[1 1 3095-1 809A]  ®[1 1 0900-7257  ] 

Rule  { A12-1001 j,  RMS  GO/NO-GO  CRITERIA,  references  this  rule. 

C.  IF  AN  RMS  JETTISON  SYSTEM  BUS  IS  LOST  PRIOR  TO  COMPLETION  OF 
HIGH  PRIORITY  MISSION  OBJECTIVES,  OPERATIONS  WILL  CONTINUE 
WITHOUT  JETTISON  SYSTEM  REDUNDANCY. 


Operations  may  contin  ue  with  the  loss  of  a  jettison  system  due  to  mission  objective  priorities.  An  IFM  is 
available  to  restore  a  failed  (short  or  open)  jettison  bus.  This  IFM  will  restore  the  jettison  capability  for 
any  detected  loss,  but  will  impact  other  orbiter  systems. 

Rule  {A12-1001},  RMS  GO/NO-GO  CRITERIA,  references  this  rule.  ®[i  10900-7257] 
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A12-182  RMS /PAYLOAD  JETTISON 

IF  AN  RMS /PAYLOAD  COMBINATION  MUST  BE  JETTISONED,  THE  RMS  AND 
PAYLOAD  SHALL  BE  JETTISONED  AS  A  SINGLE  UNIT,  IF  AT  ALL  POSSIBLE. 


It  is  desirable  to  limit  the  number  of  free  objects  in  space  to  avoid  recontact  problems  by  jettisoning  the 
arm  and  payload  as  one  unit. 


A12-183  THROUGH  A12-200  RULES  ARE  RESERVED 
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GO/NO-GO  CRITERIA 


A12-1001  RMS  GO/NO-GO  CRITERIA 


CONTINUE  OPERATIONS  IF: 


RMS 

UNCRADLE 

CONTINUE 

UNLOADED 

GRAPPLE 

UNBERTH 

CONTINUE 

LOADED 

HIGH 

PRIORITY 

ENTRY 

FLIGHT 

RULES 

REF. 

A. 

SHOULDER  BRACE  REL  (1) 

0?  [6] 

{A12-91} 

B. 

JETTISON  SYSTEM  (2) 

1  ?  [4] 

1  ?  [4] 

1  ?  [4] 

1?  [4] 

1  ? 

{A1 2-181} 

C. 

MPM  STOW  MOTORS  (2) 

0?  [6] 

0?  [6] 

0?  [6] 

0?  [6] 

2?  [6] 

{A12-72} 

D. 

MRL  LAT  CAP  (3) 

[1] 

[1] 

[1] 

[1] 

[5] 

{A12-73} 

E. 

MPM  (4)  STOWED 
INDICATIONS  (8) 

[2] 

{A12-72} 

F. 

MPM  (4)  DEP 

INDICATIONS  (8) 

SHOULDER 

1  ? 

SHOULDER 

1  ? 

SHOULDER 

1  ? 

SHOULDER 

1  ? 

SHOULDER 

1  ? 

{A12-72} 

G. 

MRL'S  LATCHED  (3) 

1  ? 

{A12-73} 

H. 

MANUAL  AUG  MODE  (1) 

3?  [7] 

{A12-1 11} 

1. 

DIRECT  MODE  (1) 

1  ? 

1  ? 

1  ? 

1  ? 

{A12-1 11} 

J. 

SINGLE  MODE  (1) 

K. 

BACKUP  MODE  (1) 

0? 

0? 

0? 

0? 

{A12-1 11} 

L. 

BRAKES  (6) 

WRIST 

ROLL? 

WRIST 

ROLL? 

0? 

0? 

0? 

{A12-1 15} 

M. 

AUTO  BRAKES  (1) 

0?  [3] 

0?  [3] 

0?  [3] 

0?  [3] 

0?  [3] 

{A12-1 16} 

N. 

CAPTURE  &  RIGIDIZE  (2) 

1  ? 

1  ? 

{A1 2-161} 

O. 

DERIGIDIZE  (2) 

1  ? 

1  ? 

2  ? 

{A1 2-161} 

P. 

RELEASE  (2) 

1  ?  [6] 

1  ?  [6] 

2?  [6] 

{A1 2-161} 

Q. 

BACKUP,  RELEASE  (1) 

0?  [6] 

0?  [6] 

{A1 2-161} 

R. 

THERMAL  (DEG  F)-20(0), 
176(172),  LED 

REQUIRED 

REQUIRED 

REQUIRED 

REQUIRED 

REQUIRED 

{A1 2-3} 

-20(0),  147(144),  ABE(EE) 

-20(0),  110(106)  ABE(SPA) 

®[1 1 3095-1 809A]  ®[1 1 1 298-6744  ]  ®[1 1 0900-7257  ] 
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A12-1001  RMS  GO/NO-GO  CRITERIA 

NOTES: 

[1]  CONTINUE  OPERATIONS  IF  ONE  FAILURE  WILL  NOT  RESULT  IN  THE  INABILITY  TO  LATCH  AT  LEAST  TWO  MRL’S. 

[2]  ONE  AT  THE  SHOULDER  AND  ONE  AT  EITHER  THE  MID  OR  AFT  PEDESTAL  IS  REQUIRED. 

[3]  OPERATIONS  IN  DIRECT  AND  BACKUP  CAN  CONTINUE  WITH  THE  LOSS  OF  AUTOBRAKES. 

[4]  RMS  SYSTEM  REDUNDANCY  OR  JETT  REDUNDANCY  IFM  REQUIRED.  ®[1 13095-1 809A] 

[5]  CONTINUE  OPERATIONS  EVEN  IF  ONE  FAILURE  WILL  RESULT  IN  THE  INABILITY  TO  LATCH  AT  LEAST  TWO  MRL’S 
(ASSUMES  CURRENTLY  HAVE  TWO-LATCH  CAPABILITY).  EVA  CAPABILITY  REQUIRED.  @[110900-7257  ] 

[6]  EVA  CAPABILITY  EXISTS  FOR  THE  FOLLOWING  CONTINGENCIES: 

?  SHOULDER  BRACE  RELEASE 

?  MPM  DEPLOY/STOW 
?  RMS  STRAPDOWN 
?  GRAPPLE  FIXTURE  (GF)  RELEASE 

[7]  ONE  OF  SINGLE,  DIRECT,  OR  BACKUP  REQUIRED  FOR  UNCRADLING.  @[110900-7257  ] 
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ASCENT 


A13-1  ASCENT  ABORT 

THERE  ARE  NO  MEDICAL  REASONS  FOR  ABORTING  DURING  THE  ASCENT 
PHASE . 

The  powered  flight  phase  is  too  short  to  allow  an  adequate  evaluation  of  any  medical  problem  that  may 
develop  and  to  call  an  abort  would  impose  unacceptable  risks  on  the  remainder  of  the  crew. 


A13-2  SPACEHAB  SAFE  ATMOSPHERE  REQUIREMENTS  -  UNPOWERED 

ASCENT 

THE  ATMOSPHERE  FOR  AN  UNPOWERED  SPACEHAB  ON  ASCENT  IS  CERTIFIED 
SAFE  PREFLIGHT  AND  FOR  INITIAL  CREW  ENTRY  FOR  36  DAYS  FROM  THE 
TIME  GROUND  VENTILATION  IS  REMOVED  IN  THE  ABSENCE  OF  PAYLOADS 
WITH  HIGH  OFFGASSING  CHARACTERISTICS  (T-VALUE  >  0.2).  SPACEHAB 
PAYLOADS  WITH  HIGH  OFFGASSING  CHARACTERISTICS  SUCH  THAT  THE  SAFE 
ENTRY  TIME  IS  REDUCED  WILL  BE  LISTED  IN  THE  FLIGHT  SPECIFIC 
ANNEX.  ®[1 1 1501-4964A] 

High  offgassing  characteristics  are  defined  as  any  hardware  with  an  index  of  toxicity  (T-value)  greater 
than  0.2.  Off-gassing  analyses  by  JSC  Toxicology  have  shown  that  the  atmosphere  of  a  closed, 
unpowered  Spacehab  module  develops  unacceptably  high  levels  of  toxic  gases  after  36  days  and  may  not 
be  certified  for  crew  ingress  after  36  days.  For  missions  that  the  Spacehab  module  is  unpowered,  the 
module  is  enclosed  without  ventilation  or  circulation  from  the  time  that  ground  ventilation  is  removed 
through  launch,  allowing  a  potential  buildup  of  toxic  offgas  products.  The  level  of  these  products 
remains  below  the  maximum  allowable  for  36  days;  therefore,  there  is  no  constraint  to  accessing  the 
module  on  FD1  prior  to  crew  sleep.  There  is  no  constrain  t  for  a  powered  Spacehab  module  on  ascen  t 
because  air  circulation  remains  active. 

Reference:  Toxicology  Group  Memo  375,  Safe  Entry  Into  the  Double  arid  Single  Spacehab  Modules, 
dated  February  25,  1998  and  the  Special  Daily  PRCB  Presentation,  Item  No.  1  Spacehab  Module  Purge 
Evaluation  (STS-101),  dated  May  11,  2000.  ®[1 1 1 501 -4964A] 
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ON-ORBIT 


A13-21  EARLY  FLIGHT  TERMINATION 

ANY  FLIGHT  TERMINATION  DECISION  RELATED  TO  CREW  HEALTH  WILL  BE  A 
REAL-TIME  CALL  AND  WILL  ONLY  BE  CONSIDERED  IF  ACCEPTABLE  ON-ORBIT 
TREATMENT  IS  NOT  AVAILABLE. 


Early  flight  termination  may  be  required  for  the  onset  of  any  condition  that  adversely  affects  crew  safety 
or  health  and  performance.  Rule  {A17-1001 },  LIFE  SUPPORT  GO/NO-GO  CRITERIA ,  references  this 
rule. 


A13-22  ONBOARD  MEDICAL  KIT 

THOSE  ITEMS  IN  THE  SHUTTLE  ORBITER  MEDICAL  SYSTEM  (SOMS)  MEDICAL 
KIT  LABELED  "PHYSICIAN  APPROVAL  REQUIRED  FOR  USE"  WILL  BE  USED  BY 
NON-PHYSICIAN  CREWMEMBERS  ONLY  AS  DIRECTED  BY  THE  FCR  SURGEON  OR 
AN  ONBOARD  ASTRONAUT  PHYSICIAN.  A  COMPLETE  LISTING  OF  ALL 
ONBOARD  MEDICATIONS  AND  THEIR  SIDE  EFFECTS  CAN  BE  FOUND  IN  THE 
MEDICAL  CHECKLIST  APPENDIX.  ALL  ITEMS  USED  FROM  THE  MEDICAL  KIT 
WILL  BE  LOGGED  IN  FLIGHT  ON  INDIVIDUAL  CARDS  LOCATED  IN  THE  SOMS 
KIT  AND  REPORTED  TO  THE  SURGEON  DURING  THE  POSTFLIGHT  DEBRIEF. 


Prescription  drugs  must  be  con  trolled  by  a  physician  during  flight  in  the  same  manner  that  they  are 
controlled  on  the  ground.  Drug  control  protects  the  crew  by  preventing  inappropriate  use  of 
medications  and  unexpected  side  effects  that  could  affect  performance.  Records  of  usage  are  required 
for  reconstructing  medical  history  and  to  assist  in  the  refurbishment  of  the  SOMS  kits  for  subsequent 
flights. 
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A13-23  PRIVATE  MEDICAL  COMMUNICATION  (PMC) 

A.  A  PMC  MAY  BE  REQUESTED  AS  NEEDED  BY  THE  CREW  CDR,  FCR 
SURGEON,  OR  FLIGHT  DIRECTOR. 


This  rule  reflects  NASA  Policy  and  Privacy  Act  of  1974  considerations  regarding  the  privileged  nature  of 
doctor-patient  comm  un  i  cat  ions. 

B.  MEDICAL  TREATMENT  IN  RESPONSE  TO  CREW  REQUESTS  MAY  BE 

PRESCRIBED  DURING  NONPRIVATE  COMMUNICATION  PERIODS  AT  THE 
DISCRETION  OF  THE  CDR  AND  THE  FCR  SURGEON. 


The  crew  may  discuss  medical  concerns  and  treatmen  t  over  nonprivate  air-to-ground  loops  if  they  choose 
to  waive  the  privacy  accorded  them  by  the  Privacy  Act  of  1974. 

C.  A  PMC  WILL  BE  SCHEDULED  PRIOR  TO  ANY  EVA  OR  LANDING  EARLIER 
THAN  MET  72  HOURS  EXCEPT  WHEN  LANDING  ON  LAUNCH  DAY. 


Early  deorbit/landing  or  scheduled  and  unscheduled  EVA’s  may  be  considered  during  flight.  A  PMC  is 
necessary  to  accurately  assess  crew  health  during  the  first  72  hours  MET  when  symptoms  of  motion 
sickness  are  greatest.  ( Reference  Rule  {A13-101B}  and  C,  SCHEDULED  AND  UNSCHEDULED  EVA 
CONSTRAINTS,  and  rationale.) 

D.  A  PMC  WILL  BE  SCHEDULED  ON  ALL  FLIGHT  DAYS.  IT  WILL  USUALLY 
BE  SCHEDULED  DURING  THE  PRESLEEP  PERIOD  EXCEPT  ON  LANDING  DAY 
WHEN  IT  WILL  BE  SCHEDULED  PRIOR  TO  DEORBIT  PREP,  PREFERABLY 
IN  THE  POST  SLEEP  PERIOD. 

FOR  DUAL-SHIFT  MISSIONS,  PMC'S  WILL  BE  SCHEDULED  WHEN  BOTH 
TEAMS  ARE  AWAKE,  IF  POSSIBLE. 


This  rule  provides  the  opportunity  for  the  surgeon  to  discuss  health-related  concerns  with  the  crew  and 
assist  in  the  treatment  of  medical  problems. 
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A13-24  CPHS  PROTOCOLS 

ALL  LIFE  SCIENCES  EXPERIMENTS  USING  THE  CREW  AS  TEST  SUBJECTS 
WILL  BE  CONDUCTED  ACCORDING  TO  PROTOCOLS  APPROVED  BY  THE  JSC 
COMMITTEE  FOR  THE  PROTECTIONS  OF  HUMAN  SUBJECTS  (CPHS)  AND  OTHER 
PARTICIPATING  MEDICAL  BOARDS.  DEVIATIONS  IN  FLIGHT  TO  THESE 
PROTOCOLS  REQUIRE  THE  CONCURRENCE  OF  THE  FOR  SURGEON.  ANY  SAFETY 
RELATED  ISSUES  OR  PROCEDURES  ARE  THE  FINAL  RESPONSIBILITY  OF  FOR 
SURGEON.  @[092195-1797] 

Life  sciences  experiments  often  involve  hardware  that  requires  detailed  procedures,  safety  devices, 
and  restraints  to  minimize  the  risk  of  injury  to  the  participating  crewmember(s).  Data  collection  is 
not  allowed  until  the  JSC  CPHS  is  satisfied  that  the  experiment  has  been  designed  to  minimize  the 
risk  of  injury  or  illness  for  the  crewmember.  Therefore,  deviation  from  approved  protocols  and 
procedures  may  compromise  the  safety  of  an  experimen  t  and  expose  the  crewmember  to  an 
unacceptable  level  of  risk  for  injury.  @[092195-1797]  ®[ED  ] 

A13-25  CREW  AWAKE  TIME  CONSTRAINT 

A.  ON  ORBIT  -  THE  MAXIMUM  ON-ORBIT  CREW  AWAKE  TIME  IS  18  HOURS. 

B.  LANDING  DAY  -  THE  MAXIMUM  CREW  AWAKE  TIME  ON  LANDING  DAY  IS 
18  HOURS  FROM  CREW  WAKE-UP  ON  ORBIT  TO  THE  SLEEP  PERIOD  AFTER 
LANDING,  INCLUSIVE  OF  ALL  POSTLANDING  ACTIVITIES. 

Fatigue  represents  a  blend  of  factors  resulting  in  a  state  of  decreased  ability.  It  has  been  shown  to 
negatively  impact  both  mental  and  physical  performance,  and  fatigue-induced  changes  increase  after 
18  hours  awake  time.  The  strong  relationship  between  sleep  loss  and  the  development  of  fatigue  is  well 
known. 

For  landing  day,  the  post  landing  activities  are  described  in  the  Crew  Scheduling  Constraints  Document, 
Appendix  K,  Section  3.5  ( JSC-22354 ).  Post  landing  activities  may  be  scheduled  up  to  a  maximum  crew 
awake  time  of  18  hours  inclusive  of  the  presleep  period. 
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A13-26  ACCELERATION  RESTRICTIONS  ON  MEDICAL  PROCEDURES 

A.  THE  FOLLOWING  TYPES  OF  MEDICAL  EXPERIMENTS  WILL  NOT  BE 

PERFORMED  DURING  PROS  ATTITUDE  HOLD,  TRANSLATIONS,  OR  OMS 
FIRINGS:  ®[111094-1714A] 

1.  INVASIVE  EXPERIMENTS  THAT  REQUIRE  A  DEVICE  TO  PENETRATE 
THE  SKIN  OF  THE  SUBJECT  CREWMEMBER. 

2.  APPLICATION  OF  ANY  DEVICE  TO  THE  SURFACE  OF  THE  EYE. 

3.  EXPERIMENTS  THAT  REQUIRE  THE  INSERTION  OF  ANY  DEVICE  INTO 
THE  EAR,  NOSE,  OR  MOUTH. 

4.  EXPERIMENTS  THAT  REQUIRE  THE  USE  OF  A  SYRINGE  OR  ANY 
SHARP-EDGED  DEVICE. 


Relative  motion  between  an  operator  and  subject  will  occur  during  OMS  or  RCS  firings.  This  motion 
could  lead  to  injury. 

B.  THE  CREW  WILL  INFORM  THE  ORBITER  COMMANDER  OR  PILOT  PRIOR  TO 
PERFORMING  DELICATE/INVASIVE  MEDICAL  OPERATIONS. 

Delicate  or  invasive  operations  require  that  acceleration  levels  do  not  exceed  those  produced  by  the 
VRCS.  In  the  case  of  the  loss  of  VRCS,  the  crew  needs  to  coordinate  with  the  CDR  or  PLT  to  ensure  that 
the  orbiter  is  in  free  drift  until  the  operation  has  been  completed.  This  will  prevent  injury  to  the  crew. 

®[1 1 1094-1 71 4A]  ®[ED  ] 
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A13-27  LOWER  BODY  NEGATIVE  PRESSURE  (LBNP) 

A.  A/G  VOICE  REQUIREMENTS 

ELECTROCARDIOGRAM  (ECG)  TELEMETRY  AND  CONTINUOUS  A/G  VOICE 
COMMUNICATIONS  ARE  REQUIRED  DURING  PORTIONS  OF  THE  LBNP  RAMP 
TEST  >  30  MMHG  DECOMPRESSION. 

B.  A  SECOND  CREWMEMBER  IS  REQUIRED  TO  BE  IN  CLOSE  PROXIMITY 
DURING  ALL  LBNP  OPERATIONS  WHILE  A  SUBJECT  IS  IN  THE  LBNPD . 
THE  SECOND  CREWMEMBER  MAY  PERFORM  OTHER  EXPERIMENTS . 


The  second  crewmember  acts  as  an  operator  to  assist  the  subject  to  egress  the  LBNP  during  rapid  egress 
and  in  the  event  the  subject  becomes  incapacitated  ( ref  SL-J  Phase  III  Payload  Flight  Safety  Review 
minutes).  The  second  crewmember  may  operate  other  experiments  but  cannot  be  restrained  or  leave  the 
immediate  vicinity.  The  second  crewmember  must  be  physically  in  attendance  (in  close  proximity)  during 
ramp  sessions. 

C.  LOSS  OF  CONSCIOUSNESS 

FOR  LOSS  OF  CONSCIOUSNESS  BY  SUBJECT  DURING  RAMP  OR  SOAK 
PROTOCOL,  IMMEDIATELY  RECOMPRESS  LBNP  BY  BREAKING  WAIST  SEAL, 
OPENING  THE  MANUAL  RELIEF  VALVE,  OR  SEPARATING  A  QUICK 
DISCONNECT,  AND  CONTACT  FLIGHT  SURGEON.  ®[ED  ] 
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A13-28  LBNP  TEST  TERMINATION  CRITERIA 

A.  LBNP  RAMP  OPERATIONS  ON  A  SUBJECT  WILL  BE  TERMINATED  FOR  ANY 
ONE  OF  THE  CRITERIA  BELOW: 

G  -  GROUND  PERSONNEL  CAN  MAKE  CALL 

S  -  CREWMEMBER  IN-FLIGHT  CAN  MAKE  CALL 


G 

S 

(1)  DROP  IN  HEART  RATE  >  15  BEATS  PER  MINUTE  IN  1  MINUTE 

G 

S 

(2)  DROP  IN  BLOOD  PRESSURE  (EITHER  A  SYSTOLIC  DROP  >  25  MMHG  OR  A  DIASTOLIC  DROP 
>  15  MMHG  IN  1  MINUTE 

G 

S 

(3)  SYSTOLIC  BLOOD  PRESSURE  ?  70  MMHG 

G 

(4)  SIGNIFICANT  CARDIAC  ARRHYTHMIAS 

?  HEART  RATE  <  40  BPM  FOR  PERSONS  WHOSE  RESTING  HEART  IS  >  50  BPM 
?  THREE  OR  MORE  BEATS  IN  A  ROW  OF  SUPRAVENTRICULAR  OR  VENTRICULAR  TACHYCARDIA 
?  EVIDENCE  OF  HEART  BLOCK  OTHER  THAN  FIRST  DEGREE 

?  PREMATURE  VENTRICULAR  COMPLEXES  (PVC)  WHICH  MEET  ANY  OF  THE  FOLLOWING  CRITERIA: 

-  ?  6  PVC’S  IN  1  MINUTE 

-  PVC’S  THAT  ARE  CLOSELY  COUPLED  (QR/QT  <  0.85) 

-  PVC’S  THAT  FALL  ON  THE  T-WAVE  OF  THE  PRECEDING  BEAT  (R  ON  T  PHENOMENA) 

-  PVC’S  THAT  OCCUR  IN  PAIRS  OR  IN  RUNS 

-  PVC’S  THAT  ARE  MULTIFORMED 

S 

(5)  SEVERE  NAUSEA,  CLAMMY  SKIN,  PROFUSE  SWEATING,  LIGHTHEADEDNESS,  TINGLING,  DIZZINESS 

S 

(6)  SUBJECT  REQUEST  AT  ANYTIME 

G 

S 

(7)  LOSS  OF  ECG  AT  THE  SURGEON’S  CONSOLE  OR  VOICE  DOWNLINK  DURING  PORTIONS  OF  RAMP 
PROTOCOLS  BELOW  30  MMHG  OF  DECOMPRESSION  (-  40  MMHG  AND  -  50  MMHG) 

G 

S 

(8)  RESTING  HEART  RATE  GREATER  THAN  THE  MAXIMUM  HEART  RATE  OBSERVED  DURING  PREFLIGHT 
PRE-SYNCOPAL  LBNP  TESTING 

®[ED  ] 


NOTE:  FOLLOWING  LBNP  OPERATIONS  TERMINATION,  A  PRIVATE  MEDICAL 
CONFERENCE  (PMC)  WILL  BE  CONDUCTED  IF  NECESSARY.  IF  THE 
SITUATION  IS  TIME  CRITICAL,  THE  SURGEON  WILL  INSTRUCT  THE 
CREW  DIRECTLY  FROM  THE  CAPCOM  CONSOLE.  IF  THE  RAMP  MUST 
BE  TERMINATED  DUE  TO  REACHING  TERMINATION  CRITERIA,  THE 
LBNP  WILL  BE  RECOMPRESSED  TO  AMBIENT  PRESSURE.  FOLLOWING 
A  5-MINUTE  RECOVERY  WITH  ECG  DOWNLINK  AND  A  GO  FROM 
MCC/POCC,  THE  SOAK  TO  -  30  MMHG  MAY  BE  RESUMED. 
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A13-29  NOISE  LEVEL  CONSTRAINTS  (CONTINUED) 

B.  LBNP  SOAK  OPERATIONS  ON  A  SUBJECT  WILL  BE  TERMINATED  FOR  ANY 
ONE  OF  THE  CRITERIA  BELOW: 


G 

\*3 

(1)  SYSTOLIC  BLOOD  PRESSURE?  70  MMHG 

G 

(2)  SIGNIFICANT  CARDIAC  ARRHYTHMIAS 

?  HEART  RATE  <  40  BPM  FOR  PERSONS  WHOSE  RESTING  HEART  IS  >  50  BPM 
?  THREE  OR  MORE  BEATS  IN  A  ROW  OF  SUPRAVENTRICULAR  OR  VENTRICULAR  TACHYCARDIA 
?  EVIDENCE  OF  HEART  BLOCK  OTHER  THAN  FIRST  DEGREE 

?  PREMATURE  VENTRICULAR  COMPLEXES  (PVC)  WHICH  MEET  ANY  OF  THE  FOLLOWING  CRITERIA: 

-  ?  6  PVC’S  IN  1  MINUTE 

-  PVC’S  THAT  ARE  CLOSELY  COUPLED  (QR/QT  <  0.85) 

-  PVC’S  THAT  FALL  ON  THE  T-WAVE  OF  THE  PRECEDING  BEAT  (R  ON  T  PHENOMENA) 

-  PVC’S  THAT  OCCUR  IN  PAIRS  OR  IN  RUNS 

-  PVC’S  THAT  ARE  MULTIFORMED 

s 

(3)  SEVERE  NAUSEA,  CLAMMY  SKIN,  PROFUSE  SWEATING,  LIGHTHEADEDNESS,  TINGLING,  DIZZINESS 

s 

(4)  SUBJECT  REQUEST  AT  ANYTIME 

G 

s 

(5)  RESTING  HEART  RATE  GREATER  THAN  THE  MAXIMUM  HEART  RATE  OBSERVED  DURING  PREFLIGHT 
PRE-SYNCOPAL  LBNP  TESTING 

NOTE:  FOLLOWING  LBNP  OPERATIONS  TERMINATION,  A  PRIVATE  MEDICAL 
CONFERENCE  (PMC)  WILL  BE  CONDUCTED  IF  NECESSARY.  IF  THE 
SITUATION  IS  TIME  CRITICAL,  THE  SURGEON  WILL  INSTRUCT  THE 
CREW  DIRECTLY  FROM  THE  CAPCOM  CONSOLE.  IF  THE  RAMP  MUST 
BE  TERMINATED  DUE  TO  REACHING  TERMINATION  CRITERIA,  THE 
LBNP  WILL  BE  RECOMPRESSED  TO  AMBIENT  PRESSURE.  FOLLOWING 
A  5-MINUTE  RECOVERY  WITH  ECG  DOWNLINK  AND  A  GO  FROM 
MCC/POCC,  THE  SOAK  TO  -  30  MMHG  MAY  BE  RESUMED.  ®[ED  ] 
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A13-29  NOISE  LEVEL  CONSTRAINTS 

A.  IF  THE  24-HOUR  AVERAGE  NOISE  LEVEL  (LEQ)  IN  ANY  HABITABLE 
VOLUME  (INCLUDING  ORBITER  FLIGHT  DECK,  MIDDECK,  SPACELAB, 
SPACEHAB)  IS  GREATER  THAN  OR  EQUAL  TO  74  DBA  AS  MEASURED  BY 
THE  AUDIO  DOSIMETER,  ONE  OR  MORE  OF  THE  FOLLOWING  ACTIONS 
WILL  BE  TAKEN:  ®[072795-1785A] 

1.  POWER  OFF  THE  GREATEST  NOISE  PRODUCER (S).  THE  POCC/MCC 
MAY  DECIDE  ANY  PRIORITIES  IN  THE  POWERDOWN  IF  THERE  IS 
MORE  THAN  ONE  LOUD  NOISE  SOURCE.  ®[ED  ] 

2.  RESCHEDULE  THE  TIMELINE  SO  THAT  ESPECIALLY  NOISY 
EXPERIMENTS  DO  NOT  OCCUR  ON  THE  SAME  DAY. 

3.  WEAR  HEARING  PROTECTION  DURING  SLEEP  TO  ALLOW  A  RECOVERY 
PERIOD  FROM  THE  NOISE. 

4.  IN  CONTINGENCY  SITUATIONS  ONLY,  WEAR  HEARING  PROTECTION 
DURING  THE  DAY.  ®[072795-1785A] 

Exposure  to  noise  levels  of  74-76  dB  for  10  days  has  been  seen  to  cause  fatigue,  headaches,  ringing  in 
the  ears  and  temporary  threshold  shifts  of  up  to  20-25  clB.  Exposure  to  these  levels  for  even  24  hours  led 
to  complaints  of  the  irritating  effect  of  the  noise.  Each  payload  has  been  required  to  meet  certain  noise 
constraints.  A  number  of  payloads  have  not  met  those  constraints  and  have  been  granted  waivers.  Any 
individual  payload  is  not  likely  to  cause  difficulty  but,  in  combination,  may  produce  unacceptable  noise 
levels.  Powering  off  the  loudest  noise  producers  or  rescheduling  the  time  so  that  several  loud 
experiments  do  not  occur  on  the  same  day  should  lower  the  24-hour  noise  exposure  to  an  acceptable 
level.  ®[0 72795-1 785A] 

Wearing  hearing  protection  (e.g.,  foam  ear  plugs)  during  sleep  provides  a  period  of  time  to  recover  from 
the  temporary  threshold  shift  in  hearing.  The  noise  level  during  the  day  may  still  be  irritating  and 
fatiguing  and  may  cause  difficulty  with  communication.  Wearing  hearing  protection  during  the  day 
should  eliminate  the  irritation  and  fatigue  from  the  noise;  however,  communication  among  the  crew,  with 
the  ground,  and  the  ability  to  hear  alert  tones  may  be  impacted. 

THIS  RULE  CONTINUED  ON  NEXT  PAGE 
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A13-29  NOISE  LEVEL  CONSTRAINTS  (CONTINUED) 


B.  IF  THE  NOISE  LEVEL,  USING  THE  AUDIO  DOSIMETER  IN  THE  SOUND 

LEVEL  METER  MODE,  EXCEEDS  THE  FOLLOWING  LIMITS,  STATEMENTS  1, 
2,  OR  4  OF  PARAGRAPH  A  ABOVE  MAY  BE  IMPLEMENTED.  ®[072795-1785A] 

76-80  DBA  5  MINUTES 

81-85  DBA  1  MINUTE 


?  86  DBA 


NOT  ALLOWED 


At  noise  levels  greater  than  85  cIBA,  adequate  communication  with  the  ground  would  be  extremely 
difficult ,  if  not  impossible,  represen  ting  a  potentially  unsafe  situation  if  urgen  t  calls  to  the  crew  cannot 
be  heard.  Noise  levels  in  the  range  from  76-85  dBA  will  make  communication  difficult  both  among  the 
crew  and  between  the  crew  and  the  ground.  These  time  limits  have  been  recommended  by  the  Spacelcib 
Payloads  Acoustic  Working  Group  and  were  approved  by  the  Shuttle  Program  as  a  maximum  time  that 
this  level  of  communication  in  terference  by  an  individual  payload  should  be  allowed. 

C.  IF,  AT  ANY  TIME,  THE  NOISE  LEVELS  ARE  SUCH  THAT  THE  CREW 

BECOMES  UNCOMFORTABLE  OR  IS  UNABLE  TO  COMMUNICATE  WITH  EACH 
OTHER  OR  THE  GROUND  ADEQUATELY,  THE  CREW  MAY  INSTITUTE 
CORRECTIVE  ACTIONS  PER  PARAGRAPH  A. 

IF  THE  AUDIO  DOSIMETER  IS  INOPERATIVE  OR  NOT  AVAILABLE,  THE 
SAME  CORRECTIVE  ACTIONS  MAY  BE  IMPLEMENTED.  NOISE  LEVEL 
READINGS  CAN  BE  TAKEN  AT  ANY  TIME  BY  THE  CREW,  OR  MAY  BE 
REQUESTED  BY  THE  FLIGHT  DIRECTOR  OR  FCR  SURGEON  IF  PREFLIGHT 
OR  INFLIGHT  CONCERN  OVER  NOISE  LEVEL  EXISTS. 


Noise  levels  in  paragraphs  A  &  B  are  established  as  mandatory  levels;  however,  the  crew  may  experience 
fatigue,  headaches,  or  other  symptoms  at  lower  noise  levels  or  may  encounter  problems  in 
communication  with  each  other  or  the  ground.  The  crew  has  the  authority  to  make  such  judgment  calls 
and  use  the  above  guidelines  and  priorities  to  achieve  a  workable  environment  to  complete  the  mission 
safely  and  successfully.  @[012694-1601  ]  ®[ED  ] 
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A13-30  IODINE  REMOVAL  REQUIREMENT 

THE  TOTAL  AMOUNT  OF  IODINE  AND  IODIDE  INGESTED  BY  CREWMEMBERS 
SHOULD  BE  LIMITED  ON  ALL  SPACE  FLIGHTS.  IT  IS  HIGHLY  DESIRABLE 
TO  LIMIT  IODINE  CONSUMPTION  TO  1 . 0  MG/DAY  PER  CREWMEMBER.  THIS 
LIMIT  INCLUDES  IODINE  FROM  ALL  SOURCES  INCLUDING  DIETARY  INTAKE 
AND  POTABLE  WATER  CONSUMPTION.  @[090999-6996] 

The  Medical  Operations  Branch  and  a  medical  expert  review  panel  agree  that  there  is  an  insignificant 
risk  of  consuming  1.0  mg/day;  however,  excess  iodine  is  suspected  to  cause  long  term  adverse  effects  in 
people  who  are  susceptible  to  thyroid  problems.  The  shuttle  supply  water  system  is  designed  to  iodinate 
drinking  water  to  3-4  ppm  (mg/L).  At  normal  crew  consumption  levels,  this  would  equate  to  6-8  mg  of 
iodine  ingested  per  day.  The  Galley  Iodine  Reduction  Assembly  (GIRA)  will  completely  remove  iodine 
from  the  cold  water  line  and  will  provide  approximately  0. 7  mg  of  free  iodine  in  16  oz  of  hot  water  ( 1.5 
mg/L  of  total  iodine ).  The  food  will  contribute  approximately  0.3  mg/day.  @[090999-6996  ] 


A13-31  CREW  CABIN  TEMPERATURE  LIMITS 

TO  MAXIMIZE  CREW  COMFORT  AND  PERFORMANCE,  MISSION  THERMAL 
ANALYSIS  AND  PLANNING  SHALL  KEEP  THE  CABIN  TEMPERATURE  AT  OR 
BELOW  THE  FOLLOWING  LIMITS:  @[022201 -7095A] 


A. 

PRE-LAUNCH: 

? 

80  DEGREES  F 

B. 

ON-ORBIT:  ? 

80 

DEGREES  F 
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A13-31  CREW  CABIN  TEMPERATURE  LIMITS  (CONTINUED) 

C.  ENTRY/LANDING:  ?  75  DEGREES  F 

IF  ATTEMPTING  TO  MEET  THE  ENTRY/LANDING  CONSTRAINT  OF  75  DEG 
RESULTS  IN  UNACCEPTABLY  COLD  TEMPERATURES  DURING  CREW  SLEEP, 
THE  75  DEG  LIMIT  CAN  BE  INCREASED  WITH  CDR  AND  SURGEON 
CONCURRENCE.  @[092701-4860] 

Excessive  thermal  stress  can  have  a  negative  effect  on  crew  health,  safety,  and  performance.  Exceeding 
these  limits  would  be  expected  to  result  in  an  increased  incidence  of  post-flight  orthostatic  intolerance, 
and  an  increased  awareness  and  reporting  of  thermal  discomfort  by  the  crew.  Liquid  cooling  for  the 
ACES  full-pressure  suit  was  developed  in  response  to  crew  complaints  of  thermal  discomfort  during  the 
landing  and  post-landing  period  on  flights  STS-26  through  STS-62.  Post-flight  medical  data  have  shown 
that  the  incidence  of  orthostatic  intolerance  has  been  reduced  since  liquid  cooling  has  been  available  to 
crews.  The  individual  cooling  units  (ICU’s)  used  during  ascent/entry  since  STS-88  were  designed  to 
remove  340  BTU’s/hr  at  cm  ambient  temperature  of  75  deg  F,  which  is  the  metabolic  heat  load  produced 
by  a  resting,  minimally  active  crewmember.  According  to  data  provided  by  EC5,  the  ICUs  are  expected 
to  become  less  efficient  at  removing  heat  at  ambient  temperatures  above  75  deg  F.  An  engineering 
evaluation  of  these  units  at  higher  ambient  temperatures  has  not  been  performed  to  date.  Orthostatic 
intolerance  is  mainly  a  concern  during  the  entry/landing  phase.  Excessive  heat  load  exacerbates 
orthostatic  intolerance  by  increasing  vasodilation  and  sweating.  Therefore,  the  recommended 
temperature  limits  are  more  restrictive  during  this  mission  phase. 

If  CDR/ 'surgeon  determines  that  the  temperature  control  measures  to  attain  cm  entry/lcmding  temperature 
of  75  deg  F  would  compromise  crew  sleep  by  being  too  cold,  per  CDR  and  surgeon  concurrence,  the 
entry/lcmding  target  will  be  adjusted  to  ensure  a  comfortable  sleep  environment.  A  thermal  assessment 
of  the  projected  wake-up  and  landing  temperatures  will  be  provided  to  assist  in  making  this  decision. 
@[092701-4860] 

Measures  to  achieve  the  crew  cabin  temperature  limits  listed  above  are  documented  in  Rule  { A17-152 }, 
CABIN  TEMPERATURE  CONTROL  AND  MANAGEMENT. 

References:  “Revised  Cabin  Temperature  Requirements,  ”  SD-99-005,  March  23,  19  99;  Summary 
Chart:  “Liquid  Cooling  in  the  LES  Phase  1  Test  Results,  ”  Medical  Sciences  Division/Jcimes  M. 

Waligora,  1993;  En  vironmen  tal  Guidelines  for  Aerobic  and  Resistive  Exercise  Activities,  Tables  1  &  2, 
Medical  Operations  Bone/Muscle/Exercise  IPT,  Medical  Operations  Branch,  Jeff  Jones,  M.D.;  Graph  of 
ICU  Performance  vs  Cabin  Temperature,  EC5/Stephcmie  Walker;  Figure  5.8.2.2-1,  Environmental 
Requirements,  NASA  MSIS-131  Rev.  A;  Minutes  of  Medical  Operations  EVA  IPT,  Cabin  Temperature 
Recommendations,  SD26/Joseph  P.  Dervay,  M.  D. ,  November  17,  19  98;  “  Use  of  liquid  cooling  in  the 
launch  and  entry  suit,  ”  NASA  Technical  Report,  May  12,  1993;  “  Use  of  liquid  cooling  in  the  launch  and 
entry  suit — Phase  II,  ”  NASA  Technical  Report,  February  17,  1994;  and  “Temperature  control  as  a 
countermeasure  to  post-flight  orthostatic  intolerance,  ”  NASA  Technical  Presentation,  April  11,  1996. 
@[022201 -7095A] 
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A13-32  INTENSE  CYCLE  EXERCISE 

THIS  RULE  APPLIES  TO  EXPERIMENTAL /DSO  EXERCISE  PROTOCOLS,  WHEN 

REQUIRED  BY  THE  HRPPC,  AND  DOES  NOT  APPLY  TO  CREW  OPTIONAL 

EXERCISE . 

A.  A/G  VOICE  REQUIREMENTS 

WHEN  FLOWN,  INTENSE  CYCLE  EXERCISE  REQUIRES  ELECTROCARDIOGRAM 
(ECG)  TELEMETRY  AND  CONTINUOUS  A/G  VOICE  COMMUNICATIONS 
DURING  PORTIONS  OF  THE  CYCLE  TEST  (I.E.,  AT  LEVELS  >  80 
PERCENT  PREFLIGHT  MAXIMUM  HEART  RATE)  AND  CONTINUING  THROUGH 
THE  RECOVERY  PERIOD.  THE  RECOVERY  PERIOD  SHALL  LAST  A 
MINIMUM  OF  5  MINUTES  AND  MAY  BE  EXTENDED  AT  THE  FLIGHT 
SURGEON'S  DISCRETION.  THE  SUBJECT  SHALL  CONTACT  FLIGHT 
SURGEON  IMMEDIATELY  PRIOR  TO  BEGINNING  THE  EXERCISE  PROTOCOL 
AND  AGAIN  IMMEDIATELY  BEFORE  PERFORMING  EACH  WORKLOAD 
INCREASE  THAT  EXCEEDS  80  PERCENT  IN  ORDER  TO  CONFIRM  NO 
ORB I TER  LOSS  OF  SIGNAL  (LOS) . 

B.  ON  FLIGHTS  WITHOUT  A  TRAINED  PHYSICIAN  ASTRONAUT  OR  ONBOARD 
ECG  MONITORING  CAPABILITY,  LOSS  OF  ECG/COMM  WILL  NECESSITATE 
LIMITING  EXERCISE  TO  80  PERCENT  WORKLOAD  OR  REDUCING  EXERCISE 
TO  80  PERCENT  IF  ALREADY  ABOVE  IT.  ®[072893-1517A] 

C.  IF  ECG  CAN  BE  MONITORED  ONBOARD  AND  A  TRAINED  PHYSICIAN 
ASTRONAUT  IS  AVAILABLE,  THE  A/G  VOICE  REQUIREMENTS  IN 
PARAGRAPHS  A  AND  B  ABOVE  DO  NOT  APPLY.  THE  PHYSICIAN 
ASTRONAUT  MUST  CONTINUOUSLY  MONITOR  THE  ECG  DURING  EXERCISE 
ABOVE  THE  80-PERCENT  WORKLOAD.  THE  PHYSICIAN  ASTRONAUT  MAY 
NOT  PERFORM  OTHER  EXPERIMENTS  AT  THIS  TIME  AND  MUST  BE  ABLE 
TO  SEE  THE  ECG  DATA. 


The  physician  astronaut  will  be  able  to  detect  significant  dysrhythmias  since  ECG  is  available  onboard. 
The  physician  astronaut  should  be  certified  in  advanced  cardiac  life  support  to  assure  capability  in 
dysrhythmia  recognition  and  intervention.  Prior  to  exceeding  the  80  percent  workload ,  ECG 
downlink/convn  should  be  confirmed.  If  downlink  is  available,  the  flight  surgeon  in  the  MCC  will 
monitor  the  ECG  data. 

D.  TEST  TERMINATION  CRITERIA  @[072893-1 51 7A] 

INTENSE  CYCLE  EXERCISE  OPERATIONS  ON  A  SUBJECT  WILL  BE 
TERMINATED  FOR  ANY  ONE  OF  THE  CRITERIA  LISTED  BELOW: 

G  -  GROUND  PERSONNEL  CAN  MAKE  CALL 

THIS  RULE  CONTINUED  ON  NEXT  PAGE 
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A13-32  INTENSE  CYCLE  EXERCISE  (CONTINUED) 

S  -  CREWMEMBER  IN  SPACE  CAN  MAKE  CALL 

G  1.  THE  CARDIAC  RHYTHM  DISTURBANCES,  LISTED  BELOW,  OCCUR: 

SUSTAINED  ABNORMAL  SUPRAVENTRICULAR  TACHYCARDIA  (I.E., 
PAROXYSMAL  ATRIAL  TACHYCARDIA,  ATRIAL  FIBRILLATION, 
ATRIAL  FLUTTER,  OR  OTHER  SUPRAVENTRICULAR  TACHYCARDIA 
OF  UNIDENTIFIED  ETIOLOGY  LASTING  MORE  THAN  10  SECONDS) 

a.  VENTRICULAR  TACHYCARDIA 

b.  EXERCISE  INDUCED  BUNDLE  BRANCH  BLOCK 
C.  R-ON-T  PVC's 

d.  UNEXPLAINED  INAPPROPRIATE  BRADYCARDIA 

e.  MULTIFOCAL  PVC's 

f.  ONSET  OF  SECOND  OR  THIRD  DEGREE  HEART  BLOCK 

g.  INCREASING  VENTRICULAR  ECTOPY  ( >3 0  PERCENT  OF  TOTAL 
BEATS  UNIFOCAL  PVC'S  DEFINED  AS  ABNORMAL) 

G  S  2 .  A  MAXIMUM  HEART  RATE  VALUE  GREATER  THAN  THAT  EXPLAINABLE 
BY  THE  EXERCISE  STIMULUS  AND  NORMAL  PHYSIOLOGICAL 
VARIABILITY  OCCURS.  (IF  THIS  OCCURS  AT  LOW  LEVELS,  WITH 
NO  SIGNS  OF  INTOLERANCE,  CREWMEMBER  SHOULD  CHECK  HEART 
WATCH  AND  CONFIRM  HEART  RATE  WITH  GROUND) . 

S  3.  SUBJECT  EXPERIENCES  CHEST  PAIN,  DIZZINESS,  OR  OTHER 
INAPPROPRIATE  SYMPTOMS  OF  EXCEPTIONAL  INTOLERANCE. 

S  4.  SUBJECT  REQUESTS  TO  STOP.  ®[ED  ] 
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A13-33  EXERCISE  REQUIREMENTS 

A.  PRESCRIBED  EXERCISE  SHALL  BE  SCHEDULED  FOR  THE  CDR,  PLT ,  AND 
MS2  AT  LEAST  EVERY  OTHER  DAY  FROM  FD04  TO  NOMINAL  EOM-1 .  FOR 
FLIGHTS  >11  DAYS,  EXERCISE  FOR  ALL  OTHER  CREWMEMBERS  SHALL 
BE  SCHEDULED  AT  LEAST  EVERY  3  DAYS.  EXERCISE  STARTING  ON 
FD03  IS  HIGHLY  DESIRABLE  AND  SHALL  BE  SCHEDULED  IF  CREW  SPACE 
MOTION  SICKNESS  (SMS)  SYMPTOMS  PERMIT  (CREW  CALL)  .  ®[022802-4887C] 

Properly  performed  exercise  results  in  improved  condition  of  the  crew  on  return  to  a  1-G  environment. 

The  parameters  defining  the  specific  components  of  the  exercise  prescription  are  based  upon  the  findings 
of  the  Extended  Duration  Orbiter  Medical  Project  and  from  evaluation  of  crews  on  Mir  during  Phase  1. 

All  shuttle  crewmembers  need  to  be  capable  of  emergency  egress,  if  required,  and  should  possess  the 
level  of  physical  conditioning  required  to  assist  in  the  egress  of  returning  long-duration  crewmembers. 

The  CDR,  PLT,  and  MS2  must  be  capable  of  performing  the  necessary  piloting  tasks  of  a  nominal 
landing,  arid  therefore  have  priority  in  the  scheduling  of  exercise.  Exercise  will  be  scheduled  daily 
according  to  the  Shuttle  Crew  Scheduling  Constraints  Document  (SCSCD).  These  requirements  are 
found  in  the  Shuttle  Crew  Scheduling  Constraints  Document  (NSTS-37326). 

Prescribed  aerobic  exercise  can  be  performed  on  the  cycle  ergometer,  treadmill,  or  rowing  device. 

Specific  components  of  the  aerobic/anaerobic  exercise  protocol  shall  at  a  minimum  include:  exercise 
duration  (exclusive  of  warm-up)  ?  20  minutes;  exercise  frequency  ?  three  times/seven  flight  days; 
exercise  intensity  performed  at  a  level  eliciting  ?  70  percent  of  the  individual  crewmember’s  age- 
predicted  maximum  heart  rate. 

Aerobic/anaerobic  exercise  performed  at  an  intensity,  duration,  or  frequency  lower  than  that  listed  above 
will  result  in  insufficient  training  for  maintenance  of  exercise  capacity. 

Strength  training  with  resistive  exercise  hardware  is  also  encouraged  every  3  days,  especially  for  CDR , 
PLT,  and  MS2. 

Shuttle  exercise  will  be  briefed  to  the  crew  by  the  shuttle  crew  surgeon,  prior  to  flight,  and  will  be 
discussed  when  necessary  via  Private  Medical  Conference.  ®[022802-4887C] 

B.  FAILURE  OF  EXERCISE  EQUIPMENT  ALONE  WILL  NOT  BE  CAUSE  TO 
SHORTEN  THE  FLIGHT.  ®[022802-4887C] 

If  exercise  hardware  fails,  exercise  will  be  performed  according  to  a  workaround/contingency 
prescription  from  the  surgeon. 

Reference  {C13.2.4-1},  EXERCISE  REQUIREMENTS  FOR  ISS  CREWMEMBERS  RETURNING  ON 
SHUTTLE,  for  additional  exercise  requirements. 
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A13-33  EXERCISE  REQUIREMENTS  (CONTINUED) 

DOCUMENTATION: 

Johnston,  S.  L.,  Wear,  M.  L.,  and  Hamm,  P.  B.  Incidence  of  Herniated  Nucleus  Pulposis  Among 
Astronauts  and  Other  Selected  Populations.  Presented  at  69  th  meeting  of  the  Aerospace  Medical 
Association,  May  1998. 

Jones,  Jeffrey  A.  Effects  of  Sustained  Microgravity  on  the  Musculoskeletal  System  and  Joint 
Coun  termeasures  for  ISS  Crews.  August  2000. 

Shackelford,  L.  C.,  et  al.  Countermeasures  against  Disuse  Bone  Loss.  Life  Science  Research 
Laboratories,  NASA/JSC,  Houston,  TX;  Baylor  College  of  Medicine,  Houston,  TX. 

Watenpaugh,  DE,  RE  Ballard,  M  Aratow,  AR  Hargens,  DF  Schwandt,  SE  Parzynski,  SM  Fortney. 
Exercise  technology  for  space  and  earth.  Abstract  in  AIAA  Conference  in  Houston,  March  5-7,  1996. 
@[022802-4887 C] 

Extended  Duration  Orbiter  Medical  Project.  Final  Report  1989-1995.  Section  1:  Cardiovascular 
Deconditioning  and  Section  3:  Functional  Performance  Evaluation.  NASA-SP- 1999-5 34 

A13-34  THROUGH  A13-50  RULES  ARE  RESERVED 
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A13-51  CABIN  PRESSURE 

A.  MINIMUM  CABIN  PRESSURE: 

1.  IF  THE  PCS  IS  UNABLE  TO  MAINTAIN  THE  CABIN  PRESSURE  AT  OR 
ABOVE  8.0  PSIA,  THE  FLIGHT  WILL  BE  TERMINATED  AT  THE  NEXT 
PLS  . 

The  minimum  cabin  pressure  of  8  psia  is  specified  to  provide  adequate  protection  from  decompression 
sickness  (bends)  for  continued  on-orbit  operations.  A  decompression  from  14.7  to  8  psia  would  produce 
an  R  value  of  1.50.  ( The  R-value  is  a  measure  of  risk  for  developing  decompression  sickness  and  is  the 
ratio  of  tissue  nitrogen  pressure  prior  to  decompression  to  the  final  ambient  pressure.)  The  risk  of 
simple  limb  bends  is  estimated  to  be  less  than  10  percent  and  the  risk  of  incapacitating  bends  less  than 
2  percent  at  this  level.  This  level  is  more  conservative  than  the  EVA  rule  (ref.  Rule  {A13-103A},  EVA 
PREBREATHE  PROTOCOL)  because  the  crew  could  be  exposed  for  many  hours,  and  the  cabin  could 
not  be  repressurized  above  8  psia  should  symptoms  of  bends  develop. 

Rule  (A1 7-258},  LOSS  OF  CABIN  INTEGRITY  TMAX  DEFINITION  AND  TIG  SELECTION,  references 

this  rule.  ®[042594-ED  ] 

2.  MINIMUM  PRESSURES  BELOW  8  PSI  -  FOR  CONTINGENCY  PLANNING, 
IF  POSSIBLE,  PRESSURE  REDUCTIONS  BELOW  8  PSI  WILL  NOT 
EXCEED  THE  SPECIFIED  LIMITS  SHOWN  BELOW. 


a . 

6.5 

PSI 

FOR 

NO 

MORE 

THAN 

90 

MINUTES . 

b . 

3 . 5 

PSI 

FOR 

NO 

MORE 

THAN 

30 

MINUTES . 

The  con  tingency  limits  on  cabin  pressure  specified  provide  adequate  protection  from  decompression 
sickness  to  allow  safe  return  of  crew  to  preferred  recovery  sites.  Risk  of  decompression  sickness  is  a 
complex  function  of  many  factors,  including  amount  of  pressure  reduction,  exposure  time,  and  activity 
of  the  crewmembers.  Based  on  available  data,  exceeding  the  specified  limits  in  the  shuttle  environment 
would  result  in  a  risk  of  incapacitating  bends  of  more  than  5  to  10  percent  and  a  risk  of  “pain  only” 
bends  of  approximately  40  percen  t. 

THIS  RULE  CONTINUED  ON  NEXT  PAGE 
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A13-51  CABIN  PRESSURE  (CONTINUED) 

B.  UNPLANNED  REDUCTION  IN  CABIN  PRESSURE: 

1.  ANY  UNPLANNED  REDUCTION  OR  PROJECTION  OF  CABIN  PRESSURE 
BELOW  12.5  PSIA  WILL  REQUIRE  THE  CREW  TO  DON  THE  QUICK 
DON  MASK  (QDM)  IMMEDIATELY.  THE  FINAL,  STABILIZED  CABIN 
PRESSURE  WILL  DETERMINE  THE  NEED  FOR  CONTINUED  USE  OF  THE 
QDM.  THE  FCR  SURGEON  SHOULD  BE  CONSULTED  FOR  PLANNING  OF 
ALL  SUBSEQUENT  CREW  ACTIVITIES. 


Reduction  in  cabin  pressure  and  the  resulting  decrease  in  PPO2  may  result  in  hypoxia  and  increase  the 
risk  of  decompression  sickness  in  crewmembers.  If  the  QDM  is  donned  above  a  pressure  of  12.5  psia, 
formation  of  micro  emboli  in  the  blood  may  still  be  prevented.  With  a  rapid  loss  of  pressure,  cm  under¬ 
standing  of  the  resulting  cabin  environmen  t  and  the  restrictions  it  may  impose  must  be  evaluated  by  the 
surgeon. 

2.  CREWMEMBERS  MAY  DISCONTINUE  USE  OF  THE  QDM  WHEN  THE 
FINAL,  STABILIZED  CABIN  PRESSURE  AND  PPC£  LEVELS  ARE 
AT  OR  ABOVE  THE  FOLLOWING  MINIMUM  VALUES: 

FOR  TEMPERATURES  WITHIN  70  DEG  TO  85  DEG  F,  USE  THE 
IN-RANGE  VALUE.  THE  OUT-OF-RANGE  VALUE  IS  USED  FOR 
TEMPERATURES  LESS  THAN  70  DEG  F  OR  GREATER  THAN  85  DEG 

F  . 


CABIN  PRESSURE 
(PSIA) 

PP02 

(PSIA) 

OXYGEN  CONCENTRATION 
(PERCENT) 

OUT 

IN 

OUT 

14.7 

2.29 

2.37 

2.44 

15.6 

16.1 

16.6 

10.2 

2.35 

2.43 

2.50 

23.0 

23.8 

24.5 

8.0 

2.38 

2.46 

2.53 

30.1 

30.8 

31.6 

All  of  the  cabin  pressure-PP02  combinations  provide  the  equivalen  t  of  cm  8000-foot  pressure  altitude 
breathing  air.  The  rationale  of  Rule  {A13-53B},  MINIMUM  PPO2  CONSTRAINTS,  applies.  ®[ED  ] 
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A13-52  PPCQ2  CONSTRAINT 

A.  TWO-GAS  ENVIRONMENT  (CABIN) : 

1.  IF  THE  ATMOSPHERIC  REVITALIZATION  SYSTEM  (ARS)  IS  UNABLE 
TO  MAINTAIN  THE  PPCO2  IN  THE  ORBITER  CREW  COMPARTMENT 
BELOW  15  MMHG,  THE  CREW  WILL  DON  THE  QDM .  THE  MISSION 
WILL  BE  TERMINATED  AT  THE  NEXT  PLS . 


Deleterious  physiological  changes  can  be  expected  at  PPCO2  levels  of  15  mmHg  and  above.  These 
symptoms  will  be  alleviated  by  using  the  QDM  and  breathing  100  percent  O2 ■  If  the  ARS  is  unable  to 
maintain  PPCO2  levels  below  15  mmHg,  the  mission  must  be  terminated  as  the  cabin  atmosphere  is 
unsafe  for  routine  crew  activities  without  supplementary  oxygen.  Oxygen  toxicity  must  be  avoided  with 
the  prolonged  exposure  to  100  percen  t  O2  while  using  the  QDM  (ref .  Rule  { Aid -54} ,  100  PERCENT 
OXYGEN  USE  CONSTRAINT). 

2.  FOR  PPCO2  LEVELS  BETWEEN  7.6  MMHG  AND  15  MMHG,  PLANNING 
FOR  ALL  CREW  ACTIVITIES  WILL  REQUIRE  EVALUATION  BY  THE 
FCR  SURGEON. 


A  PPCO2  of  7.6  mmHg  is  the  maximum  level  that  can  be  tolerated  by  the  crew  for  long  periods. 

Above  7.6  mmHg,  physiological  changes  may  occur  that  are  unacceptable  for  crew  safety,  health, 
and  performance.  The  length  of  exposure  to  levels  above  7.6  mmHg  and  the  planned  crew  activities 
will  need  to  be  reviewed  by  the  FCR  surgeon  for  consideration  of  physiological  and  performance 
effects. 

B.  ONE-GAS  ENVIRONMENT  (EMU) : 

1.  FOR  PPCO2  LEVELS  BETWEEN  3  AND  8  MMHG  WITH  SYMPTOMS 
INDICATIVE  OF  CO2  EXPOSURE,  THE  CREWMEMBER  WILL  TERMINATE 
THE  EVA,  PROCEED  TO  THE  AIRLOCK,  AND  CONNECT  TO  THE 
SERVICE  AND  COOLING  UMBILICAL  (SCU)  .  ®[ED  ] 

2.  FOR  PPCO2  LEVELS  GREATER  THAN  8  MMHG  DURING  EVA,  IF  IT 
CANNOT  BE  CONFIRMED  THAT  THE  ELEVATED  LEVELS  ARE  DUE  TO  A 
SENSOR  ERROR,  THE  EVA  CREWMEMBER  WILL  TERMINATE  THE  EVA, 
PROCEED  TO  THE  AIRLOCK,  AND  CONNECT  TO  THE  SCU.  ®[1 21 1 97-6456A] 

3.  FOR  LOSS  OF  PPCO2  SENSOR,  THE  FLIGHT  SURGEON  MAY  REQUEST 
PHYSIOLOGICAL  STATUS  CHECKS  TO  EVALUATE  THE  CREWMEMBER  FOR 
SYMPTOMS  OF  HYPERCAPNIA.  IF  SYMPTOMS  ARE  DETECTED,  THE 
EVA  WILL  BE  TERMINATED.  ®[1 21 1 97-6456A] 

THIS  RULE  CONTINUED  ON  NEXT  PAGE 
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A13-52  PPCQ2  CONSTRAINT  (CONTINUED) 

For  a  PPCO2  indication  of  3  to  8  mmHg,  the  actual  level  in  the  helmet  can  be  11  to  15  mmHg  and  may  be 
as  high  as  19  to  23  mmHg,  depending  on  the  metabolic  rate.  If  symptoms  are  associated  with  indicated 
values  of  3  to  8  mmHg,  this  indicates  a  high  level  of  CO 2  in  the  helmet,  and  the  EVA  should  be  terminated. 

In  order  to  avoid  unnecessary  termination  of  cm  EVA  due  to  faulty  high  PPCO2  readings,  an  evaluation 
of  the  PPCO2  sensor  should  be  performed  if  the  indicated  level  is  greater  than  8  mmHg.  The  EVA  cuff 
checklist  outlines  the  procedure  to  be  followed  by  the  crewmember.  Additional  evaluation  can  be 
performed  by  ground  personnel  to  determine  the  status  of  the  sensor.  If  the  indicated  PPCO2  level  is 
greater  than  8  mmHg,  due  to  a  confirmed  sensor  error ,  the  crewmember  may  continue  the  EVA;  but 
crewmember  symptoms  should  be  evaluated  periodically.  If  symptoms  are  noted  the  EVA  should  be 
terminated,  and  the  crewmember  should  proceed  to  the  airlock  and  connect  to  the  SCU.  When  the 
crewmember  is  connected  to  the  SCU  with  the  helmet  purge  valve  open,  the  resultant  O 2  flow  alleviates 
danger  of  high  PPCO2  levels. 

For  CO 2  transducer  loss,  the  ability  to  detect  a  high  CO2  level  relies  primarily  on  the  crewmember’ s 
ability  to  detect  physiological  symptoms.  Since  one  of  the  symptoms  of  hypercapn  ia  is  impaired  judgmen  t, 
the  unaffected  EVA  crewmember,  TV  crewmember,  and  Flight  Surgeon  will  assist  in  periodically 
monitoring  the  affected  crewmember’ s  physiological  condition.  The  most  common  sign  of  CO 2  exposure 
is  an  increased  breathing  rate  that  will  occur  at  1  to  2  percent  (7.6  to  15  mmHg).  The  pulse  rate  will 
increase  at  3  to  5  percent  (22  to  38  mmHg).  Nonspecific  symptoms  experienced  by  the  crewmember  can 
be  headache,  dizziness,  drowsiness,  muscular  weakness,  etc.  Note  that  the  OSHA  standard  for  an  8-hour 
workplace  exposure  is  0.5  percent  (3.8  mmHg).  The  Flight  Surgeon  will  continually  monitor  the 
downlinked  ECG  and  metabolic  data  as  well  as  the  voice  communications  and  breathing  rate  and  may 
request  physiological  status  checks  be  performed  with  the  crewmember  as  necessary.  The  other  EVA 
crewmember  and  the  TV  crewmember  will  monitor  the  affected  crewmember’ s  task  performance  and  voice 
communications  and  should  perform  status  checks  every  30-60  minutes  or  as  requested  by  the  Flight 
Surgeon.  If  symptoms  are  detected,  the  EVA  should  be  terminated.  Thirty  minu  tes  was  determined  to  be 
the  minimum  time  it  would  take  for  the  PPCO2  levels  to  increase  from  3  mmHg  to  8  mmHg  due  to  a  LiOH 
breakthrough.  ®[1 21 1 97-6456A] 

Rules  {A13-54},  100  PERCENT  OXYGEN  USE  CONSTRAINT;  {A15-102H},  EMU  GO/NO-GO 
CRITERIA;  {A17-106J,  REGENERATIVE  C02  REMOVAL  SYSTEM  (RCRS)  LOSS  DEFINITION; 
and  (A1 7-301 },  CABIN  ATMOSPHERE  MANAGEMENT;  reference  this  rule.  ®[ED  ] 
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A13-53  MINIMUM  PPQ2  CONSTRAINTS 

A.  TWO-GAS  ENVIRONMENT  (CABIN) : 

1 .  THE  PCS  SHOULD  MAINTAIN  THE  PPO2  AT  OR  ABOVE  THE 
FOLLOWING  SPECIFIED  CABIN  PRESSURES: 

a.  FOR  TEMPERATURES  WITHIN  70  DEG  TO  85  DEG  F,  USE 
THE  IN-RANGE  VALUE.  THE  OUT-OF-RANGE  VALUE  IS 
USED  FOR  TEMPERATURES  LESS  THAN  70  DEG  F  OR 
GREATER  THAN  85  DEG  F. 


CABIN  PRESSURE 
(PSIA) 

PP02 

(PSIA) 

OXYGEN  CONCENTRATION 
(PERCENT) 

IN 

OUT 

IN 

OUT 

14.7 

2.29 

2.37 

2.44 

15.6 

16.1 

16.6 

10.2 

2.35 

2.43 

2.50 

23.0 

23.8 

24.5 

8.0 

2.38 

2.46 

2.53 

30.1 

30.8 

31.6 

b.  IF  THE  LEVEL  OF  PP02  CANNOT  BE  MAINTAINED  AT  THE 

ABOVE  LEVELS,  THE  MISSION  WILL  BE  TERMINATED  AT  THE 
NEXT  PLS . 

The  PPO2  minimum  acceptable  limits  defined  in  the  table  are  established  to  ensure  adequate  delivery  of 
oxygen  to  the  pulmonary  alveoli.  These  limits  represent  the  minimum  PPO2  required  to  maintain  the 
alveolar  pressure  of  oxygen  equivalent  to  that  of  breathing  air  at  an  8000-foot  pressure  altitude.  Due 
to  the  saturation  of  breathing  gases  with  water,  PPO2  limits  must  increase  as  cabin  pressure  decreases 
to  main  tain  the  same  alveolar  partial  pressure  of  oxygen.  For  temperatures  of  70  deg  to  85  deg  F,  the 
maximum  PPO2  sensor  error  is  ±  0.08  psia.  This  error  is  added  to  the  minimum  acceptable  true  PPO2 
(8,000 feet  altitude  equivalent )  to  arrive  at  the  minimum  acceptable  PPO2  sensor  reading  ( e. g. ,  2.29  + 
0.08  =  2.37).  For  temperatures  outside  this  range,  the  PPO2  error  is  ±  0.15  psia,  and  this  error  must 
be  adjusted  accordingly  per  OMRSD  V61AJ0.141.  Above  a  pressure  altitude  of 8,000 feet,  deleterious 
changes  in  crew  performance  can  occur  from  hypoxia  arid  altitude  sickness.  Symptoms  of  altitude 
sickness  can  develop  over  several  hours  consisting  of  headache,  lethargy,  and  reduced  appetite  in  15  to 
20  percent  of  crewmembers.  More  serious  symptoms  of  confusion,  loss  of  coordination,  and  difficulty  in 
breathing  may  occur.  These  more  serious  symptoms  must  be  treated  with  oxygen  and  an  immediate 

increase  in  ambient  pressure.  ( Ref.  Rule  {A13-54},  100  PERCENT  OXYGEN  USE  CONSTRAINT). 

®[ED  ] 

Rules  (A1 7-203},  PP02  CONTROL,  and  {A1 7-1001},  LIFE  SUPPORT  GO/NO-GO  CRITERIA, 
reference  this  rule. 
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A13-53  MINIMUM  PPQ2  CONSTRAINTS  (CONTINUED) 

2.  FOR  NEXT  PLS  LANDING,  THE  PPO2  MAY  BE  ALLOWED  TO  DECREASE 
TO  THE  FOLLOWING  LEVELS  FOR  NO  MORE  THAN  24  HOURS.  THE 
LAUNCH/ENTRY  SUIT  (LES)  SHALL  BE  DONNED  1  HOUR  PRIOR  TO 
LANDING  WITH  VISORS  DOWN. 

FOR  TEMPERATURES  WITHIN  70  DEG  TO  85  DEG  F,  USE  THE 
IN-RANGE  VALUE.  THE  OUT-OF-RANGE  VALUE  IS  USED  FOR 
TEMPERATURES  LESS  THAN  70  DEG  F  OR  GREATER  THAN  85  DEG  F. 


CABIN  PRESSURE 
(PSIA) 

PP02 

(PSIA) 

OXYGEN  CONCENTRATION 
(PERCENT) 

IN 

OUT 

IN 

OUT 

14.7 

2.09 

2.17 

2.24 

14.2 

14.8 

15.2 

10.2 

2.14 

2.22 

2.29 

20.1 

21.8 

22.5 

8.0 

2.20 

2.28 

2.35 

27.5 

28.5 

29.4 

These  PPO2  levels  represent  a  pressure  altitude,  breathing  air  of  10,000 feet.  Rapid  ascents  to  10,000 
feet  cause  a  mild  altitude  sickness  incidence  of  20  to  40  percen  t.  The  risk  of  altitude  sickness  is  increased 
principally  from  the  reduced  alveolar  oxygen  tension  and  to  a  lesser  degree  from  the  decrease  in  the 
ambien  t  air  pressure.  High  altitude  pulmonary  edema  has  been  noted  in  the  15  to  25  percent  of  those 
exposed  to  a  14,000-foot  pressure  altitude  for  24  hours  and  has  occurred  as  low  as  9,000 feet.  Death 
from  high  altitude  cerebral  edema  has  been  reported  at  10,000 feet.  The  risk  of  altitude  sickness  at 
certain  cabin  pressures  and  PPO2  levels  must  be  balanced  against  system  anomalies  and  difficulties 
generated  from  landing  at  a  non-PLS  site.  Wearing  the  LES  and  breathing  100  percent  oxygen  1  hour 
prior  to  landing  will  eliminate  the  subtle  performance  decrements  that  occur  with  hypoxia  (ref.  Rule  (A13- 
54},  100  PERCENT  OXYGEN  USE  CONSTRAINT). 

Rules  { A17-203} ,  PP02  CONTROL;  {A17-254},  CABIN  02  CONCENTRATION;  and  {A17-1001},  LIFE 
SUPPORT  GO/NO-GO  CRITERIA,  reference  this  rule.  ®[ED  ] 

3.  FOR  CONTINGENCY  LANDING  PURPOSES,  IN  A  SITUATION  WHERE 

THE  PPO2  CANNOT  BE  MAINTAINED  AT  THE  LEVELS  IN  PARAGRAPH 
A. 2,  THE  QDM  SHALL  BE  DONNED.  THE  FINAL  DETERMINATION  OF 
QDM  USE  AND  LES  DONNING  WILL  DEPEND  ON  FINAL  STABLE  CABIN 
PRESSURE,  PPO2,  AND  TIG. 

If  the  cabin  cannot  be  maintained  at  the  PPO2  levels  delineated  in  paragraph  A. 2,  use  of  the  QDM  is 
necessary  to  prevent  hypoxia  and  altitude  sickness.  Providing  supplementary  oxygen  with  the  QDM  or 
LES  can  preven  t  deleterious  changes  in  crew  performance  from  both  hypoxia  and  altitude  sickness. 
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A13-53  MINIMUM  PPQ2  CONSTRAINTS  (CONTINUED) 

4.  CONSULT  THE  FCR  SURGEON  FOR  THE  TOTAL  LENGTH  OF  TIME  THAT 
THE  CREW  MAY  WEAR  THE  QDM  OR  LES. 

The  next  PLS  opportunity  may  not  occur  for  several  hours.  Some  crewmembers  may  be  able  to  remove 
their  QDM  or  LES  for  brief  periods  of  time  during  low  activity  and/or  sleep  periods.  This  removal  will 
provide  for  greater  crew  comfort,  increased  mobility,  and  will  prevent  possible  oxygen  toxicity  from 
breathing  100  percent  oxygen  (ref.  Rule  {A13-54},  100  PERCENT  OXYGEN  USE  CONSTRAINT).  The 
FCR  surgeon  can  estimate  the  pressure  altitude,  breathing  air  from  the  known  cabin  pressure  and  PP02, 
and  can  estimate  the  length  of  time  that  the  crew  may  safely  remove  their  QDM  or  LES. 

B.  ONE-GAS  ENVIRONMENT  (EMU)  -  IF  THE  PRESSURE  IN  THE  SUIT  FALLS 
BELOW  3.15  (3.3)  PSI,  THE  EVA  CREWMEMBER  WILL  ABORT  THE  EVA. 

@[050400-71 97A] 

At  92  percent  O2,  3.15  (3.3)  psia  corresponds  to  a  pressure  altitude  of 8000 feet  and  the  rationale  of 
paragraph  A.l  applies.  Exhaled  nitrogen  from  the  crewmember  dilutes  the  oxygen  atmosphere  in  the  suit 
to  92  percent.  ®[050400-7i97A] 

Rule  ( A 1 3-5 1 B J.2,  CABIN  PRESSURE,  references  this  rule. 
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A13-54  100  PERCENT  OXYGEN  USE  CONSTRAINT 

A.  THE  MAXIMUM  AMOUNT  OF  TIME  A  CREWMEMBER  MAY  BREATHE  100 

PERCENT  OXYGEN  BY  WEARING  THE  QDM  OR  LES  AT  VARIOUS  CABIN 
PRESSURES  IS: 


CABIN  PRESSURE 

MAXIMUM  QDM  OR  LES 
HELMET  TIME 

12-14.7  PSI 

6  HOURS 

10.2-12  PSI 

12  HOURS 

<10.2  PSI 

INDEFINITELY 

Breathing  100  percent  oxygen  at  sea  level  pressure  will  result  in  physiologic  changes  due  to  oxygen 
toxicity  after  6  hours  minimum.  Since  oxygen  toxicity  is  proportional  to  the  oxygen  partial  pressure 
and  not  the  percent  gas,  longer  exposures  of  100  percent  oxygen  can  be  tolerated  at  lower  pressures. 

For  100  percent  oxygen  at  sea  level,  physiologic  changes  begin  as  mild  (2  to  5  percent )  asymptomatic 
decreases  in  vital  capacity  (the  largest  volume  of  air  which  can  be  exhaled  voluntarily)  beginning  with 
fully  inflated  lungs.  After  12  hours,  coughing,  sore  throat,  and  substernal  soreness  are  usually  seen, 
and  after  24  hours,  atelectasis,  pulmonary  edema,  broncho-pneumonia,  and  further  decrements  in  vital 
capacity  may  develop.  Intermittent  air  breaks  or  lowering  pressure  may  avoid  such  effects. 

B.  CONTINGENCIES,  SUCH  AS  FIRE  OR  SMOKE  IN  THE  CABIN,  HALON  1301 
OR  OTHER  TOXIC  COMPOUNDS  SPILLED  IN  THE  CABIN,  MAY  REQUIRE 
EXTENDED  USE  OF  THE  QDM  OR  LES  BEYOND  THE  LIMITS  STATED  IN 
PARAGRAPH  A.  THE  FCR  SURGEON  SHOULD  BE  CONSULTED  FOR  THE 
MAXIMUM  LENGTH  OF  TIME  THE  QDM  OR  LES  MUST  BE  WORN  (REF.  RULE 
{A13-52},  PPCO2  CONSTRAINT). 

After  exposure  of  the  shuttle  cabin  atmosphere  to  a  toxic  substance  and  subsequent  cleanup,  the 
atmosphere  may  need  to  be  purged  of  residual  toxic  contamination  based  on  the  type  of  substance, 
amount  released,  relative  toxic  potential,  and  the  ability  ofARS  to  remove  the  substance. 

The  atmosphere  is  considered  purged  of  residual  toxic  material  that  can  be  removed  by  the  ARS  after  a 
six-fold  cycle  through  the  ARS. 

Oxygen  toxicity  changes  are  usually  mild  at  onset  and  may  be  considered  less  limiting  than  other 
considerations,  including  PLS  availability  and  deorbit  time  requirements.  Individual  determination  by 
the  crew  surgeon  is  required  to  balance  cost/benefits  for  specific  cases. 

Rules  { A13-52A.1 },  PPC02  CONSTRAINT;  and  (A13-53A.2},  MINIMUM  PP02  CONSTRAINTS, 
reference  this  rule. 
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EVA  OPERATIONS 


A13-101  SCHEDULED  AND  UNSCHEDULED  EVA  CONSTRAINTS 

A.  NO  SCHEDULED  OR  UNSCHEDULED  EVA  SHALL  OCCUR  PRIOR  TO 
APPROXIMATELY  24  HOURS  MET  OF  FLIGHT. 

B.  NO  SCHEDULED  EVA  SHALL  OCCUR  PRIOR  TO  APPROXIMATELY  72  HOURS 
MET  UNLESS  AN  ASSESSMENT  OF  CREW  HEALTH  HAS  BEEN  ACCOMPLISHED 
BY  THE  FOR  SURGEON  DURING  A  PMC. 

Symptoms  of  motion  sickness  are  experienced  by  73  percent  of  crewmembers  on  their  first  shuttle  flight. 
Thirteen  percent  of  them  will  have  a  severe  case  characterized  by  drowsiness,  inability  to  concentrate, 
severe  nausea  arid  vomiting,  and  little  or  no  food  or  water  intake  over  24  to  48  hours.  The  majority  of 
susceptible  crewmembers  develop  symptoms  in  the  first  6  hours  of  flight,  and  all  crewmembers  graded  as 
moderate  or  severe  had  symptom  onset  in  the  first  6  hours.  Symptoms  peak  over  24  to  48  hours  MET 
and  resolve  over  48  to  72  hours  MET.  During  adaption  to  zero-g,  movement  (especially  head  movement) 
may  provoke  nausea  and  vomiting  in  susceptible  crewmembers  and  potentially  endanger  the  safety  of  the 
crewmember  by  decreased  concentration,  lethargy,  or  vomitus  in  the  helmet. 

C.  NO  UNSCHEDULED  EVA  SHALL  OCCUR  PRIOR  TO  APPROXIMATELY  48  HOURS 
MET  UNLESS  AN  ASSESSMENT  OF  CREW  HEALTH  HAS  BEEN  ACCOMPLISHED 
BY  THE  FOR  SURGEON  DURING  A  PMC. 

An  unscheduled  EVA  for  mission  success  is  a  high  priority  EVA  and  may  be  performed  after 
approximately  48  hours  MET  as  many  crewmembers  will  have  resolving  symptoms  of  motion  sickness 
and  will  be  less  susceptible  to  provocative  motion  stimuli  after  48  hours  MET.  The  reduced  risk  of 
motion  sickness  is  balanced  against  the  prospective  gain  of  a  successful  mission.  The  limitations 
elaborated  in  the  Crew  Scheduling  document,  Appendix  K,  recognize  that  the  EVA  may  not  be  performed 
due  to  crew  health  concerns. 

Rules  (A13-23J,  PRIVATE  MEDICAL  COMMUNICATION  (PMC);  and  {A1 5-14},  SCHEDULED  AND 
UNSCHEDULED  EVA  CONSTRAINTS,  reference  this  rule. 
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A13-102  MAXIMUM  EVA  DURATION  CONSTRAINTS 

EXTENSION  OF  ANY  EVA  BEYOND  AN  EVA  PET  6.5  HOURS  REQUIRES 
FLIGHT  SURGEON  APPROVAL  BASED  ON  OBJECTIVE  AND/OR  SUBJECTIVE 
PHYSIOLOGICAL  DATA  AND  PARAMETERS  FOR  EACH  EV  CREWMEMBER. 

@[050400-71 93A] 

The  energy  level  of  the  EV  crewmember  may  be  diminished  after  6.5  hours.  The  average  metabolic  rate  of 
an  EV  crewmember  is  approximately  800  BTU/hr  (200  kcal/hr),  with  peak  rates  during  heavy  work  periods 
of  1600  to  2000  BTU/hr  (400  to  500  kcal/hr).  While  in  the  EMU,  crewmembers  do  not  have  access  to  food. 
An  increase  in  EVA  duration  could  result  in  energy  deficiency  that  begins  to  affect  performance.  Higher 
than  average  workloads  will  also  affect  the  EV  crewmember.  Wearing  the  EMU  suit  and  performing  special 
EVA  tasks  could  cause  local  fatigue  in  the  hands,  arms,  and  upper  body.  Free  floating  also  requires  more 
energy  and  produces  greater  cumulative  fatigue  than  tasks  utilizing  foot  restraints. 

The  body  looses  6  to  8  ounces  of  water  per  hour  during  the  EVA.  This  could  cause  an  EV  crewmember 
with  a  32-ounce  drink  bag  to  be  1  percent  dehydrated  (thirsty)  at  the  end  of  an  8-hour  EVA.  If  the 
crewmember  begins  the  EVA  already  at  a  1  percent  dehydration  level,  performance  will  be  affected  in  the 
6.5  to  8-hour  period  of  the  EVA. 

Other  factors  that  could  lead  to  limiting  EVA  extension  include,  but  are  not  limited  to,  residual  Space 
Adaptation  Sickness,  uncertain  hydration,  nutrition,  inadequate  sleep/rest,  poor  thermal  con  trol  of  the 
Liquid  Cooling  Garment  (leading  to  a  hot  crewmember  loosing  excessive  water),  higher  than  normal 
metabolic  rates,  abnormal  biomedical  signs,  and  performance  decrement. 

DOCUMENTATION :  Kumar,  K.  V  and  Waligora,  J.M.  Energy  Utilization  Rates  During  Shuttle 
Extravehicular  Activities.  Elsevier  Science  Ltd.  Vol  36,  Nos  8-12,  pp. 595-599.  1995. 

DOCUMENTATION :  Pepper,  Larry  J.  and  Waligora,  James  M.  Physiological  Experience  During 
Shuttle  EVA.  SAE  Technical  Paper  Series:  951592.  10-13  July  1995.  ®[050400-7i93A] 
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A13-103  EVA  PREBREATHE  PROTOCOL 

A.  FOR  SCHEDULED  AND  UNSCHEDULED  EVA'S,  PREBREATHING  WILL  BE 
ACCOMPLISHED  USING  THE  PROTOCOL  DEFINED  IN  PARAGRAPH  A.l 
(10.2  PSI  CABIN)  UNLESS  THE  PROTOCOL  DEFINED  IN  PARAGRAPH  A. 2 
(IN-SUIT)  IS  REQUIRED  FOR  A  SPECIFIC  FLIGHT. 

1.  10.2  PSI  CABIN  OPTIONS: 

a.  EVA  SCHEDULED  WITHIN  36  HOURS  OF  CABIN  DEPRESS  TO 
10 . 2  PSI  : 


INITIAL  PREBREATHE 

TIME  AT  10.2  PSI 

FINAL  PREBREATHE 

60  MINUTES 

24  HOURS 

40  MINUTES 

60  MINUTES 

20  HOURS 

50  MINUTES 

60  MINUTES 

16  HOURS 

60  MINUTES 

60  MINUTES 

12  HOURS 

75  MINUTES 

(1)  THE  INITIAL  PREBREATHE  MUST  BE  AN  UNBROKEN 
PREBREATHE  WITH  >  95  PERCENT  C£ ,  AT  LEAST  45 
MINUTES  OF  WHICH  MUST  BE  ACCOMPLISHED  PRIOR  TO 
DEPRESSURIZATION  BELOW  12.5  PSI.  THE  PREBREATHE 
WILL  NOT  BE  TERMINATED  UNTIL  THE  CABIN  PRESSURE 
REACHES  10.2  PSI. 

(2)  THE  FINAL  PREBREATHE  MUST  BE  AN  UNBROKEN 
PREBREATHE  IN  THE  SUIT  OF  40  MINUTES  (24-HOUR 
PROTOCOL)  OR  75  MINUTES  (12-HOUR  PROTOCOL) 
IMMEDIATELY  PRIOR  TO  EVA.  THE  FINAL  PREBREATHE 
MAY  BE  GRADUALLY  REDUCED  FOR  10.2  PSI  EXPOSURES 
LONGER  THAN  12  HOURS  BUT  LESS  THAN  24  HOURS. 
CONSULT  THE  FCR  SURGEON  FOR  THE  TOTAL  TIME 
REQUIRED  FOR  THE  FINAL  PREBREATHE. 

b.  EVA  SCHEDULED  FOR  LATER  THAN  36  HOURS  AT  10.2  PSI: 

(1)  IF  THE  EVA  IS  SCHEDULED  FOR  LATER  THAN  36  HOURS 
AFTER  CABIN  DEPRESS  TO  10.2,  THE  INITIAL 
PREBREATHE  MAY  BE  ELIMINATED.  THE  FINAL 
PREBREATHE  WILL  BE  40  MINUTES. 
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A13-103  EVA  PREBREATHE  PROTOCOL  (CONTINUED) 

(2)  IF  THE  INITIAL  PREBREATHE  IS  ELIMINATED,  BUT  THE 
EVA  OCCURS  PRIOR  TO  36  HOURS  AT  10.2  PSI,  THEN 
60  MINUTES  WILL  BE  ADDED  TO  THE  PREBREATHE. 

2.  IN-SUIT  OPTION: 

A  MINIMUM  OF  4  HOURS  UNBROKEN  PREBREATHE  WITH  >  95  PERCENT 
O2  IS  REQUIRED  AT  A  CABIN  PRESSURE  ABOVE  12.5  PSI  PRIOR  TO 
ANY  CABIN  OR  AIRLOCK  DEPRESSURIZATION  BELOW  8  PSI. 

All  prebreathe  options  in  paragraphs  A.l  and  A.  2  produce  the  same  denitrogenation  for  all 
crewmembers  (R=1.65-1.68)  and  these  protocols  or  less  conservative  protocols  have  been  verified  in 
ground-based  testing.  The  R-value  is  the  ratio  of  tissue  N2  prior  to  decompression  to  the  final  ambient 
pressure.  The  R-value  is  a  measure  of  risk  for  decompression  sickness.  The  02  prebreathe  displaces 
nitrogen  from  the  tissues  and  blood  thus  lowering  the  risk  for  decompression  sickness  at  low  ambient 
pressure.  The  nitrogen  displaced  from  the  tissues  will  dilute  the  suit  oxygen  slightly  ( down  to  92 
percent),  but  supply  oxygen  >  95  percent  will  still  provide  adequate  denitrogenation.  The  10.2  cabin 
option  is  always  preferred  and  will  be  used  unless  a  specific  flight  carries  equipment  that  cannot  be 
exposed  to  a  10.2  psi  cabin  atmosphere  and  must  continue  to  operate  throughout  the  EVA.  For  off- 
nominal  prebreathe  situations,  a  calculated  prebreathe  time  based  on  an  R-vcilue  of  1.65  is  highly 
desirable.  Lack  of  ground-based  support  data  for  off-nominal  prebreathe  scenarios  dictates  a 
conservative  approach  in  the  prevention  of  DCS  symptoms.  @[032395-1761  ] 

Prebreathe  protocols  for  12  and  24  hours  at  10.2  psi  have  been  tested  in  ground-based  studies  and  are 
the  preferred  operational  protocols.  Prebreathe  exposures  between  12  and  24  hours  may  be  considered 
as  necessary,  but  no  ground-based  test  data  has  been  obtained  at  intermediate  exposures. 

When  an  EVA  is  scheduled  after  36  hours  at  10.2,  it  is  unlikely  that  any  dispersed  gas  bubbles  formed  by 
the  depressurization  to  10.2  would  remain  beyond  36  hours.  If  the  initial  prebreathe  was  not  performed, 
but  an  EVA  becomes  necessary  prior  to  36  hours,  then  the  calculated  fined  prebreathe  will  be  extended 
by  60  minutes.  It  is  estimated  that  the  extra  60  minutes  of  fined  prebreathe  would  offset  the  reduced 
nitrogen  washout  capability  that  small  persistent  bubbles  would  cause. 

B.  FOR  ANY  CONTINGENCY  EVA,  PREBREATHING  WILL  BE  ACCOMPLISHED  AS 
FOLLOWS : 

1.  IF  SUFFICIENT  CREW  TIME  IS  AVAILABLE  DURING  PREPARATION 
FOR  A  CONTINGENCY  EVA,  THE  PREBREATHE  PROTOCOLS  OF 
PARAGRAPHS  A.l  OR  A. 2  SHALL  APPLY. 
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A13-103  EVA  PREBREATHE  PROTOCOL  (CONTINUED) 

2.  IF  EVA  PREPARATION  TIME  IS  CRITICAL  TO  CREW  SAFETY,  A 

MINIMUM  OF  2.5  HOURS  UNBROKEN  PREBREATHE  WITH  >  95  PERCENT 
O2  IS  RECOMMENDED  AT  A  CABIN  PRESSURE  ABOVE  12.5  PSI  PRIOR 
TO  ANY  CABIN  OR  AIRLOCK  PRESSURE  BELOW  8  PSI.  THE  FOR 
SURGEON  SHALL  BE  CONSULTED  FOR  A  RECOMMENDED  PREBREATHE 
PROTOCOL  FOR  ANY  CONTINGENCY  EVA. 


A  minimum  prebreathe  of  2.5  hours  will  reduce  the  estimated  risk  of  incapacitating  bends  to  <  50 
percent  for  an  EVA  up  to  6  hours  in  duration.  This  recommended  time  is  very  approximate  and  should 
be  extended  if  possible.  A  prebreathe  <2.5  hours  would  exceed  a  50  percent  risk  of  incapacitating 
bends,  and  the  risk  would  increase  as  the  prebreathe  was  progressively  shortened.  The  FCR  surgeon 
should  be  consulted  on  each  con  tingency  EVA  situation  for  an  estimate  of  the  risk  based  on  the  proposed 
length  of  prebreathe  time. 

C.  INTERRUPTION  OF  THE  PREBREATHE  PROTOCOL: 

1 .  10.2  CABIN  OPTION: 

a.  NO  MODIFICATION  OF  THE  10.2  PSI  PREBREATHE  PROTOCOL 

IS  REQUIRED  IF  THE  CABIN  PRESSURE  IS  MAINTAINED  BELOW 
THE  MAXIMUM  LIMIT  OF  10.84  (10.6)  PSI. 

b.  IF  THE  CABIN  PRESSURE  EXCEEDS  10.6  PSI  INDICATED, 

THE  EVA  CREWMEMBERS  WILL  DON  THE  QDM  IMMEDIATELY. 
CONSULT  THE  FCR  SURGEON  FOR  THE  REQUIRED 
MODIFICATION  TO  THE  PREBREATHE  PROTOCOL. 

An  increase  in  the  cabin  pressure  above  10.6  psi  indicated  will  cause  the  tissues  and  blood  to  reabsorb 
nitrogen.  At  cm  indicated  cabin  pressure  of  10.6  psi,  the  true  cabin  pressure  may  be  10.84  psi.  The 
indicated  PPO2  caution  and  warning  limit  of 2.55,  2.40  psi  true,  produces  a  worst  case  PPN2  of  8.44 
(10.84  -  2.40)  psi.  This  maximum  PPN2  of  8.44  psi  is  acceptable  for  continued  prebreathe  without 
modification.  For  pressures  above  10.6  psi  indicated,  wearing  the  QDM  and  breathing  100  percen  t 
oxygen  can  prevent  renitrogenation  and  preserve  the  prebreathe  protocol.  ( Ref.  Rule  { A17-301} ,  CABIN 
ATMOSPHERE  MANAGEMENT. ) 

2.  QDM/EMU  OPERATIONS  (100  PERCENT  O2  PREBREATHE) 
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A13-103  EVA  PREBREATHE  PROTOCOL  (CONTINUED) 

a.  ANY  INTERRUPTION  OF  THE  PREBREATHE  PROTOCOL  WHICH 
OCCURS  WHILE  THE  CREW  IS  WEARING  THE  QDM  OR  IS  IN 
THE  EMU  WILL  REQUIRE  AN  INCREASE  IN  THE  TIME  ON  100 
PERCENT  02  AT  A  RATIO  OF  2  ADDITIONAL  MINUTES  FOR 
EACH  1  MINUTE  INTERRUPTION  OF  PREBREATHE.  ®[021 1 99-6806A] 

b.  IF  THE  EMU  IN-SUIT  PREBREATHE  IS  INTERRUPTED  AFTER 
COMPLETION  OF  THE  SUIT  PURGE,  THE  INTERRUPTION 
DURATION  IS  DEFINED  AS  THE  TIME  BREATHING  CABIN 
ATMOSPHERE  PLUS  THE  TIME  BREATHING  SUIT  ATMOSPHERE 
PRIOR  TO  REINITIATION  OF  A  SUBSEQUENT  SUIT  PURGE. 

THE  SUBSEQUENT  SUIT  PURGE  DURATION  DOES  NOT  COUNT  AS 
EITHER  THE  INTERRUPTION  TIME  OR  THE  ADDITIONAL 
PREBREATHE  TIME. 

C.  THE  RESULTING  PREBREATHE  TIME  (ADDITIONAL  PREBREATHE 

PLUS  REMAINDER  OF  ORIGINAL  PREBREATHE)  WILL  NOT  EXCEED 
THE  ORIGINAL  PREBREATHE  TIME  PER  PARAGRAPH  A.l  OR  A. 2. 
CONSULT  THE  FOR  SURGEON  FOR  THE  REQUIRED  INCREASE  IN 
LENGTH  OF  THE  PREBREATHE  PERIOD.  ®[021 1 99-6806A] 

Breathing  nitrogen  after  the  prebreathe  has  begun  allows  the  tissues  and  blood  to  reabsorb  nitrogen. 

Renitrogenation  occurs  at  a  more  rapid  rate  than  denitrogenation,  and  a  break  in  the  prebreathe  will 

require  extra  prebreathe  time  to  be  added  to  the  protocol. 

D.  FOR  MULTIPLE  EVA'S: 

1.  IF  THE  PROTOCOLS  OUTLINED  IN  PARAGRAPH  A.l  ARE  USED,  THE 
CABIN  PRESSURE  WILL  BE  MAINTAINED  AT  10.2  PSI  UNTIL 
COMPLETION  OF  THE  FINAL  EVA.  EACH  SUBSEQUENT  EVA  MUST 
HAVE  AN  UNBROKEN  PREBREATHE  OF  AT  LEAST  40  MINUTES  IN  THE 
SUIT  IMMEDIATELY  PRIOR  TO  EVA. 

2.  IF  THE  IN-SUIT  PREBREATHE  OPTION  IS  USED,  EACH  EVA  WILL 
FOLLOW  THE  PROTOCOL  OUTLINED  IN  PARAGRAPH  A. 2. 

Rules  (A2-107CJ,  EVA  GUIDELINES;  {A13-51},  CABIN  PRESSURE;  {A15-151},  DENITROGENATION; 

and  {A17-309},  CABIN  PRESSURE  TIME  AT  10.2  PSIA;  reference  this  rule.  ®[oi  2694-1 600  ] 
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A13-104  DECOMPRESSION  SICKNESS  SYMPTOMS  AND  CREW 

DISPOSITION 

A.  CUFF  CLASS  1:  ©[040899-6836A] 

1.  SYMPTOMS:  MILD  PAIN  AT  SINGLE  OR  MULTIPLE  SITES 
AND/OR  SINGLE  EXTREMITY  PARASTHES IA .  SYMPTOMS  THAT 
ARE  DIFFICULT  TO  DISTINGUISH  FROM  SUIT  PRESSURE 
POINTS.  SYMPTOMS  DO  NOT  INTERFERE  WITH  PERFORMANCE. 

2.  RESPONSE:  CONTINUE  EVA  AND  REPORT  IN  POST-EVA  PMC. 

3.  NO  IMPACT  ON  FUTURE  EVA  PLANS  FOR  THE  AFFECTED  CREWMEMBER 
OR  ON  MISSION  DURATION. 


The  EMU  cart  cause  pressure  points  and  pains  that  could  be  confused  with  DCS  symptoms.  However, 
the  risk  of  mild  pain  of  this  nature  progressing  to  a  serious  symptom  is  low.  Because  there  is  low 
concern  with  injury  and  the  symptoms  are  expected  to  resolve  during  repress  if  they  are  DCS  related,  it 
is  acceptable  to  continue  the  EVA  and  report  the  symptoms  later  in  a  PMC.  It  is  specifically  mentioned 
in  the  rule  that  there  is  no  impact  to  future  EVA  to  encourage  cuff  class  1  symptom  reporting.  This 
reporting  is  required  to  verify  total  DCS  risk  over  time. 

B.  CUFF  CLASS  2: 

1.  SYMPTOMS:  MODERATE  CUFF  CLASS  1  SYMPTOMS  THAT  INTERFERE 
WITH  PERFORMANCE. 

2.  RESPONSE:  TERMINATE  EVA  FOR  AFFECTED  CREWMEMBER. 
UNAFFECTED  CREWMEMBER  TERMINATES  EVA  AFTER  COMPLETING 
WORK  SITE  CLEANUP  AND  PAYLOAD  BAY  SAFING.  REPRESS 
AIRLOCK  AS  SOON  AS  PAYLOAD  BAY  SAFING  IS  COMPLETE. 
CONDUCT  PMC  AFTER  REPRESS. 

3.  NO  IMPACT  ON  MISSION  DURATION  IF  SYMPTOMS  RESOLVE. 

SURGEON  WILL  DETERMINE  CONSTRAINTS  ON  FUTURE  EVA  FOR 
AFFECTED  CREWMEMBER  CONSISTENT  WITH  NASA  JSC 
DECOMPRESSION  SICKNESS  PROCEDURES  AND  GUIDELINES  JPG 
18  0  0.3.  ©[040899-6836A] 

THIS  RULE  CONTINUED  ON  NEXT  PAGE 


VOLUME  A  06/20/02  FINAL  AEROMEDICAL  13-31 

Verify  that  this  is  the  correct  version  before  use. 


NASA  -  JOHNSON  SPACE  CENTER 


FLIGHT  RULES 


A13-104  DECOMPRESSION  SICKNESS  SYMPTOMS  AND  CREW 

DISPOSITION  (CONTINUED) 


This  level  of  symptoms  is  distinguishable  from  EMU  pressure  points  by  a  trained  EVA  astronaut. 

Because  it  represents  confirmed  DCS  symptoms  and  pressure  is  one  of  the  most  effective  treatments,  the 
affected  crewmember  should  be  repressed  as  soon  as  practical.  The  overall  risk  is  low  enough  to 
warrant  work  site  cleanup  and  payload  bay  safing  before  repressing  but  not  additional  mission  success 
tasks.  The  affected  crewmember’ s  activity  should  be  minimized  because  con  tinued  joint  loads  can 
aggravate  the  symptoms.  During  the  post-repress  PMC,  the  Surgeon  will  determine  specific  treatment 
required.  NASA  JSC  Decompression  Sickness  Procedures  and  Guidelines  JPG  1800.3  documents  the 
approved  limits  for  return-to-duty  and  return-to-delta  pressure  operations.  The  responses  in  these  flight 
rules  are  consistent  with  this  document.  ®[040899-6836A] 

C.  CUFF  CLASS  3: 

1.  SYMPTOMS:  SEVERE  CUFF  CLASS  1  SYMPTOMS  OR  MIGRATORY, 
TRUNKAL  OR  MULTIPLE  SITE  PARESTHESIA,  OR  SEVERE  OR 
UNUSUAL  HEADACHE . 

2.  RESPONSE:  TERMINATE  EVA  FOR  BOTH  CREWMEMBERS.  UNAFFECTED 
CREWMEMBER  WILL  ASSIST  AFFECTED  CREWMEMBER  TO  AIRLOCK 
THEN  PERFORM  PAYLOAD  BAY  SAFING.  REPRESS  AIRLOCK  AS  SOON 
AS  PAYLOAD  BAY  SAFING  IS  COMPLETE.  CONDUCT  PMC  AFTER 
REPRESS . 

3.  NO  IMPACT  ON  MISSION  DURATION  IF  SYMPTOMS  RESOLVE. 

SURGEON  WILL  DETERMINE  CONSTRAINTS  ON  FUTURE  EVA  FOR 
AFFECTED  CREWMEMBER  CONSISTENT  WITH  NASA  JSC 
DECOMPRESSION  SICKNESS  PROCEDURES  AND  GUIDELINES  JPG 
1800 . 3  . 

These  symptoms  are  more  severe  than  cuff  class  2  because  they  are  a  more  generalized  level  of  DCS  and 
there  is  a  higher  risk  of  symptom  progression.  Because  continued  joint  loads  can  aggravate  the 
symptoms,  the  affected  crewmember’ s  activity  should  be  restricted  to  airlock  ingress  and  should  be 
assisted  as  much  as  possible.  Further,  work  site  and  payload  bay  cleanup  should  be  limited  to  only  those 
required  to  safe  the  payload  bay  for  an  expedited  deorbit.  The  overall  risk  is  low  enough  to  warrant 
delaying  repress  until  both  crewmembers  are  in  the  airlock.  During  the  post-repress  PMC,  the  Surgeon 
will  determine  specific  treatment  required.  NASA  JSC  Decompression  Sickness  Procedures  and 
Guidelines  JPG  1800.3  documents  the  approved  limits  for  return-to-duty  and  return-to-delta  pressu  re 
operations.  The  responses  in  these  flight  rules  are  consistent  with  this  document.  ®[040899-6836A] 
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A13-104  DECOMPRESSION  SICKNESS  SYMPTOMS  AND  CREW 

DISPOSITION  (CONTINUED) 

D.  CUFF  CLASS  4:  ©[040899-6836A] 

1.  SYMPTOMS:  CENTRAL  NEUROLOGICAL  OR  CARDIOPULMONARY. 

2.  RESPONSE:  ABORT  EVA.  UNAFFECTED  CREWMEMBER  WILL  ASSIST 
AFFECTED  CREWMEMBER  TO  AIRLOCK.  AFFECTED  CREWMEMBER  WILL 
BE  REPRESSED  IMMEDIATELY,  WITH  THE  UNAFFECTED  CREWMEMBER 
PERFORMING  PAYLOAD  BAY  SAFING  AND  REPRESSING  SEPARATELY 
IF  REQUIRED.  CONDUCT  PMC  AFTER  REPRESSING  THE  AFFECTED 
CREWMEMBER. 

3.  SURGEON  WILL  DETERMINE  CONSTRAINTS  ON  FUTURE  EVA  FOR 
AFFECTED  CREWMEMBER  CONSISTENT  WITH  NASA  JSC  DECOMPRESSION 
SICKNESS  PROCEDURES  AND  GUIDELINES  JPG  1800.3. 


The  absolute  minimum  time  to  repress  the  affected  crewmember  is  essential  because  these  symptoms  pose 
a  serious  health  risk  and  increase  the  probability  of  an  emergency  deorbit.  Therefore,  it  is  acceptable  to 
repress  the  affected  crewmember  separately  while  the  other  crewmember  safes  the  payload  bay  for  cm 
expedited  deorbit.  At  this  level,  it  is  likely  the  affected  crewmember  will  require  assistance  due  to 
impairmen  t,  and  continued  joint  loads  can  aggravate  the  symptoms.  During  the  post-repress  PMC,  the 
Surgeon  will  determine  specific  treatment  required.  NASA  JSC  Decompression  Sickness  Procedures  and 
Guidelines  JPG  1800.3  documents  the  approved  limits  for  return-to-duty  and  return-to- delta  pressure 
operations.  The  responses  in  these  flight  rules  are  consistent  with  this  documen  t. 

DOCUMENTATION :  DCS  Risk  Definition  and  Contingency  Plan  Review,  April  1998;  NASA  JSC 
Decompression  Sickness  Procedures  and  Guidelines  JPG  1800.3. 

Reference  Rule  {A13-105},  DECOMPRESSION  SICKNESS  RESPONSE  AND  TREATMENT. 

©[040899-6836A] 
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A13-105  DECOMPRESSION  SICKNESS  RESPONSE  AND  TREATMENT 

A.  DEORBIT  REQUIREMENTS:  ©[040899-6835B] 

1.  ANY  EARLY  MISSION  TERMINATION  AND  DEORBIT  FOR  DCS 
PURPOSES  WILL  ONLY  BE  CONSIDERED  TO  A  SITE  DESIGNATED 
AS  A  PRIMARY  HYPERBARIC  CARE  SITE. 

Deorbit  timeframe  will  be  based  on  deorbit  opportunities  and  Surgeon’s  evaluation  of  the  severity  of 
the  specific  symptoms.  The  additional  risk  of  landing  at  an  ELS  will  only  be  considered  if  the  site  has 
hyperbaric  treatment  capability  since  the  most  important  treatment  for  DCS  is  increased  pressure.  The 
landing  site  list  maintained  by  Flight  Surgeon  is  annotated  to  show  sites  that  medical  operations  has 
classified  as  primary  hyperbaric  care  sites.  This  designation  reflects  the  time  to  transport  the  injured 
crewmember  to  the  chamber  and  the  level  of  support  available  at  the  chamber. 

2.  FOR  ALL  LEVELS  OF  DCS  THAT  RESOLVE  WITH  TREATMENT,  THERE 
IS  NO  REQUIREMENT  FOR  EMERGENCY  DEORBIT. 

If  symptoms  resolve  with  treatment,  there  is  a  low  risk  of  recurring  symptoms  and  injury  to  the 
crewmember.  Therefore,  the  risk  of  an  emergency  deorbit  is  not  warran  ted.  However,  based  on  specific 
symptoms  and  response  to  treatment,  Surgeon  may  request  the  affected  crewmember  be  returned  to  Earth 
before  the  normal  end  of  mission. 

3.  FOR  ALL  CUFF  CLASS  1  SYMPTOMS,  OR  CUFF  CLASS  2  AND  3 
SYMPTOMS  WHICH  RESOLVE  WITH  TREATMENT,  THERE  IS  NO 
REQUIREMENT  FOR  ANY  EARLY  MISSION  TERMINATION. 

4.  EARLY  DEORBIT  WILL  GENERALLY  NOT  BE  CONSIDERED  FOR 
UNRESOLVED  NON-CUFF  CLASS  4  SYMPTOMS  UNLESS  MEDICAL 
JUDGMENT  DEEMS  THE  SYMPTOMS  ARE  PROGRESSING  AND/OR 
ENDANGER  CREW  HEALTH  AND  SAFETY. 

98.6  percent  or  more  of  non-Cujf  Class  4  symptoms  resolve  with  ground  level  O2,  so  we  would 
expect  them  to  resolve  with  our  on-orbit  treatments.  Additionally,  we  have  data  and  experience  that 
clearly  suggests  the  suit  creates  residual  symptoms,  pain  and  paresthesia,  that  are  consistent  with 
non-Cujf  Class  4  DCS.  Also,  data  indicates  there  is  no  long-term  injury  associated  with  unresolved 
non-Cujf  Class  4  symptoms. 
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A13-105  DECOMPRESSION  SICKNESS  RESPONSE  AND  TREATMENT 

(CONTINUED) 


5.  FOR  UNRESOLVED  CUFF  CLASS  4  SYMPTOMS,  DEORBIT  TO  THE  NEXT 
PRIMARY  LANDING  SITE  OR  WITHIN  THE  SCOPE  OF  NORMAL  NPLS 
DEORBIT  TIMING  TO  A  LANDING  SITE  DESIGNATED  AS  A  PRIMARY 
HYPERBARIC  CARE  SITE.  BASED  ON  THE  SPECIFIC  MEDICAL 
SITUATION,  DEORBIT  WILL  BE  CONSIDERED  TO  THESE  SITES  AS 
EARLY  AS  10  HOURS  AFTER  THE  ONSET  OF  CUFF  4  SYMPTOMS. 

©[040899-6835B] 

After  the  full  treatment  flow,  persistent  Cuff  Class  4  symptoms  are  life  threatening.  Even  in  this  case,  the 
additional  risk  of  landing  at  an  ELS  will  only  be  considered  if  the  site  has  hyperbaric  treatmen  t 
capability  since  the  most  important  treatment  for  DCS  is  increased  pressure.  Long-term  risk  to  an 
affected  crewmember  is  reduced  if  treatment  is  initiated  within  approximately  12  hours.  Depending  on 
the  severity  of  the  specific  Cuff  4  symptoms.  Surgeon  may  request  an  expedited  deorbit.  Considering  the 
treatmen  t  available  simply  from  cabin  pressure  and  when  the  risk  to  the  affected  crewmember  is  weighed 
against  the  risk  to  the  full  crew  and  spacecraft,  it  was  concluded  that  landing  in  less  than  10  hours  is  not 
justified.  ®[040899-6835B] 

B.  THE  CAPABILITY  OF  THE  AFFECTED  CREWMEMBER  TO  RETURN  TO  DUTY 
AND  TO  EVA  AFTER  TREATMENT  WILL  BE  DETERMINED  BY  THE  SURGEON 
CONSISTENT  WITH  NASA  JSC  DECOMPRESSION  SICKNESS  PROCEDURES 
AND  GUIDELINES  JPG  1800.3. 

C.  THE  SUIT  WILL  REMAIN  IN  THE  PRESS  MODE  OR  AT  BTA  TREATMENT 
PRESSURE  AS  SUPPORTED  BY  SUIT  CONSUMABLES.  THE  BTA  CAN  BE 
INSTALLED  TO  PROVIDE  THE  MAXIMUM  PRESSURE  IN  THE  SUIT  FOR 
TREATMENT.  @[071001-4742] 


The  BTA  can  now  be  installed  without  depressurizing  the  suit.  The  use  of  the  BTA  will  pressurize  the 
affected  crewmember  to  6  or  8  psi  above  ambient.  Using  the  BTA  to  press  the  suit  to  8  psi  over  ambient, 
renders  the  suit  unusable  for  subsequent  EVAs  due  to  a  need  for  re-certification  of  the  suit  seals. 
@[071001-4742] 

D.  CABIN  PRESSURE  WILL  BE  MANAGED  AS  FOLLOWS: 

1.  FOR  CUFF  CLASS  2  OR  3  SYMPTOMS  THAT  DO  NOT  RESOLVE 

WITHIN  20  MINUTES  OF  AIRLOCK  REPRESS,  THE  CABIN  WILL  BE 
REPRESSURIZED  TO  14.7  PSI.  FOR  CASES  THAT  DO  NOT 
RESOLVE  WITH  14.7  TREATMENT,  THE  CABIN  WILL  BE  FURTHER 
PRESSURIZED  TO  THE  HIGHEST  PRESSURE  SUPPORTABLE  BY 
CONSUMABLES  AND  OXYGEN  CONSTRAINTS  UP  TO  15.56  PSI. 
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DECOMPRESSION  SICKNESS  RESPONSE  AND  TREATMENT 
(CONTINUED) 

FOR  CUFF  CLASS  4  SYMPTOMS,  THE  CABIN  WILL  BE 
REPRESSURIZED  TO  14.7  PSI  BEFORE  OR  DURING  AIRLOCK 
REPRESS.  FOLLOWING  CABIN/AIRLOCK  REPRESS,  THE  CABIN 
WILL  BE  FURTHER  PRESSURIZED  TO  THE  HIGHEST  PRESSURE 
SUPPORTABLE  BY  CONSUMABLES  AND  OXYGEN  CONSTRAINTS  UP  TO 

15.56  PSI.  ©[040899-6835B] 

FOR  CUFF  CLASS  2,  3  AND  4  SYMPTOMS,  THE  AFFECTED 
CREWMEMBER  WILL  NOT  BE  EXPOSED  TO  A  REDUCED  CABIN 
PRESSURE  FOR  AT  LEAST  72  HOURS  AFTER  DCS  TREATMENT  UNLESS 
REQUIRED  FOR  DEORBIT,  CONSUMABLES  MANAGEMENT,  OR  OXYGEN 
CONSTRAINTS.  FOR  CASES  WITH  THE  CABIN  PRESSURE  RAISED 
ABOVE  14.7  PSIA,  THE  CABIN  PRESSURE  WILL  BE  ALLOWED  TO 
BLEED  DOWN  TO  14.7  PSIA.  ©[040899-6835B] 

In  all  cases,  the  most  effective  immediate  treatment  is  repressurization.  The  total  pressure  reached  at 
cabin  pressure  with  the  suit  in  PRESS  mode  suffices  for  cuff  class  2  and  3  symptoms.  If  the  symptoms 
resolve,  there  is  no  need  to  increase  the  cabin  pressure  above  the  pressure  at  ingress.  However,  if  Cuff 
Class  2  and  3  symptoms  do  not  resolve  with  the  initial  treatment  in  a  10.2-psi  cabin,  the  additional  4.5 
psi  is  the  most  effective  next  step  and  the  cabin  will  be  repressed  to  14.7  psi. 

Due  to  the  severity  of  cuff  class  4  symptoms,  the  cabin  will  immediately  be  repressed  to  at  least  14.7  psi 
to  maximize  the  initial  treatment  pressure.  Toted  pressure  will  be  raised  as  high  as  15.56  psi  if 
supported  by  consumables  and  oxygen  constraints.  This  pressure  provides  0.24-psi  margin  (cabin 
pressure  sensor  measurement  error)  below  the  positive  pressure  relief  valve  (PPRV)  cracking  pressure 
based  on  a  relief  pressure  of  15.8  psi  for  OV-105.  15.8  psia  is  the  lowest  PPRV  cracking  pressure  of  the 
fleet.  The  other  vehicle’s  PPRV  cracking  pressures  are  as  follows:  OV-102  and  OV-103  -  15.9  psia,  OV- 
104  -  15.95  psia. 

To  prevent  recurring  symptoms,  the  affected  crewmember  will  not  be  exposed  to  cabin  pressure 
reductions  for  at  least  72  hours.  Surgeon  may  require  a  longer  period  based  on  specific  symptoms  and 
response  to  treatment. 

The  cabin  pressure  may  be  raised  to  15.56  psia  while  treating  severe  symptoms.  However,  at  the  end  of 
the  treatment,  the  crewmember  will  be  removed  from  the  EMU  that  is  providing  the  majority  of  the 
additional  pressure  during  the  treatment.  Therefore,  it  is  acceptable  to  allow  the  cabin  pressure  to  bleed 
down  over  time  to  14. 7  psia  in  order  to  return  to  automatic  atmosphere  maintenance  using  the  O2/N2 
cabin  regulators. 

DOCUMENTATION :  NSTS  16007  LCC  Rev  G  (ECL-05),  DCS  Risk  Definition  and  Contingency  Plan 
Review,  April  1998;  NASA  JSC  Decompression  Sickness  Procedures  and  Guidelines  JPG  1800.3,  OMI 
V1217  Test  Data. 
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A13-105  DECOMPRESSION  SICKNESS  RESPONSE  AND  TREATMENT 

(CONTINUED) 


Arthur  DC  and  Margulies  RA.  The  pathophysiology,  presentation,  and  triage  of  altitude-related 
decompression  sickness  associated  with  hyperbaric  chamber  operation.  Aviat.  Space  Environ.  Med. 
48:489-494,  May  1 982.  ®[07i  001-4742  ] 

Wade  Frost  presented  to  the  Systems  Safety  Review  Panel,  "Review  of  the  revised  on-orbit  bends 
treatment  procedure",  May  23,  2001. 

Conkin,  J.  EVA-IPT  response  to  ACTION  about  barotrauma  risk  with  rapid  decompression  of  EMU  with 
BTA  attached.  February  2,  2001.  ®[071 001  -4742  ] 

Reference  Rules  (A13-104J,  DECOMPRESSION  SICKNESS  SYMPTOMS  AND  CREW  DISPOSITION, 
and  {A1 7-254},  CABIN  02  CONCENTRATION.  ®[040899-6835B] 
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HAZARD  MANAGEMENT 


A13-151  HOT  CABIN  ATMOSPHERE 

IN  THE  EVENT  OF  LOSS  OF  CABIN  COOLING  CAPABILITY  AND  TIG  IS 

GREATER  THAN  2.5  HOURS,  THE  FOLLOWING  MEASURES  SHOULD  BE  TAKEN: 

A.  MONITOR  AND  RECORD  CREW  AND  CABIN  TEMPERATURE  AND  HUMIDITY 
CHANGES  USING  AVAILABLE  SENSORS  INCLUDING  MEDICAL  KIT 
THERMOMETERS . 

B.  BEGIN  IMMEDIATE  FLUID  LOADING,  WITH  8  OUNCES  OF  WATER  EVERY 
15  MINUTES  AND  ONE  SALT  TABLET  EVERY  30  MINUTES. 

C.  DON  QDM  FOR  CREWMEMBER  DISCOMFORT  (I.E.,  ESTIMATED  CABIN 
TEMPERATURE  GREATER  THAN  90  DEG  F  AND  HUMIDITY  GREATER  THAN 
90  PERCENT)  WITH  CONTINUED  WEAR  UNTIL  RESOLUTION  OF  THE 
COOLING  PROBLEM.  DEORBIT  TO  AN  EMERGENCY  LANDING  SITE  MAY  BE 
REQUIRED  PRIOR  TO  PLS  AS  DETERMINED  REAL  TIME  BY  CREW,  FLIGHT 
DIRECTOR,  AND  CREW  SURGEON. 

D.  WEAR  LES  DURING  ENTRY.  INFLATION  OF  G-SUIT  PORTION  OF  THE 
LES  TO  1.5  PSI  REQUIRED  AT  El. 


A  hot  cabin  may  quickly  reach  crew  tolerance  limits  and  impair  crew  performance/health  prior  to  PLS 
opportunities,  and  monitoring  of  the  cabin  and  crew  may  be  very  limited  due  to  the  powerdown.  Crew 
tolerances  may  be  near  limits  when  their  skin  temperature  increases  greater  than  2.5  deg  F  (1  deg  F 
core)  or  if  pulse  is  greater  than  140,  but  precise  prediction  of  crew  tolerances  and  time  constraints  for 
entry  is  not  possible.  Stepwise  preventive  measures,  including  water  and  salt  intake,  QDM  use  (for 
respiratory  cooling  with  low  humidity  oxygen ),  and  LES  wear  with  G-suit  use  (to  increase  effective  blood 
volume  by  preventing  blood  pooling  in  lower  extremities)  are  necessary  to  provide  maximum  protection 
from  the  environment.  Cabin  purges  may  also  be  used  for  cooling.  An  emergency  landing  may  be 
required  to  preven  t  crew  incapacitation  during  certain  situations,  and  preparations  for  such  landings 
must  begin  well  in  advance.  Such  a  determination  will  be  a  real-time  call  depending  on  the  situation  due 
to  the  n  umerous  factors  involved. 
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A13-152  CABIN  ATMOSPHERE  CONTAMINATION 

A.  PLANNED  OR  ACCIDENTAL  DISCHARGE  OF  EITHER  A  FIXED  AVIONICS 

BAY  FIRE  EXTINGUISHER  OR  A  PORTABLE  FIRE  EXTINGUISHER  INTO  AN 
AVIONICS  BAY  WITH  NO  SMOKE/FIRE  DETECTED:  @[090894-1 682A] 

1 .  THE  CREW  MAY  BE  EXPOSED  TO  THE  CABIN  ATMOSPHERE  FOR 
72-100  HOURS  FROM  THE  TIME  OF  DISCHARGE  WITHOUT  IMPACT. 

2.  THE  CREW  WILL  CONTACT  MCC  TO  DETERMINE  THE  MAXIMUM 
ALLOWABLE  EXPOSURE  TIME  ON-ORBIT.  THE  SURGEON  WILL  MAKE 
A  DECISION  AS  TO  WHEN  THE  CREW  MAY  DON  THE  QDM' S  OR  LES'S 
AND  BREATHE  100  PERCENT  OXYGEN  TO  INCREASE  MISSION 
DURATION. 

3.  THE  CDR,  PLT,  AND  FLIGHT  ENGINEER  WILL  CLOSE  VISORS  ON 
THE  LES'S  AND  BREATHE  100  PERCENT  OXYGEN  FOR  60  MINUTES 
PRIOR  TO  LANDING  AND  THROUGH  LANDING  ROLLOUT. 

REAL-TIME  DISCUSSION  OF  MISSION  DURATION  OR  EXTENSION  WILL  BE 
DEPENDENT  UPON  SUCH  FACTORS  AS  CREW  SYMPTOMS,  PERFORMANCE, 
AND/OR  INITIATION  OF  A  DEDICATED  AVIONICS  BAY  PURGE. 

The  above  criterion  was  established  based  upon  information  from  NASA’s  Halon  1301  Human  Inhalation 
Study  ( reference  JSC-23845,  August  1989),  the  National  Research  Council  (NRC),  and  JSC  Toxicology 
Group.  The  human  study  involved  exposing  8  volunteers  to  Halon  1301  for  a  period  of  24  hours  at  a 
concentration  of  1.0  percent  (10,000  ppm).  The  effects  on  both  physiology  and  performance  were  studied 
using  a  computerized  battery  of  tests  on  reaction  time,  decision-making,  etc.  No  significant  changes  in  any 
physiological  parameters  were  noted.  There  were  no  alterations  of  any  blood  counts  or  chemistries,  no 
pulmonary  function  changes,  no  cardiac  dysrhythmias,  arid  no  mental  status  changes.  There  were  no 
significant  decrements  in  performance  recorded  from  the  pre-exposure  baselines.  Based  on  this  study, 
exposure  of  crewmembers  to  Halon  concentration  levels  is  limited  to  1.0  percent.  @[021600-7170  ] 

As  a  result  of  research  done  in  the  “Documentation  of  the  Spacecraft  Maximal  Allowable  Concentration 
Values  on  Bromotrifluoromethane”  (White  Paper),  the  NRC  approved  revised  SMAC  levels  for  Halon 
1301  on  November  18,  1993.  These  guidelines  state  that  for  24-hour  exposure,  the  SMAC  level  is  0.35 
percent  (3500  parts  per  million),  and  for  7-day  exposure,  the  SMAC  level  is  0.18  percent  (1800  ppm). 

The  JSC  Toxicology  Group  sponsored  the  mentioned  study  and  proposed  SMAC  levels  to  the  NRC. 
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A13-152  CABIN  ATMOSPHERE  CONTAMINATION  (CONTINUED) 

Approximately  50  percent  ofHalon  1301  discharged  from  afire  extinguisher  into  the  avionics  bay  will 
diffuse  into  the  cabin  atmosphere  within  50  hours,  and  100%  of  it  will  diffuse  in  100  hours.  Halon 
1301  is  poorly  absorbed  by  the  charcoal  in  the  LiOH  canisters  as  well  as  the  Ambient  Temperature 
Catalytic  Oxidizer  ( ATCO )  canister.  Thus,  it  cannot  be  effectively  removed  from  the  cabin  atmosphere. 
@[090894-1 682A] 

Discharge  of  one  portable  fire  extinguisher  into  an  avionics  bay  would  produce  a  Halon  1301 
concentration  of  approximately  0.3  percen  t  (3000  ppm)  at  equilibrium.  Discharge  of  one  fixed 
avionics  bay  fire  extinguisher  would  produce  a  concentration  of  approximately  0.4  percent  (4000 
ppm)  at  equilibrium.  These  concentrations  were  calculated  on  the  assumption  that  complete 
equilibration  ofHalon  1301  with  the  cabin  atmosphere  occurs  after  100  hours.  @[090894-1 682A] 
@[021600-7170] 

Provided  sufficient  consumables  are  available,  the  mission  duration  may  be  extended  by  having  the  crew 
don  the  QDM’s  or  LES’s  and  breathe  100  percen  t  oxygen  for  up  to  6  hours  at  12.0-14.7  psia  without  risk 
of  oxygen  toxicity  (reference  rule  {A13-54},  100  PERCENT  OXYGEN  USE  CONSTRAINT).  The 
Surgeon  and  EECOM  shall  coordinate  their  efforts  to  derive  a  plan  that  can  increase  mission  duration 
after  the  crew  has  been  exposed  to  Halon  1301. 

Data  shows  that  the  half-life  ofHalon  1301  in  non-fatty  tissues  (primarily  blood)  is  5  minutes;  whereas, 
the  half-life  ofHalon  1301  is  approximately  200  minutes  in  fat  (Halon  is  lipid  soluble).  Breathing  100 
percen  t  oxygen  for  60  minutes  prior  to  landing  should  sign  ifican  tly  reduce  the  blood  and  brain  levels  of 
Halon  1301  and  further  protect  crew  performance  during  critical  performance  periods  (i.e.,  de-orbit 
preparation,  landing,  landing  rollout).  Due  to  02  concentration  limits,  three  crewmembers  can  breathe 
100  percent  02  for  1  hour,  or  seven  crewmembers  can  breathe  100  percent  02  for  30  minutes. 

A  real-time  decision  is  to  be  made  by  the  Flight  Director,  Surgeon,  EECOM,  IFM,  and  any  other 
disciplines  involved  with  the  decision-making  process  to  perform  a  landing  after  the  crew  has  been 
exposed  to  Halon  1301.  The  range  of  72-100  hours  is  to  be  used  as  a  guideline.  The  actual  mission 
duration  or  extension  is  dependen  t  upon  such  factors  as  crew  symptoms,  performance,  and/or  in  itiation 
of  a  dedicated  avionics  bay  purge. 

B.  PLANNED  OR  ACCIDENTAL  DISCHARGE  OF  A  PORTABLE  FIRE 

EXTINGUISHER  INTO  A  PANEL  OR  INTO  THE  OPEN  CABIN  ATMOSPHERE, 
OR  DETECTION  OF  A  LEAKING  PORTABLE  FIRE  EXTINGUISHER,  WITH  NO 
SMOKE/FIRE  DETECTED: 

1 .  THE  CREW  MAY  BE  EXPOSED  TO  THE  CABIN  ATMOSPHERE  FOR 

24-48  HOURS  FROM  THE  TIME  OF  DISCHARGE  OR  DETECTION  OF 
A  LEAKING  BOTTLE  WITHOUT  IMPACT. 
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A13-152  CABIN  ATMOSPHERE  CONTAMINATION  (CONTINUED) 

2.  THE  CREW  WILL  CONTACT  MCC  TO  DETERMINE  THE  MAXIMUM 

ALLOWABLE  EXPOSURE  TIME  ON-ORBIT.  THE  SURGEON  WILL  MAKE 
A  DECISION  AS  TO  WHEN  THE  CREW  MAY  DON  THE  QDM' S  OR  LES'S 
AND  BREATHE  100  PERCENT  OXYGEN  TO  INCREASE  MISSION 
DURAT I  ON  .  @[090894-1 682A] 

3.  THE  CDR,  PLT ,  AND  FLIGHT  ENGINEER  WILL  CLOSE  VISORS  ON 
THE  LES'S  AND  BREATHE  100  PERCENT  OXYGEN  FOR  60  MINUTES 
PRIOR  TO  LANDING  AND  THROUGH  LANDING  ROLLOUT.  @[090894-1 682A] 

REAL-TIME  DISCUSSICN  OF  MISSION  DURATION  OR  EXTENSION  WILL  BE 
DEPENDENT  UPON  SUCH  FACTORS  AS  CREW  SYMPTOMS,  PERFORMANCE, 
AND/OR  DETERMINATION  OF  THE  AMOUNT  OF  HALON  LEAKED/DISCHARGED 
INTO  THE  CABIN. 

Discharge  of  a  fire  extinguisher  into  a  panel  or  into  the  open  cabin  will  produce  a  rapid  equilibration 
with  the  cabin  atmosphere.  A  Halon  1301  level  of  approximately  0.3  percent  (3000  ppm)  will  be  rapidly 
achieved,  and  the  maximum  allowable  crewmember  exposure  time  at  this  level  is  in  the  range  of  24-48 
hours  based  on  the  SMAC  levels  for  Halon  1301  in  paragraph  A’ s  rationale. 

Provided  sufficient  consumables  are  available,  the  mission  duration  may  be  extended  by  having  the  crew 
don  the  QDM's  or  LES  's  and  breathe  100  percent  oxygen  for  up  to  6  hours  at  12.0-14. 7  psia  without  risk 
of  oxygen  toxicity  (reference  Rule  { A13-54 },  100  PERCENT  OXYGEN  USE  CONSTRAINT).  The 
Surgeon  and  EECOM  shall  coordinate  their  efforts  to  derive  a  plan  that  can  increase  mission  duration 
after  the  crew  has  been  exposed  to  Halon  1301. 

Breathing  100  percen  t  oxygen  for  60  minutes  prior  to  landing  should  significan  tly  reduce  the  blood  and 
brain  levels  of  Halon  1301  and  further  protect  crew  performance  during  critical  performance  periods  ( i.  e. , 
de-orbit  preparation,  landing,  landing  rollout).  Due  to  02  concentration  limits,  three  crewmembers  can 
breathe  100  percent  02  for  1  hour,  or  seven  crewmembers  can  breathe  100  percent  02  for  30  minutes. 

A  real-time  decision  is  to  be  made  by  the  Flight  Director,  Surgeon,  EECOM,  and  any  other  disciplines 
involved  with  the  decision-making  process  to  perform  a  landing  after  the  crew  has  been  exposed  to  Halon 
1301.  The  range  of  24-48  hours  is  to  be  used  as  a  guideline.  The  actual  mission  duration  or  extension  is 
dependen  t  upon  such  factors  as  crew  symptoms,  performance,  and/or  determination  of  the  amoun  t  of 
Halon  leaked/discharged  into  the  cabin.  Reference  Flight  Rule  ( A17-54 },  MANAGEMENT 
FOLLOWING  HALON  DISCHARGE  WITHOUT  FIRE  CONFIRMATION.  @[090894-1 682A]  ®[ED  ] 
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A13-152  CABIN  ATMOSPHERE  CONTAMINATION  (CONTINUED) 

C.  SMOKE  OR  FIRE  DETECTED  AND  CONFIRMED  VIA  VISUAL  OBSERVATION, 
TWO  SMOKE  DETECTORS,  OR  CREW  SYMPTOMS. 

1.  IMMEDIATELY  DON  THE  QDM'  S  AND  INITIATE  02  FLOW.  @[090894-1 673A] 

2.  INSTALL  TWO  FRESH  LIOH  CANISTERS  IN  THE  ARS ,  OR  ONE  FRESH 
LIOH  CANISTER  AND  THE  FRESHEST  CHARCOAL  CANISTER  IF  THE 
RCRS  IS  FLOWN.  @[090894-1 673A] 

3.  TURN  CABIN  TEMPERATURE  CONTROLLER  TO  FULL  COOL.  @[090894-1 673A] 

4.  ACTIVATE  THE  WASTE  MANAGEMENT  SYSTEM  (WMS)  AIR  SCRUBBER. 

5.  UNSTOW  CSA-CP  AND  TAKE  READINGS  IN  VICINITY  OF  THE  FIRE. 
@[021600-7170] 

6.  WHEN  HCL  <  5  PPM  OR  TIG  <  3  HOURS,  REPLACE  ONE  LIOH 
CANISTER  WITH  THE  ATCO  CANISTER. 

To  protect  crewmembers  from  toxicological  injury,  none ont animated  breathing  gases  must  be  provided 
immediately  following  afire  since  even  small  concentrations  of  some  combustion  products  can  be  lethal. 
Combustion  products  ofHalon,  polyvinyl  chloride.  Teflon,  and  Kcipton  can  include  hydrogen  fluoride 
(HF),  hydrogen  chloride  (FIC1),  hydrogen  cyanide  (HCN),  hydrogen  bromide  (HBr),  fluorine  and 
bromine  gases,  carbonyl  fluoride  (COF2),  and  carbon  monoxide  (CO).  @[021600-7170  ] 

HF,  HCl,  and  HBr  act  instantaneously  on  the  mucous  membrane  of  the  eye  and  respiratory  tract  causing 
temporary  blindness,  coughing,  and  wheezing.  Bronchitis  and  pneumonia  can  develop  hours  later.  High 
levels  of  HCN  and  CO  may  become  an  immediate  danger  to  life  and  health. 

Protection  of  the  eyes  and  respiratory  tract  is  achieved  by  donning  the  QDM.  The  QDM  is  recommended 
over  the  FES  since  the  QDM  can  be  donned  more  quickly.  Donning  the  full  FES  will  be  considered  later. 
Con  tinuous  use  of  the  QDM  or  FES  will  rapidly  use  the  gaseous  N2  reserves  to  main  tain  the  cabin  02 
concentration  within  limits  (the  QDM  or  FES  put  02  into  the  cabin  and  diluting  it  with  N2  is  the  only 
way  to  prevent  the  02  concentration  from  rising  above  the  maximum  allowable  limit;  reference  Rule 
{ A17-254J ;  CABIN  02  CONCENTRATION).  The  total  N2  available  will  be  insufficient  to  last  more 
than  10.5  hours  with  seven  crewmembers  on  the  QDM  or  FES  (assuming  cm  average  02  concentration  of 
40  percent,  216  lb  usable  N2,  3  lb  02/hr/crewmember  introduced  into  the  cabin  due  to  QDM  or  FES 
use).  For  the  worst  case  redline  value  of  80  lb  usable  N2,  the  time  decreases  to  approximately  4  hours. 
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HF,  HBr,  HC1,  fluorine,  and  bromine  are  absorbed  by  the  LiOH  canisters.  The  CO  is  removed  only  by 
the  ATCO  canister.  HCN  is  only  effectively  removed  by  the  activated  charcoal  in  the  LiOH  canister,  the 
charcoal  canister  (flown  on  RCRS  flights),  the  WMS  Odor  Bacteria  Filter,  or  the  ATCO  canister. 

One  LiOH  canister  should  be  changed  out  every  15  minutes  for  HCN  scrubbing.  Since  there  is  only 
1/4  lb  of  charcoal  in  the  LiOH  can  isters,  its  capability  to  scrub  HCN  is  limited  to  approx.  15  min.  The 
charcoal  canisters  contain  5  lbs  of  activated  charcoal  and  by  comparison  should  last  for  up  to  2  hours. 
LiOH  canister  changeout  should  continue  until  the  HCN  concentration  reaches  acceptable  levels  or 
stabilizes,  at  which  time  the  preflight  changeout  schedule  can  be  reimplemented.  ®[090894-i  673A] 

Two  fresh  LiOH  canisters  are  immediately  installed  to  remove  the  acid  gases  (primarily  HCl)  that  can 
degrade  the  platinum  catalyst  in  the  ATCO  canister  and  therefore  inhibit  the  effect  of  CO  removal.  When 
HCl  concentration  drops  below  5  ppm,  the  ATCO  canister  can  be  installed  without  significant  risk  of 
degradation.  5  ppm  is  based  upon  engineering  judgment.  At  tested  HCl  levels  of 500  ppm,  the  ATCO 
canister  was  completely  degraded,  and  conversely  HCl  levels  of  1  ppm  resulted  in  no  measurable 
degradation.  In  the  interest  of  beginning  CO  scrubbing  as  quickly  as  possible,  a  level  of  5  ppm  was 
determined  to  pose  no  significant  risk  of  degradation  and  allowed  the  ATCO  to  be  installed  earlier  by 
severed  hours  as  compared  to  1  ppm  HCl.  If  TIG  <  3  hrs,  the  ATCO  should  be  installed  regardless  of  the 
detected  HCl  levels.  By  analysis,  the  worst  case  CO  levels  will  be  scrubbed  out  of  the  cabin  atmosphere  in 
approx.  4  hrs;  therefore,  the  ATCO  is  installed  to  provide  the  maximum  CO  scrubbing  capability  prior  to 
touchdown.  @[090894- 1673 A]  @[021600-7170] 

Turning  the  cabin  temperature  controller  to  the  full-cool  mode  will  maximize  the  air-flow  rate  through 
the  cabin  heat  exchanger  and  therefore  increase  the  amount  of  contaminants  removed  by  the  humidity 
separator. 

The  WMS  air  scrubber  con  tains  activated  charcoal  and  can  assist  in  the  removal  of  acid  gases  due  to  its 
high  flow  rate  and  large  capacity. 

The  Compound  Specific  Analyzer-Combustion  Products  ( CSA-CP)  should  be  used  to  measure  the  levels 
of  the  toxic  target  compounds  (CO,  HCN,  HCl)  in  the  crew  cabin  and  to  follow  trends  in  these  levels  as 
cleanup  efforts  continue.  @[021600-7170  ] 

Documentation:  Combustion  Product  Removal  From  Cabin  Air  (OFTP  #109  minutes,  dated  8/90)  Phase 
I  Combustion  Products  Test  Results  ( OFTP  #113  minutes,  dated  1/09/91 ),  Phase  II  Combustion 
Products  Test  Results  (OFTP  #120  minutes,  dated  8/21/91),  LESC  memo  053-52-BR1,  Suggested  Flight 
Procedures  in  Response  to  an  Accidental  Burning  of  Wire  in  the  Orbiter,  dated  9/12/90.  @[090894-1 673A] 
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7.  THE  MCC  WILL  ASSIST  IN  EVALUATING  THE  CABIN 

CONCENTRATION  OF  THE  COMBUSTION  PRODUCTS.  THE  CREW  WILL 
REMOVE  QDM' S  ONLY  ON  MCC  CALL.  THIS  DECISION  WILL  BE 
BASED  UPON  THE  FOLLOWING:  @[090894-1 682A] 

a.  CREW  SYMPTOMS 

b.  SMOKE  DETECTORS  RESPONSE 
C.  CSA-CP  RESPONSE  @[021600-7170] 

d.  MATHEMATICAL  MODEL  OF  ARS  REMOVAL  @[090894-1 682A] 

e.  CREW  INPUT  ON  AMOUNT  &  TYPE  OF  MATERIAL  BURNED 
@[090894-1 682A] 

Collectively,  these  will  provide  only  an  estimate  of  the  total  toxicity  hazard  in  the  cabin.  If  crew 
symptoms  like  temporary  blindness,  coughing,  and  wheezing  are  noted,  QDM's  should  remain  donned. 

Crew  will  remove  QDM’s  based  on  coordinated  communication  with  the  Flight  Director,  Surgeon,  and 
EECOM.  QDM’s  will  be  donned  if  any  symptoms  are  incurred.  QDM’s  can  stay  doffed  if  all 
crewmembers  remain  symptom-free  for  greater  than  10  minutes. 

Medical  Operations  cannot  recommend  that  crewmembers  discontinue  breathing  noncontamincited  gases 
unless  there  is  satisfactory  evidence  that  the  cabin  concen  tration  of  combustion  products  is  within  safe 
limits.  However,  the  risk  of  breathing  contaminated  gases  must  be  weighed  against  the  risks  of  cm  ELS, 
or  exceeding  cabin  02  limits.  These  risks  were  assessed  by  the  community  and  have  been  considered  in 
sections  8,  9,  and  10  of  this  flight  rule. 

Smoke  detector  readings  will  be  evaluated  by  EECOM  for  safe  levels.  QDM’s  should  remain  donned  if 
visible  indication  of  smoke  remains  in  the  cabin. 

A  real-time  decision-making  process,  using  the  CSA-CP,  will  be  based  upon  the  initial  post-fire  readings 
compared  with  the  decreasing  trend  in  contaminant  concentrations  measured  by  the  CSA-CP.  The  Surgeon, 
EECOM,  and  Toxicology  Group  will  be  consulted  in  these  decisions.  These  baseline  readings  will  be 
compared  with  the  following  con  taminan  t  levels  (SMAC  is  Spacecraft  Maximum  Allowable  Concentrations): 
CO  <  55  ppm  (1-hour  SMAC);  HCN  <  8  ppm  ( 1-hour  SMAC);  HCl  <  5  ppm  ( 1-hour  SMAC).  Depending  on 
the  profile  of  changing  contaminant  concentrations,  the  following  24-hour  SMAC  may  be  used  as  guidelines: 
CO  <  20  ppm;  HCN  <  4  ppm;  HCl  <  2  ppm.  The  fact  that  irritant  gases  ( HCl  and  HF)  act  additively  will  be 
considered.  The  criteria  for  determining  a  safe  cabin  or  removing  QDM’s  will  not  be  based  solely  on  CSA- 
CP  readings.  @[021 600-71 70  ] 
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The  mathematical  models  of  ARS  removal  of  toxic  compounds  will  be  utilized  to  predict  the  rate  of 
decrease  in  cabin  concentrations.  These  predictions  will  be  correlated  with  real-time  CSA-CP  data. 


Crew  input  on  the  amount  and  type  of  materials  burned  will  determine  the  poten  tial  thermal  degradation 
and/or  toxic  byproducts. 

8.  IF  EVALUATION  SHOWS  THE  CABIN  ATMOSPHERE  PRESENTS  A 
DEFINITE  SHORT-TERM  HAZARD: 

a.  ALL  CREWMEMBERS  WILL  REMAIN  ON  QDM' S . 

b.  LES'S  WILL  BE  USED  WITH  VISORS  DOWN  FOR  ENTRY  AND 
ORBITER  EGRESS.  @[090894-1 682A] 

C.  AN  ELS  OR  NEXT  PLS  LANDING  WILL  BE  PERFORMED  BASED 
ON  N2  CONSUMABLES  AND  THE  TIME  TO  THE  NEXT  PLS. 

@[090894-1 682A] 

If  the  cabin  atmosphere  is  clearly  hazardous,  there  is  no  choice  but  to  protect  the  crew  by  wearing  the 
QDM’s  and  LES’s.  An  ELS  may  be  required. 

9.  IF  EVALUATION  OF  THE  CABIN  ATMOSPHERE  SHOWS  A  MODERATE 
PROBABILITY  OF  BEING  HAZARDOUS:  @[021600-7170] 

a.  A  NEXT  PLS / CONUS  LANDING  WILL  BE  PERFORMED. 

b.  THE  QDM' S  MAY  BE  REMOVED,  IF  REQUIRED,  TO  PREVENT 
EXHAUSTING  ALL  N2  PRIOR  TO  THE  NEXT  PLS  LANDING. 

C.  IF  POSSIBLE,  CDR  AND  PLT  WILL  REMAIN  ON  QDM' S . 

IF,  AFTER  DOFFING  QDM'S,  THE  CABIN  ATMOSPHERE  IS 
CONFIRMED  TO  BE  HAZARDOUS: 

d.  QDM'S  WILL  BE  RE-DONNED  BY  ALL  CREWMEMBERS. 

e.  AN  ELS  OR  NEXT  PLS  LANDING  WILL  BE  PERFORMED  BASED  ON 
N2  CONSUMABLES  AND  THE  TIME  TO  THE  NEXT  PLS. 
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f.  LES'S  WILL  BE  USED  WITH  VISORS  DOWN  FOR  ENTRY  AND 
ORBITER  EGRESS. 

If  the  assessmen  t  of  the  inhalation  hazard  of  combustion  products  is  inconclusive  or  the  range  of 
uncertainty  in  the  assessment  is  such  that  some  risk  still  exists  that  the  atmosphere  may  be  hazardous, 
the  risk  to  the  crew  is  real  and  a  next  PLS  or  CONUS  landing  is  justified.  Although  the  poten  tial  risk 
to  crew  health  with  the  QDM’s  removed  is  recognized,  in  the  assessment  of  the  overall  community, 
there  is  a  greater  risk  associated  with  an  ELS  landing  or  exceeding  cabin  02  concentration  limits  (fire 
risk).  If  it  becomes  necessary  to  remove  the  QDM’s  to  minimize  N2  consumption,  ensuring  a  PLS  or 
CONUS  landing,  the  CDR  and  PLT  should  remain  on  noncontaminated  breathing  gases  to  assure  their 
peak  performance  throughout  entry  and  landing.  @[090894-1 682A] 

10.  IF  EVALUATION  SHOWS  THE  CABIN  ATMOSPHERE  IS  CLEARLY  SAFE, 
THE  SOURCE  OF  THE  FIRE  CAN  BE  LOCATED  AND  SAFED  (I.E.,  A 
SHORT  THAT  CAN  BE  UNPOWERED) ,  AND  A  HALON  BOTTLE  HAS  NOT 
BEEN  DISCHARGED:  @[090894-1 682A] 

a.  QDM'S  WILL  BE  REMOVED. 

b.  A  NOMINAL  DURATION  MISSION  MAY  BE  PERFORMED. 

IF  A  HALON  BOTTLE  HAS  BEEN  DISCHARGED,  PARAGRAPHS  A  OR  B 
OF  THIS  RULE  WILL  APPLY. 


If  the  cabin  atmosphere  can  be  shown  to  be  safe,  there  is  no  reason  to  shorten  the  flight 

D.  IF  A  FREON-TO-WATER-LOOP  LEAK  OCCURS  IN  THE  HEAT  EXCHANGER 

AND,  SUBSEQUENTLY,  A  WATER  LOOP  LEAK  INTO  THE  CABIN  DEVELOPS: 

1.  QDM'S  WILL  BE  DONNED  BY  ALL  CREWMEMBERS. 

2.  CABIN  ATMOSPHERE  CONTAMINATION  BY  FREON  21  MAY  REQUIRE 
MISSION  TERMINATION  AT  THE  NEXT  PLS. 
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3.  LES'S  WILL  BE  USED  WITH  VISORS  DOWN  FOR  ENTRY  AND  ORBITER 
EGRESS . 

Freon  21  detection ,  concentration  determination,  and  toxic  effects  will  be  difficult  to  determine  in  orbit 
and  require  conservative  management.  Although  concentration  and  SMAC  limits  at  various  time 
intervals  have  been  established  for  Freon  21,  accurate  in-flight  determination  is  not  possible  at  present. 

In  chronic  exposures  and  low  concentrations  (0.02  percent  or  200  ppm  for  7  days),  Freon  21  may  cause 
liver  damage,  with  mental  impairment  expected  at  0.05  percent  (500  ppm)  and  cardiac  arrhythmias  at 
0.5  percent  (5000  ppm)  during  acute  exposures.  Cardiac  arrythmias  and  pulmonary  effects  are 
progressively  worsened  at  higher  levels  and  are  potentiated  by  increased  epinephrine  levels.  The 
potential  cabin  concentration  upon  release  of  3.0  gm.  is  11.0  ppm;  there  is  nearly  272  kg.  of  Freon  21 
onboard  the  orbiter.  For  each  0.45  kg.  of  charcoal  in  the  ARS  LiOH  canisters,  Freon  21  concentration 
will  only  be  lowered  approximately  12.5  ppm.  Given  the  larger  number  of  toxic  compounds  carried  on 
the  orbiter  and  in  experiments,  early  recognition  and  response  in  atmosphere  contamination 
con  tingencies  are  essen  tial  for  crew  safety. 

Rule  { A17-51 },  MANAGEMENT  FOLLOWING  LOSS  OF  SMOKE  DETECTION,  references  this  rule. 

@[090894-1 682A] 

A13-153  BROKEN  GLASS /HAZARDOUS  SUBSTANCE  CONSTRAINT 

A.  IF  BROKEN  GLASS  OR  A  HAZARDOUS  SUBSTANCE  SPILLS  INTO  A 
CLOSED  VOLUME  AREA,  THAT  VOLUME  AREA  WILL  NOT  BE  OPENED  TO 
THE  HABITABLE  ENVIRONMENT.  FLIGHT-SPECIFIC  EXCEPTIONS  WILL 
BE  LISTED  IN  THE  FLIGHT-SPECIFIC  ANNEX. 

This  will  prevent  the  introduction  of  the  hazardous  substance  into  the  crew’s  environment. 

B.  RELEASE  OF  BROKEN  GLASS  IN  THE  CABIN  ENVIRONMENT  IS  A  LEVEL  2 
HAZARDOUS  SPILL.  REFERENCE  RULE  {A13-155C},  ORBITER 
HAZARDOUS  SUBSTANCE  SPILL  RESPONSE,  FOR  CREW  ACTIONS. 

Free-floating  glass  particles  represent  a  hazard  to  the  eyes  and  respiratory  tract.  Cleanup  may  be 
attempted  with  the  crew  wearing  protective  equipment  as  noted  for  a  level  2  hazardous  spill. 
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HAZARDOUS  SPILL  LEVELS  ARE  DEFINED  BY  THE  FOLLOWING  HAZARDOUS 
SPILL  LEVEL  DEFINITION  TABLE. 


COLOR/ 

LEVEL 

STATE 

FLAMMABILITY 

SYSTEMIC/ 

INTERNAL 

DAMAGE 

IRRITANCY 

CRIT 

SUMMARY  OF 
HAZARD  LEVEL 

RED 

? 

?  ? 

?  4  ? 

?  ?  ?  ? 

GAS,  VOLATILE 
LIQUID,  OR  FUMES 
THAT  ARE  NOT 
CONTAINABLE  BY 

A  CLEANUP  CREW. 
THE  ARS  WILL 

BE  USED  TO 
DECONTAMINATE. 
THE  5-MICRON 
SURGICAL  MASKS 
WILL  NOT  PROTECT 
THE  CREW. 

EITHER  THE  QUICK 
DON  MASKS  OR 
THESEBS  ARE 
REQUIRED. 

MAY  BE  CAPABLE  OF 
PRODUCING  FLAMMABLE 
VAPORS  OR  FINE  MIST  IN 
SUFFICIENT  QUANTITY  TO 
PRODUCE  A  HAZARD. 

APPRECIABLE 
EFFECTS  ON 
COORDINATION, 
PERCEPTION, 

MEMORY,  ETC.,  OR 
POTENTIAL  FOR  LONG 
TERM  (DELAYED) 
SERIOUS  INJURY 
(E.G.,  CANCER)  OR 

MAY  RESULT  IN 
INTERNAL  TISSUE 
DAMAGE. 

MODERATE 

TO  SEVERE 
IRRITATION 

THAT  HAS  THE 
POTENTIAL  FOR 
LONG-TERM  CREW 
PERFORMANCE 
DECREMENT 
(FOR  EYE  ONLY 
HAZARDS, THERE 
MUST  BE  A  RISK 

OF  PERMANENT 

EYE  DAMAGE). 

NOTE:  WILL 
REQUIRE  THERAPY 
IF  CREW  IS 
EXPOSED. 

[i] 

IT  IS  A  CATASTROPHIC 
HAZARD  (CAPABLE  OF 
CAUSING  DISABLING 

INJURY)  THAT  IS  NOT 
CONTAINABLE  BY  A 

CLEANUP  CREW  AND  HAS 
THE  POTENTIAL  FOR 
SYSTEMIC  TOXICITY, 
MODERATE-TO-SEVERE 
IRRITANT,  TISSUE  DAMAGE, 
OR  CAN  PRODUCE 
FLAMMABLE  VAPORS. 

THE  SURGICAL  MASKS 

WILL  NOT,  COMBINED  WITH 
GOGGLES  AND  GLOVES, 
PROTECT  THE  CREW. 

EITHER  QUICK  DON  MASKS 
OR  SEBS  ARE  REQUIRED 

TO  BE  WORN  WHILE  THE 

ARS  DECONTAMINATES. 

NO  PROVISION  HAS  BEEN 
MADE  FOR  SEVERE  SKIN 
IRRITATION  OR 

ABSORPTION. 

EXAMPLE:  METAL  VAPOR 
LIKE  MERCURIC  IODIDE. 

ORANGE 

? 

?  ? 

?  3  ? 

?  ?  ?  ? 

EITHER  A  SOLID 

OR  NONVOLATILE 
LIQUID.  CAN  BE 
CONTAINED  BY  A 
CLEANUP  CREW 

AND  DISPOSED  OF. 
SURGICAL  MASKS 
AND  GLOVES  WILL 
NOT  PROTECT  THE 
CREW.  EITHER 
QUICK  DON  MASKS 
ORSEBS  AND 
SILVER  SHIELD 
GLOVES  ARE 
REQUIRED. 

MAY  BE  CAPABLE  OF 
PRODUCING  FLAMMABLE 
VAPORS  OR  FINE  MIST  IN 
SUFFICIENT  QUANTITY  TO 
PRODUCE  A  HAZARD. 

APPRECIABLE 
EFFECTS  ON 
COORDINATION, 
PERCEPTION, 

MEMORY,  ETC.,  OR 

THE  POTENTIAL  FOR 
LONG-TERM 
(DELAYED)  SERIOUS 
INJURY  (E.G., 

CANCER)  OR  MAY 
RESULT  IN  INTERNAL 
TISSUE  DAMAGE. 

THERE  MAY  BE 
IRRITATION  THAT 
ACCOMPANIES  THE 
SYSTEMIC  TOXICITY 
CONCERNS; 
HOWEVER, 
IRRITANCY  ALONE 
WOULD  NOT  DRIVE 
YOU  TO  A  LEVEL  3. 

NOTE:  WILL 
REQUIRE  THERAPY 
IF  CREW  IS 
EXPOSED. 

[i] 

IT  IS  A  CATASTROPHIC 
HAZARD  (CAPABLE  OF 
CAUSING  DISABLING 

INJURY)  THAT  IS 
CONTAINABLE  BY  A 

CLEANUP  CREW  AND 

HAS  THE  POTENTIAL  FOR 
SYSTEMIC  TOXICITY,  OR  IS 
CAPABLE  OF  PRODUCING 
FLAMMABLE  VAPORS,  OR 
COULD  CAUSE  INTERNAL 
TISSUE  DAMAGE.  THE 
5-MICRON  SURGICAL 

MASKS,  GLOVES,  AND 
GOGGLES  ARE  NOT 
SUFFICIENT  TO  PROTECT 

THE  CREW.  THEREFORE, 
EITHER  QUICK  DON  MASKS 
OR  SEBS  ARE  REQUIRED 

TO  BE  WORN  BY  ALL 
CREWMEMBERS.  ONLY 

THE  CLEANUP  CREW  WILL 
BE  REQUIRED  TO  WEAR 
SILVER  SHIELD  GLOVES. 

EXAMPLE:  ACETONITRILE. 

KEY: 

[1]  -  CATASTROPHIC  [2]  -  CRITICAL  [3]  -  NONE 
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COLOR/ 

LEVEL 

STATE 

FLAMMABILITY 

SYSTEMIC/ 

INTERNAL 

DAMAGE 

IRRITANCY 

CRIT 

SUMMARY  OF 
HAZARD  LEVEL 

YELLOW 

? 

?  ? 

?  2  ? 

?  ?  ?  ? 

EITHER  A  SOLID  OR 
NONVOLATILE 
LIQUID.  CAN  BE 
CONTAINED  BY  A 
CLEANUP  CREW 

AND  DISPOSED  OF. 
THE  CREW  WILL 

BE  PROTECTED 

BY  5-MICRON 
SURGICAL  MASKS, 
SILVER  SHIELD 
GLOVES,  AND 
GOGGLES. 

MAY  BE  CAPABLE  OF 
PRODUCING  FLAMMABLE 
SOLIDS  OR  LIQUIDS 

BUT  NOT  VAPORS  IN 
SUFFICIENT  QUANTITY 

TO  PRODUCE  A  HAZARD. 

NONE. 

MODERATE-TO- 

SEVERE 

IRRITATION 

THAT  HAS  THE 
POTENTIAL  FOR 
LONG-TERM  CREW 
PERFORMANCE 
DECREMENT 
(FOR  EYE-ONLY 
HAZARDS,  THERE 
MUST  BE  A  RISK  OF 
PERMANENT  EYE 
DAMAGE). 

NOTE:  WILL 
REQUIRE  THERAPY 
IF  CREW  IS 
EXPOSED. 

[i] 

IT  IS  A  CATASTROPHIC 
HAZARD  (CAPABLE  OF 
CAUSING  DISABLING 

INJURY)  THAT  IS 
CONTAINABLE  BY  A 
CLEANUP  CREW.  SINCE 
THERE  ARE  NO  SYSTEMIC 
TOXICITY  CONCERNS  OR 
TISSUE  DAMAGE  (OTHER 
THAN  EYE),  5-MICRON 
SURGICAL  MASKS, 
GOGGLES,  AND  SILVER 
SHIELD  GLOVES  WILL 
PROTECT  THE  CREW. 
NEITHER  QUICK  DON 

MASKS  NOR  SEBS  ARE 
REQUIRED.  SINCE  THE 
SUBSTANCE  IS  A  SEVERE 
IRRITANT  OR  COULD 

CAUSE  EYE  DAMAGE,  THE 
CREW  MUST  WEAR 
SURGICAL  MASKS, 
GOGGLES,  AND  GLOVES. 

NO  PROVISION  HAS  BEEN 
MADE  FOR  SEVERE  SKIN 
IRRITATION  OR 

ABSORPTION. 

EXAMPLE:  SODIUM 
HYDROXIDE  WITH  VERY 

HIGH  PH  (>12) 

BLUE 

? 

?  ? 

?  1  ? 

?  ?  ?  ? 

GAS,  SOLID,  OR 
LIQUID  MAY  OR 

MAY  NOT  BE 
CONTAINABLE. 
HOWEVER,  THE 
CREW  WILL  BE 
PROTECTED  BY 
SURGICAL  MASKS 
AND  GOGGLES. 
CLEANUP  CREW 
SHOULD  ALSO  USE 
SURGICAL  GLOVES. 

VERY  LOW  FLAMMABILITY 
POTENTIAL.  THE 
SUBSTANCE  HAS  A  HIGH 
FLASH  POINT  AND  A  LOW 
VAPOR  PRESSURE. 

MINIMAL  EFFECTS. 

NO  POTENTIAL  FOR 
LASTING  INTERNAL 
TISSUE  DAMAGE. 

SLIGHT-TO- 
MODERATE 
IRRITATION  THAT 
LASTS  >  30 

MINUTES.  IF  AN 
EYE-ONLY  HAZARD, 
CAN  AFFECT 

VISUAL  ACUITY  >30 
MINUTES. 

NOTE:  WILL 
REQUIRE  THERAPY 
IF  CREW  IS 
EXPOSED. 

[2] 

IT  IS  A  CRITICAL  HAZARD 
(CAPABLE  OF  CAUSING 
NONDISABLING  INJURY) 

AND  MAY  OR  MAY  NOT  BE 
CONTAINABLE  BY  A 

CLEANUP  CREW.  IF  NOT 
CONTAINABLE,  THE  CREW 
MUST  BE  PROTECTED  BY 
THE  SURGICAL  MASKS  AND 
GOGGLES.  WITH  LEVEL  1 
HAZARDS,  IT  IS  ASSUMED 
THAT  THE  CREW  NEEDS 
THERAPY  IF  EXPOSED. 
THEREFORE,  ALL 
CREWMEMBERS  IN  THE 
AREA  MUST  WEAR 
PROTECTIVE  GEAR  SO  AS 

TO  AVOID  CONTACT. 
CLEANUP  CREW  MUST 

ALSO  USE  SURGICAL 
GLOVES. 

EXAMPLE:  SOLUTIONS 

LIKE  15%  SODIUM 

CHLORIDE. 

GREEN 

? 

?  ? 

?  0  ? 

?  ?  ?  ? 

GAS,  SOLID,  OR 
LIQUID  MAY  OR 

MAY  NOT  BE 
CONTAINABLE. 

NONE. 

NONE. 

SLIGHT  IRRITATION 
THAT  LASTS  <  30 
MINUTES  AND  WILL 
NOT  REQUIRE 
THERAPY.  ALL 
EFFECTS  WILL  BE 
RESOLVED  WITHIN 
30  MINUTES 
WITHOUT 

THERAPY. 

[3] 

IT  IS  NOT  A  HEALTH  OR 

FIRE  HAZARD.  MAY  OR 

MAY  NOT  BE  CONTAINABLE. 
IF  NOT,  REPORT  TO  MCC. 

EXAMPLE:  SILICON  OIL  OR 
WEAK  HYPERTONIC 
SOLUTIONS. 

KEY: 


[1]- CATASTROPHIC  [2]  -  CRITICAL  [3]  -  NONE 
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THE  FLIGHT-SPECIFIC  ANNEX  WILL  LIST  ALL  LEVEL  4  THROUGH  LEVEL  1 
PAYLOAD  HAZARDOUS  SUBSTANCES.  REFERENCE  RULE  {A13-154},  HAZARDOUS 
SPILL  LEVEL  DEFINITIONS.  THE  FOLLOWING  ACTIONS  WILL  BE  TAKEN  IN 
THE  EVENT  THAT  A  HAZARDOUS  SUBSTANCE  IS  RELEASED  INTO  THE  ORBITER 
ATMOSPHERE . 

A.  LEVEL  4 

1.  ALL  CREWMEMBERS  WILL  DON  AND  ACTIVATE  QUICK  DON  MASKS. 

THE  CLEANUP  CREW  WILL  TAKE  THE  FOLLOWING  ACTIONS: 

a.  SET  CABIN  TEMPERATURE  CONTROLLER  TO  FULL  COOL. 

b.  TURN  ON  THE  WASTE  COLLECTION  SYSTEM. 

C.  TURN  OFF  THE  REGENERATIVE  CO2  REMOVAL  SYSTEM  (RCRS) 

(IF  APPLICABLE) . 

2.  THE  CREW  SHALL  PERFORM  A  CABIN  DEPRESS  TO  8  PSI  AND  A 

CONTINUOUS  CABIN  PURGE  AT  8  PSI  IF  REQUIRED  TO  CONTROL 
PP02 .  (REFERENCE  RULE  {A17-254},  CABIN  02 
CONCENTRATION)  .  @[090894-1 673A] 

3.  THE  FLIGHT  CONTROL  ROOM  SURGEON  SHOULD  BE  CONSULTED  FOR 

THE  MAXIMUM  LENGTH  OF  TIME  THE  QUICK  DON  MASKS  CAN  BE 
WORN.  (REFERENCE  RULE  {A13-54},  100  PERCENT  OXYGEN 

CONSTRAINT . ) 


A  level  4  hazardous  substance  is  defined  as  either  a  gas,  a  volatile  liquid,  or  fumes  that  are  not 
containable  by  the  crew.  Crew  exposure  could  result  in  systemic  toxicity,  severe  irritation,  and/or 
tissue  damage.  The  driving  factor  that  distinguishes  a  level-4  substance  from  a  level  3  substance  is 
noncontainabi  1  i  ty. 

The  immediate  priorities  for  a  level  4  spill  are  to  prevent  crew  exposure  to  the  substance  and  to 
configure  the  ARS  to  scrub  the  environment.  All  crewmembers  will  don  and  activate  QDM’s  to  avoid  any 
debilitating  effects. 


THIS  RULE  CONTINUED  ON  NEXT  PAGE 


VOLUME  A  06/20/02  FINAL  AEROMEDICAL  13-50 

Verify  that  this  is  the  correct  version  before  use. 


NASA  -  JOHNSON  SPACE  CENTER 


FLIGHT  RULES 


A13-155  ORBITER  HAZARDOUS  SUBSTANCE  SPILL  RESPONSE 

(CONTINUED) 


The  ARS  configuration  steps  were  determined  to  provide  maximum  decontamination.  Setting  the  cabin 
temperature  to  full  cool  will  provide  maximum  removal  of  water  soluble  or  particulate  hazardous 
substances  through  the  humidity  separator  as  condensate.  Other  atmospheric  scrubbing  can  be 
accomplished  with  the  use  of  the  odor/bactericd  filter  of  the  WCS  and  the  LiOH  and/or  charcoal 
canisters  that  are  already  installed.  The  most  recently  installed  LiOH  canisters  may  have  exhausted 
CO 2  removal  capability;  however,  the  Li0H/C02  product,  LiyCOy,  and  existing  charcoal  still  have 
scrubbing  potential.  For  flights  that  use  the  RCRS,  the  RCRS  must  be  unpowered  to  prevent 
contamination  of  the  solid  amine. 

A  cabin  depress  to  8  psi  and  continuous  purge  at  8  psi  will  manage  02  concentrations  below  maximum 
levels  as  well  as  decrease  the  concen  tration  of  the  level  4  substance.  This  action  could  extend  the  time 
on  orbit  so  as  to  avoid  cm  ELS  entry.  ®[090894-l673A] 

B.  LEVEL  3 

1.  ALL  CREWMEMBERS  WILL  DON  AND  ACTIVATE  QUICK  DON  MASKS  AND 
SILVER  SHIELD  GLOVES.  THE  FLIGHT  DECK  CREW  WILL  TURN  OFF 
THE  CABIN  AND  IMU  FANS  ONE  CREWMEMBER  WILL  CONTINUOUSLY 
MONITOR  THE  SPILL.  THE  CLEANUP  CREW  WILL  TAKE  THE 
FOLLOWING  ACTIONS: 

a.  ATTEMPT  TO  CLEAN  UP  THE  SPILL. 

b.  BAG,  LABEL  AND  STCW  IN  WET  TRASH. 

2.  IF  CLEANUP  ATTEMPT  FAILS,  THE  HAZARDOUS  SPILL  WILL  BE 
UPGRADED  TO  A  LEVEL  4 . 

A  level-3  hazardous  substance  is  defined  as  a  solid  or  nonvolatile  liquid  that  is  containable  by  the 
cleanup  crew.  It  is  this  containability  that  separates  a  level-3  substance  from  a  level  4. 

Crew  exposure  to  a  level-3  substance  could  result  in  systemic  toxicity,  severe  irritation,  and/or  tissue 
damage.  It  is  this  severity  of  effects  on  exposure  that  separates  a  level-3  substance  from  the  levels  2,  1, 
and  0  substances.  All  crewmembers  must  wear  QDM’s  to  protect  themselves  during  the  cleanup. 

During  the  cleanup,  all  airflow  is  halted  by  deactivating  the  cabin  and  IMU  fans  to  prevent  dispersion  of 
the  spilled  substance.  The  maximum  time  that  a  cabin  fan  can  be  deactivated  in  cm  off-nominal  situation 
is  20  minutes  (ref.  SODB,  Volume  3,  Rev.  A,  Table  4. 5.0-1,  Display  Driver  Unit).  The  maximum  time 
that  cm  IMU  fan  can  be  deactivated  in  an  off-nominal  situation  is  45  minutes,  (ref.  SODB,  Volume  3, 

Rev.  A,  Table  4. 5.0-1,  Inertial  Measuring  Unit). 
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By  definition,  a  level-3  hazardous  spill  is  catastrophic  and  con  tainable.  If  the  level-3  cleanup  fails,  this 
spill  will  be  upgraded  to  a  level  4,  and  level-4  cleanup  actions  shall  be  implemented. 

C.  LEVEL  2 

1.  ALL  CREWMEMBERS  WILL  DON  GOGGLES,  SURGICAL  MASKS,  AND 

SILVER  SHIELD  GLOVES.  THE  FLIGHT  DECK  CREW  WILL  TURN  OFF 
THE  CABIN  AND  IMU  FANS.  THE  CLEANUP  CREW  WILL  TAKE 
ACTIONS  1  .  a  AND  1  .b  LISTED  IN  PARAGRAPH  B  ABOVE.  ®[ED  ] 

2.  IF  CLEANUP  ATTEMPT  FAILS,  THE  HAZARDOUS  SPILL  WILL  BE 
UPGRADED  TO  A  LEVEL  4 . 

A  level-2  substance  is  either  a  solid  or  a  nonvolatile  liquid  that  is  containable  by  the  cleanup  crew. 

Crew  exposure  could  result  in  moderate  to  severe  irritation  that  has  the  potential  for  long-term  crew 
performance  decremen  t.  All  crewmembers  will  be  adequately  protected  by  the  5-micron  surgical  masks, 
goggles,  and  silver  shield  gloves. 

See  paragraph  B,  level-3  rationale,  for  the  reason  for  stopping  the  airflow  in  the  spill  area. 

Even  though  a  level-2  substance  causes  less  severe  effects  than  a  level-3  substance,  a  level-2  spill  is 
defined  as  catastrophic  and  containable.  If  the  level-2  cleanup  fails,  this  spill  will  be  upgraded  to  a 
level-4,  and  level-4  cleanup  actions  shall  be  implemented. 

D.  LEVEL  1 

ALL  CREWMEMBERS  WILL  DON  GOGGLES  AND  SURGICAL  MASKS.  THE 
FLIGHT  DECK  CREW  WILL  TURN  OFF  THE  CABIN  AND  IMU  FANS.  THE 
CLEANUP  CREW  WILL  DON  SURGICAL  GLOVES  AND  TAKE  ACTIONS  a  AND 
b  LISTED  IN  PARAGRAPH  B. 

A  level-1  hazardous  substance  may  or  may  not  be  containable  by  the  crew.  Crew  exposure  will  result 
only  in  slight  to  moderate  irritation.  All  crewmembers  will  be  protected  by  surgical  masks  and  goggles. 

See  paragraph  B,  level-3  rationale,  for  the  reason  for  stopping  the  airflow  in  the  spill  area. 

If  the  spill  is  not  con  tainable  by  the  crew,  the  MCC  will  determine  other  procedures  for  con  tainmen  t  or 
for  a  workaround. 
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E.  LEVEL  0 

THE  FLIGHT  DECK  CREW  WILL  TURN  OFF  THE  CABIN  AND  I MU  FANS. 
THE  CLEANUP  CREW  WILL  TAKE  ACTIONS  a  AND  b  LISTED  IN 
PARAGRAPH  B. 

A  level-0  substance  may  or  may  not  be  containable  by  the  crew.  Crew  exposure  would  result  in  only 
slight  transient  ( less  than  30  minutes)  irritation. 

No  protective  gear  is  required. 

See  paragraph  B,  level-3  rationale,  for  the  reason  for  stopping  the  airflow  in  the  spill  area. 

If  the  spill  is  not  con  tainable  by  the  crew,  the  MCC  will  determine  other  procedures  for  con  tainmen  t  or 
for  a  workaround. 

All  payload  substances  are  reviewed  by  the  Payload  Safety  Review  Panel;  those  not  listed  as  level-4 
through  1  are  considered  nonhazardous  (level  0). 
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@[092701-4872  ] 

THE  FLIGHT-SPECIFIC  ANNEX  WILL  LIST  ALL  EXPERIMENT/ SAMPLES 
CONTAINING  LEVEL-4  THROUGH  LEVEL-1  PAYLOAD  HAZARDOUS  SUBSTANCES. 
REFERENCE  RULE  {A13-154},  HAZARDOUS  SPILL  LEVEL  DEFINITIONS.  THE 
FOLLOWING  ACTIONS  WILL  BE  TAKEN  IN  THE  EVENT  THAT  A  HAZARDOUS 
SUBSTANCE  IS  RELEASED  INTO  THE  SPACEHAB/ORBITER  ATMOSPHERE. 
@[111501-4971  ] 

A.  LEVEL  4 

1.  ORBITER 

REFERENCE  RULE  {A13-155A},  ORBITER  HAZARDOUS  SUBSTANCE 
SPILL  RESPONSE.  THE  CREW  SHALL  SAFE  AND  ISOLATE  THE 
SPACEHAB  MODULE  PER  RULE  {A2-329},  SPACEHAB 
DEACTIVATION/ENTRY  PREP.  ®[ED  ] 

A  level-4  hazardous  substance  is  defined  as  either  a  gas,  a  volatile  liquid,  or  fumes  that  are  not 
containable  by  the  crew.  Crew  exposure  could  result  in  a  systemic  toxicity,  severe  irritation,  and/or 
tissue  damage.  The  driving  factor  that  distinguishes  a  level-4  substance  from  a  level-3  substance  is 
none  on  ta  inabil  i  ty. 


The  immediate  priorities  for  a  level-4  spill  in  the  orbiter  are  prevention  of  crew  exposure  to  the  sub¬ 
stance  and  configuration  of  the  atmospheric  revitalization  system  (ARS)for  environmental  scrubbing. 
All  crewmembers  will  don  and  activate  Quick  Don  Masks  to  avoid  any  detrimental  effects. 


The  Spacehab  module  cannot  be  used  as  a  safe  haven  for  the  crew  because  the  module  ARS  is  incapable 
of  controlling  humidity,  O2,  N2,  and  CO 2  concentrations. 

2  .  SPACEHAB  MODULE 

IF  HAZARDOUS  SPILL  OCCURS  IN  THE  SPACEHAB  MODULE,  EVACUATE 
ALL  CREWMEMBERS  TO  THE  ORBITER  EXCEPT  THE  SAFING  CREW.  THE 
FLIGHTDECK  CREW  WILL  TURN  OFF  ALL  SPACEHAB  FANS.  THE 
EVACUATING  CREW  WILL  CLOSE  THE  MAN  PL  ISOL  VLV .  THE  SAFING 
CREW  WILL  PERFORM  THE  FOLLOWING  ACTIONS:  @[021 600-71 02A] 

a.  DON/ACTIVATE  SEBS 

b.  OPEN  CABIN  DEPRESS  VALVE  (CDV) 

C.  EVACUATE  THE  MODULE 

d.  CLOSE  THE  SPACEHAB  HATCH 
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e.  CLOSE  AND  CAP  EQUALIZATION  VALVES  @[111501-4971] 

NOTE:  MODULE  ISOLATION  IS  NECESSARY  BECAUSE  THE  MODULE  ARS  DOES 

NOT  HAVE  THE  CAPABILITY  TO  SCRUB  THE  CONTAMINATED  AIR. 

ALL  EXPERIMENTS/SAMPLES  CONTAINING  LEVEL-4  PAYLOAD 
HAZARDOUS  SUBSTANCES  ARE  LISTED  IN  THE  FLIGHT  SPECIFIC 
ANNEX.  @[021 600-71 02A]  @[111501-4971] 

Reference  the  rationale  for  paragraph  1  for  a  definition  of  level-4  hazardous  substances. 

The  immediate  priorities  for  a  level-4  spill  in  the  module  are  crew  evacuation  to  the  orbiter  and 
isolating  Spacehcib.  Nonessential  crew  will  evacuate  to  the  orbiter  to  limit  crew  exposure  to  the 
hazardous  substance.  The  ARS  and  ccibin/HF A  fans  are  temporarily  deactivated  by  the  flightdeck  crew 
to  halt  air  exchange  within  the  transfer  tunnel  while  the  Spacehcib  hatch  is  still  open.  The  MAN  PL 
ISOL  VLV  is  closed  to  stop  air  exchange  between  Spacehcib  and  the  orbiter  through  the  transfer  tunnel 
ducting.  Since  the  Spacehcib  will  remain  powered,  the  CDV  is  being  opened  to  protect  the  option  to 
depress  the  module  in  case  of  ci  fire  or  to  reduce  the  level  of  the  hazardous  spill  concentration. 

@[021 600-71 02A] 

The  scifing  crew  will  don  and  activate  SEBS  to  avoid  systemic  effects  while  they  secure  the  module. 

B.  LEVEL  3 

1.  ORBITER: 

REFERENCE  RULE  {A13-155B},  ORBITER  HAZARDOUS  SUBSTANCE 
SPILL  RESPONSE.  THE  FLIGHTDECK  CREW  WILL  DEACTIVATE  THE 
SPACEHAB  ARS  FAN. 

A  level-3  hazardous  substance  is  defined  as  a  solid  or  nonvolatile  liquid  that  is  containable  by  the 
cleanup  crew.  It  is  this  contciinability  that  separates  a  level-3  substance  from  a  level-4. 

Crew  exposure  to  a  level-3  substance  could  result  in  systemic  toxicity,  severe  irritation,  and/or  tissue 
damage.  It  is  this  severity  of  effects  on  exposure  that  separates  a  level-3  substance  from  the  level-2, 

1,  and  0  substances.  Since  O2/N2,  CO2,  and  humidity  control  are  not  available  in  the  module  for  an 
orbiter  spill,  all  crewmembers  must  don  and  activate  Quick  Don  Masks  and  don  chemically  resistan  t 
silver  shield  gloves. 

During  the  cleanup,  all  airflow  in  the  spill  area  is  halted  to  prevent  dispersion  of  the  spilled  substance. 
For  an  orbiter  spill,  this  requires  deactivating  the  cabin  and  IMU  fans  and  turning  off  the  Spacehcib 
ARS  fan,  which  will  halt  air  exchange  between  the  orbiter  and  Spacehcib.  If  the  hazardous  spill  is  such 
that  total  isolation  of  the  Spacehcib  module  is  required,  the  MAN  PL  ISOL  VLV  and  the  Spacehcib  hatch 
will  be  closed.  ®[i  1 1 501  -4971  ] 
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2.  SPACEHAB  MODULE: 

ALL  CREWMEMBERS  EXCEPT  THE  CLEANUP  CREW  WILL  EVACUATE  THE 
MODULE.  THE  FLIGHTDECK  CREW  WILL  DEACTIVATE  THE  SPACEHAB 
ARS  AND  CAB IN /HF A  FANS.  THE  EVACUATING  CREW  WILL  CLOSE  THE 
MAN  PL  I  SOL  VLV .  THE  CLEANUP  CREW  WILL  TAKE  THE  FOLLOWING 
ACTIONS:  ®[i  1 1501-4971  ] 

a.  DON/ACTIVATE  SEBS  AND  SILVER  SHIELD  GLOVES 

b.  DEACTIVATE  AFT  MODULE  FAN  (LDM  ONLY)  ®[021 600-71 02A] 

C.  ATTEMPT  TO  CLEAN  UP  THE  SPILL 

d.  BAG,  LABEL,  AND  STOW  IN  WET  TRASH 

NOTE:  IF  CLEANUP  FAILS,  THIS  SPILL  WILL  BE  UPGRADED  TO  A 

LEVEL-4.  ALL  EXPERIMENTS/SAMPLES  CONTAINING  LEVEL-3 
PAYLOAD  TOXIC  MATERIALS  ARE  LISTED  IN  THE  FLIGHT 
SPECIFIC  ANNEX. 

See  rationale  from  paragraph  1  for  a  definition  of  a  level-3  hazardous  spill. 

The  cleanup  crew  must  use  SEBS  along  with  chemically  resistant  silver  shield  gloves  to  protect 
themselves  while  they  perform  the  cleanup. 

During  the  cleanup ,  all  airflow  in  the  spill  area  is  halted  by  closing  the  MAN  PL  ISOL  VLV  and  by 
deactivating  all  Spacehcib  subsystem  fans.  Unlike  for  a  level-4  spill,  the  aft  modu  le  fan  is 
deactivated  from  inside  the  module  by  the  cleanup  crew  because  an  item  entry  by  the  flightdeck  crew 
would  turn  off  the  aft  module  lights,  reducing  module  illumination  for  the  cleanup  crew.  @[021600- 
7102A] 

If  the  initial  module  PPCO2  level  is  7.15  mmHg  at  the  time  the  SH  ARS  fan  is  deactivated,  it  will 
take  23.7  minutes  to  reach  a  level  of  7.6  mmHg  and  378  minutes  to  reach  15  mmHg  (reference  TM- 
SP ACEH  ABN 1003,  April  1991 )  in  a  Spacehcib  single  module  configuration.  Times  will  be  greater 
for  Spacehab  double  module  (LDM/RDM)  configurations. 

By  definition,  a  level-3  hazardous  spill  is  catastrophic  and  con  tainable.  If  the  level-3  clean  up  fails,  this 
spill  will  be  upgraded  to  a  level-4,  and  level-4  cleanup  actions  will  be  implemented.  @[111501-4971  ] 
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(CONTINUED) 


C.  LEVEL  2  @[111501-4971] 

1.  ORBITER: 

REFERENCE  RULE  {A13-155C},  ORBITER  HAZARDOUS  SUBSTANCE 
SPILL  RESPONSE.  THE  FLIGHTDECK  CREW  WILL  DEACTIVATE  THE 
SPACEHAB  ARS  FAN. 

2.  SPACEHAB  MODULE: 

ALL  CREWMEMBERS  EXCEPT  THE  CLEANUP  CREW  WILL  EVACUATE 
THE  MODULE.  THE  FLIGHTDECK  CREW  WILL  DEACTIVATE  THE 
SPACEHAB  ARS  AND  CABIN/HFA  FANS.  THE  EVACUATING  CREW 
WILL  CLOSE  THE  MAN  PL  ISOL  VLV .  THE  CLEANUP  CREW  WILL 
TAKE  THE  FOLLOWING  ACTIONS. 

a.  DON  SURGICAL  MASKS,  GOGGLES,  AND  SILVER  SHIELD  GLOVES 

b.  DEACTIVATE  AFT  MODULE  FAN  ( LDM  ONLY) 

C.  ATTEMPT  TO  CLEAN  UP  THE  SPILL 

d.  BAG,  LABEL,  AND  STOW  IN  WET  TRASH 

NOTE:  IF  CLEANUP  FAILS,  THIS  SPILL  WILL  BE  UPGRADED  TO  A 

LEVEL-4.  ALL  EXPERIMENTS  CONTAINING  LEVEL-2  PAYLOAD 
TOXIC  MATERIALS  ARE  LISTED  IN  THE  FLIGHT  SPECIFIC 
ANNEX . 


A  level-2  hazardous  substance  is  either  a  solid  or  a  nonvolatile  liquid  that  is  containable  by  the  cleanup 
crew.  Crew  exposure  could  result  in  moderate-to-severe  irritation  that  has  the  potential  for  long-term 
crew  performance  decrement.  All  crewmembers  will  be  adequately  protected  by  the  5-micron  surgical 
masks,  goggles,  and  silver  shield  gloves. 

Reference  paragraph  B,  level-3  rationale  for  the  reason  for  stopping  airflow  in  the  spill  area. 

Even  though  a  level-2  substance  causes  less  severe  effects  than  a  level-3  substance,  a  level-2  hazardous 
spill  is  defined  as  catastrophic  and  con  tainable.  If  the  level-2  cleanup  fails,  this  spill  will  be  upgraded  to 
a  level-4,  and  level-4  cleanup  actions  shall  be  implemented.  @[111501-4971  ] 
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A13-156  SPACEHAB  HAZARDOUS  SUBSTANCE  SPILL  RESPONSE 

(CONTINUED) 


D.  LEVEL  1  @[111501-4971] 

1.  ORBITER: 

REFERENCE  RULE  {A13-155D},  ORBITER  HAZARDOUS  SUBSTANCE 
SPILL  RESPONSE.  THE  FLIGHTDECK  CREW  WILL  DEACTIVATE  THE 
SPACEHAB  ARS  FAN. 

2.  SPACEHAB  MODULE: 

ALL  CREWMEMBERS  EXCEPT  THE  CLEANUP  CREW  WILL  EVACUATE  THE 
MODULE.  THE  FLIGHTDECK  CREW  WILL  DEACTIVATE  THE  SPACEHAB 
ARS  AND  CAB IN /HF A  FANS.  THE  EVACUATING  CREW  WILL  CLOSE 
THE  MAN  PL  ISOL  VLV.  THE  CLEANUP  CREW  WILL  TAKE  THE 
FOLLOWING  ACTIONS. 

a.  DON  GOGGLES  AND  SURGICAL  MASKS  AND  GLOVES 

b.  DEACTIVATE  AFT  MODULE  FAN  (LDM  ONLY) 

C.  ATTEMPT  TO  CLEAN  UP  THE  SPILL 

d.  BAG,  LABEL,  AND  STOW  IN  WET  TRASH 

A  level-1  hazardous  substance  may  or  may  not  be  containable  by  the  crew.  Crew  exposure  could  result 
only  in  slight-to-moderate  irritation.  All  crewmembers  will  be  protected  by  surgical  masks  and  goggles. 
Also,  the  cleanup  crew  will  need  to  use  surgical  gloves.  @[111501-4971  ] 

Reference  paragraph  B.  level-3  rationale  for  the  reason  for  stopping  the  airflow  in  the  vicinity  of  the 
spill.  Reference  Rule  {A13-154}.  HAZARDOUS  SPILL  LEVEL  DEFINITIONS. 
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A13-156  SPACEHAB  HAZARDOUS  SUBSTANCE  SPILL  RESPONSE 

(CONTINUED) 

E.  LEVEL  0  @[111501-4971] 

1.  ORBITER: 

REFERENCE  RULE  {A13-155E},  ORBITER  HAZARDOUS  SUBSTANCE 
SPILL  RESPONSE.  NO  SPACEHAB  ACTIONS  ARE  REQUIRED. 

2.  SPACEHAB  MODULE: 

THE  FLIGHTDECK  CREW  WILL  DEACTIVATE  THE  SPACEHAB  ARS  AND 
CABIN/HFA  FANS.  THE  CLEANUP  CREW  WILL  TAKE  THE  FOLLOWING 
ACTIONS : 

a.  DEACTIVATE  AFT  MODULE  FAN  (LDM  ONLY) 

b.  ATTEMPT  TO  CLEAN  UP  THE  SPILL 

C.  BAG,  LABEL,  AND  STOW  IN  WET  TRASH 

A  level-0  substance  is  assumed  to  be  containable  by  the  crew.  Crew  exposure  would  result  in  only  slight 
transient  (less  than  30  minutes)  irritation.  No  protective  gear  is  required.  Reference  paragraph  B, 
level-3  rationale  for  the  reason  for  stopping  the  airflow  in  the  vicinity  of  the  spill. 

All  payload  substances  are  reviewed  by  the  Payload  Safety  Review  Panel;  those  not  listed  as  level-4 
through  1  are  considered  non-hazardous  (level-0).  ®[ii  1501-4971  ] 
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A13-201  ANTI— G  SUIT  PROTOCOL  (ANTI-ORTHOSTATIC 

COUNTERMEASURE )  ®[ED  ]  @[102501-4885] 

A.  WHEN  PREPARING  FOR  ENTRY,  EACH  CREWMEMBER  WILL  DON  THE  LES . 
IF  THE  CREWMEMBER  ELECTS  TO  INFLATE  THE  ANT I -G  BLADDERS,  THE 
BLADDERS  WILL  REMAIN  INFLATED  UNTIL  LANDING.  IF  THE 
CREWMEMBER  ELECTS  TO  DEFLATE  THE  ANTI-G  BLADDERS  PRIOR  TO 
EGRESS,  DEFLATION  WILL  BE  ACCOMPLISHED  PROGRESSIVELY  OVER  AT 
LEAST  A  10-MINUTE  PERIOD. 


Normal  adaptation  to  zero-g  results  in  a  condition  equivalent  to  a  10-percent  loss  of  blood  volume. 
During  entry  (re-exposure  to  gravity ),  blood  tends  to  pool  in  the  lower  extremities  arid  a  “light 
headedness”  or  visual  symptoms  may  result.  Inflation  of  the  anti-g  bladders  prevents  blood  pooling  and 
increases  blood  return  to  the  heart.  Gradual  deflation  of  the  bladders  after  landing  minimizes  symptoms 
by  reducing  blood  pooling. 

B.  FOR  FLIGHTS  GREATER  THAN  11  DAYS  (COMMANDER  FLIGHT  DAYS) 

OF  PLANNED  MISSION  LENGTH,  ANTI-G  SUITS  MUST  BE  INFLATED 
TO  0.5  PSI  AFTER  ENTRY  INTERFACE  AND  TO  AT  LEAST  1.0  PSI 
AT  1  G.  THE  ANTI-G  SUITS  MUST  REMAIN  INFLATED  UNTIL  AT 
LEAST  WHEEL-STOP. 


Anti-G  suit  inflation  needs  to  occur  prior  to  occurrence  of  symptoms.  This  will  be  especially  important 
to  help  preven  t  orthostatic  problems  after  longer  duration  flights.  @[102501-4885  ] 
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A.  FLUID  LOADING  IS  REQUIRED  BY  ALL  CREWMEMBERS  PRIOR  TO 
DEORBIT.  CREWMEMBERS  WILL  INITIATE  FLUID  LOADING  1 
HOUR  BEFORE  DEORBIT  TIG  AND  SHOULD  BE  COMPLETED  BY  El. 
EACH  CREWMEMBER  WILL  CONSUME  8  OUNCES  OF  WATER  AND  TWO 
SALT  TABLETS  OR  8  OUNCES  OF  OTHER  APPROVED  SOLUTION 
EVERY  15  MINUTES,  ACCORDING  TO  THE  FOLLOWING  TABLE: 

®[030994-1 608  ]  @[011801  -71 87A] 


FLUID  LOADING  AMOUNTS  FOR  ENTRY  BASED  ON  BODY  MASS: 


PREFLIGHT 

NUMBER  OF 

NUMBER  OF 

APPROVED 

CREWMEMBER 

8  OZ  DRINK 

SALT 

OR 

SOLN  (OZ) 

MASS 

CONTAINERS 

AND 

TABLETS 

<120  LBS 

3 

6 

24 

120-155 

4 

8 

32 

156-190 

5 

10 

40 

>190  LBS 

6 

12 

48 

@[050400-7187] 

THE  CREWMEMBERS  WILL  BE  INSTRUCTED  ON  THE  PROPER  AMOUNTS 
PRIOR  TO  LAUNCH.  REMINDERS  CAN  BE  GIVEN  DURING  THE  ENTRY 
DAY  PMC,  IF  NECESSARY. 

B.  IF  THERE  IS  A  ONE  ORBIT  WAVE-OFF  AND  THE  FLUID-LOADING 
PROTOCOL  DESCRIBED  IN  PARAGRAPH  A  WAS  COMPLETED,  THE  PROTOCOL 
SHOULD  BE  REPEATED  TO  A  TOTAL  OF  ONE-HALF  OF  THE  PRESCRIBED 
AMOUNT  DETERMINED  IN  PARAGRAPH  A,  TO  BE  COMPLETED  BY  El.  IF 
THERE  IS  A  GREATER  THAN  ONE  ORBIT  WAVEOFF  OR  A  PARTIAL  FLUID 
LOAD  WAS  COMPLETED  ON  THE  PREVIOUS  DEORBIT  ATTEMPT,  THE 
ENTIRE  PROTOCOL  DESCRIBED  IN  PARAGRAPH  A  SHOULD  BE  REPEATED. 
®[01 1801-7187A] 

C.  IF  A  CREWMEMBER  IS  PARTICIPATING  IN  A  FLUID-LOADING  DSO,  THE 
PROTOCOL  AND  ITS  METHOD  OF  IMPLEMENTATION  WILL  BE  DETAILED 
PREFLIGHT  BY  THE  INVESTIGATOR  AND  THE  CREW  SURGEON.  THE 
PROTOCOL  WILL  ALSO  BE  DOCUMENTED  IN  THE  MISSION-SPECIFIC 
FLIGHT  RULES  ANNEX. 
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A13-202  FLUID  LOADING  (CONTINUED) 

Oral  fluid  loading  with  a  salt/water  mixture  similar  to  body  fluids  has  been  shown  to  significantly  reduce 
detrimental  heart  rate  and  blood  pressure  changes  during  orthostatic  stress  post  flight.  Basing  the 
amount  of  salt  and  water  (in  a  proper  ratio)  or  other  approved  solution  on  the  crewmember’s  body  mass 
helps  to  assure  the  fluid  loading  is  adequate  for  larger  crewmembers  and  possibly  not  too  much  for 
smaller  crewmembers.  ASTROADE  ®  and  other  tested  isotonic  solutions  provide  plasma  volume 
expansion  similar  to  salt  tablets/water  and  may  be  easier  for  some  crewmembers  to  ingest.  Flight 
Surgeons  must  approve  these  alternate  solutions  for  individual  use  prior  to  flight.  @[030994-1608  ] 

®[ED  ] 

The  basis  for  initiating  fluid  loading  1  hour  prior  to  TIG  includes  the  amoun  t  of  time  it  takes  for  fluid  to 
leave  the  stomach,  enter  the  in  testine,  and  be  absorbed  to  affect  the  plasma  volume.  A  plot  for  gastric 
emptying  ( i.  e. ,  the  time  to  leave  the  stomach  and  enter  the  intestine)  showed  that  it  takes  approximately 
60  minutes  for  nearly  cdl  of  cm  isotonic  solution  consumed  to  enter  the  in  testine  (approximately  20 
minutes  for  80  percent,  approximately  40  minutes  for  95  percent,  approximately  60  minutes  for  98 
percen  t,  and  approximately  80  minutes  for  100  percen  t).  Furthermore,  it  takes  approximately  2  hours 
from  initiation  of  fluid  loading  for  the  change  in  plasma  volume  to  plateau  (at  approximately  5  percent). 
Since  landing  occurs  1  hour  after  TIG,  change  in  plasma  volume  will  peak  at  landing  if  fluid  loading  is 
initiated  1  hour  prior  to  TIG. 

From  a  wave-off  perspective,  the  desire  is  to  delay  fluid  loading  as  close  to  TIG  as  possible  since 
weather  wave-offs  often  occur  just  minutes  prior  to  TIG.  However,  consuming  too  much  too  fast  can 
cause  gastric  discomfort  and  vomiting. 

If  fluid  loading  is  initiated  1  hour  prior  to  TIG  but  deorbit  is  subsequently  delayed,  the  impact  is  crew 
discomfort  and  increased  WCS  usage.  Although  this  is  undesirable,  it  is  not  a  safety  issue.  However,  if 
fluid  loading  is  delayed  and  the  reduction  in  the  change  in  plasma  volume  at  landing  is  significant,  then 
crewmembers  may  feel  faint  or  dizzy  upon  return  to  lg  and  may  not  be  able  to  egress  unassisted.  This 
can  be  a  safety  concern  for  crewmembers  involved  with  landing  the  vehicle  and  for  cdl  crewmembers  in 
an  emergency  egress  scenario.  ®[oi  1 801  -71 87A] 

DOCUMENTATION:  M.W.  Bungo,  J.B.  Charles,  and  P.C.  Johnson,  Cardiovascular  Deconditioning 
During  Space  Flight  and  the  Use  of  Saline  as  a  Coun  termeasure  to  Orthostatic  Intoleranc,  Aviation 
Space  Environment  Medicine,  56(10):  985-990,  1985.  ®[0ii80i-7i87A] 

DOCUMENTATION :  F.  Brouns,  Gastric  Emptying  as  a  Regulatory  Factor  in  Fluid  Uptake. 
International  Journal  Sports  Medicine,  19(1998)  S 125 -S 128,  George  Thieme  Verlag  Stuttgart, 

New  York.  ®[01 1 801  -71 87A] 
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TANK  B  WATER  SHOULD  ONLY  BE  USED  AS  A  POTABLE  WATER  SOURCE  IN  A 
CONTINGENCY.  IF  IT  BECOMES  NECESSARY  FOR  CREWMEMBERS  TO  CONSUME 
TANK  B  WATER,  DIRECT  FLOW  OF  TANK  B  WATER  THROUGH  THE  AUXILIARY 
WATER  PORT  MICROBIAL  CHECK  VALVE  (MCV)  AND  WAIT  10  MINUTES  TO 
ALLOW  THE  IODINE  SUFFICIENT  TIME  TO  KILL  THE  BACTERIA.  TANK  B 
WATER  MUST  NOT  BE  MIXED  WITH  ANY  FLAVORING  ADDITIVES  DURING  THE 
10-MINUTE  PERIOD. 

Tank  B  water  is  unsafe  for  crew  consumption  without  additional  preparation.  Although  it  is  iodinated 
prior  to  launch ,  it  is  nominally  utilized  for  FES  operations  soon  after  orbital  insertion.  Tank  B 
subsequently  receives  water  directly  from  the  fuel  cell  without  being  iodinated  by  an  MCV.  Therefore, 
while  on  orbit,  tank  B  water  is  subject  to  bacterial  growth  and  should  be  considered  contaminated.  In 
order  to  ensure  the  crew  does  not  drink  contaminated  water,  tank  B  water  should  be  iodinated  for  an 
appropriate  period  of  time  prior  to  consumption.  An  IFM  procedure  will  be  utilized  to  divert  flow  of 
tank  B  water  through  the  auxiliary  water  port  MCV.  The  water  must  not  be  consumed  for  10  minutes 
after  passing  through  the  MCV,  allowing  the  iodine  sufficient  time  to  kill  bacteria.  In  addition,  water 
flavoring  additives  ( lemonade ,  tea,  etc.)  should  not  be  added  to  the  recently  iodinated  tank  B  water. 

These  additives  will  bind  with  iodine  and  prevent  its  antibacterial  activity.  ®[ED  ] 
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SECTION  14  -  SPACE  ENVIRONMENT 

The  Flight  Rules  of  the  Space  Environment  Section  deal  specifically  with  ionizing  radiation  and  are 
intended  to  provide  assurance  that  crew  radiation  exposure  during  Space  Shuttle  operations  will  be 
maintained  as  low  as  reasonably  achievable  (ALARA),  as  required  by  the  Code  of  Federal  Regulations 
for  Safety  and  Health..  In  this  context,  Space  Shuttle  operations  include  crew  activities  for  EVA  and  IVA 
for  the  orbiter  and  any  habitable  payload  (Spacelab,  Spacehab,  etc.).  JSC  Space  and  Life  Sciences 
personnel  ( Flight  Surgeon,  Radiological  Health  Officer,  and  the  Space  Radiation  Analysis  Group)  are 
responsible  for  prelaunch,  orbit,  and  postflight  assessment  of  all  shuttle  mission  crew  radiation 
hazard/health  issues.  ®[ED  ] 


DEFINITIONS 


A14-1  UNCONFIRMED  ARTIFICIAL  EVENT  DEFINITION 

AN  UNCONFIRMED  ARTIFICIAL  EVENT  IS  DEFINED  AS  AN  ARTIFICIAL  EVENT 
NOT  CONFIRMED  BY  THE  PROPER  SUPPORT  DATA  SOURCE. 


This  definition  is  self-explanatory.  It  is  included  to  minimize  the  influence  on  space  shuttle  operations  of 
rumor  or  speculation  from  unofficial  sources. 

Reference  Rule  { B14-1  j,  UNCONFIRMED  ARTIFICIAL  EVENT  DEFINITION.  [R ]  @[032901 -7266A] 

Rules  (A14-7J,  RADIATION  ENVIRONMENT  CONDITION  DEFINITION;  {A14-55},  DOWNGRADING 
TO  NOMINAL  FROM  ALERT  OR  CONTINGENC;  and  {B14-1},  UNCONFIRMED  ARTIFICIAL  EVENT 
DEFINITION.  [R],  reference  this  rule. 


A14-2  CONFIRMED  ARTIFICIAL  EVENT  DEFINITION 

A  CONFIRMED  ARTIFICIAL  EVENT  IS  DEFINED  AS  AN  ARTIFICIAL  EVENT 
THAT  IS  REPORTED  BY  THE  PROPER  SUPPORT  DATA  SOURCE. 

Reference  Rule  { B14-2  j,  CONFIRMED  ARTIFICIAL  EVENT  DEFINITION.  [R ]  @[032901 -7266A] 

Rules  (A14-7J,  RADIATION  ENVIRONMENT  CONDITION  DEFINITION;  { A14-55 j,  DOWNGRADING 
TO  NOMINAL  FROM  ALERT  OR  CONTINGENCY;  and  {B14-2},  CONFIRMED  ARTIFICIAL  EVENT 
DEFINITION. [R],  reference  this  rule. 
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A14-3  SOLAR  PARTICLE  EVENT  WARNING  DEFINITION  @[032901-7265] 

@[032901 -7271  A] 

A  SOLAR  PARTICLE  EVENT  (SPE)  WARNING  IS  DEFINED  AS  AN  SPE  WARNING 
GENERATED  BY  NOAA .  NO A A  WILL  GENERATE  THIS  WARNING  BASED  ON 
THEIR  PROJECTIONS  THAT  CURRENT  CONDITIONS  ARE  SUCH  THAT  THERE  IS 
A  HIGH  PROBABILITY  THAT  AN  SPE  (10  PROTONS  (>10  MEV) /CM-S-STER 
AT  GEOSYNCHRONOUS  ALTITUDE)  IS  LIKELY. 


NOAA  solar  models  take  into  account  many  different  factors  to  determine  that  a  solar  particle  event  is 
likely.  NOAA  will  also  provide  a  window  of  time  that  the  onset  of  the  SPE  may  be  observed.  This 
warning  replaces  the  previous  alert  criterion  based  on  X-ray  events,  magnitude  >M5,  as  an  indicator 
that  an  SPE  is  possible.  This  will  help  reduce  the  number  of  alerts. 

Reference  Rule  {B14-3 j,  SOLAR  PARTICLE  EVENT  WARNING  DEFINITION. [R ]  @[032901  -7271  A] 

Rules  (A14-7J,  RADIATION  ENVIRONMENT  CONDITION  DEFINITION  and  (B14-3J,  SOLAR 
PARTICLE  EVENT  WARNING  DEFINITION  [R],  referencethis  rule. 

A14-4  SOLAR  PARTICLE  EVENT  DEFINITION 

A  SOLAR  PARTICLE  EVENT  IS  DEFINED  AS  AN  INCREASE  IN  THE  NEAR-EARTH 
PROTON  RADIATION  ENVIRONMENT  RESULTING  FROM  SOLAR  FLARE  ACTIVITY. 
THRESHOLD  LEVEL  IS  10  PROTONS  ( >1 0  MEV) /C]\?-S-STER  AT  GEOSYNCHRONOUS 
ALTITUDE.  THRESHOLD  LEVEL  FOR  AN  ENERGETIC  SPE  IS  1  PROTON  (>100 
MEV) /CM2-S-STER  AT  GEOSYNCHRONOUS  ALTITUDE.  @[032901 -7267A] 


A  distinction  is  made  between  “ordinary”  SPE’s  and  energetic  SPE’s.  Ordinary  SPE’s  are  mostly  a 
concern  for  EVA  astronauts.  Energetic  SPE’s  include  particles  with  sufficient  energy  to  penetrate  the 
shuttle  and  thus  is  a  concern  for  both  TV  A  and  EVA  crewmembers. 

Reference  Rule  {B14-4},  SOLAR  PARTICLE  EVENT  (SPE)  DEFINITION.  .[R]  ®[03290i-7267A] 

Rules  (A14-7J,  RADIATION  ENVIRONMENT  CONDITION  DEFINITION;  { A14-55 j,  DOWNGRADING 
TO  NOMINAL  FROM  ALERT  OR  CONTINGENCY;  and  {B14-4},  SOLAR  PARTICLE  EVENT  (SPE) 
DEFINITION  .[R],  reference  this  rule. 
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A14-5  GEOMAGNETIC  STORM  DEFINITION  @[032901 -7272A] 

A  GEOMAGNETIC  STORM  IS  DEFINED  AS  A  CHANGE  FROM  NORMAL  LEVELS  IN 
THE  HORIZONTAL  COMPONENT  OF  THE  MAGNETIC  FIELD  AT  THE  SURFACE  OF 
THE  EARTH  AS  MEASURED  BY  MAGNETOMETERS  AT  BOULDER,  CO.  MAJOR 
GEOMAGNETIC  STORM  THRESHOLD  IS  Pq  =  50-99  OR  %  =  6.  SEVERE 
GEOMAGNETIC  STORM  THRESHOLD  IS  Pq  ?  100  OR  %  ?  7. 

Reference  Rule  { B14-5 },  GEOMAGNETIC  STORM  DEFINITION. .[RJ.  ®[03290i-7272A] 

Rules  (A14-7J,  RADIATION  ENVIRONMENT  CONDITION  DEFINITION;  and  {A14-55}, 
DOWNGRADING  TO  NOMINAL  FROM  ALERT  OR  CONTINGENCY;  reference  this  rule. 

A14-6  OTHER  RADIATION  EVENT  DEFINITION  @[032901 -7268A] 

OTHER  RADIATION  EVENT  IS  DEFINED  AS  INCREASED  RADIATION  RATES 
PRODUCED  BY  ANY  SOURCE  OTHER  THAN  SOLAR,  GEOMAGNETIC  OR 
ARTIFICIAL  EVENT  ACTIVITY.  THRESHOLD  LEVEL  IS  ANY  INCREASE  ABOVE 
THE  NOMINAL  MISSION  RATE  PROJECTIONS. 


This  definition  is  included  to  cover  any  natural  or  manmade  exposure  enhancement  from  radiation 
sources  not  listed  in  the  definitions  above.  For  example,  geomagnetic  storms  can  inject  or  accelerate 
particles  in  the  Earth ’s  trapped  charged  particle  belts  resulting  in  an  increased  ambient  radiation 
environment  surrounding  the  shuttle.  These  enhancements  can  last  from  days  to  weeks.  Occasionally, 
during  severe  geomagnetic  activity,  new  radiation  belts  that  may  persist  for  lengthy  periods  can  be 
formed  apart  from  the  existing  belts,  and  may  increase  shuttle  crew  exposure,  particularly  during  EVA ’s. 

Reference  Rule  { B14-6} ,  RADIATION  BELT  ENHANCEMENT  DEFINITION.  [R]  ®[03290i-7268A] 

Rules  {A14-7},  RADIATION  ENVIRONMENT  CONDITION  DEFINITION;  and  {A14-55}, 
DOWNGRADING  TO  NOMINAL  FROM  ALERT  OR  CONTINGENCY,  reference  this  rule. 
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A14-7 

RADIATION  ENVIRONMENT  CONDITION  DEFINITION 

CONDITION 

DEFINITION 

NOMINAL 

NO  ADVERSE  ENVIRONMENTAL  CONDITION  EXISTS. 

ALERT 

A  CONDITION  WHERE  AN  IMMINENT  INCREASE  IN  CREW  RADIATION  EXPOSURES  IS  POSSIBLE.  A 
RADIATION  ALERT  IS  INITIATED  WHEN  ANY  OF  THE  FOLLOWING  EVENTS  OCCUR: 

1.  UNCONFIRMED  ARTIFICIAL  EVENT  (REF.  RULES  A14-1},  UNCONFIRMED  ARTIFICIAL  EVENT 
DEFINITION); 

2.  SOLAR  PARTICLE  EVENT  WARNING  (REF.  RULE  {A14-3},  SOLAR  PARTICLE  EVENT  WARNING 
DEFINITION); 

3.  SOLAR  PARTICLE  EVENT  (REF.  RULE  {A14-4},  SOLAR  PARTICLE  EVENT  DEFINITION); 

4.  GEOMAGNETIC  STORM  (REF.  RULE  {A14-5},  GEOMAGNETIC  STORM  DEFINITION);  OR 

5.  OTHER  RADIATION  EVENT  (REF.  RULE  {A14-6},  OTHER  RADIATION  EVENT  DEFINITION]); 

CONTINGENCY 

A  CONFIRMED  INCREASE  IN  RADIATION  EXPOSURE  LEVELS  TO  THE  CREW  THAT  MAY  REQUIRE 
ACTIVE  INTERVENTION  TO  MINIMIZE  THE  EFFECTS  FROM  THE  ENHANCED  ENVIRONMENT. 

1.  FOR  >45-DEGREE  INCLINATION  FLIGHTS,  >100  PFU  (>100  MEV  PROTONS)  AS  MEASURED 

FROM  GOES; 

2.  FOR  >45-DEGREE  INCLINATION  FLIGHTS  AND  IF  SIGNIFICANT  MISSION  OBJECTIVES  ARE  TO 

BE  PERFORMED  EVA,  IF  Kb  >  8  OR  A  SIGNIFICANT  SHIFT  IN  THE  ELECTRON  BELTS  HAS 
OCCURRED; 

3.  IF  IN  THE  JUDGMENT  OF  THE  RADIATION  CONSOLE  OPERATOR,  ENVIRONMENTAL 

CONDITIONS  WILL  PRODUCE  LOCAL  DOSE  RATES  >  5  MRADS/MIN; 

4.  A  CONFIRMED  ARTIFICIAL  EVENT  (REF.  RULE  {A14-2},  CONFIRMED  ARTIFICIAL  EVENT 
DEFINITION); 

@[032901 -7273A] 

Space  weather  events  may  trigger  substantial  changes  in  the  near-Earth  radiation  environment.  Close 
monitoring  of  the  radiation  en  vironmen  t  is  required  to  detect  trends  that  could  lead  to  unacceptable 
increases  in  crew  radiation  exposure.  Radiation  environment  enhancements  may  become  significant 
enough  to  warrant  actions  by  the  crew  to  reduce  radiation  exposures  in  order  to  remain  within  crew 
exposure  limits  (Ref.  Rule  (A14-11J,  SHUTTLE  ADMINISTRATIVE  LIMIT  [HC])  and/or  comply  with 
ALARA  (Ref.  Rule  {A14-9},  ALARA  DEFINITION). 

Reference  Rule  {B14-7},  RADIATION  ENVIRONMENT  CONDITIONS.  [R]  (TBR  FOR  RUSSIAN 
CONCURRENCE )  @[03290 1 -7273A] 
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A14-8  PROJECTED  OPERATIONAL  DOSE  LIMIT  VIOLATION 

DEFINITION  @[032901 -7268A] 

PROJECTED  OPERATIONAL  DOSE  LIMIT  VIOLATION  IS  DEFINED  AS  A  DOSE 
EXTRAPOLATION  THAT  VIOLATES  AN  OPERATIONAL  LIMIT  (RULE  {A14-51},  CREW 
RADIATION  EXPOSURE  LIMITS  [HC] )  BASED  UPON  ANALYTICAL  PROJECTIONS 
WITH  ACCUMULATION  RATES  CONFIRMED  BY  ONBOARD  DOSIMETRY  READOUT. 

This  definition  is  seif-explanatory.  @[032901 -7268A] 

Rules  (A14-10J,  LEGAL  EXPOSURE  LIMITS  [HC]  and  { A14-53 },  ACTIONS  REQUIRED  FOR 
RADIATION  ENVIRONMENT  CONDITIONS  -  ON  ORBIT  [HC],  reference  this  rule. 

A14-9  ALARA  DEFINITION 

ALARA,  AS  LOW  AS  REASONABLY  ACHIEVABLE,  REFERS  TO  A  RADIATION 
PROTECTION  PRINCIPLE  THAT  REQUIRES  ANY  ADDITIONAL  RADIATION 
EXPOSURE  BE  SUBJECT  TO  A  RISK-VERSUS-GAIN  ANALYSIS  REGARDLESS  OF 
THE  MAGNITUDE  OF  ADDITIONAL  EXPOSURE.  THE  MAXIMUM  PERMISSIBLE 
LEVELS,  OR  LIMITS,  ARE  NOT  TO  BE  CONSIDERED  AS  "ACCEPTABLE,"  BUT 
INSTEAD,  THEY  REPRESENT  THE  LEVELS  THAT  SHOULD  NOT  BE  EXCEEDED. 

@[032901 -7275A] 

NASA  is  required  by  the  Occupational  Safety  and  Health  Administration  (OSHA)  to  maintain  a  risk- 
limitation  system  for  all  activities  that  involve  radiation  exposure.  This  risk-limitation  system  includes 
the  need  to  minimize  cumulative  radiation  exposures  for  all  crewmembers.  Since  OSHA  classifies 
crewmembers  as  radiation  workers,  these  federally  mandated  rules  apply. 

Reference  Rule  {B14-8},  ALARA  DEFINITION.  [R]  @[032901 -7275A] 

Rules [ A1 4-7},  RADIATION  ENVIRONMENT  CONDITION  DEFINITION;  { A14-10 },  LEGAL 
EXPOSURE  LIMITS  [HC[;  [A14-51 },  CREW  RADIATION  EXPOSURE  LIMITS  [HC[;  {A14-52}, 

ACTIONS  REQUIRED  FOR  RADIATION  ENVIRONMENT  CONDITIONS  -  PRELAUNCH,  {A14-53}, 

ACTIONS  REQUIRED  FOR  RADIATION  ENVIRONMENT  CONDITIONS  -  ON  ORBIT  [HC],  and 
[A14-54},  GO/NO-GO  CRITERIA  FOR  EVA  BASED  ON  RADIATION  EXPOSURE  [HC],  reference  this 
rule. 
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A14-10  LEGAL  EXPOSURE  LIMITS  [HC] 

THE  FOLLOWING  OPERATIONAL  CREW  IONIZING  RADIATION  EXPOSURE  LIMITS 
SHALL  BE  ADHERED  TO:  @[032901 -7274B] 

TABLE  A14-10-I  -  EXPOSURE  LIMITS  (REM  (SIEVERT) ) 


EXPOSURE  PERIOD 

BLOOD  FORMING  ORGAN  (BFO) 

EYE 

SKIN 

30  DAYS 

25  (0.25) 

100  (1.00) 

150  (1.50) 

ANNUAL 

50  (0.50) 

200  (2.00) 

300  (3.00) 

Space  shuttle  crew  radiation  exposure  limits  recommended  to  NASA  by  the  National  Council  on  Radiation 
Protection  and  Measurements,  “Guidance  on  Radiation  Received  in  Space  Activities,  ”  NCRP  Report  No. 
98,  July  31,  1989,  have  been  legally  adopted  as  the  agency’s  supplementary  standard  in  accordance  with 
29  CFR  1960.18.  Space  shuttle  flights  are  nominally  constrained  to  the  30-day  exposure  limits  that  are 
conservatively  set  to  minimize  mission  impact  ( ref.  Rule  { A14-8 },  PROJECTED  OPERATIONAL  DOSE 
LIMIT  VIOLATION  DEFINITION).  The  practice  of  ALARA  is  part  of  NASA ’s  legal  requirement  to 
regulate  crew  exposures  just  as  much  as  the  maximum  exposure  limits. 

Reference  Rule  { B14-9J ,  JOINT  EXPOSURE  LIMITS.  [R ]  @[032901 -7274B] 

Rules  {A14-51},  CREW  RADIATION  EXPOSURE  LIMITS  [HC];  {A14-54},  GO/NO-GO  CRITERIA  FOR 
EVA  BASED  ON  RADIATION  EXPOSURE  [HC];  and  {B14-9},  JOINT  EXPOSURE  LIMITS  [R], 
reference  this  rule.. 

A14-11  SHUTTLE  ADMINISTRATIVE  LIMIT  [HC] 

THE  SHUTTLE  ADMINISTRATIVE  LIMIT  IS  0.5  RAD  (SKIN)  ABOVE  THE 
PREFLIGHT  MISSION  EXPOSURE  LEVELS.  @[032901 -7276B] 

This  rule  is  applied  by  the  EVA  go/no-go  rule  to  establish  a  threshold  when  EVA’s  are  required  to  be 
rescheduled  to  reduce  exposure.  Below  this  threshold,  normal  ALARA  practices  govern  EVA  exposure 
con  trol.  The  administrative  limit  includes  all  additional  exposures  (IVA  and  EVA)  resulting  from  the 
enhanced  radiation  environment,  from  the  beginning  of  the  mission  projected  through  the  next  EVA. 

Reference  Rule  [B14-11J,  CREW  EXPOSURE  ADMINISTRATIVE  LIMITS.  [R]  (TBR  FOR  RUSSIAN 
CONCURRENCE )  ®[032901-7276B] 

Rules  [A14-7J,  RADIATION  ENVIRONMENT  CONDITION  DEFINITION;  (A14-53J,  ACTIONS 
REQUIRED  FOR  RADIATION  ENVIRONMENT  CONDITIONS  -  ON  ORBIT  [HC;  and,  {A14-54}, 
GO/NO-GO  CRITERIA  FOR  EVA  BASED  ON  RADIATION  EXPOSURE  [HC],  reference  this  rule., 
reference  this  rule. 
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A14-12  HIGH  DOSE  RATE  LIMITS  [HC] 

A  HIGH  DOSE  RATE  CONDITION  IS  DEFINED  AS  A  DOSE  PROJECTED  FOR  1 
DAY  THAT  EQUALS  OR  EXCEEDS  ONE  OF  THE  FOLLOWING:  @[032901 -7277B] 

A.  2.5  RAD  BFO/DAY  (0.025  GRAY) 

B.  10  RAD  EYE/DAY  (0.10  GRAY) 

C.  15  RAD  SKIN/DAY  (0.15  GRAY) 

The  National  Council  on  Radiation  Protection,  in  making  their  recommendation  for  the  legal  radiation 
exposure  limits,  defines  5  rem  BFO  in  1  day  as  the  threshold  for  acute  exposure.  For  uniformity,  the 
“rem”  values  are  converted  to”  rad”  using  an  assumed  quality  factor  of  2.0.  This  quality  factor  is  an 
estimate  of  the  expected  value  during  a  large  solar  proton  event.  Dose  rates  above  this  threshold  will 
result  in  additional  risk  compared  to  a  similar  exposure  delivered  over  a  longer  period  of  time  ( e.  g. , 
protracted/chronic  exposure).  Eye  and  skin  values  are  extrapolated  from  the  legal  limits  based  on  the 
BFO  exposure. 

Reference  Rule  {B 14-12},  HIGH  DOSE  RATE  LIMITS. [R ]  @[032901 -7277B] 

Rule  I A14-54J ,  GO/NO-GO  CRITERIA  FOR  EVA  BASED  ON  RADIATION  EXPOSURE  [HC], 
references  this  rule. 

A14-13  THROUGH  A14-50  RULES  ARE  RESERVED 
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MANAGEMENT 


A14-51  CREW  RADIATION  EXPOSURE  LIMITS  [HC]  @[032901 -7269B] 

THE  FOLLOWING  OPERATIONAL  CREW  IONIZING  RADIATION  EXPOSURE  LIMITS 
SHALL  BE  ADHERED  TO: 

A.  LEGAL  EXPOSURE  LIMITS  (REF.  RULE  {A14-10},  LEGAL  EXPOSURE 
LIMITS  [HC] ) 

B.  ALARA:  FLIGHT  MANAGEMENT  SHALL  EXERCISE  REASONABLE  EFFORTS 
TO  MAINTAIN  CREW  EXPOSURES  AS  LOW  AS  REASONABLE  ACHIEVABLY 
(REF.  RULE  { A14-9 }  ALARA  DEFINITION) . 


Space  shuttle  crew  radiation  exposure  limits  recommended  to  NASA  by  the  National  Council  on 
Radiation  Protection  and  Measurements,  “  Guidance  on  Radiation  Received  in  Space  Activities,  ” 
NCRP  Report  No.  98,  July  31,  1989,  have  been  legally  adopted  as  the  Agency’s  Supplementary 
Standard  in  accordance  with  29  CFR  1960.18.  Space  shuttle  flights  are  nominally  constrained  to  the 
30-day  exposure  limits  that  are  consen’atively  set  to  minimize  mission  impact.  The  practice  of  ALARA 
is  part  of  NASA 's  legal  requiremen  t  to  regulate  crew  exposures.  @[032901 -7269B] 

Rules  (A14-51J,  CREW  RADIATION  EXPOSURE  LIMITS  [HC])  and  (A14-52J,  ACTIONS 
REQUIRED  FOR  RADIATION  ENVIRONMENT  CONDITIONS  -  PRELAUNCH,  reference  this  rule. 
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A14-52  ACTIONS  REQUIRED  FOR  RADIATION  ENVIRONMENT 

CONDITIONS  -  PRELAUNCH  @[032901-7265]  @[032901 -7278A  ] 

A.  NOMINAL  OR  ALERT  -  GO  FOR  LAUNCH 

B.  CONTINGENCY  - 

1.  CONSIDERATION  SHALL  BE  MADE  TO  DEFER  THE  FLIGHT  UNTIL 
RADIATION  LEVELS  HAVE  DECLINED. 

2.  CONFIRMED  ARTIFICAL  EVENT  (ONLY): 

a.  PRIOR  TO  L-31  SECONDS,  THE  FLIGHT  DIRECTOR  WILL 
REQUEST  A  LAUNCH  HOLD. 

b.  AFTER  L-31  SECONDS,  GO  FOR  LAUNCH.  FURTHER  ACTION 
WILL  BE  GOVERNED  BY  ON-ORBIT  (REF.  RULE  {A14-53}, 
ACTIONS  REQUIRED  FOR  RADIATION  ENVIRONMENT  CONDITIONS 
-  ON  ORBIT)  [HC] . 

3.  OTHERWISE,  GO  FOR  LAUNCH . 

During  alert  or  contingency  conditions,  substantial  changes  in  the  near-Earth  radiation  environment 
may  be  initiated.  Close  monitoring  of  the  radiation  environment  is  required  to  detect  trends  that  could 
lead  to  unacceptable  increases  in  crew  radiation  exposure.  Radiation  environment  enhancements  may 
become  significant  enough  to  warrant  actions  by  the  crew  to  reduce  radiation  exposures  in  order  to 
remain  within  crew  exposure  limits  (ref.  Rule  {A14-51},  CREW  RADIATION  EXPOSURE  LIMITS  [HC] 
and/or  comply  with  ALARA  (ref.  Rule  {A14-9},  ALARA  DEFINITION). 

For  Artificial  events:  If  prior  to  L-31  seconds,  it  is  better  to  hold/terminate  than  to  risk  exposing  the 
crew  to  a  potentially  hazardous  radiation  environment.  After  L-31  seconds,  it  is  safer  to  continue  a 
nominal  ascent  and  subsequently  order  deorbit  if  required.  After  achieving  orbit,  further  action  will  be 
governed  by  orbit  flight  phase  rules.  Dosimeter  readings  are  needed  to  confirm  exposure  and  rate  of 
exposure  so  that  valid  projections  can  be  determined.  This  rule  will  minimize  crew  exposure  from  the 
poten  tially  very  high  dose  rates  that  can  be  produced  before  stabilization  of  the  enhanced  trapped 
electron  belts. 

Reference  Rule  [B14-103J,  ACTIONS  REQUIRED  FOR  RADIATION  ENVIRONMENT 
CONDITIONS. [R]  (TBR  FOR  RUSSIAN  CONCURRENCE )  ®[03290i-7278A  ] 
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A14-53  ACTIONS  REQUIRED  FOR  RADIATION  ENVIRONMENT 

CONDITIONS  -  ON  ORBIT  [HC]  @[032901-7265]  @[032901 -7279B] 


A.  ALERT 

1.  ENSURE  SHUTTLE  TEPC  IS  OPERATING. 

a.  OBTAIN  A  BASELINE  TEPC  CALLDOWN  IF  NOT  OBTAINED  IN 
LAST  24  HRS. 

b.  IF  THE  TEPC  IS  INOPERABLE,  OBTAIN  BASELINE 
MEASUREMENTS  FROM  THE  RADIATION  DOSIMETER  ASSEMBLY. 

2.  PERFORM  SHUTTLE  TEPC  DISPLAY  CALL-DOWNS  DAILY. 

B.  CONTINGENCY 

1.  ENSURE  SHUTTLE  TEPC  IS  OPERATING. 

a.  OBTAIN  A  BASELINE  TEPC  CALLDOWN  IF  NOT  OBTAINED  IN 
LAST  24  HRS. 

b.  IF  THE  TEPC  IS  INOPERABLE,  OBTAIN  BASELINE 
MEASUREMENTS  FROM  THE  RADIATION  DOSIMETER  ASSEMBLY. 

2.  PERFORM  SHUTTLE  TEPC  DISPLAY  CALLDOWNS  AT  LEAST  TWICE 

DAILY. 

3.  INFORM  CREW.  RECOMMEND  REMAINING  IN  THE  AIRLOCK  DURING 

INTERVALS  OF  HIGH  RISK  ORBITAL  ALIGNMENTS. 

4.  CONFIRMED  ARTIFICIAL  EVENT  (ONLY): 

a.  THE  FLIGHT  DIRECTOR  WILL  NOTIFY  THE  CREW  AND  REQUEST 
THE  CREW  TO  TAKE  AND  REPORT  DOSIMETER  READINGS  AT 
SPECIFIED  INTERVALS. 

b.  EVA  CREWMEMBER  WILL  RETURN  TO  THE  AIRLOCK  ASAP. 
GO/NO-GO  FOR  CONTINUATION  OF  EVA  WILL  BE  BASED  ON 
PROJECTED  RADIATION  EXPOSURE  LEVELS.  @[032901 -7279B] 

THIS  RULE  CONTINUED  ON  NEXT  PAGE 
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A14-53  ACTIONS  REQUIRED  FOR  RADIATION  ENVIRONMENT 

CONDITIONS  ~  ON  ORBIT  [HC]  (CONTINUED) 

5.  IF  AN  OPERATIONAL  DOSE  LIMIT  VIOLATION  HAS  BEEN  PROJECTED 
(REF.  RULE  { A14-8 } ,  PROJECTED  OPERATIONAL  DOSE  LIMIT 
VIOLATION  DEFINITION) ,  THE  FLIGHT  DIRECTOR  WILL  BE 
NOTIFIED.  @[032901 -7279B] 

a.  THE  FLIGHT  DIRECTOR  WILL  NOTIFY  THE  CREW  OF  THE 
PROJECTED  DOSE  LIMIT  VIOLATION. 

b.  BASED  ON  THE  PROJECTED  RADIATION  EXPOSURE  LEVELS  AND 
TIME  REMAINING  TO  REACH  THE  DOSE  LIMIT,  CONSIDERATION 
WILL  BE  GIVEN  TO: 

(1)  RESTRICT  CREW  LOCATION  WITHIN  THE  ORBITER. 

(2)  CHANGE  ORBITER  ALTITUDE/ATTITUDE  IF  IT  DECREASES 
CREW  EXPOSURES. 

(3)  DEORBIT  NEXT  PLS. 

(4)  DEORBIT  NEXT  DAY  PLS. 


During  alert  or  contingency  conditions,  substantial  changes  in  the  near-Ecirth  radiation  environment 
may  be  initiated.  Close  monitoring  of  the  radiation  environment  is  required  to  detect  trends  that  could 
lead  to  unacceptable  increases  in  crew  radiation  exposure.  Radiation  environment  enhancements  may 
become  significant  enough  to  warrant  actions  by  the  crew  to  reduce  radiation  exposures  in  order  to 
remain  within  crew  exposure  limits  (ref.  Rule  {A14-11},  SHUTTLE  ADMINISTRATIVE  LIMIT  [HC]) 
and/or  comply  with  ALARA  (ref.  Rule  {A14-9},  ALARA  DEFINITION).  Higher  shielded  locations  are 
based  on  analysis  conducted  by  SRAG.  Unplanned  exposures  will  be  evaluated  in  reed  time  by  the 
surgeon  to  determine  risk  of  medical  implications  and  weighed  against  other  mission  risks  prior  to 
making  recommendations  on  crew  actions.  Communications  with  the  Flight  Director  concerning  crew 
actions  will  be  coordinated  with  the  surgeon. 

Reference  Rule  (B 14-103},  ACTIONS  REQUIRED  FOR  RADIATION  ENVIRONMENT  CONDITIONS. 
[R ]  (TBR  FOR  RUSSIAN  CONCURRENCE)  @[032901 -7279B] 

Rule  [A14-52J,  ACTIONS  REQUIRED  FOR  RADIATION  ENVIRONMENT  CONDITIONS  - 
PRELAUNCH,  references  this  rule. 
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EXPOSURE  [HC]  @[032901-7265]  @[032901 -7280B] 

THE  FOLLOWING  WILL  BE  DONE  ONLY  TO  REDUCE  CREW  EVA  EXPOSURES: 

A.  FOR  PREDICTED  EVA  EXPOSURE  LESS  THAN  SHUTTLE  ADMINISTRATIVE 
LIMIT  (REF.  RULE  {A14-11},  SHUTTLE  ADMINISTRATIVE  LIMIT 
[HC]  )  : 

1.  CONSIDER  DELAYING  OR  ACCELERATING  EGRESS  1-2  REVS  IF  THIS 
WILL  REDUCE  THE  EXPOSURE  WHILE  ACCOMPLISHING  MISSION 
OBJECTIVES  CONSISTENT  WITH  NORMAL  CREW  GROUNDRULES  AND 
CONSTRAINTS,  AND  TIMELINE  CHANGES  ARE  LIMITED  TO  A  SINGLE 
FLIGHT  DAY. 

2.  AN  EVA  IN  PROGRESS  WILL  CONTINUE.  CONSIDER  NOT  ADDING 
UNSCHEDULED  ITEMS  TO  EXISTING  TIMELINE  IF  THIS  RESULTS  IN 
ADDITIONAL  EVA  CREW  EXPOSURE. 

While  performing  EVA’s,  crewmembers  have  reduced  levels  of  shielding  against  radiation  environments 
compared  with  TV  A  operations.  The  reduced  shielding  can  result  in  significantly  higher  exposures  to  the 
radiation  sensitive  organs  of  EVA  crewmembers  compared  with  the  TV  A  crew.  Avoiding  EVA’s  or 
rescheduling  EVA 's  when  possible  during  enhanced  radiation  environment  conditions  is  in  compliance 
with  the  federally  mandated  ALARA  principle.  To  meet  mission  objectives,  complete  avoidance  of 
radiation  exposure  may  not  be  possible.  Actions  are  based  on  combining  the  best  estimate  on  the  current 
mission  dose  with  the  projected  EVA  dose  and  comparing  that  value  against  the  administrative  limit  for 
that  time  in  the  mission. 

Even  for  crew  exposures  below  the  admin  limit,  the  flight  con  trol  team  will  consider  rescheduling  airlock 
egress  in  order  to  shift  out  of  high  radiation  areas,  if  this  can  be  done  while  still  accomplishing  all 
mission  objectives.  Based  on  the  levels  of  exposure  below  the  admin  limit,  this  replanning  is  limited  to  a 
1-2  rev  change  in  egress  time  in  order  to  preclude  significant  subsequent  replanning,  crew  scheduling 
groundrule  violations,  etc.  Unscheduled  tasks  will  not  be  added  for  the  next  EVA  if  they  will  result  in 
additional  elevated  exposures.  @[032901 -7280B] 

The  risk  from  additional  radiation  exposures  below  the  admin  limit  compared  with  the  risk  incurred  by 
going  EVA  is  low  enough  to  support  continuing  an  EVA  already  in  progress.  Unscheduled  tasks  added 
at  the  end  of  the  EVA  will  be  evaluated  against  additional  exposures.  Due  to  the  structure  of  the 
radiation  environment,  certain  geographic  regions  may  produce  significant  fractions  of  the  total 
exposure.  In  most  cases,  the  phasing  will  be  such  that  little  additional  risk  is  added  from  performing 
extra  tasks  and,  therefore,  the  tasks  could  be  added.  Potentially,  a  significant  exposure  could  be  phased 
at  the  end  of  the  EVA  that  would  merit  avoiding  the  unscheduled  task  in  lieu  of  con  tinuing.  ( Ref.  Rule 
{A14-9J,  ALARA  DEFINITION.)  ®[03290i-7280B] 
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A14-54  GO/NO-GO  CRITERIA  FOR  EVA  BASED  ON  RADIATION 

EXPOSURE  [HC]  (CONTINUED) 


The  admin  limit  is  in  place  to  regulate  mission  actions  to  minimize  risk.  The  mortality  risk  associated 
with  this  limit  is  comparable  to  the  risk  of  EMU  suit  penetration/depressurization.  It  is  also  comparable 
to  the  average  toted  radiation  risk  for  shuttle  flights.  The  maximum  mission  exposure  for  the  shuttle 
remains  at  the  30-day  legal  limit  values  ( e. g. ,  25  rem  BFO,  etc.). 

B.  PREDICTED  CREW  MISSION  EXPOSURE  GREATER  THAN  SHUTTLE 
ADMINISTRATIVE  LIMIT  AT  THE  END  OF  THE  EVA  (REF.  RULE 
{ A14-11 } ,  SHUTTLE  ADMINISTRATIVE  LIMIT  [HC]): 

1.  DELAY  OR  ACCELERATE  EGRESS  1-2  REVS  TO  REDUCE  EXPOSURES 
OR  DELAY  1  DAY  TO  RESCHEDULE  IN  A  LOWER  EXPOSURE  EVA 
PATH. 

2.  IF  AN  ISS  MISSION,  CONSIDER  TRANSFERRING  TASKS  TO  A 
STATION-BASED  EVA  TO  BE  PERFORMED  AT  A  LATER  DATE. 

3.  AN  EVA  IN  PROGRESS  WILL  CONTINUE.  CONSIDER  EXPEDITING 
TASKS  NOT  REQUIRED  FOR  PRIMARY  MISSION  OBJECTIVES. 


For  crew  mission  exposures  above  the  admin  limit,  replanning  will  be  more  aggressive,  including 
accepting  more  downstream  timeline  impacts,  crew  scheduling  groundrule  violations,  etc.  Since  shuttle 
operations  are  typically  time  constrained,  the  first  option  is  to  delay  or  accelerate  by  1-2  revs  to  shift  out 
of  the  enhanced  radiation  areas.  The  EVA  may  also  be  conducted  with  a  lower  exposure  by  delaying  the 
EVA  up  to  1  day  to  allow  the  increased  radiation  environment  to  decay  or  to  select  a  trajectory  that  has 
shifted  out  of  the  high  radiation  areas.  ®[03290i-7280B] 

The  risk  from  this  level  of  radiation  exposure/risk  compared  to  the  risk  incurred  by  going  EVA  is  low 
enough  to  support  con  tinuing  an  EVA  already  in  progress.  However,  consideration  of  expediting  or 
deleting  tasks  shall  be  made  to  aid  in  minimizing  the  radiation  risk  consistent  with  mission  objectives  and 
the  associated  risk  of  being  EVA.  If  an  ISS  mission,  consider  transferring  tasks  to  a  station-based  EVA. 

A  later  station  based  EVA  may  result  in  completing  the  task  with  a  lower  exposure.  ®[03290i-7280B] 

THIS  RULE  CONTINUED  ON  NEXT  PAGE 
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EXPOSURE  [HC]  (CONTINUED) 

C.  PREDICTED  CREW  EXPOSURE  GREATER  THAN  THE  HIGH  DOSE  RATE 
LIMITS  (REF.  RULE  {A14-12},  HIGH  DOSE  RATE  LIMITS  [HC]): 

1.  A  PLANNED  EVA  SHALL  BE  RESCHEDULED  AS  REQUIRED  TO  REDUCE 
THE  EXPOSURE  TO  BELOW  THE  HIGH  DOSE  RATE  LIMIT. 

2.  AN  EVA  IN  PROGRESS  SHALL  CONTINUE  ONLY  IF  NO  INCREASED 
ADDITIONAL  DOSE  IS  PROJECTED  FOR  THE  REMAINDER  OF  THE 
EVA.  OTHERWISE,  EXPEDITE  THE  EVA  BY  DELETING  TASKS  NOT 
REQUIRED  FOR  PRIMARY  MISSION  OBJECTIVES. 


The  high  dose  rate  limits  are  daily  exposure  limits  that  meet  the  bounding  assumptions  used  as  a  basis 
for  the  U.S.  legal  limits  and,  therefore,  require  replanning  using  similar  options  described  in  paragraph 
B.  This  replanning  will  ensure  the  predicted  exposure  is  below  the  high  dose  rate  limit  and  that  the 
crewmember’ s  mission  exposure  is  below  the  legal  exposure  limit,  if  possible,  or  as  low  as  practical 
above  the  admin  limit  if  exposu  re  history  is  curren  tly  in  the  restricted  range,  to  preclude  additional 
replanning. 

The  risk  of  this  level  of  radiation  warran  ts  ending  the  EVA  early.  Since  some  risk  has  already  been 
incurred  by  going  EVA,  an  EVA  in  progress  will  be  expedited  by  completing  only  the  tasks  required  for 
min  imum  mission  success.  Remain  ing  tasks  will  be  replann  ed  for  a  subsequen  t  EVA.  @[032901 -7280B] 

D.  PREDICTED  CREW  EXPOSURE  GREATER  THAN  THE  LEGAL  EXPOSURE 
LIMITS  (REF.  RULE  {A14-10},  LEGAL  EXPOSURE  LIMITS  [HC]): 
@[032901 -7280B] 

1.  A  PLANNED  EVA  SHALL  BE  RESCHEDULED  AS  REQUIRED  TO  REDUCE 
THE  CREWMEMBER'S  MISSION  EXPOSURE  TO  BELOW  THE  LEGAL 
EXPOSURE  LIMIT. 

2.  AN  EVA  IN  PROGRESS  SHALL  BE  TERMINATED. 

The  short-term  and  long-term  health  risks  incurred  with  exposures  above  the  legal  exposure  limits 
require  replanning  the  EVA  to  reduce  the  radiation  exposure,  despite  any  long-term  planning  impacts 
that  result.  Replanning  will  be  done  in  a  manner  that  ensures  the  predicted  EVA  exposure  is  as  low  as 
possible  to  preclude  additional  replanning. 

The  risk  of  this  level  of  radiation  warran  ts  terminating  an  EVA  in  progress  as  early  as  safely  possible. 
Only  tasks  required  for  crew  and  vehicle  safety  will  be  performed. 

Reference  Rule  { B14-106J ,  GO/NO-GO  CRITERIA  FOR  EVA  BASED  ON  RADIATION 
EXPOSURE. [HC]  [R]  ®[032901-7280B] 
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A14-55 

DOWNGRADING  TO  NOMINAL  FROM  ALERT  OR  CONTINGENCY 

A.  AN 

ALERT  IS  CANCELED  WHEN:  @[042601 -7281  A] 

1  . 

SPE  WARNING:  THE  TIME  PROJECTED  BY  NOAA  HAS  EXPIRED. 

2  . 

SPE:  FLUX  LEVELS  HAVE  BEEN  REDUCED  BELOW  EVENT  THRESHOLD 

CRITERIA  FOR  THREE  CONSECUTIVE  READINGS  AND  SHOW  A  CLEAR 
TREND  DOWN.  SUBSEQUENT  MINOR  FLUCTUATIONS  WILL  NOT 
CONSTITUTE  A  NEW  ALERT  UNLESS  LEVELS  INCREASE  OVER 

DEFINED  SPE  THRESHOLDS  FOR  THREE  CONSECUTIVE  READINGS 
(REF.  RULE  { A14-4 } ,  SOLAR  PARTICLE  EVENT  (SPE) 

DEFINITION) . 

3. 

GEOMAGNETIC  STORM:  GEOMAGNETIC  KB  OR  AB  LEVELS  ARE 
REDUCED  BELOW  EVENT  THRESHOLD  LEVELS  (REF.  RULE  {A14-5}, 
GEOMAGNETIC  STORM  DEFINITION) . 

4  . 

OTHER  RADIATION  EVENT:  REGRESSION  TO  NOMINAL 

ENVIRONMENTAL  CONDITIONS  IS  AT  THE  DISCRETION  OF  THE 
RADIATION  CONSOLE  OPERATOR  (REF.  RULE  {A14-6},  OTHER 
RADIATION  EVENT  DEFINITION) . 

5  . 

UNCONFIRMED  ARTIFICIAL  EVENT:  WILL  BE  EVALUATED  ON 

A  CASE  BY  CASE  BASIS  FOR  DOWNGRADING  (REF.  RULE 
{ A14-1 } ,  UNCONFIRMED  ARTIFICIAL  EVENT  DEFINITION). 

@[042601 -7281  A] 
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A14-55  DOWNGRADING  TO  NOMINAL  FROM  ALERT  OR  CONTINGENCY 

(CONTINUED) 


B.  A  CONTINGENCY  IS  DOWNGRADED  TO  NOMINAL  WHEN:  @[042601 -7281  A] 

1.  SPE:  FLUX  LEVELS  HAVE  BEEN  REDUCED  BELOW  EVENT  THRESHOLD 
CRITERIA  FOR  THREE  CONSECUTIVE  READINGS  AND  SHOW  A  CLEAR 
TREND  DOWN.  SUBSEQUENT  MINOR  FLUCTUATIONS  WILL  NOT 
CONSTITUTE  A  NEW  ALERT  UNLESS  LEVELS  INCREASE  OVER 
DEFINED  SPE  THRESHOLDS  FOR  THREE  CONSECUTIVE  READINGS 
(REF.  RULE  { A14-4 } ,  SOLAR  PARTICLE  EVENT  (SPE) 

DEFINITION) . 

2.  GEOMAGNETIC  STORM  (FOR  EVA  CONSIDERATION):  GEOMAGNETIC 
Kb  OR  Ab  LEVELS  ARE  REDUCED  BELOW  EVENT  THRESHOLD  LEVELS 
AND  TRAPPED  ELECTRONS  ARE  NOT  AT  ELEVATED  LEVELS  (REF. 
RULE  {A14-5},  GEOMAGNETIC  STORM  DEFINITION). 

3.  OTHER  RADIATION  EVENT:  REGRESSION  TO  NOMINAL 
ENVIRONMENTAL  CONDITIONS  IS  AT  THE  DISCRETION  OF  THE 
RADIATION  CONSOLE  OPERATOR  (REF.  RULE  {A14-6},  OTHER 
RADIATION  EVENT  DEFINITION) . 

4.  CONFIRMED  ARTIFICIAL  EVENT:  WILL  BE  EVALUATED  ON  A  CASE 
BY  CASE  BASIS  FOR  DOWNGRADING  (REF.  RULE  {A14-2}, 
CONFIRMED  ARTIFICIAL  EVENT  DEFINITION) . 


A/7  alert  indicates  a  change  in  the  environment  that  threatens  to  increase  crew  exposures.  This  rule 
provides  guidelines  when  conditions  are  no  longer  indicative  of  escalating  environmental  conditions 
(SPE/Geomagnetic  Storm/Artificial  Event )  or  an  assessment  of  re-planning  (belt  enhancement). 
Likewise,  contingency  conditions  will  also  be  downgraded.  During  big  events,  downgrading  may 
only  be  temporary  due  to  re-initiation  of  activity  of  events. 

Reference  Rule  (B 14- 109},  DOWNGRADING  TO  NOMINAL  FROM  ALERT  OR  CONTINGENCY  [R] 

@[032901-7265]  @[042601 -7281  A] 
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A14-1001  SPACE  ENVIRONMENT  GO/NO-GO  CRITERIA  [HC]  @[032901 -7270B] 


RADIATION  CONDITION 

F 

JGHT  PHASE 

PRELAUNCH 

ORBIT 

EVA 

UNCONFIRMED  ARTIFICIAL  EVENT 

[i] 

[i] 

[i] 

CONFIRMED  ARTIFICIAL  EVENT 

[2]  [4]  [5] 

[4]  [5] 

[3]  [4]  [5] 

SOLAR  PARTICLE  EVENT  WARNING 

[1] 

[1] 

[1] 

SOLAR  PARTICLE  EVENT 

[4] 

[4] 

[4] 

GEOMAGNETIC  STORM 

[1]  [4] 

[1]  [4] 

[1]  [4] 

OTHER  RADIATION  EVENT 

[4] 

[4] 

[4] 

PROJECTED  OPERATIONAL  DOSE  LIMIT 
VIOLATION 

[2]  [4]  [5] 

[5] 

[3]  [5] 

@[032901 -7270B] 


NOTES: 


[1]  PURSUE  CONFIRMATION  FROM  ALL  DATA  SOURCES. 

[2]  HOLD  LAUNCH  IF  PRIOR  TO  L-31  SECONDS. 

[3]  EVA  CREW  TO  AIRLOCK  (MAY  REQUIRE  RISK  VERSUS  GAIN  ASSESSMENT).  (TEMPORARY  ACTION. 
GO/NO-GO  FOR  CONTINUATION  OF  EVA  DETERMINED  THROUGH  IMPLEMENTATION  OF  NOTES  4 
AND  5,  IF  NECESSARY.) 

[4]  PURSUE  MAXIMUM  DATA  RECOVERY  FROM  STS  RADIATION  SUPPORT  DATA  SOURCES  AND/OR 
SPACECRAFT  DOSIMETRY  FOR  RISK  ASSESSMENT.  (ONBOARD  DOSIMETRY  READOUT  WILL  BE 
REQUESTED  IF  PROJECTED  EXPOSURES  REACH  LEVELS  OF  CONCERN  OR  IF  DATA  ASSESSMENT 
INDICATES  HIGH  EXPOSURES  HAVE  BEEN  RECEIVED.  RESULTS  OF  DATA  ASSESSMENT  WILL 
DETERMINE  THE  NECESSITY  FOR  NOTE  5  IMPLEMENTATION.) 

[5]  CONSIDER  MISSION  CHANGE  TO  LOWER  DOSE  WITHOUT  INCREASING  TOTAL  RISK  TO  CREW. 
NASA  MANAGEMENT  RISK  VERSUS  GAIN  DECISION  REQUIRED.  (CONSIDERATIONS  ARE 
RADIATION  SOURCE  AND  EXPOSURE  LEVEL  DEPENDENT,  AND  INCLUDE:  LOWERING  ALTITUDE, 
CHANGING  ORBITER  ATTITUDE,  RESTRICTING  CREW  LOCATION,  EVA  CREW  TO  AIRLOCK  AT 
SPECIFIED  TIMES,  TERMINATE  EVA,  DEORBIT  AT  A  SPECIFIED  PLS,  DEORBIT  NEXT  PLS,  DEORBIT 
NEXT  DAY  PLS,  ETC.) 


The  criteria  table  provides  a  logical  sequence  for  operational  decisions  to  maximize  crew  safety: 
(I)  identifies  the  radiation  source,  (2)  confirms  the  enhanced  radiation  condition,  (3)  projects  the 
anticipated  exposure  level,  and  (4)  provides  information  pertinent  to  risk  versus  gain  assessment. 


Rule  (B 14- 106},  GO/NO-GO  CRITERIA  FOR  EVA  BASED  ON  RADIATION  EXPOSURE  [HC]  [R], 
references  this  rule. 
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SECTION  15  -  EXTRAVEHICULAR  ACTIVITY  (EVA) 


GENERAL 


A15-1  EVA  TIME  DEFINITION 

A.  EMU  TIME 

EMU  TIME  STARTS  WHEN  THE  EMU  IS  SWITCHED  TO  INTERNAL  POWER, 
ENDS  WHEN  THE  EMU  IS  SWITCHED  TO  ORBITER  POWER. 

EMU  time  represents  the  time  that  the  EMU  is  operating  on  internal  power.  The  EMU  primary  life 
support  subsystem  (PLSS)  provides  consumables  for  a  duration  of  7  hours.  In  order  to  provide  a 
30-minute  reserve  of  primary  consumables,  EVA  operations  should  be  scheduled  to  be  completed  within 
a  phase  elapse  time  {PET)  of  6  hours  30  minutes.  This  time  includes  all  overhead  activities  (such  as 
airlock  egress/ingress  and  payload  bay  setup/cleanup)  in  addition  to  the  EVA  task  itself. 

B.  EVA  PHASE  ELAPSE  TIME 

EVA  PET  STARTS  WHEN  THE  EMU  IS  SWITCHED  TO  INTERNAL  POWER, 
ENDS  WHEN  AIRLOCK  REPRESSURIZATION  IS  INITIATED. 


EVA  PET  represents  the  time  that  the  EMU  is  exposed  to  vacuum.  Some  EVA  scenarios  require  the  EVA 
crew  to  return  to  the  airlock  and  wait  for  some  other  operation  to  be  completed  ( e.  g. ,  a  payload 
deployment)  before  resuming  EVA  tasks  or  before  initiating  airlock  repressurization.  Since  the  EMU  is 
operating  on  orbiter  power  during  this  time,  EVA  PET  may  be  significantly  longer  than  EMU  time.  EVA 
PET  will  be  used  when  tabulating  historical  mission  data. 


A15-2  TERMINATE  EVA  DEFINITION 

TERMINATE  EVA  MEANS  TO  CEASE  EVA  ACTIVITIES,  CLOSE  OUT  PAYLOAD 
BAY,  TRANSFER  TO  ORBITER  AIRLOCK,  INGRESS,  AND  REPRESSURIZE 
AIRLOCK. 

NOTE:  IF  EMU  PROBLEM  CAN  BE  STABI LI ZED /CORRECTED  BY  USING 

SERVICE  AND  COOLING  UMBILICAL  (SCU),  CREWMEMBER  WITH 
PROBLEM  MAY  REMAIN  ON  SCU  AT  VACUUM  FOR  POSSIBLE 
RESCUE/ASSIST,  WHILE  OTHER  CREWMEMBER  COMPLETES  EVA. 
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A15-3  ABORT  EVA  DEFINITION 

ABORT  EVA  MEANS  TO  IMMEDIATELY  TRANSFER  TO  ORBITER  AIRLOCK, 
INGRESS,  AND  REPRESSURIZE  AIRLOCK. 

A15-4  SCHEDULED  EVA  DEFINITION 

A  SCHEDULED  EVA  IS  DEFINED  AS  ANY  EVA  INCORPORATED  INTO  THE 
NOMINAL  FLIGHT  PLAN.  @[041896-1868] 

A15-5  UNSCHEDULED  EVA  DEFINITION 

AN  UNSCHEDULED  EVA  IS  USED  TO  ACHIEVE/ENHANCE  THE  MISSION 
OBJECTIVES  OF  THE  ORBITER  OR  ITS  PAYLOADS.  IT  IS  NOT  PART  OF  THE 
FLIGHT  PLAN.  @[041896-1869] 

A15-6  CONTINGENCY  EVA  DEFINITION 

A  CONTINGENCY  EVA  IS  DEFINED  AS  AN  EVA  REQUIRED  TO  EFFECT  THE 
SAFE  RETURN  OF  THE  CREW  AND  THE  ORBITER. 

A15-7  MINIMUM  RF  COMMUNICATIONS  DEFINITION 

IN  ORDER  TO  COMMIT  TO  OR  CONTINUE  A  SCHEDULED  OR  UNSCHEDULED  EVA, 
EACH  EVA  CREWMEMBER  MUST  HAVE  TWO-WAY  COMMUNICATIONS  WITH  THE 
ORBITER,  EITHER  DIRECTLY  OR  VIA  THE  OTHER  EVA  CREWMEMBER  (REF. 
RULE  {All-6},  MINIMUM  COMMUNICATIONS  REQUIREMENTS  FOR  SCHEDULED 
EVA)  .  ®[ED  ] 

Rules  { A15-102E} ,  EMU  GO/NO-GO  CRITERIA;  and  {A15-155},  MANIPULATOR  FOOT  RESTRAINT 
(MFR )  AND  PFR  ATTACHMENT  DEVICE  ( PAD )  GUIDELINES,  reference  this  rule.  @[090894-1 669A] 

®[ED  ] 
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A15-8  OPERATIONAL  CAUTION  AND  WARNING  SYSTEM  (CWS) 

DEFINITION 

THE  EMU  CWS  IS  DETERMINED  TO  BE  OPERATIONAL  IF  EITHER  OF  THE 
FOLLOWING  TWO  CONDITIONS  ARE  SATISFIED:  @[090894-1668] 

A.  THE  ABILITY  TO  MONITOR  THE  OPERATIONAL  INTEGRITY  OF  THE  EMU 
(AT  LEAST  STATUS  LIST)  BY  THE  EVA  CREW. 

B.  THE  ABILITY  FOR  MCC  TO  MONITOR  THE  EMU  STATUS  WITH  THE  EVA 
CREW  MONITORING  CWS  ALERT  TONES  AND  THE  DISPLAYS  AND  CONTROL 
MODULE  (DCM)  SUIT  PRESSURE  GAUGE. 


The  EMU  CWS  is  operational  if  the  EVA  crew  can  monitor  at  least  the  DCM  status  list  to  determine 
EMU  failures.  If  the  crew  cannot  monitor  the  DCM  status  list,  then  MCC  will  have  to  monitor  EMU 
status  while  the  EVA  crew  monitors  the  CWS  alert  tones  and  the  DCM  suit  pressure  gauge.  If  a  CWS 
alert  tone  was  to  occur  with  a  non-functional  DCM  display,  the  EVA  crew  would  check  the  suit  pressure 
gauge  and  check  with  MCC  to  determine  the  type  of  failure  and  action. 

Reference  Rule  {A15-102KJ.2,  EMU  GO/NO-GO  CRITERIA.  @[090894-1668]  ®[ED  ] 

A15-9  TWO/ONE-CREWMEMBER  EVA  GUIDELINES 

REFERENCE  RULE  {A2-107},  EVA  GUIDELINES. 

A15-10  EVA  CREWMEMBER (S)  SUPPORT 

AT  ALL  TIMES  DURING  EVA,  AT  LEAST  ONE  INTRA VEHICULAR  (IV) 
CREWMEMBER  WILL  BE  DEDICATED  TO  SUPPORTING  THE  EVA  CREWMEMBERS. 

@[021 1 99-6747B] 

IV  crewmember  is  responsible  for  recording  EMU  status,  monitoring  the  timeline,  and  providing  orbiter 
support. 
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A15-11  SAFETY  TETHER  REQUIREMENTS 

A.  AT  ALL  TIMES  DURING  EVA,  EXCEPT  WHEN  INSIDE  A  CLOSED  AIRLOCK, 
EACH  EVA  CREWMEMBER  WILL  BE  ATTACHED  TO  THE  ORBITER  VIA  A 
SAFETY  TETHER.  FLIGHT-SPECIFIC  EXCEPTIONS  TO  TETHERING  TO 
THE  ORBITER  WILL  BE  IDENTIFIED  IN  THE  FLIGHT-SPECIFIC  ANNEX. 
®[021 1 99-6747B] 


Prevent  loss  of  crewmember  and  resulting  rescue  scenarios.  For  some  missions,  it  may  be  desirable  for 
the  crewmember  to  be  attached  (to  a  certified  tether  point )  to  the  payload  secured  in  the  payload  bay 
rather  than  the  orbiter. 


B.  EVA  TOOLS  WILL  BE  TETHERED  TO  THE  CREWMEMBER  AT  ALL  TIMES 
DURING  THEIR  USE. 


Prevents  loss  of  tools.  Free-floating  tools  could  impact  orbiter  causing  orbiter  damage. 


A15-12  HAZARDOUS  EQUIPMENT  SAFING 

POTENTIALLY  HAZARDOUS  EQUIPMENT  WILL  BE  VERIFIED  SAFE  IN  THE 
EVENT  OF  EVA. 

Potentially  hazardous  equipment  will  be  verified  safe  in  the  event  of  an  EVA  to  minimize  chances  for 
injury  to  the  EV  crewmember. 


A15-13  AIRLOCK  CONFIGURATION 

AN  EVA  CREWMEMBER  SHALL  NOT  BE  LOCKED  OUT  OF  A  PRESSURIZED 
AIRLOCK  EXCEPT  IN  THE  CASE  OF  AN  "ABORT  EVA"  WHERE  THE  EV 
CREWMEMBERS  ARE  SIGNIFICANTLY  SEPARATED  AND  REPRESSURIZATION  TIME 
IS  CRITICAL.  ©[021199-6747B] 

In  the  case  of  a  serious  EMU  failure  ( i.  e. ,  loss  of  suit  pressure),  the  EV  crewmember  must  have 
immediate  access  to  the  airlock.  This  includes  an  abort  scenario  where  the  other  EV  crewmember  is 
significantly  separated  from  the  airlock.  In  this  case,  the  separated  crewmember  still  has  the  capability 
to  depressurize  the  airlock  for  ingress  via  the  outer  hatch  equalization  valves.  ®[021199-6747B] 
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A15-14  SCHEDULED  AND  UNSCHEDULED  EVA  CONSTRAINTS 

A.  NO  SCHEDULED  EVA  WILL  BE  PERFORMED  PRIOR  TO  MET  72  HOURS. 

During  adaptation  to  zero-g  conditions,  moving  about  may  provoke  symptoms  of  illness.  The  activity 
associated  with  putting  on  a  suit  would  increase  the  chance  of  an  EVA  crewmember  being  ill  and 
potentially  endanger  the  crewmember  with  vomitus  in  the  suit. 

B.  UNSCHEDULED  EVA'S: 


1 . 

NO 

OF 

UNSCHEDULED 

FLIGHT . 

EVA 

SHALL 

OCCUR  DURING  THE 

FIRST 

24 

HOURS 

2  . 

AN 

UNSCHEDULED 

EVA 

MAY  BE 

PERFORMED  PRIOR 

TO  MET 

72 

HOURS 

ONLY  IF  AN  ASSESSMENT  OF  CREW  HEALTH  HAS  BEEN  ACCOMPLISHED 
BY  THE  FOR  SURGEON  AND  APPROVED  BY  THE  FLIGHT  DIRECTOR. 

Asymptomatic  crewmembers  may  be  able  to  safely  perform  an  unscheduled  EVA  before  MET  72  hours. 

An  accurate  assessment  of  the  health  status  of  the  EVA  crew  can  be  made  by  the  FCR  surgeon  during  a 
private  medical  conference. 

C.  NO  SCHEDULED  OR  UNSCHEDULED  EVA  SHALL  BE  PERFORMED  ON  ENTRY 

DAY  . 

1.  FOR  A  FLIGHT  USING  A  SINGLE  CREW  SHIFT,  A  SCHEDULED  OR 
UNSCHEDULED  EVA  MAY  BE  PERFORMED  ON  THE  DAY  BEFORE  ENTRY 
ONLY  IF  AIRLOCK  INGRESS  IS  COMPLETED  NOT  LATER  THAN  CREW 
SLEEP  MINUS  7  HOURS. 

2.  FOR  A  FLIGHT  USING  DUAL  SHIFT  OPERATIONS,  A  SCHEDULED  OR 
UNSCHEDULED  EVA  MAY  BE  PERFORMED  ON  THE  DAY  BEFORE  ENTRY 
ONLY  IF  AIRLOCK  INGRESS  IS  COMPLETED  NOT  LATER  THAN  CREW 
SLEEP  (NONENTRY  TEAM)  MINUS  4.5  HOURS. 

An  EVA  may  be  done  on  the  day  before  entry  if  there  is  adequate  time  post-EVA  to  perform 
required  activities.  These  activities  include  airlock  repress,  post-EVA,  EMU  maintenance  recharge, 
post-EVA  entry  prep,  cabin  stow,  and  presleep.  Seven  hours  is  considered  the  minimum  amount  of 
time  to  accomplish  these  activities  for  a  single  shift  flight.  FCS  C/O,  RCS  hot  fire,  and  cabin  repress 
activities  must  also  be  performed  but  can  be  overlapped  with  post-EVA  arid  cabin  stow  activities.  For  an 
unscheduled  EVA  on  the  day  before  entry,  it  will  be  necessary  to  perform  this  EVA  as  a  “quick  response” 
EVA  ( i.  e. ,  the  EMU  C/O  and  cabin  depress  will  need  to  be  done  on  the  day  prior  to  the  EVA).  For  a  dual 
shift  flight,  4.5  hours  is  considered  the  minimum  due  to  cabin  stow  occurring  on  entry  day  for  the 
nonentry  team. 
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A15-15  CONTINGENCY  EVA  PROTECTION 

A  SCHEDULED  OR  UNSCHEDULED  EVA  WILL  NOT  BE  CONDUCTED  IF 
IT  JEOPARDIZES  FUTURE  CONTINGENCY  EVA  CAPABILITY  (E.G., 
INSUFFICIENT  CONSUMABLES  FOR  RECHARGE) . 


Must  always  preserve  the  capability  to  perform  a  contingency  EVA  to  bring  the  orbiter  home  safely. 
Reference  Rule  { A2-107A j,  EVA  GUIDELINES. 


A15-16  EVA  TERMINATION  FOR  CABIN  LEAK 

A  SCHEDULED  OR  UNSCHEDULED  EVA  WILL  BE  TERMINATED  FOR  A  CABIN 
LEAK  WHICH  CAUSES  LOSS  OF  HIGHER  PRIORITY  FLIGHT  OBJECTIVES  OR 
COMPROMISES  SAFE  ENTRY. 


This  rule  assumes  that  the  leak  is  in  the  inner  hatch  and  became  evident  after  the  start  of  the  EVA. 


A15-17  PAYLOAD  BAY  CONFIGURATION  POST-EVA 

AT  THE  END  OF  AN  EVA,  THE  PAYLOAD  BAY  WILL  BE  LEFT  IN  A 

CONFIGURATION  WHICH  DOES  NOT  REQUIRE  A  SUBSEQUENT  EVA  FOR 

DEORBIT.  EXCEPTIONS: 

A.  ABORT  THE  EVA. 

B.  A  SPECIFIC  PAYLOAD  HAS  THE  CAPABILITY  TO  BE  JETTISONED  OR 
STOWED  BY  REMOTE  ACTION. 

It  can  never  be  assumed  that  there  will  be  the  time  or  consumables  available  for  a  subsequent  EVA  to 

clean  up  the  payload  bay: 

a.  The  first  exception  is  the  case  when  an  EVA  must  be  aborted  because  an  EV  crewmember’ s  life 
might  be  in  jeopardy.  In  that  case,  repressurization  of  the  airlock  is  the  immediate  priority. 

b.  The  second  exception  is  allowed  since  the  payload  in  question  has  the  capability  to  be  jettisoned  or 
stowed  remotely  ( e.  g. ,  cabin  switch  or  ground  command)  if  a  subsequent  orbiter  condition  would 
preclude  a  second  EVA  for  entry  safing. 
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A15-18  PAYLOAD  OPERATION/ DEPLOY  GUIDELINE 

PAYLOADS  OPERATIONS  THAT  REQUIRE  AN  UNSCHEDULED  EVA  AS  A  THIRD 
LEVEL  OF  REDUNDANCY  MAY  OPERATE  PRIOR  TO  4 8  HOURS  ASSUMING  THE 
UNSCHEDULED  EVA  CAN  BE  DELAYED  UNTIL  AFTER  48  HOURS.  PREFLIGHT- 
IDENTIFIED  EXCEPTIONS  WILL  BE  DOCUMENTED  IN  THE  FLIGHT  SPECIFIC 
FLIGHT  RULES,  SECTION  2. 


Due  to  the  possibility  that  the  crew  may  be  disabled  by  SAS,  payload  operations  which  would  require  a 
quick  mandatory  response  EVA  should  not  be  started  prior  to  48  hours.  Unscheduled  EVA’s  will  be 
defined  preflight  as  to  the  nature  of  the  response  time  required.  Certain  payloads  may  require  an 
unscheduled  EVA  earlier  than  48  hours.  These  payloads  will  have  processed  exemptions  to  the  generic 
EVA  rules  and  each  will  have  a  rule  in  the  Flight  Specific  Annex  to  govern  the  conduct  of  unscheduled 
EVA. 

A15-19  UNSCHEDULED  EVA  PREPARATION 

IF  A  FAILURE  HAS  OCCURRED  IN  A  PAYLOAD  THAT  WOULD  PLACE  CONTINUED 
OPERATION/DEPLOYMENT  ONE  FAILURE  AWAY  FROM  AN  UNSCHEDULED  EVA, 

THE  FLIGHT  DIRECTOR  MAY  DELAY  PAYLOAD  OPERATIONS  UNTIL  EMU 
CHECKOUT  AND  THE  10.2  EVA  PREBREATHE  PROTOCOL  ARE  COMPLETED  TO 
SET  UP  FOR  THE  POTENTIAL  UNSCHEDULED  EVA.  CASES  IDENTIFIED 
PREFLIGHT  WILL  BE  DOCUMENTED  IN  THE  FLIGHT  SPECIFIC  FLIGHT  RULES, 
SECTION  2. 


Based  on  the  nature  of  the  payload  failure  and  the  current  condition  of  orbiter  systems,  it  may  be 
appropriate  to  delay  payload  operations  or  a  deployment  until  preparations  can  be  completed  to 
accomplish  an  unscheduled  EVA.  Certain  payload  operations  are  allowed  to  continue  even  though  we 
may  be  one  failure  away  from  an  EVA.  This  is  due  to:  (1)  confidence  in  the  remaining  system,  (2)  the 
payload  may  be  jettisonable,  (3)  there  is  already  a  scheduled  EVA  available,  or  (4)  continuing  to  deploy 
is  safer  than  waiting  ( e.  g. ,  TDRS). 


A15-20  ECG  TELEMETRY  CHECKOUT 

IF  POSSIBLE,  ECG  TELEMETRY  SIGNAL  QUALITY  WILL  BE  CHECKED  PRIOR 
TO  EVA. 

The  rule  allows  for  troubleshooting  of  hardware  or  adjusting  of  sensors  prior  to  EVA  if  no  signal  is 
received.  Biomed  is  not  a  requirement  for  any  EVA. 

Rule  {A15-102N},  EMU  GO/NO-GO  CRITERIA,  references  this  rule.  @[090894- 1669 A]  ®[ED  ] 
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A15-21  LEAKING  RCS  THRUSTER/ APU  AVOIDANCE 

AN  EVA  CAN  BE  PERFORMED  DURING  A  KNOWN  RCS  JET  OR  APU  LEAK.  THE 
EVA  CREWMEMBER  WILL  AVOID  THE  IMMEDIATE  VICINITY  OF  THE  LEAKING 
JET  OR  APU. 

For  RCS  or  APU  leaks,  the  propellant  tends  to  sublimate  very  quickly  and  is  not  considered  to  be  a 
threat  to  the  crewmember  as  long  as  he  stays  out  of  the  vicinity.  The  propellant  has  no  effect  on  the 
EMU  in  small  quantities. 

A15-22  RCS /APU  THRUSTER  PLUME  AVOIDANCE 

AN  EVA  CREWMEMBER  SHALL  NOT  BE  POSITIONED  WITHIN  THE  FOLLOWING 
DISTANCES  OF  AN  RCS  THRUSTER  WITH  DRIVER  POWER  ON  OR  THE  EXHAUST 
PORT  OF  AN  OPERATING  APU  (ALONG  PRIMARY  AXIS)  .  ®[021 1 99-6747B] 

PRCS  -  27  FEET 

VRCS  -  3  FEET 

APU  -  3  FEET 

These  distances  are  conservative  estimates  based  on  the  thermal  effects  of  the  jets  on  the  EMU, 
particularly  the  visor,  which  is  most  sensitive  to  thermal  extremes.  These  numbers  were  generated  from 
analytical  tests  which  modeled  the  heat  flux  from  the  respective  jets  and  the  thermal  characteristics  of  the 
visor.  Crew  injury/EMU  damage  may  result  from  hydrazine  brought  into  the  cabin  after  being  picked  up 
from  an  operating  APU.  Flight  Rule  { A6-151A },  RCS  JET  DRIVER  MANAGEMENT  [ CIL],  requires 
primary  RJD’s  to  be  powered  off  while  the  crew  is  outside  the  payload  bay  envelope.  The  EVA  checklist 
“  CONTINGENCY  DAP/ JET  CONFIG”  directs  the  crew  as  to  which  jets  to  inhibit  or  power  off  based  on 
EVA  crew  location. 


A15-23  EV  CREW  IN  VICINITY  OF  ACTIVE  PAYLOAD  RETENTION 

LATCH  ASSEMBLIES 

WHEN  PAYLOAD  RETENTION  LATCH  ASSEMBLIES  MUST  BE  OPERATED 
AND  EV  CREWMEMBERS  MAY  BE  WITHIN  REACH,  THEN  THE  EV  CREW  SHALL 
STAY  CLEAR  OF  THE  LATCHES  AT  THE  TIME  OF  ACTUATION  AND  THE  EV 
CREWMEMBERS  SHALL  GIVE  THE  GO  FOR  LATCH  OPERATION. 


Latch  actuation  without  regard  for  EVA  crewmembers  constitutes  a  potential  pinch  hazard.  The  path 
traced  by  the  motion  of  a  latch  is  sufficiently  localized  for  EV  crewmembers  to  avoid  when  they  are 
warned  and  properly  positioned  during  the  actuation. 
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A15-24  EVA  OPERATIONS  IN  THE  GENERIC  PAYLOAD  BAY  ENVELOPE 

EVA  OPERATIONS  MAY  BE  CONDUCTED  IN  ANY  REGION  OF  THE  GENERIC 
PAYLOAD  BAY  ENVELOPE.  THE  GENERIC  PAYLOAD  BAY  ENVELOPE  IS 
DEFINED  AS  THOSE  REGIONS  OF  THE  PAYLOAD  BAY  ACCESSIBLE  TO  THE 
UNAIDED  EVA  CREWMEMBER  (E.G.,  NOT  ATTACHED  TO  THE  RMS,  ETC.)  WITH 


THE 

FOLLOWING  EXCEPTIONS:  ®[021 1 99-6747B] 

A. 

FOR 

X0  =  57  6 

TO  Xq  =  596, 

THE 

CREWMEMBER 

MUST 

REMAIN 

BELOW 

THE 

LEVEL  OF 

THE  PAYLOAD 

BAY 

DOOR  MOLD  : 

LINE  . 

B. 

FOR 

X0  =  57  6 

TO  Xq  =  815, 

THE 

CREWMEMBER 

MUST 

REMAIN 

ON  THE 

INBOARD  SIDE  OF  THE  STARBOARD  EVA  SLIDEWIRE. 

THIS  AREA  WILL  BE  PROTECTED  FROM  S-BAND  PER  RULE  {All-8}, 
ORBITER  S-BAND  OPERATIONS  DURING  EVA,  AND  KU-BAND  PER  RULE 
{All-7},  KU-BAND  OPERATIONS  DURING  EVA.  ®[ED  ] 

EVA  operations  for  the  unaided  crewmember  in  the  payload  bay  are  constrained  by  potential  RF 
radiation  exposure  from  only  two  sources.  Those  sources  are  represen  ted  by  the  restrictions  in 
paragraphs  A  and  B. 

S-band  radiation  from  the  orbiter  S-band  PM  antennas  creates  the  restriction  in  paragraph  A.  This  limit 
means  that  the  crewmember  must  stay  below  the  mold  line  for  the  first  20  inches  aft  of  the  576  bulkhead. 
This  requirement  is  based  upon  the  need  to  remain  1  meter  away  from  all  S-band  antennas. 

Paragraph  B  is  created  by  the  need  to  maintain  a  reasonable  level  of  Ku-band  communications  while  not 
overly  restricting  EVA  mobility.  This  limit  implies  that  the  crewmember  must  stay  on  the  inboard  side  of 
the  starboard  slidewire  for  the  first  20  feet  of  its  length.  This  limitation  will  allow  the  use  of  a  0-degree 
Beta  mask  and  a  Beta-only  operating  mode  for  the  Ku-band  system.  It  should  be  understood  that  this  rule 
does  not  require  the  use  of  any  specific  Beta  mask,  only  that  the  volume  was  designed  with  Beta  =  0  degree 
as  an  acceptable  value.  This  requirement  is  based  on  the  need  to  prevent  Ku-band  exposures  for  the  EVA 
crewmember  from  exceeding  the  20  V/M  certification  limit  for  the  EMU  at  Ku-band.  If  there  are  no 
planned  EVA  operations  outboard  of  the  starboard  slidewire,  then  the  normal  Ku-band  operating  mode  of 
Beta  +  mask  with  Beta  =  21  degrees  may  be  used.  ®[ED  ] 
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A15-25  ORB ITER  EVA  OPERATIONS  NEAR  S-BAND  ANTENNAS 

EVA  OPERATIONS  MAY  NOT  BE  CONDUCTED  WITHIN  1  METER  OF  ANY  ORBITER 
S-BAND  ANTENNA  UNLESS  STEPS  HAVE  BEEN  TAKEN  TO  PREVENT  THAT 
ANTENNA  FROM  RADIATING. 

An  S-band  dipole  antenna’s  “  near  field”  is  generally  considered  to  extend  approximately  1  meter  from 
the  antenna  in  all  directions.  Within  this  near  field,  exact  field  intensities  cannot  be  computed  and  as 
such  could  exceed  the  acceptable  level  for  the  EMU  (120  V/M).  If  an  antenna  is  totally  inhibited  (e.g.,  PI 
turned  OFF  or  S-band  FM  forced  to  the  lower  antenna  by  crew  switch ),  then  the  EVA  crewmember  is  not 
at  risk  in  approaching  these  antennas.  Since  an  S-band  PM  antenna  could  begin  radiating  without 
warning,  the  crewmember  must  stay  1  meter  away  to  ensure  his/her  safety 

Reference  Documentation:  United  Technology/Hamilton  Standard  Engineering  Memorandum 
EMUM-604,  April  30,  1992. 
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A15-26  KEEPOUT  ZONE  FOR  EVA  OPERATIONS  NEAR  THE  ORBITER 

UHF  PAYLOAD  BAY  ANTENNA 

A.  WHEN  THE  SPACE-TOSPACE  ORBITER  RADIO  (SSOR)  IS  IN  HIGH 
POWER  MODE,  THE  EVA  KEEPOUT  ZONE  IS  0.3  METER  (1.0  FT) 
OVERHEAD  AND  FROM  THE  SIDE  OF  THE  UHF  PLB  ANTENNA  RADOME 
SURFACE.  ®[040899-6873A]  ®[1 21 400-3856B] 

B.  WHEN  THE  SSOR  IS  IN  LOW  POWER  MODE,  THE  EVA  KEEPOUT  ZONE  IS 
0.1  METER  (0.33  FT)  OVERHEAD  AND  FROM  SIDE  OF  THE  UHF  PLB 
ANTENNA  RADOME  SURFACE. 

The  SSOR  and  UHF  PLB  antenna  are  required  for  EVA  communications  with  the  crew,  and  the  EV  crew 
will  nominally  translate  in  close  proximity  to  the  UHF  PLB  antenna.  During  EVA,  the  SSOR  nominally 
operates  in  low  power  mode  ( UHF  PWR  AMP  off)  and  a  smaller  keepout  zone  precludes  exposure  of  the 
EMU  to  excessive  RF  radiation  ( recommended  exposure  limit  of  60  V/m  rms  which  includes  6dB  of  safety 
margin).  If  the  SSOR  operates  in  high  power  mode  (UHF  PWR  AMP  on),  the  keepout  zone  increases.  If 
the  EV  crew  violates  the  keepout  zone  in  low  power  mode,  a  poten  tial  exists  to  temporarily  bias  the  EMU 
SOP  transducer  high  and  cause  RF  interference  to  the  SSER  (momen  tary  ratty  or  broken  comm).  If  the 
KOZ  is  violated  in  high  power,  potential  exists  to  cause  the  EMU  CWS  to  malfunction,  trip  EMU  current 
limiters,  damage  the  SSER,  and  exceed  the  physiological  limit  (102  V/m). 

The  SSOR  operating  frequency  also  affects  the  EMU.  If  the  SSOR  is  in  414.2  MHz  (nominal  frequency) 
and  inadvertently  switches  from  low  to  high  power  mode  while  the  crew  maintains  the  low  power  keepout 
zone,  sufficient  margin  still  remains  to  protect  the  crewmember  and  EMU  from  harm.  In  417.1  MHz,  the 
EMU  margin  is  still  sufficient  but  is  reduced,  resulting  in  greater  susceptibility  to  CWS  and  EMU 
current  limiter  malfunctions. 

Provided  that  the  crew  maintains  the  specified  keepout  zones,  the  physiological  limit  (72  V/m )  will  not  be 
exceeded.  The  analysis  showed  that  no  physiological  impacts  would  be  incurred  when  at  the 
physiological  limit  (72  V/m).  In  low  power  mode,  the  physiological  limits  are  reached  at  the  radome  top 
surface  and  at  0.0766  meter  (3  inches)  from  the  side.  In  high  power,  the  limits  are  reached  at  0.2  meter 
(9  inches)  from  the  radome  top  surface  and  0.19  meter  (7.5  inches)  from  the  side.  These  values  are 
based  on  a  60  V/m  output  and  are  therefore  conservative  for  an  actual  72  V/m  keepou  t  zone. 

The  following  telemetry  will  be  used  to  determine  whether  the  SSOR  is  in  high  or  low  power  mode  before 
the  EV  crew  approaches  the  UHF  PLB  antenna:  UHF  POWER  AMP  ( V74S2016E),  SSOR  POWER 
LEVEL  (V74E2045A),  and  SSOR  POWER  STATUS  (V74C2047A).  ®[i 21 400-3856B] 
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A15-26  KEEPOUT  ZONE  FOR  EVA  OPERATIONS  NEAR  THE  ORBITER 

UHF  PAYLOAD  BAY  ANTENNA  (CONTINUED) 

DOCUMENTATION :  Orbit  Flight  Techniques  Panel  #171,  EVA  Space-to-Space  Communications 
UHF  PLB  Antenna  Keep-Out  Zones,  NASA  Extravehicular  Mobility  Unit  (EMU)  with  ISS  EMU 
Umbilical  Electromagnetic  Compatibility  Certification  Test  Report  for  the  International  Space 
Station/Orbiter  Requirements  (Hamilton-Standard  EMU  1-13-025),  EMUM1-0463  STS-106,  ISS 
Mission  2A2.B  and  STS-92,  ISS  Mission  3A,  EVA  Keep  Out  Recommendations  For  EMU  w/SSER 
Radio  For  U.S.  and  Russian  Segment  Antennas,  NASA  Report,  EV4-00-039,  April  2000,  “ISS  USOS 
and  SSO  Antenna  RF  Exposure  Keep  Out  Zone  Data  Book,  ”  and  IEEE  Standards  for  Safety  Levels 
with  Respect  to  Human  Exposure  to  Radio  Frequency  Electromagnetic  Fields,  3  kHz  to  300  GHz  (IEEE 
C9 5. 1-1991).  ®[1 21 400-3856B] 

A15-27  THROUGH  A15-100  RULES  ARE  RESERVED 
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LOSS/FAILURE  DEFINITIONS 


A15-101  EVA  CAPABILITY 

EVA  CAPABILITY  IS  CONSIDERED  LOST  IF  UNABLE  TO  DEPRESSURIZE/ 
REPRESSURIZE  THE  AIRLOCK  WHILE  MAINTAINING  CABIN  INTEGRITY. 

The  inability  to  depressurize/repressurize  the  airlock  while  maintaining  cabin  integrity  resolves  to  a 
leaking  airlock  hatch.  If  either  hatch  leaks  at  greater  than  0.2  psi/min  airlock  pressure  decay  rate,  the 
EVA  capability  is  lost. 

A15-102  EMU  GO/NO-GO  CRITERIA 

THE  EMU  CAPABILITIES  LISTED  IN  THE  EMU  GO/NO-GO  MATRIX  ARE 
CONSIDERED  LOST  IF  ONE  OF  THE  FOLLOWING  CONDITIONS  ARE  MET: 

®[090894-1 669A] 

A.  SUIT  PRESSURE  INTEGRITY  -  EMU  PRESSURE  DECAY  >  0.3  PSI/MIN 
DURING  INTEGRITY  CHECK.  @[090894-1 669A] 

A  leak  >  0.3  psi/min  can  no  longer  be  considered  a  worst  case  for  EMU  specification  leakage  ( i.  e. ,  seal 
leaks  and  metabolic  use).  At  greater  than  0.3  psi/min,  there  is  some  other  leak  that  could  possibly 
propagate.  ®[090894-l  669A] 

The  automated  leak  check  will  report  failure  when  the  pressure  drop  is  0.3  psi  or  greater  for  1  minute. 

A  2-minute,  manual  leak  check  is  performed  during  EMU  checkout  where  failure  is  determined  by  a 
pressure  drop  of  0.3  psi  or  greater. 

For  loss  of  suit  pressure  integrity,  if  the  failure  occurs  prior  to  EVA,  the  EMU  is  considered  to  be 
non-fail-safe  and  is  therefore  NO-GO  for  EVA.  If  the  failure  occurs  during  EVA,  the  SCU  may  provide  a 
safe  configuration  if  the  leak  ( minor  leak)  does  not  allow  the  suit  pressure  to  drop  below  the  caution  and 
warning  SUIT  P  LOW  limit  (4.05  psid).  If  this  is  the  case,  then  a  TERMINATE  EVA  ( i.  e. ,  enter  airlock , 
connect  SCU)  is  required  for  the  affected  crewmember.  If  the  suit  leak  allows  the  suit  pressure  to  drop 
below  the  CWS  limit  (major  leak),  an  ABORT  EVA  ( i.e .,  both  crewmembers  enter  airlock  and  perform 
emergency  repress)  is  required.  ®[090894-l  669A  ] 
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A15-102  EMU  GO/NO-GO  CRITERIA  (CONTINUED) 

B.  PRIMARY  C>2  TANK  PRESSURE  INTEGRITY  -  PRIMARY  C£  PRESSURE 
DECAYS  AT  A  RATE  >  110  PSI/24  HRS  FROM  A  FULLY  CHARGED  STATE, 
AND  LEAK  RATE  IS  SUCH  THAT  IT  WILL  PRECLUDE  SAFE  COMPLETION 
OF  THE  INTENDED  EVA  TASK.  @[090894-1 669A] 

The  primary  O2  tanks  are  considered  fully  charged  when  they  are  pressurized  >  850  psi.  Leak  rates 
>  110  psi/24  hrs  are  indicative  of  a  significant  primary  tank  leak.  An  excessive  external  leak  of  the 
primary  O2  tanks  will  cause  the  primary  O2  supply  to  be  depleted  at  a  higher  than  normal  rate. 

However,  in  the  case  where  an  excessive  external  leak  is  detected,  real-time  analysis  may  indicate  that 
the  leak  will  not  preclude  an  EVA  for  the  intended  tasks.  Further  testing  may  determine  that  the  leak 
is  in  terned  to  the  suit  volume,  which  may  not  impact  the  O2  use  rate  during  EVA. 

The  EMU  is  considered  NO-GO  for  EVA  for  a  major  leak.  A  major  leak  is  a  leak  rate  that  is  too  high  to 
support  on  the  SCU  (i.e.,  requires  more  O2  than  can  be  provided  by  the  orbiter,  case  specific).  If  a 
major  leak  happens  during  EVA,  then  an  ABORT  EVA  is  required,  since  the  EMU  is  no  longer  capable 
of  remain  ing  at  vacuum.  A  minor  leak  is  a  leak  rate  that  can  be  supported  on  the  SCU.  The  EMU  is 
considered  GO  for  EVA  if  the  leak  is  minor  and  if  periodic  recharges  do  not  interfere  with  completing 
the  EVA  tasks.  The  EMU  is  considered  GO  to  remain  on  the  SCU  if  the  leak  is  a  minor  leak  and  if 
frequen  t  recharges  interfere  with  completing  the  EVA  tasks.  If  this  happens  during  EVA,  then  a 
TERMINATE  EVA  is  required  for  the  affected  crewmember.  Leak  propagation  is  not  a  concern  with 
primary  O2  tank  leaks  because  the  seeds  in  this  system  are  hard/static  seals. 

C.  PRESSURE  REGULATION  -  SUIT  PRESSURE  CANNOT  BE  MAINTAINED  IN 
A  RANGE  ABOVE  THE  SOP  REGULATION  PRESSURE  AND  BELOW  THE 
POSITIVE  PRESSURE  RELIEF  VALVE  (PPRV)  CRACKING  PRESSURE. 

If  the  primary  suit  regulator  cannot  maintain  suit  pressure  above  SOP  regulation  pressure,  the  SOP  will 
flow  during  the  EVA  and  the  emergency  oxygen  supply  will  be  consumed,  eventually  making  the  SOP 
incapable  of  supporting  30  minutes  ofDCM  purge  flow.  If  the  primary  suit  regulator  cannot  regulate 
below  the  positive  pressure  relief  valve  (PPRV)  cracking  pressure,  the  PPRV  will  open  during  the  EVA 
and  primary  oxygen  will  be  depleted  more  rapidly  than  normal. 

The  operational  specification  for  the  primary  regulator  with  the  O2  actuator  in  PRESS  or  EVA  is 
4.2  to  4.4  psid.  Checkout  values  outside  of  this  range  warrant  further  investigation  to  ensure  that  the 
requiremen  ts  of  this  rule  will  be  met.  If  the  primary  regulator  is  determined  to  be  stable  between  4.05  - 
4.55  psid,  then  SOP  flow  and  PPRV  cracking  should  not  be  a  concern  since  the  specifications  of  the  SOP 
regulator  and  PPRV  will  not  overlap  this  range.  If  the  primary  regulation  pressure  is  outside  of  the  4.05 
to  4.55  psid  range,  real-time  analysis  considering  the  preflight  performance  of  the  specific  EMU  will  be 
required.  @[090894-1 669A  ] 
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A15-102  EMU  GO/NO-GO  CRITERIA  (CONTINUED) 

The  specification  for  SOP  regulation  is  3.33  to  3.9  psid  ( dependen  t  on  flow  rate).  The  specification  for 
the  minimum  cracking  pressure  for  the  PPRV  is  4. 7  psid.  A  “SUIT  P  LOW ”  message  occurs  when 
sensed  suit  pressure  is  less  than  4.05  psid.  A  “SUIT  P  EMERG’’  message  occurs  when  sensed  suit 
pressure  is  less  than  3.10.  A  “SUIT  P  HIGH"  message  will  occur  when  sensed  suit  pressure  is  4.55  psid 
or  greater.  ®[090894-l  669A  ] 

For  scheduled  or  unscheduled  EVA’s,  the  EMU  is  considered  to  be  non-fail-safe  and  is  therefore  NO- 
GO.  For  contingency  EVA’s,  the  EMU  is  considered  GO  for  SCU  ops  to  be  available  for  rescue/assist 
scenarios.  For  either  types  of  EVA’s,  if  a  pressure  regulation  failure  happens  during  EVA,  a 
TERMINATE  EVA  is  required  for  the  affected  crewmember. 

D.  OPERATIONAL  SECONDARY  OXYGEN  PACK  (SOP) : 

1.  SOP  BOTTLE  PRESSURE  (AT  IV  AMBIENT  TEMPERATURES)  <  PRESSURE 
NEEDED  TO  PROVIDE  A  MINIMUM  OF  30  MINUTES  SECONDARY  Q. 

The  SOP  must  be  capable  of  supporting  ( with  DCM  purge  valve  open)  a  min  imum  of  30  min  utes.  The 
design  specification  for  the  EMU  SOP  bottle  pressure  is  ?  5800  psig  (at  ambient  TV  temperatures)  which 
guarantees  a  minimum  of  30  minutes  secondary  02-  However,  engineering  analysis  has  shown  that  the 
performance  characteristics  of  a  specific  EMU  may  permit  a  min  imum  of  30  minu  tes  secondary  O2for 
bottle  pressures  <  5800  psig.  If  the  bottle  pressure  is  <  5800  psig,  calculations  must  be  performed 
based  on  the  performance  of  the  specific  EMU  to  determine  the  actual  minimum  (30-minute)  bottle 
pressure. 

For  scheduled  or  unscheduled  EVA’s,  the  EMU  is  considered  to  be  non-fail-safe  and  is  therefore  NO- 
GO.  For  contingency  EVA’s,  the  EMU  is  considered  GO  for  SCU  ops  to  be  available  for  rescue/assist 
scenarios. 

2.  SOP  REGULATOR  IS  NOT  CAPABLE  OF  MAINTAINING  SUIT  PRESSURE 
ABOVE  3.33  PSI  AND  BELOW  PRIMARY  C£  REGULATION  PRESSURE 
FOR  30  MINUTES  DURING  EMERGENCY  DCM  PURGE. 

The  operational  specification  for  the  SOP  regulator  is  3.33  to  3.9  (dependent  on  flow  rate).  SOP 
checkout  values  outside  of  this  range  warrant  further  investigation  to  ensure  that  the  requirements  of  this 
rule  will  be  met.  Emergency  DCM  purge  is  representative  of  the  worst  case  oxygen  demand  that  could 
occur  during  an  EVA.  The  SOP  must  be  capable  of  maintaining  suit  pressure  at  a  safe  level  (>  3.33  psi) 
during  an  emergency  purge  configuration  (DCM  purge  valve  open).  An  SOP  that  is  regulating  above  the 
specification  limit  of  3.9  is  satisfactory  as  long  as  it  is  regulating  below  the  regulation  pressure  of  the 
primary  regulator.  If  the  SOP  regulates  above  the  primary  regulator  pressure,  the  SOP  oxygen  will  be 
consumed  instead  of  primary  oxygen.  If  this  occurs  during  EVA,  a  TERMINATE  EVA  is  required  for  the 
affected  crewmember.  @[090894-1 669A] 
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A15-102  EMU  GO/NO-GO  CRITERIA  (CONTINUED) 

For  scheduled  or  unscheduled  EVA’s,  the  EMU  is  considered  to  be  non-fail-safe  and  is  therefore  NO- 
GO.  For  contingency  EVA’s,  the  EMU  is  considered  GO  for  SCU  ops  to  be  available  for  rescue/cissist 
scenarios. 

3.  SOP  FIRST  STAGE  REGULATION  PRESSURE  CANNOT  BE  MAINTAINED 
BELOW  600  PSIG  AS  MEASURED  BY  THE  INTERSTAGE  GAUGE  DURING 
SOP  CHECKOUT.  @[090894-1 669A  ] 

The  primary  intent  of  the  interstage  gauge  (located  between  the  first-  and  second-stage  pressure 
regulators)  is  to  detect  excessive  leakage  or  failed  open  conditions  related  to  the  SOP  first-stage 
regulator.  Preflight  processing  also  uses  this  gauge  as  a  reference  point  for  first-stage  regulation. 

The  600  psig  value  is  based  on  nominal  first-stage  regulation  of  200  psig  added  to  the  +400  psig  gauge 
tolerance.  Due  to  the  inaccuracy  of  the  gauge  at  the  low  end  ( +400/-200  psig),  detection  of  regulator 
shifts  is  difficult.  However,  gauge  readings  are  worthwhile  for  comparison  with  pre-flight  data.  A  failed 
SOP  first-stage  regulator  followed  by  a  failed  SOP  second-stage  regulator  will  result  on  rapid  suit 
overpressurization  and  rupture. 

For  scheduled  or  unscheduled  EVA’s,  the  EMU  is  considered  to  be  non-fail-safe  and  is  therefore  NO- 
GO.  For  contingency  EVA’s,  the  EMU  is  considered  GO  for  SCU  ops  to  be  available  for  rescue/assist 
scenarios. 

E.  MINIMUM  RF  COMMUNICATIONS  (REF.  RULE  {A15-7},  MINIMUM  RF 
COMMUNICATIONS  DEFINITION) 

For  crew  safety,  two-way  voice  ( including  relay)  communication  must  be  available.  Crewmembers  must 
preserve  the  availability  to  vocally  communicate  in  case  assistance  or  aid  is  necessary  in  areas  where  the 
crewmember  might  not  be  able  to  maintain  visual  contact. 

For  scheduled  or  unscheduled  EVA’s,  the  EMU  is  considered  to  be  non-fail-safe  and  is  therefore  NO- 
GO.  For  contingency  EVA’s,  the  EMU  is  considered  GO  for  SCU  ops  to  be  available  for  rescue 
scenarios.  For  either  types  of  EVA’s,  if  the  failure  happens  during  EVA,  a  TERMINATE  EVA  is  required 
for  the  affected  crewmember. 

F.  POSITIVE  PRESSURE  RELIEF  VALVE  -  FAILS  CLOSED  DURING  DEPRESS 

This  failure  is  only  detected  during  depressurization.  The  EMU  is  considered  NO-GO  for  EVA  if  the 
valve  cannot  be  opened,  because  the  EMU  is  not  fail-safe  for  overpressurization.  ®[090894-l  669A] 
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A15-102  EMU  GO/NO-GO  CRITERIA  (CONTINUED) 

G.  VENTILATION  FLOW  -  INSUFFICIENT  FLOW  (<  4.0  ACFM)  TO  PROVIDE 
CO2  REMOVAL  FROM  THE  HELMET  OR  DEFOGGING  CAPABILITY. 

@[090894-1669  A] 

The  vent  flow  sensor  detects  low  flow  at  less  than  4.0  acfm,  and  the  CWS  message  (NO  VENT  FLOW)  is 
triggered  when  vent  flow  drops  below  this  level.  This  is  the  minimum  flow  required  to  adequately  remove 
CO 2  from  the  helmet.  CO 2  buildup  in  the  helmet  will  lead  to  hypercapnia  (excess  CO 2  in  the  blood 
stream)  which  increases  heart  and  respiration  rate  and  can  impair  a  crewmember’s  judgment  and  ability 
to  perform  the  EVA  task.  Hypercapnia  will  eventually  lead  to  an  unconscious  crewmember.  Normal 
ventilation  flow  is  6  to  8  acfm.  Helmet  purge  valve  may  be  used  to  provide  alternate  vent  flow  if  EMU 
consumables  can  be  managed  to  support  this. 

Insufficien  t  ventilation  flow  will  also  increase  the  fogging  of  the  visor.  This  will  hinder  the  crewmember’ s 
vision  and  will  impair  their  ability  to  perform  the  EVA  task.  Under  this  condition  while  EVA,  the 
crewmember  is  in  a  safe  configuration  while  attached  to  the  SCU.  The  EMU  is  somewhat  degraded,  but 
operational,  for  a  possible  crewmember  assist/rescue  scenario. 

H.  CO2  CONTROL  -  PPCO2  LEVEL  CANNOT  BE  MAINTAINED  BELOW  8.0 
MMHG. 

For  PPCO2  indication  of  8  mmHg  by  the  CWS,  the  actual  level  in  the  helmet  may  be  15  mmHg  or  higher 
depending  on  metabolic  rate.  Problems  arise  if  the  crewmember’ s  symptoms  coincide  with  this  PPCO2 
level  and  the  contaminant  control  cartridge  cannot  be  replaced.  This  PPCO2  level  will  cause 
physiological  changes  (hypercapnia)  that  can  impair  the  crewmember’s  judgment  and  ability  to  perform 
the  EVA  task.  Reference  Rule  {A13-52B},  PPCO2  CONSTRAINT.  ®[ED  ] 

Under  this  condition,  the  crewmember  is  in  a  safe  condition  while  attached  to  the  SCU  with  the  helmet 
purge  valve  open.  The  EMU  is  somewhat  degraded,  but  operational,  for  a  possible  crewmember 
assist/rescue  scenario. 

I.  BATTERY  POWER  -  EMU  BATTERY  IS  NOT  CAPABLE  OF  PROVIDING 
POWER. 

The  EMU  battery  provides  power  for  cdl  EMU  systems  once  off  of  the  SCU.  At  cabin  pressure,  the 
battery  may  be  replaced  by  a  spare  and  the  EMU  is  GO -For -EVA.  If  a  spare  is  unavailable,  the  EMU 
will  be  able  to  remain  on  the  SCU  for  a  possible  crewmember  assist/rescue  scenario.  @[090894-1 669A  ] 
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J.  THERMAL  CONTROL  -  THERMAL  CONTROL  CANNOT  BE  MAINTAINED  IN  A 
TOLERABLE  RANGE  THROUGHOUT  ALL  SUITED  OPERATIONS  WHILE  STILL 
PROVIDING  AN  ADEQUATE  LEVEL  OF  WATER  VAPOR  REMOVAL. 

@[090894-1669  A] 

Thermal  control  must  be  maintained  throughout  all  EMU  suited  operations.  If  water  vapor  produced 
by  the  crewmember  and  as  a  byproduct  of  the  chemical  reaction  of  CO 2  with  LiOH  is  not  removed, 
excessive  water  vapor  levels  in  the  EMU  will  cause  fogging  of  the  visor,  degrading  crewmember  visibility. 
If  cooling  con  trol  is  lost,  it  may  be  possible,  if  the  crewmember  is  too  cold,  for  the  crewmember  to  manage 
cooling  by  periodically  open  ing  and  closing  the  feedwater  shu  toff  valve.  An  other  option,  if  the 
crewmember  is  too  hot,  in  volves  opening  one  of  the  two  available  purge  valves  on  the  suit.  The  feasibility 
of  utilizing  these  options  is  case  dependen  t. 

If  thermal  con  trol  is  lost  via  the  SCU,  the  EMU  is  considered  GO  for  EVA,  since  cooling  will  be  restored 
once  at  vacuum  when  the  sublimator  is  activated.  If  this  is  the  case,  when  not  on  the  sublimator,  cooling 
must  be  provided  through  the  DCM  purge  valve,  assuming  that  the  SCU  can  support  the  purge  flow  for 
the  required  time  or  by  swapping  SCU’s  if  possible.  If  the  failure  happens  during  EVA,  the  EMU  is 
considered  GO  to  con  tinue  EVA.  If  thermal  con  trol  is  lost  via  the  EMU  (i.e.,  failure  in  either  sublimator 
or  LCVG),  the  EMU  is  considered  GO  to  remain  on  the  SCU,  since  cooling  will  be  provided  via  the  SCU 
(for  sublimator  failure)  or  will  be  provided  with  the  DCM  purge  valve  (for  LCVG  failure),  assuming  the 
SCU  can  support  the  purge  flow  for  the  required  time.  If  the  failure  happens  during  EVA,  a 
TERMINATE  EVA  is  required  for  the  affected  crewmember. 

K.  CRITICAL  INSTRUMENTATION: 

1.  LOSS  OF  EVA  CREW'S  CAPABILITY  TO  MONITOR  BOTH  SUIT 

PRESSURE  SENSOR  AND  DISPLAY  AND  CONTROL  MODULE  (DCM)  SUIT 
PRESSURE  GAUGE. 

The  capability  must  exist  to  monitor  suit  pressure  via  either  the  pneumatic  gauge  or  the  pressure 
transducer  at  all  times  during  the  EVA 

With  the  loss  of  both  suit  pressure  transducer  and  gauge,  there  is  no  indication  to  the  crewmember  of 
suit  pressure.  For  a  scheduled  or  unscheduled  EVA,  the  EMU  is  considered  NO-GO.  Since  a  third 
failu  re  has  to  occur  before  the  crewmember’ s  life  is  in  danger,  the  EMU  is  considered  GO  for  SCU  ops 
for  a  contingency  EVA  so  that  the  crewmember  is  available  for  rescue  ops.  @[090894-1 669A  ] 
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2.  LOSS  OF  OPERATIONAL  CWS  :  @[090894-1 669A] 

Reference  Rule  { A15-8J ,  OPERATIONAL  CAUTION  AND  WARNING  SYSTEM  (CWS)  DEFINITION. 

a.  BITE  LIGHT  ILLUMINATED  UNLESS  "LIMITS  BAD"  MESSAGE 
PRESENT . 

The  built-in  test  equipment  (BITE)  light  is  illuminated  when  the  BITE  circuitry  has  detected  either  a 
hardware  or  software  problem  within  the  CWS.  If  upon  inspection,  the  status  list  can  be  verified  to  be 
functioning  properly,  the  CWS  is  considered  operational.  If  the  status  list  cannot  be  verified  to  be 
operating  normally,  the  CWS  is  not  considered  to  be  operational.  If  the  BITE  is  illuminated  and  LIMITS 
BAD  message  is  present,  the  CWS  is  considered  to  be  operational  because  the  BITE  circuitry  has 
already  verified  that  the  status  list  is  good  and  the  problem  resides  in  PROMS  which  contains  only  CWS 
limits. 


b.  CREWMEMBER  OR  MCC  DETERMINES  INSUFFICIENT  RELIABLE 
DATA  AVAILABLE. 

For  the  loss  of  operational  CWS,  the  crewmember  is  in  a  safe  condition  while  attached  to  the  SCU.  The 
EMU  is  somewhat  degraded,  but  operational,  for  a  possible  crewmember  cissist/rescue  scenario. 

3.  DCM  DISPLAY  -  CREWMEMBER  IS  UNABLE  TO  READ  DCM  DISPLAY 
AND  MCC  CANNOT  MONITOR  EMU  DATA  VIA  REAL-TIME  DATA 
SYSTEM. 

EMU  is  considered  GO  ( fail-ops )  if  MCC  is  capable  of  monitoring  EMU  status  via  the  EMU  Reed-Time 
Data  System  (RTDS).  EMU  is  considered  GO  to  remain  on  the  SCU  if  MCC  monitoring  capability  is  not 
available.  If  the  failure  happens  during  EVA,  EMU  is  considered  GO  to  continue  EVA,  unless  MCC 
monitoring  capability  of  EMU  data  is  lost.  If  MCC  monitoring  capability  is  lost,  then  a  TERMINATE 
EVA  is  required  by  the  affected  crewmember.  @[090894-1 669A] 
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L.  SINGLE  COMPONENT  INSTRUMENTATION  -  LOSS  OF  ONE  OF  THE 
FOLLOWING  SENSORS:  ®[090894-1 669A  ] 


SUIT  PRESSURE  XDUCER 
XDUCER 

VENT  FLOW  SENSOR 
CO2  XDUCER 
BATTERY  VDC  XDUCER 
BATTERY  AMP  XDUCER 
O2  PRESSURE  XDUCER 


SUBLIMATOR  PRESSURE  XDUCER 
SOP  PRESSURE  XDUCER 
SOP  INTERSTAGE  GAUGE 
H20  GAS  PRESSURE  XDUCER 
H20  WATER  PRESSURE  XDUCER 
H20  TEMPERATURE  XDUCER 


EMU  is  considered  GO  (fail-ops).  For  the  loss  of  any  one  sensor  or  transducer,  the  integrity  of  the 
system  monitored  by  the  failed  sensor  can  be  monitored  via  other  sensors.  A  failure  in  that  system  will 
be  manifested  by  a  warning  message  from  another  sensor  or  by  some  other  noticeable  indication.  For 
CO 2  transducer  loss,  the  ability  to  detect  a  high  CO 2  level  relies  entirely  on  the  crewmember’s  ability  to 
detect  physiological  symptoms  and  take  appropriate  action  as  required,  such  as  purge  valve  activation 
(Rule  {A13-52B},  PPCO2  CONSTRAINT,  rationale  indicates  symptoms  of  CO 2  exposure).  For  SOP 
interstage  gauge  loss,  there  is  no  other  instrumentation  device  available  inflight  to  verify  SOP  first- 
stage  regulation.  For  any  single  sensor  loss,  consider  using  EMU  3  (if  available)  to  regain  full 
operational  capability,  depending  on  the  extent  of  resizing  necessary  to  accommodate  the  affected 
crewmember. 

M.  SCU  POWER  -  NO  POWER  PROVIDED  TO  EMU  THROUGH  SERVICE  AND 
COOLING  UMBILICAL. 

The  EMU  is  considered  fully  operational  on  battery  power.  Battery  may  need  to  be  changed  out  prior  to 
depressurization  to  preserve  full  EVA  time  capability.  EMU  is  considered  GO-for-EVA  under  this 
condition. 
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N.  ECG  TELEMETRY  -  NO  ECG  TELEMETRY  IS  PROVIDED  TO  MCC . 

The  EMU  is  considered  fully  operational.  Reference  Rule  (A15-20],  ECG  TELEMETRY  CHECKOUT. 

@[090894-1 669A  ] 

O.  LOSS  OF  OPERATIONAL  EMU  HEATED  GLOVE (S)  IS  NOT  A  CONSTRAINT 
TO  PERFORMING  AN  EVA.  ®[1 1 1 298-6755A] 

1.  FOR  A  FAILURE  OF  HEATED  GLOVES  PRE-EVA  AND  THERMAL 
ANALYSIS  INDICATING  SKIN  TEMPERATURE  VIOLATIONS  WITHOUT 
USE  OF  HEATED  GLOVES  BY  THE  CREW,  ACTION  WILL  BE  TAKEN  TO 
RESTORE  HEATED  GLOVE  POTENTIAL  OR  ESTABLISH  CREW  LIMITS 
WITHIN  MISSION  CAPABILITIES. 

The  actions  for  a  failure  are:  EVA  flights  fly  backup  heated  gloves  for  EV  crewmembers  which  should  be 
used  for  a  heater  element  failure;  replacement  of  batteries;  identify  to  the  crew  potential  keep-out  areas 
or  limit  handling  of  items  for  durations  as  specified  in  the  EMU  Glove  Palm  Certification  Curves  if 
capability  is  not  restored  (i.e.  scheduled  use  of  items  listed  in  paragraph  2  of  rule);  swapping  to  backup 
EMU  components  (i.e.  PLSS/HUT  or  arm  segments)  for  a  harness  failure.  The  last  action  may  place  an 
EV  crewmember  in  a  non  -optimum  sized  EMU  and  is  the  least  preferred  action  and  will  be  decided  reed 
time. 

The  EMU  is  considered  GO  for  a  failure  of  EMU  heated  glove(s)  before  the  EVA.  Reasonable  effort  will 
be  made  to  restore  the  capability  so  that  heated  gloves  will  be  available  to  the  EV  crewmember  if 
preflight  thermal  analysis  deems  likely  the  use  of  heated  gloves.  Need  for  heated  gloves  depends  on 
mission  attitude ,  timelines,  locations  of  EVA  tasks,  and  initial  hand  temperatures.  The  heated  glove 
system  for  the  EMU  is  a  simple  wire  harness  connecting  a  battery  to  the  heater  elemen  ts  in  the  glove 
fingertips  through  connectors  and  toggle  switches  rou  ted  along  the  outside  of  the  PLSS  and  arms.  For 
the  3-volt  system,  a  single  failure  will  result  in  the  loss  of  only  one  heated  glove  because  each  has  a 
separate  wire  harness  and  battery. 

Reference  Documentation:  JSC-39116  (CTSD-SS-1621)  EMU  Phase  VI  Glove  Thermal  Vacuum  Test 
and  Analysis  Final  Report,  “Glove  Palm  Certification  Limits”  graphs,  August  20,  1998. 

2.  FOR  LOSS  OF  OPERATIONAL  HEATED  GLOVE  DURING  THE  EVA,  THE 
FOLLOWING  OPTIONS,  LISTED  IN  PRIORITY,  ARE  AVAILABLE  TO 
THE  EV  CREW: 

a.  NOTIFICATION  TO  CREW  OF  POTENTIAL  COLD  AREAS  TO 
AVOID,  IF  POSSIBLE,  BASED  ON  THERMAL  ANALYSIS. 

b.  FOR  SINGLE  GLOVE  FAILURE,  USE  OF  NON-AFFECTED  HAND 
FOR  GRASPING  AND  HANDLING  COLD  OBJECTS  .  ®[1 1 1 298-6755A] 
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C.  USE  OF  BRT  (OR  OTHER  RESTRAINT  DEVICE)  TO  ALLOW 
HANDS-FREE  OPERATION.  ®[1 1 1 298-6755A] 

d.  USE  OF  ADJUSTABLE  THERMAL  MITTENS. 

e.  USE  OF  OTHER  EV  CREWMEMBER  FOR  OPERATIONS  THAT  ARE 
DEEMED  TOO  COLD  BY  THE  AFFECTED  EV  CREW  OR  LIMIT  HAND 
CONTACT  DURATION. 

f.  USE  OF  EMU  LCVG  BYPASS. 

g.  CREW  WOULD  NOT  WORK  DURING  NIGHT  PASSES. 

h.  EV  CREW  MAY  MOVE  TO  SUN  SIDE  TO  WARM  HANDS  AFTER 
TASK. 

For  ci  failure  of  the  EMU  heated  gloves  during  the  EVA,  the  EMU  is  GO  to  continue.  The  loss  may 
require  the  affected  EV  crewmember  to  modify  his/her  operations  as  deemed  necessary  by  that 
crewmember.  For  the  3-volt  system,  a  single  failure  will  result  in  the  loss  of  only  one  heated  glove 
because  each  has  a  separate  wire  harness  and  battery. 

Restraint  devices  can  be  used  to  hold  ORU’s  or  restrain  crewmembers  to  handrails.  Thermal  mittens 
may  be  used  as  an  added  layer  to  the  EMU  gloves  but  will  reduce  dexterity  of  the  hands.  The  other  EV 
crewmember  may  be  used  for  cold  tasks.  Least  preferred  options  include;  EMU  LCVG  bypass  may  be 
used  in  an  attempt  to  warm  the  crewmember’ s  core  temperature  in  an  effort  to  warm  the  arms  and  hands, 
not  working  during  night  passes,  or  having  the  affected  crewmember  warm  hands  on  the  sun  side  as 
required. 

The  crewmember  shall  be  reminded  to  preclude  affected  hancl(s)  from  becoming  too  cold  in  the  first 
place.  Once  the  hands  are  cold,  it  will  invalidate  the  crewmember’ s  sense  of  temperature  and  lower  their 
“threshold”  of  comfort.  The  affect  is  that  the  crewmember’ s  hand  does  not  need  to  warm  as  much  to 
give  the  sensation  of  being  comfortable;  therefore,  the  hand  will  start  at  a  colder  initial  temperature  the 
next  time  it  is  exposed.  Iterations  of  this  process  over  the  EVA  duration  could  lead  to  tissue  damage 
without  the  crewmember  being  aware. 

Reference  Documentation:  JSC-39116  (CTSD-SS-1621),  EMU  Phase  VI  Glove  Thermal  Vacuum  Test 
and  Analysis  Final  Report,  “Glove  Palm  Certification  Limits”  graphs,  August  20,  1998.  ®[1 1 1 298-6755A] 
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CRITICAL  INSTRUMENTATION: 
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A15-151  DEN I TROGENAT I ON 

DENITROGENATION  OF  THE  EVA  CREWMEMBER  WILL  BE  ACCOMPLISHED  IN 
ACCORDANCE  WITH  AEROMED  RULE  {A13-103},  EVA  PREBREATHE  PROTOCOL. 

Proper  denitrogenation  is  required  to  prevent  bends  in  the  EV  crewmember. 

A15-152  EMU  CONSUMABLES  WITH  REAL-TIME  EMU  DATA  DOWNLINK 

@[050400-71 99A] 

EVA  CREWMEMBERS  MUST  BE  COMPLETE  WITH  AIRLOCK  INGRESS  AND 
CONNECTED  TO  THE  SERVICE  AND  COOLING  UMBILICAL  (SCU)  WHEN  30 
MINUTES  REMAIN  OF  ANY  EMU  CONSUMABLE  AS  DETERMINED  BY  MCC . 

Thirty  minutes  is  considered  the  redlinefor  primary  consumables  ( O2,  power,  LiOH  and  water).  This 
30-minute  reserve  is  necessary  to  prevent  bringing  the  non-replenishable  redundant  oxygen  system 
(SOP)  on-line.  If  real-time  data  capability  with  MCC  is  available,  the  flight  control  team  can  use  this 
information  to  determine  which  consumable  will  reach  the  30-minute  limit  first.  MCC  consumables 
calculations  can  be  more  realistic  due  to  the  use  of  flight  specific  initial  loading  data  rather  than  the 
standard  minimum  required  values  used  by  the  EMU  Caution  and  Warning  System  (CWS).  A/G  voice 
must  be  available  for  MCC  to  alert  crew  when  they  are  approaching  the  30-minute  limit.  If  A/G  voice 
capability  is  available,  but  is  interrupted  by  periods  of  LOS,  MCC  can  confirm  consumables  status  with 
the  crew  prior  to  LOS.  The  affected  crewmember) s )  must  be  complete  with  airlock  ingress  and  pre¬ 
repress  when  30  minutes  remain  of  any  consumable.  If  consumables  allow,  the  other  crewmember  will 
continue  with  remaining  EVA  tasks  and  will  complete  sortie  cleanup.  Timeline  management  will  ensure 
that  the  EVA  sortie  cleanup,  airlock  ingress,  and  pre-repress  is  completed  prior  to  the  last  crewmember 
reaching  the  30-minute  redline.  Translation  time  back  to  the  airlock  will  be  determined  by  either  Neutral 
Buoyancy  Laboratory  (NBL)  or  Virtual  Reality  (VR)  Laboratory  crew  training.  EVA  tasks  will  be 
modified  or  deleted  real  time  to  ensure  that  the  EV  crewmember  is  connected  to  the  SCU  within  the 
timeframe  necessary  to  maintain  the  30-minute  reserve.  Connection  to  the  SCU  is  considered  a  safe 
configuration  because  the  SCU  can  support  the  loss  of  any  EMU  consumable.  Battery  and  LiOH  have  a 
finite  capacity;  however,  opening  the  helmet  purge  valve  while  on  the  SCU  compensates  for  the  loss  of 
LiOH,  and  configuring  the  EMU  to  accept  airlock  power  compensates  for  the  loss  of  battery.  In  the 
event  that  airlock  power  is  not  available,  opening  the  helmet  purge  valve  while  on  the  SCU  can 
compensate  for  the  loss  of  the  battery.  Oxygen  and  water  are  rechargeable  at  vacuum.  If  the  30  min  ute 
consumable  is  oxygen  or  water,  the  crewmembers  can  connect  to  the  SCU,  recharge  the  consumables, 
and  return  to  EVA  tasks.  This  rule  is  considered  an  operational  constraint. 

DOCUMENTATION :  Hamilton  Sundstrand  Engineering  Memorandum  EMUM1-0404  “  Consumable 
Tracking  During  EVA,  ”  March  15,  2000,  and  engineering  judgment.  @[050400-71 99A] 
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A15-153  EMU  CONSUMABLES  WITHOUT  REAL-TIME  EMU  DATA 

DOWNLINK 

A.  IF  NO  A/G  VOICE  CAPABILITY,  AN  EVA  CREWMEMBER  WILL  TERMINATE 
THE  EVA  WHEN  THE  CAUTION  AND  WARNING  SYSTEM  (CWS)  ISSUES  A 
30-MINUTE  ALERT  FOR  ANY  EMU  CONSUMABLE.  ©[050400-7200A] 

If  A/G  voice  and  real-time  EMU  data  capability  with  MCC  are  not  available,  the  EMU  CWS  will  be  used 
to  determine  which  consumable  will  reach  the  30-minute  limit  first.  If  the  EV  crewmember  has  no  ability 
to  communicate  with  MCC,  the  only  insight  into  the  EMU  consumables  is  via  the  CWS.  The  EV 
crewmember  will  rely  on  the  CWS  to  display  a  message  when  30  minutes  remain  of  any  EMU 
consumable.  The  CWS  consumable  messages  are  more  conservative  than  real-time  consumables  data. 
Oxygen  and  water  are  rechargeable  at  vacuum.  If  the  30-minute  consumable  is  oxygen  or  water,  the 
crewmembers  can  connect  to  the  SCU,  recharge  the  consumables,  and  return  to  EVA  tasks.  This  rule  is 
considered  an  operational  constraint. 

B.  IF  A/G  VOICE  CAPABILITY,  AN  EVA  CREWMEMBER  WILL  TERMINATE  THE 

EVA  WHEN  THE  CAUTION  AND  WARNING  SYSTEM  (CWS)  ISSUES  A  30- 
MINUTE  ALERT  FOR  OXYGEN,  LIOH,  OR  WATER  CONSUMABLES.  THE  EVA 

CREWMEMBER  MUST  BE  COMPLETE  WITH  AIRLOCK  INGRESS  AND 
CONNECTED  TO  THE  SERVICE  AND  COOLING  UMBILICAL  (SCU)  WHEN  30 
MINUTES  OF  POWER  REMAIN  AS  DETERMINED  BY  MCC  THROUGH  PERIODIC 
REPORTS  OF  EMU  STATUS. 

If  A/G  voice  is  available  but  real-time  EMU  data  is  not  available,  the  EMU  CWS  will  be  used  to 
determine  which  consumable  (oxygen,  LiOH,  or  water)  will  reach  the  30-minute  limit  first.  However, 
battery  power  can  be  tracked  on  the  ground  with  a  periodic  status,  because  the  power  usage  is  relatively 
constant  during  the  EVA  as  compared  with  other  consumables.  The  EV  crew  will  give  an  hourly  EMU 
status  for  the  first  6.5  hours  followed  by  an  increase  in  status  calls  to  every  10  minutes  so  that  MCC  can 
track  more  closely  the  battery  performance  towards  the  lower  end  of  its  capacity.  Oxygen,  LiOH  and 
water  calculations  depend  on  crewmember  metabolic  rate  requiring  more  frequent  status  checks  to  get 
an  accurate  estimate  of  use  rate.  The  CWS  messages  for  these  consumables  are  more  conservative  than 
real-time  consumables  data.  The  battery  30-minute  limit  will  be  calculated  by  the  ground  using  the 
periodic  status  checks.  Oxygen  and  water  are  rechargeable  at  vacuum.  If  the  30-minute  consumable  is 
oxygen  or  water,  the  crewmembers  can  connect  to  the  SCU,  recharge  the  consumables,  and  return  to 
EVA  tasks.  This  rule  is  considered  an  operational  constraint. 

DOCUMENTATION:  Hamilton  Sundstrand  Engineering  Memorandum  EMUM1-0404  “  Consumable 
Tracking  During  EVA,  ”  March  15,  2000,  and  engineering  judgment.  ®[050400-7200A] 
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A15-154  EMU  CONSUMABLES  PRE-EVA 

SUFFICIENT  CONSUMABLES  MUST  BE  AVAILABLE  TO  SUPPORT  THE  COMPLETE 
EVA  TIMELINE  PLUS  15  MINUTES  OF  EVA  EGRESS  ACTIVITIES,  15  MINUTES 
OF  INGRESS  ACTIVITIES,  AND  A  30-MINUTE  RESERVE.  @[050400-7201] 

This  rule  is  provided  as  an  operational  guide  in  planning  EVA  timelines  based  on  consumable 
constraints.  For  purposes  of  EMU  certification,  this  rule  assumes  6  hours  of  EVA  operations,  with 
5  minutes  for  post  depress,  10  minutes  for  egress,  10  minutes  for  ingress,  5  minutes  of  pre-repress 
and  30  minutes  ofreser\’e  to  make  a  total  of  7  hours  EVA  time.  In  addition,  a  30-minute  emergency 
oxygen  supply  is  provided.  @[050400-7201  ] 


A15-155  MANIPULATOR  FOOT  RESTRAINT  (MFR)  AND  PFR 

ATTACHMENT  DEVICE  (PAD)  GUIDELINES 

A.  ONLY  MINIMUM  COMMUNICATIONS  FOR  EVA  BETWEEN  THE  RMS  OPERATOR 
AND  THE  MFR/PAD  OPERATOR  ARE  REQUIRED.  (REF.  RULE  {A15-7}, 
MINIMUM  RF  COMMUNICATIONS  DEFINITION.) 

The  EVA  crewmember  on  the  MFR/PAD  has  the  best  vantage  point  from  which  to  direct  the  operator  of 
the  RMS  to  and  about  the  worksite.  Communications  between  the  RMS  operator  and  the  MFR/PAD 
operator  will  maximize  safety.  Minimum  communication  is  two-way  communication  with  the  orbiter  even 
if  relayed  through  the  other  EVA  person. 

B.  VISUAL  VERIFICATION  OF  MFR/PAD  POS I T ION/ CLEARANCE  IS 
REQUIRED . 

This  is  to  preclude  contact  and  possible  damage  to  payloads  and  structures  in  the  payload  bay  imparted 
by  the  RMS  and  MFR/PAD. 

C.  MFR/PAD  WILL  BE  OPERATED  ONLY  IN  THOSE  AREAS  WHERE  THE  RMS 
CANNOT  IMPART  EXCESSIVE  LOADS  TO  THE  EMU. 

In  certain  configurations,  the  arm  can  impart  excessive  loads  to  the  EMU  and  the  EVA  crewmember. 

The  PLSS  ( the  part  of  the  EMU  least  tolerant  to  impact  forces)  is  certified  for  a  maximum  400-lb  impact 
force  on  a  2-inch  diameter  sphere  at  a  2  ft/sec  velocity  before  impact.  The  RMS  will  be  kept  out  of 
regimes  where  impact  loads  of  this  type  are  possible  to  minimize  the  possibility  of  damage  to  the  EMU. 

A15-156  THROUGH  A15-200  RULES  ARE  RESERVED 
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EXTERNAL  AIRLOCK 


A15-201  EXTERNAL  AIRLOCK  HATCH  THERMAL  COVER 

DURING  EVA,  THE  EXTERNAL  AIRLOCK  HATCH  THERMAL  COVERS  FOR  THE 
UPPER  AND  AFT  HATCHES  SHOULD  REMAIN  CLOSED.  IF  EITHER  COVER 
OPENS  DURING  EVA,  AN  EVA  CREWMEMBER  WILL  RETURN  TO  THE  AIRLOCK  TO 
CLOSE  IT  AT  THE  NEXT  CONVENIENT  OPPORTUNITY.  @[061297-4904] 

This  rule  is  constrained  by  the  orbiter  cold  case  attitude  ( +XSI,  PLB  to  space,  beta  -  90,  or  -XLV,  PLB 
north,  beta  =  -75).  Design  analysis  that  considered  a  closed  hatch  and  thermal  cover  indicated  that  the 
water  lines  will  approach  freezing  temperatures  during  the  EVA  period,  even  with  the  heaters  enabled 
(for  the  analysis,  the  EVA  period  was  defined  as  10  hours  with  the  airlock  depressurized). 

The  airlock  internal  water  lines  are  thermally  insulated  from  the  airlock  structure  by  fiberglass 
standoffs.  The  segments  of  the  internal  water  lines  that  have  a  direct  view  of  deep  space  when  both  hatch 
and  thermal  cover  are  opened,  will  decrease  more  rapidly  than  the  airlock  structure.  Therefore,  there  is 
a  potential  of  the  internal  water  lines  freezing  if  the  hatch  thermal  cover  remains  open  during  the  EVA 
period. 

Analysis  indicates  that  when  the  airlock  is  pressurized,  there  is  no  concern  for  water  line  freezing 
regardless  of  the  position  of  the  hatch  thermal  cover. 

DOCUMENTATION :  Rockwell  OER  Presentation  Charts  September  18,  1996,  and  November  6,  1996, 
Rockwell  IL  270-200-97-007,  engineering  judgment.  ®[06i  297-4904  ] 
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A15-202  EXTERNAL  AIRLOCK  LCG  PRESSURE  AND  TEMPERATURE 

MANAGEMENT  USING  THE  EMU 

IN  THE  EVENT  THE  EXTERNAL  AIRLOCK  LIQUID  COOLING  GARMENT  (LCG) 
FLUID  LINES  EXPERIENCE  AN  UNEXPECTED  PRESSURE  OR  TEMPERATURE 
INCREASE  (REF  RULE  {A18-62},  EXTERNAL  AIRLOCK  WATER  LINE 
OVERPRESSURE/TEMPERATURE  MANAGEMENT) ,  THE  FOLLOWING  CONSTRAINTS 
AND  ACTIONS  APPLY:  ©[070899-6889A] 

A.  IF  THE  SERVICE  AND  COOLING  UMBILICAL  (SCU)  IS  DISCONNECTED 
FROM  THE  EMU: 

WITH  THE  EMU  O2  VALVES  CLOSED  AND  THE  TCV  IN  MAX  "C,"  THE  SCU 
CAN  BE  CONNECTED  TO  THE  EMU  AND  THE  EMU  FAN/PUMP  TURNED  ON 
FOR  A  MAXIMUM  OF  2  MINUTES,  IF  THE  EMU  WATER  TANKS  CONTAIN 
THE  NOMINAL  ULLAGE  AND  BEFORE  THE  LCG  WATER  LINE  TEMPERATURES 
IN  EITHER  ZONE  EXCEED  92  DEGREES  F. 

The  external  airlock  EMU  Liquid  Cooling  Garment  (LCG)  lines  are  routed  externally  to  the 
airlock/ 'orbit er  and  are  susceptible  to  pressure  (MSID  V64P0170A  { EV1 })  and  V64P0171A  { EV2J )  and 
temperature  ( MSID  V64T0182A  {ZN1}  and  V64T0185A  {ZN2})  increases  due  to  a  “hot”  orbiter 
attitude  or  failed  on  line  heaters.  There  are  no  accumulators,  shutoff  valves,  or  regulators  in  the  LCG 
loops,  which  are  in  a  hydraulic  lockup  condition  when  disconnected  from  the  EMU.  In  the  EMU,  the 
LCG  loop  is  connected  to  the  water  tanks  through  the  bypass  of  the  EMU  Coolant  Isolation  Valve.  The 
EMU  water  tanks,  with  nominal  1  pound  ullage,  will  act  as  an  accumulator  for  the  LCG  lines  through 
the  bypass  of  the  EMU  Coolant  Isolation  Valve. 

The  O2  valves  must  remain  closed  because  the  maximum  thermal  limit  for  O2  supplied  to  the  EMU  is 
90  deg  F.  LCG2  water  line  temperatures  ?  92  deg  F  in  both  zones  ensure  that  all  sections  of  the  LCG 
water  lines  are  below  the  EMU  thermal  limit  of  100  deg  F.  The  maximum  limit  for  the  EMU  water  line 
vent  tube  assembly  (WLVTA)  is  100  deg  F.  Anytime  the  EMU  TCV  is  out  of  the  max  “H”  position, 
water  will  flow  through  the  WLVTA. 

Although  not  designed  for  this  purpose,  the  EMU  can  be  used  as  a  contingency  device  for  lowering 
the  pressure  (and  temperature)  in  the  LCG  lines  by  using  the  EMU  fan/pump  to  circulate  the  LCG 
water  to  the  orbiter  LCG  HXfor  cooling.  The  EMU  fan/pump  should  not  be  on  for  longer  than  2 
minutes  without  O2  pressurization  of  the  EMU  water  tanks  due  to  potential  cavitation  and  damage  of 
the  pump.  Calculations  show  the  LCG  supply  “hot”  water  flows  through  the  LCVG  water  loop  in  45 
seconds  with  the  TCV  in  max  “  C.  ”  Two  minutes  will  ensure  that  the  water  can  pass  through  the  LCG 
HX  at  least  twice  for  cooling. 

THIS  RULE  CONTINUED  ON  NEXT  PAGE 
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A15-202  EXTERNAL  AIRLOCK  LCG  PRESSURE  AND  TEMPERATURE 

MANAGEMENT  USING  THE  EMU  (CONTINUED) 

It  is  preferable  to  change  orbiter  attitude  if  possible  to  lower  the  pressure  (temperature)  of  the  LCG 
fluid  lines.  ®[070899-6889A] 

DOCUMENTATION :  Hamilton  Standard  Engineering  Memorandums  EMUM1-0085  and 
EMUM1-0195,  “STS-88  Hot  External  Airlock  Return  Temperatures  &  Revisions,  ”  and  engineering 
judgment.  ®[070899-6889A] 

B.  IF  THE  SERVICE  AND  COOLING  UMBILICAL  (SCU)  IS  CONNECTED  TO 
THE  EMU: 

1.  THE  EMU  FAN/PUMP  WILL  BE  TURNED  ON  FOR  A  MAXIMUM  OF  2 

MINUTES  BEFORE  THE  LCG  LINE  PRESSURE  REACHES  18  (16.6) 

PSIG  FOR  UNEXPECTED  AND  INCREASING  PRESSURE. 

2.  A  NOMINAL  EMU  WATER  TANK  ULLAGE  DUMP  MUST  BE  PERFORMED 
AFTER  AN  UNEXPECTED  PRESSURE  INCREASE  OR  IF  THE  LCG 
PRESSURE  DID  NOT  DECREASE  AFTER  SCU  CONNECTION. 

A  steady  pressure  increase  in  either  of  the  LCG  lines  (MSID  V64P0170A  {EV1 }  or  V64P0171A{EV2}) 
with  the  SCU  connected,  EMU  fan/pump  and  Oj  actuator  off,  indicates  the  EMU  water  tanks  no 
longer  contain  any  nominal  ullage  and  are  no  longer  acting  as  an  accumulator  for  the  LCG  lines.  In 
the  EMU,  the  LCG  loop  is  connected  to  the  water  tanks  through  the  bypass  of  the  EMU  Coolan  t 
Isolation  Valve.  At  19.0  ±1.0  psig,  the  EMU  Feedwater  Relief  Valve  will  open  and  vent  water  from 
the  EMU  water  tanks  into  the  airlock  (ref  Rule  j A18-61 j,  EXTERNAL  AIRLOCK  LCG  FLUID  LINE 
LOSS  DEFINITION ). 

Although  not  designed  for  this  purpose,  the  EMU  can  be  used  as  a  contingency  device  for  lowering  the 
pressure  (and  temperature)  in  the  LCG  lines  by  using  the  EMU  fan/pump  to  circulate  the  LCG  water  to 
the  orbiter  LCG  HXfor  cooling.  Therefore,  the  EMU  pump  will  be  turned  on  prior  to  reaching  18  psig 
(16.6  psig  indicated)  which  will  prevent  the  LCG  loop  pressure  from  reaching  the  Feedwater  Relief  Valve 
lower  regulation  of  18  psig.  The  EMU  fcm/pump  should  not  be  on  for  longer  than  2  minutes  withou  t  O2 
pressurization  of  the  EMU  water  tanks  due  to  potential  cavitation  and  damage  of  the  pump. 

If  the  LCG  line  water  has  been  cooled  using  the  EMU  fcm/pump  to  stop  a  pressure  increase,  or  if  the 
pressure  did  not  decrease  after  SCU  connection,  approximately  1  pound  of  water  must  be  dumped  from 
the  EMU  water  tanks  before  reaching  the  Feedwater  Relief  Valve  lower  regulation  of  18  psig  to  restore 
the  capability  for  the  EMU  to  act  as  an  accumulator  for  the  LCG  lines  through  the  bypass  of  the  EMU 
Coolant  Isolation  Valve.  In  place  of  using  the  EMU,  it  is  preferable  to  change  orbiter  attitude  if 
possible. 

DOCUMENTATION :  Reference  Hamilton  Standard,  EMUM-1337;  Hamilton  Standard  Engineering 
Memorandums  EMUM1-0085  and  EMUM1-0195,  “STS-88  Hot  External  Airlock  Return  Temperatures 
&  Revisions;  ”  and  engineering  judgment.  ®[070899-6889A] 
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A15-203  CABIN  ATMOSPHERE  DECONTAMINATION  FOLLOWING  EVA 

@[021199-6821  A] 

A.  FOLLOWING  A  NEGATIVE  DRAGER  TUBE  READING,  THE  CABIN  AIR  WILL 
BE  TREATED  UNDER  THE  ASSUMPTION  THAT  THE  AIRLOCK  VOLUME  IS 
CONTAMINATED  TO  THE  MINIMUM  SENSITIVITY  LEVEL  FOR  THE 
SPECIFIC  DRAGER  TUBE  (250  PPB  FOR  HYDRAZINES  AND  AMMONIA, 

AND  500  PPB  FOR  NO2 )  .  @[021 199-6821  A] 

This  rule  assumes  that  contamination  of  the  EMU  was  either  suspected  or  confirmed  and  action  was 
taken  to  eliminate  the  contaminants  from  the  affected  EVA  crewmember  (such  as  bakeout)  prior  to 
performing  airlock  repress.  Under  these  conditions,  a  Drager  tube  reading  is  required. 

Because  the  Drager  tubes  are  not  sensitive  enough  to  detect  acceptable  SMAC  levels,  lack  of  a 
reading  does  not  verify  that  the  contamination  level  is  below  the  7-day  SMAC.  The  assumed 
contamination  level  is  the  minimum  sensitivity  of  the  specific  Drager  tube.  The  minimum  sensitivities 
of  the  hydrazine/ammonia  and  nitrogen  dioxide  tubes  are  250  ppb  and  500  ppb,  respectively. 


DOCUMENTATION:  Drager-Tube  Handbook,  1994. 

B.  THE  FOLLOWING  ACTIONS  WILL  BE  TAKEN  IN  AN  ATTEMPT  TO  REDUCE 
THE  ASSUMED  CONTAMINANT  CONCENTRATION  BELOW  THE  DESIGNATED 
7-DAY  SMAC  LEVELS  AND  TO  PROTECT  THE  CREW  DURING  ATMOSPHERE 
SCRUBBING: 

1.  IMMEDIATELY  PRIOR  TO  AIRLOCK  HATCH  OPENING,  THE  IV  CREW 
WILL  DON  QDM' S  AND  BREATHE  C£ .  THE  IV  CREW  WILL  REMAIN 
ON  THE  QDM' S  FOR  20  MINUTES  FOLLOWING  HATCH  OPENING. 

2.  PRIOR  TO  AIRLOCK  HATCH  OPENING,  PERFORM  THE  FOLLOWING 
ACTIONS  AND  CONTINUE  FOR  3  HOURS  AFTER  AIRLOCK  HATCH 
OPENING: 

a.  INSTALL  TWO  ATCO  CANISTERS  TO  SCRUB  HYDRAZINES  AND 
AMMONIA  FROM  THE  CABIN  ATMOSPHERE. 

b.  PLACE  CABIN  TEMP  CONTROLLER  IN  THE  "FULL  COOL" 
POSITION. 

C.  INITIATE  AIR  FLOW  THROUGH  WCS  ODOR/BACTERIA  FILTER. 

d.  IV  CREW  WILL  DON  LONG  SLEEVES,  LONG  PANTS,  AND  GLOVES 
AS  PRACTICAL.  @[021 199-6821  A] 

THIS  RULE  CONTINUED  ON  NEXT  PAGE 
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A15-203  CABIN  ATMOSPHERE  DECONTAMINATION  FOLLOWING  EVA 

(CONTINUED) 

3.  FOLLOWING  AIRLOCK  HATCH  OPENING:  @[021199-6821  A] 

a.  EV  CREW  WILL  REMAIN  IN  EMU'S  FOR  20  MINUTES  FOLLOWING 
AIRLOCK  HATCH  OPENING. 

b.  WIPE  EMU'S  AND  AIRLOCK  WALLS  WITH  WET  TOWELS. 

C.  INSTALL/ACTIVATE  BOOSTER  FAN  AND  ASSOCIATED  DUCTWORK 
AS  SOON  AS  POSSIBLE. 

C.  FOLLOWING  A  NEGATIVE  READING  AND  COMPLETION  OF  THE  ATMOSPHERE 
SCRUBBING  ACTIVITIES  (REF  PARAGRAPH  B) ,  THERE  ARE  NO  MISSION 
DURATION  CONSTRAINTS. 

Following  EVA,  the  Drager  test  is  performed  with  the  airlock  pressure  at  5  psia.  Repressurizing  the 
airlock  to  10.2  psia  will  reduce  the  contaminant  concentration  by  a  factor  of  2  in  the  airlock  (2.9  by 
repressurizing  to  14.7 psia).  This  will  bring  the  concentration  below  the  24-hour  SMACfor  all  cases 
except  MMH. 

After  airlock  hatch  opening  and  the  atmospheres  have  mixed,  the  concen  tration  will  be  further  reduced 
by  a  factor  of  7  (tunnel  adapter )  and  12  (airlock  only)  depending  upon  the  specific  volume  configuration. 
This  will  bring  the  concentration  below  the  7 -day  SMACfor  all  cases  except  MMH. 

The  expected  contamination  level  following  dilution  by  volume  equalization,  assuming  good  atmospheric 
mixing,  will  be  approximately  11  ppb  (approximately  18  ppb  with  a  tunnel  adapter)  for  a  10.2  psia 
cabin.  For  a  14.7  psia  cabin  following  equalization,  the  expected  contamination  level  will  be 
approximately  7  ppb  (approx  12  ppb  with  a  tunnel  adapter). 

The  TV  crew  must  remain  on  the  QDM’s  and  the  EV  crew  must  remain  in  the  EMU  for  at  least  20  minutes 
following  hatch  opening  to  allow  time  for  the  two  atmospheres  to  mix  and  to  allow  any  localized  pockets 
of  contaminants  to  dissipate.  Twenty  minutes  was  chosen  as  a  time  to  allow  effective  mixing  withou  t 
requiring  further  action  to  control  the  O2  concentration  in  the  cabin.  Donning  long  sleeves,  long  pants 
and  gloves  will  minimize  the  amount  of  exposed  skin  and  further  protect  the  TV  crewmembers  from 
exposure  to  the  toxic  products  following  airlock  hatch  opening.  This  is  listed  as  “as  practical”  because 
there  is  currently  no  requirement  for  crewmembers  to  select  long  pants  and  long-sleeved  shirts  as  part  of 
their  in-flight  wardrobe.  ®[02i  1 99-6821  A] 
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Two  ambient  temperature  catalytic  oxidizer  (ATCO)  canisters  are  installed  to  remove  additional 
hydrazine,  MMH,  UDMH,  and  ammonia  from  the  cabin  atmosphere.  In  2  to  3,  hours  it  is  expected  that 
the  cabin  PPCOj  levels  will  increase  enough  to  require  replacemen  t  of  one  of  the  ATCO  can  isters  with  a 
fresh  LiOH  canister.  The  other  ATCO  canister  should  remain  in  place  as  long  as  practical.  The  ATCO 
canister  is  100  percen  t  effective  at  neutralizing  the  contaminants  from  the  air  that  passes  through  it. 

Based  upon  nominal  cabin  fan  airflow,  each  ATCO  canister  will  scrub  the  volume  equivalent  of  the  cabin 
atmosphere  every  90  minutes.  It  is  assumed  that  for  each  volume  equivalent  cycle  through  an  ATCO  can, 
approximately  63  percent  of  the  remaining  contaminants  have  been  neutralized.  Therefore,  in  3  hours, 
assuming  one  ATCO  is  replaced  with  a  LiOH  after  2  hours,  the  entire  cabin  atmosphere  will  have  passed 
through  cm  ATCO  canister  at  least  three  times  and  the  concentration  will  be  reduced  to  <  10  percent  of 
the  initial  concentration.  The  63  percent  contamination  reduction  number  is  based  upon  analysis  that 
shows  for  each  complete  volume  equivalent  cycle  through  a  LiOH  canister  slot,  because  the  atmospheric 
mixing  is  not  idecd,  only  63  percent  vs  100  percent  of  the  molecules  of  car  in  the  cabin  will  actually  flow 
across  the  catalyst  bed  in  the  ATCO  canister.  For  all  of  the  contamination  compounds,  including  MMH, 
final  concen  tration  will  be  below  the  7 -day  SMAC  within  3  hours  of  airlock  hatch  opening  and  initial 
ATCO  scrubbing.  @[021199-6821  A] 

Because  hydrazines  are  water  soluble,  wiping  the  EMU’s  with  wet  towels  will  dilute  the  contaminant  and 
transfer  the  con  taminan  t  to  the  towels  and  preven  t  additional  off-gassing  from  the  EMU.  The  contaminated 
towels  can  be  placed  in  Ziplock  bags.  Also,  due  to  the  solubility  of  hydrazines,  con  taminan  ts  can  be 
condensed  out  of  the  atmosphere  and  sent  in  solution  to  the  waste  water  system.  Therefore,  the  TV  crew  will 
place  the  cabin  temp  controller  to  the  “ FULL  COOL”  position  thus  maximizing  airflow  across  the  ARS 
condensing  heat  exchanger. 

The  WCS  odor/bcicteria  filter  is  designed  to  remove  ammonia  (NHj )  from  the  airflow  through  the  WCS. 
Activation  of  the  WCS  commode  will  initiate  the  maximum  airflow  through  the  odor/bacteria  filter  and 
aid  in  scrubbing  ammonia  from  the  cabin  atmosphere.  The  volume  equivalen  t  of  the  cabin  atmosphere 
will  flow  through  the  WCS  odor/bacteria  filter  approximately  every  60  minutes. 

The  booster  fan  is  reinstalled  and  activated,  with  associated  ductwork  connected,  as  soon  as  possible  to 
circulate  the  contaminated  atmosphere  from  the  airlock  to  the  cabin  in  cm  attempt  to  dilute  the  overall 
concentration  through  mixing  of  the  atmospheres  and  to  send  the  contaminated  atmosphere  through  the 
ARS  as  quickly  as  possible.  ®[02i  1 99-6821  A] 
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In  all  cases,  the  procedure  governed  by  this  rule  meets  the  criteria  listed  in  the  following  table  with  the 
exception  of  the  24-hour  SMAC  for  MMH.  Orbit  Flight  Techniques  ( November  12,  1998)  deemed  this 
acceptable  based  upon  the  ability  to  meet  the  24-hour  and  the  7 -day  SMAC  within  3  hours  of  cabin 
contamination.  Additionally,  White  Sands  personnel  have  been  previously  exposed  to  MMH  at  levels 
severed  orders  of  magnitude  higher  than  the  24-hour  SMAC  with  no  deleterious  effects.  @[021199-6821  A] 

The  table  below  lists  the  SMAC  levels  informally  proposed  by  the  JSC  Toxicology  group. 

TABLE  A15-203-I  -  SMAC  LEVELS  (PPB) 


CHEMICAL 

DRAGER 

DETECTION 

LEVEL 

1-HOUR 

24-HOURS 

7- DAYS 

N2H4 

250 

300 

40 

MMH 

250 

2 

2 

2 

UDMH 

250 

NOT  SET 

NOT  SET 

100 

N204  (NOz) 

500 

NOT  SET 

NOT  SET 

500 

nh3 

250 

— 

ISM 

DOCUMENTATION:  EVA  Console  Handbook,  Sec.  6.5  N2H4  Contamination  ( EVA/JSC-20597 ), 
engineering  judgment.  @[021 1 99-6821  A] 
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A15-204  EXTERNAL  AIRLOCK  EMU  SERVICING  CONSTRAINTS 

EMU  SERVICING  AND  OPERATION  IS  CONSTRAINED  BY  THE  FOLLOWING 
THERMAL  LIMITS:  ®[070899-6890A] 


02 

TWO 

SERVICING  MAY  BE  PERFORMED 

CONDITIONS  ARE  SATISFIED: 

WHEN 

EITHER 

OF 

THE  FOLLOWING 

1  . 

THE  O2  SUPPLY 
®[121400-3862A] 

TEMPERATURE 

IS  ? 

80  DEG 

F  ( 

INDICATED) . 

2  . 

THE  O2  SUPPLY 

LINE  TEMPERATURE 

SENSOR 

IS 

FAILED  AND: 

a.  THE  EXTERNAL  AIRLOCK  FLUID  LINE  HEATERS  ARE  CYCLING 
IN  BOTH  ZONES. 


OR 

b.  THE  EXTERNAL  AIRLOCK  FLUID  LINE  HEATERS  ARE  NOT 
CYCLING  AND  THE  LCG  SUPPLY  AND  POTABLE  SUPPLY 
TEMPERATURES  ARE  ?  72  DEG  F  (INDICATED) . 

C>2  servicing  is  defined  as  the  period  of  time  when  the  SCU  is  mated  to  the  EMU  and  the  airlock  O2 
valves  are  open.  Flow  analyses  were  performed  to  ensure  that  all  O2  delivered  to  the  airlock  is  less  than 
90  deg  F  since  temperature  gradients  can  exist  between  the  sensor  location  and  the  rest  of  the  line. 

Based  on  the  analyses,  an  O2  supply  line  temperature  (MSID  V64T0183A  through  STS-98;  the  MSID  will 
be  V64T0186A  starting  with  STS- 102)  less  than  or  equal  to  80  deg  F  ensures  the  O 2  flow  into  the  EMU 
is  less  than  90  deg  F.  If  the  O2  supply  temperature  sensor  fails,  then  heater  cycling  (MNA,  MNB,  or 
MNC  heaters )  on  the  fluid  lines  indicates  a  payload  bay  environment  below  70  deg  F  and,  therefore, 
environmental  heating  above  the  O2  limit  is  not  possible.  Also,  for  a  failed  O2  sensor,  maintaining  a 
supply  water  (MSID  V64T0181A  (ZN1 }  and  V64T0184A  { ZN2) )  and  LCG  supply  (MSID  V64T0182A 
(ZNlj  and  V64T0185A  ( ZN2 })  line  temperature  in  both  zones  below  72  deg  F  with  no  heater  cycling 
(implying  that  the  72  deg  F  is  due  to  environmental  heating  and  not  heater  operations )  ensures  that  the 
O2  line  temperature  is  below  90  deg  F.  The  O2  limit  of  90  deg  F  was  chosen  because  all  EMU  safety 
analysis  was  performed  with  this  limit.  Impacts  from  exceeding  this  limit  are  unknown.  There  is  also  a 
90  deg  F  maximum  inlet  temperature  to  the  helmet  that  EMU  must  meet.  There  is  currently  no  active 
method  of  cooling  the  O2  line.  ®[121400-3862A] 

Indicated  values  are  used  since  the  analyses  have  conservative  assumptions  that  cover  the 
instrumentation  error.  Applying  instrumentation  error  to  the  conservative  analysis  values  may 
unnecessarily  constrain  operations.  ©[121400-3862A] 
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A15-204  EXTERNAL  AIRLOCK  EMU  SERVICING  CONSTRAINTS 

(CONTINUED) 

B.  LCG  WATER  MAY  BE  CIRCULATED  THROUGH  A  MANNED  SUIT  IF  THE 

EXTERNAL  AIRLOCK  LCG2  WATER  LINE  TEMPERATURE  IN  BOTH  ZONES  IS 

?  92  DEG  F. 

LCG2  water  line  temperatures  ?  92  deg  F  in  both  zones  (MSID  V64T0182A  (ZN1}  and  V64T0185A 
{ ZN2 })  ensure  that  the  all  sections  of  the  LCG  water  lines  are  below  the  EMU  thermal  limit  of  100  deg 
F.  The  100  deg  F  thermal  limit  for  water  circulated  through  a  manned  suit  is  defined  by  Hamilton 
Sundstrand  to  ensure  crew  comfort. 

C.  LCG  WATER  MAY  BE  CIRCULATED  THROUGH  AN  UNMANNED  SUIT  IF 

EXTERNAL  AIRLOCK  LCG2  WATER  LINE  TEMPERATURE  IN  BOTH  ZONES  IS 

?  110  DEG  F. 

FOR  AN  UNMANNED  EMU,  IF  THE  EXTERNAL  AIRLOCK  LCG  LINE 
TEMPERATURE  IN  EITHER  ZONE  IS  <  110  DEG  F  BUT  >  92  DEG  F,  THE 
EMU  TCV  MUST  BE  PLACED  IN  THE  MAX  "H"  POSITION  PRIOR  TO 
INITIATING  WATER  CIRCULATION.  ®[070899-6890A] 

LCG2  water  line  temperatures  ?  110  deg  F  in  both  zones  { MSID  V64T0182A  {ZN1}  and  V64T0185A 
l ZN2 })  ensure  that  all  sections  of  the  LCG  water  lines  are  below  the  EMU  thermal  limit  of  120  deg  F. 

For  cm  unmanned  suit,  the  limit  of  120  deg  F  comes  from  the  EMU  certification  limit.  The  tubing  in  the 
HUT  is  molded  at  120  deg  F  and  may  deform  when  exposed  to  this  limit.  Placing  the  TCV  in  MAX  “H” 
(LCVG  bypass )  minimizes  the  EMU  exposure  to  hot  water.  ®[070899-6890A] 

D.  WATER  RECHARGE  MAY  BE  PERFORMED  IF  THE  EXTERNAL  AIRLOCK 
SUPPLY  WATER  LINE  TEMPERATURE  IN  BOTH  ZONES  IS?  95  DEG  F. 

®[121400-3862A] 

Supply  water  line  temperatures  ?  95  deg  F  in  both  zones  ( MSID  V64T0181A  {ZNlj  and  V64T0184A 
{ZN2})  ensure  that  all  sections  of  the  supply  water  line  are  below  the  EMU  thermal  limit  of  100  deg  F. 

The  thermal  limit  of  100  deg  F  for  water  recharge  protects  the  life  of  the  SCU  bacteria  filter  cartridge 
and  minimizes  the  risk  of  having  a  high  concentration  of  iodine  in  the  feedwater  bladders. 
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(CONTINUED) 

E.  BATTERY  RECHARGE  IS  NOT  CONSTRAINED  BY  EXTERNAL  AIRLOCK  LINE 
THERMAL  LIMITS. 

Battery  recharge  has  no  thermal  constraints  because  the  airlock  O2  valves  are  closed  to  isolate  O 2  flow, 
and  no  water  is  supplied  to  or  circulated  through  the  EMU. 

F.  EMU  O2  SERVICING  SHALL  BE  AVAILABLE  FOR  THE  DURATION  OF  AN 
EVA  PER  CONSTRAINTS  IN  PARAGRAPH  A.  EMU  LCG  COOLING  SHALL  BE 
AVAILABLE  FOR  THE  DURATION  OF  AN  EVA  PER  CONSTRAINTS  IN 
PARAGRAPH  B. 

To  protect  for  early  termination  of  an  EVA  due  to  EMU  failures,  and  provide  vehicle  consumables, 
the  EMU  O2  supply  must  be  available  at  all  times  during  an  EVA  to  provide  immediate  O2 
resupply/flow  through  the  Sendee  and  Cooling  Umbilical  (SCU).  The  LCG  supply  line  temperatures 
must  be  maintained  ?  92  deg  F  in  both  zones  (MSID  V64T0182A  {ZN1}  and  V64T0185A  {ZN2}) 
during  the  EVA  in  order  to  provide  cooling  to  the  EV  crew  in  the  case  of  cm  EMU  cooling  failure. 

DOCUMENTATION :  Hamilton  Standard  Engineering  Memorandums,  EMUM1-0085  and 
EMUM1-0195,  “STS-88  Hot  External  Airlock  Return  Temperatures  &  Revisions,  ”  EMUM1-0248, 

“EMU  Requirements  for  External  Airlock,  ”  EMUM1-0268,  “Additional  Limits  on  Airlock 
Interface  Temperatures,  ”  and  engineering  judgment.  ©[070899-6890A]  ®[1 21 400-3862A] 
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A15-205  EMU  DECONTAMINATION  DURING  EVA 

A.  IF  CHEMICAL  CONTAMINATION  OF  THE  EMU  IS  CONFIRMED  BY 

VISUAL  OBSERVATION  OR  CHEMICAL  DETECTION  EQUIPMENT,  THEN 
THE  HYDRAZINE  DECONTAMINATION  PROCEDURE  WILL  BE  EXECUTED. 
®[070899-6869A] 

For  confirmed  contamination,  the  decontamination  procedure  is  designed  to  reduce  the  hydrazine, 
ammonia,  or  oxidizer  levels  to  safe  values  based  on  analysis. 


Use  of  consumables  and  impact  to  the  crew  timeline  for  airlock  depress  and  bakeout  are  significant 
mission  impacts  and  will  not  be  performed  unless  contamination  of  the  EMU  is  confirmed  by  visual 
inspection  or  chemical  detection  equipment. 

B.  DRAGER  TUBES  WILL  ONLY  BE  UTILIZED  WHEN  EMU  CONTAMINATION  IS 
SUSPECTED . 


EMU  CONTAMINATION  IS  SUSPECTED  WHEN  THE  EMU  WAS  IN  THE 
VICINITY  OF  A  THRUSTER  OR  AMMONIA  SYSTEM  COMPONENT  WITH  A 
VISUALLY  OR  TELEMETRY  DETECTED  LEAK. 


Because  there  is  a  limited  supply  of  drager  tubes  on  board,  they  will  only  be  used  if  contamination  is 
suspected. 

Suspected  EMU  contamination  must  be  investigated  further  with  the  hydrazine  detection  equipment  to 
either  confirm  or  disprove  the  suspected  contamination  before  it  presents  a  hazard  to  the  TV  crew. 

Reference  Rule  {A15-203},  CABIN  ATMOSPHERE  DECONTAMINATION  FOLLOWING  EVA. 

®[070899-6869A] 
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SECTION  16  -  POSTLANDING 


GENERAL 


A16-1  CONVOY  POSITIONING 

CONVOY  POSITIONING  WILL  NOT  BE  CAUSE  TO  CONSTRAIN  RUNWAY  SELECTION. 

A16-2  VEHICLE  SYSTEM  RECONFIGURATION  CONSTRAINT 

SYSTEM  RECONFIGURATION  WHICH  WOULD  RESULT  IN  DESTROYING  VEHICLE 
TURNAROUND  PROBLEM  ANALYSIS  WILL  BE  AVOIDED  WHERE  POSSIBLE. 

A16-3  PRECREW  EGRESS  TROUBLESHOOTING  CONSTRAINT 

PRECREW  EGRESS  TROUBLESHOOTING  WILL  BE  LIMITED  TO  REGAINING  A 
CAPABILITY  REQUIRED  FOR  POSTLANDING  ACTIVITIES. 

Emphasis  will  be  on  configuring  the  Orbiter  in  a  safe  configuration  for  crew  egress.  Activities  that  can 
be  accomplished  by  the  exchange  crew  will  be  delayed  until  crew  egress  in  order  to  expedite  the  crew 
egress  timeline. 


A16-4  VEHICLE  SYSTEM  MOPING  CONSTRAINT 

IF  AN  EMERGENCY  POWERDOWN  IS  REQUIRED,  NO  VEHICLE  SYSTEM  MODING 
WILL  BE  ACCOMPLISHED  TO  PROTECT  VEHICLE  SYSTEMS  DATA. 


Emergency  powerdown  and  crew  safety  have  priority  over  vehicle  systems  data. 


A16-5  MEMORY  RECONFIGURATION  CONSTRAINT 

IF  THE  BFS  IS  ENGAGED  PRIOR  TO  THE  POSTLANDING  G3-TO-G9 
TRANSITION,  GNC  RECONFIGURATION  TO  A  SIMPLEX  PASS  GNC  9  MEMORY 
CONFIGURATION  WILL  NOT  BE  ATTEMPTED. 

Cause  for  the  BFS  engage  is  most  likely  a  combination  of  LRU  failures  and  GPC  failures.  No  attempt  at 
establishing  a  PASS  computer  will  be  performed  in  order  to  preserve  data  for  failure  reconstruction 
purposes.  SSME  repositioning  will  not  be  attempted  since  the  capability  is  not  supported  in  the  BFS. 
Rule  {A16-9J,  SSME  REPOSITIONING  CONSTRAINT,  references  this  rule. 
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A16-6  RECORDER  DUMP 

POSTLANDING  RECORDER  DUMPS  WILL  BE  ACCOMPLISHED  BY  MCC  SO  AS  NOT 
TO  CONSTRAIN  THE  CREW  EGRESS  TIMELINE. 

This  rule  clarifies  that  MCC  is  prime  for  recorder  dumps  and  crew  participation  will  be  minimal. 

Should  there  be  an  unexpected  need  for  onboard  assistance,  the  dump  will  be  delayed  until  the  astronaut 
support  crew  is  available. 


A16-7  GOM  HANDOVER 

A.  NOMINAL  HANDOVER  TO  THE  GOM  WILL  OCCUR  AT  CREW  EGRESS  OR  GSE 
COOLING  ACTIVATION,  WHICHEVER  OCCURS  LATER. 

B.  FOR  LOSS  OF  MCC  VOICE  AND  TELEMETRY,  OR  IF  A  MODE  V  OR  VI 
EMERGENCY  CONDITION  IS  DECLARED,  HANDOVER  TO  THE  GOM  WILL 
BE  ACCOMPLISHED  ASAP;  IF  TOTAL  LCC  CAPABILITY  IS  LOST,  NO 
CHANGE  TO  POSTLANDING  ACTIVITIES  WILL  OCCUR,  BUT  HANDOVER  TO 
THE  GOM  WILL  BE  DELAYED  UNTIL  THE  CAPABILITY  IS  REGAINED  OR 
THE  ORBITER  IS  POWERED  DOWN. 

C.  HANDOVER  TO  THE  GOM  WILL  OCCUR  AT  WHEELS  STOP  FOR  LOSS  OF  MCC 
COMMUNICATIONS  WITH  THE  VEHICLE. 


LCC  data  monitoring  is  available  to  the  Ground  Operations  Manager  if  loss  of  MCC  systems  insight 
and  communication  capability  occurs.  Handover  will  occur  ASAP  in  order  for  normal  postlanding 
operations  to  con  tinue.  If  LCC  monitoring  capability  is  lost,  systems  mon  itoring  will  con  tinue  to  be 
supported  by  the  MCC  until  no  longer  needed  (vehicle  powerdown  or  restoration  of  LCC  capability). 
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A16-8  CREW  EGRESS  METHOD  DETERMINATION  (FOR  MODE  V 

EGRESS) 


THE  CREW  WILL  DETERMINE  WHICH  OF  THE  FOLLOWING  MODE  V  EGRESS 
METHODS  WILL  BE  USED:  ®[041 1 96-1 881  A] 

A.  HATCH  ON  MODE  V  -  CREW  MANUALLY  OPENS  SIDE  HATCH.  WHENEVER 
POSSIBLE,  THE  CREW  WILL  USE  THIS  TECHNIQUE. 

B.  HATCH  JETTISON  MODE  V  -  CREW  PYROTECHNIC ALLY  JETTISONS  THE 
SIDE  HATCH.  A  CREW  WILL  USE  THIS  TECHNIQUE  ONLY  UNDER  THE 
FOLLOWING  CONDITIONS: 

1.  INTOLERABLE  CABIN  CONDITIONS  DUE  TO  FIRE,  SMOKE,  TOXIC 
GASSES,  OR  HIGH  TEMPERATURES  PRESENT  IN  THE  CREW  CABIN 
AND  NOT  READILY  ELIMINATED  BY  OTHER  ACTIONS. 

2.  IMMINENT  THREAT  TO  LIFE  AND  SAFETY  OF  THE  CREW  AS 
DETERMINED  BY  THE  CDR . 

C.  ESCAPE  PANEL  MODE  V  -  CREW  PYROTECHNIC ALLY  JETTISONS  THE 
WINDOW  8  ESCAPE  PANEL.  THIS  TECHNIQUE  WILL  BE  USED  ONLY  UNDER 
THE  CIRCUMSTANCES  LISTED  FOR  HATCH  JETTISON  IN  PARAGRAPH  B 
ABOVE,  AND  THEN  HATCH  JETTISON  IS  PREFERRED.  ESCAPE  PANEL 
MODE  V  WILL  BE  PERFORMED  ONLY  IF  SITUATIONS  REQUIRING 
IMMEDIATE  EGRESS  WHEN  THE  SIDE  HATCH  IS  (1)  BLOCKED,  (2) 

JAMMED,  (3)  STRUCTURALLY  DEFORMED,  (4)  OTHERWISE  SUSPECTED  OF 
BEING  UNABLE  TO  BE  JETTISONED,  OR  (5)  WHEN  GROUND  PERSONNEL 
ARE  IN  THE  HAZARD  ZONE  AROUND  THE  SIDE  HATCH. 

PYROTECHNIC  JETTISON  WILL  NOT  BE  UTILIZED  WHEN  AN  EXPLOSIVE/ 
FLAMMABLE  ATMOSPHERE  IS  PRESENT.  THE  CREW  SHOULD  MAKE  EVERY 
POSSIBLE  ATTEMPT  TO  COORDINATE  WITH  GROUND  PERSONNEL  BEFORE 
PYROTECHNIC  JETTISON. 


The  crew  is  in  the  best  position  to  determine  the  safest  egress  mode.  If  time  allows,  it  is  preferable  to 
reposition  the  egress  slide  on  the  side  hatch  and  then  open  the  hatch  normally  and  inflate  the  slide. 
This  preven  ts  firther  damage  to  the  vehicle.  If  the  crew  is  in  immediate  danger,  the  side  hatch  may  be 
jettisoned.  In  the  case  of  a  slide  failure,  the  crew  can  still  egress  out  the  side  hatch  using  the  sky 
genie  descent  devices..  An  egress  through  the  overhead  escape  panel  ( window  W8)  is  slower  and 
more  inherently  dangerous  and,  therefore,  should  not  be  performed  unless  egress  through  the  side 
hatch  is  impossible. 

The  crew  should  attempt  to  notify  the  crash/rescue  crew  of  their  intentions  either  by  orbiter  A/G, 

PRC- 112  survival  radio  (Channel  A),  or  light  signals  per  the  Entry  Checklist.  ®[041 1 96-1 881  A] 
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A16-9  SSME  REPOSITIONING  CONSTRAINT 

A.  SSME  REPOSITIONING  WILL  NOT  BE  ATTEMPTED  UNDER  ANY  OF  THE 
FOLLOWING  CONDITIONS:  @[031500-7180] 

1.  01  MDM  OA1 ,  DSC  OA1 ,  OR  BOTH  PCMMU' S  FAILED. 

The  GPC’s  depend  on  SSME  actuator  position  feedback  information  transmitted  through  OI  MDM  OA1 
and  the  PCMMU’s  to  properly  reposition  the  SSME’s.  The  SSME  actuator  position  feedback 
transducers  receive  power  through  DSC  OA1. 

2.  MULTIPLE  AEROSURFACE  POSITION  FEEDBACK  FAILURES  RESULTING 
IN  ERRONEOUS  OPS-9  SELECTED  POSITION.  REPOSITIONING  CAN 
BE  PERFORMED  IF  COMMFAULTING  ONE  OF  THE  FAILED  FEEDBACKS 
WILL  PROVIDE  A  GOOD  SELECTED  POSITION. 

The  OPS  9  aerosurface  position  feedback  selection  filter  utilizes  a  mid-value  selection  scheme  among  the 
first  three  feedbacks,  and  only  downmodes  to  use  the  channel  4  feedback  when  one  of  the  first  three  is 
commfaulted  by  powering  off  the  associated  FA  MDM  ( further  commfaults  would  result  in  averaging  the 
two  available  feedbacks  or  using  the  one  available  feedback).  Feedbacks  failed  by  OPS  3  or  6  RM,  or 
deselected  manually  by  the  crew,  are  still  considered  available.  If  two  of  the  feedbacks  among  channels 
1,  2,  and  3  are  failed,  a  bad  feedback  will  be  selected  and  the  subsequent  AI  Model  command  will  set  the 
commands  equal  to  this  erroneous  value  causing  a  large  step  input  to  the  actuator  command.  By 
commfaulting  one  of  these  failed  feedbacks,  the  selection  filter  will  use  the  channel  4  feedback  and  output 
a  good  selected  feedback.  Nominal  repositioning  can  con  tinue  with  this  FA  MDM  and  associated  FCS 
channel  off.  ( The  performance  of  OPS  9  repositioning  software  with  commfaulted  FA  MDM's  was 
verified  in  formal  SAIL  testing  on  September  28-30,  1998.  This  testing  confirmed  that  the  repositioning 
software  will  function  properly  with  up  to  three  FA  MDM’s  commfaulted.) 

3.  TWO  APU' S/HYDRAULICS  SYSTEMS  UNAVAILABLE. 

The  loss  of  two  APU ’s/hydraulic  systems  (due  to  system  failures  orfailed-closed  MPSfTVC  isolation 
valves)  will  keep  one  of  the  SSME’s  from  being  repositioned  since  each  engine  only  has  two  hydraulic 
systems  available  as  shown  below: 

Center  engine:  Hydraulic  systems  1  and  3. 

Right  engine:  Hydraulic  systems  2  and  3. 

Left  engine:  Hydraulic  systems  1  and  2. 

The  inability  to  reposition  one  engine  will  cause  the  repositioning  sequence  to  fail.  @[031500-7180  ] 
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A16-9  SSME  REPOSITIONING  CONSTRAINT  (CONTINUED) 

4.  BODY  FLAP  ANOMALY  ("HOLD,  CYCLE,  FAIL")  THAT  CANNOT  BE 
ISOLATED.  @[031500-7180] 

The  failure  of  the  body  flap  to  move  as  commanded  during  entry,  which  causes  the  messages  of  HOLD, 
CYCLE,  or  FAIL  to  occur,  signifies  a  problem  in  the  body  flap  drive  system  (messages  due  to  FCS  channel 
reconfigurations  do  not  apply).  In  cases  where  the  body  flap  happens  to  be  in  the  up  position,  a  recontact 
of  the  body  flap  with  the  SSME’s  may  occur  when  the  repositioning  sequence  is  activated.  If  the  condition 
is  due  to  a  failed  command  channel,  the  bad  channel  can  be  isolated  by  turn  ing  off  the  corresponding  FCS 
channel  for  afcdled  ASA  command,  or  by  shutting  down  the  corresponding  APU  for  a  failed  pilot  valve. 

5.  THE  DIFFERENCE  BETWEEN  ANY  SSME  ACTUATOR  COMMAND  (AVERAGE 
OF  THE  ACTIVE  ATVC  DRIVER  OUTPUTS)  AND  THE  INDICATED 
POSITION  IS  GREATER  THAN  2.0  DEGREES. 

Application  of  full  hydraulic  pressure  to  ATVC’ s,  with  a  command-actual  position  difference  of  greater 
than  2  degrees,  risks  damage  (possible  rupture)  to  the  hydraulic  lines  and  subsequent  loss  of  that 
hydraulic  system.  The  average  of  the  active  ATVC  driver  outputs  are  used  in  the  differencing  scheme  (as 
opposed  to  the  software  command)  to  eliminate  the  uncertainties  in  the  command  path.  The  2.0-degree 
constraint  takes  into  account  the  transducer  uncertainty  (ref  SODB  3.4.5. l.h.l). 

When  the  post-landing  repositioning  sequence  is  started,  the  MDM  commands  are  first  set  equal  to  the 
indicated  position  feedbacks  (AI  mode  1).  If  an  engine  actuator  position  measurement  is  in  error,  the 
resulting  Mode  1  command  will  likewise  be  in  error  by  the  same  amount,  resulting  in  a  step  change  in 
position  if  the  isolation  valves  are  open.  Should  this  step  exceed  2.0  degrees,  the  possibility  of  rupturing 
hydraulic  lines  exists.  Even  if  the  hydraulic  lines  are  not  ruptured,  the  command/position  delta  (if 
caused  by  transducer  failure)  may  result  in  cm  error  code  103  being  generated  and  displayed  on  SPEC 
105  which  in  turn  will  prevent  any  further  repositioning  of  the  SSME’s. 

6.  BFS  ENGAGED 

The  BFS  cannot  perform  SSME  repositioning  (ref  Rule  {A16-5},  MEMORY  RECONFIGURATION 
CONSTRAINT). 
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A16-9  SSME  REPOSITIONING  CONSTRAINT  (CONTINUED) 

B.  IF  SSME  REPOSITIONING  CANNOT  BE  PERFORMED,  THE  SPEEDBRAKE  AND 
BODY  FLAP  WILL  BE  REPOSITIONED  PROVIDED  THE  LANDING  IS  AT  KSC 
AND  THE  SSME'S  ARE  IN  THE  CHUTE  STOW  POSITION. 

The  primary  benefit  of  SSME  repositioning  is  that  it  allows  GSE  access  for  the  main  engine  turbopump 
bearing  purges.  To  prevent  a  significant  turnaround  impact,  these  purges  must  begin  within  48  hours  of 
landing.  Provided  the  landing  is  at  KSC  and  the  SSME’s  are  in  the  drag  chute  stow  position,  adequate 
access  for  the  purges  is  achieved  by  positioning  only  the  body  flap  and  speedbrake.  In  this  case,  the 
body  flap  is  manually  positioned  fill  down,  prior  to  the  OPS  9  transition.  For  01-28  and  subsequent 
flights,  fully  closing  (position  of  15  percent)  the  speedbrake  prior  to  the  OPS  9  transition  will  provide 
adequate  clearance  for  GSE  in  the  OPF.  For  01-27,  a  software  K-load  will  not  allow  the  speedbrake  to 
be  sufficiently  closed  prior  to  OPS  9.  Therefore,  the  speedbrake  must  be  closed  using  OPS  9  software 
and  SPEC  113.  If  the  landing  is  at  a  site  other  than  KSC,  or  the  SSME’s  are  not  in  the  drag  chute  stow 
position  at  touchdown,  then  full  SSME  repositioning  is  required  to  gain  access  for  the  turbopump 
purges.  @[031500-7180] 

A16-10  NORMAL  POSTLANDING  OPERATIONS 

NORMAL  POSTLANDING  OPERATIONS  WILL  BE  CONTINUED  EXCEPT  FOR  THE 
FOLLOWING  CONDITIONS: 

A.  LIGHTNING  WITHIN  5  MILES. 


The  KSC  Ground  Operations  Safety  Plan  ( GP-1098E )  requires  that  all  operations  be  terminated  for 
lightning  within  5  miles.  However,  if  orbiter  tow  operations  are  underway,  towing  may  continue  if  all 
personnel  on  foot  enter  a  covered  vehicle. 

B.  LIQUID  LEAKS,  HYPERGOLIC  VENTING,  OR  HAZARDOUS  MATERIALS 
TOXICITY  ABOVE  ALLOWABLE  LIMITS  (REF.  RULE  {A1 6-301}, 
CONTAMINATION/FLAMMABILITY /TOXICITY) . 

C.  MMH ,  N204,  OR  HYDRAZINE  CONCENTRATIONS  WITHIN  THE  POD/AFT 
COMPARTMENT.  (FOR  MMH  OR  HYDRAZINE,  REF.  RULE  {A16-11C}, 
EXPEDITED  POWERDOWN.)  (FOR  ^04,  REF.  RULE  {A16-204}, 
WINDWARD  APU  OPERATION  CONSTRAINT.) 

D.  LOSS  OF  COMMUNICATION/SYSTEMS  MONITORING  CAPABILITY  (REF. 
RULE  { A1 6-11 } ,  EXPEDITED  POWERDOWN). 

E.  ORBITER  CONDITIONS  REQUIRING  EXPEDITED/EMERGENCY  POWERDOWN 
(REF.  RULE  {A16-12},  EMERGENCY  POWERDOWN). 


VOLUME  A  06/20/02  FINAL  POSTLANDING  16-6 

Verify  that  this  is  the  correct  version  before  use. 


NASA  -  JOHNSON  SPACE  CENTER 


FLIGHT  RULES 


A16-11  EXPEDITED  POWERDOWN 

AN  EXPEDITED  POWERDOWN  IS  DEFINED  TO  ALLOW  ACCOMPLISHMENT  OF  ET 
DOOR  OPENING  (RTLS/TAL  ONLY) ,  OMS /RCS-SAF ING,  NOMINAL  GPC 
POWERDOWN  FOLLOWED  IMMEDIATELY  BY  AN  EMERGENCY  POWERDOWN. 
@[012402-5079  ] 

AN  EXPEDITED  POWERDOWN  AND  MODE  V  CREW  EGRESS  WILL  BE 
ACCOMPLISHED  FOR: 

A.  LOSS  OF  ALL  COMMUNICATIONS  (INCLUDING  VISUAL  SIGNALS  AND  MCC 
RELAY)  BETWEEN  CREW  AND  CONVOY  ELEMENTS. 

NOTE:  RULE  {A16-8},  CREW  EGRESS  METHOD  DETERMINATION  (FOR  MODE 

V  EGRESS)  GOVERNS  THE  MODE  V  EGRESS  METHOD  THE  CREW  WILL 
USE.  @[041 196-1 881  A] 


Crew  safety  could  be  compromised  with  the  loss  of  communication  between  the  crew  and  convoy 
personnel.  Possible  orbiter  problems  that  occur  during  landing  and  rollout  not  reflected  in  orbiter 
systems  would  not  be  available  to  the  crew  ( i.  e. ,  tire  fire,  explosive/flammable  conditions,  etc.). 

B.  LOSS  OF  ALL  TELEMETRY  (MCC  AND  LCC)  AND  ONBOARD  SYSTEMS 

MONITORING  (BFS ,  C&W  PANEL,  AND  FDA)  VISIBILITY.  IF  COMM  IS 
AVAILABLE  TO  CREW,  MCC  WILL  DETERMINE  IF  MODE  V  IS  REQUIRED. 


As  long  as  insight  into  critical  vehicle  systems  and  communication  with  the  crew  are  maintained,  normal 
postlanding  operations  can  continue.  Critical  systems  information  is  available  at  KSC  (LCC)  that 
allows  the  LCC  to  be  an  acceptable  source  for  orbiter  systems  monitoring. 

C.  A  NONISOLATABLE  CMS,  RCS,  OR  APU  FUEL  LEAK  OR  FOR  AN 

ISOLATED  LEAK  WHEN  THERE  HAS  BEEN  INSUFFICIENT  TIME  FOR  FUEL 
SUBLIMATION  (RTLS,  TAL,  AO A,  OR  POST-DEORBIT  IGNITION) .  FOR 
THESE  CASES,  A  MODE  V  CREW  EGRESS  WILL  BE  IMPLEMENTED.  RCS 
JET  LEAKS  AND  APU  SEAL  CAVITY  DRAIN  LEAKS  ARE  EXEMPTED  FROM 
THIS  CATEGORY. 


Leaking  OMS,  RCS,  or  APU  fuel  poses  a  toxicity  and  fire  hazard.  An  expedited  powerdown  should  be 
performed  in  order  to  minimize  the  danger  to  the  flightcrew  and  ground  operations  personnel.  If  a  fuel 
leak  occurs  and  is  isolated  during  an  RTLS,  TAL,  AOA,  or  post-deorbit  ignition,  there  is  insufficient  time 
for  the  fuel  to  sublimate,  arid  an  expedited  powerdown  is  prudent. 

THIS  RULE  CONTINUED  ON  NEXT  PAGE 
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A16-11  EXPEDITED  POWERDOWN  (CONTINUED) 

An  isolated  RCS  jet  leak  does  not  pose  a  risk  to  the  orbiter/crew  with  continued  postlanding  operations. 
In  the  event  of  an  APU  fuel  pump  seal  failure,  the  APU  seed  cavity  drain  dumps  hydrazine  overboard. 
Once  the  APU  is  shut  down,  the  leak  is  isolated. 

Rules  { A16-10C}  and  D,  NORMAL  POSTLANDING  OPERATIONS,  and  (A6-206J,  RCS 
MANIFOLD/LEG  LEAK  PRESSURIZATION,  reference  this  rule.  ®[ED  ] 

D.  A  CONFIRMED  OR  SUSPECTED  FIRE  FOR  WHICH  A  FIRE  SUPPRESSION 
BOTTLE  HAS  BEEN  DISCHARGED  DURING  ENTRY. 

Vehicle  damage  can  pose  hazards  to  crew  safety  after  afire  is  extinguished,  especially  if  its  location  is 
unknown.  Wires  melted  together  could  cause  any  number  of  hazards  (e.g.,  inadvertent  GPC 
commanding  causing  fuel  valves  to  open,  etc.).  In  addition,  if  the  fire  occurred  in  an  avionics  bay 
severed  hours  (minutes  for  a  cabin  fire)  before  landing,  the  crew  should  exit  the  vehicle  to  avoid 
breathing  Halon  and  toxic  combustion  byproducts  which  slowly  leak  out  of  the  avionics  bay  and 
panels. 

E.  A  NON- I SOLATABLE  H2  LEAK  GREATER  THAN  6.5  LB/HR  (5.5  LB/HR 
FOR  SPACELAB/PAYLOAD  RETURN) . 

Leaking  H2  poses  a  possible  fire  hazard  in  the  midbody.  An  H2  concentration  of  4  percent  represents 
the  lower  ignitcible  limit  ofH2  (deflagrates  or  burns  rapidly). 

Rule  {A16-205FJ,  EARLY  APU  SHUTDOWN,  references  this  rule.  @[072398-6577] 

Normally,  KSC  is  prime  for  recommending  an  expedited  powerdown/crew  egress  based  on  detected  H2 
concentrations.  For  known  H2  leaks  prior  to  touchdown,  this  rule  identifies  the  H2  leak  rate  criteria  to 
be  used  by  MCC  in  determining  whether  an  expedited  powerdown/crew  egress  should  be  performed  prior 
to  KSC  assessment  ( i.  e. ,  for  large  leaks).  These  leak  rates  are  based  on  a  4  percent  concentration 
35  minutes  after  wheels  stop. 

For  leak  rates  below  6.5  (5.5)  Ib/hr,  KSC  is  prime  for  determining  whether  or  not  cm  expedited 
powerdown  is  required,  based  on  actual  detection  ofH2-  The  MCC  H2  leak  rate  prediction  is  based  on 
the  in  itial  size  of  the  leak  once  detected,  a  homogenous  mixing  in  the  midbody,  and  no  consideration  for 
venting  or  leakage  of  H2  from  the  midbody  at  wheel  stop. 

DOCUMENTATION:  ECLS  Console  Handbook,  SCP  4.6.2,  and  KSC  OMI S0026,  Revision  L. 
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A16-11  EXPEDITED  POWERDOWN  (CONTINUED) 

F.  AN  INCOMPLETE  MPS  LH2  DUMP  (NEGATIVE  INERT)  OR  FAILURE  TO 
PRESSURIZE  THE  MPS  LH2  MANIFOLD  ABOVE  ATMOSPHERIC  PRESSURE 
ON  AN  RTLS  OR  TAL  ABORT.  @[012402-5079] 

Failure(s)  in  the  MPS  LH2  system  during  the  MPS  dump  and  inert  will  result  in  an  incomplete  LH2 
dump  (negative  inert )  on  RTLS  and  TAL  aborts.  Analysis  (reference  Rockwell  Interned  Letter  no.  287- 
100-94-186  dated  October  12,  1994)  has  shown  that  the  loss  of  a  dump  path  or  the  loss  of  helium 
pressurization  (during  the  MPS  dump)  will  trap  between  approximately  0.8  to  40.8  pounds  ofLH2 
residuals  in  the  MPS  LH2  manifold  depending  on  the  specific  scenario.  Loss  of  a  clump  path  may  be 
caused  by  failure  of  one  of  the  following  LH2  valves:  outboard  or  inboard  fill/drain  valve,  backup  dump 
valves,  topping  valve,  prevalve,  or  SSMEfuel  bleed  valve.  Loss  of  helium  pressurization  may  be  caused 
by  n  umerous  reasons  such  as:  relief  isolation  valve  fails  closed,  relief  valve  fails  open,  inboard  fill/drain 
fails  open,  clogged  orifice,  etc.  In  these  failure  cases,  concern  exists  for  crew  and  convoy  safety  because 
analysis  ( reference  Boeing  Interned  Letter  SHA0-01-043  dated  April  26,  2001 )  predicts  the  MPS  LH2 
man  ifold  will  exceed  its  relief  setting  and  ven  ting  of  hydrogen  residuals  (poten  tially  explosive  mixture) 
will  occur  as  early  as  10.8  minutes  after  touchdown.  In  addition,  nominal  leakage  in  the  MPS  system 
could  lead  to  the  buildup  of  cm  explosive  mixture  of  hydrogen  in  or  around  the  aft  compartmen  t. 
@[012402-5079  ] 

After  discussion  at  the  Ascent/Entry  Flight  Techniques  Panel  (AEFTP  # 168  on  October  27,  2000)  and 
subsequent  discussions  with  KSC  ground  operations  and  KSC  safety,  it  was  decided  that  the  appropriate 
action  for  MPS  dump  failu  res  on  RTLS  and  TAL  aborts  is  to  perform  an  expedited  powerdown. 

Rationale  for  this  decision  is  based  on  the  potential  hazard  to  the  flight  crew  and  ground  personnel  due 
to  uncertainties  in  the  hazards  of  the  trapped  hydrogen  residuals.  Although,  residuals  due  to  a  failure  in 
the  MPS  system  on  a  TAL  abort  can  be  lower  than  the  residuals  on  a  nominal  RTLS  abort,  an  expedited 
powerdown  will  still  be  performed  on  the  TAL  because  of  the  limited  ground  operations  equipment 
available  to  assess  and  manage  the  situation  at  the  TAL  site.  Expedited  powerdown  actions  are  not 
required  for  AO  A  aborts  or  nominal  missions  because  sufficient  time  exists  on  orbit  to  fully  inert  the 
MPS  LH2  manifold  of  all  LH2  residuals.  @[012402-5079  ] 

After  discussion  at  the  AEFTP  Meeting  (AEFTP  # 168  on  October  27,  2000)  and  subsequent  discussions 
with  KSC  ground  operations  and  KSC  safety,  it  was  also  decided  that  the  failure  to  pressurize  the  MPS 
LH2  manifold  above  atmospheric  pressure  on  RTLS  and  TAL  aborts  would  result  in  the  ingestion  of  air 
into  the  LH2  manifold  resulting  in  the  creation  of  cm  explosive  mixture  (reference  Boeing  Interned  Letter 
SHA0-01-043  dated  April  26,  2001).  The  hazards  of  cm  explosive  mixture  in  the  MPS  manifold  that  the 
flight  crew  and  ground  operations  personnel  would  be  exposed  to  are  difficult  to  quantify.  However, 
these  hazards  represent  an  unnecessary  risk,  and,  therefore,  this  scenario  warrants  an  expedited 
powerdown. 

Rules  (A5-210},  ENTRY  MPS  PROPELLANT  DUMP  FAILURES,  { A5-201 j,  MPS  DUMP  INHIBIT 
[CIL],  and  { A5-209 },  ENTRY  MPS  HELIUM  PURGING  FOR  CRITICAL  VEHICLE 

POWER/COOLING,  reference  this  rule.  @[030994-1 604B]  @[030994-1617]  ©[090894-1730A  ]  ®[01 2402-5079  ] 

®[ED  ] 


VOLUME  A  11/21/02  FINAL,  PCN-1  POSTLANDING  16-9 

Verify  that  this  is  the  correct  version  before  use. 


NASA  -  JOHNSON  SPACE  CENTER 


FLIGHT  RULES 


A16-12  EMERGENCY  POWERDOWN 

AN  EMERGENCY  POWERDOWN  WILL  BE  IMPLEMENTED  POST-ROLLOUT  FOR  THE 
FOLLOWING  CONDITIONS  OR  AS  REQUESTED  BY  THE  FLIGHT  DIRECTOR  OR 
CONVOY  COMMANDER: 

An  emergency  powerdown  will  be  performed  if  Orbiter  systems  cannot  support  continued  operations  or  if 
orbiter  conditions  compromise  crew  safety.  The  normal  egress  mode  is  preferred  if  allowed  by  system 
conditions.  Loss  of  cooling  will  allow  an  orderly  egress  to  con  tinue. 

If  conditions  exist  that  compromise  crew  safety  (fire,  smoke,  explosive  conditions,  etc.),  a  MODE  V 
egress  is  warranted.  Based  on  knowledge  of  Orbiter  conditions  and  systems  indications,  the  Flight 
Director  and  Convoy  Commander  are  able  to  recognize  problems  and  recommend  the  appropriate 
action/egress  mode. 

A.  NORMAL  EGRESS  (SIDE  HATCH,  CONVOY  CREW  ASSIST) : 

1.  LOSS  OF  BOTH  FREON  COOLANT  LOOPS. 

If  both  loops  are  lost,  the  emergency  powerdown  is  required  because  there  is  absolutely  no  cooling 
of  the  vehicle.  The  fuel  cell  stack  temperature  will  reach  the  specification  limit  of  250  degrees  F  within 
approximately  50  minutes.  In  addition,  the  electrolyte  concentration  will  reach  the  25  percent 
operational  limit  in  approximately  75  minutes.  At  this  point,  continued  operation  of  the  fuel  cells  is 
questionable.  This  assumes  a  simultaneous  purge  of  all  three  fuel  cells  and  a  12.54  kWH  (4.18  kWH/fuel 
cell)  power  level.  If  the  failure  occurred  on  orbit,  the  situation  would  be  time-critical  postlanding. 
Purging  H2  into  the  atmosphere  should  be  avoided  if  at  all  possible  (ref.  Rule  {A16-301}, 
CONTAMINATION/  FLAMMABILITY/TOXICITY).  Without  the  purge,  the  fuel  cells  will,  flood  in 
approximately  18  minutes  based  on  an  8.0  kWH  (2.67  kWH/fuel  cell)  power  level  (ref.  Rules  { A2-54 }, 
RTLS,  TAL,  AND  AO  A  ABORTS  FOR  SYSTEMS  FAILURES  [CIL];  and  {A2-205},  EMERGENCY 
DEORBIT).  Upon  completion  of  the  emergency  powerdown,  a  normal  crew  egress  can  be  performed. 

DOCUMENTATION :  Dual  Freon  Loop  Failure  Entry  Analysis,  Rockwell  International  IL  388-301-79- 
018,  and  SODB  table  3. 4. 4. 1-1. 

2.  LOSS  OF  BOTH  H20  COOLANT  LOOPS. 

If  both  loops  are  lost,  the  emergency  powerdown  is  required  because  there  is  no  cooling  to  water  and  air 
cooled  equipmen  t  in  the  cabin.  If  the  failure  occurred  on  orbit,  avionics  equipmen  t  and  GPC’s  would  be 
cycled  to  their  thermal  limits  in  order  to  maintain  as  much  redundancy  as  possible  during  critical 
mission  phases.  Since  this  failure  scenario  does  not  contain  any  hazard  to  the  crew,  an  orderly,  normal 
egress  can  be  accomplished. 

DOCUMENTATION :  MDTSCO  analysis  l.l-ECLSS-09,  Dual  Water  Coolant  Loop  Failed  Entry 
Contingency. 
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A16-12  EMERGENCY  POWERDOWN  (CONTINUED) 

3.  LOSS  OF  BOTH  NH3  SYSTEMS  WHEN  CRITICAL  TEMPERATURES  ARE 
(RULE  {A16-51},  NO  GROUND  COOLING/EARLY  VEHICLE  POWER 
TERMINATION)  EXCEEDED. 

Postlanding,  orbiter  cooling  is  provided  by  the  heat  sink  capacity  remaining  from  the  on-orbit  radiator 
coldsoak,  the  NH 3  system,  and  the  ground-cooling  cart.  In  the  event  that  the  ground-cooling  cart  is  not 
available,  AT/3  must  supply  the  cooling  once  the  radiator  coldsoak  has  been  used.  Therefore, 
subsequen  t  loss  of  both  AT/3  systems  will  even  tually  lead  to  loss  of  all  vehicle  cooling,  and  loss  of  all 
vehicle  cooling  has  the  same  result  as  described  in  the  loss  of  both  Freon  loops  in  paragraph  A.l. 

DOCUMENTATION :  Engineering  judgment. 

B.  MODE  V  EGRESS: 

1.  WHEEL  WELL  FIRE  OR  BRAKE  FIRE  THAT  POTENTIALLY  WILL 
PROPAGATE  TO  THE  WHEEL  WELL.  EGRESS  WILL  BE  BASED  ON 
CONVOY  COMMANDER  RECOMMENDATION. 

2.  EXPLOSIVE/FLAMMABLE  CONDITIONS  (REF.  RULE  {A16-301}, 
CONTAMINATION/FLAMMABILITY/TOXICITY) . 

3.  SMOKE,  FIRE,  OR  OBVIOUS  STRUCTURAL  DAMAGE. 

4.  INTOLERABLE  CABIN  CONDITIONS . 

NOTE:  RULE  {A16-8},  CREW  EGRESS  METHOD  DETERMINATION  (FOR  MODE 

V  EGRESS)  GOVERNS  THE  MODE  V  EGRESS  METHOD  THE  CREW  WILL 
USE.  @[041196-1 881  A] 

It  is  preferable  to  perform  a  normal  egress.  However,  if  cabin  conditions  warrant,  a  MODE  V 
egress  may  be  performed.  An  emergency  powerdown  should  be  implemented  for  the  conditions  listed  in 
paragraph  Bl,  2,  3  above  in  order  to  eliminate  electrical  ignition/isolate  volatile  propellant  sources  that 
could  make  the  vehicle  anomalous  condition  worse.  A  confirmed  MPS  LH2  leak  is  considered  to  be  an 
explosive/flammable  condition  (ref.  rule  {A5-201},  MPS  DUMP  INHIBIT  [CIL]).  @[030994-1 604B] 

®[ED  ] 

DOCUMENTATION :  Engineering  judgment. 

Rule  { A16-10EJ ,  NORMAL  POSTLANDING  OPERATIONS,  references  this  rule. 


VOLUME  A  11/21/02  FINAL,  PCN-1  POSTLANDING  16-11 

Verify  that  this  is  the  correct  version  before  use. 


NASA  -  JOHNSON  SPACE  CENTER 


FLIGHT  RULES 


A16-13  SIDE  HATCH  OPENING  CONSTRAINT 

IF  CABIN  PRESSURE  EXCEEDS  LANDING  SITE  ATMOSPHERIC  PRESSURE  BY 
MORE  THAN  3.2  PS  ID,  THEN  THE  CABIN  VENT  VALVES  WILL  BE  USED  TO 
DEPRESSURIZE  THE  CABIN  TO  BRING  THE  PRESSURE  DIFFERENTIAL  BELOW 
3.2  PSID  BEFORE  ATTEMPTING  TO  OPEN  THE  SIDE  HATCH. 

An  unisolatable  leak  into  the  cabin  could  result  in  cabin  pressure  being  as  much  as  16  psid  greater  than 
landing  site  atmosphere  pressure  (the  cabin  relief  valves  relieve  at  16  psid).  Rockwell  International  has 
verified  side  hatch  structural  capability  to  vent  excess  cabin  pressure  postlanding  only  as  high  as  3.2 
psid.  The  3.2  psid  pressure  differential  was  selected  for  verification  because  it  is  the  maximum  expected 
to  be  encountered  at  the  highest  altitude  landing  site  (White  Sands)  under  normal  cabin  pressure 
conditions. 

DOCUMENTATION :  Side  Hatch  Structural  Capability  to  Release  Cabin  Pressure  Following  Rollout, 
Rockwell  International  Internal  Letter  No.  280-106-82-016,  May  7,  1983. 


A16-14  THROUGH  A16-50  RULES  ARE  RESERVED 


VOLUME  A  06/20/02  FINAL  POSTLANDING  16-12 

Verify  that  this  is  the  correct  version  before  use. 


NASA  -  JOHNSON  SPACE  CENTER 


FLIGHT  RULES 


COOLING 


A16-51  NO  GROUND  COOLING/EARLY  VEHICLE  POWER  TERMINATION 

POSTLANDING  LOSS  OF  COOLING  WILL  BE  DEFINED  AS  FOLLOWS:  @[012694-1599] 

A.  IF  MCC  VOICE  AND  TELEMETRY  ARE  AVAILABLE,  COOLING  WILL  BE 

DECLARED  LOST  AND  AN  EMERGENCY  POWERDOWN  PERFORMED  WHEN  ANY 
OF  THE  FOLLOWING  CONDITIONS  OCCUR: 

1.  FUEL  CELL  COOLANT  RETURN  TEMP  >  140  DEGREES  (135  DEGREES) 
F  OR  LOCAL  FUEL  CELL  KOH  <  24  PERCENT  (29  PERCENT) 

2.  AVIONICS  BAY  AIR  OUTLET  TEMP  EXCEEDS  THE  FOLLOWING  LIMITS 
PRIOR  TO  ENT  C/L  "LRU  DEACT" : 

a.  AVIONICS  BAY  1  OR  2  AIR  OUTLET  TEMP  >  133  DEGREES 
(128  DEGREES)  F 

b.  AVIONICS  BAY  3  AIR  OUTLET  TEMP  >117  DEGREES 
(112  DEGREES)  F 

3.  AVIONICS  BAY  AIR  OUTLET  TEMP  EXCEEDS  THE  FOLLOWING  LIMITS 
POST  ENT  C/L  "LRU  DEACT": 

a.  AVIONICS  BAY  1  OR  2  AIR  OUTLET  TEMP  >113  DEGREES 
(108  DEGREES)  F 

b.  AVIONICS  BAY  3  AIR  OUTLET  TEMP  >107  DEGREES 
(102  DEGREES)  F 

4.  CABIN  TEMPERATURE  >  95  DEGREES  (90  DEGREES)  F 

5.  MIDBODY  COLDPLATE  OUTLET  TEMP  >115  DEGREES 
(110  DEGREES)  F 

6.  AFT  COLDPLATE  OUTLET  TEMP  >  112  DEGREES  (107  DEGREES)  F 

THIS  RULE  CONTINUED  ON  NEXT  PAGE 
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A16-51  NO  GROUND  COOLING/EARLY  VEHICLE  POWER  TERMINATION 

(CONTINUED) 


The  FCP  coolant  return  temp  is  a  direct  indication  of  the  status  of  the  FCP  cooling  capability. 

Inadequate  cooling  of  the  fuel  cell  may  result  in  fuel  cell  KOH  concentrations  <  24  percent,  which 
indicate  a  wet  fuel  cell  and  impending  fuel  cell  flooding. 

Avionics  bay  temperatures  above  the  listed  limits  indicate  LRU  outlet  temperature  >  130  degrees  F  limit. 
Cabin  temperatures  above  95  degrees  F  will  cause  overtemp  conditions  for  flight  deck  avionics.  The 
limits  listed  above  will  not  result  in  hardware  damage  or  certification  violation  if  cm  emergency 
powerdown  is  executed  when  the  limit  is  reached.  @[012694-1599  ] 

B.  FOR  LOSS  OF  MCC  VOICE  OR  TELEMETRY,  AN  EMERGENCY  POWERDOWN 

PERFORMED  WHEN  ANY  OF  THE  FOLLOWING  CONDITIONS  OCCUR:  @[012694-1599] 

1.  FUEL  CELL  CONDENSER  EXIT  TEMP  >164  DEGREES  F 

2.  AVIONICS  BAY  AIR  OUTLET  TEMP  EXCEEDS  THE  FOLLOWING  LIMITS 
PRIOR  TO  ENT  C/L  "LRU  DEACT" : 

a.  AVIONICS  BAY  1  OR  2  AIR  OUTLET  TEMP  >  133  DEGREES 

(128  DEGREES)  F 

b.  AVIONICS  BAY  3  AIR  OUTLET  TEMP  >117  DEGREES 

(112  DEGREES)  F 

3.  AVIONICS  BAY  AIR  OUTLET  TEMP  EXCEEDS  THE  FOLLOWING  LIMITS 
POST  ENT  C/L  "LRU  DEACT": 

a.  AVIONICS  BAY  1  OR  2  AIR  OUTLET  TEMP  >113  DEGREES 

(108  DEGREES)  F 

b.  AVIONICS  BAY  3  AIR  OUTLET  TEMP  >107  DEGREES 

(102  DEGREES)  F 

Postlanding  cooling  tests  performed  after  STS-58  indicate  that  loss  of  the  508  GSE  cooling  cart  will  not 
result  in  violations  of  the  above  limits  if  the  radiators  are  flowing,  and  PLB  purge  air  is  available.  The 
purge  air  for  this  test  was  controlled  to  approximately  45  degrees  F.  If  PLB  purge  is  not  available,  or  is 
insufficient,  cm  emergency  powerdown  should  be  implemented  when  the  appropriate  thermal  limit  is  violated. 

DOCUMENTATION:  MACD  AC  1.1  ECLSS  122  and  SODB  3.4.4.1.11,  page  3.4.4. 1-3,  engineering 
judgmen  t,  and  STS-58  Post  Mission  report. 

Rule  { A16-12A}.3 ,  EMERGENCY  POWERDOWN,  references  this  rule.  ®[oi  2694-1 599  ] 
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A16-52  EXTENDED  COOLING 

ORBITER  COOLING  MAY  BE  EXTENDED  AS  FOLLOWS: 

A.  MAINTAIN  RADIATOR  FLOW. 

B.  POWERDOWN  AS  QUICKLY  AS  POSSIBLE  PER  THE  NORMAL  POST-ROLLOUT 
PROCEDURES  (DEPENDING  ON  LANDING  SITE  AND  OTHER  FAILURE 
SITUATIONS) . 


It  is  highly  desirable  to  hand  over  the  vehicle  in  a  powered  condition  in  order  to  expedite  turnaround 
operations.  Crew  requirements  or  vehicle  systems  management  may  dictate  a  need  to  operate  the  vehicle 
for  a  greater  than  normal  amount  of  time  without  ground  cooling. 

DOCUMENTATION :  Engineering  judgment. 


A16-53  FREON  LOOP  CONFIGURATION 

THE  FPV  IN  BOTH  FREON  LOOPS  WILL  BE  PLACED  TO  THE  "ICH" 

POSITION  IF  BOTH  THE  EVAPORATOR  OUTLET  TEMPERATURES  ARE  LESS 
THAN  32  DEGREES  (34.4  DEGREES)  F.  IF  THE  PAYLOAD  LOOP  DOES  NOT 
CONTAIN  WATER,  A  REAL-TIME  CALL  WILL  BE  MADE  TO  PLACE  BOTH 
FPV'S  TO  THE  "P/L"  POSITION. 

Provided  that  both  orbiter  water  loops  and  a  payload  water  loop  (if  installed)  are  flowing,  the  ICH 
position  provides  orbiter  water  loop  freeze  protection  for  Freon  temperatures  as  low  as  6  degrees  F 
and  payload  water  loop  protection  for  Freon  temperatures  as  low  as  -30  degrees  F  (extrapolated).  If 
left  in  the  P/L  position,  the  payload  water  loop  would  freeze  at  a  Freon  temperature  of  32  degrees  F 
and  the  orbiter  water  loops  at  -30  degrees  F  (extrapolated)  Freon  temperature.  For  payload  flow 
rates  <  150  Ib/hr,  the  P/L  water  loop  will  freeze  eventually,  but  is  delayed  if  the  FPV  is  placed  in  the 
ICH  position. 

DOCUMENTATION:  Lockheed  analysis,  LEMSCO  19630. 
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A16-54  AMMONIA  BOILER  MANAGEMENT 

THE  AMMONIA  BOILER  WILL  BE  ACTIVATED  WHEN  THE  FLASH  EVAPORATOR 
OUTLET  TEMPERATURE  >  55  DEGREES  F. 

The  standard  orbiter  entry  cooling  configuration  is  to  utilize  radiator  heat  sink  capacity  (cold  soak)  from 
160k  feet  altitude  until  depletion.  Normally  this  occurs  post-rollout.  At  that  time  the  ammonia  boiler  is 
activated  to  maintain  thermal  control.  Upon  ammonia  activation,  specification  leakage  past  the  primary 
control  valves  will  result  in  ammonia  boiler  outlet  temperatures  dropping  17  degrees  F.  Delaying 
ammonia  activation  until  flash  evaporator  outlet  temperatures  are  greater  than  55  degrees  F  protects 
downstream  H2O  loop  componen  ts  from  freezing. 

DOCUMENTATION:  Engineering  judgment.  SODB,  volume  1,  4. 6. 3.1 1.2.  b.  6  and  c. 3 

A16-55  THROUGH  A16-100  RULES  ARE  RESERVED 


VOLUME  A  06/20/02  FINAL  POSTLANDING  16-16 

Verify  that  this  is  the  correct  version  before  use. 


NASA  -  JOHNSON  SPACE  CENTER 


FLIGHT  RULES 


ET  UMBILICAL  DOOR 


A16-101  ET  UMBILICAL  DOOR  POSITIONING 

A.  FAILURE  TO  OPEN  THE  ET  UMBILICAL  DOOR  WILL  REQUIRE  NO  CHANGE 
TO  NORMAL  POSTLANDING  PROCEDURES. 

For  normal  postlanding,  the  ET  doors  are  opened  by  the  flightcrew  to  facilitate  ground  handling  at  KSC, 
EAFB,  and  NOR.  If  the  doors  cannot  be  opened  by  the  crew,  ground  turnaround  time  of  the  vehicle  will 
be  extended  somewhat.  There  are  no  safety  concerns  if  this  cannot  be  done. 

B.  THE  ET  DOORS  MUST  BE  OPENED  ASAP  POSTLANDING  FOR  TAL  OR  RTLS . 
FOR  NORMAL  EOM,  AO A,  OR  CLS,  THEY  MUST  BE  OPENED  ASAP  IF 
THERE  IS  EVIDENCE  OF  POTENTIAL  FOR  H>  BUILDUP. 

Hydrogen  poses  an  explosion  hazard.  Opening  the  ET  doors  as  soon  as  possible  after  wheel  stop  will 
help  to  vent  the  trapped  hydrogen  into  the  atmosphere. 

C.  WHEN  OPENING  IS  REQUIRED,  THE  ET  DOORS  WILL  BE  DRIVEN  TO  THE 
POSTLANDING  POSITION  OF  110  +  30  DEGREES.  THERE  IS  NO 
CONSTRAINT  ON  OPENING  THE  ET  DOORS  POSTLANDING  FOR  BLOWING 
DUST  OR  SAND. 

The  postlanding  ET  door  position  of  110  ±30  degrees  takes  into  consideration  allowable  tolerances  for 
wind  loads  on  door  mechanism  (stationary  vehicle  or  while  being  towed )  and  tolerances  on  clearance  for 
mounting  the  GSE  jacks  when  used  to  prepare  the  vehicle  for  transport  on  the  Shuttle  carrier  aircraft.  It 
has  been  established  that  the  doors  can  be  opened  regardless  of  blowing  sand  or  dust  (ref.  Ascent/Entry 
Flight  Techniques  #5,  7/27/83). 
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A16-151  VENT  DOOR  POSITIONING 

A.  VENT  DOOR  POSITIONING  IS  NOT  A  CONSTRAINT  TO  NORMAL 
POSTLANDING  OPERATIONS  (REGARDLESS  OF  BLOWING  SAND  OR  DUST) . 

KSC  prefers  to  have  the  vent  doors  configured  to  the  purge  position  (midbody  vents  closed;  forward  and 
aft  vents  in  purge )  in  order  to  expedite  vehicle  turnaround  time.  However,  if  this  cannot  be 
accomplished,  having  the  doors  open,  as  is  the  case  when  the  vehicle  lands,  all  doors  open  is  considered 
to  be  a  safe  configuration  (hazardous  gas  buildup  prevention).  Hazardous  gas  protection  is  of  higher 
priority  than  blowing  sand  or  dust  protection.  Other  normal  crew-initiated  postlanding  procedures  can 
continue  since  the  procedures  are  unaffected  by  the  position  of  the  vent  doors. 

B.  IF  PURGING  CAN  BE  ACCOMPLISHED,  THE  VENT  DOORS  WILL  BE 
CONFIGURED  AS  FOLLOWS: 

1.  ALL  MIDBODY  VENT  DOORS  CLOSED. 

2.  ALL  FORWARD  AND  AFT  VENT  DOORS  IN  THE  PURGE  POSITION. 
These  are  the  desired  positions  of  the  vent  doors  for  vehicle  purging. 

C.  IF  PURGING  CANNOT  BE  ACCOMPLISHED  OR  IS  LOST  AFTER 
INITIATION,  THE  PREFERRED  VENT  DOOR  POSITION  IS  OPEN 
(REGARDLESS  OF  BLOWING  SAND  OR  DUST) . 

Reference  rule  rationale  for  paragraph  A. 
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A16-201  HYDRAULIC  CIRCULATION  PUMP  OPERATION 


A.  FOLLOWING  APU  SHUTDOWN,  HYDRAULIC  CIRCULATION  PUMPS  WILL  BE 

OPERATED  IF  ANY  OF  THE  FOLLOWING  BONDLINE  TEMPERATURES  EXCEED 
245  DEGREES  F  UNTIL  THE  HYDRAULIC  RETURN  LINE  TEMPERATURES 
HAVE  PEAKED  AND  BEGUN  TO  DECREASE .  LOSS  OF  ONE  OR  MORE  OF 
THESE  PUMPS  WILL  NOT  CONSTRAIN  NORMAL  POSTLANDING  OPERATIONS. 
SHOULD  POWER  PROBLEMS  DICTATE,  CIRCULATION  PUMPS  MAY  BE 
OPERATED  ONE  AT  A  TIME  IN  5-MINUTE  INTERVALS;  OTHERWISE,  ALL 
THREE  WILL  BE  OPERATED  SIMULTANEOUSLY  (MCC  CALL) : 


V09T1006A 

V09T1026A 

V09T1002A 

V09T1702A 

V09T1004A 

V09T1624A 


LIB  ELVN  LWR  BL  Y-235 
BODY  FLAP  LWR  CL  BL  T 
LWR  L  WING  BL  X  1278, 
AFT  FUS  LWR  CL  BL  T. 
TOP  R  WING  BL  X  1278, 
CAB  CL  BL  LWR  X  560  T 


T  (OV-102  ONLY) . 
(OV-102  ONLY) . 
Y-240  T. 

Y  240  T. 


When  vehicle  bondline  temperatures  have  exceeded  245  degrees  F,  heat  soakback  would  cause 
temperatures  to  rise  in  the  hydraulic  fluid  to  the  point  where  seals  would  degrade  resulting  in  fluid 
leakage.  Turning  on  the  circulation  pumps  will  help  transport  hotter  fluid  to  cooler  areas,  thus  reducing 
the  chances  of  seal  degradation. 

If  bus  power  problems  arise  such  that  it  is  desirable  not  to  run  all  three  circulation  pumps  at  once,  then 
each  pump  can  be  run  at  5 -minute  intervals. 

B.  MPS  HELIUM  WILL  BE  PROVIDED  TO  AN  ENGINE  PRIOR  TO  HYDRAULIC 
CIRCULATION  PUMP  OPERATION  POSTLANDING  IF  THE  ASSOCIATED 
MPS/TVC  ISOLATION  VALVE  IS  OPEN. 

Maintaining  helium  pressure  on  the  closed  side  of  the  engine  valves  will  insure  that  the  valves  do  not 
drift  open  when  hydraulic  circulation  pump  pressure  is  applied  to  the  TVC  actuators.  Keeping  the 
engine  valves  closed  prevents  engine  contamination  and  reduces  the  number  of  helium  regulator  cycles. 
@[072795-1786] 


VOLUME  A  06/20/02  FINAL  POSTLANDING  16-19 

Verify  that  this  is  the  correct  version  before  use. 


NASA  -  JOHNSON  SPACE  CENTER 


FLIGHT  RULES 


A16-202  APU  REQUIREMENTS 

POSTLANDING  ACTIVITIES  WITH  APU' S  OPERATING,  IN  ORDER  OF 
PRIORITY,  ARE: 

A.  BODY  FLAP  REPOSITIONING  (OPS  3)  .  ©[012402-5090A] 

B.  SSME  REPOSITIONING  (OPS  9,  PASS) . 

C.  SPEED  BRAKE  REPOSITIONING  (OPS  9,  PASS) . 

D.  HYDRAULIC  LOAD  TEST  (OPS  3) . 

Body  flap  repositioning  ( full  down )  must  be  performed,  in  OPS  3,  in  preparation  for  a  poten  tial  SSME 
repositioning  failure.  Even  if  SSME  repositioning  is  NO-GO,  this  measure  can  help  reduce  the  cost  of 
turnaround  operations  and  is  desirable.  SSME  repositioning,  available  in  PASS  OPS  9,  is  required 
every  flight  to  position  the  engines  for  ferry  operations  (Edwards/  Northrup)  and  to  prevent  rain  from 
entering  into  the  nozzle,  possibly  damaging  engine  components.  In  the  event  SSME  repositioning  is  not 
accomplished  and  landing  occurred  at  KSC,  the  speedbrake  must  be  repositioned  (in  PASS  OPS  9)  in 
order  to  expedite  and  reduce  the  cost  of  turnaround  operations.  The  hydraulic  load  test  is  performed  in 
OPS  3  to  test  the  capability  of  the  APU’s  after  the  fifth  flight  of  a  particular  APU.  However,  the  load  test 
can  be  rescheduled  to  another  flight  and  is  not  critical  to  postlanding  operations.  ®[012402-5090A] 

A16-203  APU/HYDRAULIC  LOAD  TEST  TERMINATION 

AN  APU/HYDRAULIC  LOAD  TEST  WILL  BE  TERMINATED  FOR  ANY  OF  THE 
FOLLOWING: 

A.  ANY  PROBLEM  REQUIRING  AN  EXPEDITED  OR  EMERGENCY  POWERDOWN. 

B.  INSUFFICIENT  CONSUMABLES. 

C.  INABILITY  TO  OBTAIN  DATA  (REAL  TIME  OR  RECORDED) . 

D.  LESS  THAN  TWO  GOOD  APU/HYDRAULIC  SYSTEMS. 

The  APU/hydraulic  load  test  is  conducted  to  gather  data  on  APU  catalyst  bed  roughness;  i.e.,  the 
efficiency  of  fuel  decomposition  and  hydraulic  system  main  pump  performance  degradation.  The  test 
entails  manually  cycling  the  elevons,  rudder,  and  body  flap  with  hydraulic  system  1  depressed  and  then 
system  2  depressed.  The  duration  of  motion  is  about  80  seconds.  For  the  cases  listed  above,  the  load 
test  should  be  terminated  since  the  data  being  obtained  is  not  critical  and  can  be  obtained  during 
postlanding  of  a  later  flight. 
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A16-204  WINDWARD  APU  OPERATION  CONSTRAINT 

TO  AVOID  EXCEEDING  VERTICAL  TAIL  STRUCTURAL  TEMPERATURE  LIMITS, 
THE  WINDWARD  APU(S)  WILL  NOT  BE  OPERATED  LONGER  THAN  THE 
ALLOWABLE  POSTLANDING  APU  RUN  TIME,  OBTAINED  FROM  THE  POSTLANDING 
OPERATIONS  PLOT. 


POSTLANDING  OPERATIONS 


ALLOWABLE 
APU  RUNNING 
TIME,  MIN 


0  5  10  15  20  25  30  35 

STEADY  STATE  CROSS  WIND  COMPONENT  IN  ±Y0  DIRECTION,  KNOTS 


If  the  postlanding  run  time  exceeds  the  allowable  run  time,  vertical  tail  overtemperature  and  subsequen  t 
structural  damage  can  occur  if  the  APU  plume  has  ignited.  There  are  no  constraints  to  run  time  if  the 
APU  plume  has  not  ignited;  however,  due  to  the  difficulty  in  visually  determining  whether  the  plume  is 
burning  or  not,  the  worst  case  is  assumed. 

Reference  SPDB  3. 2. 1.1. 


VOLUME  A  06/20/02  FINAL  POSTLANDING  16-21 

Verify  that  this  is  the  correct  version  before  use. 


NASA  -  JOHNSON  SPACE  CENTER 


FLIGHT  RULES 


A16-205  EARLY  APU  SHUTDOWN 

AN  APU  (OR  APU'S)  WILL  BE  SHUTDOWN  ASAP  POST-WHEEL  STOP: 

A.  IF  A  FUEL  OR  OXIDIZER  LEAK  IS  SUSPECTED  OR  DETECTED  IN  THE 
MPS,  OMS,  RCS ,  OR  ANY  APU,  EVEN  IF  THE  LEAKS  HAVE  BEEN 
ISOLATED  (DOES  NOT  APPLY  FOR  RCS  JET  LEAKS)  .  @[030994-1 604B] 

The  requirements  for  APU  operations  postlanding,  SSME  repositioning,  and  hydraulic  load  test  are 
not  considered  mandatory.  In  cases  where  fuel  or  oxidizer  leaks  are  suspected  or  detected,  the  APU’s 
should  be  shut  down  ASAP  to  reduce  chances  of  the  leak  developing  into  a  greater  flammability  hazard, 
brought  on  by  the  operation  of  hot,  rotating  machinery.  Note  that  an  APU  fuel  tank  N2  leak  is 
considered  a  fuel  leak. 

APU’s  will  not  be  shut  down  early  for  RCS  jet  leaks  since  these  types  of  leaks  are  isolated  and  external  to 
the  orbiter.  No  flammability  hazard  exists  for  continued  APU  operations  with  known  RCS  jet  leaks. 

Rules  (A5-201J,  MPS  DUMP  INHIBIT  [CIL],  and  (A6-206J,  RCS  MANIFOLD/LEG  LEAK 
PRESSURIZATION,  reference  this  rule.  @[030994-1 604B]  ®[ED  ] 

B.  IF  A  FIRE  IS  OBSERVED  IN  A  WHEEL  WELL  OR  TIRE/BRAKE  AREA. 

THE  HYDRAULIC  LANDING  GEAR  EXTEND  AND  BRAKE  ISOLATION  VALVES 
WILL  BE  CLOSED  PRIOR  TO  SHUTTING  DOWN  THE  APU' S . 

Afire  in  the  wheel  well  or  landing  gear  area  could  involve  hydraulic  fluid.  Closing  the  landing  gear 
isolation  valves  will  isolate  the  fluid  from  the  gear  area,  thus  preventing  any  further  feeding  of  the  fire. 
The  APU’s  should  be  shut  down  in  an  effort  to  reduce  high-pressure  flow  of  hydraulic  fluid  to  the  gear 
area  should  an  isolation  valve  fail  to  close. 

C.  IF  THERE  IS  A  NON- I SOLATABLE  LEAK  IN  ITS  ASSOCIATED  HYDRAULIC 
SYSTEM. 

The  APU  should  be  shut  down  postlanding  to  minimize  hydraulic  leakage  into  the  aft  compartment. 
Postlanding  operations  requiring  hydraulic  power  are  not  mandatory  and  can  be  performed  if  there  are 
two  remaining  good  systems. 

D.  IF  THE  APU  SHIFTS  TO  HIGH  SPEED  WITH  NORMAL  SPEED  SELECTED. 

The  APU  should  be  shut  down  postlanding  to  protect  against  a  possible  uncontained  overspeed. 
Postlanding  operations  requiring  the  APU’s  are  not  mandatory  and  can  be  performed  if  there  are  two 
remaining  good  systems. 


THIS  RULE  CONTINUED  ON  NEXT  PAGE 
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A16-205  EARLY  APU  SHUTDOWN  (CONTINUED) 

E.  FOR  INSUFFICIENT  LUBE  OIL  OR  HYDRAULIC  COOLING. 

The  APU  should  be  shut  down  postlanding  to  minimize  bearing  and  gear  wear  due  to  degraded 
lubrication  capability.  Postlanding  operations  requiring  the  APU’s  are  not  mandatory  and  can  be 
performed  if  there  are  two  remaining  good  systems. 

F.  FOR  A  NON-I SOLATABLE  H2  LEAK  GREATER  THAN  6.5  LB/HR  (5.5 
LB/HR  FOR  SPACELAB/PAYLOAD  RETURN)  .  @[072398-6577] 

Leaking  H2  poses  a  possible  fire  hazard  in  the  orbiter  midbody.  The  leaking  H2  is  lighter  than  air  and 
may  escape  from  the  payload  bay  at  the  payload  bay  door  [PLED)  aft  bulkhead  interface  and  from  where 
payload  bay  doors  interface  along  the  centerline.  Pressure  seals  are  located  at  the  PLBD/bulkhead 
interface  as  well  as  along  the  PLED  centerline.  However ,  the  integrity  of  the  pressure  seals  to  contain 
H2  is  unknown.  The  APU  exhaust  ducts  are  located  at  the  base  of  the  vertical  tail  and  are  in  close 
proximity  to  the  aft  bulkhead/PLBD  interface.  The  APU  exhaust  plume  is  assumed  to  be  ignited,  which 
could  provide  an  ignition  source  for  the  H2  in  the  payload  bay. 

Reference  rule  {A16-11E},  EXPEDITED  POWERDOWN.  @[072398-6577] 

A16-206  THROUGH  A16-250  RULES  ARE  RESERVED 
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FUEL  CELLS 


A16-251  FUEL  CELL  LIFETIME 

FUEL  CELL  LIFETIME  CONSIDERATION  WILL  NOT  BE  A  CONSTRAINT  DURING 
POSTLANDING  OPERATIONS  THROUGH  CREW  EGRESS. 

Fuel  cell  lifetime  concerns  will  not  preclude  normal  postlanding  operations  through  crew  egress  because 
of  the  desire  to  perform  nominal  postlanding  procedures.  The  additional  time  impact  to  fuel  cell  lifetime 
from  touchdown  through  crew  egress  is  insignificant. 

A16-252  THROUGH  A16-300  RULES  ARE  RESERVED 


VOLUME  A  06/20/02  FINAL  POSTLANDING  16-24 

Verify  that  this  is  the  correct  version  before  use. 


NASA  -  JOHNSON  SPACE  CENTER 


FLIGHT  RULES 


CONTAMINATION/FLAMMABILITY 


A16-301  CONTAMINATION/FLAMMABILITY/TOXICITY 

A.  THE  CONVOY  COMMANDER  WILL  NOTIFY  THE  FLIGHT  DIRECTOR  OF  ANY 
EXPLOSIVE,  FLAMMABLE,  AND/OR  TOXIC  CONDITIONS  THAT  EXIST  THAT 
PRECLUDE/DELAY  NORMAL  CREW  EGRESS  OPERATIONS. 

B.  FOR  EXTERNAL  LEAKS  OR  HYPERGOLIC  VENTING  WHERE  CONTAMINATION 
IS  SUSPECT  BUT  BELOW  MAXIMUM  ALLOWABLE  LIMITS,  NORMAL 
POSTLANDING/CREW  EGRESS  OPERATIONS  WILL  BE  CONTINUED. 

Reference  the  postlanding  Operational  Maintenance  Instructions  (OMI)for  contamination/ 
flammability/toxicity  limits.  Convoy  personnel  are  primarily  responsible  for  the  detection  of  hazardous 
substances  that  may  preclude  normal  crew  egress  operations.  Notification  of  explosive/  toxic  limit 
violation  is  consistent  with  the  Flight  Director’s  responsibility  to  ensure  adequate  vehicle  safing  and 
allow  normal  crew  egress.  Postlanding  operations  will  continue  as  long  as  hazardous  substance 
concentrations  are  within  acceptable  limits  (i.e.,  below  established  explosive/toxic  limit  criteria). 

Contamination,  flammability,  and  toxic  limits  have  been  identified  in  the  KSC  Ground  Operations  Safety 
Plan  and  are  consistent  with  the  most  stringent  OSHA/NIOSH  standards. 

Rules  {A16-10B},  NORMAL  POSTLANDING  OPERATIONS;  and  (A16-12AJ.1,  and  B.2,  EMERGENCY 
POWERDOWN,  reference  this  rule. 


A16-302  EMERGENCY  OXYGEN  SYSTEM  REQUIREMENTS 

A.  THE  CREW  WILL  ACTIVATE  THE  EMERGENCY  OXYGEN  SYSTEM  FOR  ANY 
UNAIDED  EMERGENCY  EGRESS. 


For  an  unaided  egress,  the  KSC  Safety  Assessment  Team  will  not  be  available  to  test  for  the  hazardous 
materials  toxicity  limits  so  the  emergency  oxygen  system  will  be  activated  to  protect  against  unknown 
contamination. 

DOCUMENTATION :  Engineering  judgment. 

B.  THE  CREW  WILL  ACTIVATE  EMERGENCY  OXYGEN  SYSTEM  FOR  ANY 

NONEMERGENCY  EGRESS  WHERE  THE  CABIN  OR  EXTERNAL  ATMOSPHERE  IS 
EITHER  CONTAMINATED  OR  UNKNOWN. 


This  rule  protects  the  crew  from  the  hazards  of  toxic  materials. 
DOCUMENTATION :  Engineering  judgment. 
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SECTION  17  -  LIFE  SUPPORT 

SMOKE  DETECTION/FIRE  SUPPRESSION  LOSS 
DEFINITIONS 

A17-1  FIRE/POST-FIRE  DEFINITIONS  .  17-1 
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ARS  AIR  SYSTEM  MANAGEMENT 
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SECTION  17  -  LIFE  SUPPORT 


SMOKE  DETECTION/FIRE  SUPPRESSION  LOSS  DEFINITIONS 


A17-1  FIRE/POST-FIRE  DEFINITIONS 

A.  FIRE  SHALL  BE  DEFINED  AS  ONE  OR  MORE  OF  THE  FOLLOWING: 
1 .  CREW  OBSERVANCE  OF  FLAME  OR  SMOKE 


2.  FOR  AN  AVIONICS  BAY,  ANY  ONE  OF  THE  FOLLOWING:  @[090894-1674] 

a.  TWO  SMOKE  DETECTOR  CONCENTRATION  LEVELS  OVER  2000 
UG/M*  *  3  IN  THE  SAME  COMPARTMENT 

b.  ONE  CONCENTRATION  LEVEL  2000  UG/M**3  AND  INCREASING, 
AND  THE  ALTERNATE  DETECTOR  HAS  FAILED  SELF  TEST 

c.  ONE  CONCENTRATION  LEVEL  2000  UG/M**3  AND  INCREASING, 
AND  CONFIRMATION  BY  ELECTRICAL  DATA  OF  A  SUSTAINED 
SHORT 


A  confirmation  is  required  to  accurately  detect  afire  condition;  this  confirmation  can  be  via  a  separate 
smoke  detector  indicating  a  concentration  level  over  2000  ug/m**3,  or  crew  observations.  In  the  event 
the  alternate  smoke  detector  fails  a  self  test  in  an  avionics  bay,  afire  condition  will  be  assumed.  Any 
indications  of  a  sustained  short  in  the  affected  avionics  bay  will  also  be  considered  as  confirmation  of  a 
fire. 

In  the  event  of  a  cabin  fire,  the  crew  will  most  likely  react  to  olfactory  sensing  prior  to  the  annunciation 
of  a  smoke  detector(s),  since  the  human  nose  is  significantly  more  sensitive.  Also,  visual  cues  will  most 
likely  be  used  as  confirmation  of  a  fire  condition  rather  than  relying  solely  upon  two  smoke  detector 
indications.  For  a  cabin  fire,  the  crew  must  locate  the  fire  and  therefore  confirm  its  existence  prior  to 
discharging  a  Halon  bottle.  Without  confirmation  of  the  fire  there  can  be  no  guarantee  that  the  Halon 
was  discharged  in  the  appropriate  place  or  had  any  affect  on  the  fire.  @[090894-1674  ] 
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A17-1  FIRE/POST-FIRE  DEFINITIONS  (CONTINUED) 

B.  POST-FIRE  SHALL  BE  DEFINED  AS  THE  FOLLOWING: 

1.  CREW  OBSERVANCE  THAT  FIRE  HAS  BEEN  SUPPRESSED 

2.  SMOKE  DETECTOR  CONCENTRATIONS  INDICATE  STABLE  OR 
DECREASING 

3.  FOR  AN  AV  BAY  FIRE,  A  HALON  BOTTLE  HAS  BEEN  DISCHARGED 
AND  THE  AFFECTED  LRU  UNPOWERED.  @[090894-1674] 

If  the  crew  continues  to  observe  afire  or  increasing  smoke,  the  fire  condition  still  exists.  If  a  fire  has 
been  suppressed  by  either  Halon  discharge  or  removal  of  power,  the  smoke  detector  concentration 
indications  should  stabilize  or  decrease.  An  avionics  bay  fire  is  considered  suppressed,  when  the 
avionics  bay  fans  have  been  deactivated,  Halon  has  been  discharged  into  the  bay,  and  the  affected  LRU’s 
have  been  unpowered.  @[090894-1674  ] 

DOCUMENTATION :  SODB  4.6.5.1.e;  engineering  judgment;  and  materials  branch  discussions. 
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A17-2  SMOKE  DETECTION  LOSS  DEFINITION 

A.  AVIONICS  BAY  SMOKE  DETECTION  SHALL  BE  CONSIDERED  LOST  FOR  ANY 

ONE  OF  THE  FOLLOWING  REASONS : 

1.  ONE  SMOKE  DETECTOR  FAILS  BOTH  PORTIONS  OF  THE  CIRCUIT 
TEST  AND  THE  OTHER  SMOKE  DETECTOR  FAILS  EITHER  PORTION  OF 
THE  CIRCUIT  TEST. 

2.  POWER  TO  BOTH  THE  DETECTORS  IN  THAT  AVIONICS  BAY  CANNOT 
BE  MAINTAINED. 

3.  LOSS  OF  AIR  CIRCULATION  (BOTH  AVIONICS  BAY  FANS  FAILED) 

IN  THE  BAY. 

B.  CREW  CABIN  SMOKE  DETECTION  SHALL  BE  CONSIDERED  LOST  FOR  ANY 

ONE  OF  THE  FOLLOWING  REASONS : 

1.  ALL  THREE  DETECTORS  FAIL  BOTH  PORTIONS  OF  THE  CIRCUIT 
TEST  . 

2.  POWER  TO  ALL  THREE  CABIN  DETECTORS  CANNOT  BE  MAINTAINED. 

3.  LOSS  OF  AIR  CIRCULATION  (BOTH  CABIN  FANS  FAILED)  IN  THE 
CREW  CABIN. 


Each  smoke  detector  outputs  two  smoke  detection  indications  ( an  alarm  indication  and  a  concentration 
measurement),  and  these  two  measurements  are  independent  of  one  another  except  for  a  smoke  detector 
hardware  failure.  The  only  hardware  failure  that  can  be  detected  by  the  circuit  test  is  an  air  pump 
failure  which  would  force  the  detector  to  fail  both  portions  of  the  circuit  test.  If  the  smoke  detector- 
passes  either  portion  of  the  circuit  test,  the  air  pump  is  then  verified  as  operative,  and  the  concen  tration 
readout  sent  to  the  GPCfor  FDA  limit  sensing  is  considered  a  valid  indication. 

Power  is  required  for  the  smoke  detectors  to  operate.  Loss  of  air  circulation  prevents  particulates  from 
reaching  the  smoke  detector  in  a  timely  manner  if  the  combustion  is  not  close  to  the  smoke  detector.  If 
only  one  indication  is  left  in  an  avionics  bay,  the  system  is  considered  suspect  to  the  point  of  being 
unreliable. 

DOCUMENTATION:  R.  I.  Vendor  drawings  VS70-620109,  V070-623420,  and  V70-960099.  Rule 
{A17-1001 },  LIFE  SUPPORT  GO/NO-GO  CRITERIA,  references  this  rule. 
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A17-3  FORWARD  AVIONICS  BAY  FIRE  SUPPRESSION 

FORWARD  AVIONICS  BAY  FIRE  SUPPRESSION  IS  CONSIDERED  LOST  IF: 

A.  THE  "AGENT  DISCHARGE"  PBI  IS  ILLUMINATED  WITH  NO  CONCURRENT 
AURAL  CUE. 

The  system  is  suspect  to  the  point  of  being  unreliable.  An  AGENT  DISCHARGE  light  indicates  an 
“empty”  bottle.  Without  an  aural  cue,  it  would  not  be  known  when  or  how  fast  the  agent  discharged. 

B.  50  HOURS  HAS  ELAPSED  AFTER  THE  "AGENT  DISCHARGE"  PBI  IS 
ILLUMINATED  AND  WITH  A  CONCURRENT  AURAL  CUE. 

The  avionics  bays  are  not  airtight  and  will  allow  the  Halon  1301  fire  suppressant  to  dissipate  into  the 
cabin  over  a  period  of  time.  However,  the  resultant  concentration  of  Halon  1301  in  an  avionics  bay  from 
a  fully  charged  bottle  will  stay  above  the  required  4  percent  needed  to  extinguish  a  fire  for  50  hours. 

DOCUMENTATION:  SODB  4.6.5.2.A.2.R. 

C.  FOR  AV  BAY  3A  WITH  ENHANCED  MIDDECK  COOLING  AND  ACTIVELY 
COOLED  PAYLOADS:  28  HOURS  HAS  ELAPSED  AFTER  THE  "AGENT 
DISCHARGE"  PBI  IS  ILLUMINATED  WITH  A  CONCURRENT  AURAL  CUE. 
@[040899-2497  ] 

Avionics  bays  that  have  been  modified  for  enhanced  middeck  cooling,  and  have  actively  cooled  payloads 
stowed  in  the  bay,  have  a  higher  leakage  rate  than  avionics  bays  that  have  not  been  modified.  As  such, 
Halon  1301  fire  suppressant  will  dissipate  into  the  cabin  faster  from  the  enhanced  avionics  bays.  The 
resultant  concentration  of  Halon  1301  in  an  enhanced  avionics  bay  from  a  fully  charged  bottle  will  stay 
above  the  required  4  percent  needed  to  extinguish  a  fire  for  28  hours.  If  the  av  bay  has  enhanced 
cooling  capability;  however,  no  actively  cooled  payloads  have  been  manifested,  then  paragraph  B 
applies  because  the  payload  ducts  have  been  capped. 

DOCUMENTATION :  BN  A  287-200-098-017,  Middeck  Bay  3 A  Leakage  Analysis.  @[040899-2497  ] 

Rule  (A1 7-1001  j,  LIFE  SUPPORT  GO/NO-GO  CRITERIA,  references  this  rule. 
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SMOKE  DETECTION/FIRE  SUPPRESSION  MANAGEMENT 


A17-51  MANAGEMENT  FOLLOWING  LOSS  OF  SMOKE  DETECTION 

A.  AVIONICS  BAY: 

1.  HALON  DISCHARGE  CRITERIA 

DURING  ANY  PHASE  OF  FLIGHT,  A  HALON  BOTTLE  WILL  BE 
DISCHARGED  IF  THERE  IS  EQUIPMENT  FAILURE  IN  THAT  AVIONICS 
BAY  AND  THE  FAILURE  IS  ATTRIBUTED  TO  A  SUSTAINED  SHORT. 

IF  THE  MCC  IS  NOT  AVAILABLE  TO  DETERMINE  IF  A  SHORT  WAS 
PRESENT,  THE  REMAINING  EQUIPMENT  IN  THE  BAY  WILL  BE 
POWERED  DOWN  UNTIL  THE  ASSESSMENT  CAN  BE  MADE.  A  HALON 
BOTTLE  WILL  BE  DISCHARGED  IF  SECONDARY  CUES  ARE  PRESENT. 
@[090894-1674] 

An  equipment  failure  due  to  a  sustained  short  could  provide  an  ignition  source  for  afire  and  should  be 
considered  afire  condition.  A  short  that  has  cleared  has  effectively  eliminated  the  ignition  source  and 
should  not  be  considered  afire  condition.  If  the  MCC  is  not  available  when  a  piece  of  equipment  fails, 
powerdown  of  the  bay  is  considered  the  best  compromise  to  safe  the  bay  while  not  prematurely 
discharging  Halon.  If  the  crew  confirms  afire  condition  with  secondary  cues  such  as  simultaneous  or 
subsequent  equipment  failure  or  crew  observance  of  smoke,  a  Halon  bottle  will  be  discharged. 

2 .  POWERDOWN  MANAGEMENT  FOR  AVIONICS  BAYS  1  AND  2 

a.  FOR  AVIONICS  BAYS  1  AND  2,  A  POST-OMS-2  POWERDOWN  OF 
ALL  AIR-COOLED  EQUIPMENT  AND  THE  AVIONICS  BAY  FAN  IN 
THE  AFFECTED  AVIONICS  BAY  SHALL  BE  ACCOMPLISHED.  ALL 
THIS  EQUIPMENT  MAY  BE  POWERED  UP  FOR  ENTRY. 


Air-cooled  equipment  and  avionics  bay  fan  will  be  powered  down  to  (1)  prevent  the  propagation  of  any 
fire  by  removing  the  convection  currents  that  would  feed  O2  to  the  fire  and  (2)  eliminate  friction 
generated  by  the  fan  as  a  potential  ignition  source.  This  action  safes  the  avionics  bay  from  any 
combustion  except  for  arc  tracking  during  the  critical  time  of  powering  up  equipment  required  for  entry. 

THIS  RULE  CONTINUED  ON  NEXT  PAGE 
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A17-51  MANAGEMENT  FOLLOWING  LOSS  OF  SMOKE  DETECTION 

(CONTINUED) 

b.  PRIOR  TO  POWERUP  OF  EQUIPMENT  IN  THE  AFFECTED 

AVIONICS  BAY  FOR  ENTRY,  A  HANDHELD  HALON  BOTTLE  WILL 
BE  DISCHARGED  IN  THAT  BAY. 

The  affected  avionics  bay  will  be  safed  by  Halon  discharge  because  the  possibility  exists  that  afire 
condition  could  occur  without  proper  and  timely  fire  suppression  since  smoke  detection  is  lost.  Firing 
of  a  handheld  bottle  is  preferred  since  it  allows  the  crew  the  option  of  firing  the  remotely  controlled 
Halon  bottle  during  entry,  if  it  becomes  necessary  and  the  remote  bottle  is  still  available.  @[090894- 
1674] 

3.  AVIONICS  BAY  3  MANAGEMENT: 

a.  FOR  AVIONICS  BAY  3,  A  POST-OMS-2  POWERDOWN  OF  ALL 
AIR-COOLED  EQUIPMENT  (EXCEPT  COMMUNICATIONS 
EQUIPMENT,  CAUTION  AND  WARNING  EQUIPMENT,  AND  THE 
AVIONICS  BAY  FAN)  SHALL  BE  ACCOMPLISHED.  ALL  OF  THIS 
EQUIPMENT  MAY  BE  POWERED  UP  FOR  ENTRY.  A  LOCKER  IN 
FRONT  OF  AVIONICS  BAY  3  WILL  BE  REMOVED  TO  EXPOSE  THE 
BAY  TO  THE  CABIN  ENVIRONMENT  FOR  SMOKE  DETECTION. 
@[090894-1674] 

The  communication  and  caution  and  warning  equipment  (air-cooled  equipment )  in  avionics  bay  3  is 
required  for  flight  and  cannot  be  unpowered.  This  precludes  fire  suppression  by  lack  of  convection 
currents  because  the  fan  is  still  running.  Removal  of  a  locker  in  front  of  avionics  bay  3  will  expose  the 
bay  to  the  cabin  environment,  thus  allowing  the  cabin  smoke  detectors  and  the  crew  to  monitor  the 
powered  equipment  for  evidence  of  a  fire.  The  alternative  would  be  to  leave  the  locker  in  place  and 
discharge  a  handheld  Halon  bottle  to  safe  the  bay  since  air-cooled  equipment  remains  powered  up. 

This  action  would  cause  possible  early  mission  termination  due  to  Halon  discharge  constraints  (ref. 

Rule  {A13-152A},  CABIN  ATMOSPHERE  CONTAMINATION ). 

b.  PRIOR  TO  POWERUP  OF  EQUIPMENT  IN  AVIONICS  BAY  3  FOR 
ENTRY,  ANY  PREVIOUSLY  REMOVED  LOCKERS  WILL  BE 
REINSTALLED  AND  A  HANDHELD  HALON  BOTTLE  WILL  BE 
DISCHARGED  IN  THE  BAY. 

The  avionics  bay  3  will  be  safed  by  Halon  discharge  prior  to  entry  because  the  possibility  exists  that  a 
fire  condition  could  occur  without  proper  and  timely  fire  suppression  since  smoke  detection  is  lost. 

Firing  of  a  handheld  bottle  is  preferred  since  it  allows  the  crew  the  option  of  firing  the  remotely 
controlled  Halon  bottle  during  entry,  if  it  becomes  necessary,  and  the  remote  bottle  is  still  available. 
@[090894-1674] 

THIS  RULE  CONTINUED  ON  NEXT  PAGE 
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A17-51  MANAGEMENT  FOLLOWING  LOSS  OF  SMOKE  DETECTION 

(CONTINUED) 

B.  CREW  CABIN 

A  CREWMEMBER  MUST  REMAIN  AWAKE  AT  ALL  TIMES  FOLLOWING  LOSS  OF 
SMOKE  DETECTION  IN  THE  CREW  CABIN  TO  MONITOR  FOR  SMOKE/FIRE. 

A  crewmember  must  be  available  for  monitoring  the  cabin  since  a  sleeping  crew  may  not  be  awakened  by 
a  smoke/fire  condition. 

C.  MINIMAL  SMOKE  DETECTION  MANAGEMENT 

IF  ONLY  TWO  SMOKE  DETECTION  INDICATIONS  REMAIN  IN  THE  CABIN 
OR  AVIONICS  BAY,  THE  CIRCUIT  TEST  SHALL  BE  PERFORMED  EVERY 
DAY  UNTIL  EOM . 

Each  smoke  detector  has  two  separate  indications  (hardware  alarm  and  GPC  concentration  readout). 
Thus,  nominally,  the  cabin  has  six  indications,  and  each  avionics  bay  has  four  indications.  If  only  two  of 
these  indications  are  available  in  an  area,  the  circuit  test  should  be  performed  every  day  to  verify  that 
the  minimum  requirement  is  still  met. 

Note:  The  risk  of  an  avionics  bay  fire  is  extremely  low  due  to  the  design  of  the  vehicle.  The  design 

limits  ignition  sources  and  provides  little  fuel  for  afire.  Any  ignition  that  did  occur  would  most 
likely  be  due  to  wire  bundle  arc  tracking  on  which  Halon  has  no  effect. 

Note:  The  powerdown  of  the  air-cooled  equipment  causes  little  procedural  impact  on  orbit  but  is  a 
severe  impact  during  dynamic  flight  phases  (ascent  through  OMS-2,  deorbit  prep  through 
landings). 

Note:  The  discharge  of  a  handheld  Halon  bottle  in  the  avionics  bay  has  little  postlanding  turnaround 
impact. 

DOCUMENTATION :  Engineering  judgment;  Flammability  Requirements,  NHB  8060.1b,  p.  1-1;  and 
Halon  1301  Fire  Extinguishment  in  Avionics  Bays,  M.  Pedley. 

Rule  { A1 7-1001 },  LIFE  SUPPORT  GO/NO-GO  CRITERIA,  references  this  rule. 
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A17-52  MANAGEMENT  FOLLOWING  LOSS  OF  FIRE  SUPPRESSION  IN 

AN  AVIONICS  BAY 

FOR  LOSS  OF  FIRE  SUPPRESSION  IN  AN  AVIONICS  BAY,  NO  ACTION  WILL 
BE  TAKEN  UNLESS  THE  SMOKE  DETECTORS  IN  THE  AFFECTED  AVIONICS  BAY 
INDICATE  A  FIRE  CONDITION.  AT  THAT  TIME  A  HANDHELD  HALON  BOTTLE 
WILL  BE  DISCHARGED  INTO  THE  AVIONICS  BAY. 

A  HANDHELD  HALON  BOTTLE  WILL  BE  DISCHARGED  INTO  THE  AFFECTED 
AVIONICS  BAY  PRIOR  TO  SEAT  INGRESS  IF  ONE  HAS  NOT  BEEN  PREVIOUSLY 
DISCHARGED  INTO  THE  AVIONICS  BAY. 


If  a  fire  condition  exists  in  an  avionics  bay,  then  the  handheld  Halon  bottles  will  be  used  to  suppress  the 
fire.  During  deorbit,  however,  the  crew  may  not  be  able  to  reach  the  affected  bay  to  discharge  a 
handheld  Halon  bottle  to  suppress  afire;  therefore,  it  is  prudent  to  discharge  a  handheld  Halon  bottle  in 
the  avionics  bay  prior  to  seat  ingress  to  prevent  the  ignition  and/or  propagation  of  a  fire.  This  action 
has  no  adverse  turnaround  impacts. 

DOCUMENTATION :  Engineering  judgment. 

Rule  (A1 7-1001 },  LIFE  SUPPORT  GO/NO-GO  CRITERIA,  references  this  rule. 
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A17-53  FIRE  AND  POST-FIRE  ACTIONS 

A.  AVIONICS  BAY  FIRE  ACTIONS 

IF  A  FIRE  CONDITION  IS  DETECTED  IN  THE  AVIONICS  BAY  DURING 
ANY  PHASE  OF  FLIGHT,  THE  FOLLOWING  ACTIONS  WILL  BE 
ACCOMPLISHED  AS  SOON  AS  POSSIBLE: 

1.  AN  AVIONICS  BAY  HALON  BOTTLE  WILL  BE  DISCHARGED  IN  THAT 
AVIONICS  BAY. 

2.  THE  AVIONICS  BAY  FAN  WILL  BE  TURNED  OFF. 

3.  THE  CREW  WILL  DON  THE  HRA/LES  HELMETS  WITH  VISORS  DOWN. 

B.  CREW  CABIN  FIRE  ACTIONS 

IF  A  FIRE  CONDITION  IS  DETECTED  IN  THE  CABIN  DURING  ANY  PHASE 
OF  FLIGHT,  THE  FOLLOWING  ACTIONS  SHALL  BE  ACCOMPLISHED  AS 
SOON  AS  POSSIBLE: 

1.  THE  CABIN  FAN  SHALL  BE  TURNED  OFF. 

2.  THE  CREW  SHALL  DON  HRA/LES  HELMETS  WITH  VISORS  DOWN. 

3.  THE  CREW  SHALL  DISCHARGE  THE  HANDHELD  HALON  BOTTLE  IN  THE 
APPROPRIATE  FIRE  PORT. 


A  Halon  discharge  should  safe  the  avionics  bay  from  any  further  combustion  except  for  arc  tracking 
upon  which  Halon  has  no  effect.  In  the  case  of  a  cabin  fire,  the  HRA/LES  helmets  protect  the  crew  from 
breathing  potentially  toxic  gases;  donning  of  the  LES  will  be  considered  later  if  appropriate.  The 
discharged  Halon  should  suppress  the  fire  in  most  conditions.  Also  the  cabin  fan  and  avion  ics  fan 
produces  convection  air  currents  that  will  feed  oxidizer  to  afire.  Without  convection  currents  afire 
should  extinguish  itself  due  to  a  lack  of  oxidizer  and  also  localize  toxins  in  the  vicinity  of  combustion 
until  the  crew  has  donned  protective  gear. 

DOCUMENTATION :  Materials  Processing  in  Space:  Early  Experiments,  NASA  SP-443. 
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A17-53  FIRE  AND  POST-FIRE  ACTIONS  (CONTINUED) 

C.  AVIONICS  BAY  POST-FIRE  ACTIONS 

FOLLOWING  A  FIRE  CONDITION  FOR  WHICH  A  HALON  BOTTLE  HAS  BEEN 
DISCHARGED  INTO  AN  AVIONICS  BAY: 

1.  IN  ORDER  TO  MINIMIZE  ELECTRICAL  AND  FRICTIONAL  IGNITION 
SOURCES,  A  POWERDOWN  OF  ALL  EQUIPMENT  IN  THAT  AVIONICS 
BAY  SHALL  BE  ACCOMPLISHED  WITH  THE  EXCEPTION  OF  THE  IMU 
FANS,  INSTRUMENTATION  REQUIRED  FOR  THE  CREW  AND  MCC  TO 
ASSESS  POST-FIRE  SAFETY  STATUS,  AND  COMMUNICATIONS 
EQUIPMENT  WHICH  WILL  BE  POWERED  DOWN  ONLY  IF  INDICATIONS 
SHOW  IT  HAS  FAILED.  @[090894-1 673A] 

a.  THE  POWERED  DOWN  EQUIPMENT  IN  THE  AFFECTED  AVIONICS 
BAY  WILL  BE  DECLARED  LOST  UNTIL  PROVEN  GO  FOR  GO/NO- 
GO  CRITERIA. 

b.  THE  ONLY  EQUIPMENT  TO  BE  CONSIDERED  FOR  REACTIVATION 
WILL  BE  EQUIPMENT  REQUIRED  TO  RESTORE  SINGLE-FAULT 
TOLERANCE  FOR  ENTRY.  @[090894-1 673A] 

Without  direct  insight  into  the  affected  bay,  the  damage  to  the  equipment  is  unknown.  Some  of  the 
equipment  may  not  have  been  in  use  during  the  fire  or  may  have  suffered  failures  not  immediately 
detectable;  therefore,  the  equipmen  t  must  be  considered  NO-GO  for  all  GO/NO-GO  purposes.  For 
avionics  bay  1,  IMU  fans  ( located  in  the  avionics  bay )  must  remain  operating  since  the  IMU’s  (not 
located  in  avionics  bays )  cannot  operate  for  more  than  30  minutes  without  cooling.  If  a  fan  has  failed,  a 
redundant  fan  will  be  activated  immediately.  For  avionics  bay  3,  communication  is  considered  too 
important  during  the  entry  phase  of  flight  to  allow  it  to  become  unpowered  without  a  confirmed  failure. 
For  all  three  avionics  bays,  in  order  to  maintain  insight  into  the  health  of  the  remaining  systems  and  to 
implement  the  post-fire  cabin  depress  and  purge  at  8  psi,  the  instrumentation  equipment  is  required. 
Instrumen  tation  is  required  in  order  to  properly  limit  the  rate  of  the  cabin  depress  such  that  a  positive 
delta  pressure  is  maintained  on  the  avionics  bay  while  a  dedicated  avionics  bay  purge  is  in  place.  The 
positive  delta  pressure  on  the  avionics  bay  will  ensure  that  the  toxic  combustion  products  from  the  fire 
are  not  forced  into  the  cabin. 

Repowered  equipment  in  the  affected  avionics  bay  should  be  restricted  to  that  required  to  achieve  single- 
fault  tolerance  to  entry  systems  so  exposure  to  the  source  of  the  fire  can  be  minimized.  The  health  of  the 
systems  and/or  crew  cannot  be  guaranteed  following  afire;  therefore,  entry  may  be  necessary  following 
cabin  evaluation. 
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A17-53  FIRE  AND  POST-FIRE  ACTIONS  (CONTINUED) 

2.  AFTER  THE  DISCHARGE  OF  A  HALON  BOTTLE  IN  AN  AVIONICS  BAY, 
AN  OVERBOARD  PURGE  OF  THAT  BAY  WILL  BE  INITIATED.  IF 
COMBUSTION  PRODUCTS  ARE  DETECTED  IN  THE  CABIN,  THE  CREW 
WILL  REMAIN  ON  THE  QDM' S  AND  A  CABIN  DEPRESS  TO  8  PSI 
FOLLOWED  BY  A  CONTINUOUS  CABIN  PURGE  AT  8  PSI  WILL  BE 
PERFORMED.  THE  PURGE  WILL  BE  TERMINATED  AND  THE  CREW 
ALLOWED  TO  BREATHE  CABIN  AIR  ACCORDING  TO  THE  CRITERIA 
OUTLINED  IN  RULE  { A1 3 - 1 52C } . 7 ,  CABIN  ATMOSPHERE 
CONTAMINATION. 

Post-fire,  a  cabin  depress  to  8  psia  and  continuous  purge  at  8  psia  will  manage  O2  concentrations  below 
maximum  levels  as  well  as  decrease  the  concentration  of  discharged  Halon  and  any  toxic  gases  that 
were  produced  by  afire.  This  action  will  extend  the  time  on  orbit  so  as  to  potentially  avoid  an  ELS  entry 
by  effectively  reducing  the  amount  ofN2  needed  to  control  O2  concentrations.  Since  in  cm  8  psi  cabin 
condition,  the  O2  concentration  is  allowed  to  reach  40  percent  which  increases  the  flammability 
poten  tial,  the  crew  should  make  sure  that  the  fire  has  been  fully  extinguished  before  initiating  the  depress 
to  prevent  flares.  If  sufficient  N2  is  available  to  reach  a  PLS,  it  is  not  necessary  to  go  to  8  psi.  @[090894- 
1673A] 

A  cabin  depress  without  first  purging  the  affected  avionics  bay  directly  overboard,  would  create  a 
negative  pressure  differential  between  the  cabin  and  avionics  bay  that  would  draw  any  Halon  and/or 
toxic  combustion  products  from  the  avion  ics  bay  into  the  cabin.  Therefore,  the  50-hour  period  between 
the  Halon  discharge  in  an  avionics  bay  and  the  diffusion  of  a  potentially  hazardous  level  of  Halon  into 
the  cabin  (ref.  Rule  (A13-152A},  CABIN  ATMOSPHERE  CONTAMINATION )  could  not  be  guaran  teed 
following  a  cabin  depress  without  first  initiating  an  avionics  bay  purge.  A  dedicated  avionics  bay  purge 
of  at  least  3  Ib/hr  directly  overboard  will  maintain  a  positive  delta  pressure  on  the  avionics  bay  with 
respect  to  the  cabin  during  a  controlled  cabin  depress  to  8  psi,  thus  ensuring  that  any  Halon  and/or 
combustion  products  would  not  be  drawn  into  the  cabin.  In  order  to  maintain  the  positive  delta  pressure 
on  the  affected  avionics  bay,  the  cabin  EQ  clP/clT  must  be  controlled  to  below  a  maximum  of  -0.1  psi/min 
during  the  transition  from  the  curren  t  cabin  pressure  to  8  psi. 

In  the  case  of  a  fire  following  the  depletion  of  all  available  Halon,  lowering  of  the  O2  concentrations  to 
15  percent  could  be  used  as  cm  alternative  means  of  fire  suppression. 

Note:  A  safe  level  of  toxicity  in  the  cabin  cannot  be  guaranteed  following  afire  condition,  but  a 

cabin  depress  without  initiating  a  dedicated  avionics  bay  purge  would  quicken  the 
diffusion  rate  of  toxins  into  the  cabin.  @[090894-1 673A] 

THIS  RULE  CONTINUED  ON  NEXT  PAGE 
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A17-53  FIRE  AND  POST-FIRE  ACTIONS  (CONTINUED) 

3.  THE  RCRS  WILL  BE  MANUALLY  SHUT  DOWN  FOLLOWING  AN  ORBITER 
AVIONICS  BAY  FIRE. 

See  Rule  { A17-156 j,  RCRS  MANUAL  SHUTDOWN  CRITERIA,  for  rationale. 


DOCUMENTATION :  Engineering  judgmen  t 
D.  CREW  CABIN  POST-FIRE  ACTIONS 

POST-FIRE  THE  FOLLOWING  ACTIONS  SHALL  BE  ACCOMPLISHED: 

1.  THE  CREW  WILL  POWER  DOWN  SUSPECT  EQUIPMENT. 

The  crew  should  power  down  suspect  equipment  because  the  equipment  health  cannot  be  guaranteed  and 
is  a  potential  ignition  source. 

2.  THE  CREW  SHALL  PERFORM  A  FLIGHT  DECK  AVIONICS  CHECKOUT 
FOR  SUSPECT  EQUIPMENT  AND/OR  EQUIPMENT  REQUIRED  FOR 
ENTRY . 


If  required  for  entry,  the  equipment  should  be  checked  out  before  use. 

3.  FOLLOWING  A  FIRE/HALON  BOTTLE  DISCHARGE,  IF  COMBUSTION 

PRODUCTS  ARE  DETECTED  IN  THE  CABIN,  THE  CREW  WILL  REMAIN 
ON  THE  QDM'S.  THE  CREW  SHALL  PERFORM  A  CABIN  DEPRESS  TO 
8  PSI  AND  A  CONTINUOUS  PURGE  AT  8  PSI  WILL  BE  PERFORMED. 
THE  PURGE  MAY  BE  TERMINATED  AND  THE  CREW  ALLOWED  TO 
BREATHE  CABIN  AIR  ACCORDING  TO  THE  CRITERIA  OUTLINED  IN 
RULE  {A13-152C}  .  7,  CABIN  ATMOSPHERE  CONTAMINATION.  @[090894- 
1673A] 

Post-fire,  a  cabin  depress  to  8  psi  and  continuous  purge  at  8  psi  will  manage  O2  concentrations  below 
maximum  levels  as  well  as  decrease  the  concen  tration  of  discharged  Halon  and  any  toxic  gases  that  were 
produced  by  afire.  This  action  will  extend  the  time  on  orbit  so  as  to  potentially  avoid  an  ELS  entry  by 
effectively  reducing  the  amount  ofN2  needed  to  control  O2  concentrations. 

THIS  RULE  CONTINUED  ON  NEXT  PAGE 
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A17-53  FIRE  AND  POST-FIRE  ACTIONS  (CONTINUED) 

Following  afire  condition,  the  health  of  the  systems  and/or  crew  cannot  be  guaranteed;  therefore, 
following  a  cabin  atmosphere  evaluation,  entry  may  be  necessary.  Since  in  cm  8  psi  cabin  condition,  the 
O2  concentration  is  allowed  to  reach  40  percent  which  increases  the  flammability  potential,  the  crew 
should  make  sure  that  the  fire  has  been  fully  extinguished  before  initiating  the  depress  to  prevent  flares. 
If  sufficien  t  N2  is  available  to  reach  a  PLS,  it  is  not  necessary  to  go  to  8  psi. 

In  the  case  of  a  fire  following  the  depletion  of  all  available  Hctlon,  lowering  of  the  O2  concentrations  to 
15  percent  could  be  used  as  an  alternative  means  of  fire  suppression.  @[090894-1 673A] 

DOCUMENTATION :  SODB  4. 6. 5. 2.  a.  2.  r;  engineering  judgment;  and  Hctlon  1301  Fire  Extinguishmen  t 
in  Avionics  Bays,  M.  Pedley. 

4.  THE  RCRS  WILL  BE  MANUALLY  SHUT  DOWN  FOLLOWING  AN  ORBITER 
CABIN  FIRE. 

See  Rule  (A17-156J,  RCRS  MANUAL  SHUTDOWN  CRITERIA  for  rationale. 

DOCUMENTATION :  Engineering  judgmen  t 

Rule  {A1 7-1001 },  LIFE  SUPPORT  GO/NO-GO  CRITERIA,  references  this  rule. 
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A17-54  MANAGEMENT  FOLLOWING  HALON  DISCHARGE  WITHOUT  FIRE 

CONFIRMATION 

A.  AVIONICS  BAY:  @[090894-1 673A] 

FOLLOWING  A  BOTTLE  EMPTY  INDICATION,  AN  AVIONICS  BAY  PURGE 
WILL  BE  PERFORMED.  IF  THE  TIME  OF  DISCHARGE  CAN  BE 
ACCURATELY  DETERMINED,  EARLY  MISSION  TERMINATION  CRITERIA  AS 
SPECIFIED  IN  RULE  {A13-152A},  CABIN  ATMOSPHERE  CONTAMINATION, 
MAY  BE  WAIVED  ON  MCC  CALL.  IF  THE  TIME  OF  DISCHARGE  OF  THE 
HALON  BOTTLE  CANNOT  BE  DETERMINED,  A  WORSE  CASE  TIME  OF 
DISCHARGE  AT  LIFT-OFF  WILL  BE  APPLIED. 

A  dedicated  overboard  purge  of  the  affected  avionics  bay  will  begin  to  decrease  the  concentration  of 
Haion  in  the  bay  and  ensure  that  it  does  not  migrate  into  the  cabin.  The  purge  should  be  initiated  as 
soon  as  possible  in  order  to  avoid  potential  mission  termination  due  to  toxic  concentrations  of  Haion  in 
the  cabin.  If  the  time  of  discharge  cannot  be  accurately  determined ,  it  must  be  assumed  that  the  bottle 
began  leaking  at  the  worst  case  time  of  lift-off.  The  MCC  indication  of  an  empty  bottle  provides  no 
insight  into  the  start  of  a  potential  leak  or  the  time  of  discharge.  A  140  db  audible  cue  and  a  rapid  rise 
in  smoke  concen  trations  are  the  only  indications  to  determine  time  of  discharge  and  this  only  applies  to  a 
bottle  discharging  all  of  its  contents  within  a  matter  of  seconds.  Reference  Rule  {A13-152},  CABIN 
ATMOSPHERE  CONTAMINATION,  for  EOM  determination  due  to  Haion  concen  trations  from  an 
avionics  bay  Haion  bottle. 

B.  CABIN: 

IF  THE  START  OF  A  LEAK  FROM  A  HANDHELD  BOTTLE  CAN  BE 
ACCURATELY  DETERMINED,  THE  REMAINING  CONTENTS  OF  THE  BOTTLE 
WILL  BE  DISCHARGED  OVERBOARD  THROUGH  THE  AIRLOCK  DEPRESS 
VALVE . 

Discharge  of  the  remaining  contents  of  a  handheld  Haion  bottle  directly  overboard  will  reduce  the 
concentration  of  Haion  in  the  cabin  and  potentially  minimize  the  EOM  impacts.  The  time  of  the  start  of 
the  leak  is  critical  because ,  coupled  with  the  discharge  duration  through  the  depress  valve ,  there  is  no 
other  way  to  effectively  determine  how  much  Haion  has  leaked  into  the  cabin.  The  nominal  discharge 
time  for  a  handheld  Haion  bottle  is  15  -  19  seconds.  Neither  the  crew  nor  the  MCC  have  insight  into  an 
empty  or  leaking  handheld  bottle  unless  the  crew  can  audibly  detect  a  leak.  Reference  rule  {A13-152B}. 
CABIN  ATMOSPHERE  CONTAMINATION  for  EOM  determination  due  to  Haion  concentrations  from  a 
handheld  Hcilon  bottle. 

Another  option  for  disposal  of  a  leaking  handheld  bottle  is  to  place  it  in  the  airlock  and  expose  it  to 
vacuum.  However,  since  there  is  no  effective  way  to  determine  the  leak  rate  of  the  bottle,  it  is  not 
possible  to  determine  how  much  Hcilon  has  leaked  into  the  cabin  or  how  long  the  bottle  must  be  exposed 
to  vacuum  before  it  is  completely  empty.  ©[090894-1673A] 

A17-55  THROUGH  17-100  RULES  ARE  RESERVED 
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ATMOSPHERE  REVITALIZATION  SYSTEM  (ARS)  AIR  LOSS  DEFINITIONS 


A17-101  CABIN  FAN 

A  CABIN  FAN  IS  CONSIDERED  LOST  IF  THE  FAN  DELTA  PRESSURE  IS  <4.20 
(4.49)  INCHES  H20  OR  >6.80  (6.51)  INCHES  H20  AND  CREW  DETECTS 

LOSS  OF  AIR  FLOW. 

With  a  delta  P  of  4.2  inches  H2O  ( low  on  the  portion  of  performance  band)  the  flow  is  approximately 
1575  Ib/hr.  This  is  considered  to  be  the  maximum  flow  available  with  low  delta  P  with  intact  systems  (no 
leakage;  therefore,  proper  cooling  to  all  areas). 

The  minimum  required  flowrate  for  proper  cooling  is  1400  Ib/hr  (at  the  high  portion  of  the  performance 
band);  the  delta  P  required  to  maintain  the  flow  is  6.8  inches  H2O.  A  delta  P  higher  than  this  will  not 
meet  the  required  minimum  cooling. 

Measurement  accuracy  is  ±  3.6  percent  of  full  scale  (0.036  x  8  inches  H2O  =  0.288). 
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A17-102  CABIN  ATMOSPHERIC  CONTROL 

CABIN  ATMOSPHERIC  CONTROL  IS  CONSIDERED  LOST  IF: 

A.  UNABLE  TO  MAINTAIN  CABIN  TEMPERATURE  CONTROL  AT  <95  DEG  (90 
DEG)  F. 

Temperatures  above  95  deg  F  would  cause  an  overtemperature  condition  in  the  avionics  on  the  flight 
deck.  The  lower  limit  for  the  flight  deck  avionics  is  40  deg  F  which  cannot  be  achieved  if  the  vehicle  is  in 
the  full,  on-orbit  avionics  configuration.  From  analysis  and  flight  experience,  the  water  pump  outlet 
temperature  will  run  8  deg  to  10  deg  F  below  cabin  temperature;  therefore,  a  39  deg  F  cabin 
temperature  would  result  in  a  water  pump  outlet  temperature  below  the  freezing  point  of  water. 

DOCUMENTATION:  SODB  4.6.1. 3.4-I.1,  l.l-ECLSS-122 

B.  UNABLE  TO  SATISFY  BIOMED  CONSTRAINTS  ON  PPCC£  (REF.  RULE 
{ A13-52 } ,  PPC02  CONSTRAINT). 

See  Rule  {A13-52},  PPC02  CONSTRAINT,  rationale. 

DOCUMENTATION:  SODB  3.4.6.1  and  SODB  4.6.1.3.1-C. 

C.  HUMIDITY  CONTROL 

1.  UNEXPLAINED  DECREASE  IN  THE  WASTE  WATER  TANK  FILL  RATE 
(NORMALLY  6  ±1  LB/DAY-CREWMEMBER) . 

The  increase  in  waste  tank  quantity  is  used  in  determining  status  of  humidity  control  instead  of  change 
in  the  humidity  level.  On  STS-5  when  fan  separator  B  became  degraded  due  to  blockage  at  the  separator 
inlet,  the  humidity  level  did  not  change.  The  failure  was  detected  by  the  flight  controllers  when  the  waste 
quantity  increase  became  a  slower  rate.  From  past  flights,  the  combined  waste  water  quantity  fill  rate 
from  metabolic  production  and  the  LiOH-COj  reaction  has  been  about  0.25  Ib/hr-crewmember  (6 
Ib/day-crewmember).  If  the  waste  quantity  is  increasing  only  from  the  crew’s  use  of  the  WCS  (3.49 
Ib/day-crewmember),  the  crew  will  inspect  the  crew  module  for  condensation. 

DOCUMENTATION:  SODB  4.6.2.2.4,  1.3-TM-DF86T50-54. 

2.  VISUAL  CONDENSATION  ON  THE  STRUCTURE  OR  THE  EQUIPMENT. 

If  humidity  con  trol  fails,  moisture  in  the  air  will  condense  on  equipmen  t  and/or  parts  of  the  vehicle 
structure  with  a  corresponding  temperature  below  the  dewpoint. 

DOCUMENTATION:  Flight  experience  and  SEH-SETO-87-014. 
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A17-103  LOSS  OF  AVIONICS  BAY  FAN 

A.  AV  BAY  COOLING  ©[040899-2498A] 

AVIONICS  BAY  FAN  SHALL  BE  CONSIDERED  LOST  IF  THE  FAN  DELTA 
PRESSURE  IS  <  2.5  INCHES  OF  B^O  OR  >  4.3  INCHES  OF  H20. 

A  delta  pressure  of  2.5  inches  ofH20  is  considered  the  minimum  value  which  provides  adequate  airflow 
required  for  avionics  bay  cooling.  This  minimum  value  corresponds  to  the  estimated  fan  delta  pressure 
of  two-phase  fan  operation.  This  delta  pressure  should  also  provide  adequate  cooling  flow  in  the  case 
of  duct  leakage  or  degraded  fan  performance. 

The  maximum  delta  pressure  which  provides  minimum  airflow  for  required  cooling  is  4.3  inches  ofH20. 
This  maximum  delta  pressure/minimum  airflow  is  based  on  a  temperature  violation  of  the  GPC’s.  A 
delta  pressure  >  4.3  inches  ofH20  will  not  meet  the  required  minimum  flowrate  for  adequate  cooling.  A 
delta  pressure  exceeding  this  value  would  be  indicative  of  possible  duct  blockage  or  filter  blockage. 

The  minimum  and  maximum  delta  pressure  values  are  in  general  agreement  with  current  LCC  and 
OMRSD  limits  which  are  based  on  analytical  predictions  of  flowrates  as  described  in  reference 
documentation. 

Fan  delta  pressure  is  a  coarse  representation  of  avionics  bay  cooling  performance.  Other  indicators 
to  determine  the  effectiveness  of  the  cooling  are  avionics  bay  air  outlet,  active  water  coolant  loop  heat 
exchanger  inlet  and  outlet  temperatures,  and  H2O  flowrate.  Therefore,  measurement  error  for  delta 
pressure  will  not  be  used  to  determine  the  loss  of  an  avionics  bay  fan. 

DOCUMENTATION:  RI-D  IL-287-203-91-003,  IL-287-203-90-86,  and  engineering  judgment.  (SODB 
request  submitted.) 

B.  UPGRADED  AV  BAY  FANS  FOR  ENHANCED  MIDDECK  COOLING:  @[040899- 
2498A] 

AN  UPGRADED  AV  BAY  FAN  SHALL  BE  CONSIDERED  LOST  IF  THE  FAN 
DELTA  PRESSURE  IS  <  4.5  INCHES  OF  B£0  OR  >  7.8  INCHES  OF  H20. 

The  new  upgraded  av  bay  fans  are  identical  to  the  current  cabin  fans,  with  the  exception  of  the  housing. 
As  of  January  1999,  the  new  av  bay  fans  are  currently  installed  in  Av  Bay  3 A  of  OV- 104.  OV-103  and 
OV-105  will  receive  the  upgraded  fans  sometime  in  the  future;  however,  the  Shuttle  Program  has  not 
determined  when  that  will  be.  OV-102  is  not  scheduled  to  receive  the  upgraded  fans. 

THIS  RULE  CONTINUED  ON  NEXT  PAGE 


VOLUME  A  06/20/02  FINAL  LIFE  SUPPORT  17-17 

Verify  that  this  is  the  correct  version  before  use. 


NASA  -  JOHNSON  SPACE  CENTER 


FLIGHT  RULES 


A17-103  LOSS  OF  AVIONICS  BAY  FAN  (CONTINUED) 

A  delta  pressure  of  4.5  inches  ofH20  is  considered  the  minimum  value  which  provides  adequate  airflow 
required  for  avionics  cooling.  This  minimum  value  corresponds  to  the  estimated  fan  delta  pressure  of 
two  phase  fan  operation.  This  delta  pressure  should  also  provide  adequate  cooling  flow  in  the  case  of 
duct  leakage  or  degraded  fan  performance. 

The  maximum  delta  pressure  which  provides  minimum  airflow  for  required  cooling  is  7.8  inches  ofH20. 
The  maximum  delta  pressure/minimum  airflow  is  based  on  temperature  violation  of  the  GPC’s.  A  delta 
pressure  of  7.8  inches  ofH20  will  not  meet  the  required  minimum  flow  rate  for  adequate  cooling.  A 
delta  pressure  exceeding  this  value  would  be  indicative  of  duct  blockage  or  filter  blockage. 

Fan  delta  pressure  is  a  coarse  representation  of  avionics  cooling  performance.  Other  indicators  to 
determine  the  effectiveness  of  the  cooling  are  avionics  bay  outlet,  active  water  coolant  loop  heat 
exchanger  inlet  and  outlet  temperatures,  and  H2O  flowrate.  Therefore,  measurement  error  for  delta 
pressure  will  not  be  used  to  determine  the  loss  of  an  avionics  bay  fan. 

DOCUMENTATION :  BN  A  Memo  No.  287-200-098-019,  Bay  3 A  Enhanced  Avionics  Fan  Delta  Pressure 
Limit.  ©[040899-2498A] 
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A17-104  I MU  FAN 

AN  IMU  FAN  IS  CONSIDERED  LOST  IF: 

A.  FAN  DELTA  PRESSURE  IS  <  3.70  (3.94)  OR  >  4.95  (4.71)  INCHES 

H20. 

The  minimum  required  flowrate  for  proper  cooling  is  144  Ib/hr  which  is  supplied  by  a  maximum  delta  P 
of  4.95  inches  H2O  ( temperature  dependent  value).  A  delta  P  any  higher  than  this  would  not  be  able  to 
supply  the  air  flowrate  required  for  proper  cooling. 

A  delta  P  of  3.7  inches  H2O  produces  a  flow  of  approximately  185  Ib/hr.  This  is  considered  to  be  the 
maximum  fan  flow  available  for  an  intact  system.  Therefore,  any  lower  delta  P  would  have  to  be 
produced  by  a  system  with  questionable  integrity  (leakage).  Measurement  accuracy  is  ±3.4  percent  of 
full  scale  ( 0.034  x  7  inches  PI2O  =  0.238). 

B.  IMU  FAN  SPEED  INDICATES  ABNORMAL  WHEN  FAN  IS  SELECTED. 

IMU  fan  speed  range  for  normal  speed  indication  is  10,000  ±  240  to  12,720  ±  700  rpm.  Fan  speeds 
outside  this  range  indicate  degraded  fan  operations  not  producing  the  necessary  flow  for  cooling  or  a 
breach  of  system  integrity. 

DOCUMENTATION :  Hamilton  Standard  Component  Data  Handbook  SP01T80,  Specification  Number 
SVHS  6416. 
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A17-105  AVIONICS  BAY  COOLING 

AVIONICS  BAY  COOLING  IS  LOST  IF: 

A.  ASCENT/ENTRY: 

UNABLE  TO  MAINTAIN  AVIONICS  BAY  AIR  OUTLET  TEMPERATURE  < 

130  DEG  (125  DEG)  F. 

For  a  fully  powered  avionics  bay,  air  outlet  temperatures  above  130  deg  F  would  result  in  an 
overtemperature  condition  of  the  avionics  in  that  avionics  bay.  @[030994-1609  ] 

DOCUMENTATION:  SODB  3.4.6. 1.1 . 

B.  ON-ORBIT: 

1.  FOR  A  14.7  PSI  CABIN,  UNABLE  TO  MAINTAIN  AVIONICS  BAY  AIR 
OUTLET  TEMPERATURE  BELOW:  @[090894-1 673A] 

a.  120  DEG  (115  DEG)  F,  IF  TWO  GPC'S  IN  RUN. 

b.  108  DEG  (103  DEG)  F,  IF  ONLY  ONE  GPC  IN  RUN. 

c.  100  DEG  (95  DEG)  F,  IF  NO  GPC'S  IN  RUN. 

2.  FOR  A  10.2  PSI  CABIN,  UNABLE  TO  MAINTAIN  AVIONICS  BAY  AIR 
OUTLET  TEMPERATURE  BELOW: 

a.  117  DEG  (112  DEG)  F,  IF  TWO  GPC'S  IN  RUN. 

b.  101  DEG  (96  DEG)  F,  IF  ONLY  ONE  GPC  IN  RUN. 

c.  89  DEG  (84  DEG)  F,  IF  NO  GPC'S  IN  RUN. 

3.  FOR  AN  8  PSI  CABIN,  UNABLE  TO  MAINTAIN  AVIONICS  BAY  AIR 
OUTLET  TEMPERATURE  BELOW: 

a.  127  DEG  (122  DEG)  F,  IF  TWO  GPC'S  IN  RUN  (AV  BAY  1, 
WITH  COLLINS  TACAN,  ONLY) . 

122  DEG  (117  DEG)  F,  IF  TWO  GPC'S  IN  RUN  (AV  BAY  1, 
WITH  GOULD  TACAN,  ONLY) . 

119  DEG  (114  DEG)  F,  IF  TWO  GPC'S  IN  RUN  (AV  BAY  2 
ONLY) . 

THIS  RULE  CONTINUED  ON  NEXT  PAGE 


VOLUME  A  06/20/02  FINAL  LIFE  SUPPORT  17-20 

Verify  that  this  is  the  correct  version  before  use. 


NASA  -  JOHNSON  SPACE  CENTER 


_ FLIGHT  RULES _ 

A17-105  AVIONICS  BAY  COOLING  (CONTINUED) 

b.  109  DEG  (104  DEG)  F,  IF  ONLY  ONE  GPC  IN  RUN  (AV  BAY 

1,  WITH  COLLINS  TACAN,  ONLY) . 

105  DEG  (100  DEG)  F,  IF  ONLY  ONE  GPC  IN  RUN  (AV  BAY 

1,  WITH  GOULD  TACAN,  ONLY) . 

101  DEG  (96  DEG)  F,  IF  ONLY  ONE  GPC  IN  RUN  (AV  BAYS  2 
&  3)  .  @[090894-1 673A] 

c.  87  DEG  (82  DEG)  F,  IF  NO  GPC'S  IN  RUN  (AV  BAY  1 

ONLY)  .  @[090894-1 673A] 

83  DEG  (78  DEG)  F,  IF  NO  GPC'S  IN  RUN (AV  BAYS  2  &  3) . 

The  airflow  in  each  of  the  avionics  bays  is  distributed  such  that  each  LRU  has  enough  airflow  to  remain 
under  its  maximum  operational  temperature  limit  based  upon  a  design  requirement  of  95  degrees  F 
maximum  avionics  bay  inlet  temperature.  Since  the  inlet  temperature  is  not  a  measured  parameter,  the 
air  outlet  temperature  sensor  must  be  used  to  determine  if  adequate  cooling  is  available  to  the  individual 
LRU’s.  The  measured  avionics  bay  air  outlet  temperature  is  a  mixed  air  temperature  for  cdl  LRU’s 
(active  &  inactive )  in  the  respective  bay  and  is  therefore  an  indication  of  the  average  heat  load.  When  an 
LRU  is  powered  off,  its  relatively  cooler  airflow  will  mix  with  the  warmer  air  from  the  active  LRU’s, 
resulting  in  a  mixed  air  temperature,  in  most  cases,  lower  than  that  of  cm  active  LRU.  For  example,  with 
a  single  active  GPC,  a  mixed  air  outlet  temperature  of  130  degrees  F  would  result  in  a  GPC  operating 
above  its  maximum  operational  limit  of  130  degrees  F.  Consequently,  a  measured  avionics  bay  air  outlet 
temperature  which  corresponds  to  a  maximum  inlet  temperature  of  95  degrees  F  will  be  LRU 
configuration  dependen  t.  When  set  up  for  on-orbit  operations  (assuming  nominal  on-orbit  configuration: 
TACAN,  MLS,  etc.,  are  unpowered),  the  GPC  is  the  largest  heat  load  and  each  GPC  affects  approximately 
one-third  of  the  airflow  in  that  bay.  Therefore,  the  configuration  dependent  air  outlet  temperature  limit 
for  on-orbit  is  driven  primarily  by  the  individual  avionics  bay’s  GPC  configuration.  The  derived  outlet 
temperature  limits  assume  no  airflow  blockage  within  the  avionics  bay/LRU  ducting. 

Three  different  analyses  were  performed  for  cabin  pressures  of  14. 7,  10.2,  and  8,0  psia.  The  14. 7  psia 
case  protects  against  the  design  requirement  of  95  degrees  F  maximum  avionics  bay  inlet  temperature. 
Based  upon  the  airflow  distribution  unique  to  each  avionics  bay,  the  individual  GPC  operating 
temperatures  were  derived  to  be  122  and  126  degrees  F  for  avionics  bays  # 1  and  #2  respectively.  The 
resulting  mixed  air  temperatures  (avionics  bay  air  outlet  temperature)  is  listed  in  section  1  of  the  rule 
since  it  is  the  monitored  parameter.  Consequently,  there  is  between  4  and  8  degrees  F  margin  depending 
on  the  specifics  of  the  avionics  bay. 

THIS  RULE  CONTINUED  ON  NEXT  PAGE 
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A17-105  AVIONICS  BAY  COOLING  (CONTINUED) 

Since  there  are  no  design  requirements  for  the  10.2  and  8.0  psia  cases,  the  analyses  were  performed  as 
follows: 

In  order  to  be  consistent  between  the  two  nominal  cases  (10.2  and  14.7  psia),  the  10.2  analysis  protected 
the  same  individual  GPC  box  outlet  temperatures  as  the  14. 7  psia  case,  and  backed  out  an  air  inlet 
temperature  of  approximately  80  degrees  F.  From  these  two  parameters,  the  mixed  air  outlet 
temperature  was  calculated  and  listed  in  section  2  of  the  rule.  The  analysis  was  performed  taking  into 
account  the  decrease  in  airflow  due  to  the  lower  cabin  pressure.  The  expected  decrease  in  airflow  at 
10.2  psia  is  based  upon  a  linear  function  of  the  airflow  at  14. 7  psia  and  the  lower  cabin  pressure. 
@[090894-1 673A] 

Since  the  8. 0  psia  case  is  a  contingency  scenario,  the  analysis  protected  against  the  maximum  GPC 
operating  temperature  of  130  degrees  as  opposed  to  the  derived  design  limit  used  for  the  14.7  and  the 
10.2  psia  cases.  Therefore,  based  upon  a  GPC  operating  temperature  of  130  degrees  F,  the  analysis 
calculated  the  mixed  cur  outlet  temperatures  listed  in  section  3  of  the  rule.  The  8.0  psi  case  has  limits 
which  are  specific  to  the  avionics  bays  as  compared  to  the  10.2  and  14.7 psi  cases.  This  is  due  to  the 
fact  that  the  lower  pressure  of  8.0  psi  magnifies  the  impacts  of  the  different  avionics  bay  airflow 
configurations  (including  whether  Gould  or  Collins  TACAN’s  are  installed  in  the  avionics  bay).  For  the 
higher  pressure  cases,  the  airflow  differences  did  not  cause  a  divergence  in  results  significant  enough  to 
be  considered  separately.  @[090894-1 673A] 

Avionics  bay  airflow  reconfigurations  due  to  the  installation  of  the  new  Collins  TACAN’s  has  no  impact 
on  the  avionics  bay  air  outlet  temperature  limits  at  either  8,  10.2  or  14. 7  psi  cabin  pressures.  @[030994- 
1609] 

DOCUMENTATION :  Memo  DF7-93-46,  Avion  ics  Bay  Temperature  Limits  Analyses  for  On-Orbit  and 
Post-Landing;  Memo  DF7-94-36,  ,  Avionics  Bay  Temperature  Limits  Analyses  for  On-Orbit  and  Post- 
Landing  Addendum,  SODB  3.4. 5. 3,  3.4. 5. 4,  4. 6. 1.4.2,  and  4.6.1-41;  IBM  855440-010,  Flight  GPC 
Thermal  Analysis  Report;  and  RI  Memo  287-203-90-086,  “  Update  To  Avionics  Bay  Changes  For 
Installation  of  New  GPC’s  and  New  TACAN’s.  @[090894-1 673A]  “ 

C.  BOTH  FANS  ARE  LOST.  @[030994-1609] 

If  unable  to  get  the  required  airflow,  the  avionics  bay  is  considered  lost. 

DOCUMENTATION :  Engineering  judgment. 
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A17-106  REGENERATIVE  CQ2  REMOVAL  SYSTEM  (RCRS)  LOSS 

DEFINITION 

THE  RCRS  IS  CONSIDERED  LOST  IF: 

A.  UNABLE  TO  MAINTAIN  PPCO2  BELOW  7.6  MM  HG . 

RCRS  CO 2  removal  capability  will  not  be  effective  if  the  vacuum  vent  line  isol  valve  closes  the  vacuum 
vent  duct  blocks,  orforARS  duct  leakage  occurs. 

RCRS  operations  are  not  possible  if  both  con  troller  A  and  B  have  failed  since  the  RCRS  requires  an 
automatic  controller  (no  manual  RCRS  override  capability). 

RCRS  auto  shutdown  logic  will  shut  down  the  RCRS  if  bed  pressures,  bed  delta  pressures,  or  compressor 
RPM  and  valve  position  indications  are  not  acceptable. 

Reference  Rule  {A  1 3 -52 A  }.2,  PPC02  CONSTRAINT,  rationale. 

DOCUMENTATION:  RCRS  Critical  Design  Review,  March  15-17,  1990. 

B.  UNABLE  TO  MAINTAIN  PPCO2  INSIGHT. 

See  Rule  (A17-155BJ.4,  REGENERATION  C02  REMOVAL  SYSTEM  (RCRS)  MANAGEMENT,  for 
rationale. 

DOCUMENTATION :  Engineering  judgment. 

A17-107  THROUGH  A17-150  RULES  ARE  RESERVED 
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ARS  AIR  SYSTEM  MANAGEMENT 


A17-151  CABIN  ATMOSPHERE  CONTROL 

A.  THE  CABIN  TEMPERATURE  CONTROL  BYPASS  VALVE  WILL  BE 
AUTOMATICALLY  DRIVEN  TO  THE  "FULL  COOL"  POSITION  FOR  ASCENT 
AND  ENTRY. 

The  heat  load  in  the  cabin  is  large  enough  to  require  full  cool  during  these  phases.  Having  the  valve  in 
full  cool  is  SOP.  This  is  done  to  protect  against  the  high  heat  loads  in  the  cabin  during  an  8  psi  ascent 
or  entry  situation. 

DOCUMENTATION:  SEH-ITA-80-245. 

B.  WHEN  TIME  PERMITS  THE  LIOH  CANISTERS  WILL  BE  REMOVED  FOR 
AN  8  PSI  ENTRY. 

The  canister  removal  increases  the  fan  efficiency  for  cooling  which  is  critical  at  a  reduced  pressure.  One 
fan  increases  inflow  from  820  Ib/hr  ( with  LiOH  in)  to  870  Ib/hr  ( with  LiOH  out).  This  rule  also  assumes 
the  crew  is  wearing  launch/entry  suit  (LES)  helmets  or  that  the  PPC02  level  is  under  control  before 
removing  the  canisters. 

DOCUMENTATION:  1.2-TM-B1709-24. 

C.  LIOH  CANISTER (S)  WILL  NORMALLY  BE  REPLACED  PRESLEEP  AND 

POSTSLEEP  OR  WHEN  PPCC^  IS  VERIFIED  TO  BE  ?7.6  (6.1)  MMHG . 

Changeouts  are  scheduled  so  normal  housekeeping  activities  will  not  interfere  with  mission  or  payload 
operations.  Single  or  dual  canister  changeouts  are  based  on  an  analysis  to  maximize  LiOH  utilization  as 
a  function  of  crew  size.  Additionally,  the  rule  specifies  that  a  changeout  will  occur  when  PPCO2 
increases  above  7.6  mmHG  which  is  the  level  we  will  manage  PPCO2  to  prevent  possible  physiological 
changes  to  the  crew. 

DOCUMENTATION:  SEH-ITA-85-145,  SODB  3.4.6.1,  SODB  4.6.1. 3. 1-C. 

D.  WINDOW  SHADES  MAY  BE  USED  TO  MINIMIZE  LOCAL  CABIN  TEMPERATURE 
GRADIENTS . 

The  effects  of  solar  heat  loads  transmitted  through  the  windows  to  the  cabin  and  flight  deck  can 
essentially  be  negated  by  installing  the  shades. 

DOCUMENTATION:  SEH-ITA-82-028T. 

THIS  RULE  CONTINUED  ON  NEXT  PAGE 
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A17-151  CABIN  ATMOSPHERE  CONTROL  (CONTINUED) 

E.  CABIN  FANS  WILL  NOT  BE  CYCLED  PRE-MECO.  @[040899-2570] 

The  cabin  fan  large  ac  loads  during  the  first  stage  are  nearly  at  their  maximum  level.  Cycling  fans  (8.0 
amps  startup)  could  create  a  voltage  transien  t  to  the  main  engine  controllers  jeopardizing  engine 
performance. 

F.  UPGRADED  AVIONICS  BAY  FANS  WILL  NOT  BE  CYCLED  PRE-MECO. 

Upgraded  avionics  fans  have  been  installed  in  OV-104  and  will  later  be  installed  in  OV-103  and  OV-105 
to  provide  additional  cooling  to  middeck  payloads.  The  startup  transient  currents  associated  with  these 
fans  are  significan  tly  larger  than  the  older  avionics  fans  (7.4  cimps/phase  vs  2.0  amps/phctse).  Cycling 
fans  could  create  a  voltage  transient  to  the  main  engine  controllers,  jeopardizing  engine  performance. 
@[040899-2570  ] 
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A17-152  CABIN  TEMPERATURE  CONTROL  AND  MANAGEMENT 

CREW  CABIN  TEMPERATURE  WILL  BE  MANAGED  IN  THE  FOLLOWING  MANNER: 
@[022201-4146  ] 

A.  ASCENT: 

THE  CABIN  TEMPERATURE  CONTROL  BYPASS  VALVE  WILL  BE 
AUTOMATICALLY  DRIVEN  TO  THE  "FULL  COOL"  POSITION  FOR  ASCENT. 


The  heat  load  in  the  cabin  is  large  enough  to  require  full  cool  during  this  phase.  Having  the  valve  in  full 
cool  is  SOP.  This  is  done  to  protect  against  the  high  heat  loads  in  the  cabin  during  an  8  psi  ascent 
situation. 

DOCUMENTATION:  SEH-ITA-80-245. 

B.  ON-ORBIT: 

THE  CREW  MAY  ADJUST  THE  CABIN  TEMPERATURE  CONTROLLER  TO  ANY 
DESIRED  POSITION  TO  SATISFY  CREW  COMFORT,  REGARDLESS  OF  THE 
TEMPERATURE  INDICATED  ON  THE  CABIN  TEMPERATURE  SENSOR.  ONE 
EXCEPTION  TO  THIS  IS  THAT  IF  LOWERING  THE  CABIN  TEMPERATURE 
IS  REQUIRED  TO  MAINTAIN  ACCEPTABLE  ISS  DEWPOINT  LEVELS  DURING 
DOCKED  OPS,  THIS  WILL  HAVE  PRIORITY  OVER  CREW  COMFORT.  OTHER 
EXCEPTIONS  TO  THIS  RULE  WILL  BE  DOCUMENTED  IN  THE  FLIGHT- 
SPECIFIC  ANNEX.  @[022201-4146] 

1.  THE  FOLLOWING  SENSORS  MAY  BE  USED  TO  MEASURE  CABIN 
TEMPERATURE:  @[022201-4146] 


INSTRUMENT 


CABIN  TEMP  DUCER 

MICRO-WIS 

MULTIMETER 


THIS  RULE  CONTINUED  ON  NEXT  PAGE 
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A17-152  CABIN  TEMPERATURE  CONTROL  AND  MANAGEMENT 

(CONTINUED) 


The  cabin  temperature  transducer  is  normally  used  to  measure  cabin  temperature.  However ,  the  cabin 
temperature  transducer  can  be  affected  by  ambient  conditions  immediately  surrounding  the  transducer. 
In  order  to  lessen  the  effects,  the  box  surrounding  the  transducer  is  normally  taped  to  minimize  this 
influence,  but  STS-103  data  indicated  that  this  transducer  could  still  be  affected  by  other  heat  loads  in 
the  near  vicinity.  Furthermore,  DTO  664,  performed  on  STS-60,  STS-62,  STS-59,  STS-64,  and  STS-66, 
showed  that  the  cabin  temperature  could  vary  significantly  throughout  the  cabin.  For  example,  on  STS- 
103,  the  cabin  temperature  transducer  reading  was  approximately  7-11  deg  F  higher  than  multimeter 
readings  taken  at  various  locations.  These  data  indicate  that  a  difference  between  the  cabin 
temperature  transducer  and  the  actual  cabin  temperature  should  not  be  discoun  ted  during  flight. 
Therefore,  if  a  more  accurate  temperature  reading  at  the  avionics  inlet  is  required,  other  sources  can  be 
used. 


2.  IF  THE  CABIN  TEMPERATURE  IS  TOO  COLD,  THE  FOLLOWING 
ACTIONS  WILL  BE  PERFORMED  IN  ORDER  OF  PRIORITY: 

a.  MANUALLY  PIN  CABIN  HEAT  EXCHANGER  BYPASS  VALVE  IN  THE 
REQUIRED  POSITION. 

b.  POWERUP  PANEL  AND  FLOOD  LIGHTS. 

C.  POWERUP  AIR  COOLED  EQUIPMENT. 

d.  OPERATE  BOTH  WATER  LOOPS  WITH  FULL  INTERCHANGER  FLOW. 

e.  DEACTIVATE  THE  FES.  @[022201-4146] 

f.  OPERATE  THE  RADIATOR  CONTROLLER  OUTLET  TEMPERATURE  IN 
"HI"  (57  DEG  ±  2  DEG  F)  .  @[022201-4146] 

Each  action  will  decrease  the  amount  of  heat  rejected  from  the  cabin  or  increase  the  cabin  heat  load, 
thus  allowing  cm  incremental  temperature  increase. 

DOCUMENTATION:  RI IL  287-203-91-025,  SODB  RI-1344. 
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A17-152  CABIN  TEMPERATURE  CONTROL  AND  MANAGEMENT 

(CONTINUED) 

3.  IF  PRE-FLIGHT  OR  REAL-TIME  ANALYSIS  PREDICTS  A  VIOLATION 
OF  THE  UPPER  CABIN  TEMPERATURE  LIMIT  DEFINED  IN  {A13-31}, 
CREW  CABIN  TEMPERATURE  LIMITS,  THE  CABIN  TEMP  CNTLR  BYP 
VLV  WILL  BE  AUTOMATICALLY  DRIVEN  TO  THE  "FULL  COOL" 
POSITION  POSTSLEEP  ON  THE  DAY  OF  THE  EVENT.  IF  THE  CREW 
THEN  BECOMES  UNCOMFORTABLE  DUE  TO  THIS  CONFIGURATION, 

THEY  MAY  ADJUST  THE  CABIN  TEMPERATURE  CONTROLLER  TO  ANY 
DESIRED  POSITION  TO  SATISFY  CREW  COMFORT. 

For  each  flight,  BN  A  produces  a  Thermal  Verification  Analysis  at  the  L-5  Month  and  L-l  Month  time 
periods.  An  overall  ATCS  analysis,  the  Thermal  Verification  Analysis,  provides  the  predicted  cabin 
temperatures  for  each  flight  analyzed.  Using  this  analysis,  extensive  preflight  coordination  is 
performed  by  EECOM  and  BNA  to  ensure  the  cabin  temperature  constraint  is  not  violated.  As  part  of 
this  coordination,  paragraph  a  will  be  used  to  provide  a  “cabin  coldsoak”  prior  to  any  event  that  is 
foreseen  as  possibly  causing  the  crew  to  be  uncomfortably  warm.  Events  that  may  require  a  cabin 
coldsoak  include  rendezvous,  10.2  psi  operations,  ISS  ingress/egress  operations,  or  other  operations 
during  which  the  ARS  cannot  react  quickly  enough  to  protect  the  upper  limits.  For  most  cases, 
ensuring  the  orbit er  ATCS  configuration  is  in  the  10.2  Psi  cabin  configuration,  in  addition  to 
paragraph  a  above,  will  ensure  that  the  cabin  temperature  does  not  exceed  the  upper  limit.  @[022201- 
4146] 


4.  IF  THE  INDICATED  CABIN  TEMPERATURE  EXCEEDS:  @[022201-4146] 


CABIN  PRESSURE  (PSIA) 

HARDWARE  UPPER  LIMIT  (DEG  F) 

14.7 

95 

10.2 

85 

INTERMEDIATE  PRESSURE 

85  +  (CABIN  P-  10.2)  X  2.22 

THEN  THE  MCC  MAY  REQUEST  THAT  THE  CREW  OBTAIN  ADDITIONAL 
TEMPERATURE  DATA  ON  SPECIFIC  AVIONICS  BOXES  TO 
CHARACTERIZE  ANY  POSSIBLE  EFFECTS  ON  AVIONICS  LIFETIME. 
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The  upper  temperature  limit  for  the  avionics  hardware  is  based  on  protecting  the  maximum  air  outlet 
temperature  of  130  deg  F  for  ail  flight  deck  avionics.  Since  outlet  temperature  cannot  be  measured 
directly,  an  inlet  temperature  limit  is  used  to  protect  the  outlet  temperature  constraint.  At  14. 7  psi,  the 
SODB  inlet  temperature  limit  is  95  deg  F.  To  derive  the  upper  cabm  temperature  limit  at  lower  cabin 
pressures,  the  95  deg  limit  was  scaled  to  account  for  the  air  density  reduction  and  still  protect  the  130 
deg  outlet  temperature  limit.  Since  the  previous  limit  (80  deg  F)  at  10.2  had  been  violated  on  occasion 
and  the  limit  waived  real  time,  a  higher  upper  hardware  limit  was  recommended  (85  deg  F).  An  analysis 
was  performed  by  Boeing  to  assess  the  impact  to  the  avionics  lifetime  of  increasing  the  limit  by  5  deg  F. 
Per  the  aforemen  tioned  analysis,  there  is  negligible  impact  to  the  reliability/lifetime  of  the  avionics 
equipmen  t  so  the  hardware  limit  was  changed  to  85  deg  F. 

DOCUMENTATION :  SODB  4.6.1.3.4-d,  4.6.1.4.3-a,  and  SD2-99-005,  “  Revised  Cabin  Temperature 
Requirements,”  OFTPM82.  @[022201-4146] 

5.  IF,  FOLLOWING  AN  AVIONICS  TEMPERATURE  CHARACTERIZATION, 

IT  IS  FOUND  THAT  THE  AVIONICS  LIMITS  ARE  BEING  VIOLATED, 
THE  FOLLOWING  ACTIONS  WILL  BE  CONSIDERED:  @[022201-4146] 

a.  INCREASE  AIRFLOW  TO  THE  AVIONICS  BY  OPENING  ACCESS 
DOORS  IF  INLET  TEMPERATURES  ARE  WARMER  THAN  THE  CABIN 
ENVIRONMENT . 

Previous  flight  data  have  shown  that  the  temperatures  behind  the  panels  can  be  higher  than  the  cabin 
environmen  t.  Opening  the  access  doors  to  the  avionics  is  an  easy  way  to  improve  mixing  of  the  cooler 
cabin  cur  with  the  cur  behind  the  panels  and  possibly  reduce  the  inlet  temperatures  below  the  limit. 

b.  USE  WINDOW  SHADES  TO  MINIMIZE  LOCAL  CABIN  TEMPERATURE 
GRADIENTS . 

Installing  the  shades  can  essentially  negate  the  effects  of  solar  heat  loads  transmitted  through  the 
windows  to  the  cabin  and  flight  deck.  This  action  may  be  taken  any  time  the  crew  desires  to  minimize 
temperature  gradients. 

DOCUMENTATION:  SEH-ITA-82-028T.  @[022201 -41 46  ] 

C.  POWER  DOWN  SELECTED  EQUIPMENT  FROM  THE  FOLLOWING 
MATRIX.  THE  PRIORITY  AND  DEPTH  OF  POWERDOWN  WILL 
DEPEND  ON  MISSION  ACTIVITIES  AND  THE  TRENDS  IN  CABIN 
TEMPERATURE.  @[022201-4146] 
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EQUIPMENT 

ELECTRICAL 
LOAD  (WATTS) 

IMPACT  OF  POWERDOWN  (RNDZ,  EVA) 

LIGHTS 

0-300 

MINIMAL 

GALLEY  WATER  HTR 

500 

MINIMAL  -  NO  HOT  WATER 

GALLEY  OVEN  HTR 

196 

MINIMAL  -  CREW  WATER  DISPENSER  DISABLED 

GALLEY  OVEN  FAN 

31.7 

MINIMAL  -  FOOD  TAKES  LONGER  TO  HEAT 

COLOR  PRINTER 

23.6 

MINIMAL  -  PRINTER  CAN  BE  PWRD  UP  FOR  MSG  PRINTING  AND 
PWRD  DOWN  WHEN  COMPLETE. 

TV  MONITOR 

COLOR 

56  (NOM) 

MAJOR  -  DURING  RNDZ  REQD  TO  VIEW  CENTERLINE  CAMERA, 
EXTERNAL  IMAGES  AND  SVS 

86  (MAX) 

MAJOR  -  DURING  EVA  REQD  TO  VIEW  CREW  IN  OBSTRUCTED 

WORK  AREAS 

VCU 

46 

MAJOR  -  DURING  RNDZ  CANNOT  VIEW,  RECORD,  AND  DOWNLINK 
VIDEO.  NO  INCO  OR  CREW  TV  OPERATIONS  POSSIBLE,  EXCEPT  IN¬ 
CABIN  CAMCORDER  RECORDING. 

8MM  VTR  (TEAC) 

10 

MINIMAL  -  NO  VIDEO  RECORDING 

CAMCORDER 

10 

MINIMAL  -  NO  VIDEO  IMAGING  AND  RECORDING  IN  CABIN 

MEDS  MDU  (IF  FLOWN) 

66 

MINIMAL  -  ONLY  4  MDU’S  REQD  FOR  RNDZ 

2  MDU'S  REQD  FOR  EVA 

MEDS  IDP  (IF  FLOWN) 

55 

MINIMAL  -  2  IDP’S  REQD  FOR  REDUNDANCY  FOR  RNDZ  &  EVA 

MCDS  CRT  (IF  FLOWN) 

101.7 

MINIMAL  -  ONLY  2  CRTS  REQD  FOR  RNDZ  AND  CRT4  MUST  BE  ONE 

1  CRT  REQD  FOR  EVA 

MCDS  DEU  (IF  FLOWN) 

183.7 

MINIMAL  -  2  DEUS  REQD  FOR  RNDZ  AND  CRT4  MUST  BE  ONE 

1  DEU  REQD  FOR  EVA 

MIDDECK  CCU  AUD 

PWR 

4  (STBY/RCV) 

12  (XMIT) 

IF  NO  M/D  AUDIO  REQUIREMENTS,  NO  IMPACT 

DDU 

111.7 

MAJOR  DURING  RNDZ  -  2  DDU’S  REQD  FOR  MANUAL  FIT  CNTL 
MINIMAL  DURING  EVA 

OIU 

12 

MAJOR  -  OIU  USED  NORMALLY  FOR  ISS  TELEMETRY/CMD.  ECOM 
POSSIBLE  BACKUP. 

OTHER  EQUIPMENT 

WILL  BE  DETERMINED  REAL  TIME 

@[022201-4146  ] 


NOTES: 

IMPACT  SEVERITY  IF  LRU  UNPOWERED  DURING  RNDZ/EVA  @[022201-4146  ] 
MINIMAL  -  IMPACT  TO  OPERATIONS  NOT  SEVERELY  HAMPERED 
MARGINAL  -  WILL  REQUIRE  CREW  ACTION  FOR  SOME  SITUATIONS 
MAJOR  -  NOT  DESIRED,  FLIGHT  SAFETY  COMPROMISED 
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The  matrix  above  lists  selected  equipmen  t  that  will  be  powered  off  and  includes  the  electrical  load  and 
the  impact  of  powerdown.  The  priority  of  the  equipment  in  the  matrix  depends  on  mission  activities. 

C.  ENTRY: 

CABIN  TEMPERATURE  WILL  BE  MANAGED  AS  FOLLOWS  TO  ENSURE 

ADEQUATE  ENTRY  TEMPERATURES  IN  ACCORDANCE  TO  RULE  {A13-31}, 

CREW  CABIN  TEMPERATURE  LIMITS: 

1.  PRE-SLEEP  OF  EOM-1 ,  THE  CABIN  TEMP  CONTROLLER  WILL  BE 
AUTOMATICALLY  DRIVEN  TO  A  POSITION  TO  ACHIEVE  A  CABIN 
TEMP  OF  70  DEG  F  AT  CREW  WAKE  ON  ENTRY  DAY. 

2.  PRE-SLEEP  OF  EOM-1,  IF  SLEEP  TEMPERATURES  WILL  BE 
UNACCEPTABLY  COLD,  PER  CDR  AND  SURGEON  AGREEMENT,  THE 
CABIN  TEMP  CONTROLLER  POSITION  CAN  BE  CONFIGURED  TO 
PROVIDE  A  COMFORTABLE  SLEEP  ENVIRONMENT  WHILE  STILL 
STRIVING  TO  ACHIEVE  THE  OPTIMAL  COLDSOAK.  @[092701-4860] 

3.  THE  CABIN  TEMPERATURE  CONTROLLER  BYPASS  VLV  WILL  BE 
AUTOMATICALLY  DRIVEN  TO  THE  "FULL  COOL"  POSITION,  POST 
SLEEP  OF  ENTRY  DAY. 

4.  ACTION  WILL  NOT  BE  TAKEN  TO  REDUCE  CABIN  TEMPERATURE  IF 
THE  D/O  PREP  TIMELINE  HAS  BEEN  ENTERED. 

5.  FOR  WAVEOFF  DAYS,  PREFLIGHT  ANALYSIS  WILL  DICTATE  THE 
LEVEL  OF  ACCEPTABLE  POWER  (EITHER  GROUP  B  OR  C 
POWERDOWN)  TO  OBVIATE  CABIN  TEMPERATURE  CONCERNS.  @[092701- 
4860] 

Per  Rule  { A13-31} ,  CREW  CABIN  TEMPERATURE  LIMITS,  the  Individual  Cooling  Units  (ICU’s),  used 
during  ascent/entry  since  STS-88,  were  designed  to  remove  340  BTU’s/hr  at  an  ambient  temperature  of 
75  deg  F,  which  is  the  metabolic  heat  load  produced  by  a  resting,  minimally  active  crewmember.  The 
actions  above  seek  to  ensure  that  the  temperatures  documented  in  the  Section  13  rule  are  met  and  still 
provide  comfortable  temperatures  for  the  crewmembers  during  the  sleep  period  prior  to  entry  day. 
@[022201-4146  ] 
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Flight  data  from  several  flights  indicated  that  achieving  a  cabin  temperature  of  70  deg  F,  at  crew  wake 
on  entry  day,  would  satisfy  the  defined  limits  and  still  provide  comfortable  temperatures  for  the 
crewmembers  during  the  sleep  period  prior  to  entry  day.  At  the  OFTP  #176  in  August  1999,  the 
recommended  position  for  the  Cabin  Temp  Selector  to  achieve  this  temperature  was  approximately  the 
10  o’clock  position.  Flight  demands  may  necessitate  a  different  position  for  future  flights.  If  other 
temperature  data  indicate  that  the  cabin  temperature  transducer  has  a  significant  bias,  the  position  of 
the  cabin  temperature  controller  selector  can  also  be  biased  to  target  an  actual  temperature  of  70  deg  F, 
rather  than  a  cabin  temperature  transducer  indicated  temperature  of  70  deg  F.  @[022201-4146  ] 

Pre-sleep  ofEOM-1,  if  sleep  temperatures  will  be  unacceptably  cold,  per  CDR  and  surgeon  agreemen  t, 
the  cabin  temp  controller  position  can  be  configured  to  provide  a  comfortable  sleep  environment  while 
still  striving  to  achieve  the  optimal  coldsocik.  @[092701-4860  ] 

The  Cabin  Temperature  Controller  Bypass  Valve  will  be  driven  to  the  “Full  Cool  ”  position,  post-sleep, 
to  continue  the  cabin  coldsocik  for  entry. 

Analyses  produced  by  Boeing  North  America  at  the  L-5  month  and  L-l  month  milestones  provide 
feedback  to  MOD  on  whether  or  not  these  temperature  limits  are  met  during  the  flight  planning  process. 
Predicted  violations  will  be  worked  on  a  flight-by-flight  basis,  if  required. 

If  a  limit  is  violated  during  the  Deorbit  Prep/Entry  timeframe,  there  are  no  easy  actions  remaining  to 
reduce  the  cabin  heat  load.  Powerdowns  of  orbiter  or  payload  equipmen  t  would  be  necessary  but  are  not 
desirable  during  this  time  period.  The  risks  in  troduced  by  turn  ing  off  entry-related  equipmen  t  ou  tweigh 
the  slight  increased  risks  to  crew  health  that  temps  above  75  deg  F  may  cause. 

In  order  to  produce  water  for  additional  entry  attempts  ( for  weather  wave-off  days,  etc.),  the  Flash 
Evaporator  is  normally  deactivated  for  weather  extension  days.  This  configuration,  in  conjunction  with 
the  nominal  debris  protect  attitude  of-ZLV  -XW,  caused  concerns  that  the  entry  cabin  temperature 
constraints  could  not  be  met.  BNA  produced  cm  analysis  (November  3,  1999),  in  this  configuration,  with 
a  Group  B  powerdown.  Temperatures  were  found  to  be  acceptable  for  cm  extension  day  with  only  a 
Group  B  powerdown  in  place.  Temperatures  were  elevated  for  the  actively  cooled  payload  case,  with  a 
3000  W  payload  allocation.  Flights  with  actively  cooled  payloads  will  require  additional  analyses  to 
ensure  adherence  to  the  entry  cabin  temperature  limit.  Because  of  this,  the  rule  allows  for  either  a 
Group  B  or  C  powerdown  to  be  performed,  dependent  on  the  flight  manifest. 

DOCUMENTATION :  OFTP  #176  Meeting  Minutes,  August  1999;  engineering  judgment;  flight  data; 
“Revised  Cabin  Temperature  Requirements,  ”  SD2-99-005.  @[022201-4146  ] 
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A17-153  CABIN/AVIONICS  BAY  FAN  MANAGEMENT 

A.  FOR  LOSS  OF  AN  AVIONICS  BAY  FAN  DELTA  PRESSURE  TRANSDUCER, 

THE  SECOND  FAN  WILL  BE  TURNED  ON  AND  LEFT  ON  UNTIL  EOM . 

Since  the  crew  and  the  ground  operator  have  lost  insight  into  fan  performance  with  the  loss  of  a  fan  delta 
pressure  transducer,  two  fans  will  be  tu  rned  on  to  protect  against  a  fan  failing  undetected.  This  rule  still 
applies  for  upgraded  avionics  fans  (cabin  fans)  installed  in  av  bay  3A.  Even  though  the  fans  are  larger 
than  regular  avionics  fans,  the  crew  may  not  be  able  to  detect  a  fan  loss  by  sound  as  men  tioned  in 
paragraph  B  of  this  rule.  Mission  duration  may  be  impacted  due  to  a  higher  consumables  usage  with  an 
additional  fan  powered  on.  ©[040899-2499B] 

DOCUMENTATION :  Engineering  judgment. 

B.  FOR  LOSS  OF  A  CABIN  FAN  DELTA  PRESSURE  TRANSDUCER,  BOTH  CABIN 
FANS  WILL  BE  TURNED  ON  DURING  SLEEP  PERIODS. 

Since  the  crew  and  the  ground  operator  have  lost  insight  into  fan  performance  with  the  loss  of  a  fan  delta 
pressure  transducer,  two  fans  will  be  turned  on  during  sleep  periods  to  protect  against  a  fan  failing 
undetected  while  the  crew  is  asleep.  The  crew  can  detect  cabin  fan  loss  (sound)  during  awake  periods. 
Mission  duration  may  be  impacted  due  to  a  higher  consumables  usage  with  an  additional  fan  powered 
on.  ®[040899-2499B] 

DOCUMENTATION :  Engineering  judgment. 
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A17-154  MANAGEMENT  OF  DEGRADED  ROTATING  EQUIPMENT 

A.  ANY  ROTATING  EQUIPMENT  (EXCEPT  THE  CABIN  FAN)  THAT  LOSES  A 
SIN-GLE  PHASE  WILL  BE  SWITCHED  TO  THE  ALTERNATE  EQUIPMENT. 
®[032395-1752A] 

All  equipment  with  the  exception  of  the  cabin  fan  and  the  upgraded  avionics  fan  can  be  restarted  on  two 
phases.  @[040899-2500  ] 

Since  the  lifetime  of  two-phase  operations  is  confirmed  to  168  hours  (for  new  equipmen  t)  and  the  two- 
phase  equipment  operates  below  normal  performance,  it  is  prudent  to  switch  from  the  two-phase 
equipment. 

The  JSC  test  and  OV-101  fan  test  at  Rockwell -Downey  showed  that  when  a  cabin  fan  was  started  on  two 
phases  that  it  popped  the  3  AMP  cb’s  powering  the  fans. 

If  a  cabin  fan  loses  a  phase,  it  is  prudent  to  continue  operating  the  two  phase  cabin  fan  since  it  may  not 
be  possible  to  restart  that  fan  if  it  is  turned  off  and  loss  of  one  cabin  fan  results  in  an  MDF  (reference 
Rule  [A17-1001 ),  LIFE  SUPPORT  GO/NO-GO  CRITERIA).  In  the  case  of  an  upgraded  avionics  fan, 
which  is  the  same  as  a  cabin  fan,  it  is  not  necessary  to  continue  operating  an  upgraded  av  bay  fan  on  two 
phases  since  the  loss  of  one  avfan  has  no  mission  duration  impacts.  Further,  it  is  not  recommended  to 
continue  operating  the  fan  on  two  phases  since  two  phase  operation  is  below  nominal  performance  and 
could  cause  damage  to  the  fan.  Should  a  second  failure  occur  which  causes  loss  of  the  remaining  fan, 
there  is  an  IFM  to  swap  power  supplies  assuming  the  second  failure  is  not  a  power  supply  failure. 
@[040899-2500] 

B.  FOR  ROTATING  EQUIPMENT  THAT  IS  DEGRADED  FROM  NORMAL  OPERATING 
LEVELS,  BUT  ABOVE  LOSS  DEFINITIONS  FOR  REASONS  OTHER  THAN 
LOSS  OF  A  PHASE,  THE  FOLLOWING  MANAGEMENT  WILL  BE  APPLIED: 

1.  FOR  EQUIPMENT  THAT  WOULD  CAUSE  EARLY  MISSION  TERMINATION 
IF  THE  EQUIPMENT  COULD  NOT  BE  RESTARTED,  THE  DEGRADED 
EQUIPMENT  WILL  CONTINUE  TO  BE  OPERATED,  PROVIDED  NO 
SAFETY  HAZARD  EXISTS. 

If  equipment  is  degrading  for  reasons  other  than  loss  of  a  phase  (bearing  seizure,  material  failure,  etc.) 
then  restarting  that  piece  of  equipment  could  not  be  guaranteed  (static  friction  being  greater  than 
dynamic  friction  ).  If  the  equipmen  t  is  required  GO  for  GO/NO-GO  purposes,  then  it  would  have  to  be 
shown  that  it  would  restart  once  it  was  deactivated.  This  could  cause  early  mission  termination. 

Therefore,  it  would  be  prudent  to  remain  on  the  degraded  equipment  until  the  performance  violates  its 
loss  definition,  provided  no  safety  hazard  exists.  @[032894-1 751  A] 
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2.  FOR  EQUIPMENT  THAT  WOULD  NOT  CAUSE  EARLY  MISSION 

TERMINATION  IF  IT  COULD  NOT  BE  RESTARTED,  THE  DEGRADED 
EQUIPMENT  WILL  BE  SWITCHED  TO  THE  ALTERNATE  EQUIPMENT. 
@[032894-1 751  A] 

Since  the  equipmen  t  is  not  required  GO  for  GO-NO/GO  purposes ,  it  would  be  pruden  t  to  switch  from  the 
degraded  equipmen  t.  This  would  eliminate  the  risk/probability  of  a  safety  hazard  while  having  no  EOM 
impacts. 

Documentation:  SODB  Vol.  TV  4. 1.6. 3,  4. 1.6. 4,  Hamilton  Standard,  SP  01TB0  [Item  SV  6405  ( Avionics 
Fans),  SV  6470  (Humidity  Separator),  SV  6416  (IMU fans)],  MCR  6159  (Rockwell’s  pitch  to  the  CCB  on 
10/12/79  about  starting  fans  on  two  phases).  Engineering  judgment.  @[032395-1 751  A] 
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A17-155  REGENERATIVE  CQ2  REMOVAL  SYSTEM  (RCRS)  MANAGEMENT 

A.  ASCENT/ENTRY  OPERATIONS 

THE  RCRS  WILL  BE  DEACTIVATED  FOR  ASCENT  AND  ENTRY. 

The  RCRS  requires  a  vacuum  source  to  operate  properly.  Since  a  vacuum  source  is  not  available  during 
ascen  t  and  entry,  the  unit  is  deactivated.  LiOH  canisters  provide  PPCO2  con  trol  during  these  periods. 

If  the  RCRS  remains  activated  through  entry,  the  loss  of  vacuum  source  will  cause  the  RCRS  to  shut 
down  and  will  not  damage  the  RCRS. 

DOCUMENTATION :  Engineering  judgment. 

B.  ORBIT  OPERATIONS 

1.  ACTIVATION/DEACTIVATION 

THE  RCRS  WILL  BE  ACTIVATED  AS  SOON  AS  PRACTICAL  ONCE  ON 
ORBIT  POST-OMS  2  AND  DEACTIVATED  AS  LATE  AS  PRACTICAL 
PRE-DEORBIT  BURN. 

The  RCRS  serves  a  highly  critical  PPCO2  removal  function.  Without  a  successful  RCRS  activation, 
mission  duration  is  limited  by  the  number  of  LiOH  canisters  flown.  Early  on-orbit  RCRS  activation 
allows  immediate  determination  of  whether  the  unit  is  operating  properly  allowing  the  crew  maximum 
utility  of  the  remaining  LiOH  canisters  for  entry  planning.  Troubleshooting  and  failure  impact  can  then 
begin  as  soon  as  this  information  is  known. 

Deactivating  the  RCRS  late  in  the  deorbit  timeframe  minimizes  usage  of  the  manifested  LiOH  canisters 
in  the  event  the  mission  is  waved  off  for  weather  or  system  failures.  When  the  RCRS  is  deactivated,  a 
fresh  LiOH  canister  will  have  been  installed  to  control  CO2  levels  through  the  remainder  of  deorbit 
prep  and  through  entry. 

DOCUMENTATION :  Engineering  judgment. 

2.  REACTIVATION 

IF  THE  RCRS  HAS  BEEN  DEACTIVATED  FOR  DEORBIT  PREP,  THE 
RCRS  WILL  NOT  BE  REACTIVATED  FOR  WAVE-OFF  ORBITS,  BUT 
WILL  BE  REACTIVATED  FOR  A  WAVE-OFF  DAY  IF  CONSUMABLES 
PERMIT . 

THIS  RULE  CONTINUED  ON  NEXT  PAGE 
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A17-155  REGENERATIVE  CQ2  REMOVAL  SYSTEM  (RCRS)  MANAGEMENT 

(CONTINUED) 


For  wave- off  orbits,  the  RCRS  is  not  reactivated  since  RCRS  activation  coupled  with  LiOH  canister 
removal  during  the  busy  deorbit  prep  period  creates  an  unacceptably  high  crew  workload. 

For  wave-off  days,  the  RCRS  is  reactivated  to  save  LiOH  but  only  if  cryogenic  consumables  permit  the 
additional  power  consumption.  Generally,  sufficient  stowed  LiOH  cans  will  permit  at  least  two  days  of 
mission  extension.  The  LiOH  canister  installed  for  RCRS  deactivation  will  be  removed  for  later  use. 

DOCUMENTATION :  Engineering  judgment. 

3.  CABIN  AND  AIRLOCK  DEPRESS 

THE  RCRS  WILL  BE  DEACTIVATED  DURING  A  CABIN  DEPRESS  OR  AN 
AIRLOCK  DEPRESS. 

The  RCRS  controller  logic  will  shut  down  during  cabin  depresses  or  during  an  airlock  depress  since  the 
failure  logic  criteria  will  be  satisfied  due  to  vacuum  vent  line  or  cabin  pressure  inputs.  When  the  unit 
shuts  down,  a  fault  summary  message  (S66  CO 2  RL  SYS  MALF)  will  be  generated  and  a  fault  light 
( panel  M051F)  lit.  Once  shutdown  has  occurred,  the  unit  must  be  powered  down  and  repowered  in  an 
orderly  fashion  to  regain  RCRS  operations.  Due  to  the  high  probability  of  this  shutdown  occurring 
during  a  critical  time  period,  it  is  preferred  to  manually  shut  down  the  unit  during  these  events.  After 
these  time  periods,  the  RCRS  will  be  reactivated. 

CO 2  removal  during  this  period  is  of  little  concern  since  the  deactivation  duration  is  short  (-20  minutes) 
and  since  the  partial  pressure  of  CO  2  will  decrease  simply  from  the  reduction  of  cabin  or  airlock 
pressure. 

4.  FOR  LOSS  OF  THE  RCRS,  LIOH  CANS  WILL  BE  INSTALLED  AND 
WILL  DETERMINE  EOM . 

When  the  RCRS  is  lost  (loss  ofPPC02  insight  or  total  functioned  loss  (ref.  Rule  {A17-106}, 
REGENERATIVE  C02  REMOVAL  SYSTEM  (RCRS)  LOSS  DEFINITION )),  either  proper  evaluation  of 
the  RCRS  CO2  removal  capability  is  not  possible  or  CO2  control  is  lost.  Without  PPCO2  insight,  the 
proper  action  is  to  install  and  remove  LiOH  cans  on  a  regular  basis  to  ensure  adequate  CO2  control. 

Similarly,  installation  of  LiOH  cans  subsequent  to  a  toted  RCRS  functioned  loss  is  required  to  regain 
proper  CO2  control. 

Due  to  the  limited  number  of  cans  stowed,  their  number  will  determine  EOM. 
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A17-156  RCRS  MANUAL  SHUTDOWN  CRITERIA 

THE  RCRS  WILL  BE  MANUALLY  SHUT  DOWN  FOLLOWING  EITHER  A  CABIN  OR 
AN  AVIONICS  BAY  FIRE. 

In  the  event  of  either  an  orbiter  cabin  or  avionics  bay  fire,  presenting  the  RCRS  CO2  removal  capability 
is  of  primary  importance  due  to  the  limited  number  ofLiOH  canisters  flown.  Fire/smoke  contaminants 
will  be  removed  from  the  orbiter  atmosphere  with  either  fresh  or  used  LiOH/charcoal  and  ATCO 
canisters.  Exposure  of  the  RCRS  solid  amine  beds  to  fire  contaminants  causes  irreversible  damage  to 
the  RCRS  CO  2  removal  capability.  Of  the  most  probable  orbiter  fire  combustion  products  (CO  2,  CO, 
COF2,  HF,  HCL,  HCN,  SO2,  HOx,  CFgBr),  the  HCF,  HF,  and  HCN  react  irreversibly  with  solid  amine. 
Once  absorbed,  these  gases  will  not  be  removed  on  exposure  to  vacuum  through  normal  operation  but 
will  remain  on  the  surface  adsorption  sites,  degrading  RCRS  CO2  removal  capability.  Additionally, 
RCRS  post-fire  contaminant  removal  is  inefficient  due  to  the  limited  RCRS  airflow.  After  the 
contaminants  have  been  removed  from  the  air  environment  via  FiOH/ATCO  canisters,  the  RCRS  will  be 
reactivated  to  continue  CO 2  removal  operations.  Reference  Flight  Rule  (A17-53CJ.3  and  D.4,  FIRE 
AND  POST-FIRE  ACTIONS. 

DOCUMENTATION :  Engineering  judgment. 


A17-157  LIOH  RED LINE  DETERMINATION 

A  MINIMUM  OF  2  DAYS  OF  UNUSED  LIOH  CANS  MUST  BE  HELD  IN  RESERVE 
FOR  CONTINGENCY  USE  THROUGH  PLANNED  NOMINAL  END  OF  MISSION.  A 
MAXIMUM  PPCO2  OF  7.6  MMHG  WILL  BE  PROTECTED,  UNLESS  MISSION- 
SPECIFIC  PAYLOAD  CONSTRAINTS  (REFERENCE  PAYLOAD  ANNEX  FOR  THAT 
MISSION)  DICTATE  MORE  RESTRICTIVE  LIMITS.  @[032395-1749] 

Since  the  capability  of  a  used  (bagged)  can  is  assessed  only  through  analysis  and  cannot  be  guaranteed, 
only  unused  LiOH  cans  will  be  counted  towards  the  redline.  Enough  unused  standard  LiOH  canisters 
should  be  held  in  reserve  to  allow  a  minimum  of  2  days  of  CONUS  landing  site  opportunities  in  the  event 
the  prime  form  of  CO2  removal  is  lost  (i.e.,  CO2  removal  system,  LiOH  cans  in  excess  of  redline,  ISS 
CO2  removal  system  while  docked ).  If  a  repair  cannot  be  completed  before  using  LiOH  from  the  2-day 
reserve,  a  next  PLS  should  be  declared.  The  only  form  of  CO  2  removal  after  all  LiOH  is  depleted  would 
be  to  perform  cabin  air  overboard  purges  which  will  support  as  little  as  2  hours  of  CO 2  control 
(assumes  seven  crewmembers,  start  and  maintain  7.6  mmHg  CO2,  N2  consumables  at  redline).  As  a 
guideline,  the  number  ofLiOH  canisters  required  for  2  days  at  7.6  mmHg  equals  the  number  of 
crewmembers  on  board  (a  LiOH  canister  provides  CO2  removal  for  approximately  50  man-hours). 
Real-time  or  mission-specific  assessments  may  override  this  guideline.  @[032395-1749  ] 
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A17-158  MANAGEMENT  OF  LIOH  CANS  FOR  ADDITIONAL  DAYS 

A.  WHEN  ADDITIONAL  MISSION  DAYS  ARE  DESIRED,  A  CHANGEOUT  PLAN 
UTILIZING  A  PPCO2  LEVEL  OF  7 . 6  MMHG  MAY  BE  USED  IF  NEEDED  TO 
CREATE  LIOH  MARGIN.  IN  ORDER  TO  ACHIEVE  MAXIMUM  MISSION 
DURATION  AND  TO  MINIMIZE  BAGGING  AND  REUSE  OF  CANS,  7.6 
CHANGEOUT  SCHEDULES  SHOULD  BE  IMPLEMENTED  AS  SOON  AS 
POSSIBLE.  MISSION-SPECIFIC  PAYLOAD  CONSTRAINTS  MAY  DICTATE 
WHETHER  THIS  MAXIMUM  PPCC^  LEVEL  (AND  THEREFORE  THE  MISSION 
EXTENSION)  CAN  BE  SUPPORTED.  FLIGHT  SPECIFIC  EXCEPTIONS  WILL 
BE  DOCUMENTED  IN  THE  ANNEX.  ®[032395-1748A] 

B.  WHEN  EXTENSION  OF  MISSION  DURATION  REQUIRES  USED  (BAGGED) 

LIOH  CANS,  THE  FOLLOWING  GUIDELINES  WILL  APPLY: 

1.  NO  BAGGED  CAN  WITH  LESS  THAN  1  LBM  OF  LIOH  REMAINING  WILL 
BE  CONSIDERED. 

2.  BAGGED  CANS  WILL  BE  USED  AS  EARLY  AS  POSSIBLE. 

3.  ONE  USED  CAN  WILL  BE  UTILIZED  IN  COMBINATION  WITH  ONE 
FRESH  CAN. 

4.  THE  PPCO2  WILL  BE  NORMALLY  MANAGED  BELOW  7.6  MMHG. 
ADDITIONAL  PAYLOAD  CONSTRAINTS  MAY  REQUIRE  LOWER  PPCG» 
LEVELS;  HOWEVER,  THESE  LOWER  LEVELS  WILL  MAKE  RE-USE  OF 
CANS  LESS  EFFECTIVE. 


When  mission  days  are  added  to  a  flight  after  pre-flight  planning  has  already  dictated  the  use  of  a 
“standard”  LiOH  changeout  schedule  ( cue  card),  a  “7.6  Changeout  Schedule”  is  the  preferred  way  to 
ensure  desired  mission  extension.  Utilizing  fresh  LiOH  until  a  PPCO2  level  of  7.6  mmHg  is  reached 
maximizes  the  efficiency  of  each  can.  Analysis  and  implementation  of  such  a  plan  is  straightforward, 
since  the  amount  of  LiOH  in  each  fresh  (unused)  can  is  always  known.  The  amount  of  LiOH  in 
previously  used  cans  is  not  known.  This  amount  is  arrived  at  by  analysis  only  and  is  subject  to  variables 
such  as  actual  crew  metabolic  rates,  exactly  when  a  can  has  been  changed  out,  and  how  well  it  has  been 
sealed. 

Whenever  a  7.6  plan  is  being  considered,  it  should  always  be  implemented  as  soon  as  possible.  The 
longer  a  decision  is  delayed  about  the  use  of  a  7.6  plan,  the  greater  the  uncertainty  (amount  of  LiOH  in 
bagged  cans).  ®[032395-i748A] 
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A17-158  MANAGEMENT  OF  LIOH  CANS  FOR  ADDITIONAL  DAYS 

(CONTINUED) 


Circumstances  may  be  such  that  mission  duration  extension  can  only  be  achieved  through  the  use  of 
previously  used  LiOH  cans.  However,  cans  with  less  than  1  Ibm  of  usable  LiOH  remaining  do  not  have 
sufficient  CO  2  removal  capability  to  be  of  practical  use.  ®[032395-l  748A] 

Since  the  amoun  t  of  LiOH  in  used  cans  is  estimated,  they  should  be  used  as  much  as  possible  before  the 
end  of  the  mission.  Further,  since  CO 2  removal  rate  degrades  substantially  as  the  quantity  of  LiOH 
remaining  decreases,  it  is  not  always  possible  to  maintain  acceptable  CO2  rates,  even  though  LiOH  is 
being  consumed  out  of  the  can.  Installing  a  used  can  with  afresh  can  allows  the  used  can  to  completely 
deplete  while  the  fresh  can  maintains  con  trol  over  CO2  levels. 

DOCUMENTATION :  Engineering  judgmen  t.  @[032395-1 748A] 

A17-159  THROUGH  A17-200  RULES  ARE  RESERVED 
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PRESSURE  CONTROL  SYSTEMS  (PCS)  LOSS  DEFINITIONS 


A17-201  CABIN  PRESSURE  INTEGRITY 

CABIN  PRESSURE  INTEGRITY  IS  CONSIDERED  LOST  IF: 

A.  ASCENT: 

1.  A  NONISOLATABLE  LEAK  >  0.15  PSIA/MIN  WILL  RESULT  IN  THE 
INTACT  ABORT  THAT  WILL  PROVIDE  THE  EARLIEST  AVAILABLE 
RETURN  AND  LANDING  TIME. 

2.  A  NONISOLATABLE  LEAK  >  0.02  PSIA/MIN,  AND?  0.15 
PSIA/MIN,  WILL  RESULT  IN  AN  AOA  ABORT  (GROUND  CALL) . 

3.  FOR  A  NONISOLATABLE  LEAK  ?  TO  0.02  PSIA/MIN,  OR  ANY  LEAK 
WHICH  OCCURS  AFTER  THE  CLOSE  OF  THE  AOA  WINDOW,  PARAGRAPH 
B  WILL  DETERMINE  EOM . 

NOTE:  ALL  DP/DT  VALUES  REFERENCED  IN  THIS  RULE  ARE  ASSUMED  TO 

BE  AN  EQUIVALENT  DP/DT  AT  14.7  PSI  CABIN  PRESSURE  AND 
NEGATIVE  IN  SIGN. 

The  rationale  for  selecting  one  dp/dt  on  which  to  call  an  immediate  abort  comes  from  the  assumption 
that  any  penetration  through  the  cabin  wall  always  has  the  possibility  of  propagating,  thereby  increasing 
the  leak  rate.  The  numbers  contained  in  this  rule  and  rationale  are  leak  rates  which  confirm  a  cabin 
leak  during  the  different  phases  of  ascent.  Additionally,  the  numbers  include  a  margin  to  protect  for 
an  increase  in  the  leak  rate.  The  leak  rate  of  0.15  psia/min  is  the  dp/dt  limit  for  an  orbit  3  deorbit 
opportunity  which  protects  for  an  8  psi  cabin  to  the  ground.  In  order  to  provide  margin  against  an 
increase  in  the  leak  rate,  the  intact  abort  that  results  in  the  quickest  return  and  landing  will  be  selected 
for  any  cabin  leak  rate  that  remains  above  0.15  psia/min  (both  on-orbit  and  ground  call).  @[120894-1740  ] 

The  highest  probability  of  the  leak  occurring  is  during  the  first  few  minutes  of  flight  when  the  drop  in 
atmospheric  pressure  creates  a  large  delta  in  pressure  across  the  cabin  wall.  However,  during  the  first 
2  minutes  of  flight,  cabin  stretch  (by  ?  -0.07  psia/min)  and  LESflow  (by  ?  +0.02  psia/min)  will  bias  any 
dp/dt  that  is  associated  with  a  true  leak.  By  selecting  a  leak  rate  of  0.15  psia/min  as  the  immediate  abort 
call,  a  dp/dt  of  this  size  will  provide  positive  indication  of  a  cabin  leak  at  any  point  during  ascent. 
@[120894-1740  ] 
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A17-201  CABIN  PRESSURE  INTEGRITY  (CONTINUED) 

A  leak  rate  in  the  range  0.02  <  dp/dt  ?  0.15  will  allow  continuing  to  orbit  and  then  performing  leak 
isolation  procedures  to  determine  whether  the  leak  can  be  stopped.  A  leak  rate  of  -0.02  would  cdlow  a 
landing  at  the  next  PLS.  However,  an  AO  A  will  be  performed  to  provide  additional  margin  should  the 
leak  rate  increase.  This  leak  rate  is  small  enough  to  cdlow  conservatism,  but  also  large  enough  to  not  be 
masked  by  the  post-MECO  transient  (?  -0.02)  so  that  a  NO-GO  call  for  APU  shutdown  can  be  made  for 
a  reed  leak.  ®[i  20894-1 740  ]  ®[ED  ] 

The  onboard  AO  A  call  will  be  0.08  psici/min  which  will  be  used  for  crew  loss  of  communication 
procedures.  This  leak  rate  trips  the  class  1  Klaxon  alarm  and,  therefore,  cues  the  crew  to  a  possible 
cabin  leak  and  to  cross  check  with  a  cabin  pressure  decrease.  The  C&W  dp/dt  limit  is  set  at  0.08 
psici/min  to  prevent  nuisance  alarms  during  the  period  from  lift  off  to  MECO  when  cabin  pressure  is 
transient  due  to  LES  helmet  flow,  thermal  cmd  external  pressure  drop  effects. 

DOCUMENTATION:  Engineering  judgmen  t.  @[120894-1740]  ®[ED  ] 

B.  ON-ORBIT: 

A  NONISOLATABLE  LEAK  SUCH  THAT  O2/N2  CONSUMABLES  CAPABILITY 
WILL  NOT  ALLOW  A  NEXT  PLS  ENTRY  AT  14.7  (10.2  IF  ALREADY  IN 

10.2  PSIA  OPS)  PSIA  PLUS  THE  GREATER  CONSUMABLE  REQUIREMENT 
OF  THE  FOLLOWING: 

1.  A  48-HOUR  FLIGHT  EXTENSION  AT  14.7  (10.2  IF  ALREADY  IN 

10.2  PSIA  OPS)  PSIA  BEYOND  THE  NEXT  PLS  OPPORTUNITY,  OR 

2.  THE  PLANNED  CONSUMABLES  FOR  THE  165-MINUTE,  8  PSIA 
CONTINGENCY  RETURN  REQUIREMENT 

Cabin  pressure  integrity  for  on-orbit  operations  is  defined  to  be  lost  at  the  point  where  normal 
operations  can  no  longer  take  place  (i.e.,  14.7  (10.2  if  already  in  10.2  psia  ops )  psia  cabin  plus  all 
reserves  remaining  intact).  The  two  reserves  which  must  be  included  to  define  loss  of  cabin  pressure 
integrity  are:  (1)  The  required  consumables  to  maintain  14.7  (10.2  if  already  in  10.2  psia  ops)  psia  for 
two  mission  extension  days,  or  (2)  Loss  of  the  165-minute,  8  psia  contingency  reserve  which  would  not 
allow  cm  emergency  deorbit  should  one  become  necessary.  Allowing  for  all  three  of  the  above  named 
consumable  requirements  does  not  leave  sufficient  margin  between  loaded  quantities  cmd  what  is 
required  for  contingency.  Therefore,  only  the  greater  of  the  two  reserves  is  required  in  addition  to  the 
14.7  (10.2  if  already  in  10.2  psia  ops)  psia  cabin  maintenance  to  the  next  PLS. 

Rules  (A2-301}, CONTINGENCY  ACTION  SUMMARY;  and  {A17-305},  14.7  PSIA  CABIN 
REPRESSURIZATION  LIMITATION;  {A9-251},  CRYO  HEATER  MANAGEMENT  FOR  ASCENT;  and 
(A1 7-1001 },  LIFE  SUPPORT  GO/NO-GO  CRITERIA,  reference  this  rule. 
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A17-202  8  PSIA  CABIN  CONTINGENCY  165-MINUTE  RETURN 

CAPABILITY 

THE  8  PSIA  CABIN  CONTINGENCY  (165  MINUTES)  RETURN  CAPABILITY  IS 
CONSIDERED  LOST  IF: 

A.  AT  LEAST  2.5  LB  O2 /HR/CREWMEMBER  CANNOT  BE  SUPPLIED  TO  THE 
LES  HELMETS. 

The  8  psia  cabin  may  present  an  unacceptable  atmosphere  for  normal  breathing  (PPO2  can  drop  below 
2.5  psia),  in  which  case  the  LES  helmets  must  be  worn.  A  20  lb /hr  flowrate  to  the  LES  helmet  manifold  is 
necessary  to  provide  eight  LES  helmets  with  2.5  Ib/hr  O2  (11.0  liters/minute).  This  means  sufficient 
upstream  pressure  must  be  supplied  from  the  ciyo  tanks  to  accommodate  LES  helmet  flowrates  during 
LES  helmet  operations.  The  2.5  Ib/hr  can  supply  enough  O2  to  allow  regular  breathing  both  at  rest  and 
during  a  state  of  excitemen  t  in  a  resting  position. 

DOCUMENTATION:  (TWO-WAY MEMO  RECEIVED  FROM  J.  WALIGORA/SD5  DATED  2/2/87). 

B.  TOTAL  N2  QUANTITY  IS  LESS  THAN  THE  N2  REDLINE .  @[050400-7196] 

The  N2  Redline  (also  defined  as  the  8  psia  cabin  contingency  165-minute  return  capability  requirement) 
is  determined  by  the  summation  ofN2  tank  measurement  error  and  residuals  (MER)  and  the  N2 
required  to  support  the  8  psia  cabin  pressure  maintenance  duration  following  a  bleed  down  to  8  psia. 

1.  FOR  AN  INITIAL  CABIN  PRESSURE  OF  14.7  PSIA,  THE  N? 

REDLINE  IS  THE  VOLUME-DEPENDENT  AMOUNT  SHOWN  IN  THE 
FOLLOWING  TABLE.  @[050400-7196] 
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A17-202  8  PSIA  CABIN  CONTINGENCY  165-MINUTE  RETURN 

CAPABILITY  (CONTINUED) 


VEHICLE  CONFIGURATION 

N2  REDLINE  (LI 

BM  N2) 

2  TKS 

3  TKS 

4  TKS 

5  TKS 

6  TKS 

7  TKS 

8  TKS 

103.9 

111.7 

119.3 

126.8 

134.1 

141.4 

148.7 

ORB  +  INT  ARLK  +  TNL  ADPTR 

101.0 

108.8 

116.4 

123.9 

131.2 

138.5 

145.8 

ORB  +  INT  ARLK  +  TNL  ADPTR  +  SHORT 
TNL  +  SINGLE  HAB 

76.7 

84.5 

92.1 

99.6 

106.9 

114.2 

121.5 

ORB  +  INT  ARLK  +  TNL  ADPTR  +  SHORT 
TNL  +  DOUBLE  HAB 

53.0 

60.8 

68.4 

75.9 

83.2 

90.5 

97.8 

ORB  +  INT  ARLK  +  TNL  ADPTR  +  LONG 
TNL  +  SINGLE  HAB 

72.5 

80.3 

87.9 

95.4 

102.7 

110.0 

117.3 

ORB  +  INT  ARLK  +  TNL  ADPTR  +  LONG 
TNL  +  DOUBLE  HAB 

48.2 

56.0 

63.6 

71.1 

78.4 

85.7 

93.0 

ORB  +  EXT  ARLK 

99.1 

106.9 

114.5 

122.0 

129.3 

136.6 

143.9 

ORB  +  EXT  ARLK  +  TNL  ADPTR 

95.8 

103.6 

111.2 

118.7 

126.0 

133.3 

140.6 

ORB  +  EXT  ARLK  +  TNL  ADPTR  + 

SHORT  TNL  +  SINGLE  HAB 

71.6 

79.4 

87.0 

94.5 

101.8 

109.1 

116.4 

ORB  +  EXT  ARLK  +  TNL  ADPTR  + 

SHORT  TNL  +  DOUBLE  HAB 

48.3 

56.1 

63.7 

71.2 

78.5 

85.8 

93.1 

ORB  +  EXT  ARLK  +  TNL  ADPTR  +  LONG 
TNL  +  SINGLE  HAB 

67.8 

75.6 

83.2 

90.7 

98.0 

105.3 

112.6 

@[050400-7196] 


The  8  psia  cabin  pressure  maintenance  duration  requirement  is  based  on  the  amount  ofN2  required  to 
support  a  cabin  leak  caused  by  a  0.45-inch  diameter  hole  and  a  landing  165  minutes  later.  The  165 
minutes  consists  of  two  distinct  durations:  1)  The  volume-dependent  time  required  for  the  cabin  pressure 
to  “bleed  down”  from  an  initial  cabin  pressure  to  8  psia  during  which  no  N2  is  used,  and  2)  The 
duration  at  8  psia  where  the  emergency  8  psia  cabin  regulators  flow  N 2  (and  O2)  to  make  up  for  the 
cabin  air  loss  and  to  maintain  the  cabin  pressure  at  8  psia.  The  entire  orbiter  volume,  including 
modules,  will  be  used  to  support  the  cabin  leak.  Larger  volumes  allow  for  a  longer  bleed  down  time  to  8 
psia,  and  N2  will  not  be  used  until  the  cabin  pressure  reaches  8  psia;  as  the  toted  usable  volume 
increases,  the  amoun  t  ofN2  required  to  make  the  balance  of  the  165 -minute  duration  decreases. 
@[050400-7196] 
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A17-202  8  PSIA  CABIN  CONTINGENCY  165-MINUTE  RETURN 

CAPABILITY  (CONTINUED) 


The  165-minute  contingency  return  requirement  assumes  an  intermittent  flow  of  17  Ibm/hr  O  2  from  the 
direct  O2  orifice  and  an  intermittent  flow  of  23  Ibm/hr  O  2  from  the  cabin  pressure  regulator  to  manage 
O2  levels  in  the  cabin  environment.  It  also  assumes  a  starting  cabin  pressure  of  14.7 psia,  PPO2  of  3.20 
psia,  and  temperature  of  70  deg  F.  The  actual  amount  ofN2  required  to  support  the  8  psia  cabin 
maintenance  duration  is  shown  in  the  table  below.  @[050400-7196  ] 


VEHICLE  CONFIGURATION 

VOLUME  (ft3) 

8  PSIA  MAINTENENCE 
REQ’T  (LBMN2) 

Orb  +  Int  Arlk 

2475 

85.2 

Orb  +  Int  Arlk  +  Tnl  Adptr 

2605 

82.3 

Orb  +  Int  Arlk  +  Tnl  Adptr  +  Short  Tnl  +  Single  Hab 

3718 

58.0 

Orb  +  Int  Arlk  +  Tnl  Adptr  +  Short  Tnl  +  Double  Hab 

4824 

34.3 

Orb  +  Int  ArLk  +  Tnl  Adptr  +  Long  Tnl  +  Single  Hab 

3921 

53.8 

Orb  +  Int  Arlk  +  Tnl  Adptr  +  Long  Till  +  Double  Hab 

5027 

29.5 

Orb  +  Ext  Arlk 

2703 

80.4 

Orb  +  Ext  Arlk  +  Tnl  Adptr 

2833 

77.1 

Orb  +  Ext  Arlk  +  Tnl  Adptr  +  Short  Tnl  +  Single  Hab 

3946 

52.9 

Orb  +  Ext  Arlk  +  Tnl  Adptr  +  Short  Tnl  +  Double  Hab 

5052 

29.6 

Orb  +  Ext  ArLk  +  Tnl  Adptr  +  Long  Tnl  +  Single  Hab 

4149 

49.1 

Orb  +  Ext  Arlk  +  Tnl  Adptr  +  Long  Tnl  +  Double  Hab 

5255 

24.2 

N2  tank  measurement  error  (4.05  Ibm/tcmk  RSS’d)  and  residuals  (6.5  Ibm/tcmk)  are  shown  in  the  table 
below.  Nominal  management  of  the  N2  systems  (ref  Rule  {A17-257J,  N2  SYSTEM  MANAGEMENT)  has 
both  N2  systems  being  used  as  one  system.  Therefore,  MER  determination  should  be  based  on  all  N2 
tanks  being  used  to  supply  N2  to  the  cabin. 


N?  (LBM) 

2  TKS 

3  TKS 

4  TKS 

5  TKS 

6  TKS 

7  TKS 

8  TKS 

Measurement  Error 

5.7 

7.0 

8.1 

9.1 

9.9 

10.7 

11.5 

Residuals 

13.0 

19.5 

26.0 

32.5 

39.0 

45.5 

52.0 

MER  (TOTAL) 

18.7 

26.5 

34.1 

41.6 

48.9 

56.2 

63.5 

@[050400-7196] 
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A17-202  8  PSIA  CABIN  CONTINGENCY  165-MINUTE  RETURN 

CAPABILITY  (CONTINUED) 


2.  FOR  AN  INITIAL  CABIN  PRESSURE  OF  10.2  PSIA,  ADD  THE 

FOLLOWING  N2  QUANTITY  TO  THE  14.7  PSIA  REQUIREMENT  IN 
PARAGRAPH  1  TO  GET  THE  N2  REDLINE  (165-MIN  CONTINGENCY 
RETURN  CAPABILITY  REQUIREMENT)  .  @[050400-7196] 


IF  THE  FOLLOWING  VOLUME  IS  AT  10.2 

ADD  THIS  QUANTITY  TO  THE 
14.7  PSIA  REDLINE  (LBM  N2) 

ORB  +  INT  ARLK 

40.8 

ORB  +  INT  ARLK  +  TNL  ADPTR 

42.6 

ORB  +  INT  ARLK  +  TNL  ADPTR  +  SHORT  TNL  +  SINGLE  HAB 

56.7 

ORB  +  INT  ARLK  +  TNL  ADPTR  +  SHORT  TNL  +  DOUBLE  HAB 

69.7 

ORB  +  INT  ARLK  +  TNL  ADPTR  +  LONG  TNL  +  SINGLE  HAB 

59.5 

ORB  +  INT  ARLK  +  TNL  ADPTR  +  LONG  TNL  +  DOUBLE  HAB 

73.9 

ORB  +  EXT  ARLK 

43.9 

ORB  +  EXT  ARLK  +  TNL  ADPTR 

46.3 

ORB  +  EXT  ARLK  +  TNL  ADPTR  +  SHORT  TNL  +  SINGLE  HAB 

59.1 

ORB  +  EXT  ARLK  +  TNL  ADPTR  +  SHORT  TNL  +  DOUBLE  HAB 

71.9 

ORB  +  EXT  ARLK  +  TNL  ADPTR  +  LONG  TNL  +  SINGLE  HAB 

62.6 

ORB  +  EXT  ARLK  +  TNL  ADPTR  +  LONG  TNL  +  DOUBLE  HAB 

76.2 

If  the  orbiter  volume  is  at  10.2  psia,  the  additional  /V2  is  the  amount  required  to  give  the  same  165 -min 
return  capability  for  a  cabin  leak  at  an  initial  cabin  pressure  of  10.2  psia  as  exists  with  an  initial  cabin 
pressure  of  14.7  psia.  Because  the  bleed  down  duration  from  10.2  to  8  psia  is  shorter  than  the  bleed 
down  time  from  14.7  to  8  psia,  the  8  psia  cabin  pressure  maintenance  duration  is  longer;  therefore,  more 
N2  is  required.  To  determine  the  toted  8  psia  maintenance  duration  requirement  for  an  initial  pressure 
of  10.2  psia,  the  N2  quantity  from  the  table  above  should  be  added  to  the  8  psia  maintenance  N2 
requirement  from  the  table  in  the  Paragraph  B.l  rationale. 

DOCUMENTATION :  DF7/93-39,  Cabin  Leak  Analysis  (0.45  in  Hole  in  Cabin,  165-Minute  Return 
Capability),  11/16/93;  and  Level  B  Groundrules  and  Constraints.  ®[i  21 593-1 597  ] 

Rules  (A17-302CJ,  10.2  PSIA  CABIN  DEPRESSURIZATION  CONSTRAINTS;  {A17-1001D},  LIFE 
SUPPORT  GO/NO-GO  CRITERIA;  and  {A2-54D}.6,  RTLS,  TAL,  AND  AOA  ABORTS  FOR  SYSTEMS 
FAILURES  [ CIL],  reference  this  rule.  @[050400-7196  ] 
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A17-203  PPQ2  CONTROL 

PPC>2  CONTROL  IS  CONSIDERED  LOST  WHEN  BOTH  AUTOMATIC  AND  MANUAL 
METHODS  OF  CONTROLLING  PCS  OXYGEN  SUPPLY  CAN  NO  LONGER  CONTROL 
THE  AMOUNT  OF  OXYGEN  FLOWING  INTO  THE  CABIN. 

The  ability  to  control  PPO2  inside  the  crew  module  is  dependent  on  the  integrity  of  the  oxygen  supply 
lines,  valves,  sensors,  and  automatic  controllers.  Control  is  considered  lost  on  the  low  side  when  oxygen 
can  no  longer  be  fed  to  the  cabin.  This  will  even  tually  result  in  the  PPO2  level  inside  the  cabin  dropping 
to  unsafe  limits  due  to  crew  metabolic  consumption  of  oxygen  and  cabin  leakage. 

PPO2  con  trol  is  considered  lost  on  the  high  side  when  an  unisolatable  oxygen  leak  occurs  or  the  crew  is 
required  to  wear  their  launch/en  try  suit  helmets  for  a  period  of  time  which  causes  the  percent  oxygen 
level  in  the  cabin  to  exceed  the  GO/NO-GO  criteria  for  a  PLS  (ref.  Rule  {A  17-1001  Dj.  3,  LIFE 
SUPPORT  GO/NO-GO  CRITERIA).  Depending  on  the  leak  rate,  early  termination  will  probably  be 
necessary  due  to  high  oxygen  concentration  within  the  cabin. 

DOCUMENTATION :  Engineering  judgment. 

Rules  {A1 7-301  j,  CABIN  ATMOSPHERE  MANAGEMENT;  and  {A17-1001D},  LIFE  SUPPORT  GO/NO- 
GO  CRITERIA,  reference  this  rule. 
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A17-204  N2  SUPPLY 

A.  THE  PCS  N2  SUPPLY  IS  CONSIDERED  LOST  IF  THE  Nj  TANK  PRESSURE 

IS  <  200  (375)  PSIA.  ®[ED  ] 

The  /V2  regulators  control  the  N2  pressure  to  the  cabin  regulators  to  200  +  15  psig.  If  the  N2  tank 
pressure  is  <  200  psia,  the  N2  regulator  loses  control  and  regulator  flow  may  not  be  adequate  to  meet 
the  demand  of  the  14. 7  psi  cabin  regulator.  Below  200  psia,  the  N2  supply  is,  for  all  practical  purposes, 
lost. 

DOCUMENTATION:  SODB  4.6.1. 1.4.A.3. 

MODULE 

B.  LOST  IF  N2  TANK  PRESSURE  IS  <300  PSIA/20.7  BARS. 

The  operating  range  of  the  N2  tank  is  300  to  3306  psi.  The  N2  tank  residual  is  7  pounds  mass  (Ibm)  at  a 
tank  pressure  of 300  psia. 

Reference:  SLODB  3.2.4  and  MSFC  Memorandum  for  Record,  EP  45  (83-103),  August  31,  1983, 
Subject:  Updated  SL-1  O2/N2  Consumables  Analysis  Results.  ®[ED  ] 

A17-205  PPQ2  SENSOR  LOSS  DEFINITION 

A  SINGLE  PP02  SENSOR  WILL  BE  CONSIDERED  LOST  IF  IT  DEVIATES  MORE 
THAN  0.15  PSI  FROM  THE  NEAREST  READING  OF  THE  TWO  SENSORS  THAT 
ARE  WITHIN  0.15  PSI  OF  EACH  OTHER. 

A  SUBSEQUENT  SENSOR  FAILURE  WILL  BE  DETERMINED  BY  ANALYSIS  USING 
PREVIOUS  SIGNATURES  AND  C£  FLOWRATES. 

The  initial  failure  of  a  PPO2  sensor  will  be  determined  by  comparison  with  the  readings  of  the  other  two 
sensors.  The  sensors  that  are  reading  within  0.15  psi  (±3.0  percent  full  scale)  of  each  other  are  assumed 
to  be  nominal  and  the  deviant  sensor  (>0.15  psi  from  the  nearest  PPO2  reading)  will  be  considered 
failed  based  on  this  assumption. 

Because  there  are  only  two  remaining  sensors,  no  “voting  out”  capability  exists;  so,  subsequent  PPO2 
sensor  failures  will  have  to  be  determined  through  the  analysis  of  previous  PPO2  signatures  from  both 
the  current  and  past  flight  data,  by  the  frequency  of  O2/N2  controller  cycles,  and  by  O2.flow  rates. 

Note  that  the  PPO2  sensors  have  different  accuracy  specifications  based  on  ambient  temperature. 
Between  70  deg  and  85  deg  F,  the  sensor  accuracy  is  ±1.5  percent  of  full  scale;  outside  this  band  the 
accuracy  drops  to  ±3.0  percent  of  full  scale.  The  greater  error  is  assumed  for  this  rule. 

DOCUMENTATION :  Engineering  judgment  and  MCR  16202. 
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A17-206  LES  02  SUPPLY  SYSTEM  LOSS  DEFINITION 

ONE  (OF  TWO)  LES  O2  SUPPLY  SYSTEMS  IS  LOST  IF  THE  ASSOCIATED  (£ 
CROSSOVER  VALVE  OR  ECLSS  C£  SUPPLY  VALVE  CANNOT  BE  OPENED,  OR  FOR 
ANY  OTHER  BLOCKAGE  IN  THAT  LEG  OF  THE  SYSTEM  (E.G.,  CHECK  VALVE 
FAILED  CLOSED)  .  @[050495-1 756B] 

The  LES  manifold  is  required  to  support  procedures  for  afire  or  toxic  spill  case.  For  these  cases,  the 
crew  immediately  dons  the  LESH/QDM.  At  14. 7  ( 10.2 )  psia,  the  maximum  crew  breathing  rate  is  5.5 
(3.8)  Ibm/hr/crewman.  If  this  rate  cannot  be  met  then  on  the  LESH,  the  anti-suffocation  device  will  open 
allowing  ambient  air  to  be  ingested,  possibly  subjecting  the  crew  to  harmful  gases/combustion  products. 
When  the  crew  is  on  the  QDM’s,  they  may  be  starved  of  Oj,  possibly  forcing  them  to  remove  the  masks. 
For  a  5  to  8  man  crew  at  14. 7  psia,  this  rate  cannot  be  met  by  a  single  O2  supply  system  ( 24  Ibm/hr). 

For  a  5  or  6  man  crew  at  10.2  psia,  the  safety  tolerance  is  marginal. 

For  the  cabin  leak  case,  the  crew  dons  the  LESH/QDM’ s  at  a  pressure  below  10.2  psia;  therefore,  the 
breathing  requirement  is  lowered  (2.7  Ib/hr/crewman)  and  one  O2  system  can  supply  enough  O2for  this 
contingency.  Also,  it  would  be  acceptable  for  the  anti-suffocation  valves  to  periodically  open  since  there 
is  not  a  contamination  concern.  @[050495-1 756B] 

The  8  psia  cabin  may  present  an  unacceptable  atmosphere  for  normal  breathing  (PPO2  can  drop  below 
2.7  psia),  in  which  case  the  LESH/QDM’ s  must  be  worn.  A  21.6  lb/hr  flowrate  to  the  LES  helmet 
manifold  is  necessary  to  provide  eight  LESH/QDM’ s  with  2.7  lb/hr  O2  (11.8  liters/minute).  This  means 
sufficient  upstream  pressure  must  be  supplied  from  the  cryo  tanks  to  accommodate  LESH/QDM  flowrates 
during  LESH/QDM  operations.  The  2. 7  Ib/hr  can  supply  enough  O2  to  allow  regular  breathing  both  at 
rest  and  during  a  state  of  excitemen  t  in  a  resting  position.  @[050495-1 756B] 

The  O2  supply  system  can  be  obstructed  by  the  O2  XOVR  valve,  ECLSS  O2  SUPPLY  valve,  or  CHECK 
valve  failing  closed,  as  well  as  a  blockage. 

DOCUMENTATION:  Two-way  memo  received  from  J.  Waligora/SD5,  dated  2/2/87.  ®[050495-i756B] 
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PCS  SYSTEMS  MANAGEMENT 

A17-251  NORMAL  PCS  CONFIGURATION 

NORMAL  PCS  COMPONENT  CONFIGURATION  WILL  BE  AS  FOLLOWS: 

A.  PCS  1  WILL  BE  OPERATED  FROM  LIFT-OFF  TO  MISSION  MIDPOINT. 

PCS  2  WILL  BE  OPERATED  FROM  MISSION  MIDPOINT  TO  EOM . 

As  part  of  the  redundant  component  checkout  that  is  normally  performed  midway  through  the  mission, 
the  PCS  system  will  be  reconfigured  to  the  alternate  PCS  system  to  verify  system  health  and  maximize 
total  operating  lifetime.  Additionally,  PCS  2  will  be  selected  since  it  is  impractical  for  KSC  to  perform  a 
redundant  component  checkout  during  ground  turnaround. 

DOCUMENTATION :  Engineering  judgment. 

B.  NORMAL  PCS  VALVE  CONFIGURATION: 

1.  ASCENT/ENTRY: 

a.  BOTH  PCS  1  AND  2  14.7  PSIA  CABIN  REGULATOR  INLET 
VALVES  -  CLOSED. 

b.  PCS  1  O2/N2  CONTROL  VALVE  -  OPEN. 

c.  PCS  2  O2/N2  CONTROL  VALVE  -  CLOSED. 

d.  O2  REGULATOR  INLET  VALVES  -  CLOSED. 

(NOTE:  8.0  PSIA  EMERGENCY  REGULATORS  CANNOT  BE  DISABLED.) 

2.  ORBIT: 

a.  PCS  1(2)  14.7  PSIA  CABIN  REGULATOR  INLET  VALVES  -  OP; 

PCS  2(1)  14.7  CABIN  REGULATOR  INLET  VALVES  -  CLOSED. 

THIS  RULE  CONTINUED  ON  NEXT  PAGE 
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A17-251  NORMAL  PCS  CONFIGURATION  (CONTINUED) 

b.  PCS  1(2)  O2/N2  CONTROL  VALVE  -  AUTO; 

PCS  2(1)  O2/N2  CONTROL  VALVE  -  CLOSED. 

c.  O2  REGULATOR  INLET  VALVE  1(2)  -  OPEN; 

O2  REGULATOR  INLET  VALVE  2(1)  -  CLOSED. 

The  above  ascent/entry  configuration  is  the  desirable  switch  setup  in  the  event  of  a  cabin  leak  during 
these  flight  phases.  This  configuration  and  associated  rationale  is  different  from  the  orbit  configuration 
for  a  cabin  leak,  since  the  crew,  on  orbit,  has  more  time  to  react  to  the  leak  and  they  are  able  to  move 
about  and  reach  the  necessary  switches. 

For  ascent/entry,  the  cabin  regulator  inlet  valves  must  be  configured  prior  to  entering  these  flight  phases 
due  to  the  crew  not  being  able  to  reach  these  switches  once  in  their  seats.  The  configuration  of  the 
O2/N2  con  trol  valves  allows  for  one  PCS  system  to  be  active  to  respond  to  a  cabin  leak  once  cabin 
pressure  reaches  8.0  psia.  For  large  leaks  ( meaning  a  leak  where  the  stabilization  pressure  is  below  6.5 
psia  with  only  one  system  active),  the  crew  will  procedurally  activate  PCS  system  2  upon  reaching  6.5 
psia  cabin  pressure,  to  gain  a  minimum  of  75  lb/hr  additional  N2flow.  For  the  smaller  leaks  (<75 
lb/lir),  only  one  PCS  system  active  is  the  preferred  configuration.  The  O2  regulator  inlet  valves  are 
closed  to  supply  all  O2flow  to  the  crew  and  any  extra  O2  will  flow  to  the  cabin,  du  ring  a  cabin  leak,  via 
the  direct  O2  valve. 

For  orbit  operations,  paragraph  A  of  this  rule  defines  PCS  system  configuration  for  the  mission.  This 
determines  which  cabin  regulator  inlet  valves  and  O2/N2  control  valves  apply  in  the  orbit  portion  of  this 
rule.  Normally,  while  on  orbit,  only  one  PCS  system  is  used  to  automatically  control  cabin  atmosphere. 
Therefore,  the  active  PCS  system  will  have  the  14. 7  psia  cabin  regulator  open  to  maintain  a  14. 7  psia 
cabin,  the  O2/N2  control  valve  in  auto  to  automatically  regulate  oxygen/nitrogen  partied  pressure,  and 
the  O2  regulator  inlet  valve  open  to  allow  O 2  flow  during  O2  cycles. 

DOCUMENTATION :  Engineering  judgment. 
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A17-252  CABIN  PRESSURE  RELIEF  VALVES 

BOTH  CABIN  POSITIVE  PRESSURE  RELIEF  VALVES  WILL  BE  ENABLED  DURING 
ALL  FLIGHT  PHASES. 

The  failure  of  a  pressure  relief  valve  to  open  will  not  be  detected  until  an  overpressure  condition  exists. 
Because  of  the  potential  for  an  overpressure  condition  with  possible  catastrophic  results,  the  redundant 
pressure  relief  function  is  enabled  at  all  times. 

DOCUMENTATION :  Engineering  judgment. 

DOCUMENTATION :  Engineering  judgment. 


A17-253  CABIN  VENT  VALVES 

THE  CABIN  VENT  VALVES  WILL  BE  CLOSED  PRELAUNCH  AND  THE  CB' S 
OPENED  AFTER  ASCENT.  THE  CB'S  WILL  REMAIN  OPEN  FOR  THE  REMAINDER 
OF  THE  FLIGHT  THROUGH  POSTLANDING  HANDOVER. 

The  cabin  vent  valves  are  opened  to  vent  the  cabin  after  the  prelaunch  cabin  leak  check  at  T  minus  30 
minutes  and  closed  at  T  minus  20  minutes.  After  ascent  the  circuit  breakers  are  opened  to  prevent 
accidental  opening  of  the  valves.  Circuit  breaker  opening  is  postponed  until  after  ascent  because  they 
cannot  be  reached  by  the  crew  prior  to  lift-off  or  during  powered  flight. 
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A17-254  CABIN  02  CONCENTRATION 

CABIN  C>2  CONCENTRATION  WILL  BE  MAINTAINED  WITHIN  THE  SPECIFIED 
LIMITS  FOR  THE  FOLLOWING  CABIN  PRESSURES: 

A.  FOR  14.7  PSIA  OPERATIONS,  THE  CABIN  O2  CONCENTRATION  LEVEL 
WILL  BE  MAINTAINED  BELOW  25.9  PERCENT. 

Orbiter  cabin  materials  and  all  middeck  payload/experiments  are  required  to  be  compatible  ( non-fire- 
propagating )  with  25.9  percent  O2  concentration  and  have  been  qualified  by  test.  Any  materials  or 
payloads  flown  which  do  not  meet  O2  concentration  requirements  as  stated  in  the  Shuttle/Payload 
Middeck  Accommodations  document  must  have  a  waiver  from  the  program  office  prior  to  flight. 
Instrumentation  error  for  percent  O2  is  derived  by  dividing  worst  case  (high)  PPO2  phis  instrumentation 
error  (0.075)  by  worst  case  (low)  cabin  pressure  minus  instrumentation  error  (0.24)  and  equating  this 
value  to  25.9  percent.  Then  the  indicated  values,  without  the  instrumentation  error,  are  divided  to  arrive 
at  the  percent  O2  error. 

DOCUMENTATION:  NHB  8060.  IB  and  NSTS  21000-IDD-MDK. 

B.  FOR  10.2  PSIA  OPERATIONS,  THE  CABIN  O2  CONCENTRATION  LEVEL 
WILL  BE  MAINTAINED  BELOW  30.0  PERCENT. 

Testing  on  orbiter  cabin  materials  has  demonstrated  that  orbiter  materials  are  non-fire-propagating  at 
O2  concentrations  up  to  30  percent.  Middeck  payloads/experiments  are  required  to  be  compatible  with  a 
30  percent  O2  atmosphere  at  a  cabin  pressure  of  10.2  psi.  Currently,  all  planned  scheduled/unscheduled 
and  contingency  EVA’s  will  be  performed  at  10.2  psi,  if  possible.  However,  until  the  vehicle  is  certified 
for  10.2  psi  operations,  a  waiver  is  required  to  allow  O2  concentrations  up  to  30  percent. 

DOCUMENTATION:  MCR  11891  and  NSTS  21000-IDD-MDK. 
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A17-254  CABIN  02  CONCENTRATION  (CONTINUED) 

C.  FOR  8.0  PSIA  OPERATIONS,  THE  CABIN  O2  CONCENTRATION  LEVEL 

WILL  BE  MAINTAINED  BELOW  40  PERCENT  IF  REMAINING  CONSUMABLES 
ALLOW  LESS  THAN  36  HOURS  TO  ACCOMPLISH  A  LANDING.  IF  GREATER 
THAN  36  HOURS  EXISTS,  35  PERCENT  WILL  BE  THE  UPPER  LIMIT 
WHILE  AT  8.0  PSIA.  ©[090894-1673A] 

1.  FOR  CABIN  LEAK  SCENARIOS,  OR  SITUATIONS  WHERE  IT  IS 
POSSIBLE,  AN  UPPER  LIMIT  OF  30  PERCENT  WILL  APPLY  TO 
THE  TRANSITION  FROM  14.7  PSIA  OPERATIONS  TO  8.0  PSIA 
OPERATIONS . 

2.  WHEN  A  DEPRESS  TO  8  PSI  IS  USED  AS  A  METHOD  TO  CONTROL 
RISING  O2  CONCENTRATIONS,  AN  UPPER  LIMIT  OF  40  PERCENT 
WILL  APPLY  TO  THE  TRANSITION  FROM  14.7  PSIA  OPERATIONS  TO 
8.0  PSIA  OPERATIONS. 

The  8.0  psia  cabin  operations  is  a  contingency  situation  only  requiring  a  landing  no  further  than  the 
next  PLS.  The  30  percent  limit  during  the  transition  represents  an  O2  concentration  which  is 
considered  acceptable  at  all  operating  cabin  pressures  (14.7,  10.2,  8.0)  for  contingency  situations. 
However,  for  scenarios  where  the  depress  to  8  psi  is  required  as  a  method  for  controlling  rising  O2 
concentrations  below  the  maximum  limits  ( such  as  when  the  crew  is  required  to  remain  on  the  QDM. 
LES’sfor  extended  periods  of  time  or  during  an  unisolatable  O2  leak  into  the  cabin),  it  is  not  possible 
or  practical  to  maintain  the  O2  concentration  below  30  percent.  Therefore,  in  these  cases,  the  8.0  psia 
upper  limit  of  40  percent  will  apply.  For  example,  in  cm  avionics  bay  fire  case,  a  depress  rate  great 
enough  to  maintain  30  percent  maximum  O2  concentrations  will  also  result  in  a  negative  differential 
pressure  on  the  avionics  bay,  with  respect  to  the  cabin,  causing  the  Halon  and  toxic  combustion 
products  to  be  drawn  into  the  cabin  (reference  the  rationale  for  Rule{A17-53C}.  2,  FIRE  AND  POST¬ 
FIRE  ACTIONS).  For  these  cases,  it  is  considered  less  risk  to  manage  the  O2  concentration  between  30 
and  40  percent  in  order  to  extend  on-orbit  time  and  avoid  exposing  the  crew  to  toxic  gasses.  The 
decision  to  manage  oxygen  concen  tration  up  to  40  percen  t  while  at  8.0  psia  is  based  on  several  factors. 
First,  Rule  (A  13 -5 3 A  j.2,  MINIMUM  PP02  CONSTRAINTS,  requires  the  minimum  acceptable  PPO2 
level  for  8.0  psia  operations  to  be  2.35  psi  in  order  for  the  crew  to  remain  off  the  launch/entry  suit 
helmets  (LESH)/Quick  Don  Masks  ( QDM’s)  in  a  contingency  situation.  This  is  equivalent  to  a  30 
percen  t  O2  level  which  is  equivalent  to  the  limit  to  which  cabin  materials  have  been  tested.  If  the  crew 
were  to  don  the  LESH  once  PPO2  dropped  below  2.35  psi,  the  resulting  excess  flow  of  oxygen  would  not 
allow  maintaining  the  O2  concentration  below  30  percent.  Therefore,  it  is  not  possible  to  both  maintain 
percen  t  O2  under  acceptable  limits  (30  percen  t)  and  maintain  an  acceptable  breathing  atmosphere  for 
the  crew,  without  helmets,  at  8.0  psia.  Secondly,  Halon  1301  effectively  is  degraded  at  O2  percentages 
higher  than  40  percent;  however,  test  data  shows  it  can  extinguish  afire  in  8.0  psici/40  percent  O2 
concentration.  Finally,  40  percent  allows  the  crew  more  on-orbit  stay  time  and  less  crew  involvement 
with  the  direct  O2  valve  than  an  upper  limit  less  than  40  percent.  ®[090894-i  673A] 
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A17-254  CABIN  02  CONCENTRATION  (CONTINUED) 

The  36-hour  decision  point  for  which  upper  limit  to  apply  to  oxygen  concentration  at  8.0  psi  is 
arbitrary.  A  reason  for  having  two  upper  limits  while  at  8.0  psi  is  to  avoid  extended  operations  at 
high  O2  concentration  levels.  Leak  rates  which  allow  less  than  36  hours  will  be  large  enough  to  keep 
the  oxygen  concentration  from  remaining  above  35  percent  for  long  periods  of  time.  ( Ref.  Rule  {A13- 
53A }.  2,  MINIMUM  PP02  CONSTRAINTS. ).  ®[090894-i  673A] 

Documentation:  PRCB  PCIN  41004,  NASA  TR-25 5-001. 

Rules  {A17-53},  FIRE  AND  POST-FIRE  ACTIONS;  and  (A13-152CJ,  CABIN  ATMOSPHERE 
CONTAMINATION,  reference  this  rule. 
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A17-255  8  PSIA  EMERGENCY  CABIN  CONFIGURATION 

THE  14.7  PSIA  CABIN  REGULATOR  INLET  VALVES  WILL  BE  CLOSED  AND  THE 
CABIN  WILL  BE  ALLOWED  TO  BLEED  TO  8  PSIA  ONLY  IF:  @[090894-1 673A] 

A.  CABIN  LEAK:  O2/N2  CONSUMABLES  ARE  INSUFFICIENT  TO  ALLOW  THE 
ORBITER  TO  EFFECT  A  NEXT  PLS  ENTRY  AT  14.7  (10.2  IF  ALREADY 
IN  10.2  PSIA  OPS)  PSIA  CABIN  PRESSURE  PLUS  A  24-HOUR  FLIGHT 
EXTENSION  AT  8  PSIA. 

Operation  at  14. 7  psia  is  preferred  because,  at  8  psia,  a  powerdown  is  required  and  the  crew  must  wear 
the  LES  helmet.  However,  if  inadequate  consumables  exist  to  allow  both  a  14.7  (10.2  if  already  in  10.2 
PSIA  ops)  psia  cabin  pressure  to  the  next  PLS  opportunity  and  1  extension  day  at  8  psia,  the  cabin  will 
be  immediately  reconfigured  to  the  8 psia  emergency  configuration  ( i. e. ,  14.7  cabin  regulators  closed 
and  associated  powerdowns  performed ). 

If  it  is  determined  that  enough  consumables  exist  to  allow  the  14.7  (10.2  if  already  in  10.2  PSIA  ops)  psia 
cabin  pressure  to  the  next  PLS  plus  the  24-hour  extension  day  at  8  psia,  then  the  14.7  ( 10.2  if  already  in 
10.2  PSIA  ops)  psia  cabin  will  be  maintained  to  the  next  PLS  opportunity  to  attempt  a  normal  entry.  If 
entry  cannot  be  performed  at  the  PLS  opportunity,  then  the  cabin  must  be  reconfigured  to  the  8  psia 
emergency  configuration  for  the  remainder  of  the  mission  and  an  entry  performed  prior  to  consumables 
depletion  ®[090894-1673A] 

DOCUMENTATION :  Engineering  judgment. 

Rule  (A17-254J,  CABIN  02  CONCENTRATION,  references  this  rule. 

B.  CABIN/ AV  BAY  FIRE  OR  LEVEL  4  HAZARDOUS  SPILL:  THE  CREW  IS 
REQUIRED  TO  WEAR  THE  LES/QD,  FOR  AN  EXTENDED  PERIOD  OF  TIME 
TO  PROTECT  THEMSELVES  AGAINST  A  CONTAMINATED  CABIN 
ATMOSPHERE.  @[090894-1 673A] 

A  cabin  depress  to  8  psi  and  continuous  purge  at  8  psi  will  manage  O2  concentration  below  maximum 
levels  as  well  as  decrease  the  concentration  of  discharged  Halon  and  any  potentially  toxic  gases  that 
were  produced  by  a  fire  or  hazardous  elements  that  were  spilled  into  the  cabin  atmosphere.  This  action 
could  extend  the  time  on  orbit  so  as  to  avoid  an  ELS  entry  (ref.  Rule  (A17-53J,  FIRE  AND  POST-FIRE 
ACTIONS,  and  (A1 3-155),  ORBITER  HAZARDOUS  SUBSTANCE  SPILL  RESPONSE).  ®[ED  ] 

DOCUMENTATION:  Engineering  judgment  ®[090894-l  673A] 

Rule  (A17-254J,  CABIN  02  CONCENTRATION,  references  this  rule. 
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A17-256 


02  BLEED  ORIFICE  MANAGEMENT 


THE  O2  BLEED  ORIFICE  WILL  BE  INSTALLED  IN  AN  LEH  VALVE  QUICK 
DISCONNECT  (QD)  ,  PRESLEEP  ON  FLIGHT  DAY  1,  IF  PP(£  LEVELS  ARE 
BELOW  3.20  PSIA  AND  REMOVED  DURING  DEORBIT  PREPARATION  ACTIVITIES 
ON  ENTRY  DAY. 

The  O2  bleed  orifice,  sized  specifically  for  metabolic  consumption  of  O2  based  on  crew  size,  is  installed 
to  keep  the  14.7  cabin  regulator  inlets  in  the  low  flow  region  of  the  regulator.  This  eliminates  nuisance 
O2/N2  FLOW  HIGH  alarms  caused  by  WCS  cycles  and  02/N2.flow  switchovers.  Normally,  the  bleed 
orifice  is  installed  presleep  on  flight  day  1,  ifPP02  levels  permit.  Due  to  oxygen  introduced  into  the 
cabin  via  LESflow  during  ascent,  however,  the  PPO2  may  be  elevated  to  such  a  degree  that  bleed  orifice 
installation  is  not  necessary  until  postsleep  on  flight  day  2.  Delaying  the  installation  will  allow 
metabolic  consumption  to  lower  PPO2  to  nominal  levels. 

The  bleed  orifice  is  not  used  during  ascent/entry  since  the  PCS  system  is  deactivated  and  there  is  no 
concern  of  generating  nuisance  flow  alarms. 


DOCUMENTATION:  Flight  data. 


A17-257 


N2  SYSTEM  MANAGEMENT 


BOTH  N2  SYSTEMS  WILL  NORMALLY  BE  OPERATED  AS  ONE  SYSTEM. 

Nominal  operations  for  N2  systems  1  and  2  has  both  systems  fully  open  ( i.  e. ,  supply  valves,  regulator 
inlet  valves,  etc.)  so  N2  will  be  depleted  simultaneously  from  all  tanks.  One  of  the  drawbacks  of 
operating  both  nitrogen  systems  as  a  single  system  is  the  possibility  of  losing  more  than  one  system’s 
nitrogen  quan  tity  in  the  even  t  of  a  massive  tank  leak.  However,  by  operating  both  systems  fully  open,  the 
risk  is  removed  of  a  supply  valve  failing  closed  and  cu  tting  off  one  N2  system  for  the  remainder  of  the 
mission.  The  likelihood  of  a  supply  valve  failing  closed  is  considered  greater  than  the  possibility  of  a 
massive  tank  leak,  and  therefore  the  system  is  operated  to  protect  against  failure  of  one,  or  both,  of  the 
N2  supply  valves  failing  closed.  Also,  by  depleting  nitrogen  equally  from  both  systems,  the  quantity  of 
N2  remaining  in  a  good  system  is  maximized. 


DOCUMENTATION :  Engineering  judgment. 

Rule  {A17-202B},  8  PSIA  CABIN  CONTINGENCY  165-MINUTE  RETURN  CAPABILITY,  references 
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A17-258  LOSS  OF  CABIN  INTEGRITY  Tfoay  DEFINITION  AND  TIG 

SELECTION 

a.  tmax  is  defined  as  the  latest  deorbit  tig  that  will  allow  a 

LANDING  BEFORE  THE  DEPLETION  OF  N?  CONSUMABLES.  IF 
CONSUMABLES  WILL  BE  DEPLETED  BEFORE  A  PLS  LANDING,  AN  ELS 
LANDING  WILL  BE  EFFECTED. 

B.  THE  MINIMUM  ACCEPTABLE  CABIN  PRESSURE  PRIOR  TO  ATMOSPHERIC 
REPRESSURIZATION  IS  8  PSIA.  THE  PCS  SHALL  BE  CONFIGURED  TO 
MAINTAIN  8  PSIA.  NOTE:  EXTENDED  TIME  ON  ORBIT  AT  A  LOWER 
CABIN  PRESSURE  WILL  BE  SACRIFICED  TO  MAINTAIN  A  CABIN 
PRESSURE  OF  8  PSIA. 

C.  A  DEORBIT  TIG  FOR  LOSS  OF  CABIN  PRESSURE  INTEGRITY  SHALL 
OCCUR  AT  OR  BEFORE  TMAX • 

7 'max  ,s  defined  as  the  deorbit  TIG  that  synchronizes  touchdown  with  the  depletion  ofN2  consumables. 
Note  that  Tmax  is  independent  of  landing  site  availability  and  does  not  account  for  cooling  certification 
violations  due  to  loss  of  cabin  pressure. 

The  Tmax  prediction  is  based  on  an  assumed  8-psia  emergency  regulator  maximum  flowrate  of  125  Ib/hr 
ofN2  each  (while  the  spec  max  flow  is  75  Ib/hr,  OMRSD  testing  shows  that  the  actual  average  max  flow 
is  about  125  Ib/hr).  It  also  assumes  that  the  time  from  TIG  to  touchdown  is  60  minu  tes  and  that  O2  is 
managed  between  2.2  and  3.0  psia  ( ref.  Rules  {A1 7-254},  CABIN  02  CONCENTRATION,  and  {A13-53}, 
MINIMUM  PP02  CONSTRAINTS).  N2  depletion  is  defined  in  Rule  [A1 7-204},  N2  SUPPLY,  as  tank 
pressure  below  200  (375)  psia.  ®[ED  ] 

The  vehicle  avionics  are  not  certified  to  withstand  cabin  pressures  below  8  psia  due  to  cooling 
requirements.  Also,  a  cabin  pressure  of  8  psia  is  the  minimum  pressure  which  will  allow  the  crew  to 
function  normally  for  any  length  of  time  withou  t  a  prebreathe.  Reference  Rule  {A13-51A},  CABIN 
PRESSURE.  For  these  reasons,  maintaining  8  psia  (if  possible)  is  mandatory. 

In  maintaining  8  psia,  N2  supplies  will  be  exhausted  as  necessary.  No  N2  conservation  steps  that  involve 
lowering  the  cabin  stabilization  pressure  below  8  psia  will  be  attempted.  Therefore,  the  time  on  orbit 
that  could  be  achieved  if  the  cabin  was  allowed  to  stabilize  at  a  lower  pressure  will  be  sacrificed  to 
maintain  8  psia. 
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A17-258  LOSS  OF  CABIN  INTEGRITY  Tfoay  DEFINITION  AND  TIG 

SELECTION  (CONTINUED) 

Actual  TIG  determination  will  be  based  on  Tmax  and  not  the  cabin  stabilization  pressure.  Obviously, 
TIG  must  occur  at  or  before  Tmax  so  that  N2  consumables  do  not  deplete  before  touchdown,  thereby 
allowing  the  cabin  to  drop  to  near  zero  pressure. 

If  a  PLS  site  is  available  at  8  psia,  it  would  be  the  most  desirable  landing  site.  Landing  site  options  at 
cabin  pressures  lower  than  8  psia  will  be  very  limited  ( probably  one,  if  any)  due  to  the  rapid  depletion  of 
N2  (a  leak  would  have  to  be  over  250  ib/hr  for  cabin  pressure  to  stabilize  below  8  psia).  Therefore, 
landing  site  selection  at  cabin  stabilization  pressures  lower  than  8  psia  need  not  be  addressed. 

All  other  rules  regarding  acceptable  PPO2  levels  for  breathing  and  O2  concen  tration  levels  in  the  cabin 
must  be  upheld  during  a  cabin  leak  in  order  to  effect  a  safe  entry. 

DOCUMENTATION :  NASA  memo  from  James  M.  Wciligora/SD5  -  7/14/86,  EVA  Prebreathe  N2  vs. 
Decompression  Sickness  Risk  Table,  engineering  judgmen  t,  and  KSC  8-psia  reg  OMRSD  ground 
checkout  testing.  @[050400-7196  ] 
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A17-259  LES  02  SUPPLY  SYSTEM  LOSS  MANAGEMENT 

A.  IF  AN  C>2  SYSTEM  IS  LOST  DUE  TO  AN  C£  XOVR  VALVE  FAILURE, 

CHECK  VALVE  FAILURE,  OR  BLOCKAGE,  AN  IFM  TO  RESTORE  FLOW  WILL 
BE  PERFORMED  .  ®[050495-1756B] 

If  an  O2  XOVR  valve  or  check  valve  is  failed  closed,  the  ability  to  protect  the  crew  from  a  contaminated 
cabin  is  probably  lost.  For  the  blockage  case,  the  IFM  will  be  performed  if  the  blockage  is  in  such  a 
place  that  allows  the  IFM  to  be  viable.  The  IFM  will  restore  full  functionality  to  the  LES  MANIFOLD. 

B.  UNTIL  THE  IFM  IS  COMPLETE,  MIDDECK  EXPERIMENTS  INVOLVING 
LEVEL  3  OR  4  TOXIC  MATERIALS  THAT  HAVE  FEWER  THAN  THE  SAFETY 
PANEL  APPROVED  NUMBER  OF  LEVELS  OF  CONTAINMENT  SHOULD  NOT  BE 
PERFORMED,  UNLESS  DOING  SO  CLEARLY  DOES  NOT  INCREASE  THE  RISK 
FOR  A  SPILL. 


Experiments  involving  Level  3  or  4  toxic  materials  that  have  fewer  than  the  Safety  Panel  approved 
number  of  levels  of  containment  have  lost  a  level  of  containment.  Performing  these  experiments  while  an 
LES  O2  SUPPLY  SYSTEM  is  lost  may  subject  the  crew  to  unnecessary  risk.  Experiments  in  isolatable 
volumes  (Spacehab,  etc.)  are  not  affected  by  this  rule.  ©[050495-1756B]  @[092701-4872  ] 

C.  CONSIDERATION  WILL  BE  GIVEN  TO  PERFORMING  A  REAL-TIME  TEST 
OF  THE  LES  MANIFOLD  CAPABILITIES.  IF  THE  SINGLE  C£  SYSTEM 
SUPPLIES  ENOUGH  O2  TO  PREVENT  THE  ANTI-SUFFOCATION  VALVES 
FROM  OPENING  WHILE  ALL  CREWMEMBERS  ARE  BREATHING  RAPIDLY, 
THEN  THE  LES  O2  SUPPLY  SYSTEM  MAY  BE  CONSIDERED  GO.  @[050495- 
1756B] 

It  is  generally  believed  that  each  crewmember  consumes  approximately  5.5  Ib/hr  of02  while  breathing 
on  the  LES  or  QDM’s,  which  exceeds  the  capacity  of  a  single  O2  supply  system.  However,  usage  varies 
with  each  crew,  so  it  is  possible  that  a  single  system  could  support. 

Documen  tation:  STS-26  flight  data,  engineering  judgment. 

Reference  Rule  (A1 7-206 },  LES  02  SUPPLY  SYSTEM  LOSS  DEFINITION.  @[050495-1 756B] 
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A17-260  PCS  02 /N2  CONTROLLER  CHECKOUT 

A.  THE  IN-FLIGHT  CHECKOUT  OF  THE  PCS  O2/N2  CONTROLLERS  REQUIRES 
A  SWITCHOVER  IN  EACH  DIRECTION  WHILE  OPERATING  AT  A  CABIN 
PRESSURE  OF  14.7  PSIA  WITH  THE  C£/N2  CONTROLLER  SWITCH  IN  THE 
"AUTO"  POSITION.  ALTHOUGH  NOT  REQUIRED,  CHECKOUT  OF  BOTH 
SYSTEMS  IS  DESIRABLE  AND  WILL  BE  ACCOMPLISHED  ON  A  NON¬ 
INTERFERENCE  BASIS  WITH  MISSION  OBJECTIVES.  @[032901-4188  ]  ®[ED  ] 

Checkout  of  the  PCS  O2/N2  Controllers  is  performed  in-flight  due  to  impacts  associated  with  performing 
the  checkout  during  ground  processing.  Switchover  is  based  on  the  change  in  sensed  ppC>2  across  the 
upper  and  lower  set  points  of  the  controller.  Observing  switchovers  from  both  O2  to  N2  and  from  N2  to 
O2  verify  that  the  O2/N2  Controller  is  operating  properly  in  its  control  range.  Both  switchovers  must  be 
obser\>ed  during  the  same  flight  in  order  to  complete  a  controller  checkout.  Full  vehicle  checkout 
requires  four  switchovers:  one  in  each  direction,  and  on  each  controller  while  operating  at  a  cabin 
pressure  of  14. 7  psia.  The  Space  Shuttle  Master  Verification  Plan  (MVP)  requires  at  least  one  PCS 
system  performance  to  be  verified  each  flight.  The  PCS  is  normally  reconfigured  mid-flight  to  provide 
checkout  time  on  both  systems.  However,  mission  events  may  require  reconfiguration  to  be  delayed  to 
obtain  a  full  checkou  t  on  one  controller. 

DOCUMENTATION:  OMRS  File  IX,  DV61IFC.030  and  ARP CS  Performance  Verification. 

B.  IF  A  "NATURAL"  SWITCHOVER  DURING  AUTOMATIC  14.7  PSI 
OPERATIONS  DOES  NOT  OCCUR,  THE  FOLLOWING  STEPS  WILL  BE 
EXECUTED,  IN  PRIORITY  ORDER,  TO  INDUCE  A  SWITCHOVER  AND 
ENSURE  THE  CHECKOUT  OF  AT  LEAST  ONE  CONTROLLER: 

1.  TERMINATE  FLOW  TO  THE  O2  BLEED  ORIFICE. 

2.  PLACE  THE  O2/N2  CONTROLLER  SWITCH  IN  THE  "CLOSED" 
POSITION  (O2)  DURING  CREW  SLEEP. 

Nominally,  during  14.7 psi  operations,  the  O2/N2  Controller  switch  is  in  “AUTO”  while  the  crew  is 
awake  and  “OPEN”  (N2)  during  sleep  (to  preclude  switchover  from  O2  to  N2  which  can  cause  an  N2 
Flow  Hi  alarm ).  Some  missions  do  not  provide  enough  time  in  auto  mode  to  satisfy  a  complete  checkout 
of  both  controllers  due  to  10.2  psi  operations,  pressures  above  14.7  psi  due  to  ISS  repress,  etc.  In 
addition,  some  crews’  metabolic  O2  use  is  well  matched  to  the  makeup  flow  from  the  O2  Bleed  Orifice 
and  therefore  pp02  does  not  change  enough  to  drive  a  switchover.  Auto  switchovers  cannot  be  predicted 
preflight;  predictions  require  trend  data  for  the  specific  crew  during  several  wake  and  sleep  periods. 
@[032901-4188] 
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A17-260  PCS  Q2/N2  CONTROLLER  CHECKOUT  (CONTINUED) 

Terminating  O2  Bleed  Orifice  flow  will  cause  pp02  to  decrease  more  rapidly,  increasing  the  likelihood 
of  a  switchover  from  N2  to  O2 ■  Similarly,  configuring  the  O2/N2  control  valve  to  flow  O2  during  crew 
sleep  will  slow  the  decrease  ofPP02  and  possibly  cause  PPO2  to  rise  overnight.  This  action  will 
expedite  a  switchover  from  O2  to  N2  once  the  O2/N2  controller  is  configured  back  to  “AUTO”  during 
crew  wake.  In  this  case,  O2  will  be  managed  prior  to  sleep  to  prevent  alarms  during  sleep.  These 
methods  require  ground  analysis  for  prediction  and  additional  crew  switch  throws.  @[032901-4188  ] 

Switchovers  observed  during  represses  do  not  satisfy  the  PCS  checkout  requirement  because  the  data 
gathered  could  be  lower  fidelity  due  to  the  transient  PPO2  levels  and  short  time  between  switchovers 
during  the  variable  pressure  environmen  t  of  a  repress.  Therefore,  switchovers  observed  during  represses 
will  only  be  used  for  PCS  checkout  verification  in  the  event  that  a  ‘natural’  or  ‘induced’  switchover  has 
not  been  observed  due  to  unexpected  events. 

If  a  complete  in-flight  PCS  checkout  of  at  least  one  O2/N2  Con  troller  cannot  be  accomplished  on  a 
mission,  then  additional  ground  testing  is  required  prior  to  the  next  flight  of  that  vehicle.  If  a  full  in¬ 
flight  checkout  is  not  accomplished,  ground  personnel  will  document  the  specific  switchovers  that  did  not 
occur  and  will  ensure  that  the  PCS  is  placed  in  the  appropriate  configuration  to  achieve  the  required 
switchovers  during  the  next  flight  of  the  vehicle. 

DOCUMENTATION :  Engineering  judgment  and  In-flight  Checkout  of  the  Orbiter  Pressure  Con  trol 
System,  EC3-00-011  @[032901-4188  ] 

A17-261  THROUGH  A17-300  RULES  ARE  RESERVED 
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10.2  PSIA  CABIN  ATMOSPHERE  OPERATION 


A17-301  CABIN  ATMOSPHERE  MANAGEMENT 

THE  CABIN  ATMOSPHERE  WILL  BE  MANUALLY  MANAGED  TO  MAINTAIN  THE 
CABIN  PRESSURE  BETWEEN  10.0  AND  10.4  PSIA  AND  THE  CABIN  PP(§ 
BETWEEN  2.55  AND  2.80  PSIA,  INDICATED. 

Operation  at  these  conditions  satisfies  the  10.2  EVA  protocol  for  bends  prevention,  provides  adequate 
PPO2,  and  maintains  an  acceptable  O2  concentration  below  30  percent.  The  10.0  psia  cabin  pressure 
minimum  avoids  a  powerdown  due  to  cooling  requirements.  The  10.4  psia  cabin  pressure  avoids  C&W 
alarms  from  being  tripped.  The  C&W  upper  limit  is  set  at  10.6  to  avoid  breaking  the  8.44  PPN2  limit  for 
EVA  prebreathe.  A  PPO2  of  2.55  psia  prevents  the  crew  from  having  to  don  LES  helmets  for  2.50  psia 
minimum  metabolic  PPO2  at  a  10.2  psia  cabin  pressure.  2.80  psia  PPO2  is  within  the  30  percen  t  O2 
concentration  flammability  limit  during  10.2  psia  operations  (ref.  Rule  {A13-53Aj.l,  MINIMUM  PP02 
CONSTRAINTS). 

Rule  {A13-103C}.!,  EVA  PREBREATHE  PROTOCOL,  references  this  rule. 


A17-302  10.2  PSIA  CABIN  DEPRESSURIZATION  CONSTRAINTS 

CABIN  DEPRESSURIZATION  WILL  NOT  BE  PERFORMED  IF  ANY  OF  THE 
FOLLOWING  CONDITIONS  EXIST: 

A.  CABIN  PRESSURE  TRANSDUCER  HAS  FAILED,  OR  THE  CABIN  PRESSURE 
TRANSDUCER  HAS  DRIFTED  BEYOND  ±1.2  PERCENT  FULL-SCALE  AND 
NEITHER  OF  THE  FOLLOWING  IS  AVAILABLE: 

1.  UPLINK  OF  A  PASS  SM  CABIN  PRESSURE  CALIBRATION 
COEFFICIENT  REAL-TIME  COMMANDER  OR, 

2.  AN  EMU  FEEDWATER  PRESSURE  SENSOR  THAT  CAN  BE  VERIFIED  AS 
ACCURATE  TO  WITHIN  ±0.24  PSIA  FOR  USE  AS  AN  ALTERNATE 
CABIN  PRESSURE  TRANSDUCER.  @[111094-1687] 


The  available  01  backup  measurements  to  determine  cabin  pressure,  airlock/overboard  delta  P,  and  the 
delta  P  between  supply  H2O  inlet  P  and  H2O  regulator  P  are  not  accurate  enough  to  keep  the  cabin 
within  specified  pressure  and  PPO2  limits.  The  airlock/overboard  delta  P  transducer  can  give  as  much 
as  ±2.0  psi  inaccuracy  on  the  true  cabin  pressure.  Using  the  H2O  regulator  inlet  pressure  transducers 
and  the  H2O  supply  inlet  pressure  can  give  as  much  as  ±2.8  psi  inaccuracy.  Therefore,  the 
depressurization  should  not  be  performed  using  only  these  since  these  transducers  do  not  provide 
accurate  means  of  determining  cabin  pressure  and  O2  concentration.  ®[1 1 1 094-1 687  ] 
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A17-302  10.2  PSIA  CABIN  DEPRESSURIZATION  CONSTRAINTS 

(CONTINUED) 


One  of  the  requirements  for  the  10.2  psi  certification  (PCIN  60154)  was  to  ensure  the  cabin  pressu  re 
transducer  would  be  within  ±1.2  percent  full-scale  (±0.24  psi)  accuracy  prior  to  launch.  The  OMRSD 
requires  the  transducer  to  be  within  ±1.0  percen  t  prior  to  the  vehicle  leaving  the  OPF.  This  allows  for 
some  drift  to  occur  between  OPF  processing  and  launch.  A  single  point  check  is  then  performed  during 
PPO2  sensor  calibration  approximately  2  weeks  prior  to  launch.  If  the  transducer  is  determined  to  have 
drifted  beyond  ±1.2  percent  during  the  single  point  check,  then  a  SCALING  COEFFICIENT  SET 
UPDATE  (01-21  and  subs)  will  be  required  for  any  10.2  psi  operations  using  the  last  seven-point 
calibration  verification  for  that  vehicle.  ®[1 1 1 094-1 687  ] 

The  EMU  feedwater  pressure  sensor  is  certified  as  Crit  1  flight  instrumentation.  The  spec  accuracy  of 
the  EMU  feedwater  pressure  sensor  is  ±0.4  psia  (±2.5  percent  full-scale);  however,  actual  performance 
of  the  sensor  far  exceeds  the  specifications  during  vacuum  chamber  testing.  The  actual  sensor 
performance  varies  with  each  EMU  and  is  calibrated  prior  to  each  mission.  If  the  orbiter  cabm  pressure 
sensor  were  to  fail,  an  EMU  would  be  unstowed,  powered  up,  and  a  reading  made  of  the  feedwater 
pressure  (AIRLK  P  XX.X  on  the  EMU  DCM)  with  the  feedwater  shutoff  valve  closed  (WATER  -  OFF). 

The  downlinked  value  of  feedwater  pressure  sensor  is  given  to  two  decimal  places;  however,  it  requires 
that  the  EMU  UHF  comm  be  active.  The  reading  should  be  taken  as  soon  as  possible  (within  1/2  hour  is 
preferred)  after  the  failure  of  the  cabin  pressure  sensor  is  detected.  The  reported  EMU  reading  will  be 
compared  to  the  last  valid  reading  of  the  orbiter  cabm  pressure  sensor  and  the  vacuum  chamber 
feedwater  pressure  sensor  calibration  data  to  verify  that  ±0.24  psia  accuracy  (the  10.2  certification 
requirement)  can  be  met.  @[050400-7196  ] 

Use  of  the  EMU  for  monitoring  cabin  pressure  will  only  be  required  during  the  depress  to  10.2  psi  and 
the  10.2  psi  main  tenance  activities.  It  is  not  necessary  for  the  EMU  to  remain  powered  continuously. 

This  will  not  pose  a  constraint  to  missions  where  only  two  EMU’s  are  manifested  since  the  cabin 
atmosphere  will  be  managed  to  preclude  the  need  for  a  10.2  psi  maintenance  during  the  EVA  when  no 
EMU’s  are  available  in  the  orbiter.  If  there  are  no  other  EVA ’s  scheduled,  the  cabin  can  be  repressed  to 
14. 7  psi  during  the  EVA.  @[050400-7196  ] 

Additional  methods  are  available  to  perform  coarse  checks  of  the  EMU  feedwater  pressure  reading 
without  the  orbiter  cabm  pressure  sensor.  These  methods  include  comparisons  of  the  airlock/overboard 
(cabin/airlock)  delta  pressures  and  the  delta  pressure  between  the  supply  H2O  inlet  pressure  and  H2O 
regulator  pressure,  and  Fluke  MultiCal  Pressure  Sensor.  The  Fluke  MultiCal  Pressure  Sensor  is 
curren  tly  not  certified  as  Crit  1  hardware  and  is  therefore  not  available  for  use  as  an  alternate  means  of 
monitoring  for  10.2  psi  operations. 

If  10.2  EVA  protocol  cannot  be  utilized,  the  EVA  crew  will  be  required  to  prebreathe  for  4  hours 
(14.7  EVA  protocol)  prior  to  each  EVA.  The  10.2  EVA  protocol  requires  only  a  40-minute  prebreathe. 
@[111094-1687] 
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A17-302  10.2  PSIA  CABIN  DEPRESSURIZATION  CONSTRAINTS 

(CONTINUED) 


DOCUMENTATION: 

PCN  60154 

- 

10.2  PSI  CERTIFICATION  WAIVER/QSA. 

MCR  11891 

- 

ESTABLISHMENT  AND  CERTIFICATION  OF  ORBITER  FOR  EVA 
OPERATIONAL  ENVIRONMENTS. 

SS-P-0002-1400 

- 

CPDS  SS  DOWNLIST/UPLINK  SOFTWARE  REQUIREMENTS. 

SCR90173A 

- 

ADD  CABIN  P  TO  SCALING  COEFF  U/L  CMD. 

SV799 100/S 

- 

PLSS  S/A  D  (PORTABLE  LIFE  SUPPORT  SYSTEM  SPECIFICATIONS  AND 
DRAWINGS) 

BOEING  FEPC  EMU  FLIGHT  DATA  BOOK 

JSC  EMU  CHAMBER  TESTING,  AND  ENGINEERING  JUDGMENT 

@[111094-1687] 


B.  TWO  OF  THE  THREE  PPO2  SENSORS  ARE  FAILED.  @[090894-1455] 

During  the  depress  to  10.2  psici  and  while  at  10.2  psia,  the  cabin  atmosphere  is  maintained  manually, 
using  PPO2  as  one  of  the  determining  parameters.  Because  the  PPO2  transducers  have  a  history  of 
drifting  and  PPO2  must  be  maintained  within  tight  limits,  one  parameter  is  not  sufficient  to  guarantee 
that  PPO2  will  be  maintained  within  limits;  therefore,  there  needs  to  be  at  least  one  confirming  sensor  to 
insure  an  accurate  PPO2  and  O2  concentration  reading. 


If  C&W/FDA  limits  cannot  be  annunciated  for  PPO2 ,  the  crew  will  have  to  closely  monitor  it  to  maintain 
the  proper  atmosphere.  @[090894-1455  ] 

DOCUMENTATION :  Engineering  judgment. 

C.  TOTAL  N2  QUANTITY  IS  LESS  THAN:  @[050400-7196] 

1.  THE  NOMINAL  MISSION  REQUIREMENT,  PLUS 

2  .  THE  N2  REDLINE  REQUIREMENT  (FROM  THE  TABLE  IN  PARAGRAPH 
B.l  OF  RULE  {A17-202},  8  PSIA  CABIN  CONTINGENCY  165- 

MINUTE  RETURN  CAPABILITY) ,  PLUS 

3.  IF  NOT  INCLUDED  IN  THE  NOMINAL  MISSION  REQUIREMENT,  THE 
VOLUME-DEPENDENT  AMOUNT  REQUIRED  TO  REPRESS  THE  CABIN 
FROM  10.2  TO  14.7  PSIA,  PER  THE  FOLLOWING  TABLE.  (NOTE: 
ONLY  THE  VOLUME  THAT  IS  ACTUALLY  BEING  REPRESSED  SHOULD 
BE  USED.)  @[050400-7196] 
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A17-302  10.2  PSIA  CABIN  DEPRESSURIZATION  CONSTRAINTS 

(CONTINUED) 


CONFIG  (VOLUMES  TO  BE  DEPRESSED) 

mMum  1 

■HSHH 

ORB  +  INT  ARLK 

2475 

54.8 

ORB  +  INT  ARLK  +  TNL  ADPTR 

2605 

57.7 

ORB  +  INT  ARLK  +  TNL  ADPTR  +  SHORT  TNL  + 

SINGLE  HAB 

3718 

82.4 

ORB  +  INT  ARLK  +  TNL  ADPTR  +  SHORT  TNL  + 
DOUBLE  HAB 

4824 

106.9 

ORB  +  INT  ARLK  +  TNL  ADPTR  +  LONG  TNL  + 

SINGLE  HAB 

3921 

86.9 

ORB  +  INT  ARLK  +  TNL  ADPTR  +  LONG  TNL  + 

DOUBLE  HAB 

5027 

111.4 

ORB  +  EXT  ARLK 

2703 

59.9  i 

ORB  +  EXT  ARLK  +  TNL  ADPTR 

2833 

62.8 

ORB  +  EXT  ARLK  +  TNL  ADPTR  +  SHORT  TNL  + 
SINGLE  HAB 

3946 

87.4 

ORB  +  EXT  ARLK  +  TNL  ADPTR  +  SHORT  TNL  + 
DOUBLE  HAB 

5052 

111.9 

ORB  +  EXT  ARLK  +  TNL  ADPTR  +  LONG  TNL  + 

SINGLE  HAB 

4149 

91.9 

ORB  +  EXT  ARLK  +  TNL  ADPTR  +  LONG  TNL  + 

DOUBLE  HAB 

5255 

116.4 

@[050400-7196] 


If  the  10.2  depress  had  been  scheduled  preflight,  the  amoun  t  ofN2  requ  ired  to  repress  the  cabin  would 
be  contained  in  the  Nominal  Mission  Requirement. 

The  repress  requirement  listed  in  the  above  table  assumes  a  cabin  temp  of  70  deg  F  and  a  repress  of  N2 
only,  which  is  conceivable  though  conservative. 


Some  volumes  may  have  requirements  against  operating  at  10.2  psia.  It  may  also  be  advantageous  to 
preserve  N2  by  isolating  volumes  prior  to  depressing  to  10.2  psia.  Only  the  volumes  to  be  repressed 
from  10.2  psia  should  be  used. 

DOCUMENTATION :  Engineering  judgmen  t.  @[050400-7196  ] 
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A17-303  CABIN  REPRESSURIZATION  PRIOR  TO  DEORBIT 

PRIOR  TO  DEORBIT,  THE  CABIN  WILL  BE  REPRESSURIZED  BACK  TO 
14.7  PSIA. 

An  entry  at  a  cabin  pressure  less  than  14. 7  psia  would  require  a  powerdown  (loss  of  cabin  pressure, 

8  psi  powerdown )  which  is  undesirable  during  entry.  A  concern  also  exists  about  the  structural  integrity 
of  some  componen  ts  exposed  to  cabin  pressures  less  than  14.7  psi  during  entry.  These  components 
would  require  a  postflight  structural  analysis  to  determine  if  they  should  be  replaced  prior  to  next  flight, 
resulting  in  extended  turnaround  time  and  unnecessary  cost  to  the  program. 

DOCUMENTATION :  Minutes  of  Initial  10.2  psia  Certification  meeting,  August  18,  1986. 

A17-304  10.2  PSIA  CABIN  PRESSURE  MANAGEMENT  FOR  MULTIPLE 

EVA'  S 

FOR  MULTIPLE  EVA'S,  THE  CABIN  WILL  REMAIN  AT  10.2  PSIA  UNTIL  THE 
LAST  SCHEDULED  EVA  HAS  BEEN  COMPLETED. 

Cabin  repressurization  from  10.2  to  14.7  psia  requires  45  lb  of  N2  and  11  lb  of  02-  Repressurizing  the 
cabin,  knowing  that  another  EVA  is  pending,  would  cause  an  unnecessary  use  of  consumables. 

DOCUMENTATION :  Engineering  judgment. 
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A17-305  14.7  PSIA  CABIN  REPRESSURIZATION  LIMITATION 

CABIN  REPRESSURIZATION  WILL  NOT  BE  PERFORMED  IF  A  CABIN  LEAK  OF 
UNKNOWN  ORIGIN  OCCURS  WHILE  THE  CABIN  PRESSURE  IS  BEING  MANAGED 
AT  10.2  PSIA. 

By  repressing  the  cabin  with  a  declared  unknown  leak  in  the  pressurized  module,  a  structural  pressure 
cycle  will  be  imparted  on  the  cabin  which  could  cause  the  leak  to  enlarge.  If  the  leak  is  of  known  origin 
and  the  source  of  the  leak  ensures  the  hole  will  not  become  larger  by  repressing  the  cabin  to  14.7  psia, 
then  a  cabin  repressurization  may  be  performed  if  it  can  be  done  within  the  consumables  guidelines  of 
Rule  [A17-201B},  CABIN  PRESSURE  INTEGRITY. 

DOCUMENTATION :  Engineering  judgment. 

A17-306  10.2  PSIA  CABIN  TEMPERATURE  CONSTRAINT 

CABIN  REPRESSURIZATION  TO  14.7  PSIA  WILL  BE  PERFORMED  IF  THE 
CABIN  TEMPERATURE  CANNOT  BE  MAINTAINED  <80  DEG  F. 

The  maximum  air  outlet  temperature  for  all  flight  deck  avionics  is  130  deg  F.  At  a  10.2  psia  cabin 
pressure,  the  avionics  have  a  50  deg  F  delta  temperature  across  the  LRU.  Therefore,  the  flight  deck 
avionics  must  have  an  air  inlet  of  less  than  or  equal  to  80  deg  F  so  that  the  avionics  will  not  overtemp. 
This  rule  is  designed  to  protect  the  IMU’s  which  cannot  be  powered  down  and  are  flight-critical 
avionics. 

DOCUMENTATION:  SEH-ITA-83-179T. 

Rule  l A1 7-308},  ATCS  (10.2  PSIA  CABIN)  CONFIGURATION,  references  this  rule. 

A17-307  PAYLOAD  10.2  PSIA  CABIN  OPERATIONS 

PAYLOADS  WITHIN  THE  CREW  MODULE  THAT  HAVE  NOT  BEEN  CERTIFIED  TO 
OPERATE  IN  A  30  PERCENT  C£  ENVIRONMENT  WILL  BE  POWERED  OFF  DURING 
10.2  PSIA  CABIN  OPERATIONS. 

The  Orbiter  Middeck/Payload  Standard  Interface  Control  Document  (ICD)  gives  a  requirement  that 
payloads  must  be  compatible  with  a  31  percent  O2  environment  at  10.2  psia  cabin  pressure.  This  avoids 
creating  an  ignition  source  in  a  high  oxygen  concentrated  environment.  This  rule  applies  to  payloads 
which  may  have  a  waiver  or  some  other  reason  for  being  manifested  on  a  flight  with  a  scheduled  cabin 
depress. 

DOCUMENTATION:  Orbiter  Middeck/Payload  Standard  ICD,  ICD  2-1  M001,  March  1984. 


VOLUME  A  06/20/02  FINAL  LIFE  SUPPORT  17-68 

Verify  that  this  is  the  correct  version  before  use. 


NASA  -  JOHNSON  SPACE  CENTER 


FLIGHT  RULES 


A17-308  ATCS  (10.2  PSIA  CABIN)  CONFIGURATION 

ATCS  CONFIGURATION  WILL  BE  AS  FOLLOWS: 

A.  WITH  ONLY  ONE  FLOW  PROPORTIONING  VALVE  (FPV)  IN  THE 
INTERCHANGER  (ICH)  POSITION,  A  FES  PRIMARY  CONTROLLER  MUST  BE 
ACTIVATED.  ®[ED  ] 

With  only  one  FPV  in  the  ICH  position,  the  FES  is  required  to  maintain  cabin  temperature  <  80  deg  F 
and  the  avionics  bay  air  outlet  temperatures  <  130  deg  F  (per  Rule  {A1 7-306 j,  10.2  PSIA  CABIN 
TEMPERATURE  CONSTRAINT).  ®[ED  ] 

B.  WITH  BOTH  FPV' S  IN  THE  ICH  POSITION,  THE  FES  MAY  BE 
DEACTIVATED  IF  ORBITER  ATTITUDES  ALLOW  THE  RADIATORS  TO 
CONTROL  THE  EVAP  OUT  T  <  52  DEG  F.  ®[ED  ] 

This  should  maintain  cabin  temperature  <  80  deg  F  and  the  avionics  bay  air  outlet  temperatures 
<  130  deg  F  (per  Rule  (A17-306),  10.2  PSIA  CABIN  TEMPERATURE  CONSTRAINT).  However, 
the  FES  is  normally  activated  during  10.2  psia  operations  to  minimize  fluctuations  in  cabin 
temperature  and  cabin  pressure. 

During  periods  when  the  orbiter  attitude  allows  sunlight  into  the  orbiter  windows,  the  cabin  temperature 
may  experience  fluctuations  that  exceed  80  deg  F.  For  those  cases,  the  window  sunshades  should  be 
installed  on  the  affected  windows  to  minimize  the  thermal  impact. 

DOCUMENTATION:  SEH-ITA-83-179T;  flight  data  (STS-7,  STS-41D,  STS-31). 

A17-309  CABIN  PRESSURE  TIME  AT  10.2  PSIA 

TIME  AT  10.2  PSIA  WILL  BE  MINIMIZED  AS  MUCH  AS  PRACTICAL. 

Operations  at  10.2  psia  run  closer  to  the  flammability  and  cooling  limits  (than  at  14.7 psia)  as  well  as 
putting  the  orbiter  in  an  off-nominal  configuration  for  emergency  deorbit.  For  these  reasons,  time  at 
10.2  psia  should  be  minimized.  However,  the  prebreathe  protocol  that  requires  the  crew  to  be  at  10.2 
psia  for  36  hours  prior  to  an  EVA  should  have  priority  over  the  these  concerns.  The  36-hour  period  is 
required  to  avoid  the  initial  1-  hour  prebreathe  prior  to/during  cabin  depress. 

Documentation:  SEH-ITA-83-179T,  Minutes  of  Initial  10.2  psia  Certification  meeting,  August  18,  1986. 
Reference  Rule  (A13-103),  EVA  PREBREATHE  PROTOCOL.  ®[oi  2694-1 600  ] 
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WASTE  COLLECTION  SYSTEM  (WCS) / 
VACUUM  VENT  LOSS  DEFINITIONS 


A17-351  WCS  SEPARATOR 

THE  WCS  SEPARATOR  IS  CONSIDERED  LOST  IF: 

A.  UNABLE  TO  ESTABLISH  DC  OR  AC  POWER  TO  THE  WCS  SEPARATOR. 

B.  THE  SEPARATOR  IS  FLOODED  AND  CANNOT  BE  CLEARED. 

The  primary  function  of  the  WCS  separator  is  to  separate  waste  water  from  the  cabin  atmosphere.  If  the 
separator  is  flooded  and  cannot  be  cleared,  or  it  will  not  start  because  it  is  unpowered,  it  is  considered 
lost. 

DOCUMENTATION :  Engineering  judgment. 

A17-352  WCS  URINE  COLLECTION 

WCS  URINE  COLLECTION  CAPABILITY  IS  CONSIDERED  LOST  IF  UNABLE  TO 
TRANSPORT  URINE  TO  THE  WASTE  WATER  SYSTEM  THROUGH  EITHER  PATH  IN 
THE  WCS. 

The  primary  function  of  the  WCS  urine  collection  system  is  to  transport  liquid  waste  water  to  the  waste 
water  tank.  If  the  line  is  blocked,  leaking,  or  both  separators  are  lost  or  any  combination  of  failures 
which  prevents  the  WCS  from  transporting  urine  to  the  waste  water  system,  the  urine  collection  mode  is 
considered  lost. 

DOCUMENTATION :  Engineering  judgmen  t  and  schematic. 
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A17-353  WCS  COMMODE 

THE  WCS  COMMODE  IS  CONSIDERED  LOST  AND  SHOULD  NO  LONGER  BE 
OPERATED  IF: 

A.  UNABLE  TO  OPEN  THE  SLIDE  VALVE. 

B.  THE  COMMODE  IS  FULL  AND  CANNOT  BE  EMPTIED. 

C.  UNABLE  TO  ESTABLISH  SUFFICIENT  AIRFLOW  THROUGH  COMMODE  OUTLET 
TO  CONTAIN  FECAL  MATTER  WHEN  THE  SLIDE  VALVE  IS  OPEN. 

D .  VACUUM  VENT  CANNOT  BE  REMOVED  FROM  COMMODE  FOR  WCS  USAGE . 

E.  THE  FECAL  STORAGE  TANK  IS  RUPTURED. 

The  commode  must  be  able  to  collect  and  retain  fecal  matter.  Operation  of  the  WCS  with  any  of  the 
above  conditions  ( except  paragraph  D)  results  in  potential  fecal  matter  in  the  cabin  environment,  which 
is  unacceptable  for  reason  of  crew  health. 

For  conditions  A,  B,  C,  and  E,  lengthy  IFM  procedures  may  have  to  be  executed.  If  the  WCS  cannot  be 
repaired,  the  mission  may  be  terminated  early  because  only  a  finite  number  of  bags  are  carried  on  the 
orbiter. 

If  the  vacuum  vent  (ref.  paragraph  D)  cannot  be  removed  from  the  commode  during  WCS  usage,  the 
WCS  is  at  least  partially  open  to  vacuum.  Furthermore,  operation  of  the  WCS  under  this  condition 
could  damage  the  slide  valve  and/or  its  seals.  Several  EECOM/IFM  methods  exist  to  remove  the  vacuum 
vent  from  the  commode  ( e.g.,  STS-33  in-flight  anomaly),  but  the  intent  of  this  rule  is  to  cease  WCS 
operations  while  the  WCS  is  being  evaluated  and  repaired. 

DOCUMENTATION :  Engineering  judgment  and  schematic. 
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A17-354  VACUUM  VENT  LOSS  DEFINITION 

VACUUM  VENT  CAPABILITY  IS  LOST  IF  THE  VACUUM  VENT  ISOLATION  VALVE 
FAILS  CLOSED  AND  THE  WCS  WASTE  COLLECTOR  PRESSURE  EXCEEDS  1.0 
PSIA  WITH  THE  COMMODE  NOT  IN  USE. 

The  primary  functions  of  the  vacuum  vent  are  to  vent  gaseous  waste,  particularly  H2  gas  extracted  from 
fuel  cell  product  water  (approximately  9.75  x  E-5  Ib/hr),  overboard  and  to  provide  a  means  for 
evacuation  and  depressurization  of  the  airlock  for  EVA.  The  vacuum  vent  isolation  valve  is  constructed 
such  that  an  orifice  in  the  valve  plate  allows  a  flow  of  approximately  3  Ib/hr  even  with  the  valve  fully 
closed.  Assuming  the  commode  is  not  in  use,  an  increasing  WCS  waste  collector  pressure  would  indicate 
an  obstruction  somewhere  in  the  vacuum  vent  line,  the  line  pressure  is  increasing  from  the  buildup  of 
hydrogen  from  the  hydrogen  separators,  and  cabin  air  from  the  WCS  wet  trash  vents  as  the  line  attempts 
to  equalize  to  cabin  pressure.  The  choice  of  1.0  psia  as  a  failure  definition  is  not  precise;  however,  since 
the  time  required  to  reach  1.0  psia  after  the  failure  occurs  is  short  (approximately  10  minutes),  it  is  used 
to  eliminate  transducer  inaccuracy  as  the  cause  and  to  ensure  time  to  identify  a  real  problem. 

This  mixture  of  hydrogen  and  oxygen  (from  the  air)  could  produce  localized  pockets  of  potentially 
flammable/detonable  mixture,  and  an  alternate  means  to  vent  this  mixture  overboard  is  required.  While 
this  is  no  longer  possible  to  vent  gaseous  waste  overboard  through  the  vacuum  vent  line,  the  capability  to 
depressurize  the  airlock  for  EVA  can  still  be  accomplished  through  use  of  the  hatch  “  B”  equalization 
valves,  or  in  the  case  of  a  Spacehab  module,  through  the  use  of  the  hatch  “  C”  equalization  valves. 

®[ED  ] 

DOCUMENTATION :  Engineering  judgment  and  schematic. 

Rule  (A1 7-405 1,  VACUUM  VENT  SYSTEMS  MANAGEMENT  [CIL],  references  this  rule. 
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WCS /VACUUM  VENT  MANAGEMENT 


A17-401  WCS  USAGE  CONSTRAINT 

THE  WCS  WILL  NOT  BE  USED  IF: 

A.  THE  CABIN  IS  BEING  REPRESSURIZED. 

Possible  low  O2  concentrations  resulting  from  high  N2flow  during  cabin  repressurization  could  cause 
possible  acute  hypoxia  of  the  crewmember  using  the  WCS.  Due  to  the  small  area  that  the  WCS  is  in  and 
due  to  the  location  of  the  WCS  in  relation  to  the  PCS  panel,  M010W,  exposure  to  the  WCS  area  should 
be  minimized. 

DOCUMENTATION:  CSD-SH-194. 

B.  AN  EMU  IS  BEING  DRAINED. 

The  WCS  fan  separator  maximum  waste  water  flowrate  is  0.09  Ibm/sec.  With  a  crewmember  using  the 
WCS  at  a  flowrate  of  0.088  Ibm/sec,  the  separator  will  flood  when  the  EMU  waste  water  is  also  drained 
through  the  WCS. 

DOCUMENTATION:  SODB  4.6.2.2.1.a.l.a  and  4.6.2.2.3.b.2.b. 

A17-402  LEAKING  WCS  WATER  LINES 

FOR  AN  UNREPARABLE  LEAK  IN  THE  WCS  URINE  LINE  FROM  THE  INLINE 
FILTER  TO  THE  WCS/WASTE  WATER  INTERFACE  QUICK  DISCONNECT,  NO 
LIQUIDS  WILL  BE  TRANSPORTED  THROUGH  THE  WCS. 

This  is  to  prevent  water  from  flowing  into  the  cabin.  Free  water  in  the  cabin  could  cause  crew  exposure 
to  bacteria  and  toxins  con  tained  in  waste  water  or  the  possibility  of  an  electrical  circuit  malfunction. 

DOCUMENTATION :  Engineering  judgment  and  schematic. 
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A17-403  ALTERNATE  FECAL  COLLECTION 

IF  THE  WCS  COMMODE  IS  LOST,  THE  CREW  WILL  USE  THE  APOLLO  FECAL 
BAG  TO  COLLECT  FECAL  MATTER. 


Waste  bags  are  the  alternate  method  of  collecting  waste.  The  standard  man  ifest  provides  40  bags  to 
accommodate  at  least  a  PLS  plus  2  days  (3  days). 

DOCUMENTATION:  Engineering  judgment  and  Crew  Compartment  Configuration  Drawings,  drawing 
SED-32 101 800-306. 

A17-404  ALTERNATE  URINE  COLLECTION 

IF  THE  WCS  URINE  COLLECTION  CAPABILITY  IS  LOST,  THE  CREW  WILL  USE 
THE  APPROPRIATE  CONTINGENCY  DEVICE:  THE  MALE  URINE  COLLECTION 
DEVICE  (UCD )  OR  THE  FEMALE  URINE  ABSORPTION  SYSTEM  (UAS) . 

UCD’s  and  UAS’s  are  alternate  measures  for  collecting  urine.  The  standard  manifest  provides  58 
UCD’s  (four  are  dedicated  to  the  EMU’s )  and  36  UAS’s  to  accommodate  at  least  a  PLS  plus  2  days  (3 
days). 

DOCUMENTATION :  Engineering  judgment  and  Crew  Compartment  Configuration  Drawings,  drawing 
SED-32101 800-306. 
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A17-405  VACUUM  VENT  SYSTEMS  MANAGEMENT  [CIL] 

A.  SHOULD  THE  VACUUM  VENT  ISOLATION  VALVE  FAIL  CLOSED,  WCS  WASTE 
COLLECTOR  PRESSURE  WILL  BE  UTILIZED  TO  MONITOR  PROPER  VENTING 
OF  GASEOUS  WASTE  OVERBOARD  THROUGH  THE  VACUUM  VENT  ORIFICE. 

B.  IF  VACUUM  VENT  CAPABILITY  IS  LOST,  THE  WCS  VACUUM  VALVE  MUST 
REMAIN  OPEN  FOR  THE  DURATION  OF  THE  MISSION,  INCLUDING  ENTRY. 

C.  IF  VACUUM  VENT  CAPABILITY  IS  LOST,  THE  FOLLOWING  STEPS  WILL 
BE  ACCOMPLISHED: 

1.  THE  "CONTINGENCY  VACUUM  VENT  OPERATION"  IFM  WILL  BE 
ACCOMPLISHED  TO  RESTORE  VACUUM  VENT  CAPABILITY. 

2.  WCS  COMMODE  OPS  WILL  BE  TERMINATED  UNTIL  VACUUM  VENT 
CAPABILITY  IS  RESTORED. 

3.  THE  IFM  HOSE  WILL  BE  DISCONNECTED  AT  THE  CONTINGENCY 
WATER  CROSSTIE  WASTE  QD  DURING  WASTE  WATER  DUMPS. 

4.  THE  "CONTINGENCY  VACUUM  VENT  OPERATION"  IFM  WILL  REMAIN 
INSTALLED  THROUGH  ENTRY. 

Failure  of  the  vacuum  vent  isolation  valve  in  the  closed  position  will  not  adversely  impact  nominal  WCS 
operations;  however,  WCS  waste  collector  pressure  will  be  closely  monitored  to  ensure  proper  operation 
of  the  vacuum  vent  system.  If  vacuum  vent  capability  is  considered  lost  (ref  Rule  { A17-354} ,  VACUUM 
VENT  LOSS  DEFINITION),  WCS  commode  ops  will  be  terminated  until  vacuum  ven  t  capability  is 
restored  through  use  of  the  CONTINGENCY  VACUUM  VENT  OPERATION  IFM  to  minimize  hydrogen 
release  into  the  cabin  and  to  stop  the  rapid  (within  minutes)  formation  of  a  flammable/detonable  gas 
mixture  with  the  WCS/vacuum  vent  ducting.  Upon  indications  of  vacuum  vent  failure,  preliminary 
analysis  calls  for  implementation  of  the  IFM  within  1  to  2  hours  to  preclude  formation  of  localized 
pockets  of  a  potentially  flammable/detonable  mixture.  At  no  time  should  the  WCS  vacuum  valve  be  closed 
as  this  would  result  in  a  potentially  flammable/detonable  gas  mixture  forming  in  the  vacuum  vent  duct  in 
a  matter  of  minutes.  Once  the  IFM  is  accomplished,  it  will  remain  in  place  for  the  duration  of  the  mission 
through  entry  to  ensure  safe,  overboard  venting  of  hydrogen  gas.  To  prevent  possible  waste  water  backup 
into  the  cabin,  the  IFM  hose  will  be  disconnected  at  the  contingency  water  crosstie  waste  QD  during 
waste  water  dumps. 

DOCUMENTATION :  Engineering  judgment  and  schematic.  Informal  letter  from  Michael  D.  Pedley  to 
John  Wong;  Subject:  Compatibility  of  Nyloseal  tubing  with  a  hydrogen/air  mixture,  dated  September  6, 
1990. 
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WASTE  WATER  LOSS  DEFINITIONS 


A17-451  WASTE  WATER  TANK 

THE  WASTE  WATER  TANK  IS  CONSIDERED  LOST  IF: 

A.  UNABLE  TO  FILL  THE  TANK. 

B.  THE  TANK  OR  INLET  MANIFOLD  HAS  AN  IRREPARABLE  LEAK. 

C.  THE  WASTE  TANK  QUANTITY  IS  AT  98  (93)  PERCENT  AND  WASTE  DUMP 
CAPABILITY  IS  LOST. 

D.  THE  WASTE  TANK  HAS  A  BELLOWS  LEAK  AND  THE  WASTE  LIQUID 
PRESSURE  IS  >  5  PSID  ABOVE  THE  H20  N2  REGULATOR  INLET 
PRESSURE.  ®[ED  ] 

The  primary  purpose  of  the  waste  tank  is  to  collect  and  store  waste  water.  If  the  line  to  the  waste  tank  is 
blocked  or  has  an  irreparable  leak,  or  if  the  waste  water  tank  is  full  and  cannot  be  dumped,  the  waste 
tank  is  considered  lost.  For  an  irreparable  leak,  the  waste  tank  will  be  unable  to  store  waste  water.  For 
a  bellows  leak,  there  is  no  way  to  determine  the  quantity  in  the  waste  water  tank.  The  waste  liquid 
pressure  normally  reads  approximately  the  same  as  H2O  N2  regulator  inlet  pressure.  If  the  waste  liquid 
pressure  is  ?5  psid,  then  the  waste  water  tank  is  full  and  will  not  be  allowed  to  store  any  more  water, 
because  then  water  will  transfer  into  the  N2  system  by  passing  through  the  hydrophobic  filter. 

DOCUMENTATION:  Engineering  judgment  and  SODB,  4. 6. 2. 2. 4. c.  2. 
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A17-452  WASTE  WATER  DUMP  CAPABILITY 

THE  WASTE  WATER  DUMP  CAPABILITY  IS  CONSIDERED  LOST  IF: 

A.  THE  WASTE  WATER  DUMPLINE  TEMPERATURE  CANNOT  BE  MAINTAINED 
>  32  DEG  (37  DEG)  F. 

This  is  the  minimum  temperature  at  which  a  successful  dump  may  be  accomplished  to  prevent  any  ice 
from  forming  on  the  nozzle  and  to  prevent  the  water  in  the  dumpline  from  freezing. 

The  contingency  crosstie  will  not  be  used  because  it  is  downstream  of  the  dump  isolation  valve.  This  is 
to  prevent  the  stagnant  water  in  the  waste  water  dumpline  from  forming  into  ice,  while  the  waste  water  is 
being  dumped  through  the  supply  water  nozzle. 

DOCUMENTATION:  SEH-TCH-85-036. 

B.  THE  WASTE  WATER  DUMPLINE  IS  BLOCKED  AND  THE  CREW  IS  UNABLE  TO 
USE  THE  CONTINGENCY  CROSSTIE. 

If  the  dumpline  is  blocked,  the  primary  path  to  dump  waste  water  is  unusable.  If  the  crew  cannot  use  the 
contingency  crosstie  to  dump  waste  water  through  the  supply  water  nozzle  (see  Rule  { A18-52 }, 
SUPPLY/WASTE  WATER  CROSSCONNECT),  the  only  other  method  to  dump  waste  water  has  been  lost. 

DOCUMENTATION :  Engineering  judgment. 

C.  AN  IRREPARABLE  LEAK  IN  THE  LINE  EXISTS  PAST  THE  WASTE  DUMP 
ISOLATION  VALVE. 

This  is  to  prevent  free  water  in  the  cabin  if  the  leak  is  inside  the  crew  module.  If  the  leak  is  outside  the 
576  bulkhead,  it  is  to  prevent  ice  from  forming  under  the  payload  bay  liner  causing  damage  to  the 
equipment  that  is  located  under  the  liner. 

DOCUMENTATION :  Engineering  judgmen  t  and  schematic. 
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A17-452  WASTE  WATER  DUMP  CAPABILITY  (CONTINUED) 

D.  BOTH  WASTE  NOZZLE  TEMPERATURE  TRANSDUCERS  ARE  FAILED,  THE  RMS 
IS  UNAVAILABLE  TO  OBSERVE  A  WASTE  WATER  DUMP,  AND  THE  CREW  IS 
UNABLE  TO  USE  THE  CONTINGENCY  CROSSTIE. 

With  no  insight  into  the  nozzle  temperatures,  waste  water  dumps  will  not  be  permitted  (without  the  RMS 
observing)  to  prevent  forming  an  icicle  on  the  nozzle  due  to  an  undetectable  heater  failure.  If  available, 
the  RMS  must  be  used  to  observe  all  subsequent  dumps.  Once  ice  growth  outward  from  the  nozzle  is 
visually  observed,  the  dump  shall  be  terminated  (see  Rule  { A17-505C j,  WASTE  WATER  DUMP 
NOZZLE  TEMPERATURE  CONSTRAINTS).  If  the  crew  cannot  use  the  contingency  crosstie  to  dump 
waste  water  through  the  supply  water  nozzle  (see  Rule  {A18-52J,  SUPPLY/WASTE  WATER 
CROSSCONNECT),  the  only  remaining  method  to  dump  waste  water  has  been  lost. 

DOCUMENTATION :  Engineering  judgment. 

E.  THE  NOZZLE  TEMPERATURE  CRITERIA  FOR  DUMPING  WASTE  WATER 
CANNOT  BE  MET  AND  THE  CREW  IS  UNABLE  TO  USE  THE  CONTINGENCY 
CROSSTIE . 

If  the  nozzle  temperature  criteria  cannot  be  met,  the  primary  path  to  clump  waste  water  is  unusable 
(ref.  Rule  { A17-505 },  WASTE  WATER  DUMP  NOZZLE  TEMPERATURE  CONSTRAINTS).  If  the  crew 
cannot  use  the  contingency  crosstie  to  dump  waste  water  through  the  supply  water  nozzle  ( ref.  Rule 
{A18-52},  SUPPLY/WASTE  WATER  CROSSCONNECT),  the  only  other  method  to  dump  waste  water  has 
been  lost. 

DOCUMENTATION :  Engineering  judgment. 
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WASTE  WATER  MANAGEMENT 


A17-501  ALTERNATE  PRESSURE  VALVE  MANAGEMENT 

THE  ALTERNATE  PRESSURE  VALVE  WILL  NORMALLY  BE  CLOSED  THROUGHOUT 
THE  FLIGHT. 

The  alternate  pressure  valve  is  a  backup  means  of  supplying  pressure  (cabin  pressure)  to  the  water- 
system.  Normal  water  system  pressurization  utilizes  the  gaseous  nitrogen  system.  Activation  of  this 
valve  only  lowers  available  water  system  pressure  to  cabin  pressure  and  should  be  used  in  a  contingency 
mode  only. 

DOCUMENTATION:  Engineering  judgment,  SODB  4.6. 1.1.1  r,  SODB  figures  4.6. 1-3  and  4.6. 1-4. 


A17-502  WASTE  DUMP  NOZZLE  ICE  FORMATION 

A.  IF  ICE  IS  DETECTED  ON  THE  WASTE  DUMP  NOZZLE,  ALL  FURTHER 
DUMPS  FROM  EITHER  NOZZLE  WILL  BE  DISCONTINUED  UNTIL  SUCH  TIME 
AS  THE  ABSENCE  OF  THE  ICE  CAN  BE  VERIFIED.  ®[061 396-1 878C] 

B.  ONCE  THE  ABSENCE  OF  ICE  CAN  BE  VERIFIED  VISUALLY  OR  BY  THE 
OBSERVATION  OF  NOMINAL  NOZZLE  HEATER  CYCLES,  DUMPS  FROM  THE 
SUPPLY  NOZZLE  MAY  BE  PERFORMED. 

C.  SUBSEQUENT  WASTE  DUMPS  MAY  BE  CONSIDERED  IF  SUFFICIENT  ULLAGE 
(WASTE  TANK  +  CWCS)  IS  NOT  AVAILABLE  TO  MAKE  NOMINAL  EOM,  AND 
A  METHOD  TO  VISUALLY  OBSERVE  THE  NOZZLE  IS  AVA I L ABLE .  @[061396- 
1878C] 

Detectable  ice  buildup  on  the  waste  dump  nozzle  has  been  known  to  compound  the  ice  formation  on  the 
supply  nozzle  due  to  the  close  proximity  of  the  nozzles  to  each  other  ( approximately  6.5  to  7.0  inches). 
Frost  has  not  been  a  problem.  If  the  ice  can  be  procedurally  removed,  supply  dumping  can  be  resumed 
because  the  mechanism  aiding  in  the  supply  nozzle  ice  growth  no  longer  exists.  The  original  problem 
causing  the  waste  nozzle  to  ice  is  probably  still  present  so  the  risk  of  creating  more  ice  is  reduced  by  not 
allowing  any  more  waste  dumps.  When  a  method  is  available  to  visually  observe  the  nozzle  for  ice 
formation,  the  dump  can  be  stopped  when  it  is  observed  that  the  ice  is  starting  to  grow  outward  from  the 
nozzle  and  before  the  ice  becomes  a  problem.  ®[061 396-1 878C] 

DOCUMENTATION :  Engineering  judgment;  CSD-SH-291;  flight  data  STS-8,  STS  41-B,  STS  41-D  and 
STS-65.  ®[061 396-1 878C] 

Rule  I A1 7-505},  WASTE  WATER  DUMP  NOZZLE  TEMPERATURE  CONSTRAINTS,  references  this 

rule.  ®[061 396-1 878C] 
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A17-503  WASTE  WATER  STORAGE 

THE  FOLLOWING  TECHNIQUES  WILL  BE  USED,  IN  ORDER  OF  PRIORITY,  TO 
MANAGE  WASTE  WATER. 

The  priorities  for  management  of  liquid  waste  are  necessary  to  provide  for  protection  of  the  crew’s 
health  while  maintaining  ability  to  complete  certain  mission  objectives. 

A.  PLAN  TO  DUMP  THE  WASTE  WATER  THROUGH  THE  WASTE  WATER  DUMP 
NOZZLE  BEFORE  THE  WASTE  QUANTITY  REACHES  80  PERCENT.  DEORBIT 
WAVEOFF  PLANS  WILL  INCLUDE  A  WASTE  DUMP  PRIOR  TO  THE  TANK 
REACHING  8  0  PERCENT.  ®[042502-5329B] 

Filling  the  waste  tank  up  to  80  percent  helps  minimize  the  number  of  dumps  that  need  to  be  performed 
during  a  mission.  The  80  percent  limit  allows  time  for  the  ground  arid  crew  to  react  in  case  of  problems 
executing  the  dump  (ice,  blockage,  crew  or  attitude  availability,  etc.)  and  put  off  con  tingency  measu  res 
such  as  constraining  WCS  ops  or  offloading  waste  water  into  a  CWC. 

B.  IF  REQUIRED  TO  SUPPORT  THE  LAST  POSSIBLE  LANDING  DAY  FOR  A 

MISSION,  FILL  THE  WASTE  TANK  TO  NO  MORE  THAN  93  (88)  PERCENT 

AT  2  HOURS  AFTER  THE  LAST  LANDING  OPPORTUNITY  FOR  THAT  DAY. 

Allowing  the  tank  to  exceed  80  percent  in  this  case  may  avoid  a  waste  dump  on  a  waveojf  day  and 
thereby  save  crew  time,  attitude  maneuvers,  and  propellant.  Ninety-three  (88)  percent  and  the  2  hours 
after  the  last  landing  opportunity  allow  adequate  ullage  for  postlanding  prior  to  vehicle  powerdown,  as 
well  as  expansion  of  gas  in  the  waste  water  tank  when  the  water  tanks  are  “unpressurized”  due  to 
vacuum  vent  inerting. 

Paragraphs  A  and  B  are  the  most  acceptable  way  to  manage  the  waste  water  system  because  they  provide 
for  protection  of  the  crew’s  health  by  isolating  the  waste  water  from  the  supply  water  system  and  from 
the  crew  compartment. 

C.  UTILIZE  THE  CONTINGENCY  WATER  COLLECTION  BAG  (CWC) . 

Paragraph  C  also  protects  crew  health  and  ground  turnaround  of  the  supply  water  system;  however,  it 
raises  significant  operational  concerns,  including  crew  time  for  unstowing,  using  and  restowing 
equipmen  t,  temporary  stowage  of  the  CWC  in  the  middeck,  planning  for  CWC  clump  and/or  stowage  for 
landing,  and  possibility  of  odor  from  the  CWC  (unlikely  due  to  CWC  redesign).  ®[042502-5329B] 
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A17-503  WASTE  WATER  STORAGE  (CONTINUED) 

D.  USE  THE  CONTINGENCY  WATER  CROSSTIE  TO  DUMP  WASTE  WATER 
THROUGH  THE  SUPPLY  WATER  DUMP  NOZZLE. 

The  contingency  water  crosstie  limits  the  amount  of  line  that  has  to  be  replaced  during  ground 
turnaround  ( potable  water  is  protected  from  contamination  by  the  dump  isolation  and  tank  A  outlet 
valves). 

E.  TERMINATE  THE  FLIGHT  EARLY. 

F.  CONFIGURE  SUPPLY  WATER  TANK  B  AS  A  SPARE  WASTE  TANK  AFTER  THE 
LAST  EMU  RECHARGE  FOR  ALL  PLANNED  EVA'S. 

Waste  water  will  contaminate  FES  feedline  A  and  the  EMU  supply  line.  In  addition,  vehicle  turnaround 
at  KSC  is  impacted  when  the  potable  water  system  is  contaminated  by  waste  water. 

DOCUMENTATION:  Engineering  judgment,  schematic,  and  1.3-TM-DF86050-014. 

A17-504  MINIMUM  WASTE  TANK  QUANTITY  AFTER  DUMPING 

WASTE  TANK  WILL  NOT  BE  DUMPED  TO  0  PERCENT  (5  PERCENT) . 

This  is  to  prevent  the  metal  bellows  from  being  subjected  to  stress  while  hard  on  the  stops.  If  the  waste 
tank  is  at  0  percen  t,  a  vacuum  will  exist  on  the  waste  dumpline  and  the  waste  tank  bellows.  If  there  is  a 
vacuum  on  the  water  side  of  the  bellows,  a  cabin  leak  will  occur  when  the  WCS  and  the  humidity 
separator  liquid  check  valve  cracks.  If  the  pressure  on  the  water  side  decreases  sufficiently,  the  bellows 
will  exceed  their  maximum  operational  pressure  of  28  psid  or  its  burst  pressure  of  32  psid. 

DOCUMENTATION :  Engineering  judgment,  schematic,  and  MC-262-0067. 
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A17-505 


WASTE  WATER  DUMP  NOZZLE  TEMPERATURE  CONSTRAINTS 


A. 


THE  WASTE  DUMP  NOZZLE  TEMPERATURE  SHOULD  NOT  EXCEED  350  DEG  F 
WHILE  THE  NOZZLE  HEATERS  ARE  ACTIVATED. 


The  maximum  design  operating  temperature  of  the  waste  water  dump  nozzle  is  350  deg  F.  External  tiles 
surrounding  the  nozzle  are  likely  to  debond  if  this  temperature  is  exceeded. 

B.  NORMALLY,  WASTE  WATER  DUMPS  WILL  BE  INITIATED  WHEN  THE  NOZZLE 
TEMPERATURES  ARE  GREATER  THAN  150  DEG  F. 


This  is  the  minimum  temperature  (on  STS-35)  at  which  waste  water  dumps  have  been  accomplished ). 
DOCUMENTATION:  STS-35  flight  data  and  STS-35  SPAN-MER  CHIT  037. 


C. 


IF  THE  RMS  IS  USED  TO  OBSERVE  A  WASTE  H20  DUMP,  THE  DUMP  WILL 
BE  TERMINATED  IF  EITHER: 

1.  THE  WASTE  WATER  DUMP  NOZZLE  TEMPERATURE  IS  <  45  DEG  F. 

THE  NOZZLE  MAY  BE  REHEATED  FOR  ANOTHER  DUMP  ATTEMPT; 

OR 

2.  ICE  GROWTH  OUTWARD  FROM  THE  NOZZLE  IS  VISUALLY  OBSERVED. 
ANOTHER  DUMP  WILL  NOT  BE  ATTEMPTED  UNTIL  THE  ICE 
FORMATION  IS  MELTED.  NOZZLE  GLAZING  OR  FROSTING  IS  NOT 
CAUSE  TO  TERMINATE  THE  DUMP. 


The  minimum  temperature  limit  prevents  ice  from  forming  on  the  nozzle.  Instrumentation  error  is  not 
considered  when  the  RMS  is  available  to  monitor  for  ice  formation.  The  clump  can  be  stopped  when  it  is 
observed  that  the  ice  is  starting  to  grow  outward  from  the  nozzle  and  before  it  becomes  a  problem. 

DOCUMENTATION:  SODB  3. 4.6.2,  table  3. 4. 6.2.1,  and  flight  data. 
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A17-505  WASTE  WATER  DUMP  NOZZLE  TEMPERATURE  CONSTRAINTS 

(CONTINUED) 


D.  IF  THE  RMS  IS  NOT  OBSERVING  THE  WASTE  WATER  DUMP,  THE  DUMP 

WILL  BE  TERMINATED  IF  THE  WASTE  DUMP  NOZZLE  TEMPERATURE  IS  < 
50  DEG  F.  THE  NOZZLE  MAY  BE  REHEATED  FOR  ANOTHER  DUMP 
ATTEMPT . 


This  is  the  minimum  temperature  used  in  past  missions  at  which  successful  waste  water  dumps  have  been 
accomplished.  Another  dump  attempt  will  be  done  only  if  the  slope  of  the  dump  nozzle  temperature 
indicates  a  normal  profile  (to  preven  t  the  formation  of  ice  on  the  nozzle). 

DOCUMENTATION:  STS-49  and  STS-46  flight  data. 

E.  IF  PLATEAUING  IS  OBSERVED  ANYTIME  IN  THE  NOZZLE  TEMPERATURE 
WARM-UP  PROFILE,  NO  FURTHER  WASTE  H?  0  DUMPS  WILL  BE 
PERFORMED . 

The  plateauing  effect,  indicating  that  ice  has  formed  on  the  nozzle,  has  been  obsen’ed  on  past  flights.  To 
preven  t  more  ice  from  forming  on  the  nozzle,  no  dumps  will  be  performed  until  Rule  j A17-502J ,  WASTE 
DUMP  NOZZLE  ICE  FORMATION,  is  satisfied. 

DOCUMENTATION:  SEH-ITA-84-134  and  flight  data. 

Rule  {A1 7-452),  WASTE  WATER  DUMP  CAPABILITY,  references  this  rule. 
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A17-506  WASTE  WATER  SYSTEM  LEAK  MANAGEMENT 

FOR  WASTE  WATER  SYSTEM  LEAKS,  THE  FOLLOWING  GUIDELINES  WILL 
PERTAIN: 

A.  IF  FREE  WASTE  WATER  IS  IN  THE  CABIN,  THE  "FREE  FLUID 
DISPOSAL"  IFM  PROCEDURE  WILL  BE  PERFORMED  IMMEDIATELY.  IF 
PRACTICAL,  THE  WASTE  WATER  TANK  WILL  BE  DUMPED  TO  5  PERCENT 
PRIOR  TO  INITIALLY  PERFORMING  THE  "FREE  FLUID  DISPOSAL"  IFM 
PROCEDURE . 

Immediate  removal  of  free  waste  water  is  necessary  to  protect  the  crew  from  the  bacteria  and  toxins  in 
the  waste  water.  Free  fluid  in  the  cabin  is  an  unacceptable  condition  because  of  LRU  exposure  to  the 
free  liquid  causing  an  electric  circuit  malfunction  and  possible  subsequent  LRU  failures. 

Dumping  the  waste  water  tank  creates  additional  ullage  so  that,  if  the  IFM  procedure  causes  a  blockage 
in  the  waste  water  dump  line,  waste  water  will  continue  to  collect  to  maximize  the  on-orbit  stay  period. 
STS-32  experienced  free  water  in  the  lower  equipment  bay  due  to  degraded  humidity  separator 
collection.  The  FREE  FLUID  DISPOSAL  IFM  was  employed  to  dump  the  water  overboard  via  the  waste 
water  dump  nozzle.  However,  while  employing  the  IFM  procedure  on  the  third  occasion  during  the 
mission  on  FD  10,  the  waste  water  dump  line  became  blocked  by  matter  collected  using  the  free  fluid 
nozzle  (wand).  The  mission  was  then  limited  by  the  remaining  ullage  in  the  waste  water  tank  and  the 
CWC  volume. 

For  the  STS-36  humidity  separator  failure,  the  waste  water  tank  was  dumped  prior  to  using  the  FREE 
FLUID  DISPOSAL  IFM.  Even  though  no  blockage  occurred  in  the  waste  water  dump  line,  the  mission 
on-orbit  stay  was  maximized  by  having  additional  ullage  created  by  the  dump. 

DOCUMENTATION:  Ref.  STS-32  MER  Anomaly  #21,  January  19,  1990;  STS-32  CAR  No.  32RF21; 
STS-36  MER  Anomaly  #11,  April  3,  1990;  STS-36  CAR  No.  36RF13;  and  engineering  judgmen  t. 

B.  IF  THE  WASTE  TANK  HAS  AN  IRREPARABLE  EXTERNAL  LEAK,  THE  TANK 
WILL  BE  VENTED  TO  CABIN  PRESSURE  AND  DUMPED  OVERBOARD  (IF 
POSSIBLE) .  PROVISIONS  WILL  BE  MADE  FOR  COLLECTION  OF  LIQUID 
WASTE  USING  CWC.  IF  POSSIBLE,  NO  FURTHER  WASTE  WATER  WILL  BE 
ALLOWED  TO  ACCUMULATE  IN  THE  WASTE  TANK.  @[090894-1 665A] 
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A17-506  WASTE  WATER  SYSTEM  LEAK  MANAGEMENT  (CONTINUED) 

Venting  a  leaking  waste  tank  equalizes  the  pressure  to  that  of  the  cabin,  which  serves  to  reduce  the 
outflow  of  waste  water  into  the  cabin.  Dumping  the  waste  tank  is  necessary  to  further  prevent  waste 
water  flow  into  the  cabin  and  should  be  done  unless  otherwise  prevented  from  doing  so.  Since  the 
orbiter  has  only  one  waste  tank,  the  CWC  is  used  to  collect  liquid  waste  from  the  Humidity  and  WCS 
Fan  Separators.  The  CWC  is  then  dumped  periodically,  based  on  the  actual  flight  waste  production 
rate.  Each  flight  typically  carries  two  CWC’s,  rated  at  95  Ibm  H2O.  For  a  typical  7 -person  crew, 
this  is  about  45  hours  capability  per  CWC  based  on  0.3  lb/hr  per  crewmember.  ®[090894-l  665A] 

®[041 1 96-1 874A] 

C.  IF  AN  UNISOLABLE  N2  LEAK  INVOLVING  THE  WASTE  TANK  IS  PRESENT, 
THE  N2  SUPPLY  TO  THE  WATER  PRESSURIZATION  SYSTEM  WILL  BE  SHUT 
OFF.  LEAK  LOCATION  PERMITTING,  AN  IFM  TO  ISOLATE  THE  WASTE 
TANK  FROM  THE  REST  OF  THE  WATER  PRESSURIZATION  SYSTEM  WILL  BE 
PERFORMED.  THE  REMAINING  PARTS  OF  THE  WATER  SYSTEM  WILL  BE 
RETURNED  TO  NORMAL  PRESSURE  ONCE  THAT  IFM  IS  COMPLETE  (LEAK 
LOCATION  PERMITTING) . 

For  an  unisolable  N2  leak,  the  N2  pressurant  supply  to  the  water  pressurization  manifold  is  temporarily 
shut  off  to  prevent  continuous  N 2  flow  into  the  cabin.  Returning  to  normal  water  system  pressurization 
is  highly  desirable,  since  the  FES  is  sometimes  adversely  affected  by  lower  system  pressures  (depending 
on  orbiter  power  level  and  cooling  needs). 

DOCUMENTATION :  STS-55  flight  experience  and  engineering  judgment. 


VOLUME  A  06/20/02  FINAL  LIFE  SUPPORT  17-85 

Verify  that  this  is  the  correct  version  before  use. 


NASA  -  JOHNSON  SPACE  CENTER 


FLIGHT  RULES 


A17-507  QMS  &  PRCS  BURNS  WITH  FREE  H2Q  IN  THE  CABIN 

CONSIDERATION  WILL  BE  GIVEN  TO  DELAYING  NON-CRITICAL  OMS  AND  PRCS 
BURNS  WHEN  THE  PRESENCE  OF  FREE  B^O  IN  THE  CREW  CABIN  IS 
CONFIRMED.  @[051195-1755] 

In  microgravity,  the  surface  tension  of  water  tends  to  force  free  water  to  collect  in  globules.  OMS  and 
PRCS  burns  have  the  potential  to  disperse  free  H2O  throughout  the  Cabin/LEB,  possibly  being  dislodged 
to  the  surfaces  of  electrically  powered  LRU’s/wire  bundles,  thus  providing  the  potential  for  an  electrical 
short. 

Several  flights  have  had  instances  where  large  amounts  ofH20  was  present  in  the  LEB.  During  STS-27 
and  STS-32,  approximately  2  gallons  of  free  H2O  was  found  present  in  the  lower  equipment  bay.  This 
water  was  found  to  be  dispersed  and  present  on  the  surfaces  of  several  pieces  of  equipment  in  the  LEB. 

On  STS-27,  some  of  this  water  seeped  through  two  middeck  panels. 

The  amount  ofH20  present,  its  location  and  adherence  to  equipment  or  structure,  and  the  criticality  of 
the  burn  will  determine  if  delaying  of  the  burn  will  be  necessary. 

DOCUMENTATION:  Engineering  judgment.  @[051195-1755] 
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GALLEY  MANAGEMENT  LIFE  SUPPORT  ®[021 600-71 39A] 


A17-551  IODINE  REMOVAL  IMPLEMENTATION 

A.  HARDWARE  INSTALLATION  AND  REMOVAL 

1.  ON  FLIGHT  DAY  1,  IODINE  REMOVAL  HARDWARE  SHALL  BE 
INSTALLED . 

2.  ON  ENTRY  DAY,  IODINE  REMOVAL  HARDWARE  SHALL  BE  REMOVED 
AND  STOWED  AFTER  THE  CREW  HAS  DRAWN  WATER  IN  PREPARATION 
FOR  FLUID  LOADING. 

3.  IF  A  1-DAY  DEORBIT  WAVEOFF  IS  DECLARED,  IODINE  HARDWARE 
NEED  NOT  BE  REINSTALLED  AFTER  DEORBIT  PREP  BACKOUT . 


Galley  Iodine  Removal  hardware  consists  of  the  Galley  Iodine  Removal  Assembly  (GIRA)  or  the  Low 
Iodine  Residual  System  (LIRS).  The  GIRA  is  an  assembly  of  a  microbial  filter  and  an  activated 
carbon/ion  exchange  (ACTEX)  cartridge  which  eliminates  iodine  from  chilled  galley  water  and  reduces 
the  concen  tration  to  about  1.5  ppm  in  galley  ambient/hot  water.  The  LIRS  is  a  single  piece  of  hardware 
designed  to  reduce  the  iodine  levels  in  both  the  galley  chilled  and  hot  water  to  about  0.25  mg/L.  The 
hardware  is  installed  as  soon  as  practical  to  maintain  the  crew  iodine  consumption  to  less  than  1 
mg/day/crewmember.  It  is  removed  after  crew  fluid  loading  prep  is  complete.  During  the  time  period  of 
a  1-day  waveoff,  the  crew  will  not  consume  enough  iodine  to  be  a  health  risk.  Therefore,  reinstallation  is 
not  required. 

Reference  Rule  {A13-30},  IODINE  REMOVAL  REQUIREMENT. 

DOCUMENTATION:  NSTS  07700,  VolX-Book  1,  Para  3.3.1.2.4.9,  defines  the  total  iodine 
consumption  per  day/crewperson. 

4.  IF  LIRS  IS  MANIFESTED  AND  THERE  IS  A  FAILURE  OF  ANY  LIRS 
HARDWARE  THAT  CANNOT  BE  REPAIRED,  THE  GIRA  SHALL  BE 
INSTALLED  IN  ITS  PLACE.  THE  GIRA  WILL  THEN  BE  USED  UNTIL 
FLUID  LOADING  PREP  IS  COMPLETE  AT  END  OF  MISSION. 

5.  FOR  THE  FAILURE  OF  BOTH  THE  LIRS  AND  GIRA,  THE  SYSTEM  IN 
PLACE  WILL  BE  REMOVED  AND  THE  MISSION  WILL  CONTINUE  TO 
COMPLETION. 


The  requirement  is  to  minimize  the  amount  of  iodine  consumed  by  the  crew.  This  will  be  accomplished 
within  the  capacity  of  the  hardware  without  compromising  primary  mission  objectives.  ®[021 600-71 39A] 
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A17-551  IODINE  REMOVAL  IMPLEMENTATION  (CONTINUED) 

B.  WATER  CONSUMPTION  CONSTRAINTS  ®[021 600-71 39A] 

1.  WHILE  THE  GIRA  IS  IN  USE,  CONSUMPTION  OF  AMBIENT  OR  HOT 
WATER  DISPENSED  BY  THE  GALLEY  SHOULD  BE  LIMITED  TO  16 
OUNCES  PER  DAY  PER  CREWMEMBER.  CONSUMPTION  OF  CHILLED 
WATER  IS  NOT  CONSTRAINED. 


Hot  water  in  the  amount  of  16  ounces  at  1.5  ppm  iodine  +  iodide  is  equivalent  to  0.7  mg  of  iodine  + 
iodide.  The  galley  will  dispense  in  incremen  ts  as  small  as  0.5  ounces.  If  additional  hot  water  is  desired, 
water  from  the  chilled  side  can  be  heated  in  a  drink  bag  or  food  container  in  the  gcdley  oven.  Note  that 
the  ground  has  no  means  to  monitor  hot  water  consumption. 

Reference  Rule  {A13-30},  IODINE  REMOVAL  REQUIREMENT. 

2.  THERE  ARE  NO  CONSTRAINTS  TO  WATER  CONSUMPTION  WHILE  THE 
LIRS  IS  IN  USE. 


Iodine  levels  are  low  enough  in  both  the  chilled  and  ambient/hot  water  to  maintain  the  iodine 
consumption  below  the  daily  limit. 

C.  GALLEY  SLEEP  CONFIGURATION 

1.  IF  THE  GIRA  IS  IN  USE  DURING  SLEEP  PERIODS,  THE  CHILLED 
SUPPLY  LINE  WILL  BE  DISCONNECTED  FROM  THE  GIRA  HARDWARE 
AND  CONNECTED  TO  THE  SUPPLY  TEE  AT  THE  CHILLED  LINE  QD . 
IODINATED  CHILLED  WATER  WILL  BE  CIRCULATED  BY  CYCLING  THE 
GALLEY/RHS  SWITCH.  THE  GIRA  CONNECTION  WILL  BE  RESTORED 
IN  POSTSLEEP.  UNIODINATED  CHILLED  WATER  WILL  BE 
CIRCULATED  BY  CYCLING  THE  GALLEY/RHS  SWITCH. 


This  configuration  will  bypass  the  GIRA  during  chilled  water  recirculations  and  leave  iodinated  water  in 
the  galley  overnight  to  inhibit  microbial  growth.  The  iodine  is  provided  by  the  MCV  connected  on  the 
ambien  t  line.  In  the  morning,  uniodinated  water  will  be  restored  to  the  chilled  lines  for  crew 
consumption  by  returning  the  GIRA  to  its  original  configuration.  ®[021 600-71 39A] 
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A17-551  IODINE  REMOVAL  IMPLEMENTATION  (CONTINUED) 

2.  FOR  DUAL  SHIFT  FLIGHTS  UTILIZING  THE  GIRA,  IN  EACH  24- 
HOUR  PERIOD,  THE  GALLEY  WILL  BE  PLACED  IN  THE  SLEEP 
CONFIGURATION  FOR  A  MINIMUM  OF  1  CONTINUOUS  HOUR. 

®[021 600-71 39A] 

In  order  to  provide  microbial  control  in  the  chilled  water  side  of  the  galley  during  dual  shift  flights,  it  is 
recommended  that  the  ACTEX  cartridge  and  microbe  filter  be  bypassed  for  a  minimum  of  1  hour  during 
each  24 -hour  period  (2  hours  is  optimum ).  This  is  accomplished  by  placing  the  GIRA  hardware  in  the 
Sleep  configuration  described  in  C.l  above.  The  volume  of  the  chilled  water  loop  is  approximately  4 
ounces  or  120  ml.  The  recirculation  pump  operates  at  a  rate  of  1  L/minfor  20-seconds  every  8  minutes 
causing  about  2.4  L  iodincited  water/hour  to  circulate  through  the  system.  The  resulting  iodinated  water 
dwell  time  is  sufficient  to  inhibit  microbial  growth. 

3.  IF  THE  LIRS  IS  IN  USE,  NO  RECONFIGURATION  FOR  SLEEP  IS 
REQUIRED . 

There  is  sufficient  iodine  in  the  chilled  water  from  the  LIRS  to  protect  the  water  from  microbial  growth 
during  sleep  periods. 

D.  NOMINAL  EMU  DRINK  BAG  FILL  -  FOR  EACH  EVA,  THE  EMU  DRINK  BAGS 
SHALL  BE  FILLED  FROM  THE  AUX  PORT. 

EMU  drink  bags  will  be  filled  from  the  Aux  port  based  on  crew  specific  preflight  tests  ofTSH  levels.  The 
amount  of  iodine  consumed  from  cm  EMU  drink  bag  filled  in  this  manner  will  not  be  detrimental  to  crew 
members  with  low  TSH  levels. 

E.  ALTERNATE  EMU  DRINK  BAG  FILL: 

1.  FOR  EACH  EVA,  THE  EMU  DRINK  BAGS  SHALL  BE  FILLED  DIRECTLY 
DOWNSTREAM  OF  THE  IODINE  REMOVAL  HARDWARE. 

2.  THE  BAGS  MUST  BE  USED  WITHIN  24  HOURS  OF  FILLING. 

3.  AFTER  EACH  EVA,  THE  EMU  DRINK  BAGS  WILL  BE  FILLED  WITH 
WATER  FROM  THE  GALLEY  AUX  PORT. 

4.  IODINATED  WATER  WILL  BE  DRAWN  INTO  THE  EMU  BAG  DRINK 

VALVE  .  ®[021 600-71 39A] 
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A17-551  IODINE  REMOVAL  IMPLEMENTATION  (CONTINUED) 

5.  THE  BAG  WILL  SIT  UNTIL  THE  NEXT  EVA  OR  POST  EVA  ENTRY 
PREP  OR  NO  LESS  THAN  1  HOUR.  ®[021 600-71 39A] 

6.  THE  AMOUNT  OF  WATER  ADDED  WILL  BE  AT  LEAST  EQUAL  TO  ONE 
HALF  THE  TOTAL  VOLUME  OF  THE  BAG. 

If  preflight  tests  indicate  crew  TSH  levels  are  high,  the  EMU  drink  bags  will  be  filled  with  low  (LIRS)  or 
uniodinated  (GIRA)  water  for  each  EVA.  The  iodine  concentration  of  the  water  used  to  fill  the  bags  is 
not  sufficien  t  to  inhibit  microbial  growth  in  the  drink  bag  for  greater  than  24  hours.  If  the  GIRA  is 
installed,  the  bag  must  be  filled  from  the  chilled  side.  If  the  LIRS  is  installed,  the  bag  can  be  filled  from 
either  the  ambient  or  chilled  side.  After  an  EVA,  the  bags  will  be  filled  with  partially  iodinated  water 
from  the  Galley  Auxiliary  port  to  combat  any  microbial  growth  in-between  EVA’s  or  until  the  bags  are 
drained  in  the  Post  EVA  Entry  Prep.  This  sit  time  must  be  no  less  than  1  hour.  When  filled  with 
iodinated  water,  water  must  be  drawn  into  the  EMU  bag  drink  valve  to  ensure  that  this  area  is  also 
flushed  with  iodinated  water.  Iodinated  water  must  be  added  at  a  ratio  of  1  to  2  in  order  to  achieve  a 
minimum  iodine  concentration  to  combat  microbial  growth  ( i.  e. ,  add  a  minimum  16  oz ■  iodinated  water 
to  a  32  oz-  bag). 

Reference  Rule  {A13-30},  IODINE  REMOVAL  REQUIREMENT.  ®[02i 600-71 39A] 
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SPACEHAB  FIRE /SMOKE  @[111501-4992] 


A17-601  SPACEHAB  FIRE /SMOKE  DETECTION  LOSS 

A.  SPACEHAB  SMOKE  DETECTION  SHALL  BE  CONSIDERED  LOST  FOR  ANY  ONE 
OF  THE  FOLLOWING  REASONS: 

1.  ONE  SMOKE  DETECTOR  FAILS  BOTH  PORTIONS  OF  THE  CIRCUIT 
TEST  AND  THE  OTHER  SMOKE  DETECTOR  FAILS  EITHER  PORTION  OF 
THE  CIRCUIT  TEST  (LOSS  OF  THREE  OF  THE  FOUR  SMOKE 
INDICATIONS) . 

Each  smoke  detector  electronics  assembly  provides  a  frequency  output  for  continuous  monitoring,  rate 
and  concentration  alarm  signals,  reset  capability  to  recycle  the  alarm  signal  for  hazard  evaluation,  and 
a  built-in  self  test  circuit  to  verify  the  status  of  the  smoke  sensor.  If  either  the  concentration  of  particles 
(from  potential  fire  and  smoke  sources )  or  the  rate  of  concentration  increase  measured  by  the  sensor 
becomes  larger  than  defined  values,  a  continuous  alarm  signal  is  generated.  To  obtain  a  rate  alarm,  the 
sensor  output  frequency  must  change  at  a  rate  of  4.0  Hz/sec  for  eight  consecutive  time  intervals  of  2.5 
seconds  each.  The  concentration  alarm  is  obtained  whenever  the  sensor  output  frequency  exceeds  820 
±36  Hz  (approximately  2000  to  2500  ? g/m **3)  for  two  consecutive  time  intervals  of  2.5  seconds  each. 
Energizing  the  self-test  circuit  generates  an  internal  signal,  which  examines  the  sensor  electronics  and 
produces  an  alarm  signal  to  signify  a  properly  functioning  unit.  This  sequence  verifies  sensor  signal 
circuit  continuity  from  the  sensor  since  a  circuit  failure  would  prevent  obtaining  an  alarm  signal.  The 
only  hardware  failure  that  can  be  detected  by  the  circuit  test  is  an  air  pump  failure,  which  would  force 
the  detector  to  fail  both  portions  of  the  circuit  test.  If  the  smoke  detector  passes  either  portion  of  the 
circuit  test,  the  air  pump  is  then  verified  as  operative,  and  the  concentration  readout  sent  to  the  GPCfor 
FDA  limit  sensing  (Class  0  only,  does  not  produce  alarm )  is  considered  a  valid  indication.  If  only  one 
indication  is  left  in  the  Spacehab,  the  system  is  considered  suspect  to  the  point  of  being  unreliable. 

2 .  POWER  TO  THE  DETECTORS  CANNOT  BE  MAINTAINED . 

Power  is  required  for  the  smoke  detectors  to  operate.  ®[1 11501-4992  ] 
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A17-601  SPACEHAB  FIRE/SMOKE  DETECTION  LOSS  (CONTINUED) 

3.  LOSS  OF  AIR  CIRCULATION  DEFINED  PER  THE  FOLLOWING:  ®[1 11501- 

4992] 

a.  (SM/LDM)  ONLY)  LOSS  OF  ATMOSPHERIC  REVITALIZATION 
SYSTEM  (ARS)  FAN  AND  CABIN  FAN  ®[ED  ] 

b.  (RDM)  ONLY)  LOSS  OF  BOTH  HFA  FANS 

Loss  of  air  circulation  prevents  particulates  from  reaching  the  smoke  detector  in  a  timely  man  ner  if  the 
combustion  is  not  close  to  the  smoke  detector.  In  the  SM/Logistics  Double  Module  (LDM)  configuration, 
either  the  ARS  or  cabin  fan  provides  sufficient  airflow  for  smoke  detection. 

For  the  RDM,  any  single  fan  provides  airflow  to  the  smoke  sensors.  Analysis  to  ensure  adequate  air 
circulation  with  the  habitable  volume  of  the  Research  Double  Module  [RDM)  for  crew  comfort  and  to 
preclude  areas  of  stagnation,  has  been  performed  with  at  least  one  HFA  fan  operating  nominally.  When 
all  three  fans  are  operating  nominally,  the  airflow  is  approximately  680  cfm,  which  results  in  the  module 
air  volume  being  recirculated  approximately  every  3.5  minutes.  For  loss  of  either  a  single  HFA  fan  or 
the  ARS  fan,  the  airflow  is  reduced  to  approximately  460  cfin,  which  results  in  the  module  air  volume 
being  recirculated  approximately  every  5  minutes  such  that  smoke  detection  may  only  be  slightly  delayed. 
For  loss  of  the  ARS  fan  and  a  single  HFA  fan,  the  airflow  is  approximately  270  cfm,  which  results  in  the 
module  air  volume  being  recirculated  approximately  every  9  minutes  such  that  delay  in  smoke  detection 
is  still  not  considered  significan  t  enough  to  be  considered  lost.  The  stated  times  are  average  times  for 
each  case  and  actual  times  for  smoke  detection  is  dependen  t  on  location  and  severity  of  the  fire.  Note 
that  without  the  ARS  fan  operating,  the  mixing  box  cap  must  be  removed  for  adequate  smoke  detection  in 
the  forward  module  subfloor  volume  (reference  Rule  {A17-757},  RDM  MIXING  BOX  CAP).  With  only 
the  ARS  fan  operating  and  neither  HFA  fan  operating,  the  airflow  within  the  aft  module  subfloor  volume 
may  not  be  sufficien  t  to  provide  timely  movemen  t  of  smoke  particles  from  this  location  to  the  smoke 
sensors.  Since  no  analysis  has  been  performed  for  this  fan  configuration,  smoke  detection  is  considered 
lost  in  this  case.  If  both  HFA  fans  are  failed,  opening  pcinel(s)  above  the  aft  subfloor  volume  may 
improve  air  circulation  in  this  region  until  cm  IFM  can  be  performed  to  recover  an  HFA  fan.  Reference: 
Boeing  MEMO  2C-SPACEHAB-01044  and  A90-SPACEHAB-2000192.  ®[i  11501-4992  ]  ®[ED  ] 
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A17-601  SPACEHAB  FIRE/SMOKE  DETECTION  LOSS  (CONTINUED) 

B.  FOR  LOSS  OF  ONE  OF  THE  FOUR  SMOKE  INDICATIONS,  NOMINAL 
SPACEHAB  OPERATIONS  MAY  CONTINUE.  @[111501-4992] 


Three  smoke  indications  remain  that  can  be  used  to  provide  monitoring  capability  and  fire  confirmation, 
half  of  one  smoke  detector  and  a  second/redundant  smoke  detector. 

C.  FOR  LOSS  OF  TWO  OF  THE  FOUR  SMOKE  INDICATIONS,  SPACEHAB 
OPERATIONS  MAY  CONTINUE;  HOWEVER,  A  SMOKE  SENSOR  TEST  IS 
REQUIRED  EVERY  24  HOURS. 


Two  of  four  smoke  indications  are  lost  when  one  smoke  sensor  fails  both  portions  of  the  circuit  test  or 
both  smoke  sensors  fail  either  portion  of  the  circuit  test.  A  smoke  sensor  test  is  required  every  24  hours 
to  verify  that  the  remaining  two  smoke  detection  indications  are  valid. 

D.  FOR  LOSS  OF  SMOKE  DETECTION,  SPACEHAB  OPERATIONS  MAY  CONTINUE 
IF  A  CREWMEMBER  IS  AWAKE  IN  THE  MODULE  AT  ALL  TIMES  TO 
MONITOR  FOR  SMOKE/FIRE.  IF  AN  AWAKE  CREWMEMBER  WILL  NOT  BE 
IN  THE  MODULE,  THE  MODULE  WILL  BE  DEACTIVATED  (EXCEPT  FOR  PL 
AFT  MN  B)  AND  CONFIGURED  FOR  SAFE  ENTRY  AND  THE  HATCH  CLOSED 
UNTIL  THE  CREW  RETURNS. 


An  awake  crewmember  must  be  available  for  monitoring  the  module  for  smoke/fire.  If  cm  awake 
crewmember  is  not  inside  the  module,  the  Spacehcib  must  be  configured  for  a  safe  entry.  This 
configuration  will  force  the  deactivation  of  certain  experimen  ts. 

PL  AFT  MN  B  remains  powered  because  it  is  the  only  source  of  power  to  the  Spacehab  water  line  heaters 
that  protect  the  Spacehab  water  line  from  freezing.  ®[i  11501-4992  ] 
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A17-602  SPACEHAB  FIRE/SMOKE  CONFIRMATION 

A.  CONFIRMATION  OF  A  FIRE  WILL  BE  ANY  ONE  OR  MORE  OF  THE 
FOLLOWING:  @[111501-4992] 

1 .  CREW  OBSERVANCE  OF  SMOKE  OR  FLAME 

2.  FOR  A  SPACEHAB  MODULE  WITH  A  CLOSED  HATCH,  ANY  ONE  OF  THE 
FOLLOWING: 

a.  BOTH  SMOKE  DETECTOR  CONCENTRATION  LEVELS  OVER  2000 
?  G/M*  *  3 

b.  ONE  CONCENTRATION  LEVEL  2000  ?G/M**3  AND  INCREASING 
(SUBSEQUENT  TO  A  SENSOR  TEST,  WHEN  POSSIBLE),  AND  THE 
ALTERNATE  DETECTOR  HAS  FAILED  CIRCUIT  TEST 

c.  ONE  CONCENTRATION  LEVEL  2000  ?G/M**3  AND  INCREASING, 
AND  CONFIRMATION  BY  ELECTRICAL  DATA  OF  A  SUSTAINED 
SHORT 


A  confirmation  is  required  to  accurately  detect  afire  condition;  this  confirmation  can  be  via  a  separate 
smoke  detector  indicating  a  concentration  level  over  2000  ? g/m * *3  or  crew  observations.  In  the  event 
the  alternate  smoke  detector  fails  both  portions  of  the  circuit  test,  per  Rule  {A17-601},  SPACEHAB 
FIRE/SMOKE  DETECTION  LOSS,  the  functional  detector  must  be  tested  successfully  every  24  hours.  A 
sensor  test  is  not  possible  during  ascent/entry  since  the  crew  does  not  have  access  to  the  SSP.  Any 
indications  of  a  sustained  short  in  the  module  with  a  concentration  above  2000  7  g/m*  *3  will  also  be 
considered  as  confirmation  of  fire. 

B.  CONFIRMATION  OF  SMOKE  DETECTION,  AS  DEFINED  IN  PARAGRAPH  A, 
IS  REQUIRED  PRIOR  TO  FIRE  SUPPRESSION  SYSTEM  (FSS)  OR 
PORTABLE  FIRE  EXTINGUISHER (S )  DISCHARGE. 

A  secondary  cue  is  mandatory  for  FSS  or  portable  extinguisher  discharge.  Paragraph  A  defines  the  cues 
required  to  confirm  fire/smoke  and  ensures  that  action  is  not  taken  for  a  failed  sensor. 

C.  VISIBLE  SMOKE  AND/OR  FIRE  IS  A  CONFIRMED  EMERGENCY  WITH  OR 
WITHOUT  SMOKE  DETECTOR  WARNING. 

Self-explanatory.  ®[1 11501-4992  ] 
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A17-603  SPACE HAB  FI RE /SMOKE  MANAGEMENT 

A.  ASCENT /ENTRY  @[111501-4992] 

FOR  A  CONFIRMED  SPACEHAB  FIRE  (SEE  RULE  {A17-602A},  SPACEHAB 
FIRE/SMOKE  CONFIRMATION,  FOR  CONFIRMATION  CUES),  THE  FSS  WILL 
BE  ARMED  AND  DISCHARGED. 

The  Payload  Safety  Review  Panel  approved  SH  HR  F-l,  which  states  that  the  module  material  selection 
and  design  practices  should  prevent  initiation  and/or  propagation  of  a  fire.  Based  on  this,  the  most 
likely  cause  of  smoke  in  the  module  would  be  from  a  transient  electrical  short. 

The  STS-60  Flight  Techniques  Panel  concluded  on  November  23,  1993,  that,  for  a  confirmed  fire  during 
ascent,  the  FSS  should  be  discharged.  This  panel  consisted  of  represen  tatives  of  Crew  Safety, 

Emergency,  Environmental  and  Consumables  Management  (EECOM),  STS-60  CDR,  Safety,  Flight 
Surgeon,  and  Spacehab.  Flight  experiences  (STS-6,  STS-28,  and  STS-35)  indicate  that  short-term 
electrical  transients  do  not  typically  produce  enough  smoke  to  exceed  smoke  sensor  noise  levels,  which  is 
far  below  alarm  thresholds.  Once  the  fire  confirmation  criteria  outlined  in  Rule  {A1 7-602 j,  SPACEHAB 
FIRE/SMOKE  CONFIRMATION,  has  been  satisfied,  it  can  be  inferred  that  the  cause  of  smoke  in  this 
case  would  not  be  self-safing  and  that  crew  action  must  be  taken.  Based  on  proper  material  selection 
and  stowage,  removal  of  power  from  the  module  should  be  adequate  to  safe  the  situation.  However,  if 
removal  of  main  power  to  the  module  was  required,  it  would  not  be  advisable  to  subsequen  tly  repower 
the  module  (removal  of  power  was  the  only  corrective  action  taken  to  safe  the  situation).  Additionally, 
the  sustained  burning  described  could  have  released  highly  toxic  combustion  products  into  the  module 
atmosphere,  and  it  should  remain  isolated  from  the  orbiter.  Since  module  ingress  after  an  event  of  this 
magnitude  is  unlikely,  and  since  removal  of  power  removes  insight  into  fire  propagation  (smoke 
concentration  readings),  it  is  considered  prudent  to  maximize  protection  by  discharging  Halon  from  the 
FSS. 

Documentation:  SH  HR  F-l,  STS-60  OFTP  Minutes  (November  23,  1993),  STS-6,  STS-28,  STS-35  flight 
experience,  and  engineering  judgment. 

B.  ON-ORBIT 

1.  FLIGHT  CREW  RESPONSIBILITIES 

THE  COMMANDER  (CDR)  AND  PILOT  (PLT )  WILL  EXIT  THE 
SPACEHAB  MODULE  AT  THE  INITIAL  SMOKE  DETECTOR  WARNING  OR 
OBSERVANCE  OF  SMOKE/FLAME. 

Should  smoke  incapacitate  a  portion  of  the  crew  ( i.  e. ,  the  Spacehab  crewmember(s)),  evacuating  the 
CDR  and  PLT  will  guarantee  the  availability  of  healthy  crewmembers  to  accomplish  entry  and  landing. 
@[111501-4992] 
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A17-603  SPACEHAB  FIRE/SMOKE  MANAGEMENT  (CONTINUED) 

2.  SPACELAB  EMERGENCY  BREATHING  SYSTEM  (SEBS)  @[111501-4992] 

®[ED  ] 

a.  SEBS  WILL  BE  PARTIALLY  DONNED  AT  THE  INITIAL  WARNING. 

b.  THE  SEBS  WILL  BE  DONNED  AND  ACTIVATED  ONLY  IF  THE 
FIRE/SMOKE  IS  CONFIRMED  AS  DEFINED  IN  RULE  {A17-602}, 
SPACEHAB  FIRE/SMOKE  CONFIRMATION. 

C.  SEBS  WILL  BE  UTILIZED  BY  THE  CREWMEMBER  ( S )  UNTIL  THEY 
EXIT  FROM  THE  SPACEHAB  MODULE  AND  HAVE  CLOSED  AND 
LATCHED  THE  SPACEHAB  HATCH. 


Partially  donned  means  that  the  SEBS  shall  be  unstowed  and  be  readied  for  use  without  actually  putting 
on  the  facemask.  Hydrogen  cyanide  (HCN),  hydrogen  fluoride  (HF),  hydrogen  bromide  (Hbr),  and 
carbon  monoxide  (CO)  are  four  potentially  toxic  thermal  degradation  products  ofHalon  1301, 
insulation,  and  paint.  Levels  exceeding  the  spacecraft  maximum  allowable  concentration  criteria 
(SMAC)  could  be  produced  from  discharging  a  single  fire  suppression  system  (FSS)  bottle  on  afire. 
Reference  Rule  {A13-152B},  CABIN  ATMOSPHERE  CONTAMINATION. 

3.  AT  THE  FIRST  INDICATION  OF  FIRE/SMOKE,  THE  ATMOSPHERE 
REVITALIZATION  SUBSYSTEM  (ARS)  FAN  WILL  BE  DEACTIVATED 
AND  PL  ISO  VLV  WILL  BE  CLOSED,  EXCEPT  WHEN  OPERATING  IN 
THE  LDM  REDUCED  POWER  MODE  WHERE  THE  ARS  FAN  WILL  BE 
DEACTIVATED  AND  THE  PL  ISO  VLV  CLOSED  UPON  CONFIRMATION 
OF  A  FIRE. 


Removal  of  power  to  the  ARS  fan  and  closing  the  PL  ISO  VLV  is  necessary  to  determine  smoke  source 
(Spacehctb  or  orbiter),  will  reduce  the  chance  of  a  fire  spreading,  and  will  reduce  the  circulation  of 
fumes  and  smoke  into  the  orbiter.  A  Spacelab  analysis  showed  that  crew  movement  had  a  negligible 
effect  on  overall  cabin  atmosphere  with  the  fans  off.  By  analogy,  toxic  gases,  fumes,  etc.,  in  the 
Spacehctb  module  will  likely  only  propagate  by  diffusion.  In  the  LDM  reduced  power  mode,  the 
Spacehctb  ARS  fan  will  not  be  deactivated  until  afire  has  been  confirmed  because  the  cabin  fan  is  not 
operating  to  provide  continued  smoke  detection.  ®[1 11501  -4992  ] 
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4.  FOR  A  CONFIRMED  SPACEHAB  FIRE,  THE  FOLLOWING  ACTIONS  WILL 

BE  USED  IN  PRIORITY  AS  REQUIRED  TO  SUPPRESS  THE  FIRE: 

@[111501-4992  ] 

a.  REMOVE  INDIVIDUAL  LINE  REPLACEABLE  UNIT  (LRU)  POWER 
(IF  CREW  CAN  DETERMINE  SOURCE  OF  SMOKE),  FOLLOWED  BY 
CREW  EVALUATION. 

b.  IF  POSSIBLE,  USE  PORTABLE  FIRE  EXTINGUISHER  ON 
INDIVIDUAL  LRU,  FOLLOWED  BY  CREW  EVALUATION. 

C.  PERFORM  MAIN  POWER  KILL  BY  ARMING  THE  FSS,  FOLLOWED 
BY  CREW  EVALUATION. 

d.  SECURE  MODULE  FOR  ENTRY  AND  LANDING,  OPEN  MANUAL 
CABIN  DEPRESS  VALVE  (CDV) ,  EGRESS  MODULE,  CLOSE 
HATCH,  AND  DISCHARGE  THE  FSS. 

e.  DEPRESS  THE  SPACEHAB  MODULE  USING  THE  CDV  IF  SIGNS  OF 
FIRE  PERSISTS  AFTER  FSS  DISCHARGE. 

The  crew  will  attempt  to  remove  power  from  the  fire  source  (if  the  source  can  be  determined).  If  that 
does  not  work  and  the  crew  can  identify  the  individual  LRU,  the  crew  can  use  the  Portable  Fire 
Extinguisher  to  try  to  put  out  the  fire.  This  is  to  limit  the  exposure  to  Halon  1301  to  the  crewmembers 
that  are  in  the  Spacehcib  module  yet  provide  adequate  fire  suppression  in  the  affected  area.  If  the 
individual  LRU  cannot  be  identified  or  individual  LRU  powerdown  does  not  stop  the  fire,  then  the  crew 
will  arm  the  FSS  to  issue  a  MAIN  POWER  KILL,  which  eliminates  the  most  likely  source  of  the 
ignition/fire  and  stops  the  circulation  of  air/oxygen  to  the  fire.  The  crew  will  then  monitor  conditions  to 
determine  if  the  fire  has  been  scifed.  If  the  fire  has  been  extinguished,  but  the  module  atmosphere 
contaminated,  cleanup  procedures  must  be  initiated  and  the  module  isolated  from  the  orbiter,  until  the 
cleanup  is  complete. 

If  the  fire  is  not  safed,  the  module  must  be  secured  for  entry  and  prepared  for  Halon  discharge. 

Spacehcib  securing/stowing  will  be  limited  to  that  which  is  required  for  a  safe  orbiter  entry  and  landing 
configuration.  Required  stow  items  will  be  listed  on  the  Spacehab  Fire/Smoke  cue  card.  Isolating  the 
module  will  provide  protection  of  the  crew  from  the  fire,  smoke,  and  impending  Halon  release.  This 
isolation  will  also  increase  the  effectiveness  of  the  fire  suppression  system  by  constraining  the  volume. 

The  manual  cabin  depress  valve  must  be  opened  prior  to  module  egress  to  allow  for  remote 
depressurization  of  the  Spacehab  module  if  signs  of  a  fire  (temperature/pressure  increasing,  PPO2 
decreasing )  continue  after  FSS  discharge  or  failure.  ®[1 11501  -4992  ] 
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5.  SPACEHAB  REPOWERING/REVISIT  @[111501-4992] 
a.  AFTER  FSS  DISCHARGE: 

(1)  SPACEHAB  WILL  REMAIN  UNPOWERED  (EXCEPT  FOR  THE 
AFT  PL  MN  B  BUS)  FOR  THE  REMAINDER  OF  THE 
FLIGHT . 


After  Spacehcib  FSS  discharge,  fire  suppression  capability  is  limited  to  the  orbiter  hand-held  fire 
extinguishers  (if  not  previously  used)  or  depressurization  of  the  module,  which  does  not  require  main 
power.  The  AFT  PL  MN  B  bus  provides  power  to  the  H2O  loop  line  heaters  to  prevent  freezing. 

(2)  SPACEHAB  WILL  NOT  BE  REVISITED. 


If  the  FSS  is  used,  the  Spacehcib  en  vironmen  t  has  been  compromised.  The  unknown  combustion 
byproducts  concentration  resulting  from  afire  requiring  the  FSS  discharge  as  well  as  the  resultant 
Hcilon  concen  tration  precludes  revisiting  the  module  for  any  reason. 

b.  AFTER  PORTABLE  FIRE  EXTINGUISHER  DISCHARGE  FOR  A 
CONFIRMED  FIRE 

(1)  THE  MODULE  MAY  REMAIN  POWERED,  UNLESS  THE 
PORTABLE  FIRE  EXTINGUISHER  WAS  UNSUCCESSFUL  OR 
THERE  IS  AN  INDICATION  OF  A  FIRE  STILL  IN 
PROGRESS . 

(2)  THE  SPACEHAB  MODULE  WILL  NOT  BE  REVISITED,  UNLESS 
THE  ATMOSPHERE  CAN  BE  DEEMED  SAFE  PER  ALL 
FLIGHTS  RULE  {A13-152},  CABIN  ATMOSPHERE 
CONTAMINATION.  @[111501-4992] 
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C.  FOR  AN  ACCIDENTAL  DISCHARGE  OF  A  SINGLE  PORTABLE  FIRE 
EXTINGUISHER  ANYWHERE  IN  THE  SPACEHAB  MODULE  OR  FOR  A 
SINGLE  FIXED  LEAKING  PORTABLE  FIRE  EXTINGUISHER  OR 
FSS  BOTTLE  WITH  NO  SMOKE/FIRE  CONFIRMATION,  THE  CREW 
MAY  BE  EXPOSED  TO  THE  HABITABLE  ENVIRONMENT  FOR  72- 
100  HOURS  FOR  A  SPACEHAB  SINGLE  MODULE  CONFIGURATION 
AND  THE  ENTIRE  MISSION  FOR  DOUBLE  MODULE 
CONFIGURATIONS.  REAL-TIME  DISCUSSION  OF  MISSION 
EXTENSION  WILL  BE  DEPENDENT  UPON  SUCH  FACTORS  AS  CREW 
SYMPTOMS  AND/OR  PERFORMANCE.  @[111501-4992] 

The  above  criterion  was  established  based  upon  information  from  NASA’s  Hcilon  1301  Human 
Inhalation  Study  (reference  JSC  23845,  August  1989),  the  National  Research  Council  (NRC),  and  JSC 
Toxicology  Group.  The  human  study  involved  exposing  eight  volunteers  to  Halon  1301  for  a  period  of 
24  hours  at  a  concentration  of  1  percent  (10,000  ppm).  The  effects  on  both  physiology  and  performance 
were  studied  using  a  computerized  battery  of  tests  on  reaction  time,  decision-making,  etc.  No  significant 
changes  in  any  physiological  parameters  were  noted.  There  were  no  alterations  of  any  blood  counts  or 
chemistries,  no  pulmonary  function  changes,  no  cardiac  dysrhythmias,  and  no  merited  status  changes. 
There  were  no  significant  biological  decrements  in  performance  recorded  from  the  p  re- expo  sure 
baselines.  Based  on  this  study,  exposure  of  crewmembers  to  Halon  concen  tration  levels  above  1  percen  t 
is  not  recommended. 

As  a  result  of  recommendations  published  in  the  “Documentation  of  the  Spacecraft  Maximal  Allowable 
Concentration  Values  on  Brornotrifluoromethane”  (White  Paper;  JSC  Toxicology  Group),  the  NRC 
approved  revised  SMAC  levels  for  Halon  1301  on  November  18,  1993.  These  guidelines  state  that  for 
24-hour  exposure,  the  SMAC  level  is  0.35  percent  (3500  parts  per  million),  and  for  7  or  30-day 
exposure,  the  SMAC  level  is  0.18  percent  (1800  ppm).  The  JSC  Toxicology  Group  sponsored  the 
mentioned  study  and  established  SMAC  levels  with  approval  from  the  NRC. 

Discharge  of  a  portable  fire  extinguisher  and/or  a  single  fixed  leaking  fire  extinguisher  into  the  open 
Spacehcib  module  will  produce  an  equilibration  with  the  habitable  environment.  Habitable  environment 
is  defined  as  the  orbiter  crew  cabin  volume  plus  the  Spacehcib  module  volume.  A  Halon  1301  level  of 
approximately  0.20  percent  to  0.26  percent  (2000  ppm  to  2600  ppm)  will  be  achieved  in  the  Spacehcib 
single  module,  and  based  on  the  SMAC  values  mentioned  above,  the  crewmembers  can  be  exposed  to  this 
environment  for  72-100  hours.  In  the  Spacehcib  double  module  (LDM/RDM),  the  Halon  1301  level  will 
remain  below  the  30  day  SMAC  value  due  to  the  added  volume.  The  crew  can  be  exposed  to  this 
en  viron  men  t  for  the  en  tire  mission  .  ®[1 1 1 501-4992  ] 
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A  real-time  decision  to  possibly  land  earlier  than  nominal  EOM  will  be  made  by  MCC  after  the  crew  has 
been  exposed  to  Halon  1301.  Although  a  concentration  of  0.20  percent  is  less  than  the  24-hour  SMAC 
value  but  slightly  greater  than  the  7  or  30-day  SMAC  value  for  exposure  to  Halon  1301,  the  actual 
mission  duration  or  extension  is  dependent  upon  such  factors  as  crew  symptoms  and/or  performance. 
@[111501-4992] 

Reference:  Rule  {A13-152},  CABIN  ATMOSPHERE  CONTAMINATION. 
d.  AFTER  DEPRESSURIZATION: 

(1)  SPACEHAB  WILL  REMAIN  UNPOWERED  FOR  THE  REMAINDER 
OF  THE  FLIGHT  (EXCEPT  FOR  AFT  PL  MN  B  BUS) . 

(2)  SPACEHAB  AND  ORBITER  WATER  LINE  HEATERS  OR 

ORB I TER  ATTITUDE  CONTROL  FOR  THERMAL  MANAGEMENT 
TO  AVOID  FREEZING  AND  OVERPRESSURIZING  THE 
PAYLOAD  HEAT  EXCHANGER  WILL  BE  REQUIRED. 

(3)  SPACEHAB  WILL  NOT  BE  REPRESSURIZED. 


After  depressurization,  the  state  and  operational  capability  of  the  avionics  is  unknown.  The  AFT  PL  MN 
B  bus  provides  power  to  the  H2O  loop  line  heaters  to  prevent  freezing. 

C.  LOSS  OF  BOTH  THE  SPACEHAB  FSS  BOTTLE  DISCHARGE  CAPABILITIES; 
MONITOR  AND  CONTROL  PANEL  (MCP)  AND  FIRE  SUPPRESSION  CONTROL 
UNIT  (FSCU) ;  AND  LOSS  OF  SPACEHAB  DEPRESSURIZATION  CAPABILITY 
WILL  REQUIRE  THE  MODULE  TO  BE  DEACTIVATED  AND  UNPOWERED. 


Loss  of  both  fire  suppression  methods  and  loss  of  depressurization  capability  in  Spacehab  would  make 
the  module  zero  fault  tolerant  to  a  fire.  ®[1 1 1 501-4992  ] 
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SPACEHAB  ECS  MANAGEMENT  ®[1 1 1501  -501 0A] 


A17-651  SPACEHAB  ENVIRONMENTAL  CONTROL  AND  LIFE  SUPPORT 

(ECLS)  REQUIREMENTS  @[111501-4993] 

A.  THE  ANNEX  WILL  USE  THE  FOLLOWING  FORMAT  TO  ENSURE  ORBITER 
COMPATIBILITY : 

DURING  OPERATIONS  OF  SPACEHAB  ACTIVELY  COOLED  EXPERIMENTS, 

THE  ORBITER  CABIN  ATMOSPHERE  MUST  BE  MAINTAINED  WITHIN  THESE 
SPECIFIED  LIMITS: 

(PAYLOAD  1)  OPERATING  RANGE 

PPCO2  TBD  <  MMHG  <  TBD 

TEMPERATURE  TBD  <  T  <  TBD 

TOTAL  PRESS,  PPO2,  ETC  TBD 

B.  PAYLOADS  WHICH  REQUIRE  SPECIFIC  ENVIRONMENTAL  CONTROLS  IN 
EXCESS  OF  NORMAL  SUBSYSTEM  REQUIREMENTS  ARE  DOCUMENTED  IN  THE 
FLIGHT-SPECIFIC  ANNEX. 

Documenting  payload  cooling  limits  in  this  rule  in  the  annex  ensures  that  the  proper  orbiter  cooling 
configuration  will  be  established  for  the  flight.  The  operating  range  indicates  absolute  minimum  and 
maximum  acceptable  temperatures  of  the  payload  coolant  as  it  exits  the  payload  heat  exchanger. 

Analysis  of  heat  exchanger  performance  will  use  payload  heat  load  data  as  supplied  in  PIP  annex  2 
paragraph  1.  The  stability  requirement  dictates  special  payload  limits  to  minimize  oscillations  within 
the  operating  range.  The  stability  values  reflected  here  are  those  introduced  by  changes  in  the  orbiter 
Freon  inlet  temperature  and  do  not  account  for  perturbations  due  to  changes  in  payload  heat  load. 

Certain  middeck  and/or  Spacehab  payloads  may  require  unique  atmosphere  conditions  that  are  outside 
of  the  normal  range  of  operations  of  the  ARS.  Documentation  of  the  payload  constraints  in  this  rule 
ensures  that  the  atmosphere  is  managed  within  the  specified  limits. 

C.  EXPERIMENTS  THAT  WILL  NORMALLY  RELEASE  GASES  INTO  THE  CABIN 
ARE  DOCUMENTED  IN  THE  FLIGHT-SPECIFIC  ANNEX.  @[111501-4993] 
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A17-652 

SPACEHAB  SUBSYSTEM  FANS/AIR  LOOP  ®[1 11501 -501  OA] 

SPACEHAB  ARS,  CABIN,  OR  HFA  FAN  SHALL  BE  CONSIDERED  LOST  IF  ITS 
RESPECTIVE  FAN  DELTA  PRESSURE  IS?  0.2  INCHES  H20. 

The  accuracy  of  the  delta  pressure  sensor  measuremen  t  is  ?  0.1  inches  H2O.  Each  fan  has  two 
redundant  sensors.  The  RDM  HFA  fan  pair  share  the  same  two  delta  pressure  sensors.  ®[1 11501 -501 OA] 
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MODULE  ATMOSPHERE  MANAGEMENT 


A17-701  MODULE  ATMOSPHERIC  CONTROL  ®[1 11501  -501 0A] 

THE  ORBITER  ENVIRONMENT  WILL  BE  MANAGED  TO  ALLOW  THE  MODULE  TO 
OPERATE  WITHIN  THE  FOLLOWING  GUIDELINES: 

A.  MODULE  PRESSURE  BETWEEN  10.0  AND  15.95  PSI  @[021600-7104] 

Spacehab  systems  are  certified  to  operate  above  a  cabin  pressure  greater  than  or  equal  to  10  psia.  The 
positive  pressure  relief  valves  are  designed  to  maintain  Spacehab  pressure  below  its  maximum  design 
pressure  (MDP)  of  15.95  psia. 

B.  MODULE  PPO2  PER  RULE  {A13-53A},  MINIMUM  PP02  CONSTRAINTS 

The  orbiter  ECLSS  is  designed  to  maintain  theses  levels.  The  most  likely  cause  of  low  PPO2  in  the 
Spacehab  module  would  be  inadequate  air  exchange  with  the  orbiter  or  an  orbiter  malfunction. 

C.  MODULE  PPCO2  PER  RULE  {A13-52A},  PPC02  CONSTRAINT 

The  orbiter  ECLSS  is  designed  to  maintain  theses  levels.  The  most  likely  cause  of  low  PPCO2  in  the 
Spacehab  module  would  be  inadequate  air  exchange  with  the  orbiter  or  an  orbiter  malfunction. 

D.  MODULE  TEMPERATURE  BETWEEN  65  AND  8  0  DEG  F  @[021600-7104] 

The  Spacehab  thermal  control  system  is  designed  to  maintain  these  levels  during  open  hatch  operations. 

E.  HUMIDITY 

1.  SM/LDM:  MODULE  DEWPOINT  <  FAN  HX  INLET  H20  TEMP 

2.  RDM:  NO  CONSTRAINT  ON  ORBITER 

The  Spacehab  single  and  logistics  double  modules  have  no  provision  for  condensate  removal.  Therefore, 
module  humidity  ( dewpoint )  must  be  maintained  below  the  water  loop  temperature  at  the  inlet  to  the 
air/water  heat  exchanger  to  avoid  uncontained  condensation.  Spacehab  RDM  has  a  condensing  heat 
exchanger;  therefore,  humidity  control  is  not  a  concern  as  long  as  the  rotary  separator  is  functioning 
nominally.  ®[1 11501  -501 0A] 
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A17-701  MODULE  ATMOSPHERIC  CONTROL  (CONTINUED) 

F.  IF  ANY  OF  THE  ABOVE  CONDITIONS  CANNOT  BE  MAINTAINED, 
CONSIDERATION  WILL  BE  GIVEN  TO  REDUCING  THE  NUMBER  OF 
CREWMEMBERS  IN  THE  MODULE  OR  DEACTIVATION  OF  SOME 
EXPERIMENTS.  EXCEPTIONS  WILL  BE  DOCUMENTED  IN  THE  FLIGHT- 
SPECIFIC  ANNEX.  ®[1 1 1501 -501 OA] 


The  module  atmospheric  composition  is  controlled  during  open  hatch  operations  by  the  mixing  of 
orbiter/module  airflow.  The  orbiter  and  module  systems  must  be  operated  to  yield  an  environment  as 
described  in  order  to  provide  crew  habitability  and  stay  within  certification  limits.  ®[1 11501  -501  OA] 


A17-702  PARTIAL  PRESSURE  OF  OXYGEN  (PPQ2)  SENSORS  @[111501- 

5010  A] 

NOMINAL  SPACEHAB  OPERATIONS  MAY  CONTINUE  FOR  LOSS  OF  BOTH  SENSORS 
IF  THE  SPACEHAB  ARS  FAN  IS  OPERATIONAL.  ®[030994-1 606A  ] 

Av  long  as  there  is  airflow  between  the  Spacehab  module  and  the  orbiter,  PPOj  parameters  should  be 
very  close  to  orbiter  readings.  ®[1 11501  -501 0A] 


A17-703  PARTIAL  PRESSURE  OF  CARBON  DIOXIDE  (PPCQ2 )  SENSORS 

®[1 11501-501 0A] 

NOMINAL  SPACEHAB  OPERATIONS  MAY  CONTINUE  FOR  LOSS  OF  BOTH  SENSORS 
IF  THE  SPACEHAB  ARS  FAN  IS  OPERATIONAL.  ®[030994-1 606A  ] 

Av  long  as  there  is  airflow  between  the  Spacehab  module  and  the  orbiter,  PPCO2  parameters  should  be 
very  close  to  orbiter  readings.  ®[1 11501  -501 0A] 
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A17-704  CAB  IN /HF  A  FAN  ®[1 11501  -501 0A] 

A.  FOR  LOSS  OF  A  SINGLE  PHASE,  THE  CABIN/HFA  FAN  MAY  CONTINUE  TO 
BE  OPERATED  ON  TWO-PHASE  POWER.  ®[021 600-71 05A] 

Cabin  fan  and  HFAfan  can  be  used  in  terchangeably  throughout  these  rules,  depending  on  the  Spacehab 
module  configuration.  Both  fans  are  used  to  circulate  air  within  the  Spacehab  module.  Cabin  fan  is 
applicable  for  Spacehab  SM  and  LDM  configurations.  HFAfan  is  applicable  for  the  Spacehab  RDM 
configuration. 

The  cabin/HFAfan  was  operated  during  preflight  testing  on  two  phases.  The  cabin/HFA  fan  may  be 
operated  but  not  started  on  only  two  phases. 

If  the  cabin/HFA  fan  is  operating  on  the  SH INV  and  phase  A  fails,  the  fan  will  stop  working  because 
phase  A  of  the  SH  INV  provides  the  sync  pulse  required  for  SH  INV  phases  B  and  C  to  operate. 

However,  the  fan  will  continue  to  operate  on  the  SH  INV  on  two-phase  power  if  phase  A  continues  to 
operate  with  either  phase  B  or  phase  C. 

B.  FOR  LOSS  OF  THE  CABIN/HFA  FAN,  AN  IFM  WILL  BE  CONSIDERED  TO 
CHANGE  OUT  THE  FAN. 

For  loss  of  the  cabin  fan  in  the  SM/LDM  or  a  single  HFAfan  in  the  RDM,  Spacehab  has  determined  that 
the  ARS  fan  in  the  SM/LDM  or  the  ARS  fan  and  a  single  HFAfan  in  the  RDM  can  supply  enough  airflow 
to  maintain  smoke  detection  capability  throughout  the  module.  However,  the  temperature  in  the  module 
may  not  be  maintained.  Based  on  temperature  and  other  environmental  parameters,  it  is  possible  that 
the  IFM  could  be  postponed  or  the  mission  con  tinued  using  only  the  ARS  fan  in  the  SM/LDM  or  the  ARS 
fan  and  a  single  HFAfan  in  the  RDM.  Smoke  detection  is  considered  lost  in  the  aft  subfloor  volume  of 
the  RDM  if  both  HFAfans  are  lost.  Reference  Rule  (A1 7-601},  SPACEHAB  FIRE/SMOKE  DETECTION 
LOSS.  ®[1 1 1501 -501 0A] 
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A17-704  CAB IN /HF A  FAN  (CONTINUED) 

C.  RDM  HFA  FANS  STARTUP  ®[1 1 1 501 -501 OA] 

1.  BOTH  HFA  FANS  WILL  BE  ACTIVATED  PRIOR  TO  POWERING  ON  THE 
ARS  FAN. 

2.  IF  BOTH  HFA  FANS  ARE  TO  BE  OPERATED  SIMULTANEOUSLY,  THE 
AIR  BYPASS  VALVE  ( ABV)  SHALL  BE  SET  TO  80-210  COUNTS 
PRIOR  TO  POWERING  THE  SECOND  HFA  FAN. 

Preflight  testing  by  Boeing  has  shown  that  the  HFA  fans  will  operate  in  a  degraded  mode  if  the  second 
HFA  fan  is  activated  while  the  ARS  fan  is  operating  and  when  the  ABV  is  not  positioned  in  an  acceptable 
range.  No  immediate  damage  to  the  fans  is  associated  with  operation  in  this  mode,  only  degraded 
system  performance  (>  30  percent  reduction  in  HFA  flow).  During  activation,  it  will  be  the  MCC's 
responsibility  to  command  the  ABV  to  80-210  counts  because  the  crew  does  not  have  the  capability  to 
command  the  ABV.  The  crew  can  manually  set  the  valve  to  the  desired  range,  but  this  action  would  be 
very  time  consuming.  Reference  Rule  { A17-705 },  ATMOSPHERE  REVITALIZATION  SYSTEM  (ARS) 
FAN. 
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A17-705  ATMOSPHERE  REVITALIZATION  SYSTEM  (ARS)  FAN  @[021600- 

7106B]  @[111 501 -51 01  A] 

A.  FOR  LOSS  OF  A  SINGLE  PHASE,  THE  ARS  FAN  MAY  CONTINUE  TO  BE 
OPERATED  ON  TWO-PHASE  POWER. 

The  ARS  fan  was  operated  on  two  phases  during  preflight  testing.  The  ARS  fan  may  be  operated  but  not 
started  on  only  two  phases.  ®[1 11501  -501 0A] 

If  the  ARS  fan  is  operating  on  the  SH INV  and  phase  A  fails,  the  fan  will  stop  working  because  phase  A  of 
the  SH  INV  provides  the  sync  pulse  required  for  SH  INV  phases  B  and  C  to  operate.  However,  the  fan 
will  continue  to  operate  on  the  SH  INV  on  two-phase  power  if  phase  A  continues  to  operate  with  either 
phase  B  or  phase  C.  @[021 600-71 06B] 

B.  FOR  LOSS  OF  THE  ARS  FAN,  AN  IFM  WILL  BE  PERFORMED  (BASED  ON 
PPCO2,  ETC.)  TO  CHANGE  OUT  THE  FAN.  UNTIL  THE  IFM  IS 
PERFORMED,  ALLOWABLE  CREW  TIME  IN  THE  MODULE  IS  LIMITED  BY 
DEWPOINT,  PPO2,  AND  PPCO2  RESTRICTIONS  PER  RULE  {A17-701}, 
MODULE  ATMOSPHERIC  CONTROL.  @[101096-4494] 

Withou  t  the  ARS  fan,  air  exchange  with  the  orbiter  is  degraded.  In  the  Spacehab  RDM,  smoke  detection 
in  the  forward  subfloor  volume  is  considered  lost  when  the  ARS  fan  is  not  operating  with  the  mixing  box 
cap  installed.  As  long  as  one  HFAfan  is  operating,  smoke  detection  capability  can  be  regained 
throughout  the  RDM  by  removing  the  mixing  box  cap.  Reference  Rule  {A17-757j,  RDM  MIXING  BOX 
CAP. 

C.  ( SM/LDM  ONLY)  THE  ARS  FAN  SHALL  NOT  BE  OPERATED  WITH  THE  PL 
ISO  VALVE  CLOSED  UNLESS  THE  ASCENT/DESCENT  INLET  STUB  IS  OPEN 
OR  THE  FLEX  DUCT  IS  REMOVED.  @[021 600-71 06B] 

Operation  of  the  ARS  fan  with  the  PL  ISO  valve  closed  and  flex  duct  connected  in  the  Spacehab  single 
or  logistics  double  module  configurations  may  cause  failure  of  the  ARS  fan.  Reference  Rule  {A17- 
756},  SM/LDM  ASCENT/DESCENT  INLET  STUB.  @[021 600-71 06B] 

D.  (RDM  ONLY)  THE  ARS  FAN  SHALL  BE  DEACTIVATED  PRIOR  TO  POWERING 
ON  A  SECOND  HFA  FAN. 

Preflight  testing  by  Boeing  has  shown  that  the  HFA  fans  will  operate  in  a  degraded  mode  if  a  second 
HFAfan  is  powered  up  while  the  ARS  fan  is  operating.  Reference  Rule  {A17-704},  CABIN/HFA  FAN. 

No  immediate  damage  to  the  fans  is  associated  with  operation  in  this  mode,  only  degraded  system 
performance  (>  30  percent  reduction  in  HFA  flow). 

DOCUMENTATION :  Boeing  RDM  Certification  Acceptance  Review  Presentation,  October  4-5,  2000, 
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A17-706  SPACEHAB  FAN  CONFIGURATIONS 

THE  FOLLOWING  FAN  CONFIGURATION  WILL  BE  USED  FOR  NOMINAL  SPACEHAB 
SM/LDM  OR  RDM  OPERATIONS  FOR  ASCENT,  ON-ORBIT,  AND  ENTRY:  @[111501- 
5000] 

A.  ASCENT 

1.  SM/LDM: 

a.  UNPOWERED  SPACEHAB  MODULE 

(1)  ARS  FAN  -  ON,  CONFIGURED  TO  SPACEHAB  INVERTER 
POWER,  BUT  NOT  OPERATIONAL  SINCE  THE  SPACEHAB 
INVERTER  IS  UNPOWERED 

(2)  CABIN  FAN  -  OFF,  CONFIGURED  TO  SPACEHAB  INVERTER 
POWER 

(3)  AFT  MODULE  FAN  -  OFF  ( LDM  ONLY) 


When  the  Spacehab  module  is  unpowered  for  ascent,  all  subsystem  equipment  is  OFF.  Although  the  ARS 
fan  is  configured  ON,  it  is  not  operational  because  its  power  source  is  configured  to  an  unpowered 
Spacehab  inverter.  This  configuration  simply  allows  the  ARS  fan  to  be  activated  by  commanding  its 
power  source  from  Spacehab  inverter  to  orbit er  AC. 

b.  POWERED  SPACEHAB  NODULE 

(1)  ARS  FAN  -  ON,  USING  SPACEHAB  INVERTER  POWER 

(2)  CABIN  FAN  -  OFF,  BUT  CONFIGURED  TO  SPACEHAB 
INVERTER  POWER 

(3)  AFT  MODULE  FAN  -  OFF  (LDM  ONLY) 

IF  THE  ARS  FAN  FAILS,  IT  WILL  BE  COMMANDED  OFF  AND 
THE  CABIN  FAN  COMMANDED  ON  ASAP  POST  MAIN  ENGINE 
CUTOFF  (MECO) .  FOR  FAILURE  OF  THE  SPACEHAB  INVERTER, 
REFERENCE  RULE  {A9-354},  SPACEHAB  AC  MANAGEMENT. 

®[ED  ]  ®[ED  ] 
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A17-706  SPACEHAB  FAN  CONFIGURATIONS  (CONTINUED) 


The  ARS  or  cabin  fan  is  required  to  maintain  airflow  for  heat  rejection  and  fire/ smoke  detection  in  the 
module.  The  cabin  fan  is  unpowered,  but  configured  to  inverter  power  to  allow  it  to  serve  as  a  backup  in 
case  the  ARS  fan  fails.  Without  switching  fans,  all  fire/ smoke  detection  capability  is  lost.  Since  no  on¬ 
board  command  capability  exists  in  OPS  1  (SM  GPC  not  available),  the  fans  will  be  reconfigured  via 
ground  command  post  MECO.  The  aft  module  fan  uses  Spacehcib  DC  power  and  is  not  powered  for 
ascent.  ®[i  1 1 501-5000  ] 

2.  RDM:  @[111501-5000] 


a . 

HFA 

FAN 

1 

-  ON, 

USING  SPACEHAB 

INVERTER 

POWER 

b . 

HFA 

FAN 

2 

-  OFF, 

CONFIGURED 

TO 

SPACEHAB 

INVERTER 

POWER 

c . 

ARS 

FAN 

- 

ON,  CONFIGURED  TO 

ORBITER  AC, 

BUT  NOT 

OPERATIONAL  SINCE  ORBITER  AC  IS  NOT  AVAILABLE  TO 
PAYLOADS  FOR  ASCENT 

IF  HFA  FAN  1  FAILS,  IT  WILL  BE  COMMANDED  OFF  AND  HFA 
FAN  2  COMMANDED  ON  ASAP  POST  MAIN  ENGINE  CUTOFF  (MECO) . 
FOR  FAILURE  OF  THE  SPACEHAB  INVERTER,  REFERENCE  RULE 
{ A9-354  }  ,  SPACEHAB  AC  MANAGEMENT.  ®[ED  ]  ®[ED  ] 

The  Spacehcib  RDM  is  always  powered  for  ascent.  An  HFA  fan  is  required  to  maintain  airflow  for  heat 
rejection  and  fire/smoke  detection  in  the  module.  HFA  fan  1  is  preferred  over  HFA  fan  2  because 
contingency  commanding  is  only  available  to  turn  HFA  fan  1  OFF  and  HFA  fan  2  ON.  HFA  fan  2  is 
unpowered  but  configured  to  inverter  power  to  allow  it  to  serve  as  a  backup  in  case  HFA  fan  1  fails. 
Without  switching  fans,  all  fire/smoke  detection  capability  is  lost.  Since  no  on-board  command 
capability  exists  in  OPS  1  (SM  GPC  not  available),  the  fans  will  be  reconfigured  via  ground  command 
post  MECO.  The  ARS  fan  is  not  operational  during  ascent;  however,  it  is  configured  ON,  but  to  orbiter 
AC  power  which  is  not  available  during  ascent.  In  this  configuration,  the  ARS  fan  can  be  activated 
whenever  power  is  applied  to  the  payload  AC  2  bus  in  the  event  of  a  failure  that  preven  ts  Spacehcib 
commanding. 
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A17-706  SPACEHAB  FAN  CONFIGURATIONS  (CONTINUED) 

B.  ON-ORBIT 

1.  SM/LDM: 

a.  ARS  FAN  -  ON,  USING  ORBITER  AC  POWER 

b.  CABIN  FAN  -  ON,  USING  ORBITER  AC  POWER 

C.  AFT  MODULE  FAN  -  ON,  USING  SPACEHAB  DC  POWER  ( LDM 
ONLY) 

IF  ORBITER  AC  POWER  IS  UNAVAILABLE,  REFERENCE  RULE 
{ A9-354  }  ,  SPACEHAB  AC  MANAGEMENT.  ®[i  11501-5000]  ®[ED  ] 

®[ED  ] 

2.  RDM:  @[111501-5000] 

a.  ARS  FAN  -  ON,  USING  ORBITER  AC3  POWER 

b.  HFA  FAN  1  -  ON,  USING  SPACEHAB  INVERTER  POWER 

c.  HFA  FAN  2  -  ON,  USING  ORBITER  AC2  POWER 

FOR  FAILURE  OF  THE  SPACEHAB  INVERTER  OR  ORBITER  AC, 
REFERENCE  RULE  {A9-354},  SPACEHAB  AC  MANAGEMENT.  ®[ED  ] 
®[ED  ] 

All  subsystem  fans  for  Spacehab  SM/LDM  or  RDM  are  nominally  operating  on-orbit  to  obtain  the  best 
air  circulation  throughout  the  module.  It  is  highly  desired  to  power  the  ARS  fan  from  orbiter  AC  in 
order  to  main  tain  fan  operation  in  case  of  an  inadverten  t  loss  of  the  Spacehab  inverter.  Powering  any  of 
the  fans  via  the  Spacehab  inverter(s)  or  orbiter  AC  is  acceptable  and  is  preferred  over  not  running  the 
fans.  In  the  RDM,  HFA  fan  I  is  powered  by  the  Spacehab  inverters  and  HFA  fan  2  is  powered  by  orbiter 
AC  to  maintain  airflow  in  case  of  a  failure  of  either  power  source,  as  well  as  to  offload  orbiter  AC  2. 
Operation  of  both  HFA  fans  from  the  same  power  source  is  acceptable,  but  will  impact  troubleshooting 
in  the  case  of  a  failed  fan. 
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A17-706  SPACEHAB  FAN  CONFIGURATIONS  (CONTINUED) 

C.  ENTRY 

1.  SM/LDM: 

a.  ARS  FAN  -  ON,  USING  SPACEHAB  INVERTER  POWER 

b.  CABIN  FAN  -  OFF,  CONFIGURED  TO  ORBITER  AC 
C.  AFT  MODULE  FAN  -  OFF  (LDM  ONLY) 

IF  THE  ARS  FAN  FAILS,  IT  WILL  BE  COMMANDED  OFF  AND  THE 
CABIN  FAN  COMMANDED  ON  USING  ORBITER  AC  POWER  ASAP 
PROVIDED  THE  TOTAL  AC  LOAD  (ORBITER  +  SPACEHAB)  CAN  BE 
MANAGED  TO  STAY  WITHIN  LIMITS  SPECIFIED  IN  RULE  £,9-155}, 
AC  INVERTER  THERMAL  LIFE.  FOR  FAILURE  OF  THE  SPACEHAB 
INVERTER,  REFERENCE  RULE  {A9-354},  SPACEHAB  AC 
MANAGEMENT  .  ®[ED  ]  ®[ED  ] 

The  ARS  or  cabin  fan  is  required  to  maintain  airflow  for  heat  rejection  and  fire/ smoke  detection  in  the 
module.  The  cabin  fan  is  unpowered  but  configured  to  orbiter  AC  power  to  allow  it  to  sen’e  as  a  backup 
in  case  the  ARS  fan  or  Spacehcib  inverter  fails.  Without  switching  fans,  all  fire/ smoke  detection 
capability  is  lost.  Since  no  on-board  command  capability  exists  in  OPS  3  (SM  GPC  not  available),  the 
fans  will  be  reconfigured  via  ground  command.  The  aft  module  fan  uses  Spacehcib  DC  power  and  is  not 
powered  for  entry.  ®[1 1 1 501-5000  ] 
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A17-706  SPACEHAB  FAN  CONFIGURATIONS  (CONTINUED) 


RDM:  @[111501-5000] 

a.  HFA 

FAN 

1 

-  ON, 

USING  INVERTER 

POWER 

b .  HFA 

FAN 

2 

-  OFF, 

CONFIGURED  TO 

ORBITER  AC 

C.  ARS 

FAN 

_ 

OFF 

IF  HFA  FAN  1  FAILS,  IT  WILL  BE  COMMANDED  OFF  AND  HFA  FAN 
2  COMMANDED  ON  USING  ORBITER  AC  POWER  ASAP  PROVIDED  THE 
TOTAL  AC  LOAD  (ORBITER  +  SPACEHAB)  CAN  BE  MANAGED  TO  STAY 
WITHIN  LIMITS  SPECIFIED  IN  RULE  {A9-155},  AC  INVERTER 
THERMAL  LIFE.  FOR  FAILURE  OF  THE  SPACEHAB  INVERTER, 
REFERENCE  RULE  {A9-354},  SPACEHAB  AC  MANAGEMENT.  ®[ED  ] 
®[ED  ] 

An  HFA  fan  is  required  to  maintain  airflow  for  heat  rejection  and  fire/smoke  detection  in  the  module. 

HFA  fan  1  is  preferred  over  HFA  fan  2  because  contingency  commanding  is  only  available  to  turn  HFA 
fan  1  OFF  and  HFA  fan  2  ON.  HFA  fan  2  is  unpowered,  but  configured  to  orbiter  AC  to  allow  it  to 
serve  as  a  backup  in  case  HFA  fan  1  or  the  Spacehab  inverter  fails.  Without  switching  fans,  all 
fire/smoke  detection  capability  is  lost.  Since  no  on-board  command  capability  exists  in  OPS  3  (SM  GPC 
not  available),  the  fans  will  be  reconfigured  via  ground  command.  The  ARS  fan  is  OFF  during  entry  and 
is  not  considered  a  viable  option  to  regain  smoke  detection  should  both  HFA  fans  fail  (reference  Rule 
{. A17-601 j,  SPACEHAB  FIRE/SMOKE  DETECTION  LOSS).  ®[i  1 1 501 -5000  ] 

A17-707  THROUGH  A17  750  RULES  ARE  RESERVED 
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ATMOSPHERE  INTEGRITY 


A17-751  MODULE  PRESSURE  INTEGRITY  ®[1 11501  -501 0A] 

FOR  A  NON-I SOLATABLE  MODULE  PRESSURE  LEAK,  THE  MODULE  WILL  BE 

MANAGED  AS  FOLLOWS : 

A.  IF  PRIOR  TO  THE  MISSION  MDF ,  THE  MODULE  WILL  BE  ISOLATED  FROM 
THE  ORBITER  AS  REQUIRED  TO  PRESERVE  AN  MDF  +2  DAYS  WITHOUT 
VIOLATION  OF  ORBITER  N2  REDLINES . 

B.  IF  AFTER  THE  MISSION  MDF,  THE  MODULE  WILL  BE  ISOLATED  FROM 
THE  ORBITER  AS  REQUIRED  TO  PRESERVE  LANDING  AT  THE  NEXT  PLS 
+2  DAYS  WITHOUT  VIOLATION  OF  ORBITER  N?  REDLINES. 

C.  FOR  CASES  WHERE  ORBITER  REDLINES  FOR  THE  PLANNED  EOM  +2-DAY 
DURATION  CANNOT  BE  PROTECTED  WHILE  FEEDING  A  MODULE  LEAK,  THE 
DECISION  TO  SHORTEN  THE  MISSION  OR  ISOLATE  THE  MODULE  WILL  BE 
BASED  ON  MISSION  PRIORITIES  AND  LANDING  SITE  AVAILABILITY. 

D.  ALL  POWER,  EXCEPT  FOR  PL  AFT  MNB,  WILL  BE  REMOVED  FROM  THE 
MODULE  IF  THE  PRESSURE  DROPS  BELOW  10.0  PSIA. 


Mission  success  items  such  as  module  operations  cannot  be  allowed  to  impact  the  ability  of  the  orbiter 
to  reach  an  MDF  or  PLS.  Adequate  protection  ( +2  days)  must  always  be  available  in  the  event  of 
unforeseen  circumstances  such  as  weather  or  systems  problems  preventing  deorbit.  For  cases  where 
orbiter  and  crew  safety  are  not  in  jeopardy,  mission  priorities  (balanced  with  other  factors)  will  be  used 
to  determine  proper  tradeoffs.  Also,  Spacehab  equipment  is  not  certified  for  operations  below  10.0  psia; 
however,  Spacehab  accepts  all  risks  associated  with  operating  sensors  below  spec  value.  PL  AFT  MN  B 
must  remain  powered  because  it  is  the  only  source  of  power  to  the  SH  waterline  heaters  that  protect  the 
waterline  from  freezing.  ®[1 11501  -501 0A] 


A17-752  NEGATIVE  PRESSURE  RELIEF  VALVE  COVERS  ®[1 11501 -501 0A] 

THE  MODULE'S  NEGATIVE  PRESSURE  RELIEF  VALVE  COVERS  WILL  BE  OUT 
AND  LOCKED  OPEN  DURING  ASCENT.  THE  COVERS  WILL  BE  CLOSED  ON 
ORBIT  AND  REMAIN  CLOSED  DURING  ENTRY. 


This  action  prevents  chatter  damage  to  valve  seats  during  periods  of  ascent  vibration.  ®[1 11501 -501 0A] 
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A17-753  CABIN  DEPRESS  VALVE  (CDV)  ®[1 11501  -501 0A] 

A.  THE  MANUAL  CABIN  DEPRESS  VALVE  LOCATED  IN  THE  SPACEHAB  MODULE 
WILL  BE  LEFT  CLOSED  AT  ALL  TIMES  UNLESS  OPENED  BY  THE  CREW 
DURING  A  FIRE/SMOKE  ALARM  OR  HAZARDOUS  SPILL  INITIATED  MODULE 
EGRESS . 


Leaving  the  CDV  nominally  closed  eliminates  a  potential  leak  source.  The  CDV  assembly  consists  of  a 
28-volt  dc  motor  driven  butterfly  valve  in  series  with  a  manually  operated  butterfly  valve. 

B.  IN  THE  EVENT  THE  FIRE  SUPPRESSION  SYSTEM  (FSS)  FAILS,  THE 
MODULE  WILL  BE  DEPRESSURIZED  USING  THE  REMOTELY  ACCESSED 
MOTORIZED  CABIN  DEPRESS  VALVE. 


Depressurization  is  the  final  method  to  eliminate  afire  or  reduce  hazardous  spill  concentration. 

Reference  Rule  {A13-156},  SPACEHAB  HAZARDOUS  SUBSTANCE  SPILL  RESPONSE,  and  Rule  {An- 
603  },  SPACEHAB  FIRE/SMOKE  MANAGEMENT.  ®[i  11501  -501 0A] 

A17-754  EXPERIMENT  VENT  VALVE  ®[i  11501-4995]  ®[1 1 1 501-501 0A] 

A.  IF  THE  EXPERIMENT  VENT  VALVE  IS  NOT  IN  USE,  THE  VALVE  WILL  BE 
CLOSED . 

B.  THE  EXPERIMENT  VENT  VALVE  WILL  ALWAYS  BE  CLOSED  WHEN  ALL  THE 
CREW  IS  ASLEEP  UNLESS  REQUIRED  FOR  EXPERIMENT  OPERATION  AS 
DEFINED  IN  THE  FLIGHT-SPECIFIC  ANNEX.  ®[1 1 1 501 -501 0A] 


Closing  the  valve  will  significantly  reduce  the  likelihood  of  a  slow  leak  or  of  an  inadvertent  opening  of 
the  vent.  For  certain  experiment  complements,  a  vent  line  is  attached  and  flown  on  the  experiment  vent 
valve.  When  this  is  the  case,  only  the  vent  valve  is  closed. 
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A17-755  PPRV  MANAGEMENT  ®[1 1 1501  -501 0A] 

THE  TWO  SPACEHAB  PPRV' S  WILL  BE  CLOSED  PRIOR  TO  ANY  PLANNED 
INCREASE  OF  CABIN  PRESSURE  GREATER  THAN  15.35  (15.00)  PSIA.  WHEN 

THE  CABIN  PRESSURE  RETURNS  TO  BELOW  15.35  (15.00)  PSIA  OR  WHEN 

THE  SPACEHAB  MODULE  IS  ISOLATED,  THE  SPACEHAB  PPRV' S  WILL  BE 
REOPENED . 

The  Spacehob  module  has  a  maximum  design  pressure  (MDP)  of  15.95  psia,  which  shall  not  be 
exceeded.  Based  on  the  lower  limit  of  the  Spacehab  PPRV  crack  pressure  acceptance  specification 
(15.35  psia),  the  Spacehab  PPRV’s  will  be  closed  prior  to  any  planned  pressure  increase  above  the  crack 
pressure  to  presence  consumables  (0.35  psia  is  allowed  for  sensor  and  pressure  control  band 
uncertainty ).  Orbiter  PPRV’s  will  provide  redundancy  for  pressure  relief  for  the  module  as  long  as  the 
Spacehab  hatch  remains  open.  The  Spacehab  PPRV’s  will  be  reopened  after  the  pressure  has  decreased 
below  the  crack  value  or  when  the  module  is  isolated  in  order  to  re-enable  this  design  safety  feature. 

®[1 1 1501 -501 0A] 
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A17-756  SM/LDM  ASCENT/DESCENT  INLET  STUB  ®[1 11501  -501 0A] 

THE  ASCENT/DESCENT  INLET  STUB  WILL  REMAIN  CLOSED  DURING  OPEN 
HATCH  OPERATIONS.  IF  THE  SPACEHAB  HATCH  IS  CLOSED  WITHOUT 
DISCONNECTING  THE  DUCTWORK  BETWEEN  THE  SPACEHAB  TUNNEL  AND  THE 
ORBITER  PL  ISOLATION  VALVE,  THE  ASCENT/DESCENT  INLET  STUB  WILL  BE 
OPENED  BEFORE  MODULE  EGRESS  EXCEPT  IN  AN  EMERGENCY. 

The  Spacehab  SM/LDM  is  launched  with  the  flex  duct  between  the  Spacehab  tunnel  and  the  orbiter  PL 
isolation  valve  disconnected  and  the  ascent/descent  inlet  stub  closed.  During  Spacehab  activation,  the 
crew  connects  this  flex  duct  to  provide  air  exchange  from  the  orbiter  to  the  Spacehab.  The 
Ascent/Descent  inlet  stub  remains  closed  so  that  Spacehab  air  is  not  drawn  into  the  Ascent/Descent  inlet 
stub  to  ensure  good  air  exchange  with  the  orbiter. 

Opening  the  Ascent/Descent  inlet  stub  prior  to  module  egress  or  disconnecting  the  PL  ISO  Valve  flex 
duct  prior  to  hatch  closure  allows  the  ARSfan  to  operate  and  draw  air  from  these  openings.  Nominally, 
the  crew  will  disconnect  the  flex  duct  between  the  Spacehab  tunnel  and  the  PL  isolation  valve  prior  to 
closing  the  Spacehab  hatch  and  leave  the  Ascent/Descent  inlet  stub  closed.  The  option  exists  to  leave  the 
flex  duct  connected  for  closed  hatch  operations  ( e.  g. ,  Spacehab  closeout  for  EVA  or  docking),  but  since 
the  time  savings  is  minimal,  the  flex  duct  is  normally  disconnected  before  closing  the  hatch.  However,  if 
the  ductwork  is  left  connected,  the  Ascent/Descent  inlet  stub  will  be  opened  to  allow  the  ARSfan  to  serve 
as  backup  to  the  cabin  fan.  If  the  cabin  fan  fails,  the  ARSfan  is  required  to  provide  air  flow  for  smoke 
detectors  and  equipment  cooling.  If  the  module  is  egressed  due  to  an  emergency  ( e.  g. ,  cabin  leak,  toxic 
spill,  fire),  the  ductwork  and  ascent/descent  inlet  stub  will  not  be  reconfigured  prior  to  the  emergency 
egress. 

Reference  Rule  {A17-705J,  ATMOSPHERE  REVITALIZATION  SYSTEM  (ARS)  FAN.  ®[111501-5010A] 
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A17-757  RDM  MIXING  BOX  CAP 

A.  ASCENT /ENTRY  @[111501-5000] 

THE  MIXING  BOX  CAP  SHALL  BE  UNCAPPED/REMOVED  FOR 
ASCENT/ENTRY. 


The  mixing  box  will  be  uncapped  for  ascent/entry  to  allow  airflow  to  cool  electronics  and  provide  smoke 
detection  in  thefwd  module  subfloor  when  the  ARS  fan  is  not  operating  with  an  HFAfan  operating. 

B.  ON-ORBIT 

1.  THE  MIXING  BOX  CAP  SHALL  BE  INSTALLED  DURING  SPACEHAB 
ACTIVATION. 


The  mixing  box  will  be  capped  to  allow  proper  airflow  throughout  the  module  when  the  ARS  fan  is 
operating. 

2.  THE  MIXING  BOX  CAP  SHALL  BE  UNCAPPED /REMOVED  IF  THE 
MODULE  IS  TO  REMAIN  POWERED  WITH  THE  ARS  FAN  OFF. 


Air  cooling  and  smoke  detection  is  highly  degraded  in  the  forward  subfloor  volume  with  the  mixing  box 
cap  installed  and  the  ARS  fan  not  operating.  If  an  HFAfan  is  operating,  removing  the  mixing  box  cap 
will  regain  air  cooling  and  smoke  detection  in  thefwd  subfloor  for  contingency  operations. 

Reference:  Rule  {A17-705},  ATMOSPHERE  REVITALIZATION  SYSTEM  (ARS)  FAN.  ®[i  11501-5000  ] 

A17-758  RDM  LIOH  CANISTER 

A  LIOH  CANISTER  WILL  BE  INSTALLED  IN  THE  C(£  REMOVAL  ASSEMBLY 
PRIOR  TO  ANY  NOMINAL  HATCH  CLOSURE  TO  PRESERVE  LIFE  SCIENCE 
EXPERIMENTS  REQUIRING  CCI?  REMOVAL  DURING  CLOSED  HATCH  OPERATIONS 
AS  DEFINED  IN  THE  FLIGHT  SPECIFIC  ANNEX.  @[111501-5000] 

The  LIOH  canister  is  only  used  during  Spacehab  closed  hatch  operations  to  preserve  life  science 
experiments.  During  open  hatch  operations,  the  Spacehab  RDM  is  dependent  on  the  orbiterfor 
conditioned  air.  ®[1 1 1 501-5000  ] 

A17-759  THROUGH  A17-800  RULES  ARE  RESERVED 
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LIFE  SUPPORT  GO/NO-GO  CRITERIA 


A17-1001  LIFE  SUPPORT  GO/NO-GO  CRITERIA 


SYSTEM/COMPONENTS/FUNCTIONS 

ASCENT 
ABORT  IF: 

INVOKE 

MDF  IF: 

ENTER  NEXT 
PLS  IF: 

A.  FIRE  PROTECTION: 

1 .  AV  BAY  SMOKE  DETECTION  SYS 

(2  PER  BAY)  [1] 

2.  CABIN,  SMOKE  DETECTION  SYS 

3.  FIRE  SUPPRESSION  SYS 
(1  BOTTLE  PER  BAY) 

4.  FIRE  DETECTED/SUPPRESSED  [16] 

5.  HALON  DISCHARGE,  CABIN  OR  AV  BAY 

(W/O  FIRE  CONFIRMATION)  [16] 

B.  ARS  AIR: 

1.  CABIN  FANS  (2) 

2.  AV  BAY  COOLING 

a.  AV  BAY  1  [4] 

b.  AV  BAY  2  [4] 

c.  AV  BAY  3  [4] 

3.  IMU  FANS  (3)  [5] 

C.  CABIN  ATMOSPHERE: 

1.  C02  CONTROL 

2.  CABIN  TEMP  CONTROL 

3.  HUMIDITY  CONTROL 

4.  RCRS 

D.  PCS: 

1.  CABIN  PRESS  INTEGRITY 

2.  165-MIN  8-PSI  CONTINGENCY  RETURN 

3.  PP02 

4.  LES  02  SUPPLY  SYSTEM  (2) 

04/28/94  FINAL, 
PCN-20 

3  ?  [3] 

[2] 

1  ? 

2  ?  [20] 

[6] 

[7] 

[6] 

[7] 

[8] 

[9]  [7] 

2  ? 

[10] 

[10] 

[11] 

[11] 

[19] 

[12] 

1?  [17] 

2?  [18] 

®[050495-1756B]  ®[0201 96-1 81 OA  ]  ®[ED  ] 
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A17-1001  LIFE  SUPPORT  GO/NO-GO  CRITERIA  (CONTINUED) 


SYSTEM/COMPONENTS/FUNCTIONS 

ASCENT 
ABORT  IF: 

INVOKE 

MDF  IF: 

ENTER  NEXT 
PLS  IF: 

E.  WASTE  COLLECTION: 

1.  FECAL  COLLECTION  (WCS/APOLLO  BAGS) 

2.  URINE  COLLECTION  (WCS/URINE  BAGS) 

F.  WASTE  H20: 

1.  WASTE  H20  TANK  (1)  [14] 

2.  DUMP  CAPABILITY 

[13] 

[13] 

[13] 

[13] 

[15] 

[15] 

®[1 21 593-1 589  ]  ®[0201 96-181 OA] 


LEGEND: 


NO  REQUIREMENT  ( 


REQUIRED 
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)  QUANTITY 
]  NOTE  REFERENCE 

NEXT  PAGE 
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A17-1001  LIFE  SUPPORT  GO/NO-GO  CRITERIA  (CONTINUED) 


NOTES: 

[1]  ALL  AIR-COOLED  EQUIPMENT  INCLUDING  THE  FAN  WILL  BE  UNPOWERED  (EXCEPT  FOR  THE 
COMMUNICATIONS  EQUIPMENT,  CAUTION  &  WARNING  EQUIPMENT,  AND  FAN  IN  AV  BAY  3A).  ALL  EQUIPMENT 
MAY  BE  REPOWERED  FOR  ENTRY  IF  SAFED  WITH  A  HALON  BOTTLE.  REFERENCE  RULES  {A17-51AJ.2  &  3, 
MANAGEMENT  FOLLOWING  LOSS  OF  SMOKE  DETECTION.  @[090894-1675  ] 

[2]  IF  TOXIC  COMBUSTION  PRODUCTS  CANNOT  BE  SATISFACTORILY  REMOVED  FROM  THE  CABIN  ATMOSPHERE, 
THE  CREW  WILL  REMAIN  ON  THE  QDM/LES  BREATHING  100  PERCENT  02  UNTIL  ORBITER  EGRESS.  AN  ELS  OR 
PLS  LANDING  IS  REQUIRED  BASED  UPON  AVAILABLE  CONSUMABLES  FOR  MAINTAINING  THE  02 
CONCENTRATION  WITHIN  ACCEPTABLE  LIMITS.  REFERENCE  RULE  {A13-152C},  CABIN  ATMOSPHERE 
CONTAMINATION  AND  {A1 7-254},  CABIN  02  CONCENTRATION.  @[070201 -4726A] 

IF  THE  EXTENT  OF  THE  DAMAGE  TO  THE  EQUIPMENT  AND  WIRE  BUNDLES  IS  UNKNOWN,  EVEN  IF  THE 
ATMOSPHERE  HAS  BEEN  CLEANED  UP.  A  NEXT  PLS  LANDING  WILL  BE  PERFORMED  TO  MINIMIZE  THE  RISK  OF 
THE  OCCURRENCE  OF  AN  ADDITIONAL  FIRE  OR  ARC  TRACKING.  @[090894-1675]  @[070201 -4726A] 

[3]  UNLESS  CREW  PERSON  REMAINS  AWAKE  DURING  SLEEP  PERIODS  TO  MONITOR  FOR  SMOKE  CONDITIONS. 

REF.  RULE  {A17-2},  SMOKE  DETECTION  LOSS  DEFINITION 

[4]  LOSS  OF  BOTH  FANS  IN  ANY  ONE  BAY  IS  A  GO-TO-ORBIT  CASE.  THE  AVIONICS  BAY  WILL  BE  RECONFIGURED 
POST-MECO  (TACAN'S  AND  MLS  ONLY)  AND  POST-OMS-1  (ALL  AIR-COOLED  EQUIPMENT). 

[5]  LOSS  OF  THREE  IMU  FANS  IS  A  GO-TO-ORBIT  CASE  WITH  IMU  CYCLING.  VACUUM  CLEANER  FAN  WILL  BE 
INSTALLED  ON  ORBIT.  ENTER  FIRST  DAY  PLS.  @[0201 96-1 81 0A] 

[6]  MDF  FOR  LOSS  OF  COOLING  TO  TWO  GPC'S  (DUE  TO  UNACCEPTABLE  TEMPERATURE). 

[7]  ENTER  NEXT  PLS  IF  A  SINGLE  ELECTRICAL  FAILURE  (AC  BUS)  COULD  CAUSE  THE  LOSS  OF  AIR  COOLING  TO 
TWO  AV  BAYS. 

[8]  MDF  FOR  LOSS  OF  SMOKE  DETECTION  (LOSS  OF  AIR  FLOW  ONLY). 

[9]  PLS  FOR  LOSS  OF  COOLING  TO  THE  C&W. 

[1 0]  AN  ALTERNATE  MODE  OF  C02/HUMIDITY  CONTROL  WOULD  BE  TO  PERFORM  CABIN  PURGES  (OR  PARTIAL 
DUMPS)  VIA  THE  AIRLOCK  DEPRESSURIZATION  VALVE. 

[11]  QUANTITY  OF  LIOH  CANISTERS  AND  CREW  SIZE  WILL  DETERMINE  EOM. 

[12]  PLS  REQUIRED  IF  AUTO/MANUAL  PP02  CONTROL  CANNOT  MAINTAIN  AEROMED  MINIMUM  (REF.  RULE  {A13- 
53AJ.1 ,  MINIMUM  PP02  CONSTRAINTS)  AND  LESS  THAN  30  PERCENT  C^  AT  TOUCHDOWN.  ELS  REQUIRED  IF 
40  PERCENT  02  IS  EXPECTED  TO  BE  EXCEEDED  PRIOR  TO  NEXT  PLS  TOUCHDOWN. 

[13]  WITHOUT  THE  WCS,  THE  CREW  REQUIRES  SUFFICIENT  BAGS  FOR  AT  LEAST  A  PLS  PLUS  2  DAYS  (3  DAYS). 

EOM  IS  DEPENDENT  ON  DEFECATION/URINATION  RATE,  NUMBER/GENDER  OF  CREW,  AND  NUMBER  OF 
ALTERNATE  COLLECTION  DEVICES. 

[14]  CWC  AND  UCD  ULLAGE  WILL  DETERMINE  EOM.  @[121593-1589] 

[15]  ULLAGE  WILL  DETERMINE  EOM. 

[1 6]  FOR  CONFIRMED  DISCHARGE  INTO  AN  AVIONICS  BAY,  AN  OVERBOARD  PURGE  OF  THE  AFFECTED  BAY  WILL  BE 
INITIATED  AS  A  MEANS  OF  REDUCING  HALON  CONCENTRATIONS  AND  EXTENDING  AVAILABLE  ON-ORBIT  TIME. 
FOR  A  LEAKING  HANDHELD  HALON  BOTTLE  IN  THE  CABIN,  THE  BOTTLE  WILL  BE  DISCHARGED  OVERBOARD 
THROUGH  THE  AIRLOCK  DEPRESS  VALVE.  REFERENCE  THE  AEROMED  FLIGHT  RULE  {A13-152},  CABIN 
ATMOSPHERE  CONTAMINATION,  FOR  EOM  DETERMINATION  DUE  TO  HALON  TOXICITY  CONCERNS.  REFERENCE 
AEROMED  FLIGHT  RULE  [A13-54],  100  PERCENT  OXYGEN  USE  CONSTRAINT,  FOR  MAXIMUM  TIME  CREW  CAN 
REMAIN  ON  100  PERCENT  02.  @[090894-1675  ] 

[17]  MDF  DUE  TO  INABILITY  TO  SUPPORT  LES/QDM  FLOW  TO  ENTIRE  CREW  IN  THE  EVENT  OF  A  CONTAMINATED 
CABIN  (E.G.,  FIRE  OR  TOXIC  SPILL).  IF  REAL-TIME  TEST  INDICATES  THAT  ENTIRE  CREW  CAN  BE  SUPPORTED  OR 
AN  IFM  ALLEVIATES  THE  PROBLEM,  AN  MDF  IS  NOT  REQUIRED  (REF.  RULE  {A1 7-259C],  LES  02  SUPPLY  SYSTEM 
LOSS  MANAGEMENT). 

[18]  INABILITY  TO  SUPPORT  8  PSIA  CABIN  (REF.  RULE  [A17-203A],  PP02  CONTROL).  @[050494-1 756B] 

[19]  ABORT  RTLS/TAL  FOR  ORBITER  -DP/DT  >  0.15:  AOA  FOR  ORBITER  -DP/DT  >  0.02. 

[20]  ELS  WILL  PROBABLY  BE  REQUIRED  IF  THE  NEXT  PLS  OR  SLS  IS  GREATER  THAN  8  HOURS.  AS  LONG  AS  CABIN 
ENVIRONMENT  IS  ACCEPTABLE  A  PLS  WILL  BE  TARGETED.  @[0201 96-1 81 0A  ] 
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A17-1001  LIFE  SUPPORT  GO/NO-GO  CRITERIA  (CONTINUED) 

D.  PCS 

The  requirement  for  cabin  pressure  integrity  is  dependent  on  the  leak  rate.  Ascent  aborts  are 
summarized  in  Rule  {A17-201AJ,  CABIN  PRESSURE  INTEGRITY.  No  requiremen  t  exists  for  cm 
MDF  due  to  the  philosophy  that  the  flight  will  be  terminated  once  the  integrity  of  the  cabin  has 
been  declared  lost.  {Ref.  Rule  {A17-201 },  CABIN  PRESSURE  INTEGRITY,  for  rationale  defining 
cabin  pressure  integrity.) 

The  165-minute,  8-psici  contingency  return  is  defined  by  two  requiremen  ts;  the  first  being  the  N2 
required  to  perform  the  contingency  return  and  the  second  being  a  functioned  launch/entry  suit 
(LES)  helmet  for  each  crewmember  which  will  supply  enough  oxygen  to  allow  the  crewmember  to 
breathe  normally. 

The  N2  consumable  is  budgeted  to  provide  enough  N2for  nominal  mission  requirements  and 
remain  above  the  N2  redline  (contingency  return  capability  +  measurement  error  +  residuals)  at 
EOM.  If  an  N2  leak  develops  or  nominal  flight  activities  (i.e.,  MMU  recharges,  cabin  represses, 
etc.)  cause  us  to  break  the  N2  redline  prior  to  EOM,  a  next  day  PLS  will  be  declared.  The  PLS  is 
required  due  to  insufficien  t  consumables  to  maintain  an  8-psia  cabin  for  165-minute  contingency 
return  in  the  event  of  a  hole  in  the  cabin  equivalent  to  0.45  inch. 

An  LEH  is  defined  to  be  lost  when  it  can  no  longer  supply  2.5  Ib/hr  O2  to  the  crewmember.  This 
implies  either  a  hardware  failure  or  a  failure  in  cryogenic  oxygen  supply  which  will  not  provide 
the  necessary  amoun  t  of  O2  to  the  crewmember.  Since  the  165-minute,  8  psia  contingency  return 
will  cause  cabin  pressure  and  PPO2  to  drop  below  safe  metabolic  limits  for  breathing  cabin 
atmosphere,  the  LES  helmet  will  have  to  be  used  prior  to  touchdown  to  supply  enough  oxygen  to 
each  crewmember.  Therefore,  one  lost  helmet  is  loss  of  the  contingency  return  requirement.  (Ref. 
Rule  {A1 7-202 J,  8  PSIA  CABIN  CONTINGENCY  165 -MINUTE  RETURN  CAPABILITY,  for  loss 
of  165 -minute,  8-psia  contingency  return  definition.) 

IfPP02  cannot  be  maintained  within  the  specified  control  band  (Ref.  Rule  {A17-203},  PP02 
CONTROL)  using  either  auto  or  maimed  control,  a  next  day  PLS  will  be  declared  to  avoid 
operations  with  a  30  percent  or  greater  O2  concentration  (Ref.  Rule  {A17-254A},  CABIN  02 
CONCENTRATION ),  or  cm  oxygen  deficient  cabin  which  cannot  support  crew  metabolic  needs 
(Ref.  Rule  {A13-53  Aj.l,  MINIMUM  PP02  CONSTRAINTS). 
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Memos/Documents 

JSC -07700  Vol.  10,  Rev  D,  9/30/83 

Con  tract  NAS9- 14000  Orbiter  Vehicle  End  Item  Specification  for  the  Space  Shuttle  System, 
Part  1,  Performance  and  Design  Requirements,  1/3/83 

NHB  8060.  IB,  Flammability,  Odor,  and  Offgassing  Requ  irements  and  Test  Procedures  for 
Materials  in  Environments  that  Support  Combustion,  9/81 

On-Orbit  Flight  Techniques  #28  minutes,  9/26/78 

Master  Measurement  List,  2/15/85 

NASA/JSC  Memo  from  James  Waligora,  EVA  Prebreathe  v.v.  Decompression  Sickness  Risk 
Table,  7/14/86 

JSC-18504,  STS  Operational  Flight  Design  -  Standard  Groundrules  and  Constraints, 

Level  B,  9/84 

Minutes  of  Initial  10.2  psia  Certification  Meeting  -  8/18/86 
JSC-  22276,  STS  Medical  Console  Handbook 

Orbiter  Middeck/Payload  Standard  Interfaces  Control  Document  -  ICD  2-1  M001, 

March  198. 


Rockwell  International  Documen  ts 

Certification  Approved  Request  -  Attachment  #2,  5/22/80 

Shuttle  Operational  Data  Book  -  volume  1,  revision  D,  section  4.6.1,  10/84 

SEH-ITA-83-179T  -  ECLSS  Analysis  of  10.2  psia  Cabin  Pressure  Control  Demonstration, 

1983 

SEH-ITA-83-349T  -  Relative  Effect  of  Interchanger  Water  Flowrates  on  ARS 
Temperatures:  10/14/83 

F.  WASTE  H20 

1.  The  waste  tank  if  the  primary  means  of  storing  waste  water.  Without  a  place  to  store  waste 
water,  the  crew  would  lose  humidity  control,  urine  collection  capability,  and  EMU  drain 
capability.  The  CWC  serves  as  a  spare  waste  water  storage  container.  Waste  water  can  be 
drained  into  it  from  the  waste  tank  via  the  Contingency  Cross-tie  Waste  QD.  Alternatively, 
the  CWC  can  function  as  a  spare  waste  tank,  where  waste  water  is  fed  directly  into  it  (again 
via  the  Contingency  Cross-tie  Waste  QD).  In  either  case,  the  CWC  would  last  about  47  hours 
( assuming  seven  crew  members).  This  would  require  dumping  the  CWC  when  it  is  full  or  using 
a  second  one  to  hold  more  waste  water.  ®[i  21 593- 1 589] 

2.  If  waste  dump  capability  is  lost,  the  ullage  in  the  waste  tank  and  the  CWC  will  determine 

the  end  of  mission.  When  the  tank  is  full,  the  crew  would  lose  humidity  con  trol,  WCS  urine 
collection  capability,  and  EMU  drain  capability.  ®[i  21593- 1589] 
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SECTION  18  -  THERMAL 

SUPPLY  WATER  LOSS  DEFINITIONS 

A18-1  SUPPLY  WATER  TANK 

THE  SUPPLY  WATER  TANK  IS  CONSIDERED  LOST  IF: 

A.  UNABLE  TO  EXTRACT  WATER  FROM  OR  REFILL  THE  TANK. 

B.  THE  TANK  HAS  AN  IRREPARABLE  LEAK. 

C.  THE  TANK  HAS  A  BELLOWS  LEAK. 

The  primary  purpose  of  the  supply  water  tanks  is  to  store  excess  fuel  cell  water  for  crew  consumption , 
EMU  recharges,  and  for  ATCS  FES  usage.  A  water  tank  cannot  be  used  if  unable  to  perform  these 
functions.  A  bellows  leak  is  loss  of  a  tank  because  N2  gas  is  ingested  into  the  supply  water,  and  it  has 
been  shown  that  gas  adversely  affects  the  performance  of  the  FES  by  causing  shutdowns. 

DOCUMENTATION :  Engineering  judgment  and  flight  data. 
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A18-2  SUPPLY  WATER  DUMPLINE 

THE  SUPPLY  WATER  DUMPLINE  IS  CONSIDERED  LOST  IF: 

A.  THE  DUMPLINE  TEMPERATURE  CANNOT  BE  MAINTAINED  TO  >  32  DEG 
(37  DEG)  F. 

B.  THE  DUMPLINE  IS  BLOCKED. 

C.  THE  DUMPLINE  IS  RUPTURED. 

D.  BOTH  SUPPLY  WATER  NOZZLE  TEMPERATURE  MEASUREMENTS  ARE  FAILED. 

E.  THE  NOZZLE  TEMPERATURE  CRITERIA  OUTLINED  IN  RULE  {A18-56}, 
SUPPLY  WATER  DUMP  NOZZLE  TEMPERATURE  CONSTRAINT,  CANNOT  BE 

MET.  ®[ED  ] 

The  primary  purpose  of  the  dumpline  is  to  provide  a  transport  path  for  the  supply  water  to  the  dump 
nozzle.  If  the  dumpline  is  blocked,  ruptured,  frozen,  or  temperatures  are  not  within  an  acceptable  range, 
the  transport  path  cannot  be  utilized  to  effectively  perform  this  function.  For  the  above  failures,  the  flash 
evaporator  is  used  to  dump  supply  water  before  consideration  is  given  to  using  the  potable  contingency 
crosstie. 

DOCUMENTATION:  Engineering  judgment,  flight  data,  STS-8,  STS-41B,  and  SEH-TCS-85-036. 
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A18-3  SUPPLY  WATER  DUMP  CAPABILITY 

THE  SUPPLY  WATER  DUMP  CAPABILITY  IS  CONSIDERED  LOST  IF: 

A.  THE  SUPPLY  WATER  DUMPLINE  IS  LOST  AND  THE  CREW  IS  UNABLE  TO 
USE  THE  CONTINGENCY  CROSSTIE  TO  DUMP  SUPPLY  WATER  THROUGH  THE 
WASTE  WATER  NOZZLE,  OR  INTO  A  CWC  AND  ®[071 494-1 647A] 

B.  UNABLE  TO  DUMP  SUPPLY  WATER  THROUGH  THE  FES. 

If  the  dumpline  is  lost,  the  primary  path  to  dump  supply  water  is  lost.  If  the  crew  cannot  use  the 
contingency  crosstie  or  the  FES,  for  any  reason,  the  alternate  methods  to  dump  supply  water  have  also 
been  lost. 

DOCUMENTATION :  Engineering  judgment. 

A18-4  THROUGH  A18-50  RULES  ARE  RESERVED 
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SUPPLY  WATER  MANAGEMENT  -  THERMAL 


A18-51  SUPPLY  H2Q  TANK  A  MANAGEMENT 

SUPPLY  H20  DUMPS  AND  FES  OPERATIONS  WHICH  REQUIRE  TANK  A  t£0  WILL 
BE  MINIMIZED.  TANK  A  H20  CAN  BE  UTILIZED  TO  ACHIEVE  LANDING 
OPPORTUNITIES.  ®[111 094-1 689A] 

Iodine  has  been  found  to  be  a  cause  of  corrosion  in  the  FES  cores.  This  corrosion  has  caused  several 
FES  cores  to  develop  Freon  leaks.  All  four  supply  H2O  tanks  are  iodinated  prelaunch  but  tank  A 
remains  iodinated  throughout  a  flight.  Minimizing  FES  and  nozzle  dumps  which  utilize  tank  A  H2O  will 
minimize  the  overall  quantity  of  iodinated  H2O  which  will  pass  through  the  FES  core.  If  supply  H2O 
management  cannot  be  accomplished  with  tank  B  only,  then  the  crossover  valve  will  be  opened  and  H2O 
will  be  managed  out  of  tanks  B  and  D.  Supply  H2O  from  tank  A  will  be  used  for  crew  consumption, 
contingencies,  and  to  make  entry  opportunities  if  required. 

DOCUMENTATION:  STS-65  MER-SPAN  CHIT  012.  ®[i  1 1 094-1 689A] 
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A18-52  SUPPLY/WASTE  WATER  CROSSCONNECT 

THE  CONTINGENCY  WATER  CROSSTIE  CAPABILITY  WILL  BE  USED  TO: 

A.  PROVIDE  SUPPLY  OR  WASTE  WATER  DUMP  CAPABILITY  THROUGH  THE 
ALTERNATE  DUMP  NOZZLE. 

Provides  for  dumpline  redundancy  in  the  event  of  a  dumpline  failure  for  either  system. 
DOCUMENTATION :  Engineering  judgment. 

B.  PROVIDE  CONTINGENCY  COOLING  WATER  FROM  THE  WASTE  WATER  TANK 
TO  THE  FES. 

Certain  launch  day  PLS  opportunities  cannot  be  met  without  increasing  available  supply  water 
consumables.  This  is  done  by  filling  the  waste  tank  with  supply  water.  In  the  event  that  the  PLBD’s  do 
not  open,  the  additional  supply  water  that  was  loaded  in  the  waste  tank  must  be  used.  The  contingency 
crosstie  capability  allows  the  connection  of  the  waste  water  system  to  the  supply  water  system  so  that  the 
supply  water  loaded  in  the  waste  tank  is  available  to  the  FES. 

DOCUMENTATION :  Engineering  judgment. 

C.  PROVIDE  CONTINGENCY  WATER  COLLECTION  (CWC)  BAG  WITH  FILL 
CAPABILITY. 

A  single  waste  tank  with  a  maximum  liquid  capacity  of  168  lb  exists  for  each  orbiter.  Under  various 
crew  sizes  and  flight  timelines,  the  amount  of  waste  liquid  generated  exceeds  the  168-lb  storage  capacity. 
The  waste  tank  must  be  dumped  under  these  conditions.  If  the  waste  tank  cannot  be  dumped,  additional 
ullage  for  the  expected  generated  waste  liquids  must  be  made  available.  The  CWC  provides  the 
additional  ullage.  In  order  for  this  ullage  to  be  useful  to  the  crew,  the  fill  capability  for  the  CWC  must 
be  provided  via  the  contingency  crosstie. 

DOCUMENTATION :  Engineering  judgment. 

Rule  (A17-452J,  WASTE  WATER  DUMP  CAPABILITY,  references  this  rule. 
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A18-53  SUPPLY  WATER  TANK  A  OUTLET  VALVE  MANAGEMENT 

A.  TANK  A  OUTLET  VALVE  WILL  NORMALLY  REMAIN  CLOSED  THROUGHOUT 
THE  FLIGHT.  IT  WILL  BE  OPENED  AS  REQUIRED  TO  ENSURE  SUPPLY 
WATER  COLLECTION  CAPABILITY  AND  THE  NECESSARY  ULLAGE  FOR  FUEL 
CELL  WATER  COLLECTION.  @[031500-7185] 

Under  nominal  water  system  management  and  configuration,  the  tank  A  outlet  valve  is  closed  to  presence 
the  sterility  of  water  used  for  crew  consumption.  In  the  event  that  immediate  supply  water  ullage  is 
required  in  the  supply  water  system  ( i.  e. ,  ECLSS  water  line  blockage),  water  tank  A  outlet  valve  is 
opened  to  provide  the  necessary  ullage  for  fuel  cell  water  collection.  Tank  A  outlet  valve  is  opened 
because  the  risk  of  flooding  three  fuel  cells  outweighs  microbial  concerns  affecting  potable  water  for  the 
crew.  IFM  procedures  exist  to  guarantee  potable  water  for  crew  consumption  once  the  requirement  for 
supply  water  collection  capability  is  satisfied. 

B.  FOR  ISS  FLIGHTS  THAT  REQUIRE  WATER  TRANSFER,  THE  TANK  A 
OUTLET  VALVE  MAY  BE  OPENED  TO  TIE  TANKS  A  AND  B  TOGETHER  IN 
ORDER  TO  MAXIMIZE  WATER  TRANSFER  CAPABILITY.  TANKS  A  AND  B 
WILL  BE  ISOLATED  FROM  TANKS  C  AND  D  BY  CLOSING  THE  SUPPLY 
WATER  CROSSOVER  VALVE. 


For  ISS  flights  where  the  transfer  of  water  will  take  place,  tanks  A  and  B  will  be  tied  together 
(reference  Rule  (A1 8-57 A}.  2,  ON-ORBIT  SUPPLY  WATER  TANK  MANAGEMENT).  In  addition, 
FES  PRI B  will  be  selected  to  minimize  the  amount  of  iodine  that  would  pass  through  the  FES. 
Engineering  has  a  concern  that  iodine  in  the  supply  water  system  causes  corrosion  in  the  FES  core 
(reference  Rule  {A18-51},  SUPPLY H20  TANKA  MANAGEMENT). 

DOCUMENTATION:  Engineering  judgmen  t.  @[031500-7185] 
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A18-54  SUPPLY  WATER  TANK  A  PRESSURE  CONTROL  MANAGEMENT 

FOR  LAUNCH,  THE  SUPPLY  WATER  GN?  TANK  A  SUPPLY  AND  SUPPLY  WATER 
GN2  TANK  VENT  VALVES  WILL  BE  IN  THE  "CLOSED"  AND  "VENT" 
CONFIGURATION,  RESPECTIVELY.  THE  VALVES  WILL  BE  PLACED  IN  THE 
"OPEN"  AND  "PRESS"  POSITIONS  BEFORE  WATER  TANK  A  REACHES  98  (93) 

PERCENT  AND  PRIOR  TO  DEPLETION  OF  TANK  B. 

The  orientation  of  the  orbiter  and  the  acceleration  during  launch  both  work  against  the  flow  of  fuel  cell 
product  water  into  the  supply  water  tanks.  Without  reducing  the  pressurization  of  water  tank  A  to  cabin 
pressure,  the  fuel  cells  will  vent  product  water  through  the  fuel  cell  relief  line  instead  of  transporting  the 
water  to  the  water  tanks.  The  supply  water  G/V2  tank  A  supply  and  supply  water  GN2  tank  vent  valves 
must  be  placed  in  the  CLOSED  and  VENT  position  in  order  to  depressurize  water  tank  A. 

The  valves  must  be  placed  in  the  OPEN  and  PRESS  position  in  order  to  pressurize  water  tank  A.  If  tank 
A  is  not  pressurized  prior  to  quantity  reaching  100  percent,  delta  pressure  across  the  tank  bellows  can 
exceed  15  psid  resulting  in  serious  damage  to  the  bellows.  Tank  A  must  also  be  pressurized  prior  to  the 
depletion  of  tank  B  to  prevent  the  FES  from  shutting  down. 

DOCUMENTATION :  Engineering  judgment;  flight  data,  1.3  -  TM  -  DF86050  -  013;  and  SODB 
4.6.1.1.11. 
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A18-55  SUPPLY  WATER  DUMP 

THE  METHOD  OF  DUMPING  SUPPLY  WATER  WILL  BE  AS  FOLLOWS  IN  ORDER  OF 
PRIORITY : 


A.  IF  PAYLOAD  AND  CREW  TIMELINE  CONSTRAINTS  ALLOW,  UTILIZE  THE 
SUPPLY  WATER  DUMPLINE. 

B.  UTILIZE  THE  FES. 


C.  UTILIZE  THE  POTABLE  H20  CONTINGENCY  CROSSTIE  AND  DUMP  INTO  A 
CWC  . 


D  . 


UTILIZE  THE  WASTE  WATER  DUMPLINE  VIA  THE  WASTE  WATER 
CONTINGENCY  CROSSTIE.  ®[071 494-1 647A] 


This  rule  outlines  the  desired  medical  and  environmental  systems  operation  priority  of  dumping  excess 
supply  water.  Payload  constraints  will  be  considered  when  applicable.  Utilization  of  the  FES  to  dump 
excess  supply  water  will  be  considered  to  minimize  crew  work  load  and  propellant  usage.  The  dumpline 
will  remain  higher  priority  than  the  FES,  to  minimize  nozzle  pulses  on  the  FES.  This  priority  is 
consistent  with  ensuring  crew  health  by  maintaining  supply  water  system  sterility.  Dumping  supply 
water  through  the  supply  dumpline,  FES  or  into  a  CWC  guarantees  water  system  sterility.  Dumping  into 
the  two  CWC’ s  onboard  will  create  an  additional  14-18  hours  of  ullage  (depending  on  KW  level). 
Connection  of  the  supply  water  system  to  the  waste  dumpline  increases  the  risk  of  contamination  to  the 
supply  water  system.  ®[071 494-1 647A] 

DOCUMENTATION :  Engineering  judgment. 
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A18-56  SUPPLY  WATER  DUMP  NOZZLE  TEMPERATURE  CONSTRAINT 

A  SUPPLY  WATER  DUMP  WILL  BE  TERMINATED  IF  BOTH  OF  THE  SUPPLY 
WATER  NOZZLE  TEMPERATURES  ARE  LESS  THAN  90  DEG  F.  NO  FURTHER 
DUMPS  WILL  BE  ATTEMPTED  THROUGH  THE  SUPPLY  DUMP  NOZZLE.  MINIMUM 
NOZZLE  TEMPERATURE  FOR  SUPPLY  DUMP  INITIATION  WILL  BE  100  DEG  F. 

Utilizing  the  normal  supply  dump  procedures,  the  supply  water  nozzle  temperatures  should  rise  and  not 
decrease  when  the  dump  is  initiated  at  a  nozzle  temperature  of  100  deg  F.  If  instead  of  continuing  to 
increase,  the  nozzle  temperature  decreases,  then  some  problem  exists  with  the  dump  nozzle  which  could 
lead  to  ice  formation  if  the  nozzle  temperature  drops  below  45  deg  F.  The  90  deg  F  limit  was  established 
simply  as  an  indication  that  the  nozzle  temperature  is  indeed  decreasing  from  its  original  100  deg  F 
starting  temperature  and  a  cue  that  termination  of  the  supply  dump  can  be  effected  in  a  timely  manner  to 
preven  t  ice  formation. 

MCC  GO/NO-GO  requiremen  t  and  visual  references  to  frosting  or  glazing  is  not  required  due  to  the  fact 
that  ice  formation,  glazing,  or  frosting  on  the  new  supply  dump  nozzle  does  not  occur  until  nozzle 
temperatures  are  well  below  45  deg  F. 

The  procedural  act  of  dumping  supply  water  calls  for  termination  of  the  supply  water  dump  if  the  nozzle 
temperatures  drop  below  90  deg  F for  no  more  than  4  seconds.  The  90  deg  F  lower  limit  is  well  above 
the  temperature  at  which  ice,  glazing,  or  frosting  of  the  nozzle  would  occur.  ®[ED  ] 

Rule  {A18-2E},  SUPPLY  WATER  DUMPLINE,  references  this  rule. 
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A18-57  ON-ORBIT  SUPPLY  WATER  TANK  MANAGEMENT  @[031500-7185] 

A.  ON-ORBIT  SUPPLY  WATER  SYSTEM  CONFIGURATIONS: 

1.  NOMINAL  CONFIGURATION: 


a . 

TANK 

A 

INLET 

VALVE  - 

OPEN; 

TANK 

A 

OUTLET 

VALVE  ■ 

-  CLOSED 

b . 

TANK 

B 

INLET, 

OUTLET 

VALVE 

(TWO) 

-  OPEN; 

TANK 

C 

INLET, 

OUTLET 

VALVE 

(TWO) 

-  OPEN; 

TANK 

D 

INLET, 

OUTLET 

VALVE 

(TWO) 

-  OPEN 

c . 

XOVR 

VALVE  - 

OPEN 

2.  WATER  TRANSFER  CONFIGURATION: 

a.  TANK  A  INLET,  OUTLET  VALVE  (TWO)  -  OPEN; 

TANK  B  INLET  VALVE  -  CLOSED,  WITH  CB  PULLED; 
TANK  B  OUTLET  VALVE  -  OPEN 

b.  TANK  C  INLET,  OUTLET  VALVE  (TWO)  -  OPEN; 

TANK  D  INLET,  OUTLET  VALVE  (TWO)  -  OPEN 

C.  XOVR  VALVE  -  CLOSED,  WITH  CB  PULLED  @[031500-7185] 
THIS  RULE  CONTINUED  ON  NEXT  PAGE 
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A18-57  ON-ORBIT  SUPPLY  WATER  TANK  MANAGEMENT  (CONTINUED) 

3.  EVA  EMU  WATER  RECHARGE:  @[031500-7185] 

a.  NOMINAL  CONFIGURATION  -  SUPPLY  WATER  TANK  C  INLET  AND 
OUTLET  VALVES  MAY  BE  CLOSED  TO  PROTECT  EVA  EMU  WATER 
RECHARGES . 

b.  WATER  TRANSFER  CONFIGURATION  -  EMU  WATER  RECHARGES 
WILL  BE  PERFORMED  USING  SUPPLY  WATER  TANK  B.  THIS 
CONFIGURATION  POSES  NO  THREAT  OF  H?  CONTAMINATION; 
THEREFORE,  NO  RECONFIGURATION  SHOULD  BE  REQUIRED. 

Nominal  management  is  accomplished  through  water  tanks  B,  C,  and  D  with  the  crossover  valve  open. 
Tanks  B,  C,  and  D  are  usually  tied  together  to  provide  maximum  flexibility  for  filling  and  dumping. 

Tanks  B,  C,  and  Dfeed  water  to  FES  PRI  A.  Tank  C  can  be  isolated  depending  on  mission  requirements. 
Tank  C  is  normally  isolated  at  EOM  deorbit  prep  to  protect  for  waveoff  opportunities. 

Water  Transfer  management  is  accomplished  through  water  tanks  C  and  D  with  the  crossover  valve 
closed.  Supply  tanks  A  and  B  are  tied  and  allowed  to  be  filled  to  100  percen  t  to  provide  additional 
ullage  capacity  for  water  transfer.  In  this  configuration,  the  tank  B  inlet  valve  and  crossover  valve 
circuit  breakers  are  opened.  These  breakers  are  opened  to  prevent  cm  inadvertent  switch  throw  from 
contaminating  tanks  A  and  B,  possibly  eliminating  capability  to  transfer  water  for  the  rest  of  the  flight. 

In  addition,  FES  PRI  B  will  be  selected,  fed  by  tanks  C  and  D,  to  minimize  the  amoun  t  of  iodine  that 
would  pass  through  the  FES.  Engineering  has  a  concern  that  iodine  in  the  supply  water  system  causes 
corrosion  in  the  FES  core  (reference  Rule  {A18-51},  SUPPLY  H20  TANK  A  MANAGEMENT). 

In  a  Nominal  configuration,  tank  C  may  be  isolated  for  EVA  to  protect  against  ingestion  of  hydrogen¬ 
laden  fuel  cell  water  into  the  EMU.  In  sufficient  quantities,  H2  has  the  potential  for  creating  a 
flammable  condition  within  the  EMU.  On  STS-82,  H2  was  introduced  into  the  supply  water  system 
through  the  alternate  path  with  tanks  B,  C,  and  D  tied  together.  Unlike  the  primary  path,  which  has  cm 
H2  Separator,  the  alternate  path  does  not  have  H2  separation  capability.  Tank  C  was  isolated  until  all 
planned  EVA’s  and  EMU  water  recharges  were  accomplished.  After  the  last  EVA,  tank  C  was  reopened 
and  managed  with  tanks  B  and  D  until  EOM. 

DOCUMENTATION :  Engineering  judgment,  flight  data,  H84-22-HS  Hamilton  Standard,  and  I.2-TM- 
DF86050-02.8.  @[031 500-71 85  ] 
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A18-57  ON-ORBIT  SUPPLY  WATER  TANK  MANAGEMENT  (CONTINUED) 

B.  TO  REFILL  SUPPLY  WATER  TANKS  C  AND/OR  D,  FLOW  THROUGH  THE  B/C 
CHECK  VALVE  WILL  BE  MINIMIZED.  @[031500-7185] 

In  a  Nominal  configuration,  refilling  of  tanks  B,  C,  and  D  will  be  handled  by  opening  the  crossover 
valve.  Closing  the  tank  B  inlet  and  the  crossover  valve  would  result  in  a  configuration  that  is  one  failure 
away  (i.e.,  B/C  check  valve  failed  closed)  from  forcing  the  fuel  cell  water  to  relieve  overboard.  By 
opening  the  crossover  valve  instead,  the  fuel  cell  water  will  retain  its  path  redundancy. 

In  a  Water  Transfer  configuration,  water  produced  by  the  fuel  cells  will  enter  tanks  C  and  D  through  the 
B/C  check  valve  once  tanks  A  and  B  are  full.  Water  planning  will  be  utilized  to  minimize  the  amoun  t  of 
water  that  must  flow  through  the  B/C  check  valve.  Water  management  must  consider  water  transfer  from 
tanks  A  and  B,  FES  use  from  tanks  C  and  D,  and  the  supply  water  redlines.  Tanks  C  and  D  must  be 
refilled  through  the  B/C  check  valve  to  maintain  total  water  above  the  redlines  and  cdlow  continued 
water  transfer.  When  necessary,  the  tank  A  inlet  valve  may  be  closed  to  control  the  timeframe  that  the 
B/C  check  valve  is  required  (e.g.,  to  avoid  reliance  on  the  B/C  check  valve  during  crew  sleep).  After  all 
water  transfer  has  taken  place,  the  supply  water  tanks  will  be  reconfigured  to  a  nominal  on-orbit 
configuration  ( reference  paragraph  A ). 

C.  FOR  REFILL,  TANKS  C  AND  D  WILL  NOT  BE  ALLOWED  TO  EXCEED 

98  (93)  PERCENT. 

Tanks  are  fill-restricted  to  98  (93)  percen  t  to  preven  t  hardfilling  the  tanks  which  could  result  in  venting 
FC  water  overboard.  Tank  A  (or  A  and  B)  is  not  constrained  because  the  FC  water  alternate  path  is  a 
backup  to  the  A/B  check  valve  and  will  prevent  FC  water  from  relieving  overboard.  @[031500-7185  ] 
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A18-58  SUPPLY  WATER  SYSTEM  LEAK  MANAGEMENT 

FOR  SUPPLY  WATER  SYSTEM  LEAKS,  THE  FOLLOWING  GUIDELINES  WILL 
PERTAIN: 

A.  IF  FREE  SUPPLY  WATER  IS  IN  THE  CABIN,  THE  "FREE  FLUID 
DISPOSAL"  IFM  PROCEDURE  WILL  BE  PERFORMED  IMMEDIATELY.  IF 
PRACTICAL,  THE  WASTE  WATER  TANK  WILL  BE  DUMPED  TO  5  PERCENT 
PRIOR  TO  INITIALLY  PERFORMING  THE  "FREE  FLUID  DISPOSAL"  IFM 
PROCEDURE . 

Free  fluid  in  the  cabin  is  an  unacceptable  condition  because  of  LRU  exposure  to  the  free  liquid  causing 
an  electric  circuit  malfunction  and  possible  subsequent  LRU  failures. 

Dumping  the  waste  water  tank  creates  additional  ullage  so  that,  if  the  IFM  procedure  causes  a  blockage 
in  the  waste  water  dump  line,  waste  water  will  continue  to  collect  to  maximize  the  on-orbit  stay  period. 
STS-32  experienced  free  water  in  the  lower  equipment  bay  due  to  degraded  humidity  separator 
collection.  The  FREE  FLUID  DISPOSAL  IFM  was  employed  to  dump  the  water  overboard  via  the  waste 
water  dump  nozzle.  However,  while  employing  the  IFM  procedure  on  the  third  occasion  during  the 
mission  on  FD  10,  the  waste  water  dump  line  became  blocked  by  matter  collected  using  the  free  fluid 
nozzle  (wand).  The  mission  was  then  limited  by  the  remaining  ullage  in  the  waste  water  tank  and  the 
CWC  volume. 

For  the  STS-36  humidity  separator  failure,  the  waste  water  tank  was  dumped  prior  to  using  the  FREE 
FLUID  DISPOSAL  IFM.  Even  though  no  blockage  occurred  in  the  waste  water  dump  line,  the  mission 
on-orbit  stay  was  maximized  by  having  additional  ullage  created  by  the  dump. 

DOCUMENTATION:  Ref.  STS-32  MER  Anomaly  #21,  January  19,  1990;  STS-32  CAR  No.  32RF21; 
STS-36  MER  Anomaly  #11,  April  3,  1990;  STS-36  CAR  No.  36RF13;  and  Engineering  judgmen  t. 

B.  ANY  SUPPLY  WATER  TANK  WITH  AN  IRREPARABLE  OR  NONISOLATABLE 
LEAK  WILL  BE  VENTED,  DUMPED,  ISOLATED,  AND  NOT  USED  FOR  THE 
REMAINDER  OF  THE  MISSION.  THE  TANK  WILL  REMAIN  DEPRESSURIZED 
UNTIL  DUMPED. 

A  leaking  supply  water  tank  cannot  be  pressurized  without  forcing  water  out  of  the  tank.  If  the  tank  is 
dumped  and  isolated  from  further  fuel  cell  water  collection,  then  the  remaining  water  tanks  can  be 
repressurized  and  normal  operations  can  continue  until  end  of  mission.  A  tank  that  is  depressurized  is 
not  likely  to  leak  in  a  zero  gravity  field  as  no  pressure  differential  exists  to  force  the  water  out  of  the 
tank. 

DOCUMENTATION :  Engineering  judgment. 
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A18-58  SUPPLY  WATER  SYSTEM  LEAK  MANAGEMENT  (CONTINUED) 

C.  FOR  A  SUPPLY  WATER  TANK  OUTLET  MANIFOLD  LEAK,  TWO  TANKS  NOT 
SUPPLYING  THE  LEAK  WILL  BE  SELECTED  ALONG  WITH  THE  PROPER 
FLASH  EVAPORATOR  SUBSYSTEM  (IF  REQUIRED) .  THE  LEAKING 
MANIFOLD  WILL  BE  ISOLATED  FOR  THE  REMAINDER  OF  THE  MISSION. 


Any  water  system  manifold  leak  has  the  poten  tial  of  reducing  the  ability  of  two  water  tanks  to  supply 
water  under  demand  conditions.  By  isolating  the  leaking  manifold,  the  amount  of  free  water  introduced 
into  the  cabin  is  minimized  while  maintaining  water  system  support  integrity. 


DOCUMENTATION :  Engineering  judgment. 

D.  FOR  A  SUPPLY  WATER  TANK  INLET  MANIFOLD  LEAK,  THE  WATER  TANKS 
WILL  REMAIN  DEPRESSURIZED. 


When  water  tanks  are  depressurized  for  an  inlet  manifold  leak,  the  available  water  supply  to  the  leak  has 
been  reduced  such  that  the  rate  at  which  water  is  expelled  into  the  cabin  cannot  exceed  FC  generation 
rate. 

DOCUMENTATION :  Engineering  judgment. 
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A18-59  SUPPLY  WATER  REDLINE 

A.  THE  MINIMUM  SUPPLY  WATER  QUANTITY  ACCEPTABLE  TO  ALLOW  FOR 
ANYTIME  ENTRY  REQUIREMENTS  IS  175  LBM . 

Analysis  results  conclude  that  175  Ibm  of  water  is  sufficien  t  to  supply  orbiter  cooling  requirements  for  an 
anytime  165-minute  emergency  deorbit. 

DOCUMENTATION :  Anytime  Contingency  Deorbit  Water  Redline,  STSOC  Transmittal  Form  No. 
FDD-SA-88-220-082,  5/25/88. 

B.  FOR  A  NORMAL  ORBITER  CONFIGURATION,  SUPPLY  WATER  SHOULD  BE 
MANAGED  SO  THAT  281  LBM  IS  AVAILABLE  4  HOURS  PRIOR  TO  EVERY 
PLS  TIG  TIME  (THIS  SHOULD  BE  MAINTAINED  UNTIL  THE  PLS  TIG  IS 
PASSED) . 

C.  RETURN  PAYLOAD  COOLING  WATER  REQUIREMENTS  ARE  SPECIFIED  IN 
THE  APPROPRIATE  FLIGHT-SPECIFIC  ANNEX. 

Normal  orbiter  configuration  assumes  no  active  payload  cooling  ( both  FCLflow  proportioning  valves 
in  ICH  position )  and  normal  orbiter  power  levels.  For  active  payload  cooling  cases ,  additional  water 
is  required,  depending  on  flight-specific  cooling  requiremen  ts.  This  redline  is  derived  as  a  minimum 
water  quantity  required  to  support  a  nominal  deorbit  timeline.  Contingency  return  cases  require  less 
water  (175  Ibm)  due  to  a  shorter  deorbit  time.  Failures  requiring  EVA  (PLED  fail  to  close)  would 
require  a  1-day  wave  off  to  accumulate  extra  water  required  to  support  the  new  deorbit  and  EVA 
timeline.  The  study  used  to  define  this  redline  uses  the  following  major  assumptions: 

a.  RAD  coldsoak  (RADS  HI,  Topping  FES-ON)  starts  at  TIG  minus  3:56. 

b.  RAD  bypass  at  TIG  minus  2:50. 

c.  PLBD’s  closed  at  TIG  minus  2:35. 

d.  FES  deactivated  at  TD  minus  12  minutes. 

e.  Entry  power  level  of  19  kw. 

Measuremen  t  error,  crew  consumption  and  10  percent  dispersion  are  included  in  the  analysis. 

DOCUMENTATION :  Anytime  Contingency  Deorbit  Water  Redline,  STSOC  Transmittal  Form  No. 
FDD-SA-88-220-082,  5/25/88. 
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A18-60  EXTERNAL  AIRLOCK  WATER  LINES 

THE  EXTERNAL  AIRLOCK  WATER  LINES  ARE  CONSIDERED  LOST  IF:  @[061297- 
4904] 

A.  THE  EXTERNAL  AIRLOCK  WATER  LINE  TEMPERATURES  IN  EITHER  ZONE  1 
OR  ZONE  2  CANNOT  BE  MAINTAINED  TO  >  32  DEG  (40  DEG)  F. 

The  external  airlock  water  lines  consist  of  six  differen  t  water  lines  broken  up  into  two  zones,  routed 
between  the  Xo=576  bulkhead  and  the  external  airlock.  They  are: 

One  EMU/ISS  transfer  supply  water  line 

One  EMU  waste  water  return  line 

Two  EMU  liquid  cooling  garment  supply  lines  (one  for  each  EMU) 

Two  EMU  liquid  cooling  garment  return  lines  (one  for  each  EMU) 

Each  line  is  wrapped  with  triply  redundant  heater  strings  in  each  of  the  two  zones.  Redundant 
temperature  transducers  are  available  for  each  zone  (two  each  for  zones  1  and  2)  and  they  are  located  to 
be  representative  of  the  temperature  in  all  six  of  the  lines  when  water  is  not  flowing.  A  third  transducer 
(V64T0185A)  is  available  on  zone  2  but,  because  of  its  location  arid  subsequent  sluggish  response,  it  is 
not  used  for  fault  detection.  It  is  mainly  used  to  detect  a  short  between  heater  segments. 

Due  to  the  location  of  each  of  the  sensors,  they  do  not  indicate  the  exact  temperature  of  the  coldest 
segment  of  the  six  water  lines.  Per  analysis,  the  following  indicated  temperatures  reflect  when  the 
coldest  segmen  t  of  the  lines  has  reached  32  deg.  These  values  do  not  include  the  measuremen  t  error  of 
the  transducer: 

H20  SPLYTZN1  (V64T0181A)  -  34  deg  F 
LCG2  SPLYTZN1  (V64T0182A)  -  47  deg  F 
QD  PNL  TZN2  (V64T0183A)  -  42  deg  F 
H20  SPLYTZN2  (V64T0184A)  -  36  deg  F 
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A18-60  EXTERNAL  AIRLOCK  WATER  LINES  (CONTINUED) 

B.  THE  EXTERNAL  AIRLOCK  STRUCTURAL  TEMPERATURES  CANNOT  BE 
MAINTAINED  TO  >  32  DEG  (40  DEG)  F. 

Preliminary  analysis  indicates  that  with  the  airlock  depressed  and  the  hatch  and  thermal  cover  open,  the 
in  ternal  water  line  temperatures  decrease  faster  than  the  indicated  structural  temperatures  (reference 
Rule  { A15-201 },  EXTERNAL  AIRLOCK  HATCH  THERMAL  COVER).  During  EVA  and  while  the 
ductwork  is  disconnected,  the  only  active  thermal  control  for  the  interior  of  the  airlock  is  provided  by  the 
structural  heaters.  Based  upon  attitude,  there  is  a  concern  for  water  line  freezing  if  an  active  heater 
zone  fails. 

DOCUMENTATION:  Engineering  judgment  and  Rockwell  I. L.  270-200-95-152,  Rev  1.  @[061297-4904] 
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A18-61  EXTERNAL  AIRLOCK  LCG  FLUID  LINE  LOSS  DEFINITION 

THE  LCG  FLUID  LINES  SHALL  BE  CONSIDERED  LOST  I F :  ®[061 297-4904 ] 

A.  WITH  THE  SCU  DISCONNECTED  FROM  THE  EMU,  THE  LCG  PRESSURE 

CANNOT  BE  MAINTAINED  ?  28.1  (26.4)  PSIG. 

B.  WITH  THE  SCU  CONNECTED  TO  THE  EMU  AND  THE  EMU  UNPOWERED,  THE 

LCG  PRESSURE  CANNOT  BE  MAINTAINED?  18  (16.6)  PSIG. 

The  pressure  in  either  of  the  LCG  lines  (MSID  V64P0170A  or  V64P0171A)  shall  be  maintained  below 
the  SCU  certified  maximum  operating  pressure  of  28.1  psig,  in  order  to  protect  the  SCU  from  exposure 
to  proof  pressure  cycles  (SCU  proof  pressure  is  42.2  psig,  burst  pressure  is  56.2  psig).  The  SCU  can  be 
connected  to  the  EMU  to  relieve  the  pressure  in  the  LCG  lines. 

A  steady  pressure  increase  in  either  of  the  LCG  lines  with  the  SCU  connected,  EMU  fan/pump  and  O2 
actuator  off,  indicates  the  EMU  water  tanks  no  longer  contain  any  nominal  ullage  and  are  no  longer 
acting  as  an  accumulator  for  the  LCG  lines.  In  the  EMU,  the  LCG  loop  is  connected  to  the  water  tanks 
through  the  bypass  of  the  EMU  coolant  isolation  valve.  At  19.0  ±1.0  psig,  the  EMU  feedwater  relief 
valve  will  open  and  vent  water  from  the  EMU  water  tanks  into  the  airlock. 

DOCUMENTATION :  Hamilton  Standard  EMUM-1337,  S/AD  SV7 677 30/2  (Service  &  Cooling 
Umbilical  Drawing),  and  engineering  judgment.  @[061 297-4904  ] 
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A18-62  EXTERNAL  AIRLOCK  WATER  LINE 

OVERPRESSURE/TEMPERATURE  MANAGEMENT 

UNEXPECTED  PRESSURE  AND/OR  TEMPERATURE  INCREASES  IN  THE  EXTERNAL 
AIRLOCK  LIQUID  COOLING  GARMENT  (LCG)  FLUID  LINES  WILL  BE  MANAGED 
AS  FOLLOWS  IN  ORDER  OF  PRIORITY:  @[061297-4904] 

A.  DEACTIVATION  OF  WATER  LINE  HEATERS 

B.  CHANGE  ORBITER  ATTITUDE,  IF  OPERATIONAL  AND  PAYLOAD 
CONSTRAINTS  ALLOW 

C.  CIRCULATE  THE  WATER  IN  THE  LCG  LINES  VIA  THE  EMU  FAN/PUMP 
(REF  RULE  { A1 5-2 02 } ,  EXTERNAL  AIRLOCK  LCG  PRESSURE  AND 
TEMPERATURE  MANAGEMENT  USING  THE  EMU) . 


There  is  no  accumulator  located  on  the  LCG  fluid  lines,  and  they  are  configured  in  a  closed  loop  system. 
The  only  room  for  thermal  expansion  in  these  fluid  lines  is  via  the  flexible  portion  of  the  SCU  lines,  when 
disconnected  from  the  EMU,  or  the  available  ullage  in  the  EMU  water  tanks  when  the  SCU  is  connected 
to  the  EMU.  It  is  possible,  in  “hot”  thermal  attitudes,  that  the  available  expansion  in  the  LCG  lines  may 
not  be  sufficient  to  prevent  a  hydraulic  lockup  condition,  without  taking  action  to  lower  the 
pressure/temperature  of  the  fluid  lines. 

DOCUMENTATION:  Engineering  judgmen  t.  @[061297-4904] 
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ARS  H20  LOOP  LOSS  DEFINITIONS 


A18-101  ARS  WATER  LOOP 

AN  ARS  WATER  LOOP  IS  CONSIDERED  LOST  IF: 

A.  ACCUMULATOR  QUANTITY  EQUALS  0  (?  5)  PERCENT. 

When  the  accumulator  is  empty,  voids  are  created  in  the  water  loop  causing  pump  cavitation. 
DOCUMENTATION :  Engineering  judgment. 

B.  INTERCHANGER  FLOWRATE  CANNOT  BE  MAINTAINED  ?  600  (649)  LB/HR 

IN  THE  "MIN  BYP"  POSITION. 

At  flowrate  <  600  Ib/hr,  avionics  bay  2  coldplates  cannot  be  maintained  below  their  130  deg  F  upper 
limit  in  a  normal  entry  (five  GPC’s). 

DOCUMENTATION:  SEH-ECS-86-106. 

C.  ACTIVE  LOOP  PUMP  OUTLET  TEMPERATURE  CANNOT  BE  MAINTAINED  TO 
<  85  DEG  (82.75  DEG)  F  AT  A  14.7  PSIA  CABIN  PRESSURE. 

The  maximum  air  supply  temperature  to  the  avionics  bays  is  95  deg  F  at  14. 7  psia  cabin  pressure  by 
design  specification.  The  air  temperature  leaving  the  avionics  heat  exchanger  is  about  10  deg  F  hotter 
than  the  water  coolant  loop  pump  outlet  temperature.  Avionics  equipment  may  overheat  if  pump  outlet 
temperature  cannot  be  maintained  to  less  than  85  deg  F. 

DOCUMENTATION:  MF0004-009,  REV  A;  Flight  data  (E.G.  SEH-ITA-82-333). 

D.  THERE  IS  CONFIRMED  INTERLOOP  LEAKAGE  ( WATER-TO-WATER  OR 
FREON-TO-WATER) . 

For  a  water-to-water  loop  leak,  the  loops  are  now  operating  as  one  loop.  ( Ref.  Rule  { A18-151DJ ,  ARS 
WATER  LOOP.)  The  next  failure,  an  external  leak,  could  result  in  loss  of  both  loops.  For  a  Freon- 
to-water  loop  leak,  high  pressures  and  material  incompatibilities  between  Freon  21  and  water  loop 
components  increase  the  probability  of  an  external  leak  in  the  water  loop  and  exposing  the  crew  to  the 
toxic  Freon  21.  To  reduce  such  probability,  the  affected  water  loop  is  not  to  be  operated  unless 
required.  (Ref.  Rule  {A18-101E},  ARS  WATER  LOOP.) 

DOCUMENTATION:  Engineering  judgment;  JSC-08934,  vol.  3,  4. 6. 1.2. 1.2. 
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A18-101  ARS  WATER  LOOP  (CONTINUED) 

E.  THERE  IS  CONFIRMED  ACCUMULATOR  BELLOWS  FAILURE  CAUSING  GN? 
AND  WATER  COOLANT  TO  MIX. 

For  an  accumulator  bellows  failure  causing  GN2  to  mix  with  water  coolant,  nitrogen  bubbles  will  pass 
through  the  pump  if  the  affected  loop  is  activated.  The  pump  would  operate  erratically  as  would  be 
demonstrated  by  the  pump  delta  P  and  interchanger  flowrate.  Since  a  reliable  continuous  pump 
operation  cannot  be  expected,  the  loop  should  be  considered  lost. 

DOCUMENTATION :  Engineering  judgment. 
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ARS  H20  LOOP  LOSS  MANAGEMENT 


A18-151  ARS  WATER  LOOP 

A.  NORMAL  CONFIGURATION  FOR  ASCENT/ENTRY: 

BYPASS  VALVE  CONTROL  IN  THE  "MAN"  MODE  AND  THE  INTERCHANGER 
FLOW  PRESET  TO  950  ±  50  LB/HR  ON  BOTH  LOOPS. 


1 . 

LOOP 

1 

-PUMP 

B  WITH  CONTROL  "OFF" 

2  . 

LOOP 

2 

-PUMP 

CONTROL  "ON" . 

The  heat  load  mismatch  between  Freon  and  water  loops  at  the  interchanger  causes  the  bypass  valve 
controller  to  operate  improperly  at  high  heat  loads  when  in  the  AUTO  mode.  Reference  the 
Environmental  Systems  Console  Handbook  for  a  complete  description  of  this  mismatch.  The  optimum 
water  loop  flowrate  for  both  the  cabin  temperatures  and  the  avionics  temperatures  is  determined  by 
analysis  to  be  950  Ib/hrfor  when  the  Freon  loop  FPM’s  are  in  either  ICH  or  P/L  positions.  For  these 
reasons,  it  is  desirable  to  operate  at  this  constant  950  Ib/hr  flowrate  with  the  bypass  valve  in  the  MAN 
mode,  during  Ascen  t/En  try. 

Water  loop  2  is  used  as  the  active  loop  because  of  the  “undetected  failure”  concern.  Water  loop  2  has 
one  pump  and  water  loop  1  has  two  pumps.  If  water  loop  1  were  to  be  the  prime  active  loop,  the  pump  in 
water  loop  2  could  fail  and  remain  undetected  until  loop  1  failed  and  loop  2  was  needed. 

Water  loop  1  is  preset  to  a  950  Ib/hr  flowrate  so  that,  when  needed,  it  can  be  brought  on  line  with 
optimum  performance. 

DOCUMENTATION:  1.2-TM-B1 109-27;  SEH-ITA-82-029. 

B.  CONFIGURATION  FOR  ON  ORBIT: 

1 .  AUTO  MODE 

BYPASS  VALVE  CONTROL  IN  THE  AUTO  MODE:  LOOP  2  -  PUMP 
CONTROL  "ON",  AND  LOOP  1  -  PUMP  B  WITH  "GPC"  CONTROL  AND 
BYPASS  VALVE  IN  MAN  MODE. 
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A18-151  ARS  WATER  LOOP  (CONTINUED) 

2 .  MANUAL  MODE 

BYPASS  VALVE  CONTROL  IN  THE  MAN  MODE  AND  THE  INTERCHANGER 
FLOW  PRESET  TO  950  ±  50  LB/HR  ON  BOTH  LOOPS:  LOOP  1  - 
PUMP  B  WITH  "GPC"  CONTROL,  AND  LOOP  2  -  PUMP  CONTROL 
"ON." 

Flight  data  has  indicated  that  the  heat  load  mismatch  at  the  Freon/H20  interchcmger  is  not  as  severe  as 
previously  predicted  by  analysis.  Water  loop  control  temperature  ( PUMP  OUT  TEMP)  is  not  significantly 
affected  by  the  FREON/H2O ICH  heat  load  mismatch.  During  STS-44.  H2O  LOOP  2  performed  nominally 
in  the  AUTO  mode.  Postflight  crew  comments  about  cabin  temperature  indicate  AUTO  mode  is  also 
beneficial  to  the  persistent  cabin  temperature  problem.  Reference  OFTP  8-14-91,  12-13-91. 

H2O  loop  1,  pump  B,  is  in  the  GPC  position  for  periodic  cycling  to  satisfy  thermal  conditioning 
requirements.  Pump  A  is  normally  operated  on  the  ground.  @[041196-1882  ] 

DOCUMENTATION:  SEH-ITA-83-151 

C.  BOTH  WATER  LOOPS  WILL  BE  TURNED  ON  IF  THE  EVAPORATOR  OUTLET 
TEMPERATURES  IN  BOTH  FREON  LOOPS  ARE  <32  DEG  (34.6  DEG)  F. 
(REF.  { A18-251E } ,  FREON  COOLANT  LOOPS  (FCL) . ) 

Turning  both  water  loops  on  allows  more  heat  to  be  transferred  to  the  water  loops  at  their  coldplates  and 
heat  exchangers,  which  at  the  same  time  reduces  the  in  terchanger  heat  transfer  effectiveness  from  water- 
to-Freon  loops.  Analysis  has  shown  that  with  both  water  loops  operating  and  both  Freon  FPM’s  at  the 
ICH  positions,  freezing  of  water  is  prevented  until  the  Freon  inlet  temperature  to  the  interchcmger  drops 
below  6  deg  F. 

DOCUMENTATION:  LEMSCO  19630. 

D.  FOR  A  WATER-TO-WATER  LOOP  LEAK,  BOTH  WATER  LOOPS  WILL  BE 
ACTIVATED . 

Depending  on  the  loading  of  the  water  loops,  it  is  possible  to  empty  the  accumulator  of  the  operating 
loop  into  the  nonoperating  loop  in  the  case  of  cm  in  terloop  leak.  Operating  both  loops  eliminates  this 
problem. 

DOCUMENTATION :  Engineering  judgment. 
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A18-151  ARS  WATER  LOOP  (CONTINUED) 

E.  FOR  A  FREON-TO-WATER  LOOP  LEAK,  THE  AFFECTED  WATER  LOOP  WILL 
NOT  BE  OPERATED  UNLESS  REQUIRED. 

For  a  Freon-to-water  loop  leak,  pressures  in  the  water  loop  can  get  up  to  135  psig  (proof  pressure)  and 
higher  if  the  affected  water  loop  is  operated.  In  addition,  several  components  in  the  water  loop  are 
incompatible  with  Freon  21  and  may  fail  to  seal  or  function.  Operating  the  affected  water  loop  will 
circulate  Freon  21  in  the  loop  and  accelerate  seal  degradation.  The  high  pressures  and  material 
incompatibilities  together  increase  the  probability  of  an  external  leak  in  the  water  loop  and  exposing  the 
crew  to  the  toxic  Freon  21.  @[082593- 1527  ] 

F.  FOR  A  WATER  LOOP  LEAK,  THE  AFFECTED  LOOP  WILL  BE  DEACTIVATED. 

When  there  is  a  coolant  leak  into  the  cabin  from  the  water  loop,  it  becomes  zero-fault  tolerant  to  crew 
safety  because  the  next  failure,  a  Freon-to-water  leak  at  the  interchanger,  will  introduce  toxic  Freon  21 
into  the  crew  habitable  area.  Deactivating  the  leaking  loop  may  slow  the  leak  rate  ( depending  on  the 
location  of  the  leak  on  the  loop )  and  minimize  the  risk  of  transferring  Freon  into  the  cabin  should  an 
interchanger  leak  occur.  This  would  allow  this  loop  to  be  used  in  the  contingency  event  the  other  water 
loop  should  fail. 

DOCUMENTATION:  Engineering  judgment;  JSC-08934,  volume  3,  section  4. 6. 1.2. 1.2. 

Rule  {A18-101D},  ARS  WATER  LOOP,  references  this  rule. 
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ACTIVE  THERMAL  CONTROL  SYSTEM  (ATCS)  LOSS  DEFINITIONS 


A18-201  FREON  COOLANT  LOOPS  (FCL) 

AN  FCL  IS  CONSIDERED  LOST  IF: 

A.  CALCULATED  FREON  FLOWS,  WHICH  ASSUME  THE  RADIATORS  ARE 

BYPASSED  AND  THE  FLOW  PROPORTIONING  MODULE  (FPM)  IN  "ICH," 
CANNOT  BE  MAINTAINED  GREATER  THAN: 

1.  INTERCHANGER  FLOW  EQUALS  1800  (1925)  LB/HR. 

The  minimum  interchanger  flowrate  required  to  support  a  one  Freon  loop  entry  (with  three  GPC’s)  is 
1800  Ib/hr.  This  flowrate  is  required  to  ensure  that  the  fuel  cell  coolant  return  temperature  is 
maintained  below  its  140  deg  F  limit  until  just  before  touchdown.  ( The  exceedance  is  of  short  enough 
duration  that  no  fuel  cell  damage  will  occur.) 

DOCUMENTATION:  G189A  analysis  dated  8/4/89. 

A  Freon  loop  with  a  flow  proportioning  valve  failed  in  the  PL  position  is  considered  lost  because,  with 
loss  of  the  other  loop,  it  will  not  provide  enough  cooling  to  the  interchanger  (av  bays  and  cabin )  during 
a  one  Freon  loop  entry.  Assuming  one  FCL  powerdown  and  an  additional  two  GPC's  powered  down 
(one  GPC/ avionics  bay  powered  up),  avionics  bays  1,  2,  and  3  violate  mixed  air  outlet  temperature 
limits.  The  PL  position  provides  only  51  percent  ( 1500  Ib/hr/lp)  of  the  total  Freon  flow  to  the 
interchanger,  while  the  ICH  position  provides  81  percent  (2400  Ib/hr/lp).  Freon  loop  total  flow  is  not 
greatly  affected  by  the  FPM  position  and  thus,  FC  cooling  is  not  a  concern  for  this  failure.  ®[041 097- 
SI  04B] 

DOCUMENTATION:  SE-TSAT-95-010.  Reference  SODB  Volume  III,  par.  4.5.4. 1.2,  memo  ED5-90-48, 
and  IBM  report  90-544-004 for  GPC  cooling  requirements.  ®[041 097-31 04B] 

2.  AFT  COLDPLATE  FLOW  EQUALS  211  (236)  LB/HR. 

The  minimum  aft  coldplate flow  required  for  a  one  Freon  loop  entry  is  211  Ib/hr.  This  flowrate  is 
required  to  maintain  the  aft  avionics  bay  4  coldplate  temperature  below  the  112  deg  F  limit  and  the  aft 
avionics  RGA  outlet  temperature  below  the  120  deg  F  limit.  This  assumes  that  the  aft  coldplate 
equipment  is  powered  up  for  a  nominal  deorbit  prep  and  entry  (no  powerdown),  and  no  waveojfs  are 
performed. 

225  (250)  Ib/hr  aft  coldplate  flow  is  required  to  support  a  nominal  entry,  with  two  weather  waveoff  revs 
(3-  hour  extended  deorbit  prep)  with  no  powerdown  or  cycling  of  the  aft  coldplate  equipment. 
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A18-201  FREON  COOLANT  LOOPS  (FCL)  (CONTINUED) 

If  PLS  is  declared  for  low  aft  coldplate  Freon  flow,  then  all  landing  sites  should  be  made  available  to 
maximize  a  single  opportunity  if  a  good  FCL  should  fail.  If  the  good  FCL  should  fail  and  deorbit  cannot 
be  accomplished,  backout,  powerdown,  and  another  single  deorbit  attempt  the  next  day  will  not  violate 
orbiter  cooling  requirements  (as  long  as  flow  is  greater  than  211  lbs/hr  total). 

DOCUMENTATION:  SE-TSAT-93-068,  SEH-ITA-84-249T,  and  Engineering  judgment.  ®[oi  2694-1 542A] 

B.  PUMP  INLET  PRESSURE  <  33.5  (48.5)  PSIA 

Pump  cavitation  will  occur  for  a  pressure  at  the  pump  inlet  below  Freon  vaporization  point.  Since  there 
is  not  a  measurement  of  pump  inlet  temperature,  the  maximum  pump  inlet  temperature  vaporization 
pressure  is  used.  The  FCL ’s  were  designed  for  a  90  deg  F  inlet  to  the  midbody  coldplates  for  one  FCL 
operation  (90  deg  F  pump  outlet  temperature).  Therefore,  based  on  design,  the  maximum  pump  inlet 
temperature  without  exceeding  the  midbody  coldplate  outlet  temperature  is  88  deg  F.  This  corresponds 
to  a  vaporization  pressure  of  32  psici  for  Freon. 

However,  the  location  of  the  pressure  transducer  is  at  the  upstream  of  the  pump  inlet  filter,  and  the 
pressure  loss  through  the  filter  must  be  accounted  for  to  make  sure  the  pump  inlet  pressure  is  above 
vaporization  point.  The  maximum  pressure  drop  of  the  filter  is  1.5  psid;  therefore,  the  pressure  shall 
be  no  less  than  33.5  psid  to  ensure  proper  pump  performance.  The  pump  cavitation  will  cause  erratic 
discharge  pressure  and  pumping  flowrate. 

DOCUMENTATION:  SODB  figure  4.6.3-8;  SODB  TBD. 

C.  THERE  IS  A  CONFIRMED  INTERLOOP  LEAKAGE  ( FREON-TO-FREON ) . 

The  FCL,  as  related  to  fluid  volume,  would  now  be  acting  as  one  FCL.  One  additional  failure  (external 
fluid  leak)  would  result  in  loss  of  both  FCL’s.  For  GO/NO-GO  purposes,  one  FCL  would  be  considered 
lost  in  the  event  of  interloop  leakage. 

DOCUMENTATION :  N/A,  engineering  judgment. 

D.  ACCUMULATOR  QUANTITY  EQUALS  0  (3)  PERCENT. 

When  there  is  no  Freon  left  in  the  accumulator,  voids  are  created  in  the  FCL,  causing  pump  cavitation. 
DOCUMENTATION :  N/A,  engineering  judgment. 
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A18-201  FREON  COOLANT  LOOPS  (FCL)  (CONTINUED) 

E.  FOR  THE  PURPOSES  OF  MAKING  ASCENT  ABORT  CALLS,  A  FREON  LEAK 

IS  CONFIRMED  BY  AN  OTHERWISE  UNEXPLAINED  1.6  PERCENT  DECREASE 
IN  ACCUMULATOR  QUANTITY  AND  A  CORRESPONDING  2  PSI  DROP  IN 
PUMP  IN  PRESSURE  FROM  LIFT-OFF  VALUES. 

An  earliest  possible  abort  is  required  for  loss  of  two  Freon  loops.  A  1.6  percent  quantity  drop  and  2  psi 
drop  in  PUMP  IN  PRESSURE  is  the  minimum  amount  needed  to  confirm  a  loop  leaking  during  ascent. 
Quantity  and  pressure  always  increase  slightly  during  ascent  due  to  the  heat  loads;  therefore,  any  drop 
in  quantity  and  pressure  is  always  indicative  of  a  leak.  If  for  any  reason,  the  ascent  heat  loads  should 
decrease  ( i.  e. ,  H20  loop  failure),  this  could  cause  a  drop  in  pressure  and  quantity,  and  the  loop  would 
not  be  called  lost  on  this  criteria.  Once  a  loop  is  leaking,  the  FCL  loss  is  imminent  and  is  considered 
failed  for  abort  calls.  Pressing  to  orbit  with  leaking  loops  is  not  desirable,  since  the  loss  of  two  Freon 
loops  du  ring  entry  could  result  in  loss  of  crew/vehicle. 

DOCUMENTATION :  Flight  history  and  engineering  judgment. 
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A18-202  TOPPING  EVAPORATOR 

THE  TOPPING  EVAPORATOR  IS  CONSIDERED  LOST  IF: 

A.  BOTH  PRIMARY  CONTROLLERS  AND  THE  SECONDARY  CONTROLLER  CANNOT 
MAINTAIN  PROPER  CONTROL,  AS  DEFINED  IN  THE  CONTROLLER  LOSS 
DEFINITION. 


The  topping  evaporator  cannot  function  without  a  controller.  Reference  controller  loss  definitions,  Rules 
{A1 8-204},  FES  PRIMARY  A  (B)  CONTROLLER,  and  {A1 8-205},  FES  SECONDARY  CONTROLLER. 

DOCUMENTATION:  Hamilton  Std,  SEM  62408. 

B.  FORWARD  OR  AFT  TOPPING  DUCTS  CANNOT  BE  MAINTAINED  ?  100  DEG 
(120  DEG)  F. 

This  temperature  ensures  that,  as  the  topping  evaporator  boils  water,  the  H20  vapor  does  not  condense 
and  freeze  in  the  ducts.  If  freezing  occurs,  the  back  pressure  in  the  Flash  Evaporator  System  (FES)  core 
increases,  which  raises  the  boiling  point.  This  may  result  in  an  overtemp  shutdown. 

DOCUMENTATION:  Hamilton  Std,  SEM  62449. 

C.  BOTH  A  AND  B  FEEDLINES  ARE  LOST. 

If  both  feedlines  are  lost ,  H2O  cannot  be  supplied  to  the  topping  evaporator.  Reference  Rule  { A18-206 }, 
FES  H20  FEEDLINE,  loss  definition. 

DOCUMENTATION :  N/A,  system  schematic  analysis. 
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A18-203  HIGH-LOAD  EVAPORATOR 

THE  HIGH-LOAD  EVAPORATOR  IS  CONSIDERED  LOST  IF: 

A.  BOTH  PRIMARY  CONTROLLERS  AND  THE  SECONDARY  CONTROLLER  CANNOT 
MAINTAIN  PROPER  CONTROL,  AS  DEFINED  IN  THE  CONTROLLER  LOSS 
DEFINITION. 

The  high-load  evaporator  cannot  function  without  a  controller.  Ref.  Rules  {A18-204J,  FES  PRIMARY  A 
(B)  CONTROLLER;  and  { A18-205} ,  FES  SECONDARY  CONTROLLER. 

DOCUMENTATION:  Hamilton  Std,  SEM  62408. 

B.  INBOARD  OR  OUTBOARD  HIGH-LOAD  DUCT  SECTIONS  CANNOT  BE 
MAINTAINED  ?  150  DEG  (170  DEG)  F.  ®[ED  ] 

This  temperature  ensures  that,  as  the  high-load  evaporator  boils  water,  the  H2O  vapor  does  not 
condense  and  freeze  in  the  duct.  If  freezing  occurs,  the  back  pressure  in  the  FES  core  increases,  which 
raises  the  boiling  point.  This  may  result  in  an  overtemp  shutdown. 

C.  BOTH  A  AND  B  FEEDLINES  ARE  LOST. 

If  both  feedlines  are  lost,  H2O  cannot  be  supplied  to  the  high-load  evaporator.  Reference  Rule 
{A18-206},  FES  H20  FEEDLINE,  loss  definition. 

DOCUMENTATION :  N/A,  system  schematic  analysis. 
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A18-204  FES  PRIMARY  A  (B)  CONTROLLER 

THE  FES  PRIMARY  A  (B)  CONTROLLER  IS  CONSIDERED  LOST  IF: 

A.  UNABLE  TO  MAINTAIN  EVAPORATOR  OUTLET  TEMPERATURE  BETWEEN 
36  DEG  F  AND  42  DEG  F  WHEN  THE  EVAPORATOR  IS  ENABLED. 

®[ED  ] 

If  the  controller  is  controlling  at  temperatures  outside  this  range,  three  failures  have  occurred  in  the  PRI 
A  controller  ( one  control  sensor  and  two  shutdown  sensors )  and  two  failures  have  occurred  in  the  PRI  B 
controller  (one  control  sensor  and  one  shutdown  sensor).  Based  on  the  number  of  failures,  the 
controllers  are  not  considered  reliable  and,  therefore,  must  be  considered  failed.  The  primary  controller 
con  trols  between  38  deg  and  40  deg  F  and  is  enabled  at  an  inlet  temperature  of  41  deg  F.  The  36  deg  F 
lower  limit  is  based  on  the  fact  that  the  undertemperature  shutdown  logic  on  each  controller  will  shut 
down  the  controller  if  the  evaporator-outlet  temperature  remains  below  37  ±  0.25  deg  F  for  20  seconds. 
The  42  deg  F  upper  limit  is  based  on  the  fact  that  the  overtemperature  shutdown  logic  will  shut  down  the 
con  troller  if  the  evaporator-outlet  temperature  does  not  decrease  to  less  than  41.5  ±  0.25  deg  F  when  the 
FES  is  enabled. 

DOCUMENTATION:  Hamilton  Std,  SEM  62408. 

B.  AUTO  SHUTDOWN  CIRCUITRY  WILL  NOT  ALLOW  FES  TO  REMAIN  ONLINE. 

Auto  shutdown  logic  will  shut  down  the  FES  if  temperatures  and  temperature  decrease  rates  are  not 
satisfied. 

DOCUMENTATION:  Hamilton  Std,  SEM  62408. 

C.  A (B )  FEEDLINE  IS  LOST. 

If  the  A(B)  feedline  is  lost,  the  primary  A(B)  controller  will  not  operate  (no  H2O). 

Reference  Rule  {A18-206},  FES  H2O  FEEDLINE,  loss  definition. 

DOCUMENTATION :  N/A,  system  schematic  analysis. 

Rules  { A18-202A  j,  TOPPING  EVAPORATOR;  and  (A18-203A},  HIGH-LOAD  EVAPORATOR,  reference 
this  rule. 
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A18-205  FES  SECONDARY  CONTROLLER 

THE  FES  SECONDARY  CONTROLLER  IS  CONSIDERED  LOST  IF  IT  IS  UNABLE 
TO  MAINTAIN  EVAPORATOR  OUTLET  TEMPERATURE  BETWEEN  >  60  DEG  F  AND 
<  65  DEG  F. 

The  control  band  for  the  secondary  controller  is  62  deg  ±  2  deg  F.  If  the  secondary  controller  is 

con  trolling  below  60  deg  F,  a  failure  in  the  con  troller  has  occurred  and  it  cannot  be  considered  reliable. 

The  FES  secondary  controller  does  not  have  shutdown  logic.  In  the  event  the  orbiter  heat  load  exceeds 
the  FES  capability,  the  evaporator  outlet  temperature  will  be  maintained  greater  than  its  normal  control 
band  without  shutdown. 

The  SODB  requires  the  maximum  temperature  of  air  entering  the  avionics  boxes  to  be  less  than  95  deg  F 
and  less  than  130  deg  F  at  the  outlet  of  the  boxes.  At  a  65  deg  F  evaporator  outlet  temperature  with  flow 
proportioning  valves  of  both  Freon  loops  configured  to  the  ICH  position  and  H2O  loop  flowrate  adjusted 
to  full  interchanger  flow,  analyses  indicate  that  these  limits  will  not  be  violated  for  a  normal  on-orbit 
ARS  heat  load  (seven  crewmembers,  one  GPC  per  avionics  bay,  etc.)  in  a  14.7 psia  cabin  environment. 
Powering  up  an  additional  GPC  in  the  avionics  bay  will  raise  the  measured  outlet  air  temperature  by 
approximately  10  deg  to  15  deg  F.  This  will  cause  frequent  temperature  excursions  over  the  130  deg  F 
limit  at  the  box  outlet,  leaving  little  or  no  margin  for  the  operation  of  additional  equipment  in  the  same 
avionics  bay.  Since  adequate  thermal  control  cannot  be  maintained  for  a  fully  powered  ARS  when 
evaporator  outlet  temperatures  are  greater  than  65  deg  F,  the  FES  is  considered  lost. 

Rules  (A18-202AJ,  TOPPING  EVAPORATOR;  and  {A18-203A},  HIGH-LOAD  EVAPORATOR,  reference 
this  rule. 

DOCUMENTATION:  Hamilton  Std,  SEM  62408;  283-440-84-005;  STS85-0246;  JSC  08934,  4.6.1. 
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A18-206  FES  H2Q  FEEDLINE 

THE  FES  H20  FEEDLINE  IS  CONSIDERED  LOST  IF: 

A.  TEMPERATURES  IN  ANY  SECTION  ARE  <32  DEG  (40  DEG)  F. 

At  32  deg  F,  the  H2O  in  the  lines  will  freeze. 

DOCUMENTATION :  N/A,  engineering  judgment. 

B.  FEEDLINE  ACCUMULATOR  N2  CHARGE  IS  LOST  ( "NOK"  INDICATION 
PRESENT) . 


The  N2  charge  is  required  to  prevent  water  hammer  effect  which  could  cause  erratic  FES  operations. 


DOCUMENTATION :  N/A,  engineering  judgmen  t. 

C.  THERE  IS  A  CONFIRMED  LEAK  IN  THE  FEEDLINE  SUCH  THAT  B£0  USAGE 
RATE  WILL  NOT  SUPPORT  NOMINAL  ENTRY. 


If  the  leak  is  large  enough  that  H2O  requirements  for  entry  cannot  be  met,  the  feedline  cannot  be  used. 
DOCUMENTATION :  N/A,  engineering  judgment. 

D.  SUPPLY  ISOLATION  VALVE  IS  FAILED  CLOSED  (B  FEEDLINE  ONLY) . 
If  the  valve  is  failed  closed,  the  feedline  cannot  supply  H2O  to  the  FES. 

DOCUMENTATION:  N/A,  System  schematic  analysis. 

Rules  {A18-202C},  TOPPING  EVAPORATOR;  {A18-203C},  HIGH-LOAD  EVAPORATOR;  and 
{A18-204C},  FES  PRIMARY  A  (B)  CONTROLLER,  reference  this  rule. 
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A18-207  AMMONIA  BOILER  SUBSYSTEM  (ABS) 

THE  ABS  SUBSYSTEM  IS  CONSIDERED  LOST  IF: 

A.  UNABLE  TO  MAINTAIN  EVAPORATOR  OUTLET  TEMPERATURE  AT  ?  31  DEG 
F  AND  ?  65  DEG  F. 

The  control  point  for  the  ammonia  boiler  is  34  deg  ±  3  deg  F.  Less  than  31  deg  F  is  unacceptable  due  to 
the  potential  for  freezing  the  orbiter  water  loops  or  a  payload  water  loop,  if  installed.  If  the  EVAP  OUT 
TEMP  reaches  32  deg  F,  a  C&W  will  be  annunciated  and  the  EVAP  OUT  TEMP  LOW  procedure  will  be 
worked.  This  will  provide  freeze  protection  for  temperatures  down  to  6  deg  F. 

If  the  NHj  boiler  is  controlling  above  65  deg  F,  adequate  thermal  control  of  the  vehicle  cannot  be 
maintained. 

DOCUMENTATION:  Lockheed  analysis ,  LEMSCO  19630;  283-440-84-005;  STS85-0245;  JSC  08934, 
4.6.1. 

B.  NH3  QUANTITY  EQUALS  0  (3)  LB  AS  DETERMINED  BY  P-V-T 

RELATIONSHIPS  (GROUND  ONLY) . 

When  there  is  no  NHj  left,  the  ABS  cannot  cool.  The  NHj  system  does  not  have  a  quantity  reading  and, 
therefore,  quantity  must  be  determined  by  tank  pressure  and  tank  temperature.  Temperature  does  not 
remain  constant  on  orbit,  and,  therefore,  P-V-T  ounces  must  be  used  to  determine  quantity. 

DOCUMENTATION :  N/A,  engineering  judgment. 
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A18-208  RADIATOR  FLOW  CONTROL  ASSEMBLY  (RFCA) 

THE  RFCA  IS  CONSIDERED  LOST  IF: 

A.  FAILED  IN  RADIATOR  BYPASS  POSITION. 

The  radiator,  as  a  heat  rejection  source,  is  unusable.  Therefore,  the  RFCA  is  considered  lost. 
DOCUMENTATION :  N/A,  engineering  judgment. 

B.  UNABLE  TO  MAINTAIN  CONTROLLER  OUTLET  TEMPERATURE  >  32  DEG 
(35  DEG)  F. 

The  potential  exists  for  freezing  the  FES  water  spray  valves,  the  ARS  water  coolant  loops,  and  the 
payload  water  loop  (if  installed)  if  the  RFCA  cannot  maintain  >  32  deg  F  control. 

DOCUMENTATION :  N/A,  engineering  judgment. 

C.  CANNOT  MAINTAIN  EVAPORATOR  OUTLET  TEMPERATURE  <  65  DEG  F  WITH 
THE  FES  DISABLED. 

The  SODB  requires  the  maximum  temperature  of  air  en  tering  the  avion  ics  boxes  to  be  less  than  95  deg  F 
and  less  than  130  deg  F  at  the  outlet  of  the  boxes.  At  a  65  deg  F  evaporator  outlet  temperature  with  flow 
proportioning  valves  of  both  Freon  loops  configured  to  the  ICH  position  and  H2O  loop  flowrate  adjusted 
to  full  interchanger  flow,  analyses  indicate  that  these  limits  will  not  be  violated  for  a  normal  on-orbit 
ARS  heat  load  (seven  crewmembers,  one  GPC  per  avionics  bay,  etc.)  in  a  14.7 psia  cabin  environment. 
Powering  up  an  additional  GPC  in  the  avionics  bay  will  raise  the  measured  outlet  air  temperature  by 
approximately  10  deg  to  15  deg  F.  This  will  cause  frequen  t  temperature  excursions  over  the  130  deg  F 
limit  at  the  box  outlet,  leaving  little  or  no  margin  for  the  operation  of  additional  equipment  in  the  same 
avionics  bay.  Since  adequate  thermal  control  cannot  be  maintained  for  a  fully  powered  ARS  when 
evaporator  outlet  temperatures  are  greater  than  65  deg  F,  the  RFCA  is  considered  lost. 

DOCUMENTATION:  283-440-84-005;  STS85-0245;  JSC-08934,  4.6.1. 

Rule  (A18-255BJ,  RADIATOR  FLOW  CONTROL  ASSEMBLY  (RFCA),  references  this  rule. 

A18-209  THROUGH  A18-250  RULES  ARE  RESERVED 
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ATCS  MANAGEMENT 


A18-251  FREON  COOLANT  LOOPS  (FCL) 

A.  BOTH  FCL '  S ,  WITH  ONE  PUMP  OPERATING  IN  EACH  FCL,  ARE  REQUIRED 
FOR  NORMAL  OPERATIONS. 

To  operate  with  only  one  FCL  on  orbit  could  require  a  minor  powerdown  (to  15  kW)  and  would  require 
the  use  of  the  FES  or  flying  in  a  cold  attitude.  If  -ZLV  (the  most  common  attitude)  is  flown,  a  negative 
net  H2O  storage  rate  would  exist.  To  eliminate  these  types  of  constraints  and  issues,  both  FCL ’s  are 
operated. 

DOCUMENTATION:  SEH-ITA-80-054T. 

B.  THE  FOLLOWING  TEMPERATURES  SHALL  NOT  BE  EXCEEDED: 

1.  FOR  ASCENT/ENTRY  (RADIATORS  BYPASSED):  140  DEG  (132  DEG) 
F  AT  RADIATOR  INLET. 

2.  ON-ORBIT  (RADIATORS  IN  FLOW): 

a.  65  DEG  (60  DEG)  F  AT  EVAPORATOR  OUTLET  FOR  NO  FES 

OPERATIONS  (BOTH  LOOPS  IN  ICH  POSITION) . 

b.  68  DEG  (63  DEG)  F  AT  RADIATOR  OUTLET  FOR  FES 

OPERATIONS . 

In  all  cases  (pre-liftoff,  while  on  orbit,  and  pre-deorbit)  orbiter  power  levels  are  planned  to  ensure  that 
these  limits  are  not  exceeded. 

The  maximum  capability  of  the  FES  (full  up  mode )  is  148,000  Btu/hr  (test  data).  This  is  equivalen  t  to  a 
140  deg  F  radiator  inlet  temperature. 

The  SODB  requires  the  maximum  temperature  of  air  en  tering  the  avionics  boxes  to  be  less  than  95  deg  F 
and  less  than  130  deg  F  at  the  outlet  of  the  boxes.  At  a  65  deg  F  evaporator  outlet  temperature  with  flow 
proportioning  valves  of  both  Freon  loops  configured  to  the  ICH  position  and  H2O  loop  flowrate  adjusted 
to  full  interchanger  flow,  analyses  indicate  that  these  limits  will  not  be  violated  for  a  normal  on-orbit 
ARS  heat  load  (seven  crewmembers,  one  GPC  per  avionics  bay,  etc.)  in  a  14.7 psia  cabin  environment. 
Powering  up  an  additional  GPC  in  the  avionics  bay  will  raise  the  measured  outlet  air  temperature  by 
approximately  10  deg  to  15  deg  F.  This  will  cause  frequent  temperature  excursions  over  the  130  deg  F 
limit  at  the  box  outlet,  leaving  little  or  no  margin  for  the  operation  of  additional  equipment  in  the  same 
avionics  bay. 
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A18-251  FREON  COOLANT  LOOPS  (FCL)  (CONTINUED) 

The  maximum  capability  for  the  topping  evaporator  is  39,000  Btu/hr  (SODB,  based  on  test  data).  This  is 
equivalent  to  a  68  deg  F  radiator  outlet  temperature. 

DOCUMENTATION:  SEH-ITA-81-107;  283-440-84-005;  STS85-0245;  JSC  08934,  4.6.1. 

C.  IF  IT  IS  REQUIRED  TO  DEACTIVATE  AN  OPERATING  FCL  OR  BYPASS  A 
RADIATOR: 

1.  THE  ASSOCIATED  RADIATOR  WILL  BE  STOWED. 

Stowing  the  radiators  prevents  Freon  freezing  ( except  in  total  deep  space  attitudes). 

DOCUMENTATION :  SODB  TBD  ( request  submitted). 

2.  ATTITUDES  THAT  EXCLUDE  EARTH  OR  SUN  VIEWING  (DEEP  SPACE) 
WILL  BE  LIMITED  TO  NO  MORE  THAN  1  HOUR. 

For  an  initial  Freon  temperature  of  -40  deg  F,  it  will  take  approximately  1.5  hours  for  Freon  to  freeze. 
Since  there  is  no  insight  into  the  actual  temperature  of  the  Freon  in  the  radiators,  a  conservative  limit 
of  1  hour  was  chosen. 

DOCUMENTATION :  SODB  TBD  ( request  submitted). 

3.  ORBITER  ATTITUDES  WILL  BE  MANAGED  TO  MAINTAIN  THE 
ACCUMULATOR  QUANTITY  ?  5  PERCENT  INDICATED. 

For  a  good  FCL  ( not  leaking),  the  minimum  acceptable  accumulator  quantity  is  5  percent  indicated. 
Taking  instrumentation  accuracy  into  account,  the  actual  quantity  could  be  2  percent.  At  2  percent 
quantity,  the  loop  can  still  be  activated  if  needed  in  an  emergency.  At  0  percen  t  quantity,  thermal 
conditioning  would  be  required  prior  to  activating  the  FCL. 

DOCUMENTATION :  N/A,  engineering  judgment. 

4.  CLOSING  THE  AFFECTED  RADIATOR'S  PLBD  WILL  BE  CONSIDERED 
IF  ATTITUDE  CONSTRAINTS  CANNOT  BE  MET. 

Closing  the  PLBD  increases  the  temperature  of  the  FCL. 

DOCUMENTATION:  Flight  data. 
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A18-251  FREON  COOLANT  LOOPS  (FCL)  (CONTINUED) 

D.  THE  FLOW  PROPORTIONING  VALVE  (FPV)  IN  BOTH  FCL' S  WILL 
NORMALLY  BE  PLACED  IN  THE  "ICH"  POSITION  FOR  ALL  PHASES  OF 
FLIGHT.  EITHER  OR  BOTH  FPV' S  MAY  BE  PLACED  IN  "P/L"  IF  A 
PAYLOAD  REQUIREMENT  EXISTS. 

Placing  the  FPV’s  in  the  ICH  position  maximizes  the  Freon  flowrate  to  the  H2O  Freon  interchanger: 
approximately  4800  Ib/hr  in  the  ICH  position  vs.  approximately  3000  Ib/hr  in  the  P/L  HX  position.  This 
maximizes  cooling  to  the  cabin  and  avionics  bays  via  the  water  loop.  However,  placing  both  loops  in  the 
P/L  position  does  not  increase  the  temperatures  a  significant  amount  ( 5  deg  to  7  deg  F). 

DOCUMENTATION:  Flight  data. 

E.  THE  FPV  IN  BOTH  FCL' S  WILL  BE  PLACED  TO  THE  "ICH"  POSITION 
IF  BOTH  THE  EVAPORATOR  OUTLET  TEMPERATURES  ARE  <  32  DEG 
(34.4  DEG)  F.  IF  THE  PAYLOAD  LOOP  DOES  NOT  CONTAIN  WATER, 

A  REAL-TIME  CALL  WILL  BE  MADE  TO  PLACE  BOTH  FPV' S  TO  THE 
"P/L"  POSITION. 

This  will  preven  t  or  delay  the  freezing  of  the  payload  and  orbiter  water  loops.  Provided  that  both  orbiter 
water  loops  and  a  500  Ib/hr  flowrate  payload  water  loop  (if  installed)  are  flowing,  the  ICH  position 
provides  orbiter  water  loop  freeze  protection  for  Freon  temperatures  as  low  as  6  deg  F,  and  payload 
water  loop  protection  for  Freon  temperatures  as  low  as  -30  deg  F  (extrapolated).  If  left  in  the  P/L 
position,  the  payload  water  loop  would  freeze  at  Freon  temps  of  32  deg  F  and  the  orbiter  water  loops  at  - 
30  deg  F  (extrapolated)  Freon  temperatures.  For  payload  flowrates  <150  Ib/hr,  the  payload  water  loop 
will  freeze  eventually,  but  is  delayed  if  the  FPV  is  placed  in  the  ICH  position. 

DOCUMENTATION:  Lockheed  analysis,  LEMSCO  19630. 

F.  IF  AN  FCL  IS  DEACTIVATED,  THE  ASSOCIATED  PRESSURE  CONTROL  (£ 
SYSTEM  (PCS)  SUPPLY  VALVE  WILL  BE  CLOSED. 

If  the  FCL  is  deactivated,  Freon  in  the  stagnant  loop  will  freeze  if  O2  is  flowing  (cryogenic  O2 
temperature  is  -254  deg  F).  Since  the  O2  is  no  longer  being  warmed  by  the  Freon,  the  O2  restrictor 
seal  will  leak  when  exposed  to  the  cryogenic  temperatures.  Normal  flow  of  O2  is  0.5  Ib/hr  for  crew 
metabolic  usage.  For  0.1  Ib/hr  O2flow,  the  stagnant  FCL  will  freeze  in  10  minutes.  For  a  10  Ib/hr 
flowrate  the  FCL  will  freeze  in  100  seconds.  Lab  test  results  indicate  that  the  O2  restrictor  seal  will 
leak  when  exposed  to  -100  deg  to  -240  deg  F  temperatures.  The  leak  will  stop  when  the  temperature 
gets  above  -47  deg  F. 

DOCUMENTATION:  SEH-ITA-80-236T;  LTR  4309-3101. 
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A18-251  FREON  COOLANT  LOOPS  (FCL)  (CONTINUED) 

G.  FOR  A  FREON-TO-WATER  LOOP  LEAK,  THE  RADIATORS  WILL  NOT  BE 
COLDSOAKED  FOR  ENTRY  AND  ATTITUDES  THAT  EXCLUDE  EARTH  OR  SUN 
VIEWING  (DEEP  SPACE)  WILL  BE  AVOIDED. 

For  a  Freon-to-water  loop  leak,  it  is  possible  to  get  water  into  the  Freon.  Coldsoaking  the  Freon 
increases  the  chances  of  freezing  this  water,  which  may  affect  the  performance  of  the  Freon  loop.  This 
risk  outweighs  the  gain  of  a  coldsocik.  It  is  not  likely  that  water  will  be  introduced  into  the  Freon  loop 
until  the  pressures  in  the  two  loops  equalize;  therefore  if  coldsocik  starts  before  the  leak  occurs,  it  should 
be  stopped  anytime  before  the  affected  water  loop’s  accumulator  quantity  reaches  100  (97)  percent.  The 
radiator  controllers  should  be  returned  to  the  norm  set  point,  and  to  avoid  decreasing  the  Freon 
temperature  in  the  radiators,  deep  space  attitudes  should  be  avoided. 

DOCUMENTATION :  N/A,  engineering  judgment. 

H.  IF  AN  FCL'S  RFCA  IS  FAILED  IN  BYPASS  (MINIMUM  RADIATOR  FLOW), 
THE  AFFECTED  FCL  WILL  BE  DEACTIVATED,  AND  A  POWERDOWN  TO  AT 
LEAST  15  KW  WILL  BE  PERFORMED.  THE  FCL  WILL  BE  REACTIVATED 
FOR  DEORBIT  PREPARATION. 

An  RFCA,  failed  in  bypass  or  minimum  radiator  flow,  will  result  in  negative  H2O  production  if  the  FES 
is  activated,  or  temperature  violations  if  the  FES  is  deactivated.  Deactivating  the  FCL  will  alleviate 
these  problems  and  only  requires  a  powerdown  to  15  kW.  (Also  reference  paragraphs  C  and  F. ) 

DOCUMENTATION:  SEH-ITA-80-054T;  SEH-ECS-86-102T. 

I.  FOR  AN  EXTERNAL  FREON  LEAK  (INCLUDING  FREON  TO  HYDRAULIC), 
WHICH  WILL  NOT  SUPPORT  NEXT  PLS,  THE  AFFECTED  LOOP  WILL  BE 
DEACTIVATED  IN  AN  ATTEMPT  TO  SLOW  THE  LEAK  RATE  FOR  USE 
DURING  ENTRY. 

Deactivating  the  pump  decreases  pressure  around  the  loop,  slowing  most  leaks.  This  is  done  to  save  the 
loop  for  deorbit/entry.  Reactivating  the  affected  Freon  loop  for  entry  would  allow  a  full  powerup  and 
opening  of  the  associated  O2  supply  valve  required  to  provide  an  adequate  O2  source  for  greater  than 
four  crewmembers  on  LES. 

DOCUMENTATION :  Engineering  judgment. 

Rule  {A18-151C},  ARS  WATER  LOOP,  references  this  rule. 
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A18-252  FLASH  EVAPORATOR  SYSTEM  (FES) 

A.  NO  MORE  THAN  ONE  FES  CONTROLLER  SHALL  BE  ACTIVATED  AT  ANY 
TIME  . 

If  two  controllers  are  activated,  both  may  pulse  water  when  required  thereby  providing  an  increased  rate 
of  cooling.  This  will  most  likely  result  in  an  FES  undertemperature  shutdown  or  afreezeup  of  the  FES 
core. 

DOCUMENTATION:  Flight  data  STS-51-B. 

B.  FOR  INITIAL  TROUBLESHOOTING  OF  ON-ORBIT  FES  SHUTDOWNS,  ONLY 
ONE  RESTART  ON  EACH  PRIMARY  CONTROLLER  WILL  BE  ATTEMPTED. 
DURING  ASCENT  OR  ENTRY,  THE  SECONDARY  CONTROLLER  WILL  BE 
ACTIVATED  IF  RESTARTS  ON  THE  PRIMARY  CONTROLLERS  WERE 
UNSUCCESSFUL. 

Repeated  FES  restarts  after  an  unexplainable  FES  shutdown  may  add  ice  in  the  core  if  icing  was  the 
initial  cause  of  the  shutdown.  Minimizing  the  number  of  restarts  to  one  per  controller  minimizes  de-icing 
time  on  orbit.  During  high  heat  load  periods  such  as  ascent  or  entry,  every  effort  should  be  made  to 
avoid  vehicle  overtemperature.  Therefore,  it  is  worth  the  risk  to  make  another  attempt  using  the 
secondary  controller.  The  alternative  is  to  open  the  PLBD  post-OMS-1  or  to  establish  radiator  flow 
during  entry. 

DOCUMENTATION :  Flight  data;  engineering  judgment. 

C.  THE  HIGH-LOAD  EVAPORATOR  CONTROL  SWITCH  WILL  BE  PLACED  IN  THE 
"OFF"  POSITION  DURING  ORBITAL  OPERATIONS  WHEN  RADIATOR 
COOLING  IS  VERIFIED  (CONTROLLER  OUTLET  TEMPERATURE  <  68  DEG 
(62.8  DEG)  F) . 

The  high-load  evaporator  is  unstable  at  low  heat  loads  and  will  cause  an  FES  shutdown  under  these 
conditions.  This  has  been  seen  on  several  flights.  The  topping  evaporator  can  main  tain  <  40  deg  F 
evaporator  outlet  temperature  for  a  maximum  FES  inlet  temperature  of  68  deg  F  (39,000  Btu/hr).  Also, 
in  disabling  the  high-load  evaporator,  the  orbiter  can  maintain  attitude  control  with  the  vernier  RCS  jets 
instead  of  the  primary  jets  (minimizes  propellant  usage).  Jet  duty  cycle  is  also  a  concern  ifVRCS  is  used 
for  attitude  control  while  in  high  load  operations. 

DOCUMENTATION:  Flight  data. 
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A18-252  FLASH  EVAPORATOR  SYSTEM  (FES)  (CONTINUED) 

D.  THE  TOPPING  EVAPORATOR  WILL  BE  USED  WITH  A  PRIMARY  CONTROLLER 
TO  SUPPLEMENT  RADIATOR  COOLING  AND  MAY  BE  USED  FOR  DUMPING 
EXCESS  FC  WATER  ON  ORBIT. 

The  topping  evaporator  will  maintain  a  stable  evaporator  outlet  temperature  when  the  radiators 
cannot  control  to  <  41  deg  F.  The  topping  evaporator  is  used  particularly  when  the  orbiter  is  in  a 
“  warm  ”  radiator  attitude  and  the  payload  requires  low  temperatures  or  steady  temperatures.  Rule 
{A18-55},  SUPPLY  WATER  DUMP ,  covers  dumping  ofFC  water.  The  secondary  controller  which 
controls  the  evaporator  outlet  temperature  of  62  deg  F  cannot  normally  be  used  since  the  radiator 
ou  tlet  temperatures  are  normally  less  than  62  deg  F.  The  FES  is  normally  on  for  either  a  payload 
need  or  for  10.2  psi  cabin  operations ,  both  of  which  require  considerably  less  than  a  62  deg  F  Freon 
temperature. 

DOCUMENTATION :  N/A,  engineering  judgment. 

E.  FES  DUCT  TEMPERATURES  MUST  BE  GREATER  THAN  THE  MINIMUM  VALUES 
LISTED  BELOW  PRIOR  TO  FES  STARTUP,  EXCEPT  FOR  TIME-CRITICAL 
DEORBITS : 


DUCT  (DEG  F) 

1.  HIGH-LOAD  -  INBOARD,  OUTBOARD  150  (170) 

2.  TOPPING  -  FORWARD,  AFT  100  (120) 

These  temperatures  ensure  that,  as  the  FES  boils  water,  the  duct  is  sufficiently  warm  so  that  the  water 
vapor  does  not  condense  and  begin  to  freeze  in  any  portion  of  the  FES  outlet  ducting. 

DOCUMENTATION:  Hamilton  Standard  SEM  #62449. 

F.  FES  ICING  @[082593-1528] 

1.  THE  FES  SHOULD  NOT  BE  OPERATED  WITH  THE  SUPPLY  WATER 

TANKS  VENTED  UNLESS  ABSOLUTELY  NECESSARY  TO  STAY  WITHIN 
ORBITER  OR  PAYLOAD  CONSTRAINTS. 
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2.  A  FES  CORE  FLUSH  CAN  BE  ATTEMPTED  AFTER  SUSPECTED  ICING. 
THE  PREFERRED  METHOD  IS  TO  BYPASS  THE  RADIATORS  USING  THE 
FLOW  CONTROL  VALVES  AND  THEN  USE  THE  SECONDARY  FES 
CONTROLLER  TO  FLUSH  ICE  FROM  THE  CORE. 

Vendor  test  results  show  that  even  at  a  pressure  of  20  psia,  ice  can  build  up  in  the  topping  core.  This 
was  especially  evident  at  heat  loads  between  23  and  32  kBtu/hr;  however,  even  at  lower  heat  loads,  icing 
is  possible.  When  the  tanks  are  vented  to  cabin  pressure  (15.0  psia  or  less),  there  is  increased  risk  of 
building  ice  in  the  topping  core.  During  STS-55,  the  FES  operated  with  the  radiator  set  point  in  HI, 
water  dump  mode  (24.3  kBtu/hr),  successfiilly  for  10.1  hours  while  the  tanks  were  vented  to  14.7 psia.  It 
con  tinued  to  operate  normally  in  and  out  of  standby  with  the  radiator  set  point  in  NORM  and  heat  loads 
between  0  and  17.5  Btu/hr.  When  a  second  dump  was  attempted,  the  FES  overtemp  shut  down  after  2.3 
hours  due  to  icing.  Even  after  repressurizing  the  water  tanks,  the  FES  could  not  be  restarted.  It  was 
suspected  that  the  ice  build  up  was  gradual,  interfering  with  the  FES’s  capability  to  function  and  finally 
resulting  in  the  shutdown. 

The  ice  was  later  removed  using  a  topping  core  flush  procedure  proven  during  SESL  testing  which  had 
the  Freon  loop  radiators  bypassed,  inducing  a  high  heat  load,  and  cycling  the  secondary  FES  controller. 

If  the  FES  is  used  with  the  tanks  vented  for  any  reason  and  icing  causes  a  FES  shutdown,  this  flush 
procedure  could  be  used  at  the  earliest  available  time  to  flush  the  core  and  resume  normal  FES 
operations  as  required.  If  possible,  the  radiator  set  point  should  be  left  in  HI  to  help  thaw  the  core; 
however,  this  is  not  required  prior  to  performing  the  flush  procedu  re.  User  of  the  flow  con  trol  valves  is 
preferred  to  minimize  the  risk  encountered  during  radiator  bypass. 

DOCUMENTATION :  STS-55  mission  data;  Hamilton  Standard  SESL  Test  Data  documented  in  Internal 
Correspondence  Letter:  SPACE  SHUTTLE  ORBITER  Flash  Evaporator  Program,  Justification  for 
Increased  Feedwater  Pressure  and  Addition  of  an  Accumulator  to  the  Vehicle  Feedwater  System, 

February  15,  1978  (analysis  78-37,  File  2.16.2). 

G.  IF  ICING  IS  SUSPECTED  IN  AN  EVAPORATOR  CORE  DURING  ASCENT, 

THE  SECONDARY  CONTROLLER  WILL  BE  SELECTED  ON  BOTH  CORES  (AND 
ALTERNATE  FEEDLINE,  IF  REQUIRED,  ON  THE  SECONDARY  HI  LOAD) 
PRIOR  TO  RADIATOR  ACTIVATION  IN  AN  ATTEMPT  TO  FLUSH  THE  CORES 
AND  PROVIDE  DIAGNOSTIC  INFORMATION. 
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During  STS-26,  FES  shutdowns  occurred  during  38  to  55  minutes  MET.  Both  primary  controllers  were 
selected  and  repeatedly  shut  down.  The  secondary  topper  was  selected  and  appeared  to  operate 
nominally.  A  postlanding  inspection  indicated  corrosion  in  the  topping  core  surface  which  degraded  the 
evaporation  process  and  gave  ice  a  foothold.  Use  of  the  secondary  con  troller  cleared  the  ice  out  of  the 
topping  core  (secondary  topper  uses  both  A  and  B  H2O  spray  nozzles  alternately,  has  no  shutdown 
feature,  and  operates  at  a  higher  control  temperature),  but  the  high  load  core,  which  was  considered 
suspect,  was  not  tested  until  the  radiator  bypass  FES  checkout  toward  the  end  of  the  flight.  An  earlier 
indication  of  system  status  is  preferred. 

After  radiator  activation,  the  secondary  controller  will  not  operate,  since  radiator  output  temperature 
will  be  below  the  secondary  control  temperature.  Flushing  the  core  with  secondary  controller  would 
require  bypassing  the  radiators  on  orbit. 

DOCUMENTATION :  STS-26  Flight  Data,  engineering  judgment. 

H.  THE  FES  FEEDLINE  A (B )  HEATERS  WILL  BE  DEACTIVATED  IF  THE 

HIGH-LOAD  LINE  TEMPERATURE  EXCEEDS  250  DEG  F  (OSH)  FOR  1  HOUR 
AND  THE  ACCUMULATOR  LINE  TEMPERATURE  FOR  FEEDLINE  A (B )  IS  NOT 
CYCLING.  THE  ALTERNATE  HEATERS  MAY  BE  SELECTED.  IF  THE 
ACCUMULATOR  LINE  TEMPERATURE  INDICATES  THAT  THE  THERMOSTAT  IS 
DITHERING,  HEATER  OPERATION  CAN  CONTINUE  SO  LONG  AS  THE 
ACCUMULATOR  LINE  TEMPERATURE  IS  WITHIN  THE  NORMAL  CONTROL 
BAND.  ®[0921 95-1 790A] 

FES  feedline  A  and  B  high-load  line  temperatures  (V63T1895A  and  V63T1896A)  have  exceeded  the 
upper  limit  of 250  deg  F  during  several  missions  with  no  adverse  effects.  If  the  250  deg  F  limit  is 
exceeded  for  extended  periods  (?  Ihour),  however,  the  water  in  the  feedline  may  boil  to  such  an  extent 
that  damage  could  result.  This  could  cause  a  vapor  barrier  in  the  line  and  possible  heater  burnout  or 
FES  shutdown  when  the  high-load  evaporator  is  used  for  entry.  Heater  failure  will  occur  at  a  line 
temperature  of 400  deg  F.  This  will  be  reached  approximately  1  hour  after  exceeding  250  deg  F  with  a 
failed-on  heater.  The  accumulator  line  heater  and  the  high-load  line  heater  are  controlled  by  the  same 
thermostat.  The  accumulator  line  temperatures  A  (V63TI892A)  and  B  ( V63TI894A)  indicate  that  the 
associated  thermostat  is  operating  properly.  If  the  accumulator  line  temperature  indicates  that  the 
thermostat  is  dithering,  operation  of  the  heaters  can  con  tinue.  Flight  experience  from  STS-68  with  a 
dithering  thermostat  showed  no  overheating  damage  after  8  hours  of  operation.  The  dithering 
thermostat  is  acceptable,  provided  that  the  thermostat  is  not  constantly  on  at  a  temperature  near  the 
upper  limit  of  the  normal  control  band.  ®[092195-1790A] 
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DOCUMENTATION :  Flight  data  and  MER-SPAN  Mission  Action  Requests  26  for  STS  41-D  and  13  for 
STS  61 -A.  documen  t  the  acceptability  of  exceeding  the  250  deg  F  limit  for  1  hour.  STS-68  PR  #PV6- 
275540  (IFA  #5,  EICN  ECL-5-08-0398)  indicates  that  no  damage  or  evidence  of  overheating  were  found 
during  postflight  inspection  and  replacemen  t  of  dithering  thermostat.  ®[092195-1790A] 

I.  IF  A  1-DAY  WAVE-OFF  IS  DECLARED  AFTER  RADIATOR  BYPASS,  THE 
TOPPING  EVAPORATOR  WILL  BE  DEACTIVATED,  AS  REQUIRED,  DURING 
THE  EXTENSION  DAY.  DISABLING  THE  FES  WILL  TAKE  PRECEDENCE 
OVER  ANY  FES  REQUIREMENT  FOR  PAYLOAD  OPERATIONS  BEING 
CONSIDERED  FOR  THE  EXTENSION  DAY.  CONSIDERATION  WILL  BE 
GIVEN  TO  ENABLING  THE  FES  WHEN/IF  SUPPLY  f£0  QUANTITIES  ARE 
SUFFICIENT  TO  SUPPORT  FUTURE  DEORBIT  OPPORTUNITIES. 

After  the  radiators  have  been  bypassed,  the  FES  is  the  sole  means  of  vehicle  cooling.  During  this  time, 
the  net  H2O  rate  is  approximately  -55  Ib/hr.  If  a  wave-off  is  called  after  the  radiator  panels  have  been 
bypassed,  supply  H2O  quantities  may  not  support  multiple  deorbit  opportunities  at  a  later  time. 
Disabling  the  FES  and  allowing  the  radiators  to  maintain  vehicle  cooling  during  extension  days  will 
allow  supply  H2O  quantities  to  increase  so  that  future  deorbit  opportunities  may  be  supported. 
Maximizing  deorbit  opportunities  is  a  high  priority  than  conducting  unplanned  payload  operations  on 
extension  day. 

DOCUMENTATION :  Engineering  judgment. 
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A18-253  AMMONIA  BOILER  SUBSYSTEM  (ABS) 

A.  IF  RADIATORS  HAVE  BEEN  COLDSOAKED,  BOTH  NH3  CONTROLLERS  WILL 
REMAIN  OFF,  EXCEPT  WHEN  REQUIRED  FOR  ENTRY  COOLING  BELOW  120K 
FEET.  WHEN  RADIATOR  HEAT  SINK  CAPACITY  IS  DEPLETED,  ONE  Nf$ 
CONTROLLER  WILL  BE  ACTIVATED.  THE  ALTERNATE  CONTROLLER  WILL 
BE  ACTIVATED  WHEN  THE  FIRST  SYSTEM  IS  DEPLETED. 

If  the  radiators  are  coldsoaked  in  deorbit  preparation,  the  radiators  can  provide  adequate  cooling  from 
FES  deactivation  to  touchdown.  Also,  since  NHj  is  a  consumable  which  can  be  depleted,  leaving  the 
NHj  system  off  until  the  radiator  heat  sink  capacity  is  depleted  will  maximize  orbiter  cooling  capability 
postlanding  ( length  of  time)  until  GSE  cooling  carts  can  be  connected  to  the  orbiter. 

B.  THE  ABS  MAY  BE  ACTIVATED  POST-EI  IF  ADDITIONAL  COOLING  IS 
REQUIRED . 

For  the  ABS  to  operate,  enough  gravitational  force  is  required  in  the  relative  direction  of  the  tank  outlet 
to  keep  the  NHj  at  the  outlet  and  not  allow  the  helium  pressurant  to  escape  first  (NHj  tanks  do  not  have 
a  bladder  system).  The  vehicle  orientation  combined  with  the  gravitational  force  is  correct  for  ABS 
activation  for  altitudes  of 400k  feet  (El)  or  less.  Therefore,  if  cooling  is  required  (no  radiator  colds  oak, 
no  FES,  etc.),  the  ABS  is  operable  post-EI  and  may  be  used. 

DOCUMENTATION:  SODB  3.4.6.3-2B. 

C.  FOR  A  LOST/DEGRADED  FCL : 

1.  IF  AN  FCL  IS  TOTALLY  LOST  (E.G.,  NO  FLOW),  ITS  ASSOCIATED 
ABS  CONTROLLER  WILL  BE  DEACTIVATED  AND  NOT  REACTIVATED. 

IN  THE  EVENT  NO  OTHER  COOLING  IS  AVAILABLE  DURING  ENTRY, 
THE  ABS  WILL  BE  REACTIVATED  AND  MANUAL  CYCLING  MAY  BE 
REQUIRED  TO  PREVENT  WATER  LOOP  FREEZING. 

NHj  system  A  controller  uses  three  temperature  sensors  on  the  FCL  1  outlet  line  while  NHj  system  B 
controller  uses  three  sensors  on  the  FCL  2  outlet.  If  FCL  1(2)  is  lost  and  NHj  A(  B)  controller  is 
selected,  the  temperature  at  the  control  sensors  of  the  lost  loop  will  not  provide  proper  con  trol  of  the 
cooling.  This  will  result  in  the  ABS  flowing  NHj  at  whatever  rate  the  inoperative  sensors  demand,  which 
may  result  in  too  much  cooling,  thus  undertemping  the  active  loop,  or  too  little  cooling,  causing  an 
overtemperature  condition.  Some  manual  cycling  of  the  NHj  controller  while  observing  the  evaporator 
outlet  temperature  may  be  possible,  but  should  be  used  only  if  no  other  cooling  options  exist. 

DOCUMENTATION :  N/A,  system  schematic  analysis. 
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2.  FOR  A  DEGRADED  FCL  IF  THE  DIFFERENCE  IN  TOTAL  FLOW 

BETWEEN  THE  TWO  FCL'’ S  IS  >  450  LB/HR,  THE  DEGRADED  FCL' S 
NH3  SYSTEM  WILL  BE  SELECTED  IF  COOLING  IS  REQUIRED. 

For  a  difference  in  total  flow  between  the  two  FCL’s  of  greater  than  450  Ib/hr,  activating  the  good  loop 
NHj  system  will  result  in  NHj  system  outlet  temperatures  <  32  degrees  F.  This  can  cause  freezing  of 
low  flowrate  payload  water  loops  and  rupture  of  the  payload  heat  exchanger. 

DOCUMENTATION:  SEH-ECS-85-052T. 

D.  nh3  controllers  will  be  alternated  flight  to  flight  for 

POSTLANDING  COOLING,  WHEN  PRACTICAL,  SO  THAT  EACH  OF  THE  FOUR 
IS  USED  AT  LEAST  ONCE  EVERY  FOUR  FLIGHTS  (TO  SATISFY  STEP)  . 
ABS  SECONDARY  MODE  OPERATION  WILL  BE  SELECTED  ONLY  WHEN  DATA 
TO  THE  GROUND  AND  VOICE  COMMUNICATION  ARE  AVAILABLE. 

NHj  controller  alternation  is  implemented  to  accomplish  periodic  checkout  of  the  secondary  controllers, 
which  is  a  program  requirement  but  results  in  an  unacceptable  impact  to  vehicle  turnaround  if  done 
postflight  (KSC  checkout).  Secondary  mode  operation  on  the  ABS  is  attended  by  slightly  higher  risk  due 
to  the  design  of  the  undertemperature  protection,  such  that  an  ABS  failure  causing  undertemperature 
results  in  an  automatic  switchover  from  the  primary  to  the  secondary,  but  not  from  secondary  to  primary. 
For  this  reason,  the  secondary  controller  should  be  selected  only  when  data  and  communication  are 
available  so  that  ground  controllers  have  visibility  into  and  can  react  quickly  to  any  ABS  problem  that 
might  develop. 

DOCUMENTATION:  MD3/84-20;  DF/83-178. 

A18-254  ABS  AMMONIA  REDLINE 

ABS  AMMONIA  -  THERE  I S  NO  REQUIREMENT  FOR  NK>  AFTER  ORBIT 
INSERTION. 

There  is  no  requirement  for  NHj  after  nominal  orbit  insertion.  The  FES  and  radiators  are  used  for  orbit 
and  entry  cooling.  The  NHj  boiler  is  not  required  until  post-rollout  and  an  emergency  powerdown  can 
be  performed  if  NHj  is  not  available.  The  ammonia  boiler  is  required  for  launch  aborts  since  the 
radiators  cannot  be  coldsoaked  in  these  cases.  Therefore,  after  nominal  ascent  and  insertion  have  been 
completed,  there  is  no  requirement  for  the  NHj  boiler. 

DOCUMENTATION:  Flight  data. 
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A18-255  RADIATOR  FLOW  CONTROL  ASSEMBLY  (RFCA) 

A.  ASCENT  OPERATIONS: 

1.  THE  RADIATORS  WILL  BE  BYPASSED  FOR  ASCENT,  EXCEPT  IN  CASE 
OF  LOSS  OF  FES  OPERATION. 


The  radiators  are  used  as  a  backup  heat  sink  in  case  of  loss  of  topping,  high-load,  or  total  FES  during 
ascent.  If  the  radiators  are  not  bypassed  for  launch,  this  heat  sink  would  not  be  available.  There  are 
also  some  ground  problems  with  launching  in  radiator  flow.  Should  radiator  flow  be  initiated  with  the 
GSE  cooling  system  still  connected  ( anytime  the  vehicle  is  on  the  pad,  pre-lift-off,  or  during  a  launch 
hold),  the  GSE  cannot  react  quickly  enough  to  the  decreased  heat  load.  This  could  result  in  very  low 
orbiter  Freon  temperatures.  For  these  reasons  radiator  flow  prior  to  lift-off  is  not  attempted. 

DOCUMENTATION:  SEH-ITA-83-OI7T. 

2.  IF  THE  TOTAL  FES  FAILS,  RADIATOR  FLOW  WILL  BE  INITIATED. 


During  ascent,  the  FES  is  the  only  means  of  cooling  the  vehicle.  If  the  total  FES  is  lost,  radiator  flow  is 
initiated  for  cooling.  This  takes  advantage  of  any  coldsoak  that  exists  in  the  radiators.  If  only  one 
evaporator  is  lost,  the  secondary  controller  can  be  used  with  the  good  evaporator  core.  Flight  data  from 
STS-26  showed  that  the  secondary  topper  can  handle  nominal  ascent  loads  and  control  to  62  deg  F. 


DOCUMENTATION:  SEH-ITA-81-107,  SEH-ITA-80-047T,  and  STS-26  flight  data. 


3.  IF  THE  RADIATOR  BYPASS  VALVE  FAILS  IN  BYPASS  (NOT  IN 

TRANSIT)  DURING  RADIATOR  FLOW  INITIATION,  THE  ALTERNATE 
CONTROLLER  WILL  BE  SELECTED.  IF  THE  ALTERNATE  CONTROLLER 
IS  INOPERATIVE  OR  THE  VALVE  WAS  FAILED  IN  TRANSIT, 
ATTEMPTS  WILL  BE  MADE  TO  MANUALLY  POSITION  IT  TO  FULL 
RADIATOR  FLOW.  IF  THE  VALVE  REMAINS  IN  AN  INTERMEDIATE 
POSITION  OR  WAS  MANUALLY  POSITIONED  TO  FULL  RADIATOR 
FLOW,  THE  CONTROLLER  AC  CB'S  WILL  BE  OPENED  AND 
CONSIDERATION  GIVEN  TO  ATTITUDE  CONSTRAINTS  FOR  UNDER 
TEMPERATURE  PROTECTION  MEASURES  ON  ORBIT. 
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If  the  bypass  valve  fails  in-transit  during  flow  initiation,  the  alternate  controller  will  not  be  selected  since 
the  possibility  exists  that  the  valve  could  be  driven  back  to  bypass  (initialization  sequence )  and  stick 
there.  If  it  is  already  stuck  in  bypass,  changing  con  trollers  does  not  increase  the  risk.  For  either  case, 
attempts  should  be  made  to  drive  the  valve  manually  to  radiator  flow  so  that  proper  cooling  from  both 
FCL  's  is  available.  Opening  the  controller  ac  circuit  breaker  ensures  that  the  valve  will  not  be 
inadverten  tly  driven  to  bypass  where  it  might  stick  ( possibly  permanen  tly )  causing  early  mission 
termination. 

B.  ON-ORBIT  OPERATIONS: 

1.  NORMALLY,  THE  RADIATORS  WILL  BE  LEFT  IN  THE  STOWED 

POSITION  BUT  MAY  BE  DEPLOYED  IF  ANY  OF  THE  FOLLOWING 
CONDITIONS  EXIST: 

a.  IF  THE  AVERAGE  NET  WATER  STORAGE  RATE  IS  ?0  AND/OR 
THE  SUPPLY  WATER  QUANTITY  REDLINE  WILL  BE  VIOLATED 
BASED  ON  EXPECTED  WATER  STORAGE  RATES. 

b.  IF  MINIMIZING  FES  OPERATION,  FROM  A  PAYLOAD 
STANDPOINT,  IS  DESIRED. 

C.  IF  AN  EVAPORATOR  OUTLET  TEMPERATURE  WILL  RESULT  IN 

VIOLATION  OF  AN  ORBITER  OR  PAYLOAD  LIMIT  WHEN  THE  FES 
CANNOT  BE  OPERATED . 


The  radiators  normally  remain  stowed.  If  deployed,  and  a  failure  occurs  such  that  the  radiators  cannot 
be  stowed,  an  EVA  would  be  required  to  cut  the  radiator  deploy/stow  linkage  to  allow  the  EVA 
crewmember  to  manually  stow  the  radiator.  The  PLED  will  not  close  if  the  radiator  is  deployed. 

Deploying  the  radiators,  in  most  attitudes,  increases  cooling  capacity  by  utilizing  additional  surface 
area.  Therefore,  if  present  cooling  capabilities  are  not  adequate  or  if  FES  usage  is  great  enough  to 
jeopardize  mission  success/completion,  any  available  cooling  capacity  should  be  used.  See  also  the 
rationale  for  Rule  {A18-208C},  RADIATOR  FLOW  CONTROL  ASSEMBLY  (RFCA). 

DOCUMENTATION :  N/A,  engineering  judgment. 

2.  THE  RADIATOR  PANEL  OUT  TEMPERATURES  SHOULD  NOT  BE  ALLOWED 
TO  DECREASE  BELOW  -90  DEG  F  (-85  DEG  F)  TO  PROTECT 
AGAINST  WATER  CONTENT  COMING  OUT  OF  SOLUTION  AND 
FREEZING.  IF  THIS  VIOLATION  OCCURS,  ACTION  WILL  BE  TAKEN 
TO  INCREASE  THE  TEMPERATURES  IN  THE  RADIATORS. 

THIS  RULE  CONTINUED  ON  NEXT  PAGE 


VOLUME  A  06/20/02  FINAL  THERMAL  18-47 

Verify  that  this  is  the  correct  version  before  use. 


NASA  -  JOHNSON  SPACE  CENTER 


FLIGHT  RULES 


A18-255  RADIATOR  FLOW  CONTROL  ASSEMBLY  (RFCA)  (CONTINUED) 

The  SODB  (volume  1,  table  3. 4. 6.3-1)  lists  the  minimum  operating  temperature  for  the  RFCA  at  -85  deg 
F.  This  limit  protects  up  to  20  ppm  of  water  content  in  Freon  and  allows  for  cold  spots  in  the  radiators. 
The  maximum  allowable  H2O  content  in  the  Freon  loops  is  15  ppm.  Data  indicates  that,  at 
approximately  -93  deg  F,  15  ppm  moisture  precipitates  as  ice  crystals.  If  this  temperature  is  exceeded, 
ice  crystals  can  form  and  damage  the  temperature  sensor  and  cause  flow  loss  by  collecting  on  RFCA 
filters.  The  -90  deg  F  limit  was  added  to  protect  against  the  maximum  allowable  limit  ofH20  in  Freon 
21  (15  ppm)  and  to  give  the  operations  team  some  margin  in  mission  planning.  The  -90  deg  F 
temperature  has  only  been  exceeded  once  in  flight  (STS-35).  It  is  believed  that,  since  the  -90  deg  F 
protects  the  allowable  con  ten  t  of  H2O  from  freezing  and  would  rarely  be  reached,  the  -90  deg  F  limit 
would  protect  the  RFCA  and  not  impact  the  mission  timeline.  Since  the  radiator  panel  out  temperatures 
are  the  inlet  temperatures  to  the  RFCA,  this  limit  must  be  protected.  Actions  may  include  stowing 
radiators,  positioning  radiators  to  normal,  and  an  attitude  change.  The  -85  deg  F  is  the  limit  without 
transducer  error  included.  Due  to  the  large  range  of  the  RAD  PNL  out  temperature  transducer  (-250  deg 
to  400  deg  F)  a  5  percent  error  would  make  the  lower  limit  (-53  deg  F)  unreasonable.  Flight  experience 
has  shown  that  the  transducer  has  performed  better  than  the  5  percent  error  allowed. 

DOCUMENTATION:  JSC-08934,  3.4.6.3-1.  RIILNo.  287-203-90-090. 

C.  ENTRY  OPERATIONS: 

1.  IF  VEHICLE  STATUS  PERMITS,  THE  RADIATORS  WILL  NORMALLY  BE 
COLDSOAKED  1  HOUR  PRIOR  TO  PLBD  CLOSURE  BY  PLACING  THE 
RADIATOR  CONTROLLER  IN  THE  HIGH  TEMPERATURE  CONTROL  MODE, 
AND  THEN  BY  BYPASSING  THE  RADIATORS  AT  PLBD  CLOSURE. 

This  coldsoak  provides  heat  sink  capacity  which  may  be  used  in  a  nominal  entry  to  delay  ABS  activation 
until  post-rollout,  or  which  may  be  used  in  the  event  of  a  FES  failure  to  provide  some  cooling  prior  to  the 
availability  of  the  ABS  at  entry  interface.  The  radiator  controller  is  placed  in  the  high  temperature 
control  mode  instead  of  bypassing  the  radiators  in  order  to  conserve  both  supply  water  and  propellant. 
Greater  than  1  hour  is  acceptable  in  the  normal  cold  soak  attitude  and  configuration. 

DOCUMENTATION:  SEH-ITA-85-001T. 
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A18-255  RADIATOR  FLOW  CONTROL  ASSEMBLY  (RFCA)  (CONTINUED) 

2.  IF,  DUE  TO  AUTO  CONTROLLER  PROBLEMS,  THE  BYPASS  VALVE  HAS 
BEEN  MANUALLY  POSITIONED  IN  "RAD  FLOW"  PRIOR  TO  DEORBIT, 
OR  IF  THE  BYPASS  VALVE  IS  STUCK  IN  TRANSIT,  ATTEMPTS  WILL 
NOT  BE  MADE  TO  POSITION  IT  TO  "BYPASS"  AT  PLBD  CLOSURE. 

If  positioned  to  “bypass,  ”  the  valve  could  permanently  stick  and  radiator  flow  could  not  be  initiated. 

For  loss  of  FES  or  partial  loss  of  FES,  radiator  flow  is  required. 

DOCUMENTATION :  N/A,  engineering  judgment. 

3.  RADIATOR  FLOW  WILL  NORMALLY  BE  INITIATED  AT  V  =  12K  FPS 
(APPROXIMATELY  175K  FEET)  AND  NO  LATER  THAN  130K  FEET. 
RADIATOR  FLOW  MAY  BE  INITIATED  EARLIER  IF  REQUIRED. 

®[ED  ] 

Once  radiator  flow  is  initialized,  90  seconds  must  pass  before  the  valves  go  to  the  flow  position.  If 
radiator  flow  is  initiated  at  17 5k  feet,  flow  will  begin  around  154k  feet.  This  is  prior  to  FES  shutdown 
( approximately  100k  to  110k  feet)  and  eliminates  thermal  transients.  If  initiated  at  130k  feet,  radiator 
flow  will  begin  around  110k  feet,  or  right  at  FES  shutdown.  Radiator  flow  can  be  initiated  earlier  in 
contingency  situations. 

DOCUMENTATION:  Flight  data. 

4.  IF  EITHER  RFCA  AUTOMATICALLY  BYPASSES  WHEN  RADIATOR  FLOW 
IS  INITIATED,  THAT  CONTROLLER  WILL  BE  CYCLED  ONCE. 

This  situation  occurred  on  past  flights  where  certain  conditions  (a  warm  slug  of  fluid  immediately 
followed  by  a  cold  slug  of  fluid)  caused  the  controller  logic  to  bypass  the  radiators.  Procedures  were 
changed  to  alleviate  this  condition;  however,  should  it  exist,  cycling  the  controller  one  time  remedies  this 
situation. 

DOCUMENTATION :  Flight  experience. 
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A18-256  RADIATOR  ISOLATION  VALVE  MANAGEMENT 

A.  ASCENT/ENTRY  OPERATIONS:  @[090999-681 5A] 

THE  RADIATOR  ISOLATION  VALVES  ARE  CONFIGURED  TO  THE  RAD  FLOW 
POSITION  AND  OFF. 


The  radiators  are  used  as  a  backup  heat  sink  in  case  of  loss  of  topping,  high-load,  or  total  FES  during 
ascent.  To  minimize  operational  impacts,  the  isolation  valves  are  configured  for  radiator  flow. 

The  cb’s  that  provide  power  to  the  bypass  valves  and  control  electronics  will  be  configured  closed  to 
provide  the  capability  to  manually  bypass  the  radiators  to  isolate  an  additional  portion  of  the  affected 
loop,  should  the  need  arise. 


DOCUMENTATION :  Engineering  judgmen  t. 

B.  ON-ORBIT  OPERATIONS 

1.  NORMALLY,  AUTOMATIC  RADIATOR  ISOLATION  CAPABILITY  WILL  BE 
CONFIGURED  FOR  "AUTO"  OPERATIONS  DURING  ON-ORBIT 
OPERATIONS . 

2.  IF  A  RADIATOR  IS  ISOLATED  BY  THE  AUTO  SOFTWARE,  AND 
GROUND  DATA  INDICATES  NO  FCL  LEAK,  THE  AFFECTED  LOOP'S 
ISOLATION  VALVE  WILL  BE  RECONFIGURED  MANUALLY  TO  RADIATOR 
FLOW. 

3.  IF  A  LEAK  IS  DETECTED  ON  AN  FCL,  BEFORE  AUTO  ISOLATION  IS 
INITIATED,  THE  AFFECTED  LOOP'S  RADIATOR  WILL  BE  MANUALLY 
ISOLATED  IN  ORDER  TO  ISOLATE  AND  STOP  THE  LEAK. 

4.  IF  A  FCL'S  RADIATOR  ISOLATION  VALVE  IS  FAILED  IN  BYPASS 
OR  A  LEAK  HAS  BEEN  ISOLATED,  THE  AFFECTED  FCL  WILL  BE 
DEACTIVATED,  AND  A  POWERDOWN  TO  AT  LEAST  15  KW  WILL  BE 
PERFORMED.  THE  FCL  WILL  BE  REACTIVATED  FOR  DEORBIT 
PREPARATION. 

5.  IF  RADIATOR  ISOLATION  CAPABILITY  IS  LOST  ON  EITHER  OR 
BOTH  LOOPS,  THERE  ARE  NO  MISSION  DURATION  CONSTRAINTS. 

NO  ADDITIONAL  ATTITUDE  CONSTRAINTS  FOR  ORBITAL  DEBRIS 
WILL  BE  LEVIED.  @[090999-681 5A] 
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A18-256  RADIATOR  ISOLATION  VALVE  MANAGEMENT  (CONTINUED) 

Analysis  indicates  that  depletion  of  a  Freon  loop,  due  to  debris  puncture  of  a  radiator  tube,  allows  for 
reaction  times  of  only  seconds,  even  for  small  diameters  (i.e.,  a  0.10  in  diameter  puncture  will  deplete  the 
loop  within  75  to  80  seconds ).  Due  to  this  concern,  hardware  and  software  has  been  incorporated  that 
will  cdlow  the  automatic  or  manual  isolation  of  a  leaking  radiator,  based  upon  accumulator  quantity. 

This  “AUTO”  capability  will  normally  be  activated  during  on-orbit  operations,  to  ensure  adequate 
protection  of  the  Freon  loops,  for  the  duration  of  the  mission.  @[090999-681 5A] 

Because  the  software  is  dependent  upon  a  single  accumulator  quantity  transducer  for  each  loop,  the 
capability  exists  to  either  manually  position  the  isolation  valve  to  the  radiator  flow  position  or  the 
radiator  isolated  position.  Should  automatic  isolation  be  initiated  by  the  software,  data  evaluation  by 
the  MCC  is  required  to  confirm  or  deny  a  real  leak  ( the  MCC  has  additional  insight  not  available  to  the 
crew,  radiator  leg  pressures  and  isolation  valve  positions,  that  cdlow  for  confirmation  of  leaks).  If  no 
leak  is  detected,  the  valve  may  be  moved  back  to  radiator  flow  using  the  manual  capability  to  preven  t 
another  inadvertent  auto  isolation. 

The  software  in  the  GPC  is  intended  to  isolate  the  radiator  upon  detection  of  large  leaks,  based  solely 
upon  the  accumulator  quantity  (V63Q1130A/1330A  <  12  percent).  In  the  event  that  a  small  leak  is 
detected,  prior  to  detection  by  the  software,  the  affected  loop ’s  radiator  can  be  manually  isolated  in 
order  to  troubleshoot  and  possibly  isolate  the  leak.  If  leak  isolation  is  unsuccessful,  radiator  flow  may 
be  regained  for  nominal  loop  operations  until  depletion  of  the  loop. 

A  radiator  isolation  valve  failed  in  bypass,  or  is  positioned  in  bypass  due  to  a  leak,  will  result  in  a 
negative  H2O  storage  rate  if  the  FES  is  activated,  or  temperature  violations  if  the  FES  is  deactivated. 
Deactivating  the  FCL  will  alleviate  these  problems  and  only  requires  a  powerdown  to  15  kW.  {Ref  Rule 
{A1 8-25 1C}  and  F,  FREON  COOLANT  LOOPS  (FCL)). 

Radiator  isolation  capability  does  not  affect  the  odds  of  debris  penetration.  It  is  assumed  that  attitude 
planning  already  considers  debris  impact  odds  while  satisfying  payload  and  other  mission  objectives. 

DOCUMENTATION:  MCR  92184B,  “ Freon  Radiator  Iso  Valve  Automation  ”;  AEFTP  #145,  December 
19,  1997;  Radiator  Shielding  &  Isolation  CDR,  10/7/97;  SEH-ECS-86-102T;  and  engineering  judgmen  t. 
@[090999-681 5A] 
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A18-257  POSTLANDING  NH3  TERMINATION 

DURING  THE  POSTLANDING  TIMEFRAME,  THE  NH3  SYSTEM  WILL  BE 
DEACTIVATED  AS  SOON  AS  POSSIBLE  FOLLOWING  THE  OBSERVANCE  OF  NH> 
SYSTEM  BLOW  DOWN.  @[052401-4674] 

The  intent  of  this  rule  is  to  avoid  drawing  ambient  air  into  the  NHg  system.  The  NHg  system  is 
pressurized  with  helium  gas.  Once  the  NHg  is  depleted,  the  tank  pressure  will  drop  as  helium  quickly 
exits  the  system.  The  system  also  cools  as  this  occurs.  If  the  system  is  allowed  to  drop  to  ambien  t 
pressure  and  the  system  experiences  any  residual  cooling,  the  pressure  inside  the  tank  could  then  drop 
below  ambien  t  pressure  and  draw  air  into  the  depleted  NHg  tank.  The  blow  down  from  NHg  depletion  to 
ambient  pressure  takes  approximately  3  minutes. 

This  is  especially  undesirable  at  KSC  where  the  salt  content  in  the  air  will  cause  system  corrosion. 
DOCUMENTATION :  Flight  data,  Engineering  judgment  @[052401-4674] 
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EECOM  HEATER  MANAGEMENT 


A18-301  TCS  HEATER  CONFIGURATION 

A.  THE  FOLLOWING  HEATERS  WILL  BE  ENABLED  FOR  LIFT-OFF: 

1.  FES  TOP  NOZZLE  (LEFT  AND  RIGHT)  ®[ED  ] 

2.  FUEL  CELL  RELIEF  LINE 

3.  FES  TOPPING  AND  HIGH-LOAD  DUCT 

4 .  FUEL  CELL  WATER  LINE 

NOTE:  IN  ALL  CASES,  UNLESS  THERMAL  CONDITIONS  REQUIRE 

OTHERWISE,  ONLY  A  SINGLE  HEATER  SYSTEM  WILL  NORMALLY  BE 
ENABLED . 

FES  heaters  are  activated  prior  to  lift-off  and  remain  on  through  lift-off  to  ensure  that  duct  temperatures 
are  high  enough  to  prevent  freezing  of  the  water  vapor  in  the  ducts  upon  FES  activation.  Nozzle  heaters 
are  not  required  for  nominal  situations,  but  are  desired  in  case  of  high  FES  carryover. 

For  the  fuel  cell  relief  line  heater  and  water  line  heater,  see  Rule  {A9-53},  FC  H2O  SYSTEM  HEATERS. 

DOCUMENTATION:  HAMILTON  STD.  SEM  62449. 

B.  THE  FES  FEEDLINE  HEATERS  WILL  BE  ENABLED  POST-OMS-1: 


The  feedline  heaters  are  enabled  at  this  time  to  prevent  freezing  of  the  water  in  these  lines.  With  PLBD’s 
open  it  is  estimated  that  in  a  cold  attitude  these  lines  will  freeze  in  approximately  45  minutes  and  in  a 
warm  attitude  in  approximately  1.5  hours. 

DOCUMENTATION:  ES2-81-256M. 

C.  THE  FOLLOWING  HEATERS  WILL  BE  ENABLED  AFTER  SEAT  EGRESS: 

1.  VACUUM  VENT  NOZZLE 

2.  SUPPLY/WASTE/VACUUM  VENT  LINE 
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A18-301  TCS  HEATER  CONFIGURATION  (CONTINUED) 

3.  EXTERNAL  AIRLOCK  STRUCTURAL  AND  WATER  LINE  @[061297-4904] 


Prelaunch  PLB  thermal  conditioning  maintains  proper  temperatures;  therefore,  the  associated  heaters 
are  not  required.  As  a  general  guideline,  power  not  required  for  ascent  is  inhibited  from  use.  The 
heaters  should  be  enabled  as  soon  as  practical  once  on  orbit  so  possible  freezing  water  will  not  become 
a  concern  when  the  PLBD’s  are  opened  and  so  the  WCS  can  be  used  normally,  if  required. 


DOCUMENTATION :  Rockwell  I.L.  270-200-95-152,  Rev  1,  and  engineering  judgment.  @[061297-4904] 


D  . 


THE  FOLLOWING  HEATERS  WILL  BE  ENABLED  WHEN  REQUIRED: 

1.  SUPPLY  DUMP  NOZZLE 

2.  WASTE  DUMP  NOZZLE 

3.  FUEL  CELL  PURGE 

4.  HIGH-LOAD  DUCT 


The  high-load  evaporator  and  high-locid  duct  heaters  are  disabled  on  orbit.  Prior  to  re-enabling  the 
high-load  evaporator,  the  duct  heaters  must  be  reactivated  to  prevent  freezing  of  the  water  vapor  in  the 
ducts  upon  high-load  activation. 

FC  purging  and  water  dumping  are  normally  performed  only  during  the  presleep  and  post  sleep  periods, 
and  thus,  not  continuously  required.  Using  the  heaters  during  the  overboard  venting  prevents  the 
possibility  of  water  freezing  and  rendering  the  nozzles  worthless  for  future  mandatory  dumps  and  purges. 

DOCUMENTATION :  HAMILTON  STD.  SEM  62449  and  engineering  judgment. 
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A18-302  TCS  HEATER  REDUNDANCY 

ALL  REDUNDANT  HEATERS  WILL  NORMALLY  HAVE  ONLY  ONE  CIRCUIT  ENABLED 
AT  A  TIME. 

The  heaters  are  designed  so  that  only  one  circuit  is  necessary. 

DOCUMENTATION :  Engineering  judgment  and  flight  data. 

A18-303  REDUNDANT  TCS  HEATER  VERIFICATION 

AT  APPROXIMATELY  THE  MIDPOINT  IN  THE  FLIGHT,  ALL  REDUNDANT 
HEATERS  WILL  BE  RECONFIGURED  TO  THE  ALTERNATE  CIRCUITS  TO  VERIFY 
SYSTEM  HEALTH  AND  MAXIMIZE  TOTAL  SYSTEM  OPERATING  LIFETIME. 

The  heaters  will  be  switched  to  verify  that  the  redundant  heater  works.  This  is  necessary  because  KSC 
has  difficulty  verifying  the  operation  of  most  heaters ,  since  ambient  temperatures  at  the  Cape  will 
prevent  automatic  heater  operation.  The  heaters  are  designed  such  that  both  heater  circuits  are  encased 
in  a  common  insulator.  For  this  reason,  if  the  “a”  circuit  is  used  exclusively  and  fails,  then  both 
circuits,  including  the  circuit  that  has  never  been  used,  would  have  to  be  replaced.  By  alternating  their 
use,  total  system  lifetime  is  maximized. 

DOCUMENTATION:  N/A;  system  schematic  analysis. 
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A18-304  TCS  HEATER  OPERATIONS  FOR  LOSS  OF  INSTRUMENTATION 

IF  INSTRUMENTATION  IS  LOST  ON  REDUNDANT  HEATER  SYSTEMS  OF  THE 
FOLLOWING  COMPONENTS,  BOTH  SYSTEMS  WILL  BE  OPERATED 
SIMULTANEOUSLY  FOR  THE  REMAINDER  OF  THE  FLIGHT: 

A.  HIGH-LOAD  FES  DUCT/NOZZLE  (WHILE  OPERATING) 

B.  TOPPING  FES  DUCT  (FORWARD  OR  AFT) 

C.  SUPPLY  AND  WASTE  WATER  DUMP  LINES 

D.  EXTERNAL  AIRLOCK  STRUCTURAL  AND  WATER  LINES  @[061297-4904] 

This  is  done  to  protect  against  an  undetected  heater  failure  which  could  cause  freezing  of  water  vapor  in 
the  duct  upon  FES  activation  and  loss  of  FES,  freezing  of  water  in  the  dump  lines  resulting  in  the  loss  of 
mandatory  dump  capability,  or  freezing  of  water  in  the  external  airlock  water  lines. 

The  water  line  heaters  protect  against  freezing  of  water  in  the  externally  routed  airlock  water  lines 
resulting  in  a  loss  of  EMU  servicing  and  ISS  water  transfer.  They  are  triply  redundant;  therefore,  only 
two  of  the  three  strings  are  required  in  this  scenario.  Each  of  the  two  zones  for  the  water  lines  have  two 
transducers  for  monitoring  heater  performance. 

The  external  airlock  structural  heaters  protect  against  the  freezing  of  the  internally  routed  airlock  water 
lines  during  periods  when  the  airlock  is  at  vacuum  resulting  in  a  loss  of  EMU  servicing  and  ISS  water 
transfer  and  against  condensation  build-up  in  the  external  airlock  avionics  bay  where  the  docking 
avionics  are  installed.  Each  of  the  three  structural  heater  zones  have  only  one  temperature  transducer 
for  the  monitoring  of  heater  performance. 

DOCUMENTATION:  Hamilton  Standard  SEM  62449;  Rockwell  I.L.  270-200-95-152,  Rev  1,  and  270- 
200-97 -007 ;  and  engineering  judgment.  @[061297-4904  ] 
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A18-305  LOSS  OF  HEATER  SM  CAPABILITY 

IF  SM  CAPABILITY  IS  LOST,  BOTH  SYSTEMS  OF  THE  TOPPING  FES  DUCT 
HEATER  SYSTEMS  WILL  BE  ENABLED  FOR  THE  REMAINDER  OF  THE  FLIGHT. 


If  SM  capability  is  lost,  so  is  onboard  alert  capability  for  these  temperatures.  If  a  heater  failed,  the  crew 
would  not  be  alerted,  causing  possible  loss  of  a  critical  function.  Both  heaters  are  enabled  so  that  an 
undetected  failure  of  one  will  not  present  a  problem.  Afailed-on  heater  here  cannot  produce  a  high 
enough  temperature  to  present  a  problem. 

DOCUMENTATION:  JSC-18549. 

A18-306  EXTERNAL  AIRLOCK  HEATER  LOSS  MANAGEMENT 

FOR  LOSS  OF  EITHER  THE  EXTERNAL  AIRLOCK  WATER  LINE  HEATERS  OR 
STRUCTURAL  HEATERS,  ATTITUDE  MANAGEMENT  WILL  BE  USED  TO  PRECLUDE 
FREEZING  OF  THE  EXTERNAL  AIRLOCK  INTERNAL  AND  EXTERNAL  WATER 
LINES.  @[061297-4904] 

Loss  of  the  external  airlock  water  lines  will  result  in  the  loss  of  EMU  servicing  and  ISS  water  transfer 
capabilities. 

DOCUMENTATION :  Engineering  judgment  and  Rockwell  I.L.  270-200-95-152,  Rev  1,  and  270-200-97- 
007.  @[061297-4904] 
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A18-351  EECOM  SOFTWARE  REQUIREMENT 

THE  WATER  LOOP  GPC  CYCLING  MODE,  FES/ABS  ON-OFF  COMMANDS  OR  ANY 
ECLSS  COMPUTATIONS  WILL  NOT  BE  REQUIRED  FOR  CONTINUING  ANY  FLIGHT 
PHASE  AS  LONG  AS  MANUAL  BACKUP  METHODS  ARE  INTACT. 

The  GPC  modes  for  the  FES  and  the  NH3  boiler  are  used  only  during  ascen  t  and  entry  to  reduce  the 
number  of  switch  throws  required  by  the  crew  during  critical  phases.  The  inactive  H2O  loop  is  cycled 
periodically  on  orbit  via  the  GPC  mode  for  thermal  conditioning  purposes  only.  If  the  manual  modes  for 
these  systems  are  working,  the  GPC  modes  are  not  required.  @[041196-1882  ] 

DOCUMENTATION:  SEH-ITA-83-151T. 
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A18-401  THERMAL  PROTECTION  SYSTEM  (TPS)  BONDLINE 

TEMPERATURES 

A.  ORBITER  ATTITUDE  WILL  BE  MANAGED  TO  MAINTAIN  BONDLINE 

TEMPERATURES  AT  GREATER  THAN  -170  DEG  (-137.5  DEG)  F  AND  LESS 
THAN  THE  MAXIMUM  ENTRY  INTERFACE  TEMPERATURES,  DEFINED  IN 
PARAGRAPH  B. 

The  minimum  temperature  of  -170  deg  F  corresponds  to  the  temperature  at  which  glassy  transition 
occurs  on  the  RTV  (becomes  brittle).  Maximum  allowable  entry  and  postlanding  bondline  temperatures 
are  dependen  t  on  the  type  of  structu  re  underlying  the  TPS,  and  on  structural  thermal  stress  limits,  as 
follows: 

a.  Underlying  Material  Limits: 

(1)  ALUMINUM  350  deg  F.  (400  deg  F  or  greater)  is  a  lifetime  constraint. 

(2 )  GRAPHITE  EPOXY  SKIN 

(a)  OMS  POD  250  deg  F  (presumes  water  ingestion  into  the  laminated  skin) 

(b)  PLBD  350  deg  F 

DOCUMENTATION :  SODB,  Table  3. 4. 1.3;  Shuttle  Vehicle  Systems  Temperature  Limits  and  STS 
Operational  Flight  Rules  Review  Meeting;  RI IL  SAS-TA-P/C/TCS-87-03 1 ;  and  RI IL  SETO-TCS-87-066- 
RI,  On-Orbit  Thermal  Constraints  Summary,  Revision  1. 

b.  Structural  Stress  Limits: 

Midbody  structural  stress  is  generated  by  temperature  gradients  present  in  the  vehicle.  Bondline 
temperatures  are  used  to  determine  the  magnitude  of  the  gradien  ts  and  therefore  the  amount  of 
structural  stress.  Limits  have  been  established  for  the  bonclline  temperatures,  and  exceeding  these  limit 
could  result  in  less  than  1.4  factor  of  safety  for  design  entry  loads.  @[030994- 1598A] 
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Predicted  values  for  bondline  temperatures  are  calculated  by  the  Simplified  Thermal  Evaluation 
Program  (STEP)  analyses  based  on  actual  and  predicted  vehicle  attitudes  during  the  mission.  Accuracy 
of  STEP  has  been  determined  by  comparing  calculated  temperatures  to  past  flight  data.  Resulting  delta- 
temperature  biases  needed  to  correct  each  bondline  MSID  have  been  tabulated.  To  complete  a  STEP 
analysis,  the  appropriate  biases  are  added  to  STEP  outputs  to  obtain  the  corrected  prediction  values. 
These  predictions  are  compared  to  flight-specific  limits  similar  to  those  shown  in  the  table  of  paragraph 
B  to  verify  that  bondline  temperatures  will  be  acceptable  at  El.  The  correction  biases  are,  strictly,  only 
applicable  to  attitudes,  durations,  sequences,  and  beta-angle,  which  duplicate  flight  data  used  to 
generate  the  biases  (ref.  Annex  Flight  Rule,  THERMAL  PROTECTION  SYSTEM  (TPS)  BONDLINE 
TEMPERATURES,  and  Rule  (A1 8-45 1C},  ORBITER  THERMAL  CONSTRAINTS  AND  ATTITUDE 
MANAGEMENT  [CIL].  ®[ED  ] 


DOCUMENTATION:  STEP  Accuracy  Definition  Document,  RI IL  SE-TCS-93-042,  May  14,  1993,  and 
NASA  JSC  Memo  ES2-93-096. 

Rules  {A2-110},  STRUCTURES  THERMAL  CONDITIONING;  (A2-129J,  ORBITER  ON-ORBIT  HIGH 
DATA  RATE  REQUIREMENTS;  and  (A1 8-45 IB},  ORBITER  THERMAL  CONSTRAINTS  AND 
ATTITUDE  MANAGEMENT  [CIL],  reference  this  rule. 

B.  MAXIMUM  ALLOWABLE  BONDLINE  ENTRY  INTERFACE  (El)  TEMPERATURES 
ARE  BASED  ON  STRUCTURAL  CONSTRAINTS  AND  FLIGHT-SPECIFIC 
PARAMETERS  FOR  ENTRY  AND  VEHICLE  LOADING.  THE  MAXIMUM 
GENERICALLY-ACCEPTABLE  BONDLINE  TEMPERATURE  MEASUREMENTS  ARE 
SHOWN  BELOW.  SPECIFIC  MAXIMUM  VALUES  (RELAXED  FROM  THE 
GENERIC  LIMITS)  FOR  EACH  FLIGHT  WILL  BE  PROVIDED  IN  THE 
FLIGHT-SPECIFIC  FLIGHT  RULES  ANNEX.  EACH  FLIGHT-SPECIFIC 
BONDLINE  LIMIT  WILL  REPRESENT  THE  WORST-CASE  LIMIT  FROM 
ANALYSIS  OF  ALL  POSSIBLE  DEORBIT  OPPORTUNITIES  FOR  THAT 

FLIGHT.  ®[030994-1 598A] 
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DESCRIPTION 

TEMPERATURE 

MEASUREMENT 

NOS. 

OV-1 03/1 04/1 05 
MAX  LIMIT,  DEG  F 

OV-1 02 

MAX  LIMIT,  DEG  F 

PORT 

V09T1012 

75 

52 

V09T1030 

[1] 

58 

58 

V09T1724 

29 

46 

V34T1102 

96 

71 

V34T1106 

75 

120 

V43T4722 

250  (237) 

[3] 

250  (237) 

f31 

STBD 

V09T1014 

75 

52 

V09T1028 

[1] 

58 

58 

V09T1720 

29 

46 

V34T1104 

96 

71 

V34T1108 

75 

120 

V43T5722 

250  (237) 

[3] 

250  (237) 

f31 

TOP 

V09T1004 

81 

81 

V09T1024 

81 

81 

V09T1524 

60 

61 

V09T1510 

215(198) 

[3] 

215(198) 

[3] 

V09T1514 

215(198) 

[3] 

215(198) 

[3] 

V09T1020 

250  (235) 

[3] 

250  (238) 

f31 

PLBD  [2] 

V37T1000 

[1] 

63 

69 

V37T1002 

[1] 

84 

88 

V37T1004 

[1] 

84 

88 

V37T1006 

m 

63 

69 

BOTTOM 

V09T1000 

28 

30 

V09T1002 

28 

30 

V09T1016 

99 

103 

V09T1022 

81 

91 

V09T1624 

78 

44 

V09T1702 

47 

37 

V34T1110 

32 

42 

V34T1112 

29 

38 

V09T1006 

190(177) 

[3] 

V09T1026 

190(177) 

_EL_ 

NOTES: 

[1]  GRAPHITE  EPOXY  SKIN. 

[2]  CLOSED  PLBD  TEMPERATURES  ARE  NOT  PREDICTED  BY  STEP. 

[3]  THESE  LIMITS  ARE  BASED  MATERIAL  LIMITS  AS  OPPOSED  TO  THE  OTHER  LOWER  LIMITS  BASED  ON 
STRUCTURAL  THERMAL  STRESS  LIMITS.  THIS  TPS  MATERIAL  IS  HRSI.  TEMPERATURES  HIGHER  THAN  THOSE 
LISTED  WOULD  CAUSE  VIOLATION  OF  THE  MAXIMUM  POST-ROLLOUT  STRUCTURAL  MATERIAL  TEMPERATURES 
OF  250  DEGREES  F  FOR  GRAPHITE  EPOXY  (OMS  POD)  OR  350  DEGREES  F  FOR  ALUMINUM.  THESE  PREENTRY 
LIMITS  ARE  DEFINED  FROM  THE  WORST-CASE  ENTRY  TRAJECTORY  AVAILABLE. 


DOCUMENTATION:  SODB  Tables  3.4.1. 3-2  and  3.4. 1.3-3,  and  SODB  Vol  V,  Table  4. 1.2-1;  STEP 
Accuracy  Definition  Document,  RI IL  SE-TCS-93-042,  May  14,  1993;  and  NASA,  JSC  Memo  ES2-93-096. 

®[030994-1 598A] 
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A18-451  ORBITER  THERMAL  CONSTRAINTS  AND  ATTITUDE 

MANAGEMENT  [CIL] 

A.  ORBITER  ATTITUDE  WILL  BE  MANAGED  TO  MAINTAIN  ORBITER  SYSTEMS 
WITHIN  LIMITS  LISTED  IN  THE  FOLLOWING  MATRIX:  [CIL] 


SYSTEM 

CONCERN 

LIMIT 

CORRECTIVE  ACTION 

MISSION  IMPACT  IF 
PROBLEM  NOT  FIXED 

PAYLOAD 

BAY 

DOOR 

?  EXCESSIVE  OVERLAP 

UL  =  5  INCHES 

?  TOP  SUN 

?  REF.  RULES  {A1 0-207}, 
PLBD  OVERLAP,  AND 
{A10-206},  PLBD  CLOSE 
GO/NO-GO 

?  EXCESSIVE  GAP 

UL  =  2  INCHES 

?  TAIL  SUN 

?  DOORS  DO  NOT  FULLY 
CLOSE 

?  FORCONT  [6] 

PLBDOPS,  BET 
<200°  F 

?  FOR  NOM  PLBD 

OPS,  BET 
<160°  F 

?  TOP  SUN 

OR 

?  PTC  (IF  TIME 

PERMITS) 

?  DOORS  MAY  NOT  CLOSE 
DUE  TO  OBSTRUCTION 

?  REF.  RULE  {A-206},  PLBD 
CLOSE  GO/NO-GO 

PROP 
-  FRCS 

PROP  LINES  [1] 

PROP  BULK 

BULK 

LL  =  +  40°  F 

LL  =  +  40°  F 

UL  =  +100°  F  [2] 

UL  =  +100°  F 

?  NOSE  SUN  (FWD  HTR- 
NOT  NEEDED  FOR 

ENTRY) 

?  TAIL  SUN 

?  FROZEN  OR  HOT  LINES 
COULD  CAUSE  LOSS  OF 
COMPONENT 

?  SEE  OMS/RCS  FLIGHT 
RULES  FOR  SPECIFIC 
LOSS 

?  REF.  RULE  {A6-258}, 

ARCS  BULK  PROPELLANT 

TEMPERATURE 

MANAGEMENT 

ARCS 

PROP 

BULK 

PROP  BULK 

LL  =  +  50°  F 

LL  =  +  70°  F  [3] 

UL  =  +100°  F  [2] 

?  ATTITUDE  CONSTRAINTS 
ARE  NOT  NORMALLY 
REQUIRED  IF  ARCS  PROP 
“B”  HEATERS 

ARE  OPERATIONAL 

?  IF  ONLY  “A”  HEATERS 

ARE  AVAILABLE,  THE 
FOLLOWING  ACTIONS 
APPLY 

-  IF  “A"  HTRS  OPER¬ 
ATING,  TOP  SUN, 

PITCH  DWN  30  DEG, 

ROLL  ?20  DEG 

-  IF  “A"  HTRS  NOT 
OPERATING,  NOSE 

SUN,  PITCH  UP 

10  DEG 

?  NOSE,  SUN,  PITCH  UP 

10  DEG 
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A18-451  ORBITER  THERMAL  CONSTRAINTS  AND  ATTITUDE 

MANAGEMENT  [CIL]  (CONTINUED) 

A.  ORBITER  ATTITUDE  VERSUS  SYSTEMS  LIMITS  (ALL  PHASES)  -  CONTINUED 


SYSTEM 

CONCERN 

LIMIT 

CORRECTIVE  ACTION 

MISSION  IMPACT  IF 
PROBLEM  NOT  FIXED 

OMS 

PROP 

BULK 

PROP 

BULK 

LL  =  +30°  F  [4] 

LL  =  +40°  F 

UL  =  +125°  F  [5] 

UL  =  +100°  F 

?  LINES:  TAIL  SUN 
?  TANKS 

-  IF  HTRS  OPERATING, 

TOP  SUN,  PITCH  DWN 

30  DEG,  ROLL  ?20  DEG 

-  IF  HTRS  NOT 
OPERATING,  NOSE 

SUN,  PITCH  UP  10  DEG 

?  NOSE,  SUN,  PITCH  UP 

10  DEG 

CRSFD 

LNS 

PROP 

BULK 

LL  =  +40°  F 

LL  =  N/A 

?  TOP  SUN,  PITCH  DOWN 

30  DEG 

?  FROZEN  OR  HOT  LINES 
COULD  CAUSE  LOSS  OF 
COMPONENT 

PROP 

BULK 

UL  =  +125°  F  [5] 

UL  =  N/A 

?  NOSE  SUN,  PITCH  UP  10 
DEG 

?  SEE  OMS/RCS  FLIGHT 
RULES  FOR  SPECIFIC 
LOSS 

RMS 

QUALIFICATION  LIMITS  IF 
HEATERS  ARE  FAILED 

LL  =  -  33°  F  (ABE) 

LL  =  -  42°  F  (LED) 

UL  =  +178°  F  (ABE) 

UL  =  +205°  F  (LED) 

?  TOP  SUN 

?  NOSE  SUN  OR  TAIL  SUN 

?  NO  RMS  OPERATIONS 
?  REF.  RULE  {A1 2-3}, 
TEMPERATURE 
CONSTRAINTS  [CIL] 

APU  [CIL] 

2  HTR  FAIL, 

FUEL  FREEZE 

LL  =  +35°  F 

IF  PROBLEM  ON: 

?  SERVICE  LINES 
?  FUEL  FEEDLINES 
?  TANK 

?  SEAL  CAVITY 

DRAIN  LINES 

APU  1,2: 

PORT  SIDE  SUN 

APU  3: 

STARBOARD  SIDE  SUN 

IF  PROBLEM  ON 
COMPONENT  ON 
BULKHEAD: 

APU  1, 2,  3: 

TOP  SUN  OR  TAIL  SUN 
(TOP  SUN  QUICKEST 
WARMUP) 

NOTE:  DEPENDING  ON 
PROBLEM  AND  PREVIOUS 
ATTITUDES.  ATTITUDE 
CHANGE  MAY  NOT 

PREVENT  FREEZING 

?  EARLY  MISSION 
TERMINATION  (MDF) 
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ORBITER  THERMAL  CONSTRAINTS  AND  ATTITUDE 
MANAGEMENT  [CIL]  (CONTINUED) 


A.  ORBITER  ATTITUDE  VERSUS  SYSTEMS  LIMITS  (ALL  PHASES)  -  CONCLUDED 


SYSTEM 

CONCERN 

LIMIT 

CORRECTIVE  ACTION 

MISSION  IMPACT  IF 
PROBLEM  NOT  FIXED 

BONDLINES 

GLASSY 

TRANSITION 

LL  =  -170°  F 

PTC 

IF  TIME  CRITICAL: 

?  TOP  SUN  FOR  UPPER 
SURFACE 

?  BOTTOM  SUN  FOR 

LOWER  SURFACE 

?  POSSIBLE  TILE  LOSS 

MIDBODY  THERMAL 
STRESS  DURING  ENTRY 

?  REF.  RULES 
{A2-110}, 
STRUCTURES 
THERMAL 

CONDITIONING  AND 
{A1 8-401 B},  TPS 
BONDLINE  TEMPS 

?  REF.  RULES  [A2-1 10}, 
STRUCTURES  THERMAL 
CONDITIONING  AND  {A18- 
401 B},  TPS  BONDLINE 
TEMPERATURES 

?  REF.  RULES  [A2-1 10}, 
STRUCTURES  THERMAL 
CONDITIONING  AND  {A18- 
401 B},  TPS  BONDLINE 
TEMPERATURES 

FES 

2  HTR  STRINGS  FAIL, 
FEEDLINES  FREEZE 

LL  =  +32°  F 

?  FES  OPS  AND/OR 
ATTITUDE  MGMT  WILL  BE 
USED  TO  AVOID 

FREEZING 

?  EARLY  MISSION 
TERMINATION 

HYDRAULICS 

?  AFT  COMPARTMENT: 
MAIN  PUMP, 
RESERVOIR,  SUPPLY/ 
RETURN  LINES 

LL  =  -40°  F 

?  TAIL  SUN 

?  MAIN  HYD  PUMP  LOSS 

?  BODY  FLAP,  PDU, 
RETURN  LINES 

LL  =  -40°  F 

?  TAIL  SUN 

?  LOSS  OF  BODY  FLAP 
CONTROL 

?  ELEVON  RETURN 

LINES 

LL  =  -40°  F 

?  TOP  SUN 

?  LOSS  OF  ELEVON 
CONTROL 

?  MAIN  LANDING  GEAR 

LL  =  -35°  F 

?  BOTTOM  SUN 

?  LANDING  GEAR  WILL 

NOT  DEPLOY  IN  10 
SECONDS 

?  NOSE  LANDING  GEAR 

LL  =  -20°  F 

?  BOTTOM  SUN 

?  LANDING  GEAR  WILL 

NOT  DEPLOY  IN  10 
SECONDS 

?  NOSE  LANDING  GEAR 
STEERING 

LL  =  -10°  F 

?  BOTTOM  SUN 

?  IMPACTS  NWS 

?  MIDBODY  LINES 

LL 

o 

O 

LO 

II 

_l 

_l 

?  BOTTOM  SUN 

?  LOSS  OF  HYD  CONTROL 
OF  LG  DEPLOY  AND  NWS 

?  RSB,  TVC,  ISOL  VLVS, 
COMPONENTS/LINES 

LL  =  -40°  F 

?  TAIL  SUN 

?  LOSS  OF  RSB  AND  ISOL 
VLV  CONTROL 

@[030994-1 598A] 
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A18-451  ORBITER  THERMAL  CONSTRAINTS  AND  ATTITUDE 

MANAGEMENT  [CIL]  (CONTINUED) 

NOTES: 

[1]  STAGNANT  LINES  FOR  BOTH  THE  OMS  AND  RCS: 

OXI D  LL  =  +20°  F 

UL  =  +150°  F 

FULL  =  -30°  F 

UL  =  +150°  F 

[2]  +100°  F  UPPER  LIMIT  FOR  BULK  PROPELLANT,  BASED  ON  EXPULSION  EFFICIENCY.  TEMPERATURE  SENSOR  IS 
LOCATED  ON  TANK  SKIN  WHICH  HAS  UPPER  LIMIT  OF  +150°  F  FOR  LOCALIZED  REGIONS. 

[3]  +70°  F  FOR  ENTRY  FOR  ZOT  PREVENTION.  ON-ORBIT  (TANK  CERTIFICATION)  LIMIT  =  +50°  F.  REFERENCE  RULES 
{A6-256},  OMS/RCS  HEATER  PERFORMANCE  MONITORING;  AND  {A6-258},  ARCS  BULK  PROPELLANT 
TEMPERATURE  MANAGEMENT. 

[4]  +30°  F  COLD  SLUG  START  TRANSIENT. 

[5]  +125°  F  HOT  SLUG  START  TRANSIENT. 

[6]  BENDING  EFFECT  TEMPERATURE  (BET)  =  (LOWER  BONDLINE  AVG.  T  -  SILL  LONGERON  AVG.  T)  +  (70°  F  -  SILL 
LONGERON  AVG.  T) 
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A18-451  ORBITER  THERMAL  CONSTRAINTS  AND  ATTITUDE 

MANAGEMENT  [CIL]  (CONTINUED) 

B.  ORBITER  SYSTEMS  CONSTRAINTS  VERSUS  BETA  ANGLE  AND  ORBITER 
ATTITUDE  ARE  LISTED  IN  THE  FOLLOWING  MATRIX.  THE  MATRIX 
SERVES  AS  A  GUIDELINE  FOR  ASSESSMENT  OF  THERMAL  ATTITUDE 
RESTRICTIONS  WHEN  A  MORE  DETAILED  (E.G.,  STEP)  ANALYSIS  HAS 
NOT  BEEN  COMPLETED.  THE  TABLE  DOES  NOT  INCLUDE  POTENTIAL 
CONSTRAINTS  FOR  BET,  TIRES,  DRAG  CHUTE,  EDO  PALLET,  OR 
BONDLINES.  ONLY  THE  MOST  CONSTRAINING  FACTOR  IS  LISTED  FOR 
A  GIVEN  ATTITUDE.  REFERENCE  SODB,  VOLUME  V  IF  ADDITIONAL 
INFORMATION  IS  NEEDED.  @[030994-1 598A] 

0°TO  <20°? 


ORBITER  ATTITUDE  m 

LIMIT  [21 

CONCERN  [31 

RECOVERY  [41 

LVLH 

(EARTH  INERTIAL) 

NONE 

NONE 

NONE 

SOLAR 

INERTIAL 

(THREE 

AXES 

INERTIAL) 

(-X  SI) 

TAIL  TO  SUN 

(ANYOMICRON) 
ALL  ROLL 

ANGLES 

71  HR 

NLG  HYDRAULIC  LINES 

IN  MID  FUSELAGE 

LL  =  -50  F 

[5]  (V58T0127.1 134A) 

5  HR  OF  PTC  OR  TOP 
SUN  [7] 

72  HR 

MLG  HYDRAULIC  COMP 

LL  =  -355  F  [5]  [10] 

7  HR  OF  PTC  [7] 

(±Y  SI) 

SIDE  TO  SUN 

(ANYOMICRON) 
ALL  PITCH 

ANGLES 

110  HR 

ARCS  PROPELLANT  [11] 

LL  =  +50°  F 

LL  =  +70°  F  [12] 

(REF.  RULES  {A6-256}, 
OMS/RCS  HTR  PRFM 

MON; 

AND  {A6-258},  ARCS 

BULK  PROP  TEMPMGT) 

PREFERENCE: 

20  HR  NOSE  SI 

PITCHED  UP  10 
DEGREES  [8] 

(-Z  SI) 

TOP  TO  SUN 

(ANYOMICRON) 
ALL  YAW 

ANGLES 

160  HR 

ARCS  PROPELLANT  [11] 

LL  =  +50°  F 

LL  =  +70°  F  [12] 

(REF.  RULES  {A6-256}, 
OMS/RCS  HTR  PRFM 

MON;  AND  {A6-258}, 

ARCS  BULK  PROP  TEMP 
MGT) 

PREFERENCE: 

20  HR  NOSE  SI 

PITCHED  UP 

10  DEGREES  [8] 
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A18-451  ORBITER  THERMAL  CONSTRAINTS  AND  ATTITUDE 

MANAGEMENT  [CIL]  (CONTINUED) 

B.  ORBITER  SYSTEMS  CONSTRAINTS  VERSUS  BETA  ANGLE  -  CONTINUED 

20° TO  <60°? 


ORBITER  ATTITUDE  m 

LIMIT  [21 

CONCERN  [31 

RECOVERY  ]4] 

LVLH 

(-ZLV) 

TOP  TO  EARTH 

(+Y  VV)  STBD  ON 

V  (+BETA) 

13  HR 

OME  PROPELLANT  LINE 
UL  =  +125°  F 

(REF.  RULE  {A6-256}, 
OMS/RCS  HTR  PRFM 

MON) 

30  HR  PTC  OR 

NOSE  SUN 

(-Y  VV) 

PORT  ON  V 
(-BETA) 

(+X,  VV) 

NOSE  OR  TAIL 

ON  V  FOR  BETA 
>30  DEG 

100  HR 

ARCS  PROPELLANT  [11] 
LL  =  +50°  F 

LL  =  +70°  F  [12] 

(REF.  RULES  {A6-256}, 
OMS/RCS  HTR  PFRM 

MON; 

AND  (A6-258],  ARCS 

BULK  PROP  TEMPMGT) 

PREFERENCE: 

20  HR  NOSE  SI 

PITCHED  UP 

10  DEGREES  [8] 

(+ZLV) 

BOTTOM  TO 
EARTH 

(-Y  VV) 

PORT  ON  V 
(+BETA) 

13  HR 

OME  PROPELLANT  LINE 
UL  =  +125°  F 

(REF.  RULE  {A6-256}, 
OMS/RCS  HTR  PFRM 

MON) 

30  HR  PTC  OR 

NOSE  SUN 

(+YVV) 

STBD  ON  V 
(-BETA) 

(-XLV) 

TAIL  TO 

EARTH 

(+Y  VV)  STBD 

ON  V 
(-BETA) 

100  HR 

ARCS  PROPELLANT  [11] 
LL  =  +50°  F 

LL  =  +70°  F  [12] 

(REF.  RULES  {A6-256}, 
OMS/RCS  HTR  PFRM 

MON;  AND  {A6-258}, 

ARCS  BULK  PROP  TEMP 
MGT) 

PREFERENCE: 

20  HR  NOSE  SI 

PITCHED  UP 

10  DEGREES  [8] 

(-Y  VV) 

PORT  ON  V 
(+BETA) 

(+Z  VV) 

BOTTOM  OR  TOP 
ON  V  FOR  BETA 
>  30  DEG 

(+XLV) 

NOSE  TO 

EARTH 

(+Y  VV)  STBD 

ON  V  (+BETA) 

100  HR 

ARCS  PROPELLANT  [11] 
LL  =  +50°  F 

LL  =  +70°  F  [12] 

(REF.  RULES  {A6-256}, 
OMS/RCS  HTR  PFRM 

MON;  AND  {A6-258}, 

ARCS  BULK  PROP  TEMP 
MGT) 

PREFERENCE: 

20  HR  NOSE  SI 

PITCHED  UP 

10  DEGREES  [8] 

(-Y  VV) 

PORT  ON  V 
(-BETA) 

®[030994-1598A] 
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A18-451  ORBITER  THERMAL  CONSTRAINTS  AND  ATTITUDE 

MANAGEMENT  [CIL]  (CONTINUED) 

B.  ORBITER  SYSTEMS  CONSTRAINTS  VERSUS  BETA  ANGLE  -  CONTINUED 

20° TO  <60°? 


ORBITER  ATTITUDE  [1] 

LIMIT  [21 

CONCERN  [31 

RECOVERY  [41 

SOLAR 

INERTIAL 

(THREE 

AXES 

INERTIAL) 

(-X  SI) 

TAIL  TO  SUN 

(ANYOMICRON) 

ALL  ROLL 

ANGLES 

6  HR 

OMS  OXIDIZER  HI  PT 
BLEED  LINE  QD 

LL  =  +20  °F 

(ANALYSIS) 

6  HR  OF  PTC 

13  HR 

OME  PROPELLANT  LINE 
UL  =  +125°F 

(REF  RULE  {A6-256}, 
OMS/RCS  HTR  PFRM 

MON) 

30  HR  OF  PTC 

OR  NOSE  SUN 

(±Y  SI) 

SIDE  TO 

SUN 

(ANYOMICRON) 
ALL  PITCH 

ANGLES 

90  HR 

ARCS  PROPELLANT  [11] 

LL  =  +50°  F 

LL  =  +70° 

[12] 

(REF.  RULES  {A6-256}, 
OMS/RCS  HTR  PFRM 

MON;  AND  {A6-258}, 

ARCS  BULK  PROP  TEMP 
MGT) 

PREFERENCE: 

20  HR  NOSE  SI 

PITCHED  UP 

10  DEGREES  [8] 

(-Z  SI)  TOP 

TO  SUN 

(ANYOMICRON) 
ALL  YAW  ANGLES 

160  HR 

ARCS  PROPELLANT  [11] 

LL  =  +50°  F 

LL  =  +70°  F  [12] 

(REF.  RULES  {A6-256}, 
OMS/RCS  HTR  PFRM 

MON;  AND  {A6-258}, 

ARCS  BULK  PROP  TEMP 
MGT) 

PREFERENCE: 

20  HR  NOSE  SI 

PITCHED  UP 

10  DEGREES  [8] 

@[030994-1 598A] 
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B.  ORBITER  SYSTEMS  CONSTRAINTS  VERSUS  BETA  ANGLE  -  CONTINUED 


60° TO  <90°? 


ORBITER  ATTITUDE  [1] 

LIMIT  [21 

CONCERN  [31 

RECOVERY 

[4] 

(-ZLV) 

TOP  TO 

EARTH 

(+Y  VV) 

STBD  ON  V 
(+BETA) 

6  HR 

OME  PROPELLANT  LINE 
UL  =  +125°  F 

14  HR  NOSE  SUN 

(-Y  VV) 

PORT  ON  V 
(-BETA) 

(REF.  RULE  {A6-256}, 
OMS/RCS  HTR  PFRM 

MON) 

(+Y  VV) 

STBD  ON  V 
(-BETA) 

38  HR 

NLG  HYDRAULIC 

LINES  IN  MID 

FUSELAGE 

6  HR  OF  PTC  OR 
TOP  SUN 

[7] 

(-Y  VV) 

PORT  ON  V 
(+BETA) 

LL  =  -50  F  [5] 

(V58T0127.1 134A) 

(+X  VV) 

NOSE  OR 

TAIL  ON  V 

90  HR 

ARCS  PROPELLANT  [11] 
LL  =  +50°  F 

LL  =  +70°  F  [12] 

PREFERENCE: 

20  HR  NOSE  SI 
PITCHED  UP 

10  DEGREES 

[8] 

(REF.  RULES  {A6-256}, 
OMS/RCS  HTR  PFRM 

MON;  AND  {A6-258},  ARCS 
BULK  PROP  TEMPMGT) 

LVLH 

(+ZLV) 

BOTTOM  TO 
EARTH 

(+X  VV) 

NOSE  OR 

TAIL  ON  V 

98  HR 

MLG  HYDRAULIC 

LL  =  -35?  F  [5]  [10] 

6  HR  PTC 

[7] 

(+Y  VV) 

STBD  ON  V 
(-BETA) 

6  HR 

OME  PROPELLANT 

LINE 

UL  =  +125°  F 

NOSE  SUNTBD 

(-Y  VV) 

PORT  ON  V 
(+BETA) 

(REF.  RULE  {A6-256}, 
OMS/RCS  HTR  PFRM 

MON) 

6  HR 

OMS  OXIDIZER  HI  PT 
BLEED  LINE  QD 

LL  =  +20°  F 

6  HR  OF  PTC 

(-XLV) 

TAIL  TO 

EARTH 

(±Z  VV) 

BOTTOM  OR 

TOP  ON  V 

90  HR 

ARCS  PROPELLANT  [11] 
LL  =  +50  °  F 

LL  =  +70°  F  [12] 

PREFERENCE: 

20  HR  NOSE  SI 
PITCHED  UP 

10  DEGREES 

[8] 

(-Y  VV) 

PORT  ON  V 
(+BETA) 

(REF.  RULES  {A6-256}, 
OMS/RCS  HTR  PFRM 

MON;  AND  {A6-258}, 

ARCS  BULK  PROP  TEMP 
MGT) 

(+Y  VV) 

STBD  ON  V 
(-BETA) 

@[030994- 1598A] 
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B.  ORBITER  SYSTEMS  CONSTRAINTS  VERSUS  BETA  ANGLE  -  CONTINUED 


60°  TO  <90° 


ORBITER  ATTITUDE  m 

LIMIT  [21 

CONCERN  [31 

RECOVERY  [41 

(+XLV) 

NOSE  TO 

EARTH 

(±Z  VV) 

BOTTOM  OR 

TOP  ON  V 

90  HR 

ARCS  PROPELLANT  [11] 
LL  =  +50  °  F 

LL  =  +70°  F  [12] 

(REF.  RULES  {A6-256}, 
OMS/RCS  HTR  PFRM 

MON;  AND  {A6-258}, 

ARCS  BULK  PROP  TEMP 
MGT) 

PREFERENCE: 

20  HR  NOSE  SI 

PITCHED  UP 

10  DEGREES  [8] 

(-Y  VV) 

PORT  ON  V 
(-BETA) 

(+Y  VV) 

STBD  ON  VA 
(+BETA) 

(-YLV) 

PORT  SIDE 

TO  EARTH 

(-Z  VV) 

TOP  ON  V 
(-BETA) 

38  HR 

NLG  HYDRAULIC 

LINES  IN  MID 

FUSELAGE 

6  HR  OF  PTC 

OR  TOP  SUN  [7] 

(+Z  VV) 

BOTTOM  ON  V 
(+BETA) 

LL  =  -50°  F 

(V58T0127.1 134A)  [5] 

LVLH 

(CONCLUDED) 

(-Z  VV) 

TOP  ON  V 
(+BETA) 

6  HR 

OMS  OXIDIZER  HI 

PT  BLEED  LINE  QD 

LL  =  +20  °  F 

6  HR  OF  PTC 

(BETA  >80  DEG, 

ANALYSIS) 

(+Z  VV) 

BOTTOM  ON 

V  (-BETA) 

MS  PROPELLANT  LINE 

UL  =  +  125?  F 

14  HR  OF  NOSE  SUN 
(REF  RULE  {A6-256}, 
OMS/RCS  HTR  PFRM 
MON) 

(+YLV) 

STBD  SIDE 

TO  EARTH 

(-Z  VV) 

TOP  ON  V 
(-BETA) 

6  HR 

OME  PROPELLANT  LINE 
UL  =  +  125?  F 
(REF.  RULE  {A6-256}, 
OMS/RCS  HTR  PFRM 

MON) 

14  HR  NOSE  SUN 

(+Z  VV) 

BOTTOM  ON  V 
(+BETA) 

(-Z  VV) 

TOP  ON  V 
(+BETA) 

38  HR 

NLG  HYDRAULIC 

LINES  IN  MID 

FUSELAGE 

6  HR  OF  PTC 

OR  TOP  SUN  [7] 

(+Z  VV) 

BOTTOM  ON  V 
(-BETA) 

LL  =  -50°  F  [5] 

(V58T0127.1 134A) 

@[030994-1 598A] 
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A18-451  ORBITER  THERMAL  CONSTRAINTS  AND  ATTITUDE 

MANAGEMENT  [CIL]  (CONTINUED) 

B.  ORBITER  SYSTEMS  CONSTRAINTS  VERSUS  BETA  ANGLE  -  CONTINUED 

60° TO  <90°? 


ORBITER  ATTITUDE  [i[ 

LIMIT  [21 

CONCERN  [31 

RECOVERY  [41 

SOLAR 
INERTIAL 
(THREE  AXIS 
INERTIAL) 

(-X  SI) 

TAIL  TO  SUN 

(ANYOMICRON) 
ALL  ROLL 

ANGLES 

6  HR 

OME  PROPELLANT  LINE 
UL  =  +125°  F 

(REF.  RULE  {A6-256}, 
OMS/RCS  HTR  PFRM 

MON) 

14  HR  NOSE  SUN 

6  HR 

HSBH 

6  HR  OF  PTC 

(+X  SI) 

NOSE  TO  SUN 

(ANYOMICRON) 
ALL  ROLL 

ANGLES 

110  HR 

NLG  HYDRAULIC 

LINES  IN  MID 

FUSELAGE 

LL  =  -50°  F  [5] 

(V58T0127.1 134A) 

3  HR  OF  PTC 

OR  TOP  SUN  [7] 

(±Y  SI) 

SIDE  TO  SUN 

(ANYOMICRON) 
ALL  PITCH 

ANGLES 

90  HR 

ARCS  PROPELLANT  [11] 
LL  =  +50  °  F 

LL  =  +70°  F  [12] 

(REF.  RULES  {A6-256}, 
OMS/RCS  HTR  PFRM 

MON;  AND  {A6-258}, 

ARCS  BULK  PROP  TEMP 
MGT) 

PREFERENCE: 

20  HR  NOSE  SI 

PITCHED  UP  TO 

10  DEGREES  [8] 

(-Z  SI) 

TOP  TO  SUN 

(ANY 

OMICRON) 

ALL  YAW  ANGLES 

160  HR 

ARCS  PROPELLANT  [11] 
LL  =  +50°  F 

LL  =  +70°  F  [12] 

(REF.  RULES  {A6-256}, 
OMS/RCS  HTR  PFRM 

MON;  AND  {A6-258}, 

ARCS  BULK  PROP  TEMP 
MGT) 

PREFERENCE: 

20  HR  NOSE  SI 

PITCHED  UP 

10  DEGREES  [8] 

(+ZSI) 

BOTTOM  TO  SUN 

@[030994-1 598A] 
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MANAGEMENT  [CIL]  (CONTINUED) 

NOTES: 

[1]  DEVIATIONS  FROM  THE  SPECIFIED  ATTITUDES  MAY  NEED  TO  BE  FURTHER  ANALYZED. 

[2]  THE  ATTITUDE  HOLD  CONSTRAINED  DURATION  IS  FROM  PTC  EQUILIBRIUM  TEMPERATURES  TO  THE  LIMIT 
TEMPERATURE. 

[3]  ALL  CONCERNS  ARE  SAFETY  ISSUES  UNLESS  OTHERWISE  NOTED. 

[4]  UNLESS  OTHERWISE  NOTED,  FLYING  THE  RECOVERY  ATTITUDE  ALLOWS  REPETITION  OF  THE  CONSTRAINED 
ATTITUDE  FOR  THE  CONSTRAINED  DURATION.  ALL  RECOVERY  IS  TO  PTC  EQUILIBRIUM  TEMPERATURE  UNLESS 
OTHERWISE  NOTED. 

[5]  SYSTEMS  PERFORMANCE  IS  AFFECTED. 

[6]  RESERVED  ®[030994-1 598A] 

[7]  RECOVERY  IS  TO  THE  MINIMUM  OPERATIONAL  LIMIT  TEMPERATURE  FROM  THE  MINIMUM  NON-OPERATIONAL 
LIMIT  TEMPERATURE  OR  ATTITUDE  THERMAL  EQUILIBRIUM  TEMPERATURE  (WHICHEVER  IS  WARMER). 

[8]  THIS  ATTITUDE  RESULTS  IN  ONLY  A  MINIMAL  RATE  OF  INCREASE  (<  2°  F/DAY)  OF  ARCS  BULK  PROPELLANT 
TEMPERATURE.  THE  CONSTRAINED  DURATION  CANNOT  BE  REPEATED. 

[9]  RESERVED  ®[030994-1598A] 

[1 0]  TCS  DESIGN  DATA  BOOK  SECTION  L  REFERENCE. 

[11]  ATTITUDE  CONSTRAINTS  ARE  NOT  NORMALLY  REQUIRED  IF  ARCS  PROP  “B”  HEATERS  ARE  OPERATIONAL.  THE 
ARCS  CONCERN  IS  VALID  IF  ONLY  THE  “A”  HEATERS  ARE  AVAILABLE. 

[12]  ARCS  PROP  +  70° F  FOR  ENTRY  FOR  ZOT  PREVENTION.  ON-ORBIT  (TANK  CERTIFICATION)  LIMIT  =  +  50°  F. 

There  are  six  areas  of  concern  where  orbiter  structure  and/or  systems  thermal  constrain  ts  can  be 
exceeded  if  an  unfavorable  orbiter  vehicle  attitude  is  maintained  for  an  excessive  period  of  time.  The 
maximum/minimum  temperature,  the  time  in  the  constraining  attitude,  and  the  cittitude/time  used  to 
recover  from  a  violation  of  the  constraints  are  all  dependent  on  the  structure  or  orbiter  system  involved, 
the  vehicle  (OV102,  103,  104)  used,  Sun  beta  angle,  and  the  three  basic  attitude  control  modes  used;  i. e. , 
LVLH,  ORB  RATE  ( single  axis),  and  inertial  ( three  axis)  hold.  The  six  areas  of  concern,  their  limits 
(temperature  or  time),  and  the  impact  (lifetime  (L),  system  performance  (P),  and  safety  of  flight  (S) )  of 
violating  the  limits  are  identified  below:  ®[030994-l  598A] 
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Concern 

Attitude/limit 

Impact 

OMS  oxidizer  hi-point 
bleed  line,  QD  minimum 
temperature 

6  hours,  tail  Sun  port  side  or 
bottom  to  Ecirth/+20°  F 

Oxidizer  line  freeze/rupture,  QD 
leakage  (S) 

NLG  hydraulic  line  in 
mid  fuselage  min  imum 
temperature 

30-44/53-92  hours,  teal  or  nose 

Sun,  bottom  to  space/-50°/-65°  F 
( OP/non-OP ) 

NLG  deploy  time  >  10  seconds  (P) 

MLG  hydraulic 
component  minimum 
temperature 

61-72/98-160  hours,  tail  or  nose 

Sun,  bottom  to  space/-35°/-60°  F 
( OP/non-OP) 

MLG  deploy  time  >10  seconds  (P) 

ARCS  bulk  propellant, 
minimum  temperature 

90-160  hours,  top  or  side  Sun/  70° 

F  (if  ARCS  “B”  heaters  are 
inoperative) 

Thruster  (ZOT)  problem  (L).  Two  yaw 
jets  per  side  (S) 

Bondline  maximum 
temperature 

(1)  Material  Strength  Limit: 

1-5  hours  bottom  Sun/Ref 

Rule  {A18-401B},  THERMAL 
PROTECTION  SYSTEM 
(TPS)  BONDLINE 
TEMPERATURE 

(1)  Bondline  temperature  may  exceed 
maximum  structural  limit  during 
entry  and/or  after  landing. 
Aluminum  350°  F  (>  400°  F)  (L) 
graphite  epoxy  skin  (S): 

-  OMS  POD  250°  F 

-  PLBD  350°  F 

(2)  Midbody  Structural  Thermal 
Stress:  Limit  is  a  function  of 
Beta-angle  and  attitude  prior  to 
entry.  (Ref.  Rules  {A2-110}, 
STRUCTURES  THERMAL 
CONDITIONING,  and  (A18- 
401  Bj,  TPS  BONDLINE 
TEMPERATURES) 

(2)  Excessive  temperature  gradients 
can  result  in  stresses  that  exceed 
certification  limits. 

OME  propellant  line 
maximum  temperature 

6-13  hours,  tail  Sun/125°  F 

Violates  engine  certification  limits 
(S),  possible  engine  cooling  problem 

@[030994-1 598A] 
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A18-451  ORBITER  THERMAL  CONSTRAINTS  AND  ATTITUDE 

MANAGEMENT  [CIL]  (CONTINUED) 

B.  ORBITER  SYSTEMS  CONSTRAINTS  VERSUS  BETA  ANGLE  -  CONCLUDED 
Matrix  Limitations: 

This  table  is  intended  as  a  first  iteration  for  attitude  planning.  The  orbiter  attitudes  listed  represent 
“pure”  orientations.  Flight-specific  STEP  analysis  will  confirm  the  acceptability  of  the  integrated 
attitude  timeline.  The  table  limits,  which  represent  the  constrained  attitude  durations  in  hours,  were 
derived  from  analyses  initialized  to  PTC  equilibrium  temperatures.  These  durations  define  the  time  it 
takes  to  go  from  PTC  equilibrium  temperature  to  the  system  limit.  The  concern  column  lists  the  vehicle 
structured/ system  limit  that  constrains  the  attitude  duration.  In  most  cases,  flying  the  recovery  attitude 
provides  the  capability  to  repeat  the  constrained  attitude  for  the  constrained  duration.  Exceptions  to  this 
recovery  attitude  definition  exist  for  hydraulic  systems,  the  TPS  bondline,  and  the  ARCS  propellan  t 
temperature  limits.  For  hydraulics,  the  recovery  attitude  allows  the  system  temperature  to  recover  to  its 
temperature  limit  (presumes  that  the  limit  can  be  exceeded ).  For  the  TPS  bondlines,  preentry  thermal 
conditioning  (in  addition  to  the  normal  end  of  mission  timeline)  may  be  required.  In  the  case  of  the 
ARCS  propellant  minimum  temperatures,  the  recovery  attitude  will  “maintain  ”  the  bulk  propellant 
temperature  above  its  limit.  In  all  three  cases,  the  recovery  to  the  limiting  temperatures  must  be 
accomplished  prior  to  entry.  ®[030994-l  598A] 

DOCUMENTATION :  Space  Shuttle  Thermodynamics  Design  Data  Book,  TCS,  SD73-SH0226,  Volume 
IE,  Book  V,  9/85;  Shuttle  Vehicle  Systems  Temperature  Limits  and  STS  Operational  Flight  Rules  Review, 
RI-IL  SAS-TA-P/C/TCS-87-031;  On-Orbit  Thermal  Constraints  Summary,  Revision  1,  RI-IL  SETO-TCS- 
87-066-R1;  and  Shuttle  Operational  Data  Book,  JSC-08934,  Volume  V,  Table  3.1-1,  April  1993. 

®[030994-1 598A] 

Rules  { A10-22J ,  APU  START/RESTART  LIMITS,  and  {A10-30},  LOSS  OF  APU 
HEATERS/INSTRUMENTATION  [CIL],  reference  this  rule. 
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C.  ORBITER  SYSTEMS  CONSTRAINTS  THAT  ARE  APPLIED  BY  THE  USE  OF 
THE  SIMPLIFIED  THERMAL  EVALUATION  PROGRAM  (STEP)  ARE  LISTED 
IN  THE  FOLLOWING  TABLES.  THESE  CONSTRAINTS  INCORPORATE  STEP 
ACCURACY  EVALUATION  DATA  AND  REPRESENT  THE  WAY  IN  WHICH 
VEHICLE  CONSTRAINTS  ARE  ANALYZED  BY  APPLICATION  OF  A  BIAS  AS 
GIVEN  IN  TABLE  {A18-451-I}  OR  AS  REFERENCED.  THE  LISTED 
BIASES  ARE  CONSERVATIVE  ONLY  FOR  ATTITUDES  AND  TPS 
CONFIGURATIONS  THAT  HAVE  BEEN  PREVIOUSLY  FLOWN.  IT  IS 
UNDERSTOOD  THAT  IF  ACTUAL  ATTITUDES,  DURATIONS,  SEQUENCES, 

AND  BETA-ANGLES  ARE  BEING  FLOWN  FOR  THE  FIRST  TIME,  A  LARGER 
ERROR  CAN  RESULT  WHICH  SHOULD  CAUSE  LIMIT  VIOLATIONS  AND 
REQUIRE  REAL-TIME  CORRECTIVE  ACTION. 

FOR  THE  OMS  OXIDIZER  HIGH-POINT  BLEED  QUICK  DISCONNECT  (QD) , 
IF  THE  ENVIRONMENT  CONSTRAINT  CANNOT  BE  MET  DIRECTLY,  THE 
HEATER  DUTY  CYCLE  WILL  BE  VERIFIED  TO  BE  ACCEPTABLE  USING 
FIGURE  { A18-451-II  }  . 

DETERMINATION  OF  WHETHER  AN  RCS  THRUSTER  CONSTRAINT  MAY  EXIST 
WILL  BE  DONE  USING  FIGURE  { A1 8-45 1-1 I I }  AND  { A18-451-IV} .  IF 
A  LIMIT  VIOLATION  IS  POSSIBLE,  PREFLIGHT  COORDINATION  WITH 
ENGINEERING  DIRECTORATE  WILL  DETERMINE  ACCEPTABLE  ATTITUDES. 

THE  DRAG  CHUTE  WILL  BE  ANALYZED  BY  ASSUMING  THAT  IT  IS  THE 
SAME  TEMP  AS  THE  ENVIRONMENT  OF  HYDRAULIC  SYSTEM  2  RSB  RETURN 
TEMP  (V58T0298)  AND  RSB  SEAL  DRAIN  LINE  TEMP  AT  LOWER  AFT  OF 
VERTICAL  STABILIZER  (V58T1600) . 

EDO  CRYO  PALLET  CONSTRAINT  ASSESSMENT  WILL  BE  COORDINATED 
WITH  ENGINEERING  DIRECTORATE  PREFLIGHT.  @[030994-1 598A] 
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MANAGEMENT  [CIL]  (CONTINUED) 

TABLE  A18-451-I  -  DELTA  TEMPERATURE  BIAS  TO  BE  APPLIED  TO  STEP 
PREDICTIONS  TO  CHECK  THERMAL  CONSTRAINT  LIMITS 


GENERAL  CONSTRAINTS 

LIMIT  -°F 

L  LOWER 

DELTA  TEMP  [A]  TO  BE  ADDED  TO  STEP 

U  UPPER 

OV-1 03/1 04/1 05 

OV-1 02 

MLG  TIRE  (BRAKE  LINE) 

L  VARIABLE 

CURVE  1 

CURVE  2 

V58T1 700/1 750 

BET  (PLBD  CLOSURE) 

U  160/200 

+36°  F 

+36°  F 

OMS  ENGINE  OX/FUEL  LINE 

U  125/150 

LL 

o 

O 

LL 

o 

o 

V43T421 6/4642/521 6/5642 

NLG  HYD  LINE  IN  MID 

V58T0127  (X=853) 

L  -50/-65 

-13°  F 

-17°  F 

V58T1143  (X=1 020) 

L  -50/-65 

-15°  F 

-15°  F 

ZOT:  V42T 2200/2300/3200/3300 

L  70 

-7°  F 

-7°  F 

OMS  OX  HI  POINT  BLEED 

LINE  QD 

ENV  V34T1108 

L  20 

-23°  F  [B] 

-23°  F  [B] 

T/S  V43T6235 

DATA  UNAVAILABLE 

RCS THRUSTERS 

U  150/175 

DATA  UNAVAILABLE 

DRAG  CHUTE 

L  -60 

DATA  UNAVAILABLE 

EDO  CRYO  PALLET  TANKS 

U  110 

DATA  UNAVAILABLE 

[A]  CURVE  NUMBERS  REFER  TO  FIGURE  {A18-45I}. 

[B]  THESE  DELTA  TEMPERATURES  ARE  FOR  OMS  OX  HPBL  QD  ENVIRONMENT  ONLY,  NOT  FOR  El  LIMIT. 
@[030994-1 598A] 
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TABLE  A18-451-I  -  DELTA  TEMPERATURE  BIAS  TO  BE  APPLIED  TO  STEP 
PREDICTIONS  TO  CHECK  THERMAL  CONSTRAINT  LIMITS  (CONTINUED) 


BONDLINE  El  TEMPERATURES 

SENSOR 

OV-1 03/1 04/1 05 

OV-1  02 

LIMIT 

-°F 

MIN 

MAX 

DELTA  TEMP  (°F)  [A] 

LIMIT 

-°F 

MIN 

MAX 

DELTA  TEMP  (°F) 

[A] 

P 

S 

V09T1012 

75 

90 

+  12°  F 

52 

67 

+  24°  F 

0 

1 

V09T1030 

58 

67 

CURVE  3 

58 

67 

CURVE  3 

R 

D 

V09T1724 

29 

83 

CURVE  4 

46 

100 

CURVE  5 

T 

E 

V34T1102 

96 

114 

+  29°  F 

71 

89 

+  43°  F 

V34T1106 

75 

93 

+  26°  F 

120 

138 

+  20°  F 

S 

S 

V09T1014 

75 

90 

+  10°  F 

52 

67 

+  22°  F 

T 

1 

V09T1028 

58 

67 

CURVE  3 

58 

67 

CURVE  3 

B 

D 

V09T1720 

29 

83 

CURVE  4 

46 

100 

CURVE  5 

D 

E 

V34T1104 

96 

114 

+  29°  F 

71 

89 

+  43°  F 

V34T1108 

75 

93 

+  26°  F  [B] 

120 

138 

+  20°  F 

[B] 

T 

V09T1004 

E| 

CURVE  6 

81 

100 

CURVE  6 

O 

V09T1024 

H 

CURVE  6 

81 

100 

CURVE  6 

P 

V09T1524 

60 

+  1 1  °  F 

61 

61 

+  19°  F 

P 

V37T1000 

63 

63 

CLOSED  PLBD 

69 

69 

CLOSED  PLBD 

L 

V37T1002 

84 

84 

TEMPS  NOT 

88 

88 

TEMPS  NOT 

B 

V37T1004 

84 

84 

PREDICTED 

88 

88 

PREDICTED 

D 

V37T1006 

63 

63 

BY  STEP 

69 

69 

BY  STEP 

V09T1000 

28 

100 

CURVE  7 

30 

102 

CURVE  8 

B 

V09T1002 

28 

100 

CURVE  7 

30 

102 

CURVE  8 

O 

V09T1016 

99 

158 

+  4°  F 

103 

162 

+  4°  F 

T 

V09T1022 

81 

140 

CURVE  9 

91 

150 

CURVE  9 

T 

V09T1624 

78 

137 

CURVE  10 

44 

103 

+  21  °  F 

O 

V09T1702 

47 

72 

CURVE  11 

37 

62 

CURVE  11 

M 

V34T1 1 1 0 

32 

91 

CURVE  12 

42 

101 

CURVE  13 

V34T1112 

29 

88 

CURVE  14 

38 

97 

CURVE  15 

[A]  CURVE  NUMBERS  REFER  TO  FIGURE  {A18-451  -I}. 

[B]  THESE  DELTA  TEMPERATURES  ARE  FOR  IE  LIMIT  ONLY,  NOT  FOR  OMS  OX  HPBL.  @[030994-1 598A] 

THIS  RULE  CONTINUED  ON  NEXT  PAGE 


VOLUME  A  06/20/02  FINAL  THERMAL  18-77 

Verify  that  this  is  the  correct  version  before  use. 


NASA  -  JOHNSON  SPACE  CENTER 


FLIGHT  RULES 


A18-451  ORBITER  THERMAL  CONSTRAINTS  AND  ATTITUDE 

MANAGEMENT  [CIL]  (CONTINUED) 


STEP  PREDICTED  TEMPERATURE  (DEG  F) 


OV-103 

MSID 

CURVE 

OV-102 

MSID 

CURVE 

V09T1000 

7 

V09T1000 

8 

V09T1002 

7 

V09T1002 

8 

V09T1004 

6 

V09T1004 

6 

V09T1022 

9 

V09T1022 

9 

V09T1024 

6 

V09T1024 

6 

V09T1028 

3 

V09T1028 

3 

V09T1030 

3 

V09T1030 

3 

V09T1624 

10 

V09T1624 

11 

V09T1702 

11 

V09T1702 

5 

V09T1720 

4 

V09T1720 

5 

V09T1724 

4 

V09T1724 

13 

V34T1110 

12 

V34T1110 

15 

V34T1112 

14 

V34T1112 

2 

V58T1700 

1 

V58T1700 

2 

V58T1750 

1 

V58T1750 

2 

FIGURE  A18-451-I  -  DELTA  TEMPERATURE  BIAS  TO  BE  APPLIED  TO  STEP 
PREDICTIONS  TO  CHECK  THERMAL  CONSTRAINT  LIMITS 
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STEP  PREDICTH5  TEMPERATURE  (DEG  F) 


OV-103 

MSID 

CURVE 

OV-102 

MSID 

CURVE 

V09T1000 

7 

V09T1000 

8 

V09T1002 

7 

V09T1002 

8 

V09T1004 

6 

V09T1004 

6 

V09T1022 

9 

V09T1022 

9 

V09T1024 

6 

V09T1024 

6 

V09T1028 

3 

V09T1028 

3 

V09T1030 

3 

V09T1030 

3 

V09T1624 

10 

V09T1624 

11 

V09T1702 

11 

V09T1702 

5 

V09T1720 

4 

V09T1720 

5 

V09T1724 

4 

V09T1724 

13 

V34T1110 

12 

V34T1110 

15 

V34T1112 

14 

V34T1112 

2 

V58T1700 

1 

V58T1700 

2 

V58T1750 

1 

V58T1750 

2 

FIGURE  A18-451-I  -  DELTA  TEMPERATURE  BIAS  TO  BE  APPLIED  TO  STEP 
PREDICTIONS  TO  CHECK  THERMAL  CONSTRAINT  LIMITS  (CONTINUED) 
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STEP  PREDICTED  IHVIPERATURE  (DEG  F) 


OV-103 

MSID 

CURVE 

OV-102 

MSID 

CURVE 

V09T1000 

7 

V09T1000 

8 

V09T1002 

7 

V09T1002 

8 

V09T1004 

6 

V09T1004 

6 

V09T1022 

9 

V09T1022 

9 

V09T1024 

6 

V09T1024 

6 

V09T1028 

3 

V09T1028 

3 

V09T1030 

3 

V09T1030 

3 

V09T1624 

10 

V09T1624 

11 

V09T1702 

11 

V09T1702 

5 

V09T1720 

4 

V09T1720 

5 

V09T1724 

4 

V09T1724 

13 

V34T1110 

12 

V34T1110 

15 

V34T1112 

14 

V34T1112 

2 

V58T1700 

1 

V58T1700 

2 

V58T1750 

1 

V58T1750 

2 

FIGURE  A18-451-I  -  DELTA  TEMPERATURE  BIAS  TO  BE  APPLIED  TO  STEP 
PREDICTIONS  TO  CHECK  THERMAL  CONSTRAINT  LIMITS  (CONTINUED) 
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STEP  accuracy  biases  were  generated  by  evaluation  of  attitudes  normally  flown.  Application  to  other 
attitudes  may  result  in  predicted  temperatures  that  differ  from  actual  values  by  additional  bias 
uncertainty. 

Documentation:  STEP  Accuracy  Definition  Document,  RI IL  SE-TCS-93-042,  May  14,  1993;  and  OV- 
103  Orbiter  On-Orbit  Thermal  Constraints,  RI  IL  SE-TCS-94-004,  January  17,  1994. 

Rule  (A1 8-401),  THERMAL  PROTECTION  SYSTEM  (TPS)  BONDLINE  TEMPERATURES,  references 
this  rule. 
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A18-501  MAXIMUM  OFF  TIME  FOR  COOLING  EQUIPMENT 

ORBIT  @[0511 94-1 61 OA] 

THE  FOLLOWING  IS  A  LISTING  OF  THE  MAXIMUM  TIME  THAT  COOLING 
EQUIPMENT  CAN  BE  OFF  BEFORE  POWERDOWN  ACTION  IS  REQUIRED: 


A.  CABIN 

FANS: 

©[032802-5276C] 

1  . 

20 

MIN 

(FOR  OLD  DDU) 

2  . 

30 

MIN 

(FOR  MDU) 

B.  AVIONICS  FAN  -  26  MIN 

C.  IMU  FANS  -  45  MIN 

D.  H20  LOOPS  -  10  MIN 

E.  BOTH  FREON  LOOPS  -  10  MIN 

Cooling  equipment  off  time  is  constrained  by  the  requirements  of  the  LRU’s  that  they  cool.  If  cooling 

equipment  remains  off  for  a  time  exceeding  the  LRU  specific  cooling  limits,  then  a  powerdown  may  be 

required  due  to  a  potential  overtemp  condition. 

a.  The  CABIN  fans  can  only  be  off  for  20  minutes  due  to  the  cooling  constraints  of  the  Display  Driver 
Units  (old  DDU’s)  if  any  old  DDU  is  flown.  If  only  passively  cooled  Device  Driver  Units  (new 
DDU’s)  are  flown  in  place  of  all  of  the  Display  Driver  Units,  the  CABIN  fans  can  only  be  off  for  30 
minutes  due  to  the  cooling  constraints  of  the  Multifunction  Display  Units.  ©[032802-5276C] 

b.  The  AVIONICS  bay  fans  can  only  be  off  for  26  minutes  due  to  the  cooling  constraints  of  the  GPC’s. 

c.  The  IMU  fans  can  only  be  off  for  45  minutes  due  to  the  cooling  constraints  of  the  IMU’s. 

d.  The  H2O  loops  can  only  be  off  for  10  minutes  due  to  the  cooling  constraints  of  the  S-band  power 
amplifier. 

e.  Both  FREON  loops  can  only  be  off  for  10  minutes  due  to  the  cooling  constraints  of  the  S-band 
power  amplifier.  Note  that  the  catastrophic  failure  may  occur  as  early  as  50  minutes  due  to  loss  of 
cooling  to  the  fuel  cells. 

Documentation:  SODB  Vol.  Ill,  Table  4. 5.0-1,  Dual  Freon  Loop  Failure  Entry  Analysis,  Rockwell 

International,  IL  #388-301-79-018,  7/21/81.  @[051 194-1 61  OA] 
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WATER  LOOP 


A18-551  SPACEHAB  SUBSYSTEM  WATER  LOOP  @[111501 -5011  A] 

LOST  IF: 

A.  PUMP  ACCUMULATOR  QUANTITY  IS  ?  0  (3.4)  PERCENT  AND  SYMPTOMS 

OF  PUMP  CAVITATION  ARE  PRESENT. 

Spacehab  has  identified  this  percentage  as  an  indication  of  accumulator  failure;  3.4  percent  is  the  range 
of  uncertainty  of  the  quantity  sensor. 

B.  FLOW  CANNOT  BE  MAINTAINED  GREATER  THAN: 

1.  ASCENT/ENTRY:  130  POUNDS  PER  HOUR  (LB/HR) 

Analysis  indicates  this  minimum  flow  is  required  to  reject  powered  Spacehab  ascent/entry  heat  loads. 

2.  ON-ORBIT:  140  LB/HR 

For  a  Spacehab  continuous  heat  load  of  2  kW,  this  is  the  minimum  flow  which  will  avoid  violating  the 
maximum  coolant  return  temperature  of  104  degrees  F. 

C.  THERE  ARE  SYMPTOMS  OF  PUMP  CAVITATION  AND  THE  PUMP  INLET 
PRESSURE  IS  LESS  THAN  20  PSIA. 

Pump  will  operate  erratically  and  may  cavitate  at  pressures  less  than  specified  value. 

D.  FLOW  TO  THE  PAYLOAD  HEAT  EXCHANGER  (PLHX)  CANNOT  BE 

MAINTAINED  GREATER  THAN  50  (55)  LB/HR.  @[021600-711 1  A] 

The  water  line  heaters  are  activated  to  preclude  water  freezing  in  case  the  flow  through  the  PLHX 
decreases  below  50  Ib/hr.  The  manual  bypass  IFM  may  result  in  flow  rate  to  the  PLHX  less  than  50  (55) 
Ib/hr.  The  PLHX  flow  in  the  RDM  configuration  is  measured  via  a  flow  sensor  with  an  uncertainty  of  5 
Ib/hr  at  50  Ib/hr.  The  PLHX  flow  in  the  Single  Module/Logistics  Double  Module  (SM/LDM) 
configurations  is  not  measured  directly  and  verification  will  be  done  analytically.  In  the  event  of  water 
line  heater  failure,  attitude  adjustment  would  be  necessary  to  prevent  water  freezing. 

Reference:  Rule  {A18-555},  WATER  LINE  HEATER  MANAGEMENT,  and  ICD  21095,  Interface  Review 
Notice  37.  ®[1 21593-1 594  ]  @[111501-5011  A] 
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A18-552  SPACEHAB  SUBSYSTEM  WATER  LOOP  MANAGEMENT  ®[1 11501  -5011  A] 

A.  THE  SPACEHAB  SUBSYSTEM  WATER  LOOP  SHOULD  BE  OPERATING  AT  ALL 
TIMES  WHEN  THE  MODULE  IS  POWERED;  ONLY  ONE  PUMP  WILL  BE 
RUNNING  AT  ANY  TIME. 


Pump  2  can  operate  on  orbiter  or  inverter  power.  Pump  1  can  only  operate  on  inverter  power. 

B.  FOR  A  DECLARED  FAILURE  OF  THE  SPACEHAB  SUBSYSTEM  WATER  LOOP 
AS  DEFINED  IN  RULE  {A18-551},  SPACEHAB  SUBSYSTEM  WATER  LOOP: 

1.  LIMITED  SPACEHAB  EXPERIMENT  OPERATIONS  MAY  CONTINUE. 

2.  WATER  LINE  HEATERS  WILL  BE  ACTIVATED. 

3.  IF  THE  WATER  LINE  HEATERS  ARE  LOST  OR  INEFFECTIVE, 
CONTROL  THE  ORBITER  ATTITUDE  TO  PRECLUDE  WATER  LINE 
FREEZING  OR  PAYLOAD  HEAT  EXCHANGER  OVER  PRESSURIZATION. 
(REFERENCE  RULE  {A18-555},  WATER  LINE  HEATER  MANAGEMENT, 
FOR  ACCEPTABLE  ATTITUDES.) 


Although  heat  rejection  via  water  cooling  has  been  lost,  limited  heat  can  be  rejected  via  air  exchange 
with  the  orbiter.  This  would  require  some  subsystem  and  experiment  equipment  to  be  powered  off.  This 
configuration  is  also  more  beneficial  than  total  module  deactivation  since  module  temperatures  are  more 
easily  controlled.  The  water  line  heaters  must  be  activated  so  that  the  lines  between  the  module  and  the 
orbiter’ s  payload  heat  exchanger  interface  do  not  freeze.  Attitude  changes  are  the  least  desirable  option 
to  control  water  line  temperatures. 

C.  THE  SUBSYSTEM  WATER  LOOP  OR  WATER  LINE  HEATERS  MUST  BE  ACTIVE 
PRIOR  TO  PAYLOAD  BAY  DOOR  OPENING  AND  MUST  REMAIN  ACTIVE 
UNTIL  POST  LANDING. 


No  analysis  has  been  done  to  determine  if  the  subsystem  water  loop  will  freeze  if  the  water  loop  or  water 
line  heater  is  not  active  when  the  payload  bay  doors  are  closed  during  entry.  ®[1 11501 -5011  A] 
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A18-553  SPACEHAB  SUBSYSTEM  PUMP  OPERATIONS  ®[l  11501-5012] 

A.  FOR  LOSS  OF  A  SINGLE  PHASE,  THE  SUBSYSTEM  WATER  PUMP  MAY 
CONTINUE  TO  BE  OPERATED  ON  TWO-PHASE  POWER. 

The  Subsystem  Water  Pump  was  operated  on  two  phases  during  preflight  testing.  The  Subsystem  Water 
Pump  may  be  operated  but  not  started  on  only  two  phases. 

If  the  Subsystem  Water  Pump  is  operating  on  the  Spacehab  INV  and  phase  A  fails,  the  pump  will  stop 
working  because  phase  A  of  the  Spacehab  INV  provides  the  sync  pulse  required  for  Spacehab  INV  phases 
B  and  C  to  operate.  However,  the  Subsystem  Water  Pump  will  continue  to  operate  on  the  Spacehab  INV 
on  two-phase  power  if  phase  A  continues  to  operate  with  either  phase  B  or  phase  C. 

B.  THE  FOLLOWING  SUBSYSTEM  WATER  PUMP  CONFIGURATION  WILL  BE  USED 
FOR  NOMINAL  SPACEHAB  SM/LDM  OR  RDM  OPERATIONS  FOR 
ASCENT/ENTRY  AND  ON-ORBIT: 

1.  ASCENT/ENTRY 

a.  POWERED  SPACEHAB  MODULE 

(1)  SUBSYSTEM  WATER  PUMP  1  -  ON,  USING  SPACEHAB 
INVERTER  POWER 

(2)  SUBSYSTEM  WATER  PUMP  2  -  OFF,  CONFIGURED  TO 
SPACEHAB  INVERTER  POWER 

FOR  FAILURE  OF  WATER  PUMP  1,  WATER  PUMP  2  WILL  BE 
COMMANDED  ON  ASAP  POST-MECO  OR  DURING  ENTRY.  FOR 
FAILURE  OF  THE  SPACEHAB  INVERTER,  REFERENCE  RULE 
{ A9-354  }  ,  SPACEHAB  AC  MANAGEMENT.  ®[ED  ] 

Subsystem  water  pump  2  is  configured  to  inverter  power  to  allow  it  to  serve  as  a  backup  in  case  pump  1 
fails.  Without  switching  pumps,  module  heat  rejection  is  lost.  Subsystem  water  pump  1  can  only  be 
powered  from  the  Spacehab  inverter.  Pump  2  can  be  powered  from  Spacehab  inverter  or  orbiter  AC 
power.  Since  no  on-board  command  capability  exists  in  OPS  1  (Single  Module  General  Purpose 
Computer  (SM  GPC)  not  available),  the  pumps  will  be  reconfigured  via  ground  command  post  MECO  or 
during  entry.  ®[1 1 1 501  -5012] 
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A18-553  SPACEHAB  SUBSYSTEM  PUMP  OPERATIONS  (CONTINUED) 

b.  UNPOWERED  SPACEHAB  MODULE  ( SM/LDM  ASCENT  ONLY) 

@[111501-5012] 

SUBSYSTEM  WATER  PUMP  2  IS  CONFIGURED  ON  AND  TO 
ORBITER  POWER,  BUT  THE  PUMP  WILL  NOT  BE  OPERATING 
SINCE  ORBITER  AC  POWER  IS  NOT  AVAILABLE  TO  PAYLOADS 
DURING  ASCENT. 


When  the  Spacehcib  module  is  unpowered  for  ascent,  this  configuration  allows  the  Spcicehcib  Subsystem 
Pump  to  be  activated  whenever  power  is  applied  to  the  payload  AC  bus  in  the  event  of  a  failure  that 
prevents  Spacehcib  commanding.  Spacehcib  is  always  powered  for  entry. 

2.  ON-ORBIT 

a.  SUBSYSTEM  WATER  PUMP  2  -  ON,  USING  ORBITER  AC 

b.  SUBSYSTEM  WATER  PUMP  1  -  OFF,  CONFIGURED  TO  SPACEHAB 
INVERTER  POWER 

PUMP  1  WILL  BE  COMMANDED  ON  FOR  FAILURE  OF  PUMP  2.  FOR 
FAILURE  OF  THE  SPACEHAB  INVERTER  OR  ORBITER  AC,  REFERENCE 
RULE  { A9-354  }  ,  SPACEHAB  AC  MANAGEMENT.  ®[ED  ] 

A  subsystem  water  pump  is  required  to  provide  heat  rejection  for  the  module.  Operation  of  either  pump 
on  Spacehcib  inverter  power  is  acceptable,  but  orbiter  AC  power  is  preferred  to  maintain  pump  operation 
in  case  of  ci  Spacehcib  Main  Power  Kill.  Subsystem  pump  2  is  preferred  because  pump  1  cannot  be 
configured  to  orbiter  AC  power.  ®[1 1 1 501  -5012] 
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A18-554  WATER  LINE  HEATERS  ®[1 11501  -5011  A] 

WATER  LINE  HEATERS  WILL  BE  CONSIDERED  LOST  IF  ANY  ONE  OF  THE 
FOLLOWING  IS  TRUE: 

A.  SPACEHAB  WATER  LINE  STATUS  IS  0  INSTEAD  OF  1  WHEN  ACTIVATED. 

B.  IF  ORBITER  WATER  LINE  HEATERS  INSTALLED,  HEATER  AMPS  <  1.0 
WHEN  ACTIVATED. 

Spacehab  water  line  heaters  and  orbiter  water  line  heaters  are  required  to  protect  the  Spacehab  water 
lines  from  freezing.  When  the  Spacehab  module  is  directly  against  the  576  bulkhead,  the  orbiter  set  of 
heaters  will  not  be  installed.  In  this  case,  the  water  line  heaters  will  be  considered  lost  per  paragraph  A. 
If  installed,  orbiter  water  line  heater  amps  ?  1.0  would  indicate  that  the  heaters  are  operating.  ®[1 11501- 
5011  A] 
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A18-555  WATER  LINE  HEATER  MANAGEMENT 

A.  THE  WATER  LINE  HEATERS  WILL  BE  ACTIVATED  FOR  ANY  OF  THE 

FOLLOWING  CONDITIONS  (WHEN  THE  PLBD'S  ARE  OPEN):  @[111501 -5011  A] 

1.  LOSS  OR  DEACTIVATION  OF  SPACEHAB  WATER  LOOP 
Loss  of  water  loop  results  in  loss  of  flow  through  the  PLHX. 

2.  PRIOR  TO  PERFORMING  AN  IFM  TO  ADJUST  THE  WFCV  MANUAL 
BYPASS  VALVES 


Crew  adjustment  of  the  bypass  valves  may  result  in  water  flow  rates  to  the  PLHX  below  50  Ib/hr,  leaving 
the  water  lines  susceptible  to  freezing.  Reference:  ICD  21095,  Interface  Review  Notice  37. 

3 .  WHEN  MAIN  DC  AND  AC  POWER  HAVE  BEEN  REMOVED  FROM  THE 
SPACEHAB 


IfPLBD’s  remain  open  after  emergency  deactivation,  water  line  heaters  must  be  active  since  the  pumps 
are  no  longer  operational.  Note  that  emergency  power  from  PL  AFT  MN  B  must  be  supplied  to  the 
Spacehab  for  the  water  line  heaters  to  receive  power.  ®[iii 501-5011  A] 

4.  LOSS  OF  THE  DMU  DATA  STREAM  TO  THE  PDI  WHILE  CONTINUING 
SPACEHAB  OPERATIONS  @[111 501 -5011  A] 

Heaters  are  turned  on  since  the  status  of  the  water  pumps  is  no  longer  available. 

5.  WHEN  CONTINUING  SPACEHAB  OPERATIONS  WITH  A  DEGRADED 
WATER  LOOP,  CONSIDERATION  WILL  BE  GIVEN  TO  DEACTIVATING 
THE  HEATERS  IF  IT  CAN  BE  SHOWN  THAT  FLOW  TO  THE  PLHX  IS 
?  50  LB/HR. 

A  degraded  water  loop  could  result  in  reduced  flow  to  the  PLHX,  while  providing  sufficient  heat 
rejection  to  continue  the  mission.  After  the  heaters  are  activated,  if  power  savings  are  required,  the 
heaters  may  be  deactivated  if  the  flow  through  the  PLHX  is  high  enough  that  there  is  not  a  potential  for 
freezing  the  water  loop. 

Reference:  Rule  {A18-551},  SPACEHAB  SUBSYSTEM  WATER  LOOP. 
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A18-555  WATER  LINE  HEATER  MANAGEMENT  (CONTINUED) 


B. 


THERMAL  CONDITIONING  BY  ADJUSTING  THE  ORBITER  ATTITUDE  WILL 
BE  USED  TO  PREVENT  WATER  LINE  FREEZING  IF  THE  WATER  LINE 
HEATERS  CANNOT  BE  VERIFIED  ACTIVE  AND  THE  WATER  LOOP  IS  OFF. 


In  the  event  of  a  water  line  heater  failure,  no  other  means  exists  to  prevent  the  water  lines  from  freezing. 

C.  IF  THE  SPACEHAB  WATER  LINE  HEATERS  ARE  LOST,  PER  RULE 

{ A1 8-554 } ,  WATER  LINE  HEATERS,  AND  WATER  LOOP  FLOW  TO  THE 
PLHX  IS  LESS  THAN  50  LB/HR,  A  TOP  SUN  ATTITUDE  IS 
REQUIRED . 

ALTERNATIVE  ATTITUDES  OTHER  THAN  THE  TOP  SUN  CAN  BE 
ACCOMMODATED  ONLY  PER  THE  FOLLOWING  TABLE.  OTHER  ALTERNATIVE 
ATTITUDES  WILL  ONLY  BE  PERFORMED  AFTER  THERMAL  ANALYSIS  CAN 
BE  ACCOMPLISHED. 


NUMBER  OF  ORBITS  IN  ALTERNATIVE  ATTITUDE 
ALLOWED  AFTER: 

ALTERNATIVE  ATTITUDE 
FROM  -ZSI 

4  ORBITS  OF - 
ZSI 

8  ORBITS  OF  - 
ZSI 

12  ORBITS  OF  - 
ZSI 

5 

8 

NOT  ANALYZED 

-60<?<+60 

ANY  -ZLV 

1 

1 

1 

-60<?<+60 

WORST  CASE  COLD  ? 

2 

4 

6 

-60<?<+60 

?XLV ?  ZVV 

1 

1 

2 

+? 

-XLV  +YVV  OR  +XLV  -YVV 

1 

1 

2 

-? 

-XLV  -YVV  OR  +XLV  +YVV 

?  -  EXCLUDING  TOP  EARTH  OR  SUN  VIEWING  ®[1 1 1 501-501 1  A] 


Freezing  of  the  water  lines  may  result  in  orbiter  Freon  loop  payload  heat  exchanger  damage  which  puts 
both  Freon  loops  at  risk  of  leaking.  Analysis  results  indicate  that  the  onset  of  freezing  of  the  water  lines 
may  occur  as  early  as  10  minutes  after  this  failure  in  an  attitude  which  excludes  Earth  or  Sun  viewing; 
12  minutes  for  typical  ?  XL  V  rendezvous  attitudes;  and  30  minutes  for  a  -ZLV  attitude.  To  protect 
against  the  worst  case,  a  maneuver  to  a  top  Sun  attitude  should  be  initiated  immediately.  ®[1 11501  -5011  A] 

A  nominal  rendezvous  lasting  no  more  than  9  hours  can  be  flown  only  if  preceded  by  12  or  more  orbits 
of  top  Sun  (analyzed  for  Beta  angles  between  -60  deg  and  +60  deg).  This  applies  only  if  the 
rendezvous  attitude  is  predominantly  ‘1XLV1ZVV. 


Top  Sun/alternative  attitude  times  in  table  cannot  be  ratioed  to  longer  durations.  For  example,  the  4/5 
-ZSI/-ZLV  ratio  cannot  be  flown  as  cm  8/10  attitude  sequence. 
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A18-555  WATER  LINE  HEATER  MANAGEMENT  (CONTINUED) 

For  Beta  angles  >  ?  ?  60  deg ? ,  the  -ZSI  attitudes  can  be  biased  in  pitch  or  roll  only  as  required  to  avoid 
upfiring  RCS  jet  or  orbiter  maneuvering  engine  ( OME )  line  thermal  violations.  However ,  in  the  event  of 
conflicting  constraints,  the  water  loop  must  be  considered  a  high  priority  to  be  protected  from  freezing. 

Documentation:  Rockwell  International  Interned  Letter  #SE-PSE-94-087,  November  17,  1994,  Flight 
Rule  Revision  to  Payload  Active  Cooling  Kit  (PACK)  Thermal  Constraints. 

Rule  {A1 8-552 j,  SPACEHAB  SUBSYSTEM  WATER  LOOP  MANAGEMENT,  references  this  rule. 

D.  EXCEPTIONS  TO  THIS  RULE  WILL  BE  DOCUMENTED  IN  THE  FLIGHT 
SPECIFIC  ANNEX.  @[111501 -5011  A] 
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A18-556  RDM  CENTRALIZED  EXPERIMENT  WATER  LOOP  (CEWL) 

A.  LOST  IF:  ®[1 11501-5013] 

1.  PUMP  ACCUMULATOR  QUANTITY  IS  ?  0  (3.4)  PERCENT  AND 

SYMPTOMS  OF  PUMP  CAVITATION  ARE  PRESENT. 


Spacehab  has  identified  this  percentage  as  an  indication  of  accumulator  failure;  3.4  percent  is  the  range 
of  uncertainty  of  the  quan  tity  sensor. 

2.  THERE  ARE  SYMPTOMS  OF  PUMP  CAVITATION  AND  THE  PUMP  INLET 
PRESSURE  IS  LESS  THAN  20  PSIA. 


Pump  will  operate  erratically  and  may  cavitate  at  pressures  less  than  specified  value. 

B.  FOR  LOSS  OF  THE  CEWL,  POWER  WILL  BE  REMOVED  FROM  EXPERIMENT 
COMPONENTS  BEING  COOLED  BY  THE  CEWL  IF  REQUIRED  TO  MAINTAIN 
THERMAL  LIMITS. 

C.  THE  CEWL  INLET  QD'  S  SHALL  BE  CAPPED  FOR  ASCENT/ENTRY  AND 
UNCAPPED  PRIOR  TO  ACTIVATING  THE  CEWL  PUMP. 


The  CEWL  inlet  QD’s,  when  uncapped,  provide  pressure  relief  capability  for  the  CEWL  when  active. 

This  pressure  relief  capability  is  a  safety  requiremen  t  to  prevent  temperature  induced  over  pressurization 
of  the  CEWL  in  case  of  loss  of  flow.  Ascent/Entry  loads  may  cause  water  to  leak  into  the  Spacehab 
subfloor  from  the  CEWL  inlet  QD’s  if  not  capped. 

Reference:  Hazard  Report  RDM  HR- 5.  ®[1 11501-5013] 
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A18-557  RDM  CEWL  PUMP  OPERATIONS 

A.  FOR  LOSS  OF  A  SINGLE  PHASE,  THE  CEWL  PUMP  MAY  CONTINUE  TO  BE 
OPERATED  ON  TWO-PHASE  POWER.  @[111501-5013] 

The  CEWL  pump  was  operated  on  two  phases  during  preflight  testing.  The  CEWL  pump  may  be 
operated  but  not  started  on  only  two  phases. 

If  the  CEWL  pump  is  operating  on  the  Spacehab  Aft  INV  and  phase  A  fails,  the  CEWL  pump  will  stop 
working  because  phase  A  of  the  Spacehab  INV  provides  the  sync  pulse  required  for  Spacehab  INV  phases 
B  and  C  to  operate.  However,  the  CEWL  pump  will  continue  to  operate  on  the  Spacehab  INV  on  two- 
phase  power  if  phase  A  continues  to  operate  with  either  phase  B  or  phase  C. 

B.  THE  ON-ORBIT  CEWL  PUMP  CONFIGURATION  FOR  NOMINAL  OPERATIONS 
IS  AS  FOLLOWS: 

1.  CEWL  PUMP  1  -  ON,  USING  ORBITER  AC  POWER 

2.  CEWL  PUMP  2  -  OFF,  CONFIGURED  TO  SPACEHAB  AFT  INVERTER 
POWER 

FOR  FAILURE  OF  CEWL  PUMP  1,  CEWL  PUMP  2  WILL  BE  AUTOMATICALLY 
COMMANDED  ON.  FOR  FAILURE  OF  THE  SPACEHAB  INVERTER  OR 
ORBITER  AC,  REFERENCE  RULE  {A9-354},  SPACEHAB  AC  MANAGEMENT. 

®[ED  ] 

CEWL  pump  1  is  considered  the  prime  pump  since  an  automatic  switchover  capability  exists  in  the  Aft 
Power  Distribution  Unit  (APDU)  logic  to  power  on  CEWL  pump  2  in  case  of  a  pump  1  failure.  This 
capability  does  not  exist  from  pump  2  to  pump  1.  Pump  2  is  configured  to  an  alternate  power  source  to 
allow  it  to  be  powered  in  case  the  power  source  to  pump  1  fails.  Orbiter  AC  is  considered  the  preferred 
source  for  the  prime  pump.  Operation  of  either  CEWL  pump  by  Spacehab  Aft  Inverter  or  orbiter  AC  is 
acceptable.  Whenever  CEWL  cooled  experiments  are  operating,  a  CEWL  pump  is  required  to  provide 
heat  rejection.  ®[i  1 1 05-501 3  ] 
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SPACEHAB  ENVIRONMENTAL  CONTROL  SYSTEM  (ECS)  MANAGEMENT 


A18-601  ORB ITER/ SPACEHAB /EXPERIMENT  THERMAL  PRIORITIES 

@[111501-4993] 

IF  CONFLICTS  OCCUR,  ORBITER  THERMAL  LIMITS  WILL  NORMALLY  BE 
PROTECTED  AT  THE  EXPENSE  OF  SPACEHAB  THERMAL  LIMITS.  SPACEHAB 
HAS  PRIORITY  OVER  EXPERIMENTS.  ®[1 1 1501 -4976A] 

The  orbiter  thermal  limits  must  always  take  precedence  over  Spacehab  to  ensure  the  capabilities  of  the 
orbiter.  ®[1 11501 -4976A] 


A18-602  ORBITER  FREON  FLOW  PROPORTIONING  VALVE  (FPV)  USAGE 

@[111 501 -5011  A] 

THE  TWO  ORBITER  FREON  FPV' S  WILL  NOMINALLY  BE  USED  ACCORDING  TO 
THE  FOLLOWING  PLAN:  ©[111501-4976A] 

A.  PRELAUNCH  (POWERED  ASCENT) :  ONE  FPV  IN  THE  INTERCHANGER 
(ICH)  POSITION  AND  ONE  FPV  IN  THE  PAYLOAD  HEAT  EXCHANGER 
(PLHX)  POSITION  AS  REQUIRED  BY  THE  PAYLOAD  UNTIL  FLIGHT- 
SPECIFIC  LAUNCH  MINUS  TIME  SPECIFIED  IN  THE  FLIGHT  SPECIFIC 
ANNEX.  THEN  BOTH  FPV' S  ARE  PLACED  IN  ICH  FOR  ASCENT. 


Both  FPV’s  must  be  in  ICH  for  ascent.  However,  cold  soaking  the  Spacehab  module  prelaunch  via  one 
FPV  in  PLHX  keeps  the  predicted  module  temperatures  acceptable  until  post  insertion.  Moving  the  FPV 
back  to  the  ICH  position  still  guarantees  a  nominal  crew  cabin  temperature  at  ingress  and  during  ascent. 

B.  ON-ORBIT  14.7  PSI  OPS:  AFTER  SUCCESSFULLY  REACHING  ORBIT, 

ONE  FPV  WILL  BE  PLACED  IN  "PLHX"  POSITION  UNTIL  DEORBIT  PREP. 
THE  SECOND  FPV  WILL  ONLY  BE  TAKEN  TO  "PLHX"  IF  REQUIRED  TO 
SATISFY  PAYLOAD  THERMAL  REQUIREMENTS  AS  DEFINED  IN  THE  FLIGHT 
SPECIFIC  ANNEX.  AT  DEORBIT  PREP,  BOTH  FPV' S  WILL  BE  RETURNED 
TO  "ICH"  FOR  ENTRY  AND  LANDING.  FOR  EXTENSION  DAYS,  AN  FPV 
IN  "PLHX"  IS  NOT  REQUIRED  AS  LONG  AS  SPACEHAB  REMAINS  IN  THE 
ENTRY  CONFIGURATION  OR  WITHIN  THERMAL  REQUIREMENTS. 


If  the  cabin  is  at  14.7  psi,  marginal  cooling  exists  for  orbiter  systems  if  both  FPV’s  are  given  to  the 
payload.  To  provide  sufficient  cooling  to  the  orbiter,  only  one  FPV  should  be  in  the  PLHX  position 
unless  both  are  required  to  avoid  violating  payload  thermal  limits.  In  the  entry  configuration,  Spacehab 
thermal  loads  are  lower  such  that  an  FPV  in  PLHX  is  not  required.  However,  if  Spacehab  is 
reconfigured,  ( i.  e. ,  hatch  opened),  an  FPV  in  the  PLHX  position  may  be  required.  ©[111501-4976A] 

THIS  RULE  CONTINUED  ON  NEXT  PAGE 


VOLUME  A  06/20/02  FINAL  THERMAL  18-97 

Verify  that  this  is  the  correct  version  before  use. 


NASA  -  JOHNSON  SPACE  CENTER 


FLIGHT  RULES 


A18-602  ORBITER  FREON  FLOW  PROPORTIONING  VALVE  (FPV)  USAGE 

(CONTINUED) 


C.  ON-ORBIT  10.2  PSI  ORBITER  OPS:  REFERENCE  ALL  FLIGHTS  RULE 
{A17-308A},  ATCS  (10.2  PSIA  CABIN)  CONFIGURATION.  ®[1 11501 -4976A] 

D.  POSTLANDING:  BOTH  FPV' S  WILL  BE  IN  THE  "ICH"  POSITION  UNTIL 
REQUESTED  FOR  PAYLOAD  COOLING  NO  EARLIER  THAN  CREW  EGRESS. 
THEN  ONE  FPV  IS  PLACED  INTO  THE  "PLHX"  POSITION  FOR  THE 
DURATION  OF  EARLY  EXPERIMENT  RETRIEVAL  OPERATIONS. 


Moving  one  FPV  to  PLHX  allows  Spacehab  to  maintain  module  temperature  during  early  experiment 
sample  retrieval  operations.  Waiting  until  crew  egress  to  move  one  FPV  to  PLHX  maximizes  orbiter 
cabin  cooling  for  crew  comfort  until  ground  ventilation  can  be  connected. 

E.  EXCEPTIONS  TO  THIS  RULE  ARE  DOCUMENTED  IN  THE  FLIGHT  SPECIFIC 
ANNEX.  ®[1 1 1501-4976A] 


VOLUME  A  06/20/02  FINAL  THERMAL  18-98 

Verify  that  this  is  the  correct  version  before  use. 


NASA  -  JOHNSON  SPACE  CENTER 


FLIGHT  RULES 


A18-603  SM/LDM  WATER  FLOW  CONTROL  ELECTRONICS  UNIT  (WFCEU) 

@[111501 -5011  A] 

A.  THE  PRIORITIES,  FROM  HIGHEST  TO  LOWEST,  FOR  THE  WFCEU 
CONFIGURATION  ARE  AS  FOLLOWS:  @[111501-4995] 

1.  MODE  2  (AUTOMATIC  CONTROL  OF  FAN/HX  INLET  TEMPERATURE) 

2.  MODE  1  (AUTOMATIC  CONTROL  OF  CABIN  TEMPERATURE) 

3.  MODE  3  (CONTROL  OF  VALVE  POSITION  BY  CABIN  TEMPERATURE 

SET  POINT  KNOB) 

4.  MANUAL  ADJUSTMENT  OF  TWO  WATER  BYPASS  VALVES  (WITH  WATER 
LINE  HEATERS  ON) 

The  WFCEU  software  has  multiple  modes  to  allow  for  multiple  sensor  failures.  Mode  2  requires  an 
operational  fan/HX  inlet  temperature  sensor  and  controls  the  module  temperature  more  accurately  than 
the  other  modes.  Therefore,  mode  2  is  the  preferred  mode  of  operation.  The  MCC  will  inform  the  crew 
if  an  alternate  operational  mode  is  necessary  and  which  specific  commands  are  required.  Mode  1 
provides  for  automatic  cabin  temperature  con  trol  by  allowing  the  WFCEU  to  operate  even  if  one  of  the 
water  temperature  sensors  fails.  Mode  3  does  not  require  any  operational  temperature  sensors,  only  the 
cabin  temperature  set  point.  If  none  of  the  three  modes  operate  satisfactorily,  an  IFM  will  be  necessary 
to  reconfigure  the  water  loop.  Direction  on  WFCV  bypass  valve  adjustment  will  be  provided  by  the 
POCC.  Crew  adjustmen  t  of  water  metering  valves  could  cause  a  flow  rate  to  the  PLHX  less  than  50 
Ibm/hour. 

Reference:  ICD  21095,  Interface  Review  Notice  37. 

B.  DURING  MODE  1  OPS,  IF  ANY  ONE  OF  SEVEN  SENSOR  INPUTS  TO  THE 
WFCEU  FAIL  OR  GIVE  ERRONEOUS  DATA,  A  COMMAND  WILL  BE  ISSUED 
FROM  THE  ORBITER  DISPLAY  SYSTEM  WHICH  ALLOWS  THE  WFCEU  TO 
OVERRIDE  THAT  INPUT. 

The  seven  inputs  to  the  WFCEU  are:  dew  point  temperature,  cabin  temperature,  cabin  temperature 
setpoint,  water  pump  inlet  temperature,  fan/HX  inlet  temperature,  WFCV  cold  inlet  temperature,  and 
WFCV  position.  Any  of  the  seven  can  be  compensated  for  by  the  WFCEU  upon  commanding  from  the 
Orbiter  Display  System.  The  MCC  will  inform  the  crew  which  flag  command  should  be  issued. 
@[111501-4995] 
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A18-604  RDM  ENVIRONMENTAL  CONTROL  UNIT  (ECU)  OPERATIONS 

A.  AUTOMATIC  CONTROL  OF  THE  AIR  BYPASS  VALVE  ( ABV)  BY  THE  ECU  IS 
THE  NORMAL  OPERATING  MODE.  @[111501-5013] 

B.  FOR  ERRATIC  OR  UNSATISFACTORY  ENVIRONMENTAL  CONTROL  OF  THE 
SPACEHAB  MODULE,  THE  ECU  SOFTWARE  CONTROL  PARAMETERS  MAY  BE 
UPDATED/MODIFIED  VIA  UPLINK  COMMANDING. 

C.  IF  THE  SOFTWARE  UPDATES  DO  NOT  IMPROVE  ECU  OPERATION,  THE  ABV 
POSITION  MAY  BE  SET  VIA  GROUND  COMMANDING. 

D.  FOR  COMPLETE  LOSS  OF  THE  ECU  AND  ECU  COMMANDING,  THE  CREW  CAN 
MANUALLY  ADJUST  THE  ABV  POSITION  VIA  IFM . 


The  above  methods  of  ECU  operation  are  listed  in  order  of  preference.  The  order  was  based  on 
maintaining  optimal  operation  of  the  RDM  thermal  control  system  while  minimizing  impact  on  crew 
operations.  ®[1 11501-5013] 
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A18-605  RDM  ROTARY  SEPARATOR  (RS)  OPERATIONS 

A.  THE  RS  SENSORS  SHALL  BE  POWERED  PRIOR  TO  RS  ACTIVATION. 
@[111501-5013] 

The  RS  sensors  can  be  powered  by  orbiter  AC  or  Spacelmb  inverter  power.  The  sensors  must  be  active 
before  RS  activation  to  preven  t  RS  automatic  switchover. 

B.  THE  RS  MAY  BE  OPERATED,  BUT  NOT  STARTED  USING  ONLY  TWO-PHASE 
POWER. 

The  RS  was  operated  on  two  phases  during  preflight  testing.  The  RS  may  be  operated  but  not  started  on 
only  two  phases. 

If  the  RS  is  operating  on  the  Spacehab  Aft  INV  and  phase  A  fails,  the  RS  will  stop  working  because  phase 
A  of  the  Spacehab  INV  provides  the  sync  pulse  required  for  phases  B  and  C  to  operate.  However,  the  RS 
will  continue  to  operate  on  the  Spacehab  INV  on  tw’o-phase  power  if  phase  A  continues  to  operate  with 
either  phase  B  or  phase  C.  ®[1 11501-5013] 

C.  THE  RS  CONFIGURATION  FOR  ASCENT/ENTRY  WILL  BE  AS  FOLLOWS: 

@[111501-5013] 

1.  RS  1  -  ON,  USING  SPACEHAB  INVERTER  POWER 

2.  RS  2  -  OFF,  CONFIGURED  TO  SPACEHAB  INVERTER  POWER 

RS  1  WILL  BE  AUTOMATICALLY  COMMANDED  OFF  AND  RS  2  COMMANDED 
ON,  IF  RS  1  FAILS.  FOR  FAILURE  OF  THE  SPACEHAB  INVERTER, 
REFERENCE  RULE  {A9-354},  SPACEHAB  AC  MANAGEMENT.  ®[ED  ] 

RS  1  is  the  prime  RS  since  an  automatic  switchover  capability  exists  in  the  APDU  logic  to  power  on  RS  2 
in  case  of  an  RS  1  failure.  RS  2  is  configured  to  inverter  power  to  allow  it  to  ser\’e  as  a  backup  in  case  of 
an  RS  1  failure.  This  automatic  switchover  capability  does  not  exist  to  turn  on  RS  1  ifRS  2  fails. 
Therefore,  as  long  as  RS  1  is  operational,  it  will  always  be  prime.  RS  2  operating  would  indicate  failure 
ofRS  1.  An  operational  RS  is  required  to  maintain  moisture  removal  capability  in  the  Spacehab  module. 
Unlike  fans  and  pumps,  the  backup  RS  is  not  configured  to  orbiter  AC  because  it  is  not  critical  for  entry 
and  the  RS  switches  automatically  without  opportunity  for  flight  controller  intervention.  ®[1 11501-5013] 
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A18-605  RDM  ROTARY  SEPARATOR  (RS)  OPERATIONS  (CONTINUED) 

D.  THE  RS  CONFIGURATION  FOR  ON-ORBIT  OPERATIONS  WILL  BE  AS 
FOLLOWS : 


1 . 

RS 

1 

-  ON, 

USING  SPACEHAB 

INVERTER  POWER 

2  . 

RS 

2 

-  OFF, 

CONFIGURED  TO 

ORBITER  AC  POWER 

RS  1  WILL  BE  AUTOMATICALLY  COMMANDED  OFF  AND  RS  2  COMMANDED 
ON,  IF  RS  1  FAILS.  FOR  FAILURE  OF  THE  SPACEHAB  INVERTER  OR 
ORBITER  AC,  REFERENCE  RULE  {A9-354},  SPACEHAB  AC  MANAGEMENT. 

®[ED  ] 

RS  1  is  the  prime  RS  since  an  automatic  switchover  capability  exists  in  the  APDU  logic  to  power  on  RS  2 
in  case  of  cm  RS  1  failure.  This  automatic  switchover  capability  does  not  exist  to  turn  on  RS  1  ifRS  2 
fails.  Therefore,  as  long  as  RS  1  is  operational,  it  will  always  be  prime.  RS  2  operating  would  indicate  a 
failure  in  RS  1.  It  is  preferred  for  RS  1  to  remain  on  Spacehcib  aft  inverter  power  from  the  ascent 
configuration.  RS  2  is  commanded  to  orbiter  AC  to  allow  RS  2  to  be  powered  by  an  alternate  source  in 
case  ofci  Spacehcib  aft  inverter  failure.  Operation  of  either  RSfrom  Spacehcib  inverter  power  or  orbiter 
AC  power  is  acceptable.  An  operational  RS  is  required  to  maintain  moisture  removal  capability  in  the 
Spacehcib  module.  The  Spacehcib  inverters  are  the  preferred  source  of  power  for  the  prime  RS  in  order 
to  off  load  orbiter  AC  power.  ®[1 11501-5013] 
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A18-606  RDM  CONDENSATE  STORAGE  TANK  (CST) /CONTINGENCY 

WATER  CONTAINER  (CWC)  MANAGEMENT 

A.  SPACEHAB  WILL  UTILIZE  ORBITER  DUMP  CAPABILITY  TO  DUMP  CWC' S 
OVERBOARD.  @[111501-5013] 

Spacehab  does  not  have  overboard  condensate  dump  capability  and  must  rely  on  the  orbiterfor  this 
function.  During  nominal  operations,  it  takes  approximately  20  hours  for  the  CST  to  be  filled  (based  on 
3.25  crew  members  in  the  Spacehab  module).  The  CWC  will  be  emptied  after  six  condensate  transfers 
from  the  CST  to  CWC  to  comply  with  the  operational  constraint  of  only  filling  the  CWC  to  90  lbs 
(approximately  75  percen  t  of  capacity). 

B.  FILLED  SPACEHAB  CWC'S  WILL  BE  STOWED  IN  THE  SPACEHAB  IF 
ORBITER  CERTIFIED  STOWAGE  LOCATIONS  ARE  NOT  AVAILABLE  IN  THE 
EVENT  OF  AN  ORBITER  FAILURE/EMERGENCY  WHERE  THE  SPACEHAB  CWC 
CANNOT  BE  EMPTIED. 

Spacehab  has  one  certified  stowage  location  in  the  module  in  which  to  stow  a  partially  filled  CWC  and 
will  consider  using  orbiter  stowage  first,  if  it  is  available.  Otherwise,  Spacehab  will  stow  full  bags  in  the 
stowage  staging  area  or  aft  of  the  intermediate  adapter  on  the  floor.  Rupture  of  a  bag  does  not  pose  a 
risk  to  crew  safety,  but  to  damaging  Spacehab  hardware. 

Reference:  Rule  (A1 0-385},  FILLED  CWC  STOWAGE  MANAGEMENT. 

C.  CWC'S  MAY  REMAIN  CONNECTED  AND  NOT  DUMPED  FOR  AN  EMERGENCY 
DEACTIVATION. 

If  time  permits,  the  CWC  will  be  disconnected  and  stowed.  The  bag  remaining  connected  does  not  pose  a 
risk  to  crew  safety,  but  to  damaging  Spacehab  hardware. 

D.  IF  THE  CWC  IS  CONNECTED  WITH  THE  CWC  VALVE  OPEN,  THE  CWC  WILL 
BE  DISCONNECTED  AND  DUMPED  OR  STOWED  BEFORE  THE  CST  PRESSURE 
EXCEEDS  10  PSIG. 

The  CST  pressure  should  be  zero  if  the  CWC  valve  between  the  CST  and  the  CWC  is  open.  A  pressure 
greater  than  zero  indicates  that  the  CWC  is  being  pressurized.  Since  it  is  desired  not  to  pressurize  the 
CWC,  the  frequency  of  CWC  changeouts  will  be  managed  to  prevent  pressurization  of  the  bag. 

However,  in  the  event  that  some  pressurization  of  the  CWC  occurs,  the  maximum  rated  pressure  of  10 
psig  shall  not  be  exceeded.  ®[i  1 1 501  -501 3  ] 
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A18-606  RDM  CONDENSATE  STORAGE  TANK  (CST) /CONTINGENCY 

WATER  CONTAINER  (CWC)  MANAGEMENT  (CONTINUED) 

E.  THE  CONDENSATE  TANK  CONTENTS  MUST  BE  TRANSFERRED  TO  THE  CWC 
OR  THE  RS  TURNED  OFF  BEFORE  THE  CST  PRESSURE  EXCEEDS  15  PSIG. 
@[111501-5013] 

The  contents  of  the  CST  must  be  transferred  or  the  rotary  separator  deactivated  prior  to  the  CST 
becoming  full  to  prevent  deadheading  the  Water  Separator  Assembly  ( WSA ).  Deadheading  the  WSA  will 
cause  water  to  be  carried  over  into  the  exit  air  stream  and  potential  rotary  separator  motor  damage. 

The  CST  pressure  is  17.5  psig  when  the  CST  diaphragm  is  fully  extended. 

F.  THE  CST  IS  NOT  REQUIRED  TO  BE  EMPTIED  FOR  EXTENSION  DAYS. 
CONSTRAINTS  ON  THE  FINAL  CST  TRANSFER  AND  DUMP  WILL  BE 
DOCUMENTED  IN  THE  FLIGHT-SPECIFIC  ANNEX. 

If  the  Spacehab  Module  remains  closed  for  an  extension  day ,  the  condensate  generation  is  negligible  and 
the  CST  is  capable  of  accommodating  all  condensate  generated,  provided  the  CST  was  emptied  based  on 
the  constraints  in  the  Flight-Specific  Annex.  If  the  Spacehab  hatch  is  opened  and  there  is  little  to  no 
crew  activity  in  the  module  for  extension  days;  condensate  generation  will  be  minimal  and  the  CST 
should  be  capable  of  accommodating  all  condensate  generated.  ®[1 11501-5013] 
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THERMAL  GO/NO-GO  CRITERIA 


A18-1001  THERMAL  GO/NO-GO  CRITERIA 


SYSTEM/COMPONENTS/FUNCTIONS 

A.  SUPPLY  HoO: 

1.  SUPPLY  H20  TANKS  (4) 

2.  DUMP  CAPABILITY 

B.  ARS  HoO: 

1.  H2OLOOPS(2) 

2.  H20  LOOP  LEAK 

C.  ATCS: 

1.  FCL  (2) 

2.  FCL  LEAK 

3.  FCL  PMPS  (4) 

4.  FES  (2) 

5.  FES  CONTRS  (PRI  A,  PRI  B,  SEC)  (3) 

6.  FES  FEEDLINE  (2) 

7.  ABS  (2) 

8.  RFCA  (2) 

9.  RAD  ISOL 

10.  HEAT  EXCHANGER  LEAK 

@[121593-1589]  @[0201 96-1 81 0A]  @[061 396-31 04A]  ®[ED 


ASCENT 
ABORT  IF: 

INVOKE 
MDF  IF: 

ENTER  NEXT 
PLS  IF 

2?  [1] 

[2] 

1  ?  [3] 

2  ? 

1  ? 

[11] 

4  ? 

[4] 

[5] 

1  ?  (TOPPING) 
[6]  [7] 

1  ?  (HI-LOAD) 
[6]  [7] 

[5] 

2  ? 

(PRIMARY) 

3?  [7] 

[5] 

2?  [7] 

1  ?  [8] 

1  ?  [8] 

[9] 

[10] 

]  @[050400-7192] 


LEGEND: 


NO  REQUIREMENT 


(  )  QUANTITY 


REQUIRED  [  ]  NOTE  REFERENCE 


THIS  RULE  CONTINUED  ON  NEXT  PAGE 


VOLUME  A  06/20/02  FINAL  THERMAL  18-105 

Verify  that  this  is  the  correct  version  before  use. 


NASA  -  JOHNSON  SPACE  CENTER 


FLIGHT  RULES 


A18-1001  THERMAL  GO/NO-GO  CRITERIA  (CONTINUED) 


NOTES: 

[1]  A  MINIMUM  OF  300  LB  OF  H20  REQUIRED  TO  SUPPORT  CONTINGENCY  EVA  AND  DEORBIT  PREPARATION  FOR  A 
PLBD  FAIL  TO  CLOSE  CASE. 

[2]  LOSS  OF  TWO  H20  LOOPS  REQUIRES  AN  AOA. 

[3]  IF  TWO  WATER  LOOPS  ARE  LOST,  A  LANDING  WILL  BE  REQUIRED  WITHIN  4  HOURS  OF  THE  FAILURE. 

[4]  ENTER  NEXT  PLS  IF  FCL  1  PUMP  B  AND  FCL  2  PUMP  A  FAILED. 

[5]  FOR  LOSS  OF  ALL  FES  COOLING,  MUST  PRESS  TO  ORBIT  AND  OPEN  PLBD’S  ASAP  POST-OMS-1 . 

[6]  CONSIDERATION  WILL  BE  GIVEN  TO  REMAINING  ON  ORBIT  TO  ATTEMPT  TO  THAW  OUT  EITHER  EVAPORATOR. 

[7]  REQUIRES  POWERDOWN  FOR  ENTRY. 

[8]  NEXT  PLS  IS  REQUIRED  (NOT  INCLUDING  FIRST  DAY  PLS)  FOR  LOSS  OF  RADIATOR  COOLING  IN  ONE  LOOP  IF 
SUPPLY  H20  QUANTITIES  AND  MANAGEMENT  PLAN  WILL  NOT  SUPPORT  THE  FOLLOWING  PLS  WITH  THE  NEXT 
WORST  FAILURE  (LOSS  OF  GOOD  FREON  LOOP).  ASSUMING  WATER  QUANTITIES  WILL  SUPPORT  THE  NEXT 
WORST  FAILURE,  THE  MISSION  MAY  BE  EXTENDED  TO  THE  SUBSEQUENT  PLS  OPPORTUNITIES.  @[050400-7192  ] 
@[092701 -4865D]  @[092701 -4866B] 

ELS  WILL  BE  REQUIRED  IF  THE  NEXT  WORST  FAILURE  OCCURS  BEFORE  SUPPLY  WATER  QUANTITIES  CAN 
SUPPORT  NEXT  PLS.  @[050400-7192] 

[9]  MDF  IF  LEAK  IN  HEAT  EXCHANGER  BETWEEN  DISSIMILAR  FLUIDS  OTHER  THAN  FREON  TO  ORBITER  F^O. 

[10]  ENTER  NEXT  PLS  IF  LEAK  BETWEEN  FREON  AND  CABIN  H20  LOOP  @[0201 96-181 0A] 

[11]  FOR  A  LEAKING  FREON  LOOP  WHICH  WILL  SUPPORT  NEXT  PLS  BUT  NOT  THE  FOLLOWING  PLS,  A  PLS  WILL  BE 
DECLARED  IN  ORDER  TO  ACHIEVE  A  NOMINAL  D/O  PREP  AND  ENTRY.  A  LOSS  OF  ONE  FREON  LOOP  ENTRY 
REQUIRES  A  POWERDOWN  TO  14  KW.  @[061 396-31 04A] 
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A18-1001  THERMAL  GO/NO-GO  CRITERIA  (CONTINUED) 

A.  SUPPLY  H20 

1.  Supply  Water  -  two  supply  water  tanks  are  required  to  maintain  redundancy  for  FC  water 
removal  capability.  If  only  one  supply  water  tank  was  maintained,  one  additional  failure  (the 
remaining  tank)  could  result  in  loss  ofcdl  three  FC’s. 

2.  Dump  Capability  -  Loss  of  dump  capability  requires  FC  relief  system  activation  when  all 
water  tanks  are  full.  The  FC  relief  system  is  zero  fault  tolerant  under  these  conditions  and 
failure  of  this  relief  system  would  cause  losses  of  vehicle  and  crew. 

B.  ARS  H20 

1.  H20  LOOPS 

Loss  of  one  water  loop  has  no  impact  to  the  orbiter  cooling  since  only  one  loop  is  normally 
activated.  However,  the  failure  places  the  orbiter  in  a  zero-fault  tolerant  level.  The  next 
failure,  loss  of  the  other  loop,  would  leave  the  orbiter  with  no  control  for  humidity  and  no 
cooling  available  to  the  avionics  inside  the  crew  module.  Effective  PPC02  concentration 
control  would  also  be  lost  due  to  restricted  operations  of  cabin  fans  to  avoid  overheating  ac 
inverters  which  are  actively  cooled  by  water  loops.  For  loss  of  one  water  loop  du  ring  ascent, 
nominal  ascent  should  therefore  be  continued  and  first  day  PLS  be  executed. 

An  AO  A,  rather  than  cm  earlier  ascent  abort  mode,  is  preferred  for  loss  of  both  water  loops 
during  ascent  because  the  avionics,  with  proper  management,  will  not  overtemp  in  an  AO  A 
timeframe  (approximately  110  minutes).  Avionics,  due  to  the  hot  thermal  environment 
encoun  tered  in  the  ascen  t  phase,  cann  ot  be  managed  properly  for  the  extended  time  requ  ired 
for  a  first  day  PLS  to  ensure  a  safe  entry. 

Thermal  analysis  indicates  that,  if  two  water  loops  are  lost,  cabin  conditions  will  become 
in  tolerable  within  2  hours  of  the  failure.  Cabin  temperatures  approach  90  deg  F  and  relative 
humidity  reaches  100  percen  t.  Avionics  temperatures  exceed  their  loss  of  cooling  operate 
periods  and  must  be  powered  down.  The  cabin  conditions  can  be  relieved  by  performing 
cabin  depress/repress  (DEP/REP)  cycles.  The  4-hour  time  to  landing  is  based  on  a  crew  of 
seven  with  an  N2  quantity  of  262  lb.  Crew  exposure  to  the  extreme  cabin  conditions  is  the 
primary  driver  for  terminating  the  flight.  The  DEP/REP  cycles  provide  relief  from  the  high 
heat  and  humidity  by  dumping  the  excessive  heat  and  humidity  overboard  and  replacing  the 
air  with  cool,  dry  N2  and  02. 

DOCUMENTATION:  Lockheed  Technical  Memorandum,  G189A  ECLSS  ANALYSIS  OF  THE 
LOSS  OF  TWO  WATER  LOOPS  AFO  (TIG  >  2.5),  to  be  published.  Document  no.  LESC- 
24843;  engineering  judgmen  t;  l.l-ECLSS-09. 
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2.  H20  LOOP  LEAK 

When  there  is  a  coolant  leak  into  the  cabin  from  the  water  loop,  it  becomes  zero-fault  toleran  t 
to  crew  safety  because  the  next  failure,  a  Freon-to-water  leak  at  the  interchanger,  will 
introduce  toxic  Freon  21  into  the  crew  habitable  area.  However,  based  upon  the  confidence 
in  the  interchanger  hardware  integrity  (stainless  steel  construction;  no  leak  experience)  and 
the  desire  to  provide  on-orbit  time  for  crew  adaption  (SAS  concerns),  an  MDF  will  be 
performed. 

DOCUMENTATION:  Engineering  judgment;  JSC-08934,  volume  3,  section  4. 6. 1.2. 1.2. 

C.  ATCS 
1.  FCL: 

Loss  of  one  Freon  loop  requires  a  PLS  because  the  next  failure  (loss  of  other  Freon  loop) 
could  result  in  loss  of  crew/vehicle. 

Nominal  ascent  is  continued  so  that  more  time  is  available  to  reconfigure  for  a  one  Freon 
loop  entry  and  also  because  loss  of  one  Freon  loop  is  not  an  emergency.  If  both  loops  are 
lost,  an  emergency  entry  (ascent  abort )  is  required  because  all  cooling  to  the  vehicle  is  lost. 

If  both  Freon  loops  are  lost,  an  emergency  entry  is  required  because  the  FC  stack 
temperatures  will  reach  the  specification  operational  limit  of 250  deg  F  within  approximately 
50  minutes.  In  addition,  the  electrolyte  will  reach  the  25  percent  operational  limit  in 
approximately  75  minutes.  At  this  point,  continued  operation  of  the  FC’s  is  questionable. 

This  assumes  a  simultaneous  purge  of  all  three  FC’s  and  12.54  kWh  (4.18  kWh/FCP). 

DOCUMENTATION:  Dual  Freon  Loop  Failure  Entry  Analysis,  Rockwell  International, 

IL  # 388-301-79-018 ,  7/21/81. 
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2.  FCL  PUMPS: 

Loss  of  FCL  1  pump  B  and  FCL  2  pump  A  requires  a  PLS  because  both  remaining  pumps  are 
powered  by  ACL  Loss  of  AC  1  would  cause  the  loss  of  both  FCLS  and  could  result  in  loss  of 
crew/vehicle. 

If  both  Freon  loops  are  lost,  an  emergency  entry  is  required  because  the  FC  stack 
temperatures  will  reach  the  specification  operational  limit  of 250  deg  F  within  approximately 
50  minutes.  In  addition,  the  electrolyte  will  reach  the  25  percent  operational  limit  in 
approximately  75  minutes.  At  this  point,  continued  operation  of  the  FC’s  is  questionable. 

This  assumes  a  simultaneous  purge  of  all  three  FC’s  and  12.54  kWh  ( 4.18  kWh/FCP). 

DOCUMENTATION :  Dual  Freon  Loop  Failure  Entry  Analysis,  Rockwell  International,  IL 
4388-301-79-018,  7/21/81. 

3.  FES 


Total  FES 

Loss  of  total  FES  requires  a  next  PLS  because  the  next  failure  (loss  of  one  Freon  loop)  could 
result  in  loss  of  the  crew/vehicle. 

If  the  failure  occurs  on  ascent,  entry  is  not  accomplished  at  the  first  day  PLS  because: 

The  thermal  condition  of  the  vehicle  would  be  extremely  hot.  Whether  or  not  cm  entry  could 
be  accomplished  without  a  massive  powerdown  has  not  been  established.  It  is  desirable  to 
remain  on  orbit  until  the  next  day  PLS  in  order  to  “  coldsocik”  the  vehicle.  No  analysis  for  an 
orbit  3/5  loss  of  FES  case  has  been  run.  An  AO  A  case  was  run  with  the  following 
assumptions  and  results: 

a.  PLBD  open  at  15  minutes. 

b.  PLBD  closed  at  EI-7  minutes  (total  time  PLBD  open  ?  50  minutes). 

c.  Touchdown  occurred  ?  38  minutes  after  doors  closed. 
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d.  Av  bays  1  and  2  were  11  deg  F  above  die  air  inlet  for  27  minutes. 

e.  Av  bays  1  and  2  were  6  deg  F  above  the  air  outlet  for  13  minutes. 

f.  Only  two  crewmembers  were  used. 


If  the  FES  fails  prior  to  TIG  -45  min  utes,  there  is  sufficien  t  time  for  reopening  the  PLED, 
coldsoaking  the  radiators,  performing  the  required  powerdown,  and  reclosing  the  PLED  prior 
to  TIG.  No  thermal  violations  are  expected  during  entry.  ®[0201 96-1 81 OA] 


If  the  FES  fails  between  45  and  15  minutes  before  TIG  and  a  one  rev  late  deorbit  is  available, 
a  one  rev  wave  off  will  be  performed  to  allow  time  to  reopen  the  doors,  coldsoak  the  radiator, 
and  perform  the  powerdown.  No  thermal  violations  are  expected  during  entry  if  a  one  rev 
wave  off  is  performed. 


If  the  FES  fails  with  the  radiator  coldsociked  between  45  and  15  min  u  tes  before  TIG  and  a  one 
rev  deorbit  is  not  available,  the  coldsoak  will  be  utilized  to  continue  with  the  planned  TIG. 
Assuming  the  failure  occurs  at  TIG  -45  minutes,  cabin  temperature  is  expected  to  exceed  92 
degrees  F.  Avionics  bay  supply  air  temperatures  are  expected  to  peak  at  105  degrees  (96 
degrees  being  a  violation)  prior  to  NH3  activation.  These  thermal  violations  are  limited  to 
approximately  10  minutes,  peaking  at  El  and  returning  with  limits  shortly  after  NH3 
activation  at  El,  and  will  not  affect  crew  performance.  A  one  day  wave  off  is  not  preferred 
since  the  next  worst  failure,  loss  of  one  Freon  Loop,  could  cause  the  loss  of  the  crew  and 
vehicle. 


If  the  FES  fails  without  a  radiator  coldsoak  between  45  and  15  minutes  before  TIG  and  a  one 
rev  deorbit  is  not  available,  a  day  wave  off  is  required.  There  is  insufficien  t  time  to  reopen 
the  PLBD  and  coldsoak  the  radiators  prior  to  TIG.  And  there  is  not  adequate  thermal 
capacitance  in  the  radiators  to  support  the  orbiterfor  up  to  1.25  hours  without  active  cooling. 
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If  the  FES  fails  after  TIG  -15  minutes,  powerdown  will  be  performed  and  planned  TIG  will 
be  executed.  Without  a  coldsoak,  avionics  bay  supply  air  temperatures  are  expected  to  peak 
at  105  degrees  (96  degrees  being  a  violation )  prior  to  NH3  activation.  These  thermal 
violations  are  limited  to  approximately  20  minutes,  peaking  at  El  and  returning  with  limits 
shortly  after  NH3  activation  at  El,  and  will  not  affect  crew  performance.  A  one  day  wave  off 
is  not  preferred  since  the  next  worst  failure,  loss  of  one  Freon  Loop,  could  cause  the  loss  of 
the  crew  and  vehicle.  However,  with  a  coldsoak,  no  thermal  violations  are  expected. 

@[0201 96-1 81 OA] 

DOCUMENTATION:  SEH-ITA-85-001T;  SEH-ITA-80-206T. 

4.  FES  CONTRS 


Partial  loss  of  FES/controllers 


Loss  of  high-load  evaporator  is  a  PLS  (including  first  day  PLS)  because  the  next  failure  (loss 
of  one  Freon  loop)  could  result  in  loss  of  crew  or  vehicle.  The  capability  of  the  topping 
evaporator  on  Freon  loop  one  (worst  case )  is  ?  24,600  Btu/hr  or  5.5  kW.  The  24,600  Btu/hr 
is  based  on  test  data  on  one  topping  evaporator  core.  No  specification  data  exists  for  the 
topping  evaporator  on  one  Freon  loop.  Freon  loop  1  is  worst  case  because  loop  2  runs  closer 
to  the  topping  evaporator  core  and  has  better  heat  transfer  than  loop  1. 

Loss  of  topping  evaporator  or  the  loss  of  both  primary  controllers  requires  cm  MDF  because 
the  next  failure  (loss  of  one  Freon  loop)  would  cause  an  extensive  powerdown  to  be  completed 
before  entry;  however,  it  is  believed  an  entry  can  be  performed  at  this  power  level.  The 
capability  of  the  high-load  evaporator/secondary  controller  on  Freon  loop  2  (worst  case)  is  ? 
44,200  Btu/hr  or  10  kW.  The  44,200  Btu/hr  is  based  on  test  data  on  one  high-locid 
evaporator  core.  No  specification  data  exists  for  the  high-load  evaporator  on  one  Freon 
loop.  Freon  loop  2  is  worst  case  because  Freon  loop  1  runs  closer  to  the  high-locid 
evaporator  core  and  has  better  heat  transfer  than  loop  2. 
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For  loss  of  either  the  topping  or  high-locid  evaporator,  due  to  a  suspected  freeze-up, 
consideration  will  be  given  to  staying  on  orbit  in  order  to  attempt  to  thaw  out  the  affected 
evaporator.  It  must  be  noted,  however,  that  the  symptoms  of  freeze-up  are  ambiguous  with 
the  instrumentation  available.  Further,  simply  flushing  out  the  ice  does  not  necessarily 
address  the  root  cause  of  the  problem  as  our  flight  history  (below)  has  demonstrated  Flushing 
the  core  with  the  secondary  controller  on  orbit  will  require  elevated  Freon  temperatures  to  the 
FES.  This  can  be  accomplished  by  bypassing  the  radiators  or  by  closing  the  doors. 

Flight  and  Ground  History.  During  Space  Environment  Simulation  Laboratory  ( SESL) 
testing  of  the  FES  pre-STS-1,  there  were  several  episodes  of  core  freezing,  all  of  which  were 
successfully  flushed  within  very  short  periods  (hours).  SESL  testing  was  done  under  one  g 
conditions,  however,  and  the  effects  of  that  are  not  well  known.  During  STS  41-G,  when  the 
topping  evaporator  froze,  the  ice  was  successfully  removed  from  the  core  after  28  hours  with 
the  radiators  in  the  high  set  point.  During  STS-26,  FES  shutdowns  occurred  between  38  and 
55  minutes  MET.  Corrosion  in  the  topping  core  surface  degraded  the  evaporation  process 
and  gave  the  ice  a  foothold.  Use  of  the  secondary  controller  cleared  the  ice  out  of  the  topping 
core  (secondary  topper  uses  both  A  and  B  H2O  nozzles  alternately,  has  no  shutdown  feature, 
and  operates  at  a  higher  control  temperature).  On  orbit,  the  radiator  controllers  were 
operated  in  the  high  set  point  to  thaw  out  any  ice  that  remained  in  the  high  load  or  topping 
cores. 

There  is  a  high  probability  that  the  FES  core  can  be  thawed  and/or  flushed  while  the  next 
worst  failu  re,  loss  of  a  Freon  loop,  is  severe  but  it  is  a  low  probability.  It  has  been  decided 
that  the  risk  of  staying  on  orbit  to  thaw  the  FES  is  warranted. 

DOCUMENTATION:  SEH-ITA-08 1-107;  SEH-ITA-83-01  IT;  STS  41-G  and  STS-26  flight 
data;  and  engineering  judgment. 
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5.  FES  FEEDLINES 

Loss  of  two  feedlines  is  equivalen  t  to  the  loss  of  total  FES  that  requires  a  next  PLS.  This  is 
because  the  next  failure  (loss  of  one  Freon  loop)  could  result  in  loss  of  crew  or  vehicle. 

With  the  loss  of  one  feedline,  full  operational  capability  is  maintained.  Although  this  results 
in  a  single  fault  tolerant  situation,  an  MDF  is  not  called  because  the  Freon  loops  and  flash 
evaporator  system  are  single-fault  toleran  t  systems  from  launch. 

DOCUMENTATION:  SEH-ITA-83-01  IT;  SEH-ITA-81-107. 

6.  ABS 


There  is  no  requirement  for  the  NHj  after  nominal  orbit  insertion.  The  FES  and  radiators 
are  used  for  orbit  and  entry  cooling.  The  NHj  boiler  is  not  required  until  post-rollout  and  cm 
emergency  powerdown  can  be  performed  ifNH j  is  not  available.  The  ammonia  boiler  is 
required  for  launch  aborts  since  the  radiators  cannot  be  coldsociked  in  these  cases. 

Therefore,  after  nominal  ascent  and  insertion  have  been  completed,  there  is  no  requirement 
for  the  NHj  boiler. 

DOCUMENTATION:  Flight  data. 

7.  RFCA/RADIA T OR  ISOLATION  VALVE  ®f050400-7i92 1 

An  RFCA  failed  in  min  rad  flow,  a  leak  isolated  to  the  radiators,  or  cm  isolation  valve  failed 
in  the  isolate  position  (loss  of  radiator)  is  a  PLS  with  the  following  considerations: 
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Continuing  to  run  the  loop  with  the  failed  radiator  will  result  in  high  FES  rates  and 
depletion  of  supply  H2O.  Upon  the  first  radiator  failure,  the  following  actions  are  required 
to  safe  the  vehicle  (ref  Rule  { A18-251 j,  FREON  COOLANT  LOOPS  (FCL)):  @[050400-7192  ] 

a.  Deactivate  affected  Freon  loop  and  flash  evaporator  and  power  down  to  14  kW. 
@[050400-7192]' 

h.  Maneuver  to  a  cold  radiator  attitude  (e.g.,  GG,  nose  Sun). 

Debris  Avoidance  or  Docked  attitudes  may  not  be  possible. 

Closing  the  affected  PLED  may  be  required  to  keep  the  Freon  in  the  failed  loop 
from  freezing. 

c.  Move  the  Flow  Prop  Valve  on  the  good  loop  to  the  ICH  position. 

d.  Payloads  that  require  active  cooling  will  be  terminated. 

e.  If  at  10.2  psi  and  cabin  temps  are  violated,  a  14.7  repress  will  be  required. 

These  actions  place  the  orbiter  in  a  safe  configuration  and  allow  for  the  filling  of  the  supply 
H2O  tanks.  Full  Supply  H2O  tanks  protect  the  vehicle  in  the  event  of  the  next  worst  failure 
(loss  of  the  good  Freon  loop).  The  next  worst  failure  would  require  the  following: 

a.  Power  down  to  7  kW  immediately  after  the  flowing  loop  fails. 

b.  Power  up  the  loop  with  the  failed  radiator  with  a  FES  con  troller  active. 

Secondary  Topper  or  full  up  primary  controller  may  be  required. 

c.  Power  up  to  11  kW  for  entry  at  TIG-2  hours. 

d.  If  supply  water  quan  tities  will  not  support  the  next  PLS,  an  ELS  will  be  declared. 
Depletion  of  supply  H2O  would  result  in  loss  of  cooling.  Loss  of  cooling  could  result 
in  loss  of  crew  and  vehicle. 
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Loss  of  both  RFCA’s  is  a  PLS  because  the  next  failure  (loss  of  FES)  could  result  in  loss  of 
crew/vehicle. 

Note  that  the  first  day  PLS  is  passed  up  in  order  to  allow  the  crew  to  recover  from  space 
adaptation  sickness  (SAS).  This  does  incur  some  risk  in  that  there  is  a  window  of  time  in 
which  supply  H20  quantities  will  not  support  the  next  worst  failure  (loss  of  the  good  loop). 
The  probability  of  this  occurring  is  low,  however,  so  SAS  takes  priority. 

DOCUMENTATION:  AEFTP  #162,  October  29,  1999.  @[050400-7192  ] 

If  an  RFCA  is  failed  in  the  “full  open”  position,  severed  measures  can  be  taken  to  ensure  the 
evaporator  outlet  temperature  remains  above  32  deg  F.  This  is  required  to  prevent  freezing 
of  the  H20  loops  at  the  interchanger.  These  measu  res  include: 

a.  Bypassing  the  good  loop ’s  radiator. 

b.  Going  to  high  control  set  point  (57  deg  F)  on  the  good  loop. 

c.  Attitude  constraints  (-ZLV). 

d.  Closing  the  PLBD  of  the  failed  loop. 

e.  Raise  ATCS  heat  load. 

f.  Disable  flow  con  trol  valve  on  good  loop  in  a  hotter  position. 

When  deciding  which  measure  to  use,  it  should  be  taken  into  account  that,  if  the  good  loop 
should  suddenly  fail,  the  evaporator  outlet  temperature  on  the  failed  loop  should  be  warm 
enough  so  as  not  to  freeze  the  water  loops. 

Since  severed  measures  can  be  taken  to  ensure  the  evaporator  outlet  temperature  remains 
above  32  deg  F,  it  is  not  necessary  to  shorten  the  mission  for  this  failure. 
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If  both  Freon  loop  RFCA’s  are  failed  in  the  full  open  position,  the  following  steps  can  be 
taken  to  ensure  the  evaporator  outlet  temperature  remains  above  32  deg  F: 

a.  Attitude  constraints  (-ZLV;  bay  to  Earth). 

b.  Closing  the  PLBD  of  either  loop. 

c.  Reuse  AT CS  heat  load. 

If  one  loop  sudden  ly  stops  runn  ing,  the  evaporator  ou  tlet  temperature  will  be  above  32  deg  F. 

Since  these  measures  can  be  taken  to  ensure  the  evaporator  outlet  temperature  remains  above 
32  deg  F,  it  is  not  necessary  to  shorten  the  mission  for  these  failures. 

It  should  be  noted  that,  if  a  loop  with  an  RFC  A  failed  full  open  cannot  be  bypassed,  either 
manually  or  automatically,  it  should  not  be  deactivated  if  at  all  possible.  A  stagnan  t  loop  will 
cold  soak  to  temperatures  below  zero  degrees.  If  the  loop  is  deactivated,  depending  on  the 
length  of  time  deactivated,  attitude,  and  temperature  of  the  loop  when  deactivated,  the  loop 
may  not  be  usable  without  freezing  the  interchanger. 

DOCUMENTATION:  SEH-ITA-81-416T 

8.  HEAT  EXCHANGER  LEAK 

An  MDF  is  required  for  a  heat  exchanger  leak  between  dissimilar  fluids  (other  than  Freon 
and  cabin  water )  because  the  possibility  exists  that  a  generic  problem,  such  as  corrosion, 
exists  in  the  heat  exchanger.  This  type  of  problem  could  eventually  result  in  a  total  loss  of  the 
heat  exchanger  and  the  vehicle.  It  is  considered  that  the  risk  of  losing  the  heat  exchanger 
does  not  warrant  a  PLS,  but  does  warrant  an  MDF. 

If  the  leak  is  between  Freon  and  a  cabin  water  loop,  PLS  is  required  because  the  next  failure 
(external  leak  in  the  water  loop)  could  result  in  the  crew  being  exposed  to  Freon  21,  which  is 
very  toxic.  In  addition,  the  water  loop  is  considered  lost  because  several  components  in  the 
water  loop  are  incompatible  with  Freon  21  and  may  foil  to  seal  or  function.  These  material 
incompatibilities,  in  addition  to  high  pressures  in  the  water  loop  (caused  by  the  Freon  loop 
leaking  into  the  water  loop),  increase  the  chances  of  the  water  loop  developing  an  external 
leak  into  the  cabin  and  exposing  the  crew  to  Freon  21.  In  November  of  1985,  the  following 
statement  was  published  in  the  SODB,  volume  III  concerning  a  Freon  to  water  loop  leak: 

“In  the  case  of  leakage  occurring  during  a  mission,  it  is  mandatory  to  abort  the  mission  at 
the  earliest  practiced  time  in  order  to  minimize  the  possibility  for  a  second  failure  which 
could  result  in  Freon  leak  into  the  cabin  air.  ” 
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Orbiter  Systems  Redundancy  Checkout,  05/15/84. 


Lockheed  Engineering  &  Management  Sendees  Co.,  Inc.  Memos/Anahses 
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STS-4  Flight  Data  Evaluation. 
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Ascent  With  RAD  Flow  in  One  FCL,  2/10/83. 
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Minimum  Freon  Flowrate  for  Aft  Avionics  Cooling,  7/11/84. 

Revised  Deorbit  Preparation  Timeline  Analysis,  1/10/85. 

Ammonia  Boiler  Operations  With  Degraded  Flow,  4/26/85. 

One  Freon  Coolan  t  Loop  Failed  in  Bypass,  7/2/86. 

Degraded  Cabin  WCL  Flowrate  Analysis,  12/86. 

Lab  Test  Report  -  O2  Restrictor  Evaluation  Test,  11/84. 

Equip  Cooling  Requirements,  Electrical/Electronic,  Rev  A  8/2/78. 

In  ternal  Letter  -  Freon  21  Con  tamination  of  Hydraulic  Systems, 
2/27/85. 

Interned  Letter  -  FCP  Operation  During  Dual  Freon/Wciter  Coolant 
Loop  Loss  Abort  and  Entry,  3/30/79 


VOLUME  A  06/20/02  FINAL  THERMAL  18-118 

Verify  that  this  is  the  correct  version  before  use. 


NASA  -  JOHNSON  SPACE  CENTER 


FLIGHT  RULES 


A 

A/D 
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AA 

ABE 

ABS 

ABV 

AC 

ACCEL 

ACCU 

ACCUM 

ACFM 

AC  IP 

ACK 

ACLS 

ACQ 

ACS 

ACT 

AD 

ADATA 

AD  COM 

ADI 

ADS 

ADTA 

AED 

AEFTP 

AERO 

AF 

AFB 

AFD 

AFD  CONF 

AFO 

AFFTC 

AFRCC 

AFSCF 

AFTP 


APPENDIX  A 

ACRONYMS  AND  ABBREVIATIONS 

SEMI-MAJOR  AXIS 
ANALOG  TO  DIGITAL 

ASCENT/ENTRY  FLIGHT  TECHNIQUES  PANEL 
AIR-TO-GROUND  (COMM) 

AUTOLAND 
ASCENDING  LEFT 
AUTO/MANUAL 

ACCELEROMETER  ASSEMBLY 
ARM  BASED  ELECTRONICS 
AMMONIA  BOILER  SUBSYSTEM 
ABSOLUTE 

AIR  BYPASS  VALVE 

ALTERNATING  CURRENT 

ACCELEROMETER 

AUDIO  CENTRAL  CONTROL  UNIT 

ACCUMULATOR 

ACTUAL  CUBIC  FEET  PER  MINUTE 

AERODYNAMIC  COEFFICIENT  IDENTIFICATION  PACKAGE 
ACKNOWLEDGE 

AUGMENTED  CONTINGENCY  LANDING  SITE 

ACQUISITION 

AUDIO  CONTROL  SYSTEM 

ACTUATOR 

ACTIVATION 

AIR  DATA 

AIR  DATA  TRANSDUCER  ASSEMBLY 

AEROSPACE  DEFENSE  COMMAND 

ATTITUDE  DIRECTION  INDICATOR 

AIR  DATA  SYSTEM 

AIR  DATA  TRANSDUCER  ASSENBLY 

ANALOG  EVENT  DRIVER 

ASCENT/ENTRY  FLIGHT  TECHNIQUES 

AERODYNAMICS 

AIR  FORCE 

AIR  FORCE  BASE 

AFT  FLIGHT  DECK 

ASSISTANT  FLIGHT  DIRECTOR  CONFERENCE  LOOP 

ABORT  FOR  ORBIT 

AIR  FORCE  FLIGHT  TEST  CENTER 

AIR  FORCE  RESCUE  COORDINATION  CENTER 

AIR  FORCE  SATELLITE  CONTROL  FACILITY 

ASCENT  FLIGHT  TECHNIQUES  PANEL 
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AGL 

AGS 

AIF 

AIL 

AKA 

ALARA 

ALC (A) 

ALIGNS 

ALP 

ALS 

ALT 

AM 

AME 

AMI 

AMP 

ANT 

AOA 

AOS 

APC (A) 

APDS 

APDU 

APU 

ARC 

ARCS 

ARD 

ARPCS 

ARS 

AS 

ASA 

ASAP 

ASC 

ASCS 

AS  I 

ASSY 

ATCO 

ATCS 

ATO 

ATT 

ATU 

ATVC 

AUTO 

AUX 

AV 

AVAIL 


ABOVE  GROUND  LEVEL 
ANTI  G-SUIT 
AUTO/ INHIBIT/FORCE 
AILERONS 

ACTIVE  KEEL  ASSEMBLY 

AS  LOW  AS  REASONABLY  ACHIEVABLE 

AFT  LOAD  CONTROL  (ASSEMBLY) 

ALIGNMENT (S) 

APPROACH  AND  LANDING  PLAN 
AUGMENTED  LANDING  SITE 
ALTITUDE 

APPROACH  AND  LANDING  TESTS 
ACTUAL  MODE 

ABORT  MANEUVER  EVALUATOR 
ALPHA  MACH  INDICATOR 
AMPERE 
ANTENNA 

ABORT-ONCE-AROUND 

ACQUISITION  OF  SIGNAL 

AFT  POWER  CONTROLLER  (ASSEMBLY) 

ANDROGYNOUS  PERIPHERAL  DOCKING  SYSTEM 

AFT  POWER  DISTRIBUTION  UNIT 

AUXILIARY  POWER  UNIT 

AMES  RESEARCH  CENTER 

AFT  REACTION  CONTROL  SYSTEM 

ABORT  REGION  DETERMINATION 

ATMOSPHERIC  REVITALIZATION  PRESSURE  CONTROL  SYSTEM 

ATMOSPHERIC  REVITALIZATION  SYSTEM 

AIRSPEED 

AEROSURFACE  SERVO  AMPLIFIER 
AS  SOON  AS  PRACTICAL 
AS  SOON  AS  POSSIBLE 
ASCENT 

ATMOSPHERE  STORAGE  AND  CONTROL  SYSTEM 

AEROSURFACE  STICK  INPUT 

ASSEMBLY 

AMBIENT  TEMPERATURE  CATALYTIC  OXIDIZER 
ACTIVE  THERMAL  CONTROL  SYSTEM 
ABORT  TO  ORBIT 
ATTITUDE 

AUDIO  TERMINAL  UNIT 

ASCENT  THRUST  VECTOR  CONTROL 

AUTOMATIC 

AUXILIARY 

AVIONICS 

AVAILABLE 
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AVE 
AVG 
AW  I 
AZ 


AVERAGE 

AVERAGE 

ALTITUDE /VERTICAL 
AZIMUTH 


VELOCITY  INDICATOR 


B/C 

ELECTRICAL  BUS  DESIGNATORS 

B/H 

BULKHEAD 

B/U 

BACKUP 

BARO 

BAROMETER 

BCE 

BUS  CONTROL  ELEMENT 

BD 

BOARD 

BD  FLAP,  B/F 

BODY  FLAP 

BDA 

BERMUDA  ISLAND  ( STDN  STATION) 

BEN 

BEN  GUERIR  (PRIME  TAL  SITE) 

BET 

BENDING  EFFECT  TEMPERATURE 

BEST  ESTIMATE  TRAJECTORY 

BETA 

VEHICLE  SIDESLIP  ANGLE 

BF 

BODY  FLAP 

BFS 

BACKUP  FLIGHT  SYSTEM 

BITE 

BUILT-IN  TEST  EQUIPMENT 

BIU 

BUS  INTERFACE  UNIT 

BLKHD 

BULKHEAD 

BRTS 

BOOSTER  REAL  TIME  SOFTWARE 

BSR 

BITE  STATUS  REGISTER 

BSE 

BOOSTER  SYSTEMS  ENGINEER 

BT 

BURN  TIME 

BTU 

BUS  TERMINAL  UNIT 

BUC 

BACKUP  COMPUTER 

BUCKHORN  (STDN  STATION) 

BYD 

BANJUL  (PRIME  TAL  SITE) 

BYP 

BYPASS (ED) 

C 

CENTER 

CELSIUS 

C&W 

CAUTION  AND  WARNING 

C/A 

ELECTRICAL  BUS  DESIGNATORS 

C/L 

CENTER  LINE 

C/O 

CUTOFF 

CHECKOUT 

CA 

CONTINGENCY  ABORT 

CAB 

CABIN 

CAL 

CALIBRATION 

CALIFORNIA 

CAM 

COMPUTER  ANNUNCIATION  MATR 
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CAP 

CAR 

CAU 

CB,  cb 
CC 

CCAFS 

CCB 

CCC 

CCR 

CCS 

CCTV 

CDDS 

CDE 

CDMS 

CDR 

CDS 

CDSS 

CDV 

CEI 

CEWL 

CG,  c . g . 

CHIT 

CHNL,  CH 

Cl 

CIC 

CIE 

CIL 

CIR,  CIRC 

CIU 

CK 

CKT 

CL,  CLS 
CM 

CMD ,  CMND 

CMDR 

CME/V 

CM/SEC 

CNTL 

CNTLR 

CO 

C/O 

C02 


CAPABILITY 

CORRECTIVE  ACTION  REPORT 
CHANNEL  ATTACH  UNIT 
CIRCUIT  BREAKER 
CONVOY  COMMANDER 

CAPE  CANAVERAL  AIR  FORCE  STATION 
CHANGE  CONTROL  BOARD 

CODED  CONTROL  SYSTEM  COMMAND  BUFFER 
CENTRALIZED  COMPUTATION  COMPLEX 
CONTROL  CENTER  RACK 
COMMAND  CONTROL  SYSTEM 
CLOSED  CIRCUIT  TELEVISION 
COMMAND  DATA  AND  DATA  SUBSYSTEM 
CONSOLIDATED  DEVELOPMENT  ENVIRONMENT 
COMMAND  AND  DATA  MANAGEMENT  SYSTEM 
COMMANDER 

COMMAND  DATA  SYSTEM  (SUBSYSTEM) 
CURRENT  DATA  SYSTEM 
CONSOLIDATED  DATA  SELECT  SWITCH 
CABIN  DEPRESS  VALVE 
CERTIFIED  END  ITEM 

CENTRALIZED  EXPERIMENT  WATER  LOOP 
CENTER  OF  GRAVITY 

SHORT  NOTE  OR  LETTER  (NOT  AN  ACRONYM) 

CHANNEL 

CONE  INDEX 

CREW  INTERFACE  COORDINATOR 

COMPUTER  INTERFACE  ELECTRONICS 

CRITICAL  ITEMS  LIST 

CIRCULAR 

CIRCULATION 

COMMUNICATIONS  INTERFACE  UNIT 

CHECK 

CIRCUIT 

CLOSE  (D) 

CENTIMETER 

CONFIGURATION  MANAGEMENT 

COMMAND 

COMMANDER 

COMMAND  MESSAGE  ENCODER/VERIFIER 

CENTIMETERS  PER  SECOND 

CONTROL 

CONTROLLER 

CARBON  MONOXIDE 

CHECKOUT 

CARBON  DIOXIDE 
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COAS 

COF 

COFR 

COF  2 

COLA 

COMBO 

COMM 

COMP 

COMSEC 

CONF 

CONFIG 

CONT 

CONTRS 

CONUS 

CPA 

CPHS 

CPDS 

CPM 

CPSE 

CR 

CRIT 

CRSFD 

CRT 

CRU 

CRYO 

CS 

CSC 

CSDL 

CSM 

CSS 

CST 

CTU 

CU 

CWC 

CWEA 

CWS 


CREW  OPTICAL  ALIGNMENT  SIGHT 
PATRICK  AIR  FORCE  BASE  (TACAN) 

CERTIFICATE  OF  FLIGHT  READINESS 
CARBONYL  FLUORIDE 
COLLISION  AVOIDANCE 

COMPUTATION  OF  MISSES  BETWEEN  ORBITS 

COMMUNICATIONS 

COMPUTER 

COMMUNICATIONS  SECURITY 

CONFERENCE 

CONFIGURATION 

CONTINGENCY 

CONTINUED 

CONTROLLERS 

CONTINENTAL  UNITED  STATES 
COMBUSTION  PRODUCTS  ANALYZER 
CLOSEST  POINT  OF  APPROACH 

COMMITTEE  FOR  THE  PROTECTIONS  OF  HUMAN  SUBJECTS 

COMPUTER  PROGRAM  DESIGN  SPECIFICATION 

CELL  PERFORMANCE  MONITOR 

COMMON  PAYLOAD  SUPPORT  EQUIPMENT 

CHANGE  REQUEST 

CRITICAL 

CROSSFEED 

CATHODE  RAY  TUBE 

CONVERTER  REGULATOR  UNIT 

CRYOGENIC 

COMMON  SET 

COMMAND  SYSTEM  CONTROLLER 
CONTINGENCY  SUPPORT  CENTER 
CHARLES  STARK  DRAPER  LABORATORY 
COMPUTER  STATUS  MATRIX 
CONTROL  STICK  STEERING 
CONDENSATE  STORAGE  TANK 
COMMAND  AND  TELEMETRY  UNIT 
CONTROL  UNIT 

CONTINGENCY  WATER  COLLECTION 
CONTINGENCY  WATER  CONTAINER 
CAUTION  AND  WARNING  ELECTRONIC  ASSEMBLY 
CAUTION  AND  WARNING  SYSTEM 


D  DAY 

DEPLOY 

DRAG 

D&C  DISPLAY  AND  CONTROL 
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D/L 

DOWN  LINK 

D/O 

DEORBIT 

D/Q 

DISQUALIFICATION 

DA 

DISTRIBUTION  ASSEMBLY 

DAC 

DIGITAL-TO-ANALOG  CONVERTER 

DACS 

DATA  ACQUISITION  AND  CONTROL  SYSTEM 

DAE 

DOWNRANGE  ABORT  EVALUATOR 

DAK 

DAKAR  ( STDN  SITE) 

DAP 

DIGITAL  AUTO  PILOT 

DB 

DEADBAND 

DECIBEL 

DBZ 

DECIBELS  OF  Z 

DC,  dc 

DIRECT  CURRENT 

DCC 

DATA  COMPUTATION  COMPLEX 

DCM 

DISPLAYS  AND  CONTROLS  MODULE 

DCU 

DIGITAL  COMPUTER  UNIT 

DDF 

DATA  DISTRIBUTION  FUNCTION 

DDH 

DUMP  DATA  HANDLER 

DDS 

DESCENT  DESIGN  SYSTEM 

DATA  DISPLAY  SYSTEM 

DDU 

DISPLAY  DRIVER  UNIT 

DEA 

DEPLOYED  ELECTRONICS  ASSEMBLY 

DEACT 

DEACTIVATION 

DEC 

DECLINATION 

DECEL 

DECELERATION 

DECOM (S) 

DECOMMUTATION  (S) 

DED 

DEDICATED 

DEG 

DEGREE 

DEG/SEC 

DEGREES  PER  SECOND 

DEL 

DEORB IT/ENTRY /LANDING 

DELTA  T 

DELTA  TRACKING 

DELTA  V 

DELTA  VELOCITY  (CHANGE  IN  VELOCITY) 

DEORB 

DEORBIT 

DEP/REP 

DEPRESS/REPRESS 

DES 

DESCENDING 

DETECT 

DETECTION 

DEU 

DISPLAY  ELECTRONICS  UNIT 

DEV 

DEVIATION 

DFI 

DEVELOPMENT  FLIGHT  INSTRUMENTATION 

DFL 

DECOM  FORMAT  LOAD 

DFRC 

DRYDEN  FLIGHT  RESEARCH  CENTER 

DFRF 

DRYDEN  FLIGHT  RESEARCH  FACILITY 

DIFF 

DIFFERENT 

DIR 

DIRECTION 

DISC 

DISCONNECT 

DISCH 

DISCHARGE 
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DIST 

DK 

DKR 

DMA 

DMP 

DMU 

DN 

DNS 

DOD 

DOF 

DOL 

DOLILU 

DPA 

DP/DT 

DPLY 

DPS 

DR 

DRK 

DRN 

DRSCS 

DS 

DSC 

DSN 

DSO 

DT 

DTE 

DTO 

DU 

DVIS 

DYN 


e .  g . 

E&D 

EAFB 

EAS 

ECAL 

ECAS 

ECG 

ECIO 

ECLS 

ECLSS 

ECOS 


VOLUME  A 


FLIGHT  RULES 


DISTRIBUTION 
DISPLAY/KEYBOARD 
DAKAR  ( STDN  SITE) 

DIRECT  MEMORY  ACCESS 
DUMP 

DATA  MANAGEMENT  UNIT 
DISCREPANCY  NOTICE 
DOMAIN  NAME  SERVER 
DEPARTMENT  OF  DEFENSE 
DEGREE-OF-FREEDOM 
DIRECTION  OF  FLIGHT 
DAY  OF  LAUNCH 

DAY  OF  LAUNCH  I-LOAD  UPLINK 
DATA  PROCESSING  ASSEMBLY 
PRESSURE  CHANGE  RATE 
DEPLOY 

DATA  PROCESSING  SYSTEM  (ALSO  AN  MCC-H  FLIGHT 
CONTROL  POSITION) 

DISCREPANCY  REPORT 

DISPLAY  REQUIREMENTS  KEYBOARD 

DRAIN 

DIGITAL  RANGE  SAFETY  COMMAND  SYSTEM 
DUAL  STRING 

DEDICATED  SIGNAL  CONDITIONER 
DYNAMIC  STANDBY  COMPUTER 
DEEP  SPACE  NETWORK 

DETAILED  SUPPLEMENTARY  OBJECTIVE 
DISCHARGE  TEMPERATURE 
DIGITAL  TELEVISION  EQUIPMENT 
DETAILED  TEST  OBJECTIVE 
DISPLAY  UNIT 

DIGITAL  VOICE  INTERCOMMUNICATIONS  SYSTEM 
DYNAMIC 


FOR  EXAMPLE 

ENGINEERING  AND  DEVELOPMENT 
EDWARDS  AIR  FORCE  BASE 
EQUIVALENT  AIR  SPEED 
EAST  COAST  ABORT  LANDING 

EXPERIMENT  COMPUTER  APPLICATION  SOFTWARE 
ELECTROCARDIOGRAM 

EXPERIMENT  COMPUTER  INPUT/OUTPUT 
ENVIRONMENTAL  CONTROL  AND  LIFE  SUPPORT 
ENVIRONMENTAL  CONTROL  AND  LIFE  SUPPORT  SYSTEM 
EXPERIMENT  COMPUTER  OPERATING  SYSTEM 
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ECS 

ECU 

ED 

EDO 

EDOMP 

EDTE 

EDW 

EE 

EECOM 

EFTP 

EGIL 

EGT 

El 

EIU 

ELEV 

ELS 

EMCC 

EM 

EMER 

EMI 

EMU 

EMUM 

ENA,  ENBL 
ENG 

ENT 

EO 

EOM 

EPBD 

EPIC  (S) 

EPODES 

EPA 

EPSOM 

PEST 

ESL 

ER 

ESSMC 

ESCON 

EST 

ET 

ET 

METRO 


ENVIRONMENTAL  CONTROL  SYSTEM 
ENVIRONMENTAL  CONTROL  UNIT 
EDITORIAL 

EXTENDED  DURATION  ORBITER 

EXTENDED  DURATION  ORBITER  MEDICAL  PROJECT 

EMULATED  DTE 

EDWARDS  AIR  FORCE  BASE 

END  EFFECTOR 

EMERGENCY,  ENVIRONMENTAL,  AND  CONSUMABLES 
MANAGEMENT  SYSTEMS  -  MCC-H  FLIGHT  CONTROL  POSITION 
ENTRY  FLIGHT  TECHNIQUES  PANEL 

ELECTRICAL,  GENERATION,  AND  INTEGRATED  LOADING 

SYSTEMS  -  MCC-H  FLIGHT  CONTROL  POSITION 

EXHAUST  GAS  TEMPERATURE 

ENTRY  INTERFACE 

ENGINE  INTERFACE  UNIT 

ELEVON 

EMERGENCY  LANDING  SITE 
EMERGENCY  MISSION  CONTROL  CENTER 
EMERGENCY 
EMERGENCY 

ELECTROMAGNETIC  INTERFERENCE 
EXTRAVEHICULAR  MOBILITY  UNIT 

UNITED  TECHNOLOGY/HAMILTON  STANDARD  ENGINEERING 

MEMORANDUM 

ENABLE (D) 

ENGINE 

ENGAGE 

ENTRY 

ENGINEERING  ORDER 
END  OF  MISSION 

ELECTRICAL  POWER  BRANCHING  DISTRIBUTOR 

ELECTRICAL  POWER  DISTRIBUTION  AND  CONTROL  (SYSTEM) 

ELECTRICAL  POWER  DISTRIBUTION  SYSTEM 

ELECTRICAL  POWER  SUBSYSTEM 

ELECTRICAL  POWER  SWITCHING  PANEL 

ELECTRICAL  POWER  SYSTEM  TEST 

EQUIPMENT  SUPPORT  SECTION 

ESSENTIAL  BUS 

EASTERN  RANGE 

EASTERN  SPACE  AND  MISSILE  CENTER 
ENTERPRISE  SYSTEM  CONNECTION  MANAGER 
ESTIMATED 
EXTERNAL  TANK 
ET  CETERA 

EXPECTED  TIME  TO  RETURN  TO  OPERATION 
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EVE 

EVA 

EVAN 

EVAN 

EVES 

EXEC 

EX 

EXCEPT 

EX 

EX 

ET 


F 

F/C 

FA 

FAA 

FAD 

FC 

FCL 

FCO 

FCP 

FCR 

FCS 

FCT 

FD 


FDA 

FDBK 

FDDD 

FDF 

FDI 


FDIR 

FDM 

FDO 

FEID 

FEP 

FES 

FF 


VOLUME  A 


FLIGHT  RULES 


EXTRAVEHICULAR 
EXTRAVEHICULAR  ACTIVITY 
EVACUATED 
EVAPORATOR 

EXTRAVEHICULAR  LIFE  SUPPORT  SYSTEM 
EXECUTE 

EXPERIMENT  COMPUTER 
EXPERIMENT  CONTROL  PANEL 
EXPERIMENT  INPUT/OUTPUT 
EXPERIMENT 
EXTENSION 


FAHRENHEIT 
FLIGHT  CONTROL 
FLIGHT  AFT 

FEDERAL  AVIATION  AGENCY 
FLIGHT  ASSESSMENT  AERO  DATA 
FLIGHT  CRITICAL 
FUEL  CELL 

FREON  COOLANT  LOOP 

FLIGHT  CONTROL  OFFICER  (RANGE/KSC) 

FUEL  CELL  PANEL 
FLIGHT  CONTROL  ROOM 
FLIGHT  CONTROL  SYSTEM 
FLIGHT  CONTROL  TEAM 
FLIGHT  DAY 
FLIGHT  DECK 
FLIGHT  DIRECTOR 
FREEZE  DRY 

FAULT  DETECTION  AND  ANNUNCIATION 
FEEDBACK 

FLIGHT  DESIGN  AND  DYNAMICS  DIVISION 

FLIGHT  DATA  FILE 

FLIGHT  DYNAMICS  FACILITY 

FAILURE  DETECTOR  INDICATOR 

FAULT  DETECTION  AND  IDENTIFICATION 

FAULT  DETECTION  AND  ISOLATION 

FAULT  DETECTION,  IDENTIFICATION,  RECONFIGURATION 
FREQUENCY  DIVISION  MULTIPLEXER 
FLIGHT  DYNAMICS  OFFICER 

FUNCTIONAL  EQUIPMENT  INTERFACE  DEVICE 
FUNCTIONAL  ENGINEERING  INTERFACE  DEVICE 
FRONT  END  PROCESSOR 
FLASH  EVAPORATOR  SYSTEM 
FLIGHT  FORWARD 
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FFM 

FI 

FID 

FL 

FL  '  D 

FLC (A) 

FLEX 

FLMCP 

FLT 

FM 

FMC 

FMEA 

FO/FS 

FOD 

FOIO 

FOR 

FOS 

FOSA 

FOV 

FPC (A) 

FPM 

FPOV 

FPR 

FPS 

FPV 

FRCB 

FRD 

FRCS 

FRS  I 

FS 

FSCEU 

FSS 

FSW 

FT 


FT/SEC 

FTO 

FTP 

FTR 

FTS 

FU 

FWD 


FUEL  FLOWMETER 

ADVANCED  FELT  REUSABLE  SURFACE  INSULATION 

FAILURE  IDENTIFIER 

FLOW 

FAILED 

FORWARD  LOAD  CONTROL  (ASSEMBLY) 

FLEXIBLE 

FLUID  LOOP  MONITOR  AND  CONTROL  PANEL 
FLIGHT 

FREQUENCY  MODULATION 

FORWARD  MOTOR  CONTROLLER 

FAILURE  MODES  AND  EFFECTS  ANALYSIS 

FAIL  OPERATIONAL/FAIL  SAFE 

FLIGHT  OPERATIONS  DIRECTORATE 

FLIGHT  OPERATIONS  INTEGRATION  OFFICE 

FLIGHT  OPERATIONS  REVIEW 

FACTOR  OF  SAFETY 

FLIGHT  OPERATIONS  SUPPORT  ANNEX 
FIELD  OF  VIEW 

FORWARD  POWER  CONTROL  (ASSEMBLY) 

FEET  PER  MINUTE 
FLOW  PROPORTIONING  NODULE 
FUEL  PREBURNER  OXIDIZER  VALVE 
FLIGHT  PROPELLANT  RESERVES 
FEET  PER  SECOND 
FLOW  PROPORTIONING  VALVE 
FLIGHT  RULES  CONTROL  BOARD 
FLIGHT  REQUIREMENTS  DOCUMENT 
FORWARD  REACTION  CONTROL  SYSTEM 
FELT  REUSABLE  SURFACE  INSULAIION 
FLIGHT  SURGEON 

FIRE  SUPPRESSION  CONTROL  ELECTRONICS  UNIT 
FIRE  SUPPRESSION  SYSTEM 
FLIGHT  SOFTWARE 
FEET 

FLIGHT  TECHNIQUES 
FOOT 

FEET  PER  SECOND 
FLIGHT  TEXT  OBJECTIVE 
FLIGHT  TECHNIQUES  PANEL 
FLIGHT  TEST  REQUIREMENTS 
FAIL  TO  SYNCHRONIZE 
FLIGHT  TERMINATION  SYSTEM 
FUEL 
FORWARD 
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g  or  G 
G&C 

G/S 

GAX 

GBI 

GCA 

GCIL 

GDR 

GDS 

GFE 

GG 

GGVM 

GH2 

GLS 

GMEM 

GMT 

GN2 

GNC 

GND 

G02 

GOM 

GOSR 

GPC 

GPM 

GPS 

GRTLS 

GS 

GSE 

GSFC 

GSTDN 

GUID 

GWM 

GYRO 


FORCE  OF  GRAVITY  AT  SEA  LEVEL 

GUIDANCE  AND  CONTROL  (ALSO  AN  MCC-H  FLIGHT  CONTROL 
POSITION) 

GLIDE  SLOPE 

GN&C/ ANNUNCIATION  INTERFACE 
GRAND  BAHAMAN  ISLANDS 
GROUND  CONTROLLED  APPROACH 

GROUND  INTERFACE  COMMAND  LOGIC  CONTROLLER 
GENERALIZED  DATA  RETRIEVAL 
GOLDSTONE  ( STDN  STATION) 

GOVERNMENT  FURNISHED  EQUIPMENT 
GAS  GENERATOR 
GRAVITY  GRADIENT 
GAS  GENERATOR  VALVE  MODULE 
GASEOUS  HYDROGEN 
GROUND  LAUNCH  SEQUENCER 
GENERAL  MEMORY  UPDATE 
GREENWICH  MEAN  TIME 
GASEOUS  NITROGEN 

GUIDANCE,  NAVIGATION,  AND  CONTROL  -  MCC-H  FLIGHT 

CONTROL  POSITION 

GROUND 

GASEOUS  OXYGEN 
GROUND  OPERATIONS  MANAGER 
GROUND  OPERATION  SUPPORT  ROOM 
GENERAL  PURPOSE  COMPUTER 
GALLONS  PER  MINUTE 
GLOBAL  POSITIONING  SYSTEM 
GLIDE  RETURN  TO  LANDING  SITE 
GROUND  SPEED 

GROUND  SUPPORT  EQUIPMENT 
GODDARD  SPACE  FLIGHT  CENTER 

GROUND  ELEMENTS  OF  SPACEFLIGHT  TRACKING  AND 
DATA  NETWORK  (EXCLUDES  TDRSS ) 

GUIDANCE 

GUAM  (STDN  STATION) 

GYROSCOPE 


H  ALTITUDE 

H-DOT  RATE  OF  CHANGE  OF  ALTITUDE 

H2  HYDROGEN 

h2o  WATER 

h2o  gp  water  gas  pressure 

h2o  wp  water  pressure 
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ha 

HAC 

HBr 

HC1 

HCN 

HD 

HDOT 

HDR 

HDRR 

HDWE 

He 

HF 

HFA 

HFE 

Hg 

HI 

HM 

HOSC 

Hp 

HP 

HPFT 

HPFTP 

HPG 

HPMDE 

HPOP 

HPOT 

HPOTP 

HPU 

HQR 

HR 

HRA 

HRDA 

HRDM 

HRM 

HRS  I 

HR  (S) 

HSD 

HSI 

HST 

HSTD 

HTR 

HUD 

H/W 

HX 

HYD 


HEIGHT  OF  APOGEE 

HEADING  ALIGNMENT  CIRCLE 

HYDROBROMIC  ACID 

HYDROGEN  CHLORIDE 

HYDROGEN  CYANIDE 

HIGHLY  DESIRABLE 

RATE  OF  CHANGE  OF  ALTITUDE 

HIGH  DATA  RATE 

HIGH  DATA  RATE  RECORDER 

HARDWARE 

HELIUM 

HYDROFLUORIC  ACID 

HAB  FAN  ASSEMBLY 

HIGH  FREQUENCY  EXECUTIVE 

MERCURY 

HIGH 

HINGE  MOMENT 

HUNTSVILLE  OPERATIONS  SUPPORT  CENTER 
HEIGHT  OF  PERIGEE 
HIGH  POWER 

HIGH  PRESSURE  FUEL  TURBOPUMP 

HIGH  PRESSURE  FUEL  TURBOPUMP  PRESSURE 

HIGH  PRESSURE  GAS 

HIGH  PRIORITY  MISSION  OBJECTIVE  EXCEPTION 

HIGH  PRESSURE  OXIDIZER  PUMP 

HIGH  PRESSURE  OXIDIZER  TURBOPUMP 

HIGH  PRESSURE  OXIDIZER  TURBOPUMP  PRESSURE 

HYDRAULIC  POWER  UNIT 

HANDLING  QUALITY  RATING 

HOUR 

HELMET  RETENTION  ASSEMBLY 
HIGH  RATE  DATA  ASSEMBLY 
HIGH  RATE  DEMULTIPLEXER 
HIGH  RATE  MULTIPLEXER 

HIGH  TEMPERATURE  REUSABLE  SURFACE  INSULATION 
HOUR (S) 

HORIZONTAL  SITUATION  DISPLAY 
HORIZONTAL  SITUATION  INDICATOR 
HUBBLE  SPACE  TELESCOPE 
HIGH  SPEED  TRACKING  DATA 
HEATER 

HEADS  UP  DISPLAY 

HARDWARE 

HEAT  EXCHANGER 

HYDRAULIC 
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i 

i .  e . 

I/C,  ICH 

I/C 

I/F 

I/O 

I  AW 

IBM 

ICB 

ICC 

ICD 

ICH 

ICV 

ID 

IE 

IECM 

IFA 

IFM 

IGN 

IGOR 

IIP 

ILL 

IMCP 

IMSL 

I  MU 

IMVS 

IN 

IN/MIN 

INBD 

INCO 

INCORP 

INH 

IN/HR 

INI  T 

INSTR 

INTRL 

INV 

INWS 

IOM 

IOP 

IOS 

IOU 

IP 

IPL 


CURRENT 

THAT  IS 

INTERCHANGER 

INTERCONNECT 

INTERFACE 

INPUT/OUTPUT 

IN  ACCORDANCE  WITH 

INTERNATIONAL  BUSINESS  MACHINES 

INTEGRATION  CONTROL  BOARD 

INTERCOMPUTER  COMMUNICATION 

INTERFACE  CONTROL  DOCUMENT 

INTERCHANGER 

INTERCENTER  VECTOR 

IDENTIFICATION 

INPUT  ELECTRONICS 

INDUCED  ENVIRONMENT  CONTAMINATION  MONITOR 
IN-FLIGHT  ANOMALY 
IN-FLIGHT  MAINTENANCE 
IGNITION 

INTERCEPT  GROUND  OPTICAL  RECORDER 
INSTANTANEOUS  IMPACT  PREDICTION  (POINT) 
IMPACT  LIMIT  LINE 

INTEGRATED  MONITORING  AND  CONTROL  PANEL 
INTERMEDIATE  SEAL 
INERTIAL  MEASUREMENT  UNIT 
INTERCHANGEABLE-MID-VALUE-SELECT 
INCHES 

INCHES  PER  MINUTE 
INBOARD 

INTEGRATED  COMMUNICATIONS  OFFICER 

INCORPORATED 

INHIBIT 

INCHES  PER  HOUR 

INITIATION 

INSTRUMENTATION 

INERTIAL 

INVERTER 

IMPROVED  NOSEWHEEL  STEERING 

INPUT/OUTPUT  MODULE 

INPUT/OUTPUT  PROCESSOR 

INDIAN  OCEAN  STATION  (SGLS  STATION) 

INPUT/OUTPUT  UNIT 

INSTRUMENTATION  PCMMU 

IMPACT  POINT 

INITIAL  PROGRAM  LOAD 
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IPS 

I  RAMS 

IRD 

ISO 

ISOL 

ISP 

IU 

IUS 

IV 

IVA 


INCHES  PER  SECOND 

INERTIAL  REFERENCE  ALIGNMENT  MONITOR  SYSTEM 

INTEGRATED  RECEIVER  DECODER 

ISOLATION 

ISOLATION 

INTERMEDIATE  SEAL  PURGE 
SPECIFIC  IMPULSE 
INTERFACE  UNIT 
INERTIAL  UPPER  STAGE 
INTRA VEHICULAR 
INTRAVEHICULAR  ACTIVITY 


JDI  JONATHAN  DICKINSON  (STDN  STATION) 

JOIP  JOINT  OPERATIONS  INTERFACE  PROCEDURE 

JSC  JOHNSON  SPACE  CENTER 


K 

KB 

KBPS 

KEAS 

KFT/SM 

KG 

KOH 

KSC 

KTS 

KVA 

KW  or  kW 

KWH 

KYBD 


THOUSAND (S) 

KEYBOARD 

KILOBITS 

KILOBITS  PER  SECOND 
KNOTS  EQUIVALENT  AIR  SPEED 
1000  FEET  PER  STATUTE  MILE 
KILOGRAMS 

POTASSIUM  HYDROXIDE 
KENNEDY  SPACE  CENTER 
KNOTS 

KILOVOLT  AMPERES 
KILOWATTS 

KILOWATTS  PER  HOUR 
KEYBOARD 


L 

L/D 

L/L 

L/O 

LAN'  S 

LAS 

LB 

LB/HR 

LBM 

LBMP 

LCA 

LCC 


LEFT 

LIFT-TO-DRAG  RATIO 

LAUNCH/LANDING 

LIFT-OFF 

LOCAL  AREA  NETWORKS 
LAUNCH  AREA  STEEP 
POUND (S) 

POUNDS  PER  HOUR 
POUNDS  MASS 

LOWER  BODY  NEGATIVE  PRESSURE 
LOAD  CONTROL  ASSEMBLY 

LAUNCH  COMMIT  CRITERIA  (DOCUMENT  NSTS  16007) 
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LCU 

LAUNCH  CONTROL  CENTER 

LAUNCH  CORRELATION  UNIT 

LCVG 

LIQUID  COOLING  VENTING  GARMENT 

LD 

LOAD 

LDB 

LAUNCH  DATA  BUS 

LDG  GR,  LG 

LANDING  GEAR 

LDR 

LOW  DATA  RATE 

LED 

LIGHT  EMITTING  DIODE 

LEMSCO 

LOCKHEED  ENGINEERING  AND  MANAGEMENT  SERVICES 

LEQ 

COMPANY 

AVERAGE  NOISE  LEVEL 

LES 

LAUNCH/ENTRY  SUIT 

LF 

LAUNCH  FACILITY 

LPFP 

LAUNCH  FORWARD 

LEFT  FORWARD 

LOAD  FACTOR 

LOW  PRESSURE  FUEL  PUMP 

LFT 

LEFT 

LG 

LANDING  GEAR 

LH 

LEFT  HAND 

LH2 

LIQUID  HYDROGEN 

LIB 

LEFT  INBOARD 

LIN 

LINE 

LiOH  (LIOH) 

LITHIUM  HYDROXIDE 

LK 

LEAK 

LL 

LOW  LEVEL 

LMT 

LOWER  LIMIT 

LIMIT 

LNG 

LANDING 

lo2 

LIQUID  OXYGEN 

LOB 

LEFT  OUTBOARD 

LOC 

LOSS  OF  CONTROL 

LOS 

LOSS  OF  SIGNAL 

LOX 

LIQUID  OXYGEN 

LP 

LOW  POWER 

LPFT 

LOW  PRESSURE  FUEL  TURBOPUMP 

LRD 

LANDING  AND  RECOVERY  DIRECTOR 

LRS  I 

LOW  TEMPERATURE  REUSABLE  SURFACE  INSULATOR 

LRU 

LINE  REPLACEABLE  UNIT 

LSEAT 

LAUNCH  SYSTEMS  EVALUATION  ADVISORY  TEAM 

LSO 

LANDING  SUPPORT  OFFICER 

LT 

LIGHT 

LTCH 

LATCH 

LUBE 

LUBRICATION 

LVAR 

LATERAL  VARIATIONS 

LVL 

LEVEL 
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LVLH 

LWKL 

LWLL 


M 


MAD 

MADS 

MAL 

MALF 

MAN 

MANF 

MAX  Q 

MAX 

MB 

MBARS 

MBL 

MBPS 

MC 

MCA 

MCC 

MCC-H 

MCDS 

MCIU 

MCP 

MCV 

MD 

MDA 

MDF 

MDK 

MDSSC 

MDTSCO 

MDM 

MEC 

MECO 

MED 

MEDS 

MEM 

MEP 

MER 

MET 


VOLUME  A 


FLIGHT  RULES 


LOCAL  VERTICAL  LOCAL  HORIZONTAL 
LIGHTWEIGHT  KEEL  LATCH 
LIGHTWEIGHT  LONGERON  LATCH 


MANDATORY 
MACH  NUMBER 
MINUTE 

MADRID  ( STDN  STATION) 

MODULAR  AUXILIARY  DATA  SYSTEM 

MALFUNCTION 

MALFUNCTION 

MANUAL 

MANIFOLD 

MAXIMUM  DYNAMIC  PRESSURE 

MAXIMUM 

MEGABITS 

MILLIBARS 

MOBILE  UNIT  ( TACAN  STATION) 

MEGABITS  PER  SECOND 

MISSION  COMPLETION 

MOTOR  CONTROL  ASSEMBLY 

MISSION  CONTROL  CENTER 

MISSION  CONTROL  CENTER-HOUSTON 

MULTIFUNCTION  CRT  DISPLAY  SYSTEM 

MANIPULATOR  CONTROLLER  INTERFACE  UNIT 

MONITOR  AND  CONTROL  PANEL 

MICROBIAL  CHECK  VALVE 

MIDDECK 

MOTOR  DRIVE  AMPLIFIER 
MINIMUM  DURATION  FLIGHT 
MIDDECK 

SPACE LAB /MCDONNELL  DOUGLAS 

MCDONNELL  DOUGLAS  TECHNICAL  SERVICES  COMPANY 

MULTIPLEXER/DEMULTIPLEXER 

MASTER  EVENT  CONTROLLER 

MAIN  ENGINE  CUTOFF 

MANUAL  ENTRY  DEVICE 

MEDICAL 

MULTIFUNCTION  ELECTRONIC  DISPLAY  SUBSYSTEM 
MEMORY 

MINIMUM  ENERGY  POINT 

MAIN  ENGINE  PROPELLANT 

JSC  MCC-H  MISSION  EVALUATION  ROOM 

MEASUREMENT  ERROR 

MISSION  ELAPSED  TIME 
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MEV 

MF 

MFR 

MGMT 

MGTD 

MHI 

MHz 

MICB 

MIL,  MILA 

MI  LX 
MIN 

MRS 

MLG 

MLS 

MM 

MMACS 

MMC (A) 

MMH 
mmHG 
mm/ HR 
MMT 
MMU 

MMWL 

MMWLL 

MN 

MNA,  B,  C 

MNVR 

MOA 

MOC 

MOCR 

MODCOMP 

MOV 

MPAD 

MPCC 

MPE 

MPL 

MPM 

MPS 

MPSR 

MPU 

MR 


MILLION  ELECTRON  VOLTS 

MAJOR  FUNCTION 

MANIPULATOR  FOOT  RESTRAINT 

MANAGEMENT 

MAIN  GEAR  TOUCHDOWN 

MCC  HOST  INTERFACE 

MEGAHERTZ 

MID-COURSE  CORRECTION 
MISSION  INTEGRATION  CONTROL  BOARD 
MERRITT  ISLAND  LAUNCH  AREA  (STDN  STATION) 
MILLISECONDS 

MERRITT  ISLAND  LAUNCH  AREA  (STDN  STATION) 

MINUTE 

MINIMUM 

MARKS 

MAIN  LANDING  GEAR 
MICROWAVE  LANDING  SYSTEM 
MAJOR  MODE,  MASS  MOMENT 

MECHANICAL,  MAINTENANCE,  ARM,  AND  CREW  SYSTEMS 
(MCC-H  FLIGHT  CONTROL  POSITION) 

MID  MOTOR  CONTROL  (ASSEMBLY) 

MONOMETHYL  HYDRAZINE 

MILLIMETERS  OF  MERCURY 

MILLIMETERS /HOUR 

MISSION  MANAGEMENT  TEAM 

MANNED  MANEUVERING  UNIT 

MASS  MEMORY  UNIT 

MODIFIED  MIDDLEWEIGHT  LATCH 

MODIFIED  MIDDLEWEIGHT  LONGERON  LATCH 

MAIN 

MAIN  BUS  A,  B,  OR  C 
MANEUVER 

MEMORANDUM  OF  UNDERSTANDING 
MISSION  OPERATIONS  COMPUTER 
MISSION  OPERATIONS  CONTROL  ROOM 
MISSION  OPERATIONS  DIRECTORATE  COMPUTER 
MAIN  OXIDIZER  VALVE 

MISSION  PLANNING  AND  ANALYSIS  DIVISION 

MULTIPURPOSE  CONTROL  CENTER 

MISSION  PECULIAR  EQUIPMENT 

MINIMUM  POWER  LEVEL 

MANIPULATOR  POSITIONING  MECHANISM 

MAIN  PROPULSION  SYSTEM 

MULTIPURPOSE  SUPPORT  ROOM 

MAGNETIC  PICKUP  UNIT 

MIXTURE  RATIO 
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MRL 

MRN 

MS 

MSBLS 
MSFC 
MSG 
MS  ID 
MSK 

MSL 

MSPC 

MTL 

MTM 

MTRS 

MTU 

MUX 

MV 

MVS 

MW 

MWLL 


MANIPULATOR  RETENTION  LATCH 
MORON,  SPAIN  (PRIME  TAL  SITE) 

MISSION  SPECIALIST 

MICROWAVE  SCANNING  BEAM  LANDING  SYSTEM 

MARSHALL  SPACE  FLIGHT  CENTER 

MESSAGE 

MEASUREMENT  STIMULATION  IDENTIFICATION 
MASK 

MANUAL  SELECT  KEYBOARD 
MEAN  SEA  LEVEL 

MULTIPLE  STORED  PROGRAM  COMMAND 
MT.  LEMON  (USAEPG  C-BAND  STATION) 

MOC  TELEMETRY  MESSAGE 
MOTORS 

MASTER  TIMING  UNIT 

MULTIPLEXER 

MILLIVOLT 

MID-VALUE-SELECT 

MILLIWATT 

MIDDLEWEIGHT  LONGERON  LATCH 


N/A 

N2 

n2h4 

n2°4 

NASA 

NAVE 

NERVED 

NERVED 

NBAT 

NC2 

NCC 

NCRP 

NEOM 

NEP 

NGTD 

NHq 

NIS 

NLE 

NLG 

NM,  nm 

NOK 

NOM 


NOT  APPLICABLE 

NITROGEN 

HYDRAZINE 

NITROGEN  TETROXIDE 

NATIONAL  AERONAUTICS  AND  SPACE  ADMINISTRATION 

NAVIGATION 

NAVIGATION  AID 

NAVIGATIONAL  DERIVED  AIR  DATA 

NOMINAL  BUS  ASSIGNMENT  TABLE 

NOMINAL  CORRECTION  1  MANEUVER 

NOMINAL  CORRECTION  COMBINATION  MANEUVER 

NETWORK  CONTROL  CENTER 

NATIONAL  COUNCIL  ON  RADIATION  PROTECTION 

NOMINAL  END  OF  MISSION 

NORMAL  ENTRY  POINT 

NOSE  GEAR  TOUCHDOWN 

AMMONIA 

NETWORK  INFORMATION  SYSTEM 

NO  LONGER  ENDANGER 

NOSE  LANDING  GEAR 

NAUTICAL  MILES 

NO  OK 

NOMINAL 

NETWORK  OUTPUT  MULTIPLEXER 
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NOR 

NORAD 

NORM 

NOTAM 

NOTMAR 

NPC 

NR 

NRC 

NRS 

NRT 

NPSP 

NSDD 

NSP 

NSR 

NSTS 

NTD 

NWS 

NWTD 

Ny 

NY  J 
Nz 

N  7  r' 


NORTHROP  LAKEBED  LANDING  SITE 
NORTH  AMERICAN  AIR  DEFENSE  COMMAND 
NORMAL 

NOTICE  TO  AIRMEN 
NOTICE  TO  MARINERS 
NOMINAL  PLANE  CHANGE 
NOT  REQUIRED 

NATIONAL  RESEARCH  COUNCIL 
NETWORK  REGIOTRATION  SERVICE 
NEAR  REAL  TIME 

NET  POSITIVE  SUCTION  PRESSURE 
NATIONAL  SECURITY  DECISION  DIRECTIVE 
NASA  SUPPORT  PLAN 
NETWORK  SIGNAL  PROCESSOR 
COELIPTIC  MANEUVER 

NATIONAL  SPACE  TRANSPORTATION  SYSTEM 

NASA  TEST  DIRECTOR 

NOSE  WHEEL  STEERING 

NOSE  WHEEL  TOUCHDOWN 

LATERAL  ACCELERATION 

NO  YAW  JET 

NORMAL  ACCELERATION 

NORMAL  ACCELERATION  COMMAND 


O/B 

02 

OA 

OASCB 

OBS 

OCAS 

OE 

OEX 

OF 

OFT 

OFTP 

01 

OIS 

OME 

OMI 

OMRS 

OMRSD 

OMS 
ON  SC 


ONBOARD 

OXYGEN 

OPERATIONAL  AFT 

ORBITER  AVIONICS  SOFTWARE  CONTROL  BOARD 
OBSERVATION 

OPERATOR-COMMANDED  AUTO  SEQUENCES 

OUTPUT  ELECTRONICS 

ORBITER  EXPERIMENTS 

OPERATIONAL  FORWARD 

ORBITAL  FLIGHT  TEST 

ORBITER  FLIGHT  TECHNIQUES  PANEL 

OPERATIONAL  INSTRUMENTATION 

OPERATIONAL  INSTRUMENTATION  SYSTEM 

ORBITER  MANEUVERING  ENGINE 

OPERATIONAL  MAINTENANCE  INSTRUCTIONS 

OPERATIONAL  MAINTENANCE  REQUIREMENTS  AND 

SPECIFICATION 

OPERATIONAL  MAINTENANCE  REQUIREMENTS  AND 
SPECIFICATION  DOCUMENT 
ORBITAL  MANEUVERING  SYSTEM 

ONBOARD  NAVIGATION  SYSTEMS  CHARACTERISTICS 
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OOP 

OPF 

OPOV 

OPS 

ORB 

ORIDE 

ORR 

OS 

OSH 

OSHA 

OST 

OTBD 

OTC 

OVHD 

OX 


OUT-OF-PLANE 

ORBITER  PROCESSING  FACILITY 
OXIDIZER  PREBURNER  OXIDIZER  VALVE 
OPERATIONAL  SEQUENCES 
OPERATIONS 
ORBIT (AL) 

OVERRIDE 

ORRORAL  VALLEY  ( STDN  STATION) 

ORBIT  STATION 
OFF  SCALE  HIGH 

OCCUPATIONAL  SAFETY  AND  HEALTH  ADMINISTRATION 

OPERATIONS  SUPPORT  TEAM 

OUTBOARD 

ORBITER  TEST  CONDUCTOR 

OVERHEAD 

OXIDIZER 


P 

P-V-T 
P/L,  PL 
PA 

PACK 

PAD 

PADM 

PAM 

PAO 

PAP  I 

PARAM 

PASS 

PATC 

PBD 

PB  (I) 

PC 

PCA 

PCM 

PCMMU 

PCN 

PCS 

PD  I 

PDL  (S) 

PDRS 

PDU 

PEAP 

PEG 


PRESSURE,  POINTING  VECTOR 
PRESSURE-VOLUME-TEMPERATURE 
PAYLOAD 
PAYLOAD  AFT 

PAYLOAD  ACTIVE  COOLING  KIT 

PFR  ATTACHMENT  DEVICE 

PORTABLE  AUDIO  DATA  MONITOR 

PAYLOAD  ASSIST  MODULE 

PUBLIC  AFFAIRS  OFFICE 

PRECISION  APPROACH  PATH  INDICATOR 

PARAMETER 

PRIMARY  AVIONICS  SOFTWARE  SYSTEM 
PATRICK 

PAYLOAD  BAY  DOOR 
PUSHBUTTON  (INDICATOR) 

CHAMBER  PRESSURE 
POWER  CONTROL  ASSEMBLY 
PULSE  CODE  MODULATION 
PCM  MASTER  UNIT 
PAGE  CHANGE  NOTICE 
PRESSURE  CONTROL  SYSTEM 
PAYLOAD  DATA  INTERLEAVER 
PONCE  DE  LEON  (STDN  STATION) 

PAYLOAD  DEPLOYMENT  AND  RETRIEVAL  SYSTEM 

POWER  DRIVE  UNIT 

POWER  DISTRIBUTION  UNIT 

PERSONAL  EMERGENCY  AIR  PACK 

POWERED  EXPLICIT  GUIDANCE 
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PF 


PFC/ICL 

PGA 

PGSC 

pH 

PI 

PIC 

PIP 

PIREP 

PKG 

PKM 

PL 

PLB 

PLBD 

PLHX 

PLS 

PLSS 

PLOAD 

PLT 

PM 

PMC 

PMD 

PMP 

PNL 

PNEU 

POCC 

POD 

POHS 

POPU 

POR 

POS 

POSN 

PP 


PPA 

PPCOo 

PPD 

PPM 

PPO2 

PPRV 

PRB 

PRCB 


PAYLOAD  FORWARD 
PREDICTED  POWER  FACTOR 
PAYLOAD  FLEX 

POWER  FACTOR  CORRECTOR/ INRUSH  CURRENT  LIMITER 

PRESSURE  GARMENT  ASSEMBLY 

PAYLOAD  GENERAL  SUPPORT  COMPUTER 

HYDROGEN-ION  CONCENTRATION 

PAYLOAD  INTERROGATOR 

PYROTECHNIC  INITIATION  CONTROLLER 

PAYLOAD  INTEGRATION  PLAN 

PILOT  REPORT 

PACKAGE 

PERIGEE  KICK  MOTOR 
PAYLOAD 
PAYLOAD  BAY 
PAYLOAD  BAY  DOOR(S) 

PAYLOAD  HEAT  EXCHANGER 
PRIMARY  LANDING  SITE 
PRIMARY  LIFE  SUPPORT  SYSTEM 
PROPELLANT  LOAD 
PILOT 

PHASE  MODULATION 

PRIVATE  MEDICAL  COMMUNICATION 

PALMDALE 

PUMP 

PANEL 

PNEUMATICS 

PAYLOAD  OPERATIONS  CONTROL  CENTER 

PAYLOAD  OPERATIONS  DIRECTOR 

POSITION  AND  ORIENTATION  HOLD  SELECT 

PUSH  OVER  PULL  UP 

POINT  OF  RESOLUTION 

PORTABLE  OXYGEN  SYSTEM 

POSITION 

POSITION 

PARTIAL  PRESSURE 

POWERED  PITCHDOWN 

PRESENT  POSITION 

POWERED  PITCHAROUND 

PARTIAL  PRESSURE  CARBON  DIOXIDE 

POWERED  PITCHDOWN 

PARTS  PER  MILLION 

PARTIAL  PRESSURE  OF  OXYGEN 

POSITIVE  PRESSURE  RELIEF  VALVE 

PROCEDURES  AND  REQUIREMENTS  BRANCH 

PROGRAM  REQUIREMENTS  CONTROL  BOARD 


VOLUME  A  06/20/02  FINAL  ACRONYMS  &  ABBREVIATIONS 

Verify  that  this  is  the  correct  version  before  use. 


A-21 


NASA  -  JOHNSON  SPACE  CENTER 


PRCS 

PRD 

PRECIP 

PREP 

PRESS 

PRI 

PRL 

PRLA 

PRO 

PROMS 

PROP 

PROX 

PROX  OPS 

PRPLT 

PRSD 

PRTLS 

PS 

PSF 

PSI 

PSIA 

PSID 

PSIG 

PSP 

PSS 

PTB 

PTC 

PTI 

PUPO 

PVT 

PWR 

PYRO 


q 

Q-BAR 

Q-BAR  DOT 

QD 

QDM 

QMVS 

QSA 

QTY 


R 

R&E 
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FLIGHT  RULES 


PRIMARY  REACTION  CONTROL  SYSTEM 

PAYLOAD  RETENTION  DEVICE 

PRECIPITATION 

PREPARATION 

PRESSURE 

PRIMARY 

PRIORITY 

PRIORITY  RATE  LIMITING 
PAYLOAD  RETENTION  LATCHES 
"PROCEED"  -  A  GPC  COMMAND  ENTRY 
PROGRAMMABLE  READ  ONLY  MEMORY 
PROPELLANT 
PROXIMITY 

PROXIMITY  OPERATIONS  (RENDEZVOUS) 

PROPELLANT 

POWER  REACTANT  STORAGE  AND  DISTRIBUTION  SYSTEM 
POWERED  RETURN  TO  LANDING  SITE 

POWER  SUPPLY,  PAYLOAD  SIATION,  PAYLOAD  SPECIALIST 

POUNDS  PER  SQUARE  FOOT 

POUNDS  PER  SQUARE  INCH 

POUNDS  PER  SQUARE  INCH  ABSOLUTE 

POUNDS  PER  SQUARE  INCH  DIFFERENTIAL 

POUNDS  PER  SQUARE  INCH  GAUGE 

PAYLOAD  SIGNAL  PROCESSOR 

PLATFORM  SYSTEM  SERVICES  SOFTWARE 

PAYLOAD  TIMING  BUFFER 

PASSIVE  THERMAL  CONTROL 

PROGRAM  TEST  INPUT 

PULL  UP  PUSH  OVER 

PRIVATE 

POWER 

PYROTECHNIC 


DYNAMIC  PRESSURE 

AVERAGE  DYNAMIC  PRESSURE 

RATE  OF  CHANGE  OF  DYNAMIC  PRESSURE 

QUICK  DISCONNECT 

QUICK  DON  MASK 

QUAD-MID-VALUE-SELECT 

QUALIFICATION  SITE  APPROVAL 

QUANTITY 


RIGHT 

RESEARCH  AND  ENGINEERING 
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R-BAR 

R-F-L 

R-V 

R/W 

RA 

RAAB 
RAD  ( S ) 

RASS 

RAU 

RCC 

RCCB 

RCDR 

RCN 

RCRS 

RCS 

RCVR 

RDM 

RDY 

REAS 

RECAL 

REDESIG 

RE  DUN 

REF 

REG  (S) 

REL 

RELMAT 

REM 

REP 

REQ 

RESVR 

REV 

RF 

RFCA 

R-F-L 

RGA 

RGO 

RH 

RHC 

RI 

RIB 

RIC 

RJD 

RLF 

RM 


ALONG  THE  RADIUS  VECTOR 

READY-FOR-LATCH 

RANGE-VELOCITY 

RUNWAY 

RADAR  ALTIMETER 

REMOTE  APPLICATION  AND  ADVISORY  BOX 
RADIATOR (S) 

RELEASE  AUTHORIZATION  DOCUMENT 

RELEASE  AUTHORIZATION  FOR  SHUTTLE  SOFTWARE 

REMOTE  ACQUISITION  UNIT 

RANGE  CONTROL  CENTER 

REMOTE  CONTROL  CIRCUIT  BREAKER 

RECORDER 

REQUIREMENTS  CHANGE  NOTICE 

REGENERABLE  CARBON  DIOXIDE  REMOVAL  SYSTEM 

REACTION  CONTROL  SYSTEM 

RECEIVER 

RESEARCH  DOUBLE  MODULE 
READY 

REASONABLENESS 

RECALIBRATE 

REDESIGNATION 

REDUNDANT 

REFERENCE 

REGULATOR (S) 

RELATIVE 

RELATIVE  MATRIX 

ROENTGEN-EQUIVALENT  MAN 

REPRESS 

REQUIRE 

RESERVOIR 

REVOLUTION 

RADIO  FREQUENCY 

RADIATOR  FLOW  CONTROL  ASSEMBLY 

READY  FOR  LATCH 

RATE  GYRO  ASSEMBLY 

RANGE  TO  GO 

RIGHT  HAND 

ROTATIONAL  HAND  CONTROLLER 
ROCKWELL  INTERNATIONAL 
RECORD  IDENTIFIER 
RIGHT  INBOARD 

ROCKWELL  INTERNATIONAL  CORPORATION 

REACTION  JET  DRIVER 

RELIEF 

REDUNDANCY  MANAGEMENT 
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RMS 

RMU 

RNDZ 

ROB 

ROCC 

ROLREF 

ROM 

ROTA 

RPC 

RPL 

RPM 

RPS 

RPTA 

RQMT 

RR 

RRM 

RS 

RSB 

RSDS 

RSLS 

RSO 

RSOC 

RSOR 

RSR 

RSS 

RST 

RSTDS 

RSTNG 

RT 

RTC 

RTD 

RTDS 

RTLS 

RTN 

RTS 

RTV 

RUD 

RVLC 


S  TRK 
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REMOTE  MANIPULATOR  SYSTEM 
RMS /MECHANICAL /UPPERS TAGE 
RENDEZVOUS 
RIGHT  OUTBOARD 

RETRIEVAL  OPERATIONS  COMMUNICATIONS  CENTER 
RANGE  OPERATIONS  CONTROL  CENTER 
ROLL  REFERENCE 

RETRIEVAL  OPERATIONS  MANAGER 

NAVAL  STATION  ROTA,  SPAIN 

REMOTE  POWER  CONTROLLER 

RATED  POWER  LEVEL 

REVOLUTIONS  PER  MINUTE 

RMS  PLANNING  SYSTEM 

RUDDER  PEDAL  TRANSDUCER  ASSEMBLY 

REQUIREMENT 

RENDEZVOUS  RADAR 

RUNWAY  REMAINING  MARKER 

REDUNDANT  SET 

ROTARY  SEPARATOR 

RUDDER  SPEEDBRAKE 

RANGE  SAFETY  DISPLAY  SYSTEM 

REDUNDANT  SET  LAUNCH  SEQUENCER 

RANGE  SAFETY  OFFICER 

ROCKWELL  SPACE  OPERATIONS  COMPANY 

RANGE  SAFETY  OPERATING  REQUIREMENT 

RANGE  SAFETY  REPRESENTATIVE 

ROOT,  SUM,  SQUARE (D) 

RANGE  SAFETY  SYSTEM 
RESTRING 

RANGE  SAFETY  TELEMETRY  DISPLAY  SYSTEM 

RESTRING 

REAL  TIME 

RIGHT 

REAL-TIME  COMMAND 

REAL-TIME  CLOCK 

RESISTIVE  THERMAL  DEVICE 

RANGE  SAFETY  TELEMETRY  DISPLAY  SYSTEM 

RETURN  TO  LANDING  SITE 

RETURN 

REMOTE  TRACKING  STATION 
PLIABLE  SEALANT 
RUDDER 

REDLINE  VOTING  LOGIC  CIRCUIT 


STAR  TRACKER 
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S-BD 

S/B 

S/C 

S/D,  SHTDN 

S/W 

SAA 

SAGI 

SAIL 

SAL 

SAR 

SAS 

SB 

SPDBK 

SBTA 

SBTC 

SCA 

SCAS 

SCO 

SCOS 

SCR 

SCU 

SDF 

SDL 

SDP 

SEBS 

SEC 

SEGP 

SEI I 

SEL 

SELP 

SENS 

SEP 

SEPTM 

SERC 

SES 

SESL 

SESP 

SETP 

SFCO 

SFT 

SGLS 

SHOD 

SIG  COND 
SIMO 


SIDE-BAND 

STANDBY 

STABILITY  AND  CONTROL 

SHUTDOWN 

SOFTWARE 

SPACELAB  AURAL  ANNUNCIATOR 

SPACEHAB  AUDIO  GROUND  ISOLATOR 

SHUTTLE  AVIONICS  INTEGRATION  LABORATORY 

NORTHRUP  STRIP 

SEARCH  AND  RESCUE 

SPACE  ADAPTATION  SYNDROME 

SPEEDBRAKE 

SPEEDBRAKE 

SPEEDBRAKE  TRANSDUCER  ASSEMBLY 
SPEEDBRAKE/THRUST  CONTROLLER 
SHUTTLE  CARRIER  AIRCRAFT 

SUBSYSTEM  COMPUTER  APPLICATION  SOFTWARE 

SURVEILLANCE  CONTROL  OFFICER 

SUBSYSTEM  COMPUTER  OPERATING  SYSTEM 

STRIP  CHART  RECORDER 

SECONDARY  CONTROL  UNIT 

SERVICE  AND  COOLING  UMBILICAL 

SOFTWARE  DEVELOPMENT  FACILITY 

SOFTWARE  DEVELOPMENT  LAB 

SHUTTLE  DATA  PROCESSOR 

SPACELAB  EMERGENCY  BREATHING  SYSTEM 

SECOND 

SECONDARY 

SINGLE  ENGINE  GOOD  POD 

SERVOACTUATOR  ERROR  INDICATION  INTERRUPT 
SELECT 

SINGLE  ENGINE  LEAKING  POD 

SENSOR 

SEPARATION 

SINGLE  ENGINE  PRESS  TO  MECO 
SINGLE-ENGINE  ROLL  CONTROL 
SHUTTLE  ENGINE  SIMULATOR 

SPACE  ENVIRONMENTAL  SIMULATION  LABORATORY 

SINGLE  ENGINE  SINGLE  POD 

SINGLE  ENGINE  TWO  PODS 

SENIOR  FLIGHT  CONTROL  OFFICER  (KSC) 

SINGLE  FAULT  TOLERANT 
SPACE/GROUND  LINK  SYSTEM 
SPACEHAB  OPERATIONS  DIRECTOR 
SIGNAL  CONDITIONER 
SIMULTANEOUS 
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SL 

SLF 

SLODB 

SLS 

SM 

SM  GPC 

SM/LDM 

SMAC 

SMCH 

SMG 

SMIDEX 

SMS 

SMU 

SMWLL 

SN 

SNSR 

SODB 

SOMS 

SOO 

SOP 

SOV 

SPAH 

SPAN 

SPAR 

SPARTAN 

SPC 

SPDB 

SPDS 

SPEC 

SPI 

SPK 

SPL 

SPLY 

SPW 

SRB 

SRBTS 

SRM 

SRO 

SS 

SSC 
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SPACELAB 

SHUTTLE  LANDING  FACILITY 
SPACELAB  OPERATIONAL  DATA  BOOK 
SECONDARY  LANDING  SITE 
SYSTEMS  MANAGEMENT 
STATUTE  MILE 

SYSTEMS  MANAGEMENT  GENERAL  PURPOSE  COMPUTER 

SINGLE  MODULE/LOGISTICS  DOUBLE  MODULE 

SPACECRAFT  MAXIMUM  ALLOWABLE  CONCENTRATION 

STANDARD  MIXED  CARGO  HARNESS 

SHUTTLE  METEOROLOGICAL  GROUP 

SPACELAB  MIDDECK  EXPERIMENTS 

SHUTTLE  MISSION  SIMULATOR 

SPACE  MOTION  SICKNESS 

SPEAKER  MICROPHONE  UNIT 

SUPER  MIDDLEWEIGHT  LONGERON  LATCH 

SPACE  NETWORK 

SENSOR 

SHUTTLE  OPERATIONAL  DATA  BOOK 
SHUTTLE  OPERATIONS  MEDICAL  SYSTEM 
STAR  OF  OPPORTUNITY 
SECONDARY  OXYGEN  PACK 
SUBSYSTEM  OPERATING  PROGRAM 
SHUTOFF  VALVE 

SPACELAB  PAYLOAD  ACCOMMODATION  HANDBOOK 
JSC  MCC-H  SPACECRAFT  ANALYSIS  ROOM 
SPAR  AEROSPACE 

SHUTTLE  POINTED  AUTONOMOUS  RESEARCH  TOOL  FOR 
ASTRONOMY 

STORED  PROGRAM  COMMAND 
SUBSYSTEM  POWER  DISTRIBUTION  BOX 
STABILIZED  PAYLOAD  DEPLOYMENT  SYSTEM 
SPECIALIST  FUNCTION 
SPECIFICATION 

SURFACE  POSITION  INDICATOR 
SCOTT  PEAK  (USAEPG  C-BAND  STATION) 

SCRATCH  PAD  LINE 
SUPPLY 

SUPPORT  WING 

SOLID  ROCKET  BOOSTER 

SRB  RADAR  BEACON  TRACKING  SYSTEM 

SOLID  ROCKET  MOTOR 

SUPERINTENDENT  OF  RANGE  OPERATIONS 

SINGLE  STRING 

SUBSYSTEM 

SUBSYSTEM  COMPUTER 
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SSD 

SSFS 

SSIO 

SSME 

SSMEC 

SSOR 

SSP 

SSR 

SSV 

ST 

STA 


STBD 

STBY 

STC 

STD 

STDN 

STEP 

STG 

STIN 

STS 

STSOC 

STT 

SUBS 

SUPA 

SV 

SVO 

S/W 

SW 

SW  (S) 
SW  VLV 
SYNC 
SYNCOM 
SYS 


SPACECRAFT  SOFTWARE  DIVISION 

SPACE  SHUTTLE  FUNCTIONAL  SIMULATOR 

SUBSYSTEM  INPUT/OUTPUT 

SPACE  SHUTTLE  MAIN  ENGINE 

SPACE  SHUTTLE  MAIN  ENGINE  CONTROLLER 

SPACE-TO-SPACE  ORBITER  RADIO 

STANDARD  SWITCH  PANEL 

SPACE  SHUTTLE  PROGRAM 

STAFF  SUPPORT  ROOM 

SPACE  SHUTTLE  VEHICLE 

STAR  TRACKER 

SHUTTLE  TRAINING  AIRCRAFT 
STANDARD 

STANDARD  OPERATING  PROCEDURE 

STARBOARD 

STANDBY 

SATELLITE  TEST  CENTER  (SUNNYVALE,  CA) 

STS  TEST  DIRECTOR 

SPACECRAFT  TRACKING  AND  DATA  NETWORK 
SHUTTLE  TURNAROUND  ENHANCEMENT  PROGRAM 
SIMPLIFIED  THERMAL  EVALUATION  PROGRAM 
STAGE 

STRAIGHT-IN 

SPACE  TRANSPORTATION  SYSTEM 

SPACE  TRANSPORTATION  SYSTEM  OPERATIONS  COMPANY 

SPACELAB  TRANSFER  TUNNEL 

SUBSEQUENT 

SHUTTLE  URINE  PRETREAT  ASSEMBLY 
STATE  VECTOR 

SPECIAL  VEHICLE  OPERATIONS 

SOFTWARE 

SPACE  WING 

SWITCH (ES) 

SWITCHING  VALVE 
SYNCHRONIZE 

SYNCHRONOUS  COMMUNICATION  SATELLITE  (HUGHES) 
SYSTEM 


T  TEMPERATURE 

TRACKING 

T/O  TAKE  OVER 

T/R  TRANSMIT  AND  RECEIVE 

TACAN,  TAC  TACTICAL  AIR  NAVIGATION 

TAEM  TERMINAL  AREA  ENERGY  MANAGEMENT 

TAG  TEXT  AND  GRAPHICS 

TAGS  TEXT  AND  GRAPHICS  SYSTEM 
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TAL 

TAS 

tb,  TB 

TBD 

TBS 

TC 

TCS 

TCSS 

TD 

TDRS 

TDRSS 

TDT 

TELP 

TEMP 

TETP 

TFL 

TGO 

TGT 

THC 

T I 

TIC 

TIG 

TIPS 

TK,  TNK 

TLM,  TM 

TMBU 

TMCC 

TP 

TPC 

TPF 

TPG 

TP  I 

TPL 

TPS 

TRAJ 

TREF 

TRK 

TTA 

TTS 

TURB 

TV 

TVC 


TRANSOCEANIC  ABORT  LANDING 
TRUE  AIR  SPEED 
INSTRUMENT  PANEL  TALKBACK 
TO  BE  DETERMINED 
TO  BE  SUPPLIED 
THERMOCOUPLE 
THERMAL  CONTROL  SYSTEM 
OAKHANGER  (STDN) 

TOUCHDOWN 

TRACKING  DATA  AND  RELAY  SATELLITE 

TRACKING  DATA  AND  RELAY  SATELLITE  SYSTEM 

TURBINE  DISCHARGE  TEMPERATURE 

TWO  ENGINES  LEAKING  POD 

TEMPERATURE 

TWO  ENGINES  TWO  PODS 

TELEMETRY  FORMAT  LOAD 

TIME  TO  GO  TO  MECO 

TARGET 

TRANSLATIONAL  HAND  CONTROLLER 
TERMINAL  PHASE  INITIATION 
TICK 

TIME  OF  IGNITION 

THERMAL  IMPULSE  PRINTER  SYSTEM 
TANK 

TELEMETRY,  TECHNICAL  MEMO 
TABLE  MAINTENANCE  BLOCK  UPDATE 
TEMPORARY  MISSION  CONTROL  CENTER 
TANGENT  PLANE 

TELEMETRY  PREPROCESSING  COMPUTER 
TERMINAL  PHASE  FINALIZATION  (BRAKING) 
TOPPING 

TERMINAL  PHASE  INITIATION 

TRANSPACIFIC  LANDING 

THERMAL  PROTECTION  SYSTEM 

TRAJECTORY 

TIME  REFERENCE  WORD 

TRACK 

THERMAL  TEST  AREA 
TITUSVILLE  (TACAN  STATION) 

TURBINE,  TURBULENCE 
TELEVISION 

THRUST  VECTOR  CONTROL 


U/L  UPLINK 

UAS  URINE  ABSORPTION  SYSTEM 
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UCD 

URINE  COLLECTION  DEVICE 

UHF 

ULTRA  HIGH  FREQUENCY 

UL 

UPPER  LIMIT 

UMB 

UMBILICAL 

UMI 

UPPER  MEMORY  INITIAL  PROGRAM 

LOAD 

UPP 

USER  PARAMETER  PROCESSING 

UPS 

UNINTERUPTED  POWER  SUPPLY 

US 

UNITED  STATES 

USAEPG 

U.S.  ARMY  ELECTRONIC  PROVING 

GROUND 

USAF 

UNITED  STATES  AIR  FORCE 

USPD 

UNDERSPEED 

UTIL 

UTILITIES 

V 

VOLTS 

V,  VEL 

VELOCITY 

V-BAR 

ALONG  THE  VELOCITY  VECTOR 

VAA 

VIEWPORT  ADAPTER  ASSEMBLY 

VAB 

VEHICLE  ASSEMBLY  BUILDING 

VAC 

VACUUM 

VOLTS,  ALTERNATING  CURRENT 

VAFB 

VANDENBERG  AIR  FORCE  BASE 

VAS 

VIDEO  ANALOG  SWITCH 

VCU 

VIDEO  CONTROL  UNIT 

VDC 

VOLTS,  DIRECT  CURRENT 

VERN 

VERNIER 

VGO 

VELOCITY  TO  GO 

VI, V- I 

VOLTAGE  -  CURRENT 

Vi 

INERTIAL  VELOCITY 

VI TR 

VIDEO  INSTRUMENTATION  TAPE 

RECORDER 

VLV (S) 

VALVE ( S ) 

VMS 

VERTICAL  MOTION  SIMULATOR 

(AT  LASA  AMES 

VP 

VERTICAL  PLANE 

VIEWPORT 

VRCS 

VERNIER  REACTION  CONTROL  SYSTEM 

VREL 

RELATIVE  VELOCITY 

vrel 

RELATIVE  VELOCITY 

VS 

VERSUS 

VTR 

VIDEO  TAPE  RECORDER 

VWSS 

VERTICAL  WIRE  SKY  SCREEN 

W/ 

WITH 

W/O 

WITHOUT 

W 

WATTS 

WB 

WIDE  BAND 
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wccu 

wcs 

WFCEU 

WFCV 

WLPS 

WMS 

WNDW 

WONG 

WOW 

WPA 

WSA 

WSB 

WSGT 

WSMR 

WSSH 

WSTF 

WST 

WWV 

WX 


X  CG 

XDCR 

XDUCER 

XFEED ,  XFD 

XFER 

XLV 

XVV 

XPNDRS 

XPONDER 

XRANGE 

XWIND 


YLV 

YW 


ZLV 

ZOT 

ZSI 

ZW 

ZZA 
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WIRELESS  CREW  COMM  UNIT 

WASTE  COLLECTION  SYSTEM 

WATER  FLOW  CONTROL  ELECTRONICS  UNIT 

WATER  FLOW  CONTROL  VALVE 

WALLOPS 

WASTE  MANAGEMENT  SYSTEM 
WINDOW 

WEIGHT  ON  NOSE  GEAR 
WEIGHT  ON  WHEELS 
WINDOW  PROTECTION  ATTITUDE 
WATER  SEPARATOR  ASSEMBLY 
WATER  SPRAY  BOILER 
WHITE  SANDS  GROUND  TERMINAL 
WHITE  SANDS  MISSILE  RANGE 
WHITE  SANDS  SPACE  HARBOR 
WHITE  SANDS  TEST  FACILITY 
WASTE 

WORLD  WIDE  TIME  BASE 
WEATHER 


X-AXIS  CENTER  OF  GRAVITY 

TRANSDUCER 

TRANSDUCER 

CROSSFEED 

TRANSFER 

X-AXIS  LOCAL  VERTICAL 

X-AXIS  POINTED  ALONG  VELOCITY  VECTOR 

TRANSPONDERS 

TRANSPONDER 

CROSS RANGE 

CROSSWIND 


Y-AXIS  LOCAL  VERTICAL 

Y-AXIS  POINTED  ALONG  VELOCITY  VECTOR 


Z  LOCAL  VERTICAL 

THE  SPONTANEOUS  COMBUSTION  OF  A  SMALL  AMOUNT  OF 
FUEL  IN  THE  THROAT  OF  A  THRUSTER  NOZZLE 
Z-AXIS  SOLAR  INERTIAL 

Z-AXIS  POINTED  ALONG  VELOCITY  VECTOR 
ZARAGOZA  (PRIME  TAL  SITE) 
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APPENDIX  B 
CHANGE  CONTROL 


1.0  INTRODUCTION 

1.1  PURPOSE 

The  purpose  of  this  appendix  is  to  delineate  change  control  procedures  for  Volumes  A,  B,  C,  D, 
and  flight-specific/increment-specific  Flight  Rules  Annexes.  This  will  ensure  the  proper 
coordination  of  changes  and  provide  a  record  of  the  proposed  changes  including  the  rule  rationale 
and  the  reason  for  making  the  change.  The  web-based  database,  Workflow,  is  now  being  used  to 
generate  CR’s  for  Volumes  A,  B,  C,  D,  and  Flight  Rules  Annexes  and  is  the  preferred  method  for 
initiating  CR’s.  Refer  to  paragraph  2.1 .1  for  Workflow  enrollment  instructions.  The  change  request 
(CR)  form  on  page  B-10  is  designed  to  assist  this  change  control  process  only  when  it  is  not 
possible  to  use  Workflow.  Workflow  is  available  at  URL:  http://mod.jsc.nasa.gov/da8.  Under  the 
Workflow  Link  title,  click  on  the  Flight  Rule  CR  System  link. 

1.2  GENERAL 

All  Flights  critical  items  list  (CIL)-related  rules  and  generic  rules  with  a  recurring  potential  for 
mission-specific  options  or  exceptions  will  be  flagged  so  that  they  are  readily  identifiable  in  the  All 
Flights  generic  documents.  Hazard  control  (HC)-related  rules  are  monitored  by  NA/Safety 
Division,  and  impact  to  an  HC  rule  requiring  PRCB/JPRCB/SSPCB  is  reported  to  the 
FRCB/JFRCB.  When  a  change  to  a  CIL-related  specific  flight  rule,  or  an  HC-related  rule,  is 
approved  and  CIL  retention  rationale  is  affected  by  the  change,  the  change  will  not  be 
incorporated  until  a  corresponding  change  to  the  retention  rationale  is  approved  by  the  Shuttle  or 
Station  Programs.  The  same  general  philosophy  applies  to  the  changes  that  modify  existing 
payload  or  orbiter  hazard  controls.  These  flight  rule  changes  will  not  be  incorporated  until  the 
appropriate  safety  organization  approves  a  corresponding  change  to  the  related  hazard  control 
documentation.  A  [CIL]  tag,  in  brackets,  will  be  added  to  the  title  for  CIL-related  rules.  Some 
Volume  A  rules  not  identified  as  CIL  are  identified  as  hazard  control  and  an  [HC]  tag,  in  brackets, 
will  be  added  to  the  title  of  those  rules.  Volume  B  rules  primarily  have  been  identified  for  hazard 
control  and  will  be  tagged  [HC]  in  the  title.  Examples  of  All  Flights  rules  that  have  the  recurring 
potential  for  flight-specific  options  or  exceptions  are  some  of  the  remote  manipulator  system  rules. 
For  those  type  flight  rules,  the  options  or  exceptions  can  be  exercised  as  part  of  the  flight-specific 
Flight  Rules  Annex  development  process.  Flight-specific  exceptions  to  any  other  All  Flights 
generic  rules  must  be  approved  by  the  appropriate  Flight  Rules  Control  Board  (FRCB)  or  Joint 
Flight  Rules  Control  Board  (JFRCB). 

It  is  suggested  that  those  organizations  with  flight  rules  which  affect  CIL  retention  rationale  or 
hazard  controls  implement  an  independent  internal  CR  handling  procedure  that  identifies  CIL  or 
HC  flight  rules  and  protects  against  inappropriate  changes  to  these  types  of  rules. 

The  FRCB/JFRCB  is  responsible  for  review  and  approval  of  CR’s  written  against  the  Volume  A,  B, 
C,  and  D  generic  rules  documents.  The  FRCB/JFRCB  is  chaired  by  the  Director,  Mission 
Operations  or  his  designee. 
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1.3  EFFECTIVITY 

January  21 , 2002. 

2.0  CHANGE  PROCEDURES 

2.1  SUBMISSION  OF  CHANGES 

The  flight  rules  change  control  process  starts  when  someone  in  the  technical  community  identifies 
a  valid  need  to  delete  or  modify  an  existing  flight  rule  or  to  add  a  new  rule.  The  web-based 
database,  Workflow,  is  now  being  used  to  generate  CR’s  for  Volumes  A,  B,  C,  D,  and  Flight  Rules 
Annexes.  Refer  to  the  paragraphs  below  for  Workflow  user  and  enrollment  instructions.  That 
individual  fills  out  the  Workflow  CR  form.  (If  access  to  the  Workflow  form  is  not  available  to  the 
user,  a  paper  form  is  provided  on  page  B-10.)  In  developing  the  Workflow  change  file,  the  CR 
author  should  cut  and  paste  appropriate  pages  from  the  Flight  Rules  document  and  SAVE  AS  a 
user  file  in  the  user’s  directory.  Changes  may  be  made  to  the  appropriate  rules  of  the  author’s  file. 
When  working  this  file,  please  accept  any  revisions  on  the  copied  page  then  turn  the  REVISION 
MODE  ON  so  the  change  inputs  are  highlighted.  Extracted  rule  pages  or  blank  pages  free  of  the 
graphics  frame  are  encouraged. 

All  of  the  current  Flight  Rules  documents  are  available  on  the  internet.  The  URL  is: 
http://mod.jsc.nasa.gov/da8.  No  ID  or  password  will  be  required  to  access  any  of  the  rules 
provided  the  user  is  accessing  from  a  trusted  site  (all  NASA  centers,  contractors,  and 
International  Partners).  If  unable  to  access,  users  need  to  send  an  e-mail  note  to  DA8/M.  L. 

Griffith  (mary.l.griffith1@jsc.nasa.gov)  with  their  full  name,  company,  IP  address,  and  a 
justification  statement  for  access. 

The  completed  CR  is  then  submitted  to  a  division  FRCB/JFRCB  representative  for  approval. 

That  representative  should  ensure  that  all  CR’s  are  coordinated  within  the  originating  division 
before  submitting  them  to  the  DA8/Flight  Director  Office,  Lyndon  B.  Johnson  Space  Center, 
Houston,  Texas  77058.  Each  division  should  establish  its  own  process  to  handle  this  internal 
coordination.  DF/System  Division  is  an  exception  to  this  protocol.  CR’s  from  DF  are  not 
processed  through  the  DF  FRCB  representative,  but  submitted  to  the  Flight  Director  Office  by 
DF  Branch  Offices.  When  internal  coordination  has  been  completed,  the  division  FRCB/JFRCB 
representative  signs  the  form  and  forwards  it  to  the  Flight  Director  Office.  For  Workflow  CR’s, 
facsimile  signature  is  recognized  by  the  DA8/Flight  Director  Office  when  the  CR  is  routed 
electronically  from  the  appropriate  Group  Lead,  Branch  Manager,  or  the  Division  FRCB/JFRCB 
representative  within  MOD  to  DA8/J.  M.  Bryant  (to  the  appropriate  DA8/Book  Manager  for 
Annexes)  for  generic  rule  CR’s  and  cc  to  DA8/W.  P.  Dill  for  Space  Shuttle  Operational  Flight 
Rules,  Volume  A;  DA8/J.  M.  Bryant  for  ISS  Generic  Operational  Flight  Rules,  Volume  B;  and 
DA8/W.  P.  Dill  for  Joint  Shuttle/ISS  Generic  Operational  Flight  Rules,  Volume  C,  or 
Soyuz/Progress/ISS  Joint  Flight  Rules,  Volume  D.  Examples  of  the  electronic  addresses  are: 
SMPT :  william. p. dilll  @jsc. nasa.gov  or  smpt:  wdill@ems.jsc.nasa.gov.  Organizations 
outside  MOD  may  submit  CR’s  through  the  appropriate  MOD  division  to  facilitate  presubmittal 
review  and  coordination  or  may  submit  completed  CR’s  directly  to  the  Flight  Director  Office. 
Workflow  CR’s  submitted  from  outside  MOD  require  a  tailored  setup  for  the  author  as  the  CR  will 
not  be  processed  without  one  additional  review/approval  inside  the  author’s  Branch,  Group,  etc. 
When  practicable,  coordination  should  include  the  Flight  Director.  Workflow  CR’s  are 
encouraged  from  outside  MOD. 
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2.1.1  Enrollment 

“Workflow”  is  a  web-based  database  which  uses  e-mail  to  route  and  announce  CR’s  for 
review  or  approval.  The  approval  process  is  discussed  in  paragraph  2.2.  Workflow  requires 
the  user  to  be  enrolled  in  the  database. 

Anyone  with  a  need  who  resides  in  the  JSC  Domain  or  certain  trusted  domains  may  be 
enrolled  in  Workflow  by  providing  their  full  name,  4-digit  mail  code,  domain  user  ID, 
telephone  number,  and  e-mail  address.  The  request  and  information  should  be  provided  to 
Division  database  editors,  trusted  domain  database  editors,  or  to  the  Book  Manager  listed  on 
the  Preface  page  of  the  flight  rules  documents. 

Enrollment  for  users  outside  the  JSC  Domain/trusted  domains  is  available  if  the  user  has  a 
need  to  change  or  review  flight  rules.  At  URL:  http://mod.jsc.nasa.gov/da8),  under  the  title 
Workflow  Link,  click  the  Process  for  obtaining  access  to  Workflow  link.  Fill  out  the  form 
and  follow  the  submitting  instructions.  The  DA8/Flight  Director  Office  will  sponsor  each 
request.  The  requester  will  be  informed  when  the  application  is  approved  and  enrollment 
completed. 

The  Workflow  URL  is:  https://isc-mod-wrkflow.isc.nasa.gov.  Refer  to  the  Help  and 
Frequently  Asked  Questions  and  the  Complete  Users  Guide  links  for  further  information. 

There  is  also  a  Workflow  Trainer  CBT  which  is  at  URL:  http://mod.jsc.nasa.gov/da8. 

2.1.2  Format 

Individuals  desiring  to  submit  a  flight  rule  change  will  complete  the  Workflow  CR  form.  For 
new  flight  rule  submittals,  the  rule  and  its  associated  rationale  should  be  phrased  as  it  is 
intended  to  appear  in  the  flight  rules  document.  Supporting  data  for  the  rationale  may  be 
attached.  For  changes  to  existing  rules,  the  proposed  changes  must  be  made  obvious  when 
making  the  Workflow  file  attachment  by  accepting  any  revisions  on  the  Flight  Rule  page  to 
be  modified,  then  turn  the  revision  mode  ON  so  that  changes  may  be  clearly  identified. 

2.1.3  CR  Input  Nonconformance 

If  an  error  is  discovered  while  reviewing  an  incorporated  Flight  Rule  CR,  please  notify  the  Book 
Manager  of  the  nonconformance  using  the  EZ  CR  form  provided  on  the  next  page  of  this 
appendix.  (Be  aware  that  this  is  not  the  Flight  Rule  CR  form  and  should  only  be  used  to  report 
nonconformances.)  Verification  of  the  nonconformance  initiates  a  metric  input,  correction, 
possible  corrective  action,  nonconformance  disposition/approval,  and  closure.  Closure  of 
“Control  of  Nonconforming  Product”  nonconformance  EZ  CR’s  are  approved  by  the  Flight 
Director  Office  USA  supervisor  or  his  designee.  Closure  of  “Corrective  and  Preventive  Action” 
nonconformance  EZ  CR’s  are  approved  by  the  Chief  of  the  Flight  Director  Office  or  his  designee. 
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FLIGHT  RULES  EZ  CR 


DATE 

INITIATED  BY:  ORG/NAME/PHONE 

RULE  NUMBER 

CONTROL  NUMBER 

CR  FLIGHT  EFFECTIVITY 


OTHER  AFFECTED  FLIGHT  RULES  DOCUMENT  w/Date  |  REV  Date 


Rule  Element 


SHORT  DESCRIPTIVE  TITLE  OF  CHANGE 


Rule  Section 


Nonconformance  Descriotion  -  Attached  (If  reauired 


Special  instructions  (if  required): 


ALL  FLTS  VOL 


ANNEX 


RULE 


RATIONALE 


NONCONFORMANCE 

TECHNICAL  ERROR 
EDITORIAL  ERROR 


SUBMIT  CR  TO:  Annex  Book  Manaaer  or 


DA8/W.  P.  DILL,  NASA/JSC,  PHONE  713-483-5418 


SMPT:  william,  p.dilll  @isc.  nasa.gov 


Approval 


RECEIVED: 

INCORPORATED: 

EZ  CR  STATUS:  OPEN 


(DA8  Use  Only) 
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INSTRUCTIONS 

1 .  DATE  -  Enter  FLIGHT  RULES  EZ  CR  initiation  date. 

2.  INITIATED  BY:  ORG/NAME/PHONE  -  Enter  the  originator’s  organization,  name,  and  phone  number  (including 
area  code  if  other  than  JSC). 

3.  RULE  NUMBER  -  Enter  the  nonconformance  rule  number. 

4.  CONTROL  NUMBER  -  Leave  blank;  will  be  assigned  and  entered  by  the  document  manager. 

5.  FLIGHT  EFFECTIVITY  -  Enter  whether  Generic  or  Flight  Specific  Number. 

6.  OTHER  AFFECTED  RULES  -  Enter  other  rules  affected. 

7.  DOCUMENT  DATE  w/Date/  REV  Date  -  Enter  the  “affective  document”  document  date  and  the  PCN/Rev  (if 
applicable  )  that  contains  the  rule  to  be  modified. 

8.  Enter  All  Flights  Volume  A,  B,  or  C,  or  check  the  appropriate  box  for  the  annex 

9.  RULE  ELEMENT  -  Enter  the  rule  element  number. 

1 0.  RULE  SECTION  -  Enter  the  rule  section  number 

1 1 .  SHORT  DESCRIPTIVE  TITLE  OF  CHANGE  -  Enter  a  short  descriptive  title  of  the  change. 

12.  jes  RULE,  e<  RATIONALE  -  Check  appropriate  box  for  whether  the  nonconformance  is  in  rule  and/or  rationale. 

13.  NONCONFORMANCE  DESCRIPTION  -  Enter  a  description  of  the  nonconformance. 

14.  SPECIAL  INSTRUCTIONS  (IF  REQUIRED)  -  Enter  any  special  instruction  here. 

15  NONCONFORMANCE  -  Leave  blank;  will  be  assigned  and  entered  by  the  document  manager. 
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2.2  CR  APPROVAL 

2.2.1  Coordination 

Pre-coordination  between  the  author  and  affected  disciplines  is  assumed.  In  Workflow,  when 
the  Flight  Director  Office  receives  a  generic  flight  rule  CR  for  disposition,  it  will  automatically  be 
assigned  a  contol  number,  and  it  will  be  assigned  to  a  coordinating  flight  director.  The 
coordinating  flight  director  works  with  the  initiator  on  any  desired  changes  to  the  wording  for  the 
rule  or  rationale.  The  coordinating  flight  director  conducts  the  Flight  Director  Office  review  and 
assists  in  the  identification  of  any  additional  data  or  coordination  that  may  be  required.  When 
this  initial  coordination  has  been  completed  and  external  coordination  is  required,  a  mandatory 
review  sheet  is  readied  by  the  coordinating  flight  director  and  distributed  for  formal  review  and 
comment  with  an  appropriate  suspense  date  provided.  When  required,  all  FRCB/JFRCB 
members  plus  others  identified  by  the  coordinating  flight  director  will  receive  review  copies  via 
Workflow.  To  allow  adequate  review  time,  the  suspense  date  is  established  to  support  the  next 
scheduled  FRCB/JFRCB  (or  specific  launch  date).  CR’s  are  required  to  be  delivered  to  the 
Flight  Director  Office  for  review  no  later  than  3  weeks  prior  to  the  FRCB/JFRCB.  CR’s 
submitted  after  the  3-week  deadline  may  be  scheduled  on  the  FRCB/JFRCB  agendas  at  the 
discretion  of  the  Board  Chair. 

This  review  includes  an  assessment  of  impact  to  retention  rationale  for  CIL-related  rules  and  a 
review  of  related  orbiter  or  payload  hazard  reports.  For  all  proposed  changes  to  CIL/HC-related 
flight  rules,  the  rationale  must  be  approved  by  the  respective  Program  before  the  CR  may  be 
placed  on  the  Board  agenda. 
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2.2.2  Approved/Disapproved/Deferred  CR’s 

2.2.2. 1  Generic  CR’s 

For  minor  changes  to  generic  rules/rationale,  format  only  changes  to  flight  rules,  and  when  no 
mandatory  review  assignments  have  been  made  by  the  reviewing  Flight  Director,  the  FRCB/JFRCB 
Chairman  may  approve  the  CR  without  formal  presentation  to  the  board,  provided  no  changes  were 
recommended  by  the  board  members.  These  are  the  CR’s  identified  on  the  FRCB/JFRCB  agenda 
with  an  asterisk.  Occasionally,  the  FRCB/JFRCB  Chairman  will  approve  and  sign  a  CR  out  of  board 
to  expedite  a  CR  through  the  process,  and  usually  that  CR  will  be  presented  at  the  next 
FRCB/JFRCB.  All  other  CR’s  will  be  considered  by  the  FRCB/JFRCB  with  a  formal  presentation.  The 
FRCB/JFRCB  considers  each  CR  based  on  the  impact  on  operations,  the  impact  on  documented 
hazard  controls  or  CIL  retention  rationale,  and  the  technical  justification.  Each  CR  will  then  be 
approved,  disapproved,  or  deferred.  Approved  changes  will  be  incorporated  into  the  next  page 
change  notice  (PCN)  or  revision  to  the  generic  document.  Disapproved  CR  changes  will  be  returned 
to  the  initiator  along  with  the  reason  for  disapproval.  Disapprovals  may  be  appealed  to  the  Level  II 
Program  Office,  if  desired.  The  last  possible  FRCB/JFRCB  action  is  deferral.  CR’s  will  be  deferred 
for  only  two  reasons:  all  mandatory  concurrences  have  not  been  received,  or  additional  data  or 
analysis  is  needed.  CR  deferrals  will  be  rescheduled  for  a  subsequent  FRCB/JFRCB  meeting. 

FRCB/JFRCB  minutes  document  the  status  of  each  CR  dispositioned  (approved,  deferred, 
approved  with  modification,  actions  given,  and  status  of  past  actions).  Workflow  databased  CR’s 
may  be  processed  by  the  Book  Manager  acting  for  the  FRCB/JFRCB  Chair  in  accordance  with  the 
FRCB/JFRCB  CR  status  documented  in  the  minutes. 

2. 2. 2. 2  Annex  CR’s 

The  Lead  Flight  Director  has  approval  authority  of  CR’s  for  Flight  Specific  Increment  Annexes  or 
for  Flight  Specific  Annexes. 


3.0  DOCUMENT  REVISIONS/DEVELOPMENT 

3.1  DEVELOPMENT 

The  Flight  Director  Office  will  compile  for  the  generic  documents  the  effective  changes  and 
corrections  of  minor  typographical  errors  into  complete  Revisions  or  PCN’s  to  the  basic 
document. 

The  Flight  Director  Office  prepares  annexes  on  a  per  flight  basis  according  to  schedule  template 
at  approximately  launch  minus  7  months  in  most  cases. 

Editorial  changes  may  be  used  to  correct  typographical  errors  if  there  are  no  other  changes  on 
the  page  concerned. 
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3.2  DOCUMENT  APPROVAL 

3.2.1  Generic  Rules  Documents 

Revisions/PCN’s  to  the  Volume  A  document  will  be  approved  by  the  Chief,  Flight  Director  Office; 
Director,  Mission  Operations;  and  Manager,  Space  Shuttle  Program.  Pen  and  Ink  (P&l)  changes 
will  be  approved  by  the  Chief,  Flight  Director  Office  under  DA8  memorandum  with  concurrence 
by  the  Director,  Mission  Operations.  Real-time  CR’s  are  approved  by  the  Flight  Director  and  the 
Mission  Operations  Director  and  are  statused  to  the  Mission  Management  Team. 

Revisions/PCN’s  to  the  Volume  B  and  D  documents  will  be  approved  by  the  Chief,  Flight  Director 
Office;  Director,  Mission  Operations;  and  Manager,  Space  Station  Program.  P&l  changes  will  be 
approved  by  the  Chief,  Flight  Director  Office  under  DA8  memorandum  with  concurrence  by  the 
Director,  Mission  Operations.  Real-time  CR’s  are  approved  by  the  Flight  Director  and  the 
Mission  Operations  Director  and  are  statused  to  the  Mission  Management  Team. 

Revisions/PCN’s  to  the  Volume  C  document  will  be  approved  by  the  Chief,  Flight  Director  Office; 
Director,  Mission  Operations;  Manager,  Space  Shuttle  Program;  and  Manager,  Space  Station 
Program.  P&l  changes  will  be  approved  by  the  Chief,  Flight  Director  Office  under  DA8 
memorandum  with  concurrence  by  the  Director,  Mission  Operations.  Real-time  CR’s  are 
approved  by  the  Flight  Director  and  the  Mission  Operations  Director  and  are  statused  to  the 
Mission  Management  Team. 

Documents  are  updated  with  approved  CR’s  and  statused  at  program  review  boards.  If  all 
signatures  are  not  obtained  in  time  to  meet  publication  schedules,  signatures  pages  will  be 
posted  by  eratta  when  they  are  received. 

3.2.2  Annex  Documents 

A  “Headsup”  review  copy  of  the  “Final”  document  is  provided  for  program  review  5  working  days 
prior  to  “Final”  presentation  to  the  affected  Program  Requirements  Control  Board  (PRCB)  or 
SSCB  or  Joint  Board.  After  the  5-day  review,  the  Flight  Director  is  scheduled  on  the  appropriate 
board  agenda  via  a  Control  Board  CR  to  brief  any  flight  specific  issues  potentially  affecting 
Program  policies.  Also,  any  additional  significant  changes  received  during  the  5-day  review 
period  will  be  briefed. 

Pre-Final  documents  are  approved  by  the  Lead  Flight  Director  or  his  designee. 

The  Annex  Final  and  Revisions/PCN’s  to  the  Final  document  will  be  approved  by  the  Chief, 

Flight  Director  Office;  Director,  Mission  Operations;  and  Manager,  Space  Shuttle  Program.  Pen 
and  Ink  (P&l)  changes  will  be  approved  by  the  Lead  Flight  Director  under  DA8  memorandum 
with  concurrence  by  the  Chief,  Flight  Director  Office  and  Director,  Mission  Operations.  Real-time 
CR’s  are  approved  by  the  Flight  Director  and  the  Mission  Operations  Director  and  are  statused 
to  the  Mission  Management  Team. 

The  Increment  Annex  Final  and  Revisions/PCN’s  to  the  Final  will  be  approved  by  the  Chief, 

Flight  Director  Office;  Director,  Mission  Operations;  Manager,  Space  Shuttle  Program;  and 
Manager,  Space  Station  Program.  Pen  and  Ink  changes  will  be  approved  by  the  Lead  Flight 
Director  under  DA8  memorandum  with  concurrence  from  the  Chief,  Flight  Director  Office  and 
the  Director,  Mission  Operations.  Real-time  CR’s  are  approved  by  the  Flight  Director  and  the 
Mission  Operations  Director  and  are  statused  to  the  Mission  Management  Team. 
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3.3 

PUBLICATION 

3.3.1 

Schedule 

3.3.1. 1 

Generic  Rules 

All  Flights  documents  (Volumes  A,  B,  C,  and  D)  originating  as  initial  documents  would 
approximately  follow  the  schedule  described  for  annexes  except  the  FRCB/JFRCB  would 
exercise  individual  rules  approval  prior  to  obtaining  respective  PRCB/JPRCB/SSPCB  approvals. 
After  initial  release  of  Volumes  A,  B,  C,  etc.,  in  “Final”  form,  subsequent  revisions  will  be  in  the 
form  of  PCN’s  or  Pen  and  Inks  (P&l’s),  depending  on  CR  traffic  and  mission  requirements. 

3. 3. 1.2  Annex/Increment  Rules 

Initial  publication  of  annexes  will  be  in  “Basic”  form  and  provided  for  the  Flight  Operations  Review 
(FOR)  data  pack  distribution  at  approximately  launch  minus  4  months  for  Space  Shuttle  only 
missions  and  L-5  months  for  Joint  Shuttle/ISS  missions  (schedule  provided  by  Payload  FOR 
memorandum.)  Post-FOR,  the  flight  rules  will  be  published  in  “Basic,  Revision”  form  and 
distributed  in  time  to  support  the  flight  simulation  schedule.  The  “Final”  approval  process  takes 
place  at  approximately  liftoff  minus  1  month.  The  logistics  required  for  the  formal  approval 
process  precludes  initiating  a  PCN  within  2  weeks  of  launch.  Within  2  weeks  of  the  launch,  the 
Pen  and  Ink  (P&l)  process  is  invoked  with  P&l  changes  processed  “on  console”  at  launch  minus  1 
day,  and  produced  on  an  “as  required”  basis.  After  liftoff,  changes  will  be  processed  real  time  per 
JSC-26843,  Flight  Control  Operations  Handbook  (FCOH)  Shuttle  Operations,  SOP  1.2.1,  Real- 
Time  Flight  Rules  Changes,  or  JSC-29279,  FCOH  Station  Operations,  SOP  2.6,  Real-Time  Flight 
Rules  Changes. 

3.3.2  Distribution 

Hard  copy  publications  will  be  printed  and  distributed  through  normal  administrative  channels. 

Use  of  electronic  copies  off  the  website  is  encouraged.  All  of  the  current  Flight  Rules 
documents  are  available  on  the  internet  at  URL:  http://mod.jsc.nasa.gov/da8. 
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CHANGE  REQUEST 

(TO  BE  USED  ONLY  WHEN  WORKFLOW  DATABASE  IS  UNAVAILABLE.) 


DATE 

INITIATED  BY:  ORG/NAME/PHONE 

CONTROL  NUMBER 

RULE  NUMBER 

CR  FLIGHT  EFFECTIVITY  &  Term 

OTHER  AFFECTED  FLIGHT  RULES 

DOCUMENT  w/Date  |  REV  Date 

ALL  FLTS  VOL 

ANNEX 

Terminate  after 

Rev: 

Rule  Element 

Rule  Section  i 

SHORT  DESCRIPTIVE  TITLE  OF  CHANGE 

RULE 

_ 

RATIONALE 

Rule  Chanae  -  Attached 

Special  instructions  (if  required): 

REASON  FOR  CHANGE  (required  input  -  each  paragraph  is  limited  to  255  characters) 
Para  1 : 

Para  2: 


Pre-Coord:  (org/name) 


APPROVED: 

Signed  By: 

SUBMITTING  ORGANIZATION 
FRCB/JFRCB  MEMBER 

DATE: 


CIL  HAZARD  CONSTRAINTS  TO 
OPERATIONS? 

YES  I  I  NO 


DOES  THIS  CHANGE  MODIFY  EXISTING 
CIL  RETENTION  RATIONALE? 


YES 


NO 


APPROVED: 

Signed  By: 

FRCB/JFRCB  CHAIRMAN 

DATE: 


CHANGE  IS  A  RESULT  OF: 


NEW  CAPABILITY 

H/W 

PROCEDURE  CHG 

S/W 

EDITORIAL 

OTHER 

DOES  THIS  CHANGE  AFFECT  CREW 
PROCEDURES? 

YES  I  I  NO 


DOES  THIS  CHANGE  MODIFY 
FOR  A  CONTROLLED  HAZARD? 

YES  I  I  NO 


APPROVED:  (ANNEX  ONLY) 
Signed  By: 

LEAD  FLIGHT  DIRECTOR 

DATE: 


EVALUATION  SUMMARY: 

(DA8  USE  ONLY) _ 


SUBMIT  FINAL  COMMENTS  BY: 
IN  SUPPORT  OF  JOP  ON: 


IN  SUPPORT  OF  FRCB/JFRCB  ON: 


MAND 

1*1 


Evaluator 


DATE 


A/ 

M 


D 


Comments 


_ 

SUBMIT  CR  TO:  Annex  Book  Manaaer  or 

RECEIVED: 

(DA8  Use  Only) 

DA8/W.  P.  DILL.  NASA/JSC.  PHONE  713-483-5418 

E-MAIL:  william,  p.dilll  (S.jsc.nasa.aov 

INCORPORATED: 

CR  STATUS: 

JSCDA8  Ver  1 1 .0  (Rev  July  2001)  Electronic  Media  CR  Form  for  Use  with  Word  Ver  6.0  and  later  releases 
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1 .  DATE  -  Enter  CR  initiation  date. 

2.  INITIATED  BY:  ORG/NAME/PHONE  -  Enter  the  originator’s  organization,  name,  and  phone  number  (including 
area  code  if  other  than  JSC). 

3.  CONTROL  NUMBER  -  Leave  blank;  will  be  assigned  and  entered  by  the  document  manager. 

4.  RULE  NUMBER  -  Enter  the  existing  rule  number  to  be  modified.  If  this  is  a  new  rule,  enter  the  section  number 
and  the  document  manager  will  assign  a  rule  number. 

5.  FLIGHT  EFFECTIVITY  &  Term  and  Terminate  after:  -  Enter  the  first  flight  for  which  the  rule  is  required.  If 
generic,  enter  “ALL".  For  Annex  or  Increment  Annex  STS-XX  or  INC  X/STS-XX,  if  there  is  a  mission  that 
requires  termination  thereafter,  make  that  entry  here  using  similar  annotation  STS-XX,  etc. 

6.  OTHER  AFFECTED  RULES  -  Enter  other  rules  which  either  reference  this  rule  or  which  this  rule  references. 

7.  DOCUMENT  DATE  w/Date/  REV  Date  -  Enter  the  “affective  document"  document  date  and  the  PCN/Rev  (if 
applicable  )  that  contains  the  rule  to  be  modified. 

8.  es  ALL  FLIGHTS  VOL,  es  ANNEX  -  Enter  All  Flights  Volume  A,  B,  or  C,  or  check  the  appropriate  box  for  the 
annex  document  for  which  the  CR  is  intended. 

9.  RULE  ELEMENT  -  Enter  the  rule  element  number. 

1 0.  RULE  SECTION  -  Enter  the  rule  section  number. 

1 1 .  SHORT  DESCRIPTIVE  TITLE  OF  CHANGE  -  Enter  a  short  descriptive  title  of  the  change. 

12.  es  RULE,  e<  RATIONALE  -  Check  appropriate  box  for  rule  and/or  rationale. 

13.  RULE  CHANGE-  ATTACHED  -  Enter  the  rule  and  rationale  exactly  as  it  will  appear  in  the  document  to  be 
changed.  It  is  preferred  that  the  page(s)  being  changed  be  copied  and  pasted  below  the  page  break  of  the  CR 
form  (“Instructions”  page  to  be  deleted).  The  rule/rationale  should  be  modified  with  revision  mode  ON.  For  a 
new  rule,  enter  rule  below  the  page  break  using  format  shown  below: 

14  TITLE  -  In  capital  letters  and  underlined. 

RULE  -  In  capital  letters  exactly  as  it  will  appear  in  the  document. 

RATIONALE  -  Enter  the  word  “Rationale"  followed  by  the  rule  rationale  in  lower  case  letters. 

15.  SPECIAL  INSTRUCTIONS  (IF  REQUIRED)  -  Enter  any  special  instruction  here. 

1 6.  REASON  FOR  CHANGE  -  Enter  the  technical  or  philosophical  reason  for  changing  the  existing  rule  or  why  a 
new  rule  is  required. 

17.  PRE-COORD:  (ORG/NAME)  -  Enter  any  pre-coordination  information  obtained  here. 

1 8.  APPROVED:  SUBMITTING  ORGANIZATION  FRCB/JFRCB  MEMBER/DATE  -  This  block  is  to  be  signed/dated 
by  the  Flight  Rules  Control  Board  (FRCB)  or  Joint  FRCB  member  of  the  organization  submitting  the  rule. 
Concurrences,  if  required,  may  be  initialed  in  this  block.  Changes  originating  from  organizations  which  have  no 
FRCB/JFRCB  membership  may  submit  their  proposed  changes  directly  to  the  Flight  Director  Office,  DA8, 
Lyndon  B.  Johnson  Space  Center,  Houston,  Texas  77058. 

19.  CIL  HAZARD  CONSTRAINTS  TO  OPERATIONS:  YES  es  NO  es  -  Optional,  the  originator  may  attempt  to 
answer  this  question;  however,  the  responsibility  lies  with  DF  to  determine  if  the  CR  affects  JSC  23227, 
“CIL/Hazard  Constraints  to  Operations.”  This  is  the  MOD  ops  retention  rationale  document. 

20.  DOES  THIS  CHANGE  MODIFY  EXISTING  CIL  RETENTION  RATIONALE:  YES  ^  NO  ^  -  Optional,  the 
originator  may  attempt  to  answer  this  question;  however,  the  responsibility  lies  with  DF  to  make  this  assertion. 

21 .  DOES  THIS  CHANGE  AFFECT  CREW  PROCEDURES?  YES  ^  NO  ^  -  The  originator  should  attempt  to 
answer  this  question  and  make  reference  to  changes  in  the  crew  procedures  document  in  item  11. 

22.  DOES  THIS  CHANGE  MODIFY  RATIONALE  FOR  A  CONTROLLED  HAZARD?  YES  *s  NO  *s  -  Optional,  the 
originator  may  attempt  to  answer  this  question;  however,  the  responsibility  lies  with  the  Systems  or  Operations 
Divisions  to  make  this  assessment. 

23.  APPROVED:  FRCB/JFRCB  CHAIRMAN  -  This  block  is  to  be  signed  by  the  FRCB/JFRCB  Chairman,  Operations 
Director,  or  his  alternate  signifying  approval  by  the  FRCB/JFRCB. 

24.  APPROVED:  LEAD  FLIGHT  DIRECTOR  -  This  block  is  to  be  used  only  for  Lead  Flight  Director  concurrence  for 
changes  to  the  flight-specific  annexes. 

25.  CHANGE  IS  RESULT  OF  -  Check  appropriate  box. 

26.  EVALUATION  SUMMARY  -  Leave  blank;  used  by  DA8  to  identify/request  mandatory  CR  review. 

27.  RECEIVED/INCORPORATED/CR  STATUS:  -  Leave  blank;  this  block  is  used  for  internal  document  control  by 
the  document  manager. 
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1 . 1  PURPOSE . C-l 

1 . 2  SCOPE . C-l 
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INDEX  OF  WAIVERS 


1.0 

INTRODUCTION 

1.1 

PURPOSE 

APPENDIX  C  CONTAINS  THE  LIST  OF  WAIVERS  TO  THE  NSTS  12820,  SPACE 
SHUTTLE  OPERATIONAL  FLIGHT  RULES  ALL  FLIGHTS  DOCUMENT,  VOLUME  A. 

1.2  SCOPE 

EACH  WAIVER  IS  APPROVED  BY  THE  SPACE  SHUTTLE  PROGRAM  REQUIREMENTS 
CONTROL  BOARD  FOR  THE  FLIGHT  EFFECTIVITY  AS  SPECIFIED.  WAIVERS 
THAT  HAVE  BEEN  APPROVED  FOR  MULTIPLE  FLIGHTS  ARE  CURRENT  AND  IN 
EFFECT  UNLESS  THEY  ARE  IDENTIFIED  AS  HAVING  BEEN  RESCINDED  BY  THE 
PROGRAM  OFFICE  BOARD. 

THE  FLIGHT  OPERATIONS  TEAM  IS  RESPONSIBLE  FOR  IMPLEMENTATION  OF 
THE  WAIVERS  TO  THE  OPERATIONS  FLIGHT  RULES  THAT  HAVE  BEEN  APPROVED 
BY  THE  SPACE  SHUTTLE  REQUIREMENTS  CONTROL  BOARD  AS  SPECIFIED  BY 
THE  PRCB  DIRECTIVE  SIGNED  BY  THE  CHAIR. 
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LIST  OF  WAIVERS 


NUMBER 

TITLE 

FLIGHT 

EFFECTIVITY 

PRCB 

DIRECTIVE 

1 

WAIVER  TO  SPACE  SHUTTLE  OPERATIONAL  FLIGHT 
RULES,  ALL  FLIGHTS  DOCUMENT  FOR  STS-52 

STS-52 

S063689Q 

2 

WAIVER  TO  SPACE  SHUTTLE  OPERATIONAL  FLIGHT 
RULES,  ALL  FLIGHTS  DOCUMENT  FOR  STS-66 

STS-66 

S063689BQ 

3 

WAIVER  TO  SPACE  SHUTTLE  OPERATIONAL  FLIGHT 
RULES,  ALL  FLIGHTS  DOCUMENT  FOR  STS-71 

STS-71 

S063689CH 

4 

WAIVER  TO  SPACE  SHUTTLE  OPERATIONAL  FLIGHT 
RULES,  ALL  FLIGHTS  DOCUMENT  FOR  STS-75 

STS-75 

S063689CT 

5 

WAIVER  TO  SPACE  SHUTTLE  OPERATIONAL  FLIGHT 
RULES,  ALL  FLIGHTS  DOCUMENT  FOR  STS-76 

STS-76 

S063689CU 

6 

WAIVER  TO  SPACE  SHUTTLE  OPERATIONAL  FLIGHT 
RULES,  ALL  FLIGHTS  DOCUMENT  FOR  STS-94 

STS-94 

S063689DW 

7 

WAIVER  TO  SPACE  SHUTTLE  OPERATIONAL  FLIGHT 
RULES,  ALL  FLIGHTS  DOCUMENT  FOR  STS-95 

STS-95 

S063689EL 

8 

WAIVER  TO  SPACE  SHUTTLE  OPERATIONAL  FLIGHT 
RULES,  ALL  FLIGHTS  DOCUMENT  FOR  STS-108 

STS-108 

S063689FB 

®[ED  ] 
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APPENDIX  D 

HAZARD  REPORT/CIL  CPOSS— REFERENCE 

1.0  INTRODUCTION . D-l 

1  .  1  PURPOSE . D-l 

1 . 2  GENERAL . D-l 

2.0  UPDATE  PROCEDURE . D-l 

2.1  RESPONSIBLE  PARTY . D-l 

2.2  CURRENCY  REQUIREMENT . D-l 

3.0  USER  INFORMATION . D-2 

3.1  COLUMN  IDENTIFICATION . D-2 

3.2  LINK  EXECUTION . D-2 

4.0  FLIGHT  RULE/HAZARD  REPORT/CIL  CROSS  REFERENCE  TABLE  . D-2 
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HAZARD  REPORT/CIL  CPOSS— REFERENCE 


1.0  INTRODUCTION  @[012402-5144] 

1 . 1  PURPOSE 

THIS  APPENDIX  PROVIDES  A  CROSS-REFERENCE  BETWEEN  THE  FLIGHT 
RULES,  HAZARD  REPORTS  (HR'S),  AND  CRITICAL  ITEMS  LIST  (CIL). 

THIS  MATRIX  FULFILLS  THE  REQUIREMENT  DOCUMENTED  IN  NSTS  22206, 
REQUIREMENTS  FOR  PREPARATION  AND  APPROVAL  OF  FAILURE  MODES  AND 
EFFECTS  ANALYSIS  (FMEA)  AND  CRITICAL  ITEMS  LIST  (CIL),  FOR 
MISSION  OPERATIONS  DIRECTORATE  (MOD)  TO  CONTROL  AND  MAINTAIN  A 
DATABASE  WHICH  CORRELATES  CIL'S  WITH  APPLICABLE  FLIGHT  RULES/CREW 
PROCEDURES . 

1 . 2  GENERAL 

FLIGHT  RULE  TITLES  ARE  CURRENTLY  FLAGGED  WITH  " [ HC ] "  AND  "[CIL]" 

IN  ORDER  TO  IDENTIFY  THEIR  RELATIONSHIP  TO  THE  SPACE  SHUTTLE 
PROGRAM  HAZARD  REPORTS  (HR)  AND  CRITICAL  ITEMS  LIST  (CIL) .  THIS 
APPENDIX  PROVIDES  THE  CROSS  REFERENCE  FROM  FLIGHT  RULES  TO  THE 
ASSOCIATED  HR'S  AND  CIL'S.  NOTE:  THERE  IS  A  DIRECT  ONE-TO-ONE 

CORRELATION  BETWEEN  THE  FLIGHT  RULE  AND  THE  HR  CAUSE.  THERE  IS 
ALSO  A  DIRECT  CORRELATION  BETWEEN  THE  HR  CAUSE  AND  THE  CIL'S. 
HOWEVER,  THE  CORRELATION  BETWEEN  THE  FLIGHT  RULES  AND  CIL'S  IS  NOT 
DIRECT.  CIL  EXAMINATION  IS  THEREFORE  REQUIRED  TO  DETERMINE  ITS 
APPLICABILITY  TO  THE  FLIGHT  RULE  UNDER  CONSIDERATION  (I.E.,  A  CIL 
APPLICABLE  ONLY  TO  ASCENT/ENTRY  WOULD  NOT  APPLY  TO  AN  ON-ORBIT 
FLIGHT  RULE) . 

2 . 0  UPDATE  PROCEDURE 

2 . 1  RESPONSIBLE  PARTY 

THIS  APPENDIX  WILL  BE  UPDATED  WITH  THE  CHANGE  REQUEST  PROCEDURE 
THROUGH  THE  FLIGHT  RULES  CONTROL  BOARD  (FRCB )  AS  CORRECTIONS  AND 
MODIFICATIONS  ARE  REQUIRED. 

2.2  CURRENCY  REQUIREMENT 

HAZARD  REPORTS  AND  CIL'S  HAVE  CURRENCY  REQUIREMENTS.  THIS 
APPENDIX  IS  NOT  THE  CONTROLLING  DOCUMENT  FOR  HR  OR  CIL  CURRENCY; 
THE  USER  MUST  REFER  TO  THE  APPROPRIATE  PROGRAM  DOCUMENTATION  FOR 
CURRENCY  OF  THESE  CROSS-REFERENCE  ITEMS.  @[012402-5144] 
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3.0  USER  INFORMATION  ®[oi 2402-51 44 ] 

3 . 1  COLUMN  IDENTIFICATION 
OLD  FLIGHT  RULE  #  -  OLD  FLIGHT  RULE  NUMBER 
NEW  FLIGHT  RULE  #  -  NEW  FLIGHT  RULE  NUMBER 

HR  &  CAUSE  #  -  HAZARD  REPORT  NUMBER  AND  CAUSE  NUMBER 

EXAMPLE:  "ORBI-O86B  A"  STANDS  FOR  ORBITER  HAZARD  REPORT  086, 

REVISION  B,  CAUSE  A.  THERE  IS  A  DIRECT  CORRELATION  BETWEEN  THE 
HAZARD  CAUSE  AND  THE  FLIGHT  RULE  IDENTIFIED  TO  MITIGATE  THE 
HAZARDOUS  SITUATION. 

CIL  #  -  CRITICAL  ITEMS  LIST  NUMBER 

THIS  NUMBER  IS  CORRELATED  TO  THE  FLIGHT  RULE  BY  WAY  OF  THE  HAZARD 
REPORT  CAUSE.  THE  CIL  FAILURE  MODE  IS  USUALLY  (BUT  NOT  ALWAYS) 
RELATED  TO  THE  FLIGHT  RULE. 

3.2  LINK  EXECUTION 

IF  THIS  DOCUMENT  IS  ACCESSED  ON  THE  FLIGHT  DIRECTOR  OFFICE  WEB 
SITE,  ALL  ASSOCIATED  LINKS  TO  FLIGHT  RULES  CAN  BE  TRAVERSED. 
HOWEVER,  THE  LINKS  TO  HAZARD  REPORTS  OR  CRITICAL  ITEMS  MAY  NOT  BE 
TRAVERSABLE .  THOSE  DOCUMENTS  ARE  NOT  LOCATED  ON  THE  SAME  SERVER 
WITH  THIS  DOCUMENT  AND  ARE  SUBJECT  TO  SECURITY  RESTRICTION  ON  THE 
USA  WEB  SERVER. 

4 . 0  FLIGHT  RULE/HAZARD  KEPORT/CIL  CROSS  REFERENCE  TABLE 

@[012402-5144] 

NOTE:  LINK  TO  TABLE  REMOVED  UNTIL  ACCURACY  OF  DATA  CAN  BE 

VERIFIED.  IF  ACCESS  IS  REQUIRED,  PLEASE  CONTACT  MARY  LOU 
GRIFFITH . 


VOLUME  A  06/20/02  FINAL  HAZARD  REPORT/CIL  D-2 

CROSS  REFERENCES 

Verify  that  this  is  the  correct  version  before  use. 


